1/*
2 Copyright (c) 2018, 2023, Oracle and/or its affiliates.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is also distributed with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have included with MySQL.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23*/
24
25#ifndef MYSQL_HARNESS_TLS_CONTEXT_INCLUDED
26#define MYSQL_HARNESS_TLS_CONTEXT_INCLUDED
27
29
30#include <memory> // unique_ptr
31#include <string>
32#include <system_error>
33#include <vector>
34
35#ifdef _WIN32
36// include windows headers before openssl/ssl.h
37#include <windows.h>
38#include <winsock2.h>
39#include <ws2tcpip.h>
40#endif
41
42#include <openssl/ssl.h> // SSL_METHOD
43
45
46/**
47 * TLS Versions.
48 *
49 * used for set_min_version.
50 *
 51 * @note for now only TLS1.2 is used, but others may be added later.
52 */
54
55/**
56 * Verification of Cerifiticates.
57 *
58 * NONE no certificate is verified
59 * PEER verify the cert of the peer
60 */
61enum class TlsVerify { NONE, PEER };
62
64 public:
71};
72
73/**
74 * wraps SSL_CTX.
75 *
76 * TODO:
77 * - SSL_CTX_set_session_cache_mode()
78 * - SSL_CTX_set_alpn_select_cb()
79 * - SSL_CTX_set_tlsext_ticket_key_cb()
80 * - SSL_CTX_set_tlsext_servername_callback() for SNI
81 * - SSL_CTX_set_cert_verify_callback() vs. SSL_CTX_set_verify()
82 *
83 */
85 public:
/**
 * whether the TLS context allows changing the elliptic-curves list.
 *
 * Compile-time gate on OPENSSL_VERSION_NUMBER; it does not probe the
 * library at runtime.
 *
 * NOTE(review): the gate assumes OpenSSL's version-number scheme; forks
 * that report a different OPENSSL_VERSION_NUMBER (e.g. LibreSSL) may not
 * match it — confirm if such builds are supported.
 *
 * @returns if curves_list() is supported.
 * @retval false curves_list() is not supported (OpenSSL older than 1.0.2)
 * @see curves_list()
 */
static constexpr bool has_set_curves_list() {
  // setting a curves list needs OpenSSL 1.0.2 or later.
  constexpr long kFirstVersionWithCurvesList = 0x1000200fL;  // 1.0.2
  return OPENSSL_VERSION_NUMBER >= kFirstVersionWithCurvesList;
}
96
/**
 * whether the TLS context allows setting cipher-suites (TLSv1.3 and later).
 *
 * Compile-time gate on OPENSSL_VERSION_NUMBER, in the same style as
 * has_set_curves_list(); it does not probe the library at runtime.
 *
 * @returns if cipher_suites() is supported.
 * @retval false cipher_suites() is not supported (OpenSSL older than 1.1.1)
 */
static constexpr bool has_set_cipher_suites() {
  // TLSv1.3 cipher-suites arrived with OpenSSL 1.1.1.
  constexpr long kFirstVersionWithCipherSuites = 0x1010100fL;  // 1.1.1
  return OPENSSL_VERSION_NUMBER >= kFirstVersionWithCipherSuites;
}
107
/**
 * whether the TLS context allows getting the cipher-list.
 *
 * Compile-time gate on OPENSSL_VERSION_NUMBER, in the same style as
 * has_set_curves_list(); it does not probe the library at runtime.
 *
 * @returns if cipher_list() is supported.
 * @retval false cipher_list() is not supported (OpenSSL older than 1.1.0)
 * @see cipher_list()
 */
static constexpr bool has_get_cipher_list() {
  // reading the cipher-list needs OpenSSL 1.1.0 or later.
  constexpr long kFirstVersionWithGetCipherList = 0x1010000fL;  // 1.1.0
  return OPENSSL_VERSION_NUMBER >= kFirstVersionWithGetCipherList;
}
118
119 /**
120 * construct a TlsContext based on the SSL_METHODs provided by openssl.
121 */
122 explicit TlsContext(const SSL_METHOD *method);
123
124 /**
125 * set CA file and CA directory.
126 *
127 * Search-order:
128 *
129 * 1. ca_file (if not empty)
130 * 2. all PEMs in ca_dir (if not empty)
131 *
132 * @see SSL_CTX_load_verify_locations
133 *
134 * @param ca_file path to a PEM file containing a certificate of a CA, ignored
135 * if empty()
 136 * @param ca_path path to a directory of PEM files containing certificates of
 137 * CAs, ignored if empty()
138 *
139 * @returns success
140 * @retval false if both ca_file and ca_path are empty
141 */
142 stdx::expected<void, std::error_code> ssl_ca(const std::string &ca_file,
143 const std::string &ca_path);
144
145 /**
146 * set CRL file and CRL directory.
147 *
148 * Search-order:
149 *
150 * 1. crl_file (if not empty)
151 * 2. all PEMs in crl_dir (if not empty)
152 *
153 * @see X509_STORE_load_locations
154 *
 155 * @param crl_file path to a PEM file containing a CRL,
 156 * ignored if empty()
 157 * @param crl_path path to a directory of PEM files containing CRLs,
 158 * ignored if empty()
 159 *
 160 * @returns success
 161 * @retval false if both crl_file and crl_path are empty
162 */
163 stdx::expected<void, std::error_code> crl(const std::string &crl_file,
164 const std::string &crl_path);
165
/**
 * get non-owning pointer to the wrapped SSL_CTX.
 *
 * The SSL_CTX remains owned by this TlsContext: ssl_ctx_ releases it with
 * SSL_CTX_free, so callers must neither free the returned pointer nor use
 * it after the TlsContext is destroyed.
 *
 * @returns the wrapped SSL_CTX, or nullptr if none is held.
 */
SSL_CTX *get() const {
  SSL_CTX *const raw_ctx = ssl_ctx_.get();
  return raw_ctx;
}
170
171 /**
172 * set the supported TLS version range.
173 */
174 stdx::expected<void, std::error_code> version_range(TlsVersion min_version,
175 TlsVersion max_version);
176
177 /**
178 * get the min TLS version.
179 */
180 TlsVersion min_version() const;
181
182 /**
 183 * init elliptic curves for DH ciphers for Perfect Forward Secrecy.
 184 *
 185 * @note uses P-521, P-384 or P-256 (the RFC 5480 curves)
 186 * @see RFC 5480
 187 * @see has_set_curves_list()
188 *
189 * @param curves colon-separated names of curves
190 * @throws TlsError
191 * @throws std::invalid_argument if API isn't supported
192 * @see has_set_curves_list()
193 */
194 stdx::expected<void, std::error_code> curves_list(const std::string &curves);
195
196 /**
197 * get current cipher-list.
198 *
199 * @throws std::invalid_argument if API isn't supported
200 * @see has_get_cipher_list()
201 */
202 std::vector<std::string> cipher_list() const;
203
204 using InfoCallback = void (*)(const SSL *, int, int);
205
206 /**
207 * set info callback.
208 */
209 void info_callback(InfoCallback);
210
211 /**
212 * get info callback
213 */
214 InfoCallback info_callback() const;
215
216 /**
217 * get security_level.
218 */
219 int security_level() const;
220
221 /**
 222 * get the number of session-cache hits (sessions reused).
223 */
224 long session_cache_hits() const;
225
226 protected:
227 std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)> ssl_ctx_{nullptr,
228 &SSL_CTX_free};
229};
230
231#endif