1 // Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
2 //
3 // This program is free software; you can redistribute it and/or modify
4 // it under the terms of the GNU General Public License, version 2.0, as
5 // published by the Free Software Foundation.
6 //
7 // This program is also distributed with certain software (including
8 // but not limited to OpenSSL) that is licensed under separate terms,
9 // as designated in a particular file or component or in included license
10 // documentation. The authors of MySQL hereby grant you an
11 // additional permission to link the program and your derivative works
12 // with the separately licensed software that they have included with
13 // MySQL.
14 //
15 // Without limiting anything contained in the foregoing, this file,
16 // which is part of MySQL Server, is also subject to the
17 // Universal FOSS Exception, version 1.0, a copy of which can be found at
18 // http://oss.oracle.com/licenses/universal-foss-exception.
19 //
20 // This program is distributed in the hope that it will be useful, but
21 // WITHOUT ANY WARRANTY; without even the implied warranty of
22 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
23 // See the GNU General Public License, version 2.0, for more details.
24 //
25 // You should have received a copy of the GNU General Public License
26 // along with this program; if not, write to the Free Software Foundation, Inc.,
27 // 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
28 
29 #ifndef SSLOPT_VARS_INCLUDED
30 #define SSLOPT_VARS_INCLUDED
31 
32 /**
33   @file include/sslopt-vars.h
34 */
35 
36 #include <stdio.h>
37 
38 #include "m_string.h"
39 #include "my_inttypes.h"
40 #include "mysql.h"
41 #include "typelib.h"
42 
43 #if defined(HAVE_OPENSSL)
44 
45 #ifdef MYSQL_SERVER
46 #error This header is supposed to be used only in the client
47 #endif
48 
49 #include <stddef.h>
50 #include <stdio.h>
51 #include <sys/types.h>
52 
53 #include "m_string.h"
54 #include "my_inttypes.h"
55 #include "my_macros.h"
56 #include "mysql.h"
57 #include "typelib.h"
58 
// Option names for --ssl-mode. The order is assumed to match the SSL_MODE_*
// enumeration, since set_client_ssl_options() below compares opt_ssl_mode
// numerically against SSL_MODE_VERIFY_CA. NullS terminates the list.
const char *ssl_mode_names_lib[] = {"DISABLED",  "PREFERRED",       "REQUIRED",
                                    "VERIFY_CA", "VERIFY_IDENTITY", NullS};
// TYPELIB wrapper for --ssl-mode; the count excludes the NullS terminator.
TYPELIB ssl_mode_typelib = {array_elements(ssl_mode_names_lib) - 1, "",
                            ssl_mode_names_lib, NULL};
63 
// Option names for --ssl-fips-mode. When building against wolfSSL only OFF is
// offered; the list is assumed to follow the SSL_FIPS_MODE_* enumeration order.
// NullS terminates the list.
const char *ssl_fips_mode_names_lib[] =
#ifndef HAVE_WOLFSSL
    {"OFF", "ON", "STRICT",
#else
    {"OFF",
#endif
     NullS};
// TYPELIB wrapper for --ssl-fips-mode; the count excludes the NullS terminator.
TYPELIB ssl_fips_mode_typelib = {array_elements(ssl_fips_mode_names_lib) - 1,
                                 "", ssl_fips_mode_names_lib, NULL};
73 
// Storage for the client SSL/TLS command-line option values. This header only
// defines them; they are presumably filled in by the option parser elsewhere.
// String options are unset (0) until a value is given.
static uint opt_ssl_mode = SSL_MODE_PREFERRED;  // --ssl-mode, PREFERRED unless overridden
static char *opt_ssl_ca = 0;       // --ssl-ca     (CA argument to mysql_ssl_set)
static char *opt_ssl_capath = 0;   // --ssl-capath (capath argument to mysql_ssl_set)
static char *opt_ssl_cert = 0;     // --ssl-cert   (cert argument to mysql_ssl_set)
static char *opt_ssl_cipher = 0;   // --ssl-cipher (cipher argument to mysql_ssl_set)
static char *opt_ssl_key = 0;      // --ssl-key    (key argument to mysql_ssl_set)
static char *opt_ssl_crl = 0;      // --ssl-crl     -> MYSQL_OPT_SSL_CRL
static char *opt_ssl_crlpath = 0;  // --ssl-crlpath -> MYSQL_OPT_SSL_CRLPATH
static char *opt_tls_version = 0;  // --tls-version -> MYSQL_OPT_TLS_VERSION
// --ssl-fips-mode -> MYSQL_OPT_SSL_FIPS_MODE.
// NOTE(review): declared ulong while opt_ssl_mode is uint; both are handed to
// mysql_options() by pointer, so confirm the integer width that option reads.
static ulong opt_ssl_fips_mode = SSL_FIPS_MODE_OFF;
// Presumably set by the option parser when --ssl-mode is given explicitly
// rather than defaulted; set_client_ssl_options() only warns about unused CA
// options in that case.
static bool ssl_mode_set_explicitly = false;
85 
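/**
  Apply the client SSL/TLS option values above to a connection handle.

  Prints a warning on stderr when --ssl-mode was set explicitly to a mode
  below VERIFY_CA while --ssl-ca or --ssl-capath was also given: in those
  modes the CA material is withheld from the library, so the server
  certificate is not verified.

  @param mysql  Connection handle to configure; must be non-NULL.

  @return 0 on success. Otherwise the non-zero result of the first failing
          mysql_options() call; the remaining options are then not applied
          and the handle's error state is left for the caller to inspect.
          Callers that ignore the result (the SSL_SET_OPTIONS macro) behave
          exactly as before, so a rejected setting stays silent for them.
*/
static inline int set_client_ssl_options(MYSQL *mysql) {
  if (ssl_mode_set_explicitly && opt_ssl_mode < SSL_MODE_VERIFY_CA &&
      (opt_ssl_ca || opt_ssl_capath)) {
    fprintf(stderr,
            "WARNING: no verification of server certificate will be done. "
            "Use --ssl-mode=VERIFY_CA or VERIFY_IDENTITY.\n");
  }

  /* key, cert and cipher are always passed; ca and capath only in the
     verifying modes (VERIFY_CA and above). */
  const bool verifying = opt_ssl_mode >= SSL_MODE_VERIFY_CA;
  mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert,
                verifying ? opt_ssl_ca : NULL,
                verifying ? opt_ssl_capath : NULL, opt_ssl_cipher);

  /* Apply the remaining options in order, stopping at the first failure so a
     rejected setting is not masked by later successes. Previously every
     result was discarded. */
  int rc = mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
  if (rc != 0) return rc;
  rc = mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
  if (rc != 0) return rc;
  rc = mysql_options(mysql, MYSQL_OPT_TLS_VERSION, opt_tls_version);
  if (rc != 0) return rc;
  rc = mysql_options(mysql, MYSQL_OPT_SSL_MODE, &opt_ssl_mode);
  if (rc != 0) return rc;
  /* NOTE(review): opt_ssl_fips_mode is ulong whereas opt_ssl_mode is uint;
     confirm the width MYSQL_OPT_SSL_FIPS_MODE expects through the pointer. */
  return mysql_options(mysql, MYSQL_OPT_SSL_FIPS_MODE, &opt_ssl_fips_mode);
}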
110 
// Apply the client SSL options to a MYSQL handle. With OpenSSL this expands to
// a call of set_client_ssl_options(). Note the expansion already ends in a
// semicolon, unlike the no-SSL variant below, so `SSL_SET_OPTIONS(m);` yields
// an extra empty statement here; harmless on its own, but not safe as the
// unbraced body of an if/else.
#define SSL_SET_OPTIONS(mysql) set_client_ssl_options(mysql);
#else
// No SSL support compiled in: the options do not apply and the macro is a
// no-op statement that still requires the caller's trailing semicolon.
#define SSL_SET_OPTIONS(mysql) \
  do {                         \
  } while (0)
#endif /* HAVE_OPENSSL */
117 #endif /* SSLOPT_VARS_INCLUDED */
118