MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption…

… library

- Add new submodule for WolfSSL
- Build and use wolfssl and wolfcrypt instead of yassl/taocrypt
- Use HAVE_WOLFSSL instead of HAVE_YASSL
- Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc
(sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)

.gitmodules

@@ -8,3 +8,6 @@
  path = wsrep-lib
  url = https://github.com/codership/wsrep-lib.git
  branch = master
+[submodule "extra/wolfssl/wolfssl"]
+ path = extra/wolfssl/wolfssl
+ url = https://github.com/WolfSSL/wolfssl

CMakeLists.txt

@@ -346,7 +346,7 @@ IF(NOT HAVE_CXX_NEW)
 ENDIF()
 
 # Find header files from the bundled libraries
-# (yassl, readline, pcre, etc)
+# (wolfssl, readline, pcre, etc)
 # before the ones installed in the system
 SET(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)
 
@@ -359,7 +359,7 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/include)
 
 # Add bundled or system zlib.
 MYSQL_CHECK_ZLIB_WITH_COMPRESS()
-# Add bundled yassl/taocrypt or system openssl.
+# Add bundled wolfssl/wolfcrypt or system openssl.
 MYSQL_CHECK_SSL()
 # Add readline or libedit.
 MYSQL_CHECK_READLINE()

cmake/libutils.cmake

@@ -317,7 +317,7 @@ ELSEIF(UNIX)
  ENDIF()
 ENDIF()
 
-# We try to hide the symbols in yassl/zlib to avoid name clashes with
+# We try to hide the symbols in bundled libraries to avoid name clashes with
 # other libraries like openssl.
 FUNCTION(RESTRICT_SYMBOL_EXPORTS target)
  IF(VISIBILITY_HIDDEN_FLAG)

cmake/mariadb_connector_c.cmake

@@ -8,7 +8,7 @@ SET(CONC_WITH_SIGNCODE ${SIGNCODE})
 SET(SIGN_OPTIONS ${SIGNTOOL_PARAMETERS})
 SET(CONC_WITH_EXTERNAL_ZLIB ON)
 
-IF(SSL_DEFINES MATCHES "YASSL")
+IF(SSL_DEFINES MATCHES "WOLFSSL")
  IF(WIN32)
  SET(CONC_WITH_SSL "SCHANNEL")
  ELSE()

cmake/ssl.cmake

@@ -15,7 +15,7 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA
 
 # We support different versions of SSL:
-# - "bundled" uses source code in <source dir>/extra/yassl
+# - "bundled" uses source code in <source dir>/extra/wolfssl
 # - "system" (typically) uses headers/libraries in /usr/lib and /usr/lib64
 # - a custom installation of openssl can be used like this
 # - cmake -DCMAKE_PREFIX_PATH=</path/to/custom/openssl> -DWITH_SSL="system"
@@ -35,7 +35,7 @@
 # 'set path=</path/to/custom/openssl>\bin;%PATH%
 # in order to find the .dll files at runtime.
 
-SET(WITH_SSL_DOC "bundled (use yassl)")
+SET(WITH_SSL_DOC "bundled (use wolfssl)")
 SET(WITH_SSL_DOC
  "${WITH_SSL_DOC}, yes (prefer os library if present, otherwise use bundled)")
 SET(WITH_SSL_DOC
@@ -48,29 +48,19 @@ MACRO (CHANGE_SSL_SETTINGS string)
 ENDMACRO()
 
