hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5f0d3eb3722e3931d0514f85f405612e9d1b9da
MaxScale/include/maxscale/ssl.hh
Markus Mäkelä c2975d33f8 MXS-2483: Fix dcb.hh includes 
The header depended on ssl.hh to include the OpenSSL headers even though
it used OpenSSL types. By fixing these dependencies the ssl.h header can
now freely include the rworker_local type which removes the need for the
hidden implementation of SSLProvider.
2019-05-24 15:33:18 +03:00

157 lines
4.0 KiB
C++
Raw Blame History

/*
* Copyright (c) 2018 MariaDB Corporation Ab
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file and at www.mariadb.com/bsl11.
*
* Change Date: 2022-01-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2 or later of the General
* Public License.
*/
#pragma once
/**
* @file ssl.hh
*
* The SSL definitions for MaxScale
*/
#include <maxscale/ccdefs.hh>
#include <maxscale/protocol.hh>
#include <maxscale/modinfo.h>
#include <maxscale/routingworker.hh>
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/dh.h>
struct DCB;
class MXS_CONFIG_PARAMETER;
enum ssl_method_type_t
{
#ifndef OPENSSL_1_1
SERVICE_TLS10,
#endif
#ifdef OPENSSL_1_0
SERVICE_TLS11,
SERVICE_TLS12,
#endif
SERVICE_SSL_MAX,
SERVICE_TLS_MAX,
SERVICE_SSL_TLS_MAX,
SERVICE_SSL_UNKNOWN
};
const char* ssl_method_type_to_string(ssl_method_type_t method_type);
ssl_method_type_t string_to_ssl_method_type(const char* str);
/**
* Return codes for SSL authentication checks
*/
#define SSL_AUTH_CHECKS_OK 0
#define SSL_ERROR_CLIENT_NOT_SSL 1
#define SSL_ERROR_ACCEPT_FAILED 2
extern const MXS_ENUM_VALUE ssl_version_values[];
// The concrete implementation of the SSLProvider class (hides the dependency on routingworker.hh)
class SSLProviderImp;
namespace maxscale
{
// SSL configuration
struct SSLConfig
{
SSLConfig() = default;
SSLConfig(const MXS_CONFIG_PARAMETER& params);
// CA must always be defined for non-empty configurations
bool empty() const
{
return ca.empty();
}
std::string key; /**< SSL private key */
std::string cert; /**< SSL certificate */
std::string ca; /**< SSL CA certificate */
ssl_method_type_t version = SERVICE_SSL_TLS_MAX; /**< Which TLS version to use */
int verify_depth = 9; /**< SSL certificate verification depth */
bool verify_peer = true; /**< Enable peer certificate verification */
};
/**
* The SSLContext is used to aggregate the SSL configuration and data for a particular object.
*/
class SSLContext
{
public:
/**
* Create a new SSL configuration
*
* @param params Parameters from which the SSL configuration is created from
*
* @return A new SSL configuration or nullptr on error
*/
static std::unique_ptr<SSLContext> create(const MXS_CONFIG_PARAMETER& params);
/**
* Serialize the SSL configuration into a INI file section
*
* @return SSLContext as a INI file section
*/
std::string serialize() const;
/**
* Opens a new OpenSSL session for this configuration context
*/
SSL* open() const
{
return SSL_new(m_ctx);
}
// SSL configuration
const SSLConfig& config() const
{
return m_cfg;
}
// Convert to JSON representation
json_t* to_json() const;
// Convert to human readable string representation
std::string to_string() const;
~SSLContext();
private:
SSL_CTX* m_ctx = nullptr;
SSL_METHOD* m_method = nullptr; /**< SSLv3 or TLS1.0/1.1/1.2 methods
* see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
SSLConfig m_cfg;
SSLContext(const SSLConfig& cfg);
bool init();
};
// A SSL connection provider (incoming or outgoing). Used by servers and listeners.
class SSLProvider
{
public:
SSLProvider(std::unique_ptr<mxs::SSLContext> context);
const mxs::SSLConfig& config() const;
mxs::SSLContext* context() const;
void set_context(std::unique_ptr<mxs::SSLContext> ssl);
private:
mxs::rworker_local<std::shared_ptr<mxs::SSLContext>> m_context; /**< SSL context */
mxs::SSLConfig m_config; /**< SSL configuration */
};
}
Reference in New Issue View Git Blame Copy Permalink