1/*
2 Copyright (c) 2018, 2023, Oracle and/or its affiliates.
3
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License, version 2.0,
6 as published by the Free Software Foundation.
7
8 This program is also distributed with certain software (including
9 but not limited to OpenSSL) that is licensed under separate terms,
10 as designated in a particular file or component or in included license
11 documentation. The authors of MySQL hereby grant you an additional
12 permission to link the program and your derivative works with the
13 separately licensed software that they have included with MySQL.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23*/
24
25#ifndef MYSQL_HARNESS_TLS_CONTEXT_INCLUDED
26#define MYSQL_HARNESS_TLS_CONTEXT_INCLUDED
27
29
30#include <memory> // unique_ptr
31#include <string>
32#include <system_error>
33#include <vector>
34
35#ifdef _WIN32
36// include windows headers before openssl/ssl.h
37#include <windows.h>
38#include <winsock2.h>
39#include <ws2tcpip.h>
40#endif
41
42#include <openssl/ssl.h> // SSL_METHOD
43
45
46/**
47 * TLS Versions.
48 *
49 * used for set_min_version.
50 *
51 * @note for now only TLS1.2 is used, but others may be added later.
52 */
54
55/**
56 * Verification of certificates.
57 *
58 * NONE no certificate is verified
59 * PEER verify the cert of the peer
60 */
61enum class TlsVerify { NONE, PEER };
62
64 public:
71};
72
73/**
74 * wraps SSL_CTX.
75 *
76 * TODO:
77 * - SSL_CTX_set_session_cache_mode()
78 * - SSL_CTX_set_alpn_select_cb()
79 * - SSL_CTX_set_tlsext_ticket_key_cb()
80 * - SSL_CTX_set_tlsext_servername_callback() for SNI
81 * - SSL_CTX_set_cert_verify_callback() vs. SSL_CTX_set_verify()
82 *
83 */
85 public:
86 /**
87 * whether the TLS context allows changing the elliptic-curve list.
88 *
89 * @returns if curves_list() is supported.
90 * @retval false curves_list() is not supported
91 */
static constexpr bool has_set_curves_list() {
  // The curves-list API (SSL_CTX_set1_curves_list) is available from
  // OpenSSL 1.0.2 on. This is a compile-time check against the headers the
  // build used; NOTE(review): with a dynamically linked libssl the loaded
  // library could differ — confirm at runtime (OpenSSL_version_num()) if
  // that matters for the deployment.
  constexpr long kMinOpenSslVersion = 0x1000200f;  // 1.0.2
  return OPENSSL_VERSION_NUMBER >= kMinOpenSslVersion;
}
96
97 /**
98 * whether the TLS context allows setting cipher-suites (TLSv1.3 and later).
99 *
100 * @returns if cipher_suites() is supported.
101 * @retval false cipher_suites() is not supported
102 */
static constexpr bool has_set_cipher_suites() {
  // TLSv1.3 cipher-suite configuration (SSL_CTX_set_ciphersuites) exists
  // from OpenSSL 1.1.1 on. Like has_set_curves_list() this reflects the
  // headers at build time, not necessarily the library loaded at runtime.
  constexpr long kMinOpenSslVersion = 0x1010100f;  // 1.1.1
  return OPENSSL_VERSION_NUMBER >= kMinOpenSslVersion;
}
107
108 /**
109 * construct a TlsContext based on the SSL_METHODs provided by openssl.
110 */
111 explicit TlsContext(const SSL_METHOD *method);
112
113 /**
114 * set CA file and CA directory.
115 *
116 * Search-order:
117 *
118 * 1. ca_file (if not empty)
119 * 2. all PEMs in ca_dir (if not empty)
120 *
121 * @see SSL_CTX_load_verify_locations
122 *
123 * @param ca_file path to a PEM file containing a certificate of a CA, ignored
124 * if empty()
125 * @param ca_path path to a directory of PEM files containing certificates
126 * of CAs, ignored if empty()
127 *
128 * @returns success
129 * @retval false if both ca_file and ca_path are empty
130 */
131 stdx::expected<void, std::error_code> ssl_ca(const std::string &ca_file,
132 const std::string &ca_path);
133
134 /**
135 * set CRL file and CRL directory.
136 *
137 * Search-order:
138 *
139 * 1. crl_file (if not empty)
140 * 2. all PEMs in crl_dir (if not empty)
141 *
142 * @see X509_STORE_load_locations
143 *
144 * @param crl_file path to a PEM file containing CRL file,
145 * ignored if empty()
146 * @param crl_path path to a directory of PEM files containing CRL files,
147 * ignored if empty()
148 *
149 * @returns success
150 * @retval false if both crl_file and crl_path are empty
151 */
152 stdx::expected<void, std::error_code> crl(const std::string &crl_file,
153 const std::string &crl_path);
154
155 /**
156 * get non-owning pointer to SSL_CTX.
157 */
SSL_CTX *get() const {
  // Non-owning view: the pointer stays valid only as long as this TlsContext
  // (and therefore ssl_ctx_) is alive; callers must not SSL_CTX_free() it.
  auto *raw_ctx = ssl_ctx_.get();
  return raw_ctx;
}
159
160 /**
161 * set the supported TLS version range.
162 */
163 stdx::expected<void, std::error_code> version_range(TlsVersion min_version,
164 TlsVersion max_version);
165
166 /**
167 * get the min TLS version.
168 */
169 TlsVersion min_version() const;
170
171 /**
172 * init elliptic curves for DH ciphers for Perfect Forward Secrecy.
173 *
174 * @note uses P-521, P-384 or P-256
175 * @see RFC 5480
176 * @see has_curves()
177 *
178 * @param curves colon-separated names of curves
179 * @throws TlsError
180 * @throws std::invalid_argument if API isn't supported
181 * @see has_set_curves_list()
182 */
183 stdx::expected<void, std::error_code> curves_list(const std::string &curves);
184
185 /**
186 * get current cipher-list.
187 */
188 std::vector<std::string> cipher_list() const;
189
190 using InfoCallback = void (*)(const SSL *, int, int);
191
192 /**
193 * set info callback.
194 */
195 void info_callback(InfoCallback);
196
197 /**
198 * get info callback
199 */
200 InfoCallback info_callback() const;
201
202 /**
203 * get security_level.
204 */
205 int security_level() const;
206
207 /**
208 * get session reuse cache hits number
209 */
210 long session_cache_hits() const;
211
212 /**
213 * load key and cert.
214 *
215 * the certificate is verified against the key
216 *
217 * @param private_key_file filename of a PEM file containing a key
218 * @param cert_chain_file filename of a PEM file containing a certificate
219 */
221 const std::string &private_key_file, const std::string &cert_chain_file);
222
223 protected:
// Owning handle to the underlying SSL_CTX; released via SSL_CTX_free when
// this object is destroyed. get() hands out a non-owning view of it.
std::unique_ptr<SSL_CTX, decltype(&SSL_CTX_free)> ssl_ctx_{nullptr,
&SSL_CTX_free};
226};
227
228#endif