 MACRO (MYSQL_USE_BUNDLED_SSL)
- SET(INC_DIRS 
- ${CMAKE_SOURCE_DIR}/extra/yassl/include
- ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/include
+ SET(INC_DIRS
+ ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl
+ ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl/wolfssl
  )
- SET(SSL_LIBRARIES yassl taocrypt)
+ SET(SSL_LIBRARIES wolfssl wolfcrypt)
  SET(SSL_INCLUDE_DIRS ${INC_DIRS})
- SET(SSL_INTERNAL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/mySTL)
- SET(SSL_DEFINES "-DHAVE_YASSL -DYASSL_PREFIX -DHAVE_OPENSSL -DMULTI_THREADED")
- SET(HAVE_ERR_remove_thread_state OFF CACHE INTERNAL "yassl doesn't have ERR_remove_thread_state")
- SET(HAVE_EncryptAes128Ctr OFF CACHE INTERNAL "yassl doesn't support AES-CTR")
- SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "yassl doesn't support AES-GCM")
+ SET(SSL_DEFINES "-DHAVE_OPENSSL -DHAVE_WOLFSSL -DOPENSSL_ALL -DWOLFSSL_MYSQL_COMPATIBLE -DWC_NO_HARDEN")
+ SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
+ SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
+ SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
+ SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
  CHANGE_SSL_SETTINGS("bundled")
- ADD_SUBDIRECTORY(extra/yassl)
- ADD_SUBDIRECTORY(extra/yassl/taocrypt)
- GET_TARGET_PROPERTY(src yassl SOURCES)
- FOREACH(file ${src})
- SET(SSL_SOURCES ${SSL_SOURCES} ${CMAKE_SOURCE_DIR}/extra/yassl/${file})
- ENDFOREACH()
- GET_TARGET_PROPERTY(src taocrypt SOURCES)
- FOREACH(file ${src})
- SET(SSL_SOURCES ${SSL_SOURCES}
- ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/${file})
- ENDFOREACH()
+ ADD_SUBDIRECTORY(extra/wolfssl)
  MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
 ENDMACRO()
 
@@ -155,6 +145,8 @@ MACRO (MYSQL_CHECK_SSL)
  HAVE_EncryptAes128Ctr)
  CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
  HAVE_EncryptAes128Gcm)
+ CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
+ HAVE_X509_check_host)
  SET(CMAKE_REQUIRED_INCLUDES)
  SET(CMAKE_REQUIRED_LIBRARIES)
  ELSE()

config.h.cmake

@@ -380,6 +380,7 @@
 #cmakedefine HAVE_SVR3_SIGNALS 1
 #cmakedefine HAVE_V7_SIGNALS 1
 #cmakedefine HAVE_ERR_remove_thread_state 1
+#cmakedefine HAVE_X509_check_host 1
 
 #cmakedefine HAVE_SOLARIS_STYLE_GETHOST 1
 

extra/mariabackup/CMakeLists.txt

@@ -52,8 +52,8 @@ ELSE()
  SET(NT_SERVICE_SOURCE)
 ENDIF()
 
-ADD_DEFINITIONS(-DPCRE_STATIC=1 -DHAVE_OPENSSL=1)
-
+ADD_DEFINITIONS(-DPCRE_STATIC=1)
+ADD_DEFINITIONS(${SSL_DEFINES})
 MYSQL_ADD_EXECUTABLE(mariabackup
  xtrabackup.cc
  innobackupex.cc

