1 /* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
2 
3  This program is free software; you can redistribute it and/or modify
4  it under the terms of the GNU General Public License, version 2.0,
5  as published by the Free Software Foundation.
6 
7  This program is also distributed with certain software (including
8  but not limited to OpenSSL) that is licensed under separate terms,
9  as designated in a particular file or component or in included license
10  documentation. The authors of MySQL hereby grant you an additional
11  permission to link the program and your derivative works with the
12  separately licensed software that they have included with MySQL.
13 
14  This program is distributed in the hope that it will be useful,
15  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  GNU General Public License, version 2.0, for more details.
18 
19  You should have received a copy of the GNU General Public License
20  along with this program; if not, write to the Free Software
21  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
22 
23 #ifndef XCOM_SSL_TRANSPORT_H
24 #define XCOM_SSL_TRANSPORT_H
25 
26 #ifndef XCOM_WITHOUT_OPENSSL
27 #ifdef _WIN32
28 /* In OpenSSL before 1.1.0, we need this first. */
29 #include <winsock2.h>
30 #endif /* _WIN32 */
31 
32 #include <openssl/err.h>
33 #include <openssl/ssl.h>
34 
/*
 Result codes used when checking OpenSSL calls. They are defined here only
 if the OpenSSL headers included above did not already supply them (hence
 the guard), so the values must stay in line with OpenSSL's own convention
 of returning 1 for success from SSL_* functions.
*/
#ifndef SSL_SUCCESS
#define SSL_SUCCESS 1
#define SSL_ERROR 0
#endif
39 
40 /*
41  Possible operation modes as explained further down. If you
42  want to add a new mode, do it before the LAST_SSL_MODE.
43 */
52 };
53 
54 /*
55  Possible operation fips modes as explained further down. If you
56  want to add a new ssl fips mode, do it before the LAST_SSL_FIPS_MODE.
57 */
64 };
65 
/*
 Return the operation fips mode as an integer from an operation fips mode
 provided as a string. Note that the string must be provided in upper case
 letters and the possible values are: "OFF", "ON" or "STRICT".

 If a different value is provided, INVALID_SSL_FIPS_MODE (-1) is returned
 (the fips-mode counterpart of INVALID_SSL_MODE).
*/
int xcom_get_ssl_fips_mode(const char *mode);
74 
/*
 Set the operation fips mode, which might be the following:

 . SSL_FIPS_MODE_OFF (0): This will set the openssl fips mode value to 0

 . SSL_FIPS_MODE_ON (1): This will set the openssl fips mode value to 1

 . SSL_FIPS_MODE_STRICT (2): This will set the openssl fips mode value to 2

 If a different value is provided, INVALID_SSL_FIPS_MODE (-1) is returned.

 Whether FIPS mode can actually be turned on depends on the OpenSSL build
 in use, so the caller must not assume success without checking the
 returned value.
*/
87 
/*
 Return the operation mode as an integer from an operation mode provided
 as a string. Note that the string must be provided in upper case letters
 and the possible values are: "DISABLED", "PREFERRED", "REQUIRED",
 "VERIFY_CA" or "VERIFY_IDENTITY".

 If a different value is provided, INVALID_SSL_MODE (-1) is returned.
*/
int xcom_get_ssl_mode(const char *mode);
97 
/*
 Set the operation mode, which might be the following:

 . SSL_DISABLED (1): The SSL mode will be disabled and this is the default
 value.

 . SSL_PREFERRED (2): Accepted only to keep compatibility with the MySQL
 server's option values. In this transport it behaves exactly like
 SSL_DISABLED: SSL is always disabled and connections are NOT encrypted, so
 it must not be relied upon for confidentiality.

 . SSL_REQUIRED (3): SSL is enabled, but none of the verifications described
 in the next modes are performed. Only the channel is encrypted; the
 identity of the remote end is not checked, so an active attacker that
 intercepts the connection is not detected.

 . SSL_VERIFY_CA (4): Verify the server TLS certificate against the configured
 Certificate Authority (CA) certificates. The connection attempt fails if no
 valid matching CA certificates are found.

