ff54771cd1
If the SSL configuration of a server was altered successfully, it would overwrite an existing configuration leading to a true memory leak. Converting the SSL_LISTENER structure to a list allows it to store the old configurations without leaking the memory. This has no functional benefits apart from storing references which could aid in debugging. In the future, the discarded configurations could be freed once all connections that use it are closed.
85 lines
2.4 KiB
C
85 lines
2.4 KiB
C
#pragma once
|
|
/*
|
|
* Copyright (c) 2016 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl.
|
|
*
|
|
* Change Date: 2019-07-01
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
|
|
/**
|
|
* @file gw_ssl.h
|
|
*
|
|
* The SSL definitions for MaxScale
|
|
*
|
|
* @verbatim
|
|
* Revision History
|
|
*
|
|
* Date Who Description
|
|
* 27/01/16 Martin Brampton Initial implementation
|
|
*
|
|
* @endverbatim
|
|
*/
|
|
|
|
#include <maxscale/cdefs.h>
|
|
#include <maxscale/gw_protocol.h>
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/dh.h>
|
|
|
|
MXS_BEGIN_DECLS
|
|
|
|
struct dcb;
|
|
|
|
typedef enum ssl_method_type
|
|
{
|
|
SERVICE_TLS10,
|
|
#ifdef OPENSSL_1_0
|
|
SERVICE_TLS11,
|
|
SERVICE_TLS12,
|
|
#endif
|
|
SERVICE_SSL_MAX,
|
|
SERVICE_TLS_MAX,
|
|
SERVICE_SSL_TLS_MAX
|
|
} ssl_method_type_t;
|
|
|
|
/**
|
|
* Return codes for SSL authentication checks
|
|
*/
|
|
#define SSL_AUTH_CHECKS_OK 0
|
|
#define SSL_ERROR_CLIENT_NOT_SSL 1
|
|
#define SSL_ERROR_ACCEPT_FAILED 2
|
|
|
|
/**
|
|
* The ssl_listener structure is used to aggregate the SSL configuration items
|
|
* and data for a particular listener
|
|
*/
|
|
typedef struct ssl_listener
|
|
{
|
|
SSL_CTX *ctx;
|
|
SSL_METHOD *method; /*< SSLv3 or TLS1.0/1.1/1.2 methods
|
|
* see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
|
|
int ssl_cert_verify_depth; /*< SSL certificate verification depth */
|
|
int ssl_method_type; /*< Which of the SSLv3 or TLS1.0/1.1/1.2 methods to use */
|
|
char *ssl_cert; /*< SSL certificate */
|
|
char *ssl_key; /*< SSL private key */
|
|
char *ssl_ca_cert; /*< SSL CA certificate */
|
|
bool ssl_init_done; /*< If SSL has already been initialized for this service */
|
|
struct ssl_listener *next; /*< Next SSL configuration, currently used to store obsolete configurations */
|
|
} SSL_LISTENER;
|
|
|
|
int ssl_authenticate_client(struct dcb *dcb, bool is_capable);
|
|
bool ssl_is_connection_healthy(struct dcb *dcb);
|
|
bool ssl_check_data_to_process(struct dcb *dcb);
|
|
bool ssl_required_by_dcb(struct dcb *dcb);
|
|
bool ssl_required_but_not_negotiated(struct dcb *dcb);
|
|
const char* ssl_method_type_to_string(ssl_method_type_t method_type);
|
|
|
|
MXS_END_DECLS
|