extra/wolfssl/CMakeLists.txt

@@ -0,0 +1,89 @@
+SET(WOLFSSL_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/src)
+ADD_DEFINITIONS(${SSL_DEFINES})
+ADD_DEFINITIONS(
+ -DHAVE_CRL
+ -DWOLFSSL_MYSQL_COMPATIBLE
+ -DHAVE_ECC
+ -DECC_TIMING_RESISTANT
+ -DBUILDING_WOLFSSL
+ -DHAVE_HASHDRBG
+ -DWOLFSSL_AES_DIRECT
+ -DWOLFSSL_SHA384
+ -DWOLFSSL_SHA512
+ -DWOLFSSL_SHA224
+ -DSESSION_CERT
+ -DKEEP_OUR_CERT
+ -DWOLFSSL_STATIC_RSA
+ -DWC_RSA_BLINDING
+ -DHAVE_TLS_EXTENSIONS
+ -DHAVE_AES_ECB
+ -DWOLFSSL_AES_COUNTER
+ -DNO_WOLFSSL_STUB)
+
+SET(WOLFSSL_SOURCES 
+ ${WOLFSSL_SRCDIR}/crl.c
+ ${WOLFSSL_SRCDIR}/internal.c
+ ${WOLFSSL_SRCDIR}/keys.c
+ ${WOLFSSL_SRCDIR}/tls.c
+ ${WOLFSSL_SRCDIR}/wolfio.c
+ ${WOLFSSL_SRCDIR}/ocsp.c
+ ${WOLFSSL_SRCDIR}/ssl.c)
+ADD_DEFINITIONS(-DWOLFSSL_LIB)
+INCLUDE_DIRECTORIES(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl)
+IF(MSVC)
+ # size_t to long truncation warning
+ SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -wd4267")
+ IF(CMAKE_C_COMPILER_ID MATCHES Clang)
+ # Workaround a bug with clang-cl, see https://github.com/wolfSSL/wolfssl/pull/2090
+ ADD_DEFINITIONS(-DMP_16BIT)
+ ENDIF()
+ENDIF()
+
+ADD_CONVENIENCE_LIBRARY(wolfssl ${WOLFSSL_SOURCES})
+
+# Workaround linker crash with older Ubuntu binutils
+# e.g aborting at ../../bfd/merge.c line 873 in _bfd_merged_section_offset
+IF(CMAKE_SYSTEM_NAME MATCHES "Linux")
+ STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_RELWITHDEBINFO 
+ ${CMAKE_C_FLAGS_RELWITHDEBINFO})
+ STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_DEBUG 
+ ${CMAKE_C_FLAGS_DEBUG})
+ STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_RELWITHDEBINFO 
+ ${CMAKE_C_FLAGS_RELWITHDEBINFO})
+ STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_DEBUG 
+ ${CMAKE_C_FLAGS_DEBUG})
+ENDIF()
+
+SET(WOLFCRYPT_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfcrypt/src)
+SET(WOLFCRYPT_SOURCES
+${WOLFCRYPT_SRCDIR}/aes.c
+${WOLFCRYPT_SRCDIR}/arc4.c
+${WOLFCRYPT_SRCDIR}/asn.c
+${WOLFCRYPT_SRCDIR}/coding.c
+${WOLFCRYPT_SRCDIR}/des3.c
+${WOLFCRYPT_SRCDIR}/dh.c
+${WOLFCRYPT_SRCDIR}/dsa.c
+${WOLFCRYPT_SRCDIR}/ecc.c
+${WOLFCRYPT_SRCDIR}/error.c
+${WOLFCRYPT_SRCDIR}/hmac.c
+${WOLFCRYPT_SRCDIR}/integer.c
+${WOLFCRYPT_SRCDIR}/logging.c
+${WOLFCRYPT_SRCDIR}/md4.c
+${WOLFCRYPT_SRCDIR}/md5.c
+${WOLFCRYPT_SRCDIR}/memory.c
+${WOLFCRYPT_SRCDIR}/pkcs12.c
+${WOLFCRYPT_SRCDIR}/pwdbased.c
+${WOLFCRYPT_SRCDIR}/rabbit.c
+${WOLFCRYPT_SRCDIR}/random.c
+${WOLFCRYPT_SRCDIR}/rsa.c
+${WOLFCRYPT_SRCDIR}/sha.c
+${WOLFCRYPT_SRCDIR}/sha256.c
+${WOLFCRYPT_SRCDIR}/sha512.c
+${WOLFCRYPT_SRCDIR}/wc_port.c
+${WOLFCRYPT_SRCDIR}/wc_encrypt.c
+${WOLFCRYPT_SRCDIR}/hash.c
+${WOLFCRYPT_SRCDIR}/wolfmath.c
+)
+
+ADD_CONVENIENCE_LIBRARY(wolfcrypt ${WOLFCRYPT_SOURCES})
+

include/my_global.h

@@ -989,7 +989,6 @@ typedef struct st_mysql_lex_string LEX_STRING;
 #if defined(__WIN__)
 #define socket_errno WSAGetLastError()
 #define SOCKET_EINTR WSAEINTR
-#define SOCKET_EAGAIN WSAEINPROGRESS
 #define SOCKET_ETIMEDOUT WSAETIMEDOUT
 #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK
 #define SOCKET_EADDRINUSE WSAEADDRINUSE

include/mysql/service_my_crypt.h

@@ -45,7 +45,7 @@ extern "C" {
 /* The max key length of all supported algorithms */
 #define MY_AES_MAX_KEY_LENGTH 32
 
-#define MY_AES_CTX_SIZE 512
+#define MY_AES_CTX_SIZE 560
 
 enum my_aes_mode {
  MY_AES_ECB, MY_AES_CBC

include/ssl_compat.h

@@ -17,11 +17,7 @@
 #include <openssl/opensslv.h>
 
 /* OpenSSL version specific definitions */
-#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_X509_check_host 1
-#endif
+#if defined(OPENSSL_VERSION_NUMBER)
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_OPENSSL11 1
@@ -49,27 +45,39 @@
 
 #else
 #define HAVE_OPENSSL10 1
+#ifdef HAVE_WOLFSSL
+#define SSL_LIBRARY "WolfSSL " WOLFSSL_VERSION
+#else
 #define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
+#endif
 
