1/*
2 Copyright (c) 2018, 2021, Oracle and/or its affiliates.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is also distributed with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have included with MySQL.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23*/
24
25#ifndef MYSQL_HARNESS_TLS_CONTEXT_INCLUDED
26#define MYSQL_HARNESS_TLS_CONTEXT_INCLUDED
27
29
30#include <memory> // unique_ptr
31#include <string>
32#include <system_error>
33#include <vector>
34
35#ifdef _WIN32
36// include windows headers before openssl/ssl.h
37#include <windows.h>
38#include <winsock2.h>
39#include <ws2tcpip.h>
40#endif
41
42#include <openssl/ssl.h> // SSL_METHOD
43
45
46/**
47 * TLS Versions.
48 *
49 * used for set_min_version.
50 *
51 * @note for now only TLS1.2 is used, but others may be added later.
52 */
54
/**
 * Verification of Certificates.
 *
 * controls whether the certificate presented by the peer is checked.
 */
enum class TlsVerify {
  NONE,  ///< no certificate is verified
  PEER,  ///< verify the cert of the peer
};
62
64 public:
71};
72
73/**
74 * wraps SSL_CTX.
75 *
76 * TODO:
77 * - SSL_CTX_set_session_cache_mode()
78 * - SSL_CTX_set_alpn_select_cb()
79 * - SSL_CTX_set_tlsext_ticket_key_cb()
80 * - SSL_CTX_set_session_id_context()
81 * - SSL_CTX_set_tlsext_servername_callback() for SNI
82 * - SSL_CTX_set_cert_verify_callback() vs. SSL_CTX_set_verify()
83 *
84 */
86 public:
/**
 * whether curves_list() can be used with the openssl this is built against.
 *
 * the curves-list API exists since openssl 1.0.2; with older versions
 * curves_list() is not supported.
 *
 * @returns true if curves_list() is supported.
 * @retval false curves_list() is not supported
 */
static constexpr bool has_set_curves_list() {
  // OPENSSL_VERSION_NUMBER of the openssl 1.0.2 release.
  constexpr auto kMinVersion = 0x1000200f;
  return !(OPENSSL_VERSION_NUMBER < kMinVersion);
}
97
/**
 * whether TLSv1.3 cipher-suites can be configured with this openssl.
 *
 * TLSv1.3 support, and with it the cipher-suites API, arrived in
 * openssl 1.1.1; cipher_suites() (not declared on TlsContext itself)
 * needs it.
 *
 * @returns true if cipher_suites() is supported.
 * @retval false cipher_suites() is not supported
 */
static constexpr bool has_set_cipher_suites() {
  // OPENSSL_VERSION_NUMBER of the openssl 1.1.1 release.
  constexpr auto kMinVersion = 0x1010100f;
  return !(OPENSSL_VERSION_NUMBER < kMinVersion);
}
108
/**
 * whether the configured cipher-list can be read back with this openssl.
 *
 * the API cipher_list() relies on exists since openssl 1.1.0.
 *
 * @returns true if cipher_list() is supported.
 * @retval false cipher_list() is not supported
 */
static constexpr bool has_get_cipher_list() {
  // OPENSSL_VERSION_NUMBER of the openssl 1.1.0 release.
  constexpr auto kMinVersion = 0x1010000f;
  return !(OPENSSL_VERSION_NUMBER < kMinVersion);
}
119
/**
 * construct a TlsContext based on the SSL_METHODs provided by openssl.
 *
 * @param method the openssl SSL_METHOD (e.g. a client or a server method)
 *   the SSL_CTX is created from; non-owning, openssl's SSL_METHODs are
 *   static objects
 *
 * NOTE(review): the header doesn't show how a failed SSL_CTX creation is
 * reported (exception vs. get() returning nullptr); confirm in the .cc
 * before relying on get() being non-null.
 */
explicit TlsContext(const SSL_METHOD *method);
124
/**
 * set CA file and CA directory.
 *
 * Search-order:
 *
 * 1. ca_file (if not empty)
 * 2. all PEMs in ca_path (if not empty)
 *
 * the CAs loaded here are the trust anchors peer certificates are checked
 * against once verification is enabled.
 *
 * @see SSL_CTX_load_verify_locations
 *
 * @param ca_file path to a PEM file containing a certificate of a CA, ignored
 * if empty()
 * @param ca_path path to a directory of PEM files containing certificates
 * of CAs, ignored if empty()
 *
 * @returns success, or an error_code as unexpected value
 * @retval unexpected if both ca_file and ca_path are empty (the concrete
 *   error_code isn't visible from the header) and, presumably, if openssl
 *   fails to load the given locations
 */
stdx::expected<void, std::error_code> ssl_ca(const std::string &ca_file,
                                             const std::string &ca_path);
145
/**
 * set CRL file and CRL directory.