 . SSL_VERIFY_IDENTITY (5): Like VERIFY_CA, but additionally verify that the
 server certificate matches the host to which the connection is attempted.

 If a different value is provided, INVALID_SSL_MODE (-1) is returned.
*/
int xcom_set_ssl_mode(int mode);
121 
/*
 Initialize the SSL configuration (the server and client contexts).

 server_key_file - Path of file that contains the server's X509 key in PEM
 format.
 server_cert_file - Path of file that contains the server's X509 certificate in
 PEM format.
 client_key_file - Path of file that contains the client's X509 key in PEM
 format.
 client_cert_file - Path of file that contains the client's X509 certificate in
 PEM format.
 ca_file - Path of file that contains list of trusted SSL CAs.
 ca_path - Path of directory that contains trusted SSL CA certificates
 in PEM format.
 crl_file - Path of file that contains certificate revocation lists.
 crl_path - Path of directory that contains certificate revocation list
 files.
 cipher - List of permitted ciphers to use for connection encryption.
 tls_version - Protocols permitted for secure connections.
 tls_ciphersuites - List of permitted ciphersuites. Presumably the TLSv1.3
 suite list, distinct from the pre-1.3 list given in `cipher` -- confirm
 against xcom_ssl_transport.cc.

 Only server_key_file/server_cert_file and client_key_file/client_cert_file
 are required; the remaining pointers may be NULL. When a single PEM file
 holds both the key and the certificate, either the key path or the
 certificate path may be omitted.

 NOTE(review): with ca_file and ca_path both NULL the contexts are given no
 explicit trust anchors, so the SSL_VERIFY_CA and SSL_VERIFY_IDENTITY modes
 can only succeed if the implementation falls back to some default store --
 check xcom_ssl_transport.cc before relying on that.

 The strings are not retained: the caller may free them after the call.

 Returns 0 on success, 1 otherwise.
*/
int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,
 const char *client_key_file, const char *client_cert_file,
 const char *ca_file, const char *ca_path,
 const char *crl_file, const char *crl_path,
 const char *cipher, const char *tls_version,
 const char *tls_ciphersuites);
157 
/*
 Destroy the SSL configuration, freeing allocated memory.

 Two entry points are declared; this header does not say how they differ or
 in which order they are meant to be called -- see their definitions in
 xcom_ssl_transport.cc. After tear-down the server_ctx/client_ctx pointers
 declared below should presumably be treated as invalid.

 NOTE(review): the empty parameter lists are old-style declarations in C
 (not prototypes); `(void)` would be stricter and is harmless from C++.
*/
void xcom_cleanup_ssl();
void xcom_destroy_ssl();
163 
/*
 Return whether SSL will be used to encrypt data or not.

 Since SSL_PREFERRED is documented above as keeping SSL disabled, this is
 expected to report 0 in that mode as well as in SSL_DISABLED.

 Returns 1 if it is enabled, 0 otherwise.
*/
int xcom_use_ssl();
170 
/*
 Verify whether the server certificate presented on `ssl` matches the host
 (`server_hostname`) to which the connection is attempted -- the host-name
 check behind SSL_VERIFY_IDENTITY.

 Nothing here indicates that this also validates the certificate chain
 against the configured CA (the SSL_VERIFY_CA part of the policy); treat it
 as the identity check only, to be used on top of CA verification.

 The return convention is not documented here. Presumably 0 on success and
 non-zero on mismatch or error, matching xcom_init_ssl -- confirm against
 xcom_ssl_transport.cc, and never ignore the result.
*/
int ssl_verify_server_cert(SSL *ssl, const char *server_hostname);
176 
/*
 Pointers to the SSL Context for the server and client
 contexts respectively.

 These are global mutable state shared by every connection. They are
 presumably created by xcom_init_ssl and released by
 xcom_cleanup_ssl/xcom_destroy_ssl (see xcom_ssl_transport.cc); callers
 must not free or replace them independently.
*/
extern SSL_CTX *server_ctx;
extern SSL_CTX *client_ctx;
183 
184 #endif /* !XCOM_WITHOUT_OPENSSL */
185 #endif /* XCOM_SSL_TRANSPORT_H */