1 /*
2    Copyright (c) 2015, 2021, Oracle and/or its affiliates.
3 
4    This program is free software; you can redistribute it and/or modify
5    it under the terms of the GNU General Public License, version 2.0,
6    as published by the Free Software Foundation.
7 
8    This program is also distributed with certain software (including
9    but not limited to OpenSSL) that is licensed under separate terms,
10    as designated in a particular file or component or in included license
11    documentation.  The authors of MySQL hereby grant you an additional
12    permission to link the program and your derivative works with the
13    separately licensed software that they have included with MySQL.
14 
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License, version 2.0, for more details.
19 
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
23 */
24 
25 #include "client_priv.h"
26 #include <vector>
27 #include "mysql_connection_options.h"
28 #include "sslopt-vars.h"
29 #include "instance_callback.h"
30 
31 using namespace Mysql::Tools::Base::Options;
32 
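void Mysql_connection_options::Ssl_options::create_options()
{
  /*
    Registers the SSL/TLS command line options of this option group.

    Most options write straight into the client-global variables declared by
    sslopt-vars.h (::opt_ssl_ca, ::opt_ssl_cert, ...). "ssl-mode" and the two
    deprecated switches ("ssl", "ssl-verify-server-cert") land in members of
    this object instead and are folded into ::opt_ssl_mode by their callbacks.
    The whole group is compiled in only with OpenSSL and outside the embedded
    library.

    Each callback object is allocated with new and handed to add_callback();
    the option implementation presumably takes ownership of it -- verify there
    before changing the allocation pattern.

    (A previously declared local Instance_callback that was never used has
    been dropped; the callbacks below create their own instances.)
  */
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
  /*
    mode_option_callback() parses the value and records that the mode was
    chosen explicitly, so the "ssl-ca"/"ssl-capath" callbacks below do not
    silently raise it afterwards.
  */
  this->create_new_option(&this->m_ssl_mode_string, "ssl-mode",
      "SSL connection mode.")
#ifdef MYSQL_CLIENT
    ->add_callback(new Instance_callback<void, char*,
      Mysql_connection_options::Ssl_options>(
        this, &Mysql_connection_options::Ssl_options::mode_option_callback))
#endif
    ;
  /*
    Supplying a CA file or directory implies that the server certificate
    should be verified: ca_option_callback() lifts the mode to VERIFY_CA
    unless --ssl-mode was given explicitly.
  */
  this->create_new_option(&::opt_ssl_ca, "ssl-ca", "CA file in PEM format.")
    ->add_callback(new Instance_callback<void, char*,
      Mysql_connection_options::Ssl_options>(
        this, &Mysql_connection_options::Ssl_options::ca_option_callback));
  this->create_new_option(&::opt_ssl_capath, "ssl-capath", "CA directory.")
    ->add_callback(new Instance_callback<void, char*,
      Mysql_connection_options::Ssl_options>(
        this, &Mysql_connection_options::Ssl_options::ca_option_callback));
  /* Plain value options: no callback, the globals are read by SSL_SET_OPTIONS. */
  this->create_new_option(&::opt_ssl_cert, "ssl-cert",
      "X509 cert in PEM format.");
  this->create_new_option(&::opt_ssl_cipher, "ssl-cipher",
      "SSL cipher to use.");
  this->create_new_option(&::opt_ssl_key, "ssl-key",
      "X509 key in PEM format.");
  this->create_new_option(&::opt_ssl_crl, "ssl-crl",
      "Certificate revocation list.");
  this->create_new_option(&::opt_ssl_crlpath, "ssl-crlpath",
      "Certificate revocation list path.");
  this->create_new_option(&::opt_tls_version, "tls-version",
      "TLS version to use.");

#ifdef MYSQL_CLIENT
  /*
    Deprecated boolean switches, kept for backward compatibility. Their
    callbacks emit a deprecation warning and map the old flag onto the
    closest ::opt_ssl_mode value (see use_ssl_option_callback() and
    ssl_verify_server_cert_callback()).
  */
  this->create_new_option(&this->m_ssl, "ssl",
                          "Deprecated. Use ssl-mode instead.")
    ->add_callback(new Instance_callback<void, char*,
                   Mysql_connection_options::Ssl_options>(
                     this, &Mysql_connection_options::Ssl_options::use_ssl_option_callback));

  this->create_new_option(&this->m_ssl_verify_server_cert, "ssl-verify-server-cert",
                          "Deprecated. Use ssl-mode=VERIFY_IDENTITY instead.")
    ->add_callback(new Instance_callback<void, char*,
                   Mysql_connection_options::Ssl_options>(
                     this,
                     &Mysql_connection_options::Ssl_options::ssl_verify_server_cert_callback));

#endif
#endif /* HAVE_OPENSSL */
}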
85 
86 
void Mysql_connection_options::Ssl_options::ca_option_callback(
  char *argument MY_ATTRIBUTE((unused)))
{
  /*
    Handler for "--ssl-ca" and "--ssl-capath". The option value itself is
    stored by the option machinery; this callback only adjusts the mode.

    An explicit --ssl-mode always wins (ssl_mode_set_explicitly is raised by
    mode_option_callback()), so a user who asked for, say, REQUIRED is not
    silently upgraded. Otherwise, giving a CA implies that the server
    certificate should be checked against it, hence VERIFY_CA.
  */
  if (ssl_mode_set_explicitly)
    return;

  ::opt_ssl_mode= SSL_MODE_VERIFY_CA;
}
93 
94 
void Mysql_connection_options::Ssl_options::mode_option_callback(
  char *argument)
{
  /*
    Handler for "--ssl-mode=<name>": resolves the textual value against
    ssl_mode_typelib and stores the numeric result in ::opt_ssl_mode.

    find_type_or_exit() is, going by its name, expected to terminate the
    client on an unknown value rather than return; confirm in the helper
    before relying on that here. Once the lookup succeeds the mode is
    marked as explicitly chosen, which prevents the "ssl-ca"/"ssl-capath"
    callbacks from overriding it.
  */
  ::opt_ssl_mode= find_type_or_exit(argument, &ssl_mode_typelib, "ssl-mode");

  ssl_mode_set_explicitly= true;
}
101 
102 
/*
  Pushes the collected SSL/TLS settings onto an established client handle.

  @param connection  MYSQL handle to configure before connecting.

  The work is done entirely by the SSL_SET_OPTIONS macro from sslopt-vars.h,
  which reads the ::opt_ssl_* globals populated by the options registered in
  create_options(); this function adds nothing on top of it.
*/
void Mysql_connection_options::Ssl_options::apply_for_connection(
  MYSQL* connection)
{
  SSL_SET_OPTIONS(connection);
}
108 
109 
void Mysql_connection_options::Ssl_options::use_ssl_option_callback(
  char *argument MY_ATTRIBUTE((unused)))
{
  /*
    Handler for the deprecated "--ssl" / "--skip-ssl" switch. Emits the
    deprecation warning and maps the boolean onto ::opt_ssl_mode:

      --skip-ssl  -> SSL_MODE_DISABLED (plaintext connection)
      --ssl       -> at least SSL_MODE_REQUIRED; a stricter mode already
                     selected (VERIFY_CA, VERIFY_IDENTITY) is kept.
  */
  CLIENT_WARN_DEPRECATED("--ssl", "--ssl-mode");

  if (opt_use_ssl_arg)
  {
    /* Only ever tighten; never relax a verification mode the user set. */
    if (opt_ssl_mode < SSL_MODE_REQUIRED)
      opt_ssl_mode= SSL_MODE_REQUIRED;
    return;
  }

  opt_ssl_mode= SSL_MODE_DISABLED;
}
119 
120 
void Mysql_connection_options::Ssl_options::ssl_verify_server_cert_callback(
  char *argument MY_ATTRIBUTE((unused)))
{
  /*
    Handler for the deprecated "--ssl-verify-server-cert" switch. Emits the
    deprecation warning and maps the boolean onto ::opt_ssl_mode:

      --ssl-verify-server-cert       -> SSL_MODE_VERIFY_IDENTITY
      --skip-ssl-verify-server-cert  -> VERIFY_IDENTITY is lowered to
                                        VERIFY_CA (host name check off,
                                        chain check kept); any weaker
                                        mode is left untouched.
  */
  CLIENT_WARN_DEPRECATED("--ssl-verify-server-cert",
                         "--ssl-mode=VERIFY_IDENTITY");

  if (opt_ssl_verify_server_cert_arg)
  {
    opt_ssl_mode= SSL_MODE_VERIFY_IDENTITY;
    return;
  }

  /* Negated form: only step down from full identity verification. */
  if (opt_ssl_mode >= SSL_MODE_VERIFY_IDENTITY)
    opt_ssl_mode= SSL_MODE_VERIFY_CA;
}