137 lines
3.3 KiB
C++
137 lines
3.3 KiB
C++
/*
|
|
* Copyright (c) 2018 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl11.
|
|
*
|
|
* Change Date: 2022-01-01
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
#pragma once
|
|
|
|
/**
|
|
* @file ssl.hh
|
|
*
|
|
* The SSL definitions for MaxScale
|
|
*/
|
|
|
|
#include <maxscale/ccdefs.hh>
|
|
|
|
#include <maxscale/protocol.hh>
|
|
#include <maxscale/modinfo.h>
|
|
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/dh.h>
|
|
|
|
struct DCB;
|
|
class MXS_CONFIG_PARAMETER;
|
|
|
|
enum ssl_method_type_t
|
|
{
|
|
#ifndef OPENSSL_1_1
|
|
SERVICE_TLS10,
|
|
#endif
|
|
#ifdef OPENSSL_1_0
|
|
SERVICE_TLS11,
|
|
SERVICE_TLS12,
|
|
#endif
|
|
SERVICE_SSL_MAX,
|
|
SERVICE_TLS_MAX,
|
|
SERVICE_SSL_TLS_MAX,
|
|
SERVICE_SSL_UNKNOWN
|
|
};
|
|
|
|
const char* ssl_method_type_to_string(ssl_method_type_t method_type);
|
|
ssl_method_type_t string_to_ssl_method_type(const char* str);
|
|
|
|
/**
|
|
* Return codes for SSL authentication checks
|
|
*/
|
|
#define SSL_AUTH_CHECKS_OK 0
|
|
#define SSL_ERROR_CLIENT_NOT_SSL 1
|
|
#define SSL_ERROR_ACCEPT_FAILED 2
|
|
|
|
extern const MXS_ENUM_VALUE ssl_version_values[];
|
|
|
|
namespace maxscale
|
|
{
|
|
|
|
/**
|
|
* The SSLContext is used to aggregate the SSL configuration and data for a particular object.
|
|
*/
|
|
class SSLContext
|
|
{
|
|
public:
|
|
/**
|
|
* Create a new SSL configuration
|
|
*
|
|
* @param params Parameters from which the SSL configuration is created from
|
|
*
|
|
* @return A new SSL configuration or nullptr on error
|
|
*/
|
|
static SSLContext* create(const MXS_CONFIG_PARAMETER& params);
|
|
|
|
/**
|
|
* Serialize the SSL configuration into a INI file section
|
|
*
|
|
* @return SSLContext as a INI file section
|
|
*/
|
|
std::string serialize() const;
|
|
|
|
/**
|
|
* Opens a new OpenSSL session for this configuration context
|
|
*/
|
|
SSL* open() const
|
|
{
|
|
return SSL_new(m_ctx);
|
|
}
|
|
|
|
// Private key
|
|
const std::string& ssl_key() const
|
|
{
|
|
return m_key;
|
|
}
|
|
|
|
// Public cert
|
|
const std::string& ssl_cert() const
|
|
{
|
|
return m_cert;
|
|
}
|
|
|
|
// Certificate authority
|
|
const std::string& ssl_ca() const
|
|
{
|
|
return m_ca;
|
|
}
|
|
|
|
// Convert to JSON representation
|
|
json_t* to_json() const;
|
|
|
|
// Convert to human readable string representation
|
|
std::string to_string() const;
|
|
|
|
~SSLContext();
|
|
|
|
private:
|
|
SSL_CTX* m_ctx = nullptr;
|
|
SSL_METHOD* m_method = nullptr; /**< SSLv3 or TLS1.0/1.1/1.2 methods
|
|
* see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
|
|
|
|
std::string m_key; /**< SSL private key */
|
|
std::string m_cert; /**< SSL certificate */
|
|
std::string m_ca; /**< SSL CA certificate */
|
|
ssl_method_type_t m_version; /**< Which TLS version to use */
|
|
int m_verify_depth; /**< SSL certificate verification depth */
|
|
bool m_verify_peer; /**< Enable peer certificate verification */
|
|
|
|
SSLContext(const std::string& key, const std::string& cert, const std::string& ca,
|
|
ssl_method_type_t version, int verify_depth, bool verify_peer_cert);
|
|
bool init();
|
|
};
|
|
}
|