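/*
 * Copyright (c) 2018 MariaDB Corporation Ab
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file and at www.mariadb.com/bsl11.
 *
 * Change Date: 2022-01-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2 or later of the General
 * Public License.
 */
#pragma once

/**
 * @file ssl.hh
 *
 * The SSL definitions for MaxScale
 */

// NOTE(review): the targets of the seven original #include directives were lost
// when this page was extracted. The standard, OpenSSL and jansson headers below
// cover the names this file uses from them (std::string, std::unique_ptr, SSL,
// SSL_CTX, SSL_METHOD, SSL_new, json_t). The MaxScale header that declares
// MXS_ENUM_VALUE (and the project's common definitions) must be restored from
// the upstream file; the last include is a placeholder for it.
#include <memory>
#include <string>

#include <openssl/ssl.h>
#include <jansson.h>

#include "PLACEHOLDER_maxscale_header_declaring_MXS_ENUM_VALUE.hh"   // placeholder, see note above

struct DCB;
class MXS_CONFIG_PARAMETER;

/**
 * The TLS/SSL protocol version settings a connection can be configured with.
 *
 * Which protocol-specific entries exist depends on the OpenSSL version the
 * build targets (OPENSSL_1_0 / OPENSSL_1_1).
 */
enum ssl_method_type_t
{
#ifndef OPENSSL_1_1
    SERVICE_TLS10,
#endif
#ifdef OPENSSL_1_0
    SERVICE_TLS11,
    SERVICE_TLS12,
#endif
    SERVICE_SSL_MAX,
    SERVICE_TLS_MAX,
    SERVICE_SSL_TLS_MAX,
    SERVICE_SSL_UNKNOWN
};

/**
 * Get the textual name of a TLS version setting
 *
 * @param method_type The version setting to convert
 *
 * @return The name of the setting as a string
 */
const char* ssl_method_type_to_string(ssl_method_type_t method_type);

/**
 * Parse a TLS version setting from its textual name
 *
 * @param str The string to parse
 *
 * @return The matching setting; presumably SERVICE_SSL_UNKNOWN when the string
 *         is not recognized (confirm against the function's definition)
 */
ssl_method_type_t string_to_ssl_method_type(const char* str);

/**
 * Return codes for SSL authentication checks
 *
 * Kept as macros for source compatibility with existing users.
 */
#define SSL_AUTH_CHECKS_OK       0
#define SSL_ERROR_CLIENT_NOT_SSL 1
#define SSL_ERROR_ACCEPT_FAILED  2

/** Name/value table of the accepted TLS version settings */
extern const MXS_ENUM_VALUE ssl_version_values[];

// The concrete implementation of the SSLProvider class (hides the dependency on routingworker.hh)
class SSLProviderImp;

namespace maxscale
{

// SSL configuration
struct SSLConfig
{
    SSLConfig() = default;

    /**
     * Construct an SSL configuration from configuration parameters
     *
     * @param params The parameters the SSL settings are read from
     */
    SSLConfig(const MXS_CONFIG_PARAMETER& params);

    /**
     * Is this an empty configuration?
     *
     * CA must always be defined for non-empty configurations, so the CA
     * certificate alone decides this.
     *
     * @return True if no CA certificate is set
     */
    bool empty() const
    {
        return ca.empty();
    }

    std::string       key;                              /**< SSL private key */
    std::string       cert;                             /**< SSL certificate */
    std::string       ca;                               /**< SSL CA certificate */
    ssl_method_type_t version = SERVICE_SSL_TLS_MAX;    /**< Which TLS version to use */
    int               verify_depth = 9;                 /**< SSL certificate verification depth */
    bool              verify_peer = true;               /**< Enable peer certificate verification */
};

/**
 * The SSLContext is used to aggregate the SSL configuration and data for a particular object.
 *
 * An SSLContext owns an OpenSSL SSL_CTX and is therefore not copyable: a copy
 * would free the same SSL_CTX twice when the copies are destroyed.
 */
class SSLContext
{
public:
    /**
     * Create a new SSL configuration
     *
     * @param params Parameters from which the SSL configuration is created from
     *
     * @return A new SSL configuration or nullptr on error
     */
    static std::unique_ptr<SSLContext> create(const MXS_CONFIG_PARAMETER& params);

    // Owns a raw SSL_CTX*; copying would double-free it in ~SSLContext().
    SSLContext(const SSLContext&) = delete;
    SSLContext& operator=(const SSLContext&) = delete;

    /**
     * Serialize the SSL configuration into a INI file section
     *
     * @return SSLContext as a INI file section
     */
    std::string serialize() const;

    /**
     * Opens a new OpenSSL session for this configuration context
     *
     * The session inherits the settings of this context's SSL_CTX. Ownership
     * of the returned object passes to the caller, who must release it with
     * SSL_free().
     *
     * @return A new SSL object, or nullptr if OpenSSL could not create one
     */
    SSL* open() const
    {
        return SSL_new(m_ctx);
    }

    // SSL configuration
    const SSLConfig& config() const
    {
        return m_cfg;
    }

    // Convert to JSON representation
    json_t* to_json() const;

    // Convert to human readable string representation
    std::string to_string() const;

    ~SSLContext();

private:
    SSL_CTX*    m_ctx = nullptr;
    SSL_METHOD* m_method = nullptr;     /**< SSLv3 or TLS1.0/1.1/1.2 methods
                                         * see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
    SSLConfig   m_cfg;

    // Instances are only created through create(), which presumably calls init()
    // and discards the object if it fails — confirm against the definition.
    explicit SSLContext(const SSLConfig& cfg);
    bool init();
};

// A SSL connection provider (incoming or outgoing). Used by servers and listeners.
class SSLProvider
{
public:
    /** The SSL configuration of the current context */
    const SSLConfig& config() const;

    /** The current SSL context; may be nullptr if none has been set */
    SSLContext* context() const;

    /**
     * Replace the SSL context
     *
     * @param ssl The new context, ownership is transferred to the provider
     */
    void set_context(std::unique_ptr<SSLContext> ssl);

    /**
     * Create a provider from an initial context
     *
     * @param context The initial context, ownership is transferred to the provider
     */
    SSLProvider(std::unique_ptr<SSLContext>&& context);

    // Defined out of line: destroying the unique_ptr below needs the complete
    // SSLProviderImp type, which this header only forward-declares.
    ~SSLProvider();

private:
    std::unique_ptr<SSLProviderImp> m_imp;
};
}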