1 // Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
2 //
3 // This program is free software; you can redistribute it and/or modify
4 // it under the terms of the GNU General Public License, version 2.0, as
5 // published by the Free Software Foundation.
6 //
7 // This program is also distributed with certain software (including
8 // but not limited to OpenSSL) that is licensed under separate terms,
9 // as designated in a particular file or component or in included license
10 // documentation. The authors of MySQL hereby grant you an
11 // additional permission to link the program and your derivative works
12 // with the separately licensed software that they have included with
13 // MySQL.
14 //
15 // Without limiting anything contained in the foregoing, this file,
16 // which is part of MySQL Server, is also subject to the
17 // Universal FOSS Exception, version 1.0, a copy of which can be found at
18 // http://oss.oracle.com/licenses/universal-foss-exception.
19 //
20 // This program is distributed in the hope that it will be useful, but
21 // WITHOUT ANY WARRANTY; without even the implied warranty of
22 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
23 // See the GNU General Public License, version 2.0, for more details.
24 //
25 // You should have received a copy of the GNU General Public License
26 // along with this program; if not, write to the Free Software Foundation, Inc.,
27 // 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
28
29 #ifndef SSLOPT_VARS_INCLUDED
30 #define SSLOPT_VARS_INCLUDED
31
/**
  @file include/sslopt-vars.h
  Client-side storage for the --ssl-* / --tls-version command-line options and
  the helper (set_client_ssl_options(), reached via SSL_SET_OPTIONS()) that
  applies them to a MYSQL connection handle.  Client-only: including this
  header from server code is a compile error.
*/
35
36 #include <stdio.h>
37
38 #include "m_string.h"
39 #include "my_inttypes.h"
40 #include "mysql.h"
41 #include "typelib.h"
42
43 #if defined(HAVE_OPENSSL)
44
45 #ifdef MYSQL_SERVER
46 #error This header is supposed to be used only in the client
47 #endif
48
49 #include <stddef.h>
50 #include <stdio.h>
51 #include <sys/types.h>
52
53 #include "m_string.h"
54 #include "my_inttypes.h"
55 #include "my_macros.h"
56 #include "mysql.h"
57 #include "typelib.h"
58
/*
  Names accepted by --ssl-mode.  NullS terminates the list so the entry count
  can be derived from the array size.  Presumably the option parser maps the
  index into this table onto the matching SSL_MODE_* value -- confirm against
  the parser.  Only the last two modes cause set_client_ssl_options() to pass
  CA material on; the earlier ones do not verify the server certificate.
*/
const char *ssl_mode_names_lib[] = {"DISABLED", "PREFERRED", "REQUIRED",
                                    "VERIFY_CA", "VERIFY_IDENTITY", NullS};
/* TYPELIB view of the table for the option parser; the -1 excludes the NullS
   sentinel from the count. */
TYPELIB ssl_mode_typelib = {array_elements(ssl_mode_names_lib) - 1, "",
                            ssl_mode_names_lib, NULL};
63
/*
  Names accepted by --ssl-fips-mode.  Builds against wolfSSL expose only
  "OFF", so ON/STRICT are presumably rejected by the option parser there
  rather than silently accepted and ignored -- verify against the parser.
  NullS terminates the list.
*/
const char *ssl_fips_mode_names_lib[] =
#ifndef HAVE_WOLFSSL
    {"OFF", "ON", "STRICT",
#else
    {"OFF",
#endif
     NullS};
/* TYPELIB view of the table; the -1 excludes the NullS sentinel. */
TYPELIB ssl_fips_mode_typelib = {array_elements(ssl_fips_mode_names_lib) - 1,
                                 "", ssl_fips_mode_names_lib, NULL};
73
/*
  Storage for the parsed --ssl-* / --tls-version client options, consumed by
  set_client_ssl_options().  Presumably filled in by the option parser (see
  ssl_mode_set_explicitly); pointers stay NULL when an option was not given.
*/

/* --ssl-mode and whether it came from the command line rather than this
   default.  NOTE(review): the default PREFERRED is below VERIFY_CA, so
   set_client_ssl_options() drops any CA material and the server certificate
   is not verified unless the user asks for VERIFY_CA/VERIFY_IDENTITY. */
static uint opt_ssl_mode = SSL_MODE_PREFERRED;
static bool ssl_mode_set_explicitly = false;

/* --ssl-fips-mode; OFF unless requested. */
static ulong opt_ssl_fips_mode = SSL_FIPS_MODE_OFF;

/* Client key/certificate and trust anchors:
   --ssl-key, --ssl-cert, --ssl-ca, --ssl-capath. */
static char *opt_ssl_key = NULL;
static char *opt_ssl_cert = NULL;
static char *opt_ssl_ca = NULL;
static char *opt_ssl_capath = NULL;

/* Revocation data: --ssl-crl, --ssl-crlpath. */
static char *opt_ssl_crl = NULL;
static char *opt_ssl_crlpath = NULL;

/* Negotiation restrictions: --ssl-cipher, --tls-version. */
static char *opt_ssl_cipher = NULL;
static char *opt_tls_version = NULL;
85
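/*
  Report a setting the client library refused to accept.

  @param rc    Return value of mysql_options()/mysql_ssl_set(); non-zero means
               the value was not applied.
  @param what  Option name(s) for the message.

  A rejected value is not fatal here because SSL_SET_OPTIONS() callers expect
  a void statement, but it must not go unnoticed: the connection would
  otherwise proceed with the library default, which may be weaker than what
  the user requested.
*/
static inline void ssl_option_warn_if_rejected(int rc, const char *what) {
  if (rc != 0) {
    fprintf(stderr,
            "WARNING: could not apply %s; the connection will use the "
            "library default instead.\n",
            what);
  }
}

/**
  Apply the parsed --ssl-* / --tls-version client options to a connection
  handle, before mysql_real_connect() is called.

  @param mysql  Connection handle to configure; must not be NULL.

  CA material (--ssl-ca / --ssl-capath) is only handed to the library when
  --ssl-mode is VERIFY_CA or VERIFY_IDENTITY, since no weaker mode checks the
  server certificate against it.  If the user explicitly chose such a weaker
  mode together with CA options, a warning is printed so the absent
  verification is not silently assumed.  (When the mode was NOT set
  explicitly and CA options are present nothing is printed here; presumably
  the option parser has already raised the mode -- verify against the parser.)

  Every library call is now checked: a value this build cannot honour (for
  example an unsupported --tls-version or --ssl-fips-mode) is reported on
  stderr instead of being dropped silently.  The function stays void for
  compatibility with SSL_SET_OPTIONS(); callers that need to fail closed must
  validate their options before connecting.
*/
static inline void set_client_ssl_options(MYSQL *mysql) {
  /* Only VERIFY_CA and VERIFY_IDENTITY verify the server certificate. */
  const int verify_server_cert = opt_ssl_mode >= SSL_MODE_VERIFY_CA;

  if (ssl_mode_set_explicitly && !verify_server_cert &&
      (opt_ssl_ca || opt_ssl_capath)) {
    fprintf(stderr,
            "WARNING: no verification of server certificate will be done. "
            "Use --ssl-mode=VERIFY_CA or VERIFY_IDENTITY.\n");
  }

  /* Key, cert, cipher list and -- only when the mode will actually verify
     against it -- the CA file/directory. */
  ssl_option_warn_if_rejected(
      mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert,
                    verify_server_cert ? opt_ssl_ca : NULL,
                    verify_server_cert ? opt_ssl_capath : NULL,
                    opt_ssl_cipher),
      "--ssl-key/--ssl-cert/--ssl-ca/--ssl-capath/--ssl-cipher");

  /* Revocation lists, TLS version, mode and FIPS mode are passed regardless
     of the selected mode. */
  ssl_option_warn_if_rejected(
      mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl), "--ssl-crl");
  ssl_option_warn_if_rejected(
      mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath),
      "--ssl-crlpath");
  ssl_option_warn_if_rejected(
      mysql_options(mysql, MYSQL_OPT_TLS_VERSION, opt_tls_version),
      "--tls-version");
  ssl_option_warn_if_rejected(
      mysql_options(mysql, MYSQL_OPT_SSL_MODE, &opt_ssl_mode), "--ssl-mode");
  ssl_option_warn_if_rejected(
      mysql_options(mysql, MYSQL_OPT_SSL_FIPS_MODE, &opt_ssl_fips_mode),
      "--ssl-fips-mode");
}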
110
/*
  Entry point used by the client programs: applies the parsed --ssl-* options
  to a connection handle.  NOTE(review): this expansion carries its own
  trailing ';' while the non-OpenSSL variant below is a do { } while (0)
  statement, so `SSL_SET_OPTIONS(m);` yields an extra empty statement here and
  the two variants are not interchangeable inside an unbraced if/else.
*/
#define SSL_SET_OPTIONS(mysql) set_client_ssl_options(mysql);
#else
/* Without OpenSSL there is nothing to configure; the macro is an empty
   statement so call sites compile unchanged. */
#define SSL_SET_OPTIONS(mysql) \
  do {                         \
  } while (0)
#endif
117 #endif /* SSLOPT_VARS_INCLUDED */
118