1 /* Copyright (c) 2016, 2021, Oracle and/or its affiliates. 2 3 This program is free software; you can redistribute it and/or modify 4 it under the terms of the GNU General Public License, version 2.0, 5 as published by the Free Software Foundation. 6 7 This program is also distributed with certain software (including 8 but not limited to OpenSSL) that is licensed under separate terms, 9 as designated in a particular file or component or in included license 10 documentation. The authors of MySQL hereby grant you an additional 11 permission to link the program and your derivative works with the 12 separately licensed software that they have included with MySQL. 13 14 This program is distributed in the hope that it will be useful, 15 but WITHOUT ANY WARRANTY; without even the implied warranty of 16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 GNU General Public License, version 2.0, for more details. 18 19 You should have received a copy of the GNU General Public License 20 along with this program; if not, write to the Free Software 21 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ 22 23 24 #ifndef XCOM_SSL_TRANSPORT_H 25 #define XCOM_SSL_TRANSPORT_H 26 27 #ifdef XCOM_HAVE_OPENSSL 28 #include "openssl/ssl.h" 29 #include "openssl/err.h" 30 #ifdef __cplusplus 31 extern "C" { 32 #endif 33 34 #ifndef SSL_SUCCESS 35 #define SSL_SUCCESS 1 36 #define SSL_ERROR 0 37 #endif 38 39 /* 40 Possible operation modes as explained further down. If you 41 want to add a new mode, do it before the LAST_SSL_MODE. 42 */ 43 enum ssl_enum_mode_options 44 { 45 INVALID_SSL_MODE= -1, 46 SSL_DISABLED= 1, 47 SSL_PREFERRED, 48 SSL_REQUIRED, 49 SSL_VERIFY_CA, 50 SSL_VERIFY_IDENTITY, 51 LAST_SSL_MODE 52 }; 53 54 /* 55 Return the operation mode as an integer from an operation mode provided 56 as a string. Note that the string must be provided in upper case letters 57 and the possible values are: "DISABLED", "PREFERRED", "REQUIRED", 58 "VERIFY_CA" or "VERIFY_IDENTITY". 59 60 If a different value is provide, INVALID_SSL_MODE (-1) is returned. 61 */ 62 int xcom_get_ssl_mode(const char* mode); 63 64 /* 65 Set the operation mode which might be the following: 66 67 . SSL_DISABLED (1): The SSL mode will be disabled and this is the default 68 value. 69 70 . SSL_PREFERRED (2): The SSL mode will be always disabled if this value is 71 provided and is only allowed to keep the solution compatibility with 72 MySQL server. 73 74 . SSL_REQUIRED (4): The SSL mode will be enabled but the verifications 75 described in the next modes are not performed. 76 77 . SSL_VERIFY_CA (4) - Verify the server TLS certificate against the configured 78 Certificate Authority (CA) certificates. The connection attempt fails if no 79 valid matching CA certificates are found. 80 81 . SSL_VERIFY_IDENTITY (5): Like VERIFY_CA, but additionally verify that the 82 server certificate matches the host to which the connection is attempted. 83 84 If a different value is provide, INVALID_SSL_MODE (-1) is returned. 85 */ 86 int xcom_set_ssl_mode(int mode); 87 88 /* 89 Set the password used by SSL to store keys. If nothing is set, "yassl123" 90 is used by default. The password provided as parameter is copied so the 91 value can be discarded by the caller after the call. 92 */ 93 void xcom_set_default_passwd(char *pw); 94 95 /* 96 Initialize the SSL. 97 98 server_key_file - Path of file that contains the server's X509 key in PEM 99 format. 100 server_cert_file - Path of file that contains the server's X509 certificate in 101 PEM format. 102 client_key_file - Path of file that contains the client's X509 key in PEM 103 format. 104 client_cert_file - Path of file that contains the client's X509 certificate in 105 PEM format. 106 ca_file - Path of file that contains list of trusted SSL CAs. 107 ca_path - Path of directory that contains trusted SSL CA certificates 108 in PEM format. 109 crl_file - Path of file that contains certificate revocation lists. 110 crl_path - Path of directory that contains certificate revocation list 111 files. 112 cipher - List of permitted ciphers to use for connection encryption. 113 tls_version - Protocols permitted for secure connections. 114 115 Note that only the server_key_file/server_cert_file and the client_key_file/ 116 client_cert_file are required and the rest of the pointers can be NULL. 117 If the key is provided along with the certificate, either the key file or 118 the other can be ommited. 119 120 The caller can free the parameters after the call if this is necessary. 121 122 Return 0 if success 1 otherwise. 123 */ 124 int xcom_init_ssl(const char *server_key_file, const char *server_cert_file, 125 const char *client_key_file, const char *client_cert_file, 126 const char *ca_file, const char *ca_path, 127 const char *crl_file, const char *crl_path, 128 const char *cipher, const char *tls_version); 129 130 /* 131 Destroy the SSL Configuration freeing allocated memory. 132 */ 133 void xcom_cleanup_ssl(); 134 void xcom_destroy_ssl(); 135 136 137 /* 138 Return whether the SSL will be used to encrypt data or not. 139 140 Return 1 if it is enabled 0 otherwise. 141 */ 142 int xcom_use_ssl(); 143 144 /* 145 Verify whether the server certificate matches the host to which 146 the connection is attempted. 147 */ 148 int ssl_verify_server_cert(SSL *ssl, const char* server_hostname); 149 150 /* 151 Pointers to the SSL Context for the server and client 152 contexts respectively. 153 */ 154 extern SSL_CTX* server_ctx; 155 extern SSL_CTX* client_ctx; 156 157 #ifdef __cplusplus 158 } 159 #endif 160 #endif /* XCOM_HAVE_OPENSSL */ 161 #endif /* XCOM_SSL_TRANSPORT_H */ 162