1 /* Copyright (c) 2016, 2021, Oracle and/or its affiliates.
2 
3    This program is free software; you can redistribute it and/or modify
4    it under the terms of the GNU General Public License, version 2.0,
5    as published by the Free Software Foundation.
6 
7    This program is also distributed with certain software (including
8    but not limited to OpenSSL) that is licensed under separate terms,
9    as designated in a particular file or component or in included license
10    documentation.  The authors of MySQL hereby grant you an additional
11    permission to link the program and your derivative works with the
12    separately licensed software that they have included with MySQL.
13 
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License, version 2.0, for more details.
18 
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
22 
23 
24 #ifndef XCOM_SSL_TRANSPORT_H
25 #define XCOM_SSL_TRANSPORT_H
26 
27 #ifdef XCOM_HAVE_OPENSSL
28 #include "openssl/ssl.h"
29 #include "openssl/err.h"
30 #ifdef __cplusplus
31 extern "C" {
32 #endif
33 
34 #ifndef SSL_SUCCESS
35 #define SSL_SUCCESS		1
36 #define SSL_ERROR		0
37 #endif
38 
39 /*
40   Possible operation modes as explained further down. If you
41   want to add a new mode, do it before the LAST_SSL_MODE.
42 */
43 enum ssl_enum_mode_options
44 {
45   INVALID_SSL_MODE= -1,
46   SSL_DISABLED= 1,
47   SSL_PREFERRED,
48   SSL_REQUIRED,
49   SSL_VERIFY_CA,
50   SSL_VERIFY_IDENTITY,
51   LAST_SSL_MODE
52 };
53 
54 /*
55   Return the operation mode as an integer from an operation mode provided
56   as a string. Note that the string must be provided in upper case letters
57   and the possible values are: "DISABLED", "PREFERRED", "REQUIRED",
58   "VERIFY_CA" or "VERIFY_IDENTITY".
59 
60   If a different value is provide, INVALID_SSL_MODE (-1) is returned.
61 */
62 int xcom_get_ssl_mode(const char* mode);
63 
64 /*
65   Set the operation mode which might be the following:
66 
67   . SSL_DISABLED (1): The SSL mode will be disabled and this is the default
68     value.
69 
70   . SSL_PREFERRED (2): The SSL mode will be always disabled if this value is
71     provided and is only allowed to keep the solution compatibility with
72     MySQL server.
73 
74   . SSL_REQUIRED (4): The SSL mode will be enabled but the verifications
75     described in the next modes are not performed.
76 
77   . SSL_VERIFY_CA (4) - Verify the server TLS certificate against the configured
78     Certificate Authority (CA) certificates. The connection attempt fails if no
79     valid matching CA certificates are found.
80 
81   . SSL_VERIFY_IDENTITY (5): Like VERIFY_CA, but additionally verify that the
82     server certificate matches the host to which the connection is attempted.
83 
84   If a different value is provide, INVALID_SSL_MODE (-1) is returned.
85 */
86 int xcom_set_ssl_mode(int mode);
87 
88 /*
89   Set the password used by SSL to store keys. If nothing is set, "yassl123"
90   is used by default. The password provided as parameter is copied so the
91   value can be discarded by the caller after the call.
92 */
93 void xcom_set_default_passwd(char *pw);
94 
95 /*
96   Initialize the SSL.
97 
98   server_key_file  - Path of file that contains the server's X509 key in PEM
99                      format.
100   server_cert_file - Path of file that contains the server's X509 certificate in
101                      PEM format.
102   client_key_file  - Path of file that contains the client's X509 key in PEM
103                      format.
104   client_cert_file - Path of file that contains the client's X509 certificate in
105                      PEM format.
106   ca_file          - Path of file that contains list of trusted SSL CAs.
107   ca_path          - Path of directory that contains trusted SSL CA certificates
108                      in PEM format.
109   crl_file         - Path of file that contains certificate revocation lists.
110   crl_path         - Path of directory that contains certificate revocation list
111                      files.
112   cipher           - List of permitted ciphers to use for connection encryption.
113   tls_version      - Protocols permitted for secure connections.
114 
115   Note that only the server_key_file/server_cert_file and the client_key_file/
116   client_cert_file are required and the rest of the pointers can be NULL.
117   If the key is provided along with the certificate, either the key file or
118   the other can be ommited.
119 
120   The caller can free the parameters after the call if this is necessary.
121 
122   Return 0 if success 1 otherwise.
123 */
124 int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,
125                   const char *client_key_file, const char *client_cert_file,
126                   const char *ca_file, const char *ca_path,
127                   const char *crl_file, const char *crl_path,
128                   const char *cipher, const char *tls_version);
129 
130 /*
131   Destroy the SSL Configuration freeing allocated memory.
132 */
133 void xcom_cleanup_ssl();
134 void xcom_destroy_ssl();
135 
136 
137 /*
138   Return whether the SSL will be used to encrypt data or not.
139 
140   Return 1 if it is enabled 0 otherwise.
141 */
142 int xcom_use_ssl();
143 
144 /*
145   Verify whether the server certificate matches the host to which
146   the connection is attempted.
147 */
148 int ssl_verify_server_cert(SSL *ssl, const char* server_hostname);
149 
150 /*
151   Pointers to the SSL Context for the server and client
152   contexts respectively.
153 */
154 extern SSL_CTX*    server_ctx;
155 extern SSL_CTX*    client_ctx;
156 
157 #ifdef __cplusplus
158 }
159 #endif
160 #endif /* XCOM_HAVE_OPENSSL */
161 #endif /* XCOM_SSL_TRANSPORT_H */
162