-#ifdef HAVE_ERR_remove_thread_state
+#ifdef HAVE_WOLFSSL
+#undef ERR_remove_state
+#define ERR_remove_state(x) do {} while(0)
+#elif defined (HAVE_ERR_remove_thread_state)
 #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
 #endif /* HAVE_ERR_remove_thread_state */
 
 #endif /* HAVE_OPENSSL11 */
+#endif
 
-#elif defined(HAVE_YASSL)
-#define SSL_LIBRARY "YaSSL " YASSL_VERSION
-#define BN_free(X) do { } while(0)
-#endif /* !defined(HAVE_YASSL) */
+#ifdef HAVE_WOLFSSL
+#define EVP_MD_CTX_SIZE sizeof(wc_Md5)
+#endif
 
 #ifndef HAVE_OPENSSL11
+#ifndef ASN1_STRING_get0_data
 #define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
+#endif
+#ifndef EVP_MD_CTX_SIZE
+#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
+#endif
+
 #define OPENSSL_init_ssl(X,Y) SSL_library_init()
 #define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
 #define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
 #define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
 #define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
-#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
 
 #define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
 #define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)

include/sslopt-case.h

@@ -29,8 +29,8 @@
  One can disable SSL later by using --skip-ssl or --ssl=0
  */
  opt_use_ssl= 1;
- /* crl has no effect in yaSSL */ 
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
+ /* CRL does not work with WolfSSL */ 
  opt_ssl_crl= NULL;
  opt_ssl_crlpath= NULL;
 #endif

mysql-test/main/ssl_7937.test

@@ -22,14 +22,14 @@ create procedure have_ssl()
 
 --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 # this is the test where certificate verification fails.
-# but yassl doesn't support certificate verification, so
-# we fake the test result for yassl
-let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
-if (!$yassl) {
+# but client library may not support certificate verification, so
+# we fake the test result for it. We assume client is openssl, when server is openssl
+let client_supports_cert_verification =`select variable_value not in('Unknown','OFF') from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
+if ($client_supports_cert_verification) {
  --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
  --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 }
-if ($yassl) {
+if (!$client_supports_cert_verification) {
  --echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
 }
 drop procedure have_ssl;

mysql-test/main/ssl_cipher.test

@@ -43,7 +43,7 @@ drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_use
 #
 # Bug#21611 Slave can't connect when master-ssl-cipher specified
 # - Apparently selecting a cipher doesn't work at all
-# - Use a cipher that both yaSSL and OpenSSL supports
+# - Use a cipher that both WolfSSL and OpenSSL supports
 #
 --write_file $MYSQLTEST_VARDIR/tmp/test.sql
 SHOW STATUS LIKE 'Ssl_cipher';

mysql-test/suite.pm

@@ -66,9 +66,14 @@ sub skip_combinations {
  unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
  and $1 ge "1.0.1d" and $1 lt "1.1.1";
 
+ sub x509v3_ok() {
+ return ($::mysqld_variables{'version-ssl-library'} =~ /WolfSSL/) ||
+ ($::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
+ and $1 ge "1.0.2");
+ }
+
  $skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
- unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
- and $1 ge "1.0.2";
+ unless x509v3_ok();
 
  $skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
  unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/

mysys/my_rnd.c

@@ -78,20 +78,11 @@ double my_rnd(struct my_rnd_struct *rand_st)
 
 double my_rnd_ssl(struct my_rnd_struct *rand_st)
 {
-
-#if defined(HAVE_YASSL) || defined(HAVE_OPENSSL)
- int rc;
- unsigned int res;
-
-#if defined(HAVE_YASSL)
- rc= yaSSL::RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
-#else
+#if defined(HAVE_OPENSSL)
  rc= RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
-#endif /* HAVE_YASSL */
-
  if (rc)
  return (double)res / (double)UINT_MAX;
-#endif /* defined(HAVE_YASSL) || defined(HAVE_OPENSSL) */
+#endif /* defined(HAVE_OPENSSL) */
 
  return my_rnd(rand_st);
 }

mysys_ssl/CMakeLists.txt

@@ -36,7 +36,6 @@ SET(MYSYS_SSL_SOURCES
  my_crypt.cc
  )
 
-# We do RESTRICT_SYMBOL_EXPORTS(yassl) elsewhere.
 # In order to get correct symbol visibility, these files
 # must be compiled with "-fvisibility=hidden"
 IF(WITH_SSL STREQUAL "bundled" AND HAVE_VISIBILITY_HIDDEN)