
/**
 *    Copyright (C) 2018-present MongoDB, Inc.
 *
 *    This program is free software: you can redistribute it and/or modify
 *    it under the terms of the Server Side Public License, version 1,
 *    as published by MongoDB, Inc.
 *
 *    This program is distributed in the hope that it will be useful,
 *    but WITHOUT ANY WARRANTY; without even the implied warranty of
 *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *    Server Side Public License for more details.
 *
 *    You should have received a copy of the Server Side Public License
 *    along with this program. If not, see
 *    <http://www.mongodb.com/licensing/server-side-public-license>.
 *
 *    As a special exception, the copyright holders give permission to link the
 *    code of portions of this program with the OpenSSL library under certain
 *    conditions as described in each individual source file and distribute
 *    linked combinations including the program with the OpenSSL library. You
 *    must comply with the Server Side Public License in all respects for
 *    all of the code used other than as permitted herein. If you modify file(s)
 *    with this exception, you may extend this exception to your version of the
 *    file(s), but you are not obligated to do so. If you do not wish to do so,
 *    delete this exception statement from your version. If you delete this
 *    exception statement from all source files in the program, then also delete
 *    it in the license file.
 */

31 #pragma once
32 
33 #include "mongo/util/net/ssl_manager.h"
34 
35 #include <boost/optional.hpp>
36 #include <map>
37 #include <set>
38 #include <vector>
39 
40 #include "mongo/base/status.h"
41 #include "mongo/crypto/sha256_block.h"
42 #include "mongo/db/auth/role_name.h"
43 
44 namespace mongo {
45 
46 namespace optionenvironment {
47 class OptionSection;
48 class Environment;
49 }  // namespace optionenvironment
50 
/**
 * TLS/SSL configuration populated from command-line options and server parameters.
 *
 * Each member's trailing comment names the option or --setParameter it is filled
 * from. Only sslMode is an AtomicInt32; every other member is a plain value that
 * option parsing writes once, so readers should not assume atomic updates for them.
 */
struct SSLParams {
    // Keyed by a certificate digest (SHA256Block), valued by a set of RoleName.
    // NOTE(review): presumably the roles a certificate chaining to that CA may be
    // granted (tlsCATrusts server parameter) — confirm against the consumer.
    using TLSCATrusts = std::map<SHA256Block, std::set<RoleName>>;

    // Protocol versions that can be named in sslDisabledProtocols / tlsLogVersions.
    // Nothing in this header disables TLS1_0 or TLS1_1 by default; any such policy
    // lives with the option parsing / SSL manager, not here.
    enum class Protocols { TLS1_0, TLS1_1, TLS1_2, TLS1_3 };
    AtomicInt32 sslMode;            // --sslMode - the TLS operation mode, see enum SSLModes
    std::string sslPEMTempDHParam;  // --setParameter OpenSSLDiffieHellmanParameters=file : PEM file
                                    // with DH parameters.
    std::string sslPEMKeyFile;      // --sslPEMKeyFile
    // Key passphrases are held as plain std::string, which is not wiped on
    // destruction or reallocation; they stay readable in process memory and in
    // core dumps for the lifetime of the process.
    std::string sslPEMKeyPassword;  // --sslPEMKeyPassword
    std::string sslClusterFile;     // --sslInternalKeyFile
    std::string sslClusterPassword;  // --sslInternalKeyPassword
    std::string sslCAFile;           // --sslCAFile
    std::string sslClusterCAFile;    // --sslClusterCAFile
    std::string sslCRLFile;          // --sslCRLFile
    std::string sslCipherConfig;     // --sslCipherConfig

    // Unset (boost::none) unless the tlsCATrusts parameter was supplied.
    boost::optional<TLSCATrusts> tlsCATrusts;  // --setParameter tlsCATrusts

    std::vector<Protocols> sslDisabledProtocols;  // --sslDisabledProtocols
    std::vector<Protocols> tlsLogVersions;        // --tlsLogVersion
    // sslWeakCertificateValidation, sslAllowInvalidCertificates and
    // sslAllowInvalidHostnames are each named for the peer-certificate check they
    // relax. All default to false (full validation); a deployment that enables any
    // of them is trading authentication of the peer for connectivity, so treat a
    // true value as security-relevant in configuration review.
    bool sslWeakCertificateValidation = false;    // --sslWeakCertificateValidation
    bool sslFIPSMode = false;                     // --sslFIPSMode
    bool sslAllowInvalidCertificates = false;     // --sslAllowInvalidCertificates
    bool sslAllowInvalidHostnames = false;        // --sslAllowInvalidHostnames
    // Logging/warning suppressions: they change what is reported, not what is
    // enforced. Keep them off where non-TLS connections should remain visible.
    bool disableNonSSLConnectionLogging =
        false;  // --setParameter disableNonSSLConnectionLogging=true
    bool suppressNoTLSPeerCertificateWarning =
        false;  // --setParameter suppressNoTLSPeerCertificateWarning
    bool tlsWithholdClientCertificate = false;  // --setParameter tlsWithholdClientCertificate

    /**
     * Starts with TLS disabled (SSLMode_disabled); every other member keeps its
     * in-class or value-initialized default until option parsing stores into it.
     */
    SSLParams() {
        sslMode.store(SSLMode_disabled);
    }

    /**
     * Operation modes stored in sslMode. Left as an unscoped enum on purpose: the
     * enumerators are stored into the AtomicInt32 as integers (see the constructor).
     * Modes are listed from least to most strict.
     */
    enum SSLModes {
        /**
        * Make unencrypted outgoing connections and do not accept incoming SSL-connections.
        */
        SSLMode_disabled,

        /**
        * Make unencrypted outgoing connections and accept both unencrypted and SSL-connections.
        */
        SSLMode_allowSSL,

        /**
        * Make outgoing SSL-connections and accept both unencrypted and SSL-connections.
        */
        SSLMode_preferSSL,

        /**
        * Make outgoing SSL-connections and only accept incoming SSL-connections.
        * The only mode in which every accepted connection is encrypted.
        */
        SSLMode_requireSSL
    };
};
107 
/**
 * Process-wide TLS settings. Declared here, defined in the corresponding .cpp;
 * the storeSSL*Options functions below are the expected writers.
 */
extern SSLParams sslGlobalParams;

/**
 * Adds the server-side TLS options to `options`.
 * @return Status of the registration.
 */
Status addSSLServerOptions(mongo::optionenvironment::OptionSection* options);

/**
 * Adds the client-side TLS options to `options`.
 * @return Status of the registration.
 */
Status addSSLClientOptions(mongo::optionenvironment::OptionSection* options);

/**
 * Stores the server-side TLS options already parsed into `params`.
 * NOTE(review): the intended call order among canonicalize, validate and store is
 * not documented here — confirm in the definition before relying on it.
 */
Status storeSSLServerOptions(const mongo::optionenvironment::Environment& params);

/**
 * Canonicalize SSL options for the given environment that have different representations with
 * the same logical meaning.
 */
Status canonicalizeSSLServerOptions(mongo::optionenvironment::Environment* params);

/**
 * Validates the server-side TLS options in `params`; a non-OK Status rejects the
 * configuration.
 */
Status validateSSLServerOptions(const mongo::optionenvironment::Environment& params);

/**
 * Stores the client-side TLS options already parsed into `params`.
 */
Status storeSSLClientOptions(const mongo::optionenvironment::Environment& params);
125 }  // namespace mongo
126