MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library

- Add new submodule for WolfSSL
- Build and use wolfssl and wolfcrypt instead of yassl/taocrypt
- Use HAVE_WOLFSSL instead of HAVE_YASSL
- Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc
(sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)

.gitmodules

@@ -8,3 +8,6 @@
 	path = wsrep-lib
 	url = https://github.com/codership/wsrep-lib.git
 	branch = master
+[submodule "extra/wolfssl/wolfssl"]
+	path = extra/wolfssl/wolfssl
+	url = https://github.com/WolfSSL/wolfssl

CMakeLists.txt

@@ -346,7 +346,7 @@ IF(NOT HAVE_CXX_NEW)
 ENDIF()
 
 # Find header files from the bundled libraries
-# (yassl, readline, pcre, etc)
+# (wolfssl, readline, pcre, etc)
 # before the ones installed in the system
 SET(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)
 
@@ -359,7 +359,7 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/include)
 
 # Add bundled or system zlib.
 MYSQL_CHECK_ZLIB_WITH_COMPRESS()
-# Add bundled yassl/taocrypt or system openssl.
+# Add bundled wolfssl/wolfcrypt or system openssl.
 MYSQL_CHECK_SSL()
 # Add readline or libedit.
 MYSQL_CHECK_READLINE()

cmake/libutils.cmake

@@ -317,7 +317,7 @@ ELSEIF(UNIX)
   ENDIF()
 ENDIF()
 
-# We try to hide the symbols in yassl/zlib to avoid name clashes with
+# We try to hide the symbols in bundled libraries to avoid name clashes with
 # other libraries like openssl.
 FUNCTION(RESTRICT_SYMBOL_EXPORTS target)
   IF(VISIBILITY_HIDDEN_FLAG)

cmake/mariadb_connector_c.cmake

@@ -8,7 +8,7 @@ SET(CONC_WITH_SIGNCODE ${SIGNCODE})
 SET(SIGN_OPTIONS ${SIGNTOOL_PARAMETERS})
 SET(CONC_WITH_EXTERNAL_ZLIB ON)
 
-IF(SSL_DEFINES MATCHES "YASSL")
+IF(SSL_DEFINES MATCHES "WOLFSSL")
   IF(WIN32)
     SET(CONC_WITH_SSL "SCHANNEL")
   ELSE()

cmake/ssl.cmake

@@ -15,7 +15,7 @@
 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1335  USA
 
 # We support different versions of SSL:
-# - "bundled" uses source code in <source dir>/extra/yassl
+# - "bundled" uses source code in <source dir>/extra/wolfssl
 # - "system"  (typically) uses headers/libraries in /usr/lib and /usr/lib64
 # - a custom installation of openssl can be used like this
 #     - cmake -DCMAKE_PREFIX_PATH=</path/to/custom/openssl> -DWITH_SSL="system"
@@ -35,7 +35,7 @@
 #   'set path=</path/to/custom/openssl>\bin;%PATH%
 # in order to find the .dll files at runtime.
 
-SET(WITH_SSL_DOC "bundled (use yassl)")
+SET(WITH_SSL_DOC "bundled (use wolfssl)")
 SET(WITH_SSL_DOC
   "${WITH_SSL_DOC}, yes (prefer os library if present, otherwise use bundled)")
 SET(WITH_SSL_DOC
@@ -48,29 +48,19 @@ MACRO (CHANGE_SSL_SETTINGS string)
 ENDMACRO()
 
 MACRO (MYSQL_USE_BUNDLED_SSL)
-  SET(INC_DIRS 
-    ${CMAKE_SOURCE_DIR}/extra/yassl/include
-    ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/include
+  SET(INC_DIRS
+    ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl
+    ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl/wolfssl
   )
-  SET(SSL_LIBRARIES  yassl taocrypt)
+  SET(SSL_LIBRARIES  wolfssl wolfcrypt)
   SET(SSL_INCLUDE_DIRS ${INC_DIRS})
-  SET(SSL_INTERNAL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/mySTL)
-  SET(SSL_DEFINES "-DHAVE_YASSL -DYASSL_PREFIX -DHAVE_OPENSSL -DMULTI_THREADED")
-  SET(HAVE_ERR_remove_thread_state OFF CACHE INTERNAL "yassl doesn't have ERR_remove_thread_state")
-  SET(HAVE_EncryptAes128Ctr OFF CACHE INTERNAL "yassl doesn't support AES-CTR")
-  SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "yassl doesn't support AES-GCM")
+  SET(SSL_DEFINES "-DHAVE_OPENSSL -DHAVE_WOLFSSL  -DOPENSSL_ALL -DWOLFSSL_MYSQL_COMPATIBLE -DWC_NO_HARDEN")
+  SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
+  SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
+  SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
+  SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
   CHANGE_SSL_SETTINGS("bundled")
-  ADD_SUBDIRECTORY(extra/yassl)
-  ADD_SUBDIRECTORY(extra/yassl/taocrypt)
-  GET_TARGET_PROPERTY(src yassl SOURCES)
-  FOREACH(file ${src})
-    SET(SSL_SOURCES ${SSL_SOURCES} ${CMAKE_SOURCE_DIR}/extra/yassl/${file})
-  ENDFOREACH()
-  GET_TARGET_PROPERTY(src taocrypt SOURCES)
-  FOREACH(file ${src})
-    SET(SSL_SOURCES ${SSL_SOURCES}
-      ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/${file})
-  ENDFOREACH()
+  ADD_SUBDIRECTORY(extra/wolfssl)
   MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
 ENDMACRO()
 
@@ -155,6 +145,8 @@ MACRO (MYSQL_CHECK_SSL)
                           HAVE_EncryptAes128Ctr)
       CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
                           HAVE_EncryptAes128Gcm)
+      CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
+                          HAVE_X509_check_host)
       SET(CMAKE_REQUIRED_INCLUDES)
       SET(CMAKE_REQUIRED_LIBRARIES)
     ELSE()

config.h.cmake

@@ -380,6 +380,7 @@
 #cmakedefine HAVE_SVR3_SIGNALS 1
 #cmakedefine HAVE_V7_SIGNALS 1
 #cmakedefine HAVE_ERR_remove_thread_state 1
+#cmakedefine HAVE_X509_check_host 1
 
 #cmakedefine HAVE_SOLARIS_STYLE_GETHOST 1
 

extra/mariabackup/CMakeLists.txt

@@ -52,8 +52,8 @@ ELSE()
   SET(NT_SERVICE_SOURCE)
 ENDIF()
 
-ADD_DEFINITIONS(-DPCRE_STATIC=1 -DHAVE_OPENSSL=1)
-
+ADD_DEFINITIONS(-DPCRE_STATIC=1)
+ADD_DEFINITIONS(${SSL_DEFINES})
 MYSQL_ADD_EXECUTABLE(mariabackup
   xtrabackup.cc
   innobackupex.cc

extra/wolfssl/CMakeLists.txt

+SET(WOLFSSL_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/src)
+ADD_DEFINITIONS(${SSL_DEFINES})
+ADD_DEFINITIONS(
+  -DHAVE_CRL
+  -DWOLFSSL_MYSQL_COMPATIBLE
+  -DHAVE_ECC
+  -DECC_TIMING_RESISTANT
+  -DBUILDING_WOLFSSL
+  -DHAVE_HASHDRBG
+  -DWOLFSSL_AES_DIRECT
+  -DWOLFSSL_SHA384
+  -DWOLFSSL_SHA512
+  -DWOLFSSL_SHA224
+  -DSESSION_CERT
+  -DKEEP_OUR_CERT
+  -DWOLFSSL_STATIC_RSA
+  -DWC_RSA_BLINDING
+  -DHAVE_TLS_EXTENSIONS
+  -DHAVE_AES_ECB
+  -DWOLFSSL_AES_COUNTER
+  -DNO_WOLFSSL_STUB)
+
+SET(WOLFSSL_SOURCES  
+   ${WOLFSSL_SRCDIR}/crl.c
+   ${WOLFSSL_SRCDIR}/internal.c
+   ${WOLFSSL_SRCDIR}/keys.c
+   ${WOLFSSL_SRCDIR}/tls.c
+   ${WOLFSSL_SRCDIR}/wolfio.c
+   ${WOLFSSL_SRCDIR}/ocsp.c
+   ${WOLFSSL_SRCDIR}/ssl.c)
+ADD_DEFINITIONS(-DWOLFSSL_LIB)
+INCLUDE_DIRECTORIES(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl)
+IF(MSVC)
+  # size_t to long truncation warning
+  SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -wd4267")
+  IF(CMAKE_C_COMPILER_ID MATCHES Clang)
+    # Workaround a bug with clang-cl, see https://github.com/wolfSSL/wolfssl/pull/2090
+    ADD_DEFINITIONS(-DMP_16BIT)
+  ENDIF()
+ENDIF()
+
+ADD_CONVENIENCE_LIBRARY(wolfssl ${WOLFSSL_SOURCES})
+
+# Workaround linker crash with older Ubuntu binutils
+# e.g aborting at ../../bfd/merge.c line 873 in _bfd_merged_section_offset
+IF(CMAKE_SYSTEM_NAME MATCHES "Linux")
+  STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_RELWITHDEBINFO 
+   ${CMAKE_C_FLAGS_RELWITHDEBINFO})
+  STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_DEBUG 
+     ${CMAKE_C_FLAGS_DEBUG})
+  STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_RELWITHDEBINFO 
+    ${CMAKE_C_FLAGS_RELWITHDEBINFO})
+  STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_DEBUG 
+     ${CMAKE_C_FLAGS_DEBUG})
+ENDIF()
+
+SET(WOLFCRYPT_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfcrypt/src)
+SET(WOLFCRYPT_SOURCES
+${WOLFCRYPT_SRCDIR}/aes.c
+${WOLFCRYPT_SRCDIR}/arc4.c
+${WOLFCRYPT_SRCDIR}/asn.c
+${WOLFCRYPT_SRCDIR}/coding.c
+${WOLFCRYPT_SRCDIR}/des3.c
+${WOLFCRYPT_SRCDIR}/dh.c
+${WOLFCRYPT_SRCDIR}/dsa.c
+${WOLFCRYPT_SRCDIR}/ecc.c
+${WOLFCRYPT_SRCDIR}/error.c
+${WOLFCRYPT_SRCDIR}/hmac.c
+${WOLFCRYPT_SRCDIR}/integer.c
+${WOLFCRYPT_SRCDIR}/logging.c
+${WOLFCRYPT_SRCDIR}/md4.c
+${WOLFCRYPT_SRCDIR}/md5.c
+${WOLFCRYPT_SRCDIR}/memory.c
+${WOLFCRYPT_SRCDIR}/pkcs12.c
+${WOLFCRYPT_SRCDIR}/pwdbased.c
+${WOLFCRYPT_SRCDIR}/rabbit.c
+${WOLFCRYPT_SRCDIR}/random.c
+${WOLFCRYPT_SRCDIR}/rsa.c
+${WOLFCRYPT_SRCDIR}/sha.c
+${WOLFCRYPT_SRCDIR}/sha256.c
+${WOLFCRYPT_SRCDIR}/sha512.c
+${WOLFCRYPT_SRCDIR}/wc_port.c
+${WOLFCRYPT_SRCDIR}/wc_encrypt.c
+${WOLFCRYPT_SRCDIR}/hash.c
+${WOLFCRYPT_SRCDIR}/wolfmath.c
+)
+
+ADD_CONVENIENCE_LIBRARY(wolfcrypt ${WOLFCRYPT_SOURCES})
+

wolfssl @ 21f2beca

+Subproject commit 21f2beca9f320199fcea4a96df3e19967804144b

include/my_global.h

@@ -989,7 +989,6 @@ typedef struct st_mysql_lex_string LEX_STRING;
 #if defined(__WIN__)
 #define socket_errno	WSAGetLastError()
 #define SOCKET_EINTR	WSAEINTR
-#define SOCKET_EAGAIN	WSAEINPROGRESS
 #define SOCKET_ETIMEDOUT WSAETIMEDOUT
 #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK
 #define SOCKET_EADDRINUSE WSAEADDRINUSE

include/mysql/service_my_crypt.h

@@ -45,7 +45,7 @@ extern "C" {
 /* The max key length of all supported algorithms */
 #define MY_AES_MAX_KEY_LENGTH 32
 
-#define MY_AES_CTX_SIZE 512
+#define MY_AES_CTX_SIZE 560
 
 enum my_aes_mode {
     MY_AES_ECB, MY_AES_CBC

include/ssl_compat.h

@@ -17,11 +17,7 @@
 #include <openssl/opensslv.h>
 
 /* OpenSSL version specific definitions */
-#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_X509_check_host 1
-#endif
+#if defined(OPENSSL_VERSION_NUMBER)
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_OPENSSL11 1
@@ -49,27 +45,39 @@
 
 #else
 #define HAVE_OPENSSL10 1
+#ifdef HAVE_WOLFSSL
+#define SSL_LIBRARY "WolfSSL " WOLFSSL_VERSION
+#else
 #define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
+#endif
 
-#ifdef HAVE_ERR_remove_thread_state
+#ifdef HAVE_WOLFSSL
+#undef ERR_remove_state
+#define ERR_remove_state(x) do {} while(0)
+#elif defined (HAVE_ERR_remove_thread_state)
 #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
 #endif /* HAVE_ERR_remove_thread_state */
 
 #endif /* HAVE_OPENSSL11 */
+#endif
 
-#elif defined(HAVE_YASSL)
-#define SSL_LIBRARY "YaSSL " YASSL_VERSION
-#define BN_free(X) do { } while(0)
-#endif /* !defined(HAVE_YASSL) */
+#ifdef HAVE_WOLFSSL
+#define EVP_MD_CTX_SIZE                 sizeof(wc_Md5)
+#endif
 
 #ifndef HAVE_OPENSSL11
+#ifndef ASN1_STRING_get0_data
 #define ASN1_STRING_get0_data(X)        ASN1_STRING_data(X)
+#endif
+#ifndef EVP_MD_CTX_SIZE
+#define EVP_MD_CTX_SIZE                 sizeof(EVP_MD_CTX)
+#endif
+
 #define OPENSSL_init_ssl(X,Y)           SSL_library_init()
 #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
 #define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
 #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
 #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
-#define EVP_MD_CTX_SIZE                 sizeof(EVP_MD_CTX)
 
 #define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
 #define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)

include/sslopt-case.h

@@ -29,8 +29,8 @@
       One can disable SSL later by using --skip-ssl or --ssl=0
     */
       opt_use_ssl= 1;
-    /* crl has no effect in yaSSL */  
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
+      /* CRL does not work with WolfSSL */ 
       opt_ssl_crl= NULL;
       opt_ssl_crlpath= NULL;
 #endif

mysql-test/main/ssl_7937.test

@@ -22,14 +22,14 @@ create procedure have_ssl()
 
 --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
 # this is the test where certificate verification fails.
-# but yassl doesn't support certificate verification, so
-# we fake the test result for yassl
-let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
-if (!$yassl) {
+# but client library may not support certificate verification, so
+# we fake the test result for it. We assume client is openssl, when server is openssl
+let client_supports_cert_verification =`select variable_value not in('Unknown','OFF') from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
+if ($client_supports_cert_verification) {
   --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
   --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
 }
-if ($yassl) {
+if (!$client_supports_cert_verification) {
   --echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
 }
 drop procedure have_ssl;

mysql-test/main/ssl_cipher.test

@@ -43,7 +43,7 @@ drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_use
 #
 # Bug#21611 Slave can't connect when master-ssl-cipher specified
 # - Apparently selecting a cipher doesn't work at all
-# - Use a cipher that both yaSSL and OpenSSL supports
+# - Use a cipher that both WolfSSL and OpenSSL supports
 #
 --write_file $MYSQLTEST_VARDIR/tmp/test.sql
 SHOW STATUS LIKE 'Ssl_cipher';

mysql-test/suite.pm

@@ -66,9 +66,14 @@ sub skip_combinations {
     unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
        and $1 ge "1.0.1d" and $1 lt "1.1.1";
 
+  sub x509v3_ok() {
+   return ($::mysqld_variables{'version-ssl-library'} =~ /WolfSSL/) ||
+          ($::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
+            and $1 ge "1.0.2");
+  }
+
   $skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
-    unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
-       and $1 ge "1.0.2";
+    unless x509v3_ok();
 
   $skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
     unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/

mysys/my_rnd.c

@@ -78,20 +78,11 @@ double my_rnd(struct my_rnd_struct *rand_st)
 
 double my_rnd_ssl(struct my_rnd_struct *rand_st)
 {
-
-#if defined(HAVE_YASSL) || defined(HAVE_OPENSSL)
-  int rc;
-  unsigned int res;
-
-#if defined(HAVE_YASSL)
-  rc= yaSSL::RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
-#else
+#if defined(HAVE_OPENSSL)
   rc= RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
-#endif /* HAVE_YASSL */
-
   if (rc)
     return (double)res / (double)UINT_MAX;
-#endif /* defined(HAVE_YASSL) || defined(HAVE_OPENSSL) */
+#endif /* defined(HAVE_OPENSSL) */
 
   return my_rnd(rand_st);
 }

mysys_ssl/CMakeLists.txt

@@ -36,7 +36,6 @@ SET(MYSYS_SSL_SOURCES
     my_crypt.cc
    )
 
-# We do RESTRICT_SYMBOL_EXPORTS(yassl) elsewhere.
 # In order to get correct symbol visibility, these files
 # must be compiled with "-fvisibility=hidden"
 IF(WITH_SSL STREQUAL "bundled" AND HAVE_VISIBILITY_HIDDEN)

mysys_ssl/my_crypt.cc

@@ -18,14 +18,10 @@
 #include <my_global.h>
 #include <string.h>
 
-#ifdef HAVE_YASSL
-#include "yassl.cc"
-#else
 #include <openssl/evp.h>
 #include <openssl/aes.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#endif
 
 #include <my_crypt.h>
 #include <ssl_compat.h>
@@ -54,7 +50,7 @@ class MyCTX
     if (unlikely(!cipher))
       return MY_AES_BAD_KEYSIZE;
 
-    if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt))
+    if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt) != 1)
       return MY_AES_OPENSSL_ERROR;
 
     DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen);
@@ -64,14 +60,30 @@ class MyCTX
   }
   virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
   {
-    if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen))
+    if (EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen) != 1)
       return MY_AES_OPENSSL_ERROR;
     return MY_AES_OK;
   }
   virtual int finish(uchar *dst, uint *dlen)
   {
-    if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen))
+#ifdef HAVE_WOLFSSL
+     /*
+       Bug in WolfSSL - sometimes EVP_CipherFinal_ex
+       returns success without setting destination length
+       when it should return error.
+       We catch it by presetting invalid value for length,
+       and checking if it has changed after the call.
+
+       See https://github.com/wolfSSL/wolfssl/issues/2224
+     */
+    *dlen= UINT_MAX;
+#endif
+    if (EVP_CipherFinal_ex(ctx, dst, (int*)dlen) != 1)
       return MY_AES_BAD_DATA;
+#ifdef HAVE_WOLFSSL
+    if (*dlen == UINT_MAX)
+      return MY_AES_BAD_DATA;
+#endif
     return MY_AES_OK;
   }
 };

mysys_ssl/my_md5.cc

@@ -27,26 +27,23 @@
 #include <my_md5.h>
 #include <stdarg.h>
 
-#if defined(HAVE_YASSL)
-#include "md5.hpp"
+#if defined(HAVE_WOLFSSL)
+#include <wolfssl/wolfcrypt/md5.h>
 #include <ssl_compat.h>
-
-typedef TaoCrypt::MD5 EVP_MD_CTX;
-
+typedef wc_Md5 EVP_MD_CTX;
 static void md5_init(EVP_MD_CTX *context)
 {
-  context= new(context) EVP_MD_CTX;
-  context->Init();
+  wc_InitMd5(context);;
 }
 
 static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
 {
-  context->Update((const TaoCrypt::byte *) buf, len);
+  wc_Md5Update(context, buf, len);
 }
 
 static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
 {
-    context->Final((TaoCrypt::byte *) digest);
+  wc_Md5Final(context,digest);
 }
 
 #elif defined(HAVE_OPENSSL)
@@ -74,7 +71,7 @@ static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
   EVP_MD_CTX_reset(context);
 }
 
-#endif /* HAVE_YASSL */
+#endif /* HAVE_WOLFSSL */
 
 /**
   Wrapper function to compute MD5 message digest.

mysys_ssl/my_sha.ic

@@ -28,35 +28,50 @@
 
 #define HASH_SIZE (NUM > 1 ? NUM/8 : 20)
 
-#if defined(HAVE_YASSL)
-#include "sha.hpp"
-
-#define xCONTEXT(x)     TaoCrypt::SHA ## x
+#if defined(HAVE_WOLFSSL)
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA224
+#include <wolfcrypt/sha.h>
+#include <wolfcrypt/sha256.h>
+#include <wolfcrypt/sha512.h>
+#define xCONTEXT(x)     wc_Sha ## x
 #define yCONTEXT(y)     xCONTEXT(y)
 #define CONTEXT         yCONTEXT(NUM)
-#define SHA1            SHA
+#define wc_InitSha1     wc_InitSha
+#define wc_Sha1Final    wc_ShaFinal
+#define wc_Sha1Update   wc_ShaUpdate
+#define wc_Sha1         wc_Sha
+#define SHA224_CTX      SHA256_CTX
+#define SHA384_CTX      SHA512_CTX
 
+#define xSHA_Init(x)    wc_InitSha ## x
+#define xSHA_Update(x)  wc_Sha ## x ## Update
+#define xSHA_Final(x)   wc_Sha ## x ## Final
+#define ySHA_Init(y)    xSHA_Init(y)
+#define ySHA_Update(y)  xSHA_Update(y)
+#define ySHA_Final(y)   xSHA_Final(y)
+#define SHA_Init        ySHA_Init(NUM)
+#define SHA_Update      ySHA_Update(NUM)
+#define SHA_Final       ySHA_Final(NUM)
 static void sha_init(CONTEXT *context)
 {
-  context->Init();
+  SHA_Init(context);
 }
 
-/*
-  this is a variant of sha_init to be used in this file only.
-  does nothing for yassl, because the context's constructor was called automatically.
-*/
 static void sha_init_fast(CONTEXT *context)
 {
+  sha_init(context);
 }
 
 static void sha_input(CONTEXT *context, const uchar *buf, unsigned len)
 {
-  context->Update((const TaoCrypt::byte *) buf, len);
+  SHA_Update(context, buf, len);
 }
 
 static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE])
 {
-    context->Final((TaoCrypt::byte *) digest);
+  SHA_Final(context, digest);
 }
 
 #elif defined(HAVE_OPENSSL)
@@ -99,7 +114,7 @@ static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE])
   SHA_Final(digest, context);
 }
 
-#endif /* HAVE_YASSL */
+#endif /* HAVE_WOLFSSL */
 
 #define xmy_sha_multi(x)         my_sha ## x ## _multi
 #define xmy_sha_context_size(x)  my_sha ## x ## _context_size

plugin/aws_key_management/aws_key_management_plugin.cc

@@ -214,7 +214,7 @@ Aws::SDKOptions sdkOptions;
 static int aws_init()
 {
 
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
   sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true;
 #else
   /* Server initialized OpenSSL already, thus AWS must skip it */

plugin/file_key_management/parser.cc

@@ -96,14 +96,6 @@ openssl enc -aes-256-cbc -md sha1 -k "secret" -in keys.txt -out keys.enc
    @param secret [in]  the given secret as String, provided by the user
    @param key    [out] 32 Bytes of key are written to this pointer
    @param iv     [out] 16 Bytes of iv are written to this pointer
-
-   Note, that in openssl this whole function can be reduced to
-
-    #include <openssl/evp.h>
-    EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), salt,
-                   secret, strlen(secret), 1, key, iv);
-
-   but alas! we want to support yassl too
 */
 
 void Parser::bytes_to_key(const unsigned char *salt, const char *input,

plugin/locale_info/CMakeLists.txt

-INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex
-                    ${CMAKE_SOURCE_DIR}/extra/yassl/include)
+INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex)
 
 MYSQL_ADD_PLUGIN(LOCALES locale_info.cc RECOMPILE_FOR_EMBEDDED)
 

plugin/qc_info/CMakeLists.txt

 INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql
-                    ${PCRE_INCLUDES}
-                    ${CMAKE_SOURCE_DIR}/extra/yassl/include)
+                    ${PCRE_INCLUDES})
 
 MYSQL_ADD_PLUGIN(QUERY_CACHE_INFO qc_info.cc RECOMPILE_FOR_EMBEDDED)

sql-common/client.c

@@ -1576,9 +1576,15 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
 
 #ifdef HAVE_X509_check_host
   ret_validation=
-   (X509_check_host(server_cert, server_hostname,
-       strlen(server_hostname), 0, 0) != 1) &&
-   (X509_check_ip_asc(server_cert, server_hostname, 0) != 1);
+    X509_check_host(server_cert, server_hostname,
+       strlen(server_hostname), 0, 0) != 1;
+#ifndef HAVE_WOLFSSL
+   if (ret_validation)
+   {
+     ret_validation=
+         X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
+   }
+#endif
 #else
   subject= X509_get_subject_name(server_cert);
   cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);

sql/mysqld.cc

@@ -1453,7 +1453,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct,
 
 #ifdef HAVE_OPENSSL
 #include <openssl/crypto.h>
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
 typedef struct CRYPTO_dynlock_value
 {
   mysql_rwlock_t lock;
@@ -2112,7 +2112,7 @@ static void clean_up_mutexes()
   mysql_mutex_destroy(&LOCK_global_index_stats);
 #ifdef HAVE_OPENSSL
   mysql_mutex_destroy(&LOCK_des_key_file);
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
   for (int i= 0; i < CRYPTO_num_locks(); ++i)
     mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
   OPENSSL_free(openssl_stdlocks);
@@ -4550,7 +4550,7 @@ static int init_thread_environment()
 #ifdef HAVE_OPENSSL
   mysql_mutex_init(key_LOCK_des_key_file,
                    &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
   openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
                                                      sizeof(openssl_lock_t));
   for (int i= 0; i < CRYPTO_num_locks(); ++i)
@@ -4595,7 +4595,7 @@ static int init_thread_environment()
 }
 
 
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
 static openssl_lock_t *openssl_dynlock_create(const char *file, int line)
 {
   openssl_lock_t *lock= new openssl_lock_t;
@@ -4767,9 +4767,7 @@ int reinit_ssl()
   {
     my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0),
       sslGetErrString(error));
-#ifndef HAVE_YASSL
     ERR_clear_error();
-#endif
     return 1;
   }
   mysql_rwlock_wrlock(&LOCK_ssl_refresh);
@@ -5943,7 +5941,7 @@ int mysqld_main(int argc, char **argv)
       CloseHandle(hEventShutdown);
   }
 #endif
-#if (defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)) && !defined(EMBEDDED_LIBRARY)
+#if (defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY))
   ERR_remove_state(0);
 #endif
   mysqld_exit(0);
@@ -7105,8 +7103,8 @@ struct my_option my_long_options[]=
   MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-period"),      // HAVE_REPLICATION
   MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-group"),       // HAVE_REPLICATION
   MYSQL_SUGGEST_ANALOG_OPTION("slave-pending-jobs-size-max", "--slave-parallel-max-queued"),  // HAVE_REPLICATION
-  MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-private-key-path"), // HAVE_OPENSSL && !HAVE_YASSL
-  MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-public-key-path"),  // HAVE_OPENSSL && !HAVE_YASSL
+  MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-private-key-path"), // HAVE_OPENSSL
+  MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-public-key-path"),  // HAVE_OPENSSL
 
   /* The following options exist in 5.5 and 5.6 but not in 10.0 */
   MYSQL_SUGGEST_ANALOG_OPTION("abort-slave-event-count", "--debug-abort-slave-event-count"),
@@ -7338,13 +7336,13 @@ static int show_ssl_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
 {
   var->type= SHOW_LONG;
   var->value= buff;
-#ifndef HAVE_YASSL
+#ifndef HAVE_WOLFSSL
   if( thd->net.vio && thd->net.vio->ssl_arg )
     *((long *)buff)= (long)SSL_get_verify_mode((SSL*)thd->net.vio->ssl_arg);
   else
     *((long *)buff)= 0;
 #else
-  *((long *)buff) = 0;
+  *((long *)buff)= 0;
 #endif
   return 0;
 }
@@ -7354,14 +7352,10 @@ static int show_ssl_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
 {
   var->type= SHOW_LONG;
   var->value= buff;
-#ifndef HAVE_YASSL
   if( thd->vio_ok() && thd->net.vio->ssl_arg )
     *((long *)buff)= (long)SSL_get_verify_depth((SSL*)thd->net.vio->ssl_arg);
   else
     *((long *)buff)= 0;
-#else
-  *((long *)buff)= 0;
-#endif
 
   return 0;
 }
@@ -7422,15 +7416,6 @@ DEF_SHOW_FUNC(net_wait_num, SHOW_LONGLONG)
 DEF_SHOW_FUNC(avg_net_wait_time, SHOW_LONG)
 DEF_SHOW_FUNC(avg_trx_wait_time, SHOW_LONG)
 
-#ifdef HAVE_YASSL
-
-static char *
-my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
-{
-  return yaSSL_ASN1_TIME_to_string(time, buf, len);
-}
-
-#else /* openssl */
 
 static char *
 my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
@@ -7458,8 +7443,6 @@ my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
   return res;
 }
 
-#endif
-
 
 /**
   Handler function for the 'ssl_get_server_not_before' variable
@@ -8145,7 +8128,7 @@ static int mysql_init_variables(void)
 
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
   have_ssl=SHOW_OPTION_YES;
-#if defined(HAVE_YASSL)
+#if defined(HAVE_WOLFSSL)
   have_openssl= SHOW_OPTION_NO;
 #else
   have_openssl= SHOW_OPTION_YES;

support-files/compiler_warnings.supp

@@ -98,17 +98,6 @@
 #
 .*/oqgraph/graphcore\.cc : may be used uninitialized in this function
 
-#
-# Yassl
-#
-.*/include/runtime.hpp: .*pure_error.*
-.*/extra/yassl/.*taocrypt/.*: comparison with string literal
-.*/extra/yassl/taocrypt/src/blowfish\.cpp: array subscript is above array bounds
-.*/extra/yassl/taocrypt/src/file\.cpp: ignoring return value
-.*/extra/yassl/taocrypt/src/integer\.cpp: control reaches end of non-void function
-.*/mySTL/algorithm\.hpp: is used uninitialized in this function
-.*/include/pwdbased\.hpp: comparison of unsigned expression
-
 #
 # OpenSSL
 #

unittest/json_lib/CMakeLists.txt

@@ -16,7 +16,6 @@
 INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include
                     ${CMAKE_SOURCE_DIR}/sql
                     ${CMAKE_SOURCE_DIR}/regex
-                    ${CMAKE_SOURCE_DIR}/extra/yassl/include
                     ${CMAKE_SOURCE_DIR}/unittest/mytap)
 
 #

unittest/my_decimal/CMakeLists.txt

@@ -16,7 +16,6 @@
 INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include
                     ${CMAKE_SOURCE_DIR}/sql
                     ${CMAKE_SOURCE_DIR}/regex
-                    ${CMAKE_SOURCE_DIR}/extra/yassl/include
                     ${CMAKE_SOURCE_DIR}/unittest/mytap)
 
 #

vio/vio.c

@@ -329,8 +329,8 @@ void vio_delete(Vio* vio)
 */
 void vio_end(void)
 {
-#ifdef HAVE_YASSL
-  yaSSL_CleanUp();
+#ifdef HAVE_WOLFSSL
+  wolfSSL_Cleanup();
 #elif defined(HAVE_OPENSSL)
   // This one is needed on the client side
   ERR_remove_state(0);

vio/viossl.c

@@ -26,19 +26,7 @@
 
 #ifdef HAVE_OPENSSL
 
-#ifdef HAVE_YASSL
-/*
-  yassl seem to be different here, SSL_get_error() value can be
-  directly passed to ERR_error_string(), and these errors don't go
-  into ERR_get_error() stack.
-  in openssl, apparently, SSL_get_error() values live in a different
-  namespace, one needs to use ERR_get_error() as an argument
-  for ERR_error_string().
-*/
-#define SSL_errno(X,Y) SSL_get_error(X,Y)
-#else
 #define SSL_errno(X,Y) ERR_get_error()
-#endif
 
 /**
   Obtain the equivalent system error status for the last SSL I/O operation.
@@ -124,9 +112,7 @@ static my_bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event
   default:
     should_retry= FALSE;
     ssl_set_sys_error(ssl_error);
-#ifndef HAVE_YASSL
     ERR_clear_error();
-#endif
     break;
   }
 
@@ -197,25 +183,6 @@ size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size)
   DBUG_RETURN(ret < 0 ? -1 : ret);
 }
 
-#ifdef HAVE_YASSL
-
-/* Emulate a blocking recv() call with vio_read(). */
-static long yassl_recv(void *ptr, void *buf, size_t len,
-                       int flag __attribute__((unused)))
-{
-  return (long)vio_read(ptr, buf, len);
-}
-
-
-/* Emulate a blocking send() call with vio_write(). */
-static long yassl_send(void *ptr, const void *buf, size_t len,
-                       int flag __attribute__((unused)))
-{
-  return (long)vio_write(ptr, buf, len);
-}
-
-#endif
-
 int vio_ssl_close(Vio *vio)
 {
   int r= 0;
@@ -335,21 +302,13 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
   SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
   SSL_set_fd(ssl, (int)sd);
 
-  /*
-    Since yaSSL does not support non-blocking send operations, use
-    special transport functions that properly handles non-blocking
-    sockets. These functions emulate the behavior of blocking I/O
-    operations by waiting for I/O to become available.
-  */
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
   /* Set first argument of the transport functions. */
-  yaSSL_transport_set_ptr(ssl, vio);
-  /* Set functions to use in order to send and receive data. */
-  yaSSL_transport_set_recv_function(ssl, yassl_recv);
-  yaSSL_transport_set_send_function(ssl, yassl_send);
+  wolfSSL_SetIOReadCtx