 *
 * Search-order:
 *
 * 1. crl_file (if not empty)
 * 2. all PEMs in crl_path (if not empty)
 *
 * @see X509_STORE_load_locations
 *
 * @param crl_file path to a PEM file containing CRL file,
 * ignored if empty()
 * @param crl_path path to a directory of PEM files containing CRL files,
 * ignored if empty()
 *
 * @returns success, or an error_code as unexpected value
 * @retval unexpected if both crl_file and crl_path are empty (the concrete
 *   error_code isn't visible from the header) and, presumably, if openssl
 *   fails to load the given locations
 *
 * NOTE(review): loading CRLs into the store does not by itself switch on
 * revocation checking in openssl (that needs the CRL-check flags on the
 * verify store, e.g. X509_V_FLAG_CRL_CHECK); confirm the .cc enables it,
 * otherwise the CRLs are loaded but never consulted.
 */
stdx::expected<void, std::error_code> crl(const std::string &crl_file,
                                          const std::string &crl_path);
166
/**
 * get non-owning pointer to SSL_CTX.
 *
 * the SSL_CTX stays owned by this TlsContext (ssl_ctx_) and is released
 * with SSL_CTX_free when the TlsContext is destroyed; don't keep the
 * pointer beyond the lifetime of the TlsContext.
 *
 * @returns the SSL_CTX, or nullptr while no context is set (ssl_ctx_ is
 *   default-initialized to nullptr; whether the constructor guarantees a
 *   non-null context isn't visible from the header)
 */
SSL_CTX *get() const {
  SSL_CTX *const ctx = ssl_ctx_.get();
  return ctx;
}
171
/**
 * set the supported TLS version range.
 *
 * min_version is the security-relevant end of the range: everything below
 * it is rejected. (The TlsVersion comment above says TLS1.2 is the only
 * version for now.)
 *
 * @param min_version lowest TLS version the context accepts
 * @param max_version highest TLS version the context accepts
 * @returns success, or an error_code as unexpected value (the concrete
 *   failure conditions, e.g. a range the openssl in use can't honour,
 *   aren't visible from the header)
 *
 * @see min_version()
 */
stdx::expected<void, std::error_code> version_range(TlsVersion min_version,
                                                    TlsVersion max_version);
177
/**
 * get the min TLS version.
 *
 * @returns the lowest TLS version the context currently accepts
 * @see version_range()
 */
TlsVersion min_version() const;
182
/**
 * init elliptic curves for the EC-DH key-exchange ciphers used for
 * Perfect Forward Secrecy.
 *
 * @note the intended curves are the RFC 5480 ones (P-256, P-384, P-521);
 *   the original comment said "P-512", which is not an RFC 5480 curve —
 *   confirm the actual list against the .cc
 * @see RFC 5480
 * @see has_set_curves_list()
 *
 * @param curves colon-separated names of curves
 * @returns success, or an error_code as unexpected value
 * @retval unexpected if the API isn't supported by the openssl in use
 *   (see has_set_curves_list()) and, presumably, if openssl rejects the
 *   list
 *
 * NOTE(review): the earlier "@throws TlsError" / "@throws
 * std::invalid_argument" notes don't match the stdx::expected return
 * type; whether anything is still thrown isn't visible from the header.
 */
stdx::expected<void, std::error_code> curves_list(const std::string &curves);
196
/**
 * get current cipher-list.
 *
 * @returns the names of the ciphers currently configured on the SSL_CTX
 *   (presumably in openssl's preference order — confirm in the .cc)
 * @throws std::invalid_argument if API isn't supported
 * @see has_get_cipher_list()
 */
std::vector<std::string> cipher_list() const;
204
// callback type used by info_callback(); the signature is the one openssl
// uses for its SSL info callback (SSL_CTX_set_info_callback), which is
// presumably what the setter forwards to.
using InfoCallback = void (*)(const SSL *, int, int);
206
/**
 * set info callback.
 *
 * the (unnamed) parameter is the InfoCallback to install on the SSL_CTX;
 * openssl invokes it with the SSL, a "where" bitmask and a return code.
 * The callback runs on whatever thread drives the TLS connection, so it
 * shouldn't block.
 */
void info_callback(InfoCallback);
211
/**
 * get info callback
 *
 * @returns the callback installed via info_callback(InfoCallback);
 *   presumably nullptr when none was set — the default isn't visible
 *   from the header
 */
InfoCallback info_callback() const;
216
/**
 * get security_level.
 *
 * @returns openssl's security level of the SSL_CTX (presumably read via
 *   SSL_CTX_get_security_level()); higher levels make openssl reject
 *   weaker keys, ciphers and protocol versions
 */
int security_level() const;
221
protected:
// owning handle of the SSL_CTX, released with SSL_CTX_free. Starts out as
// nullptr, so get() returns nullptr until a constructor has set it.
std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)> ssl_ctx_{nullptr,
                                                          &SSL_CTX_free};
225};
226
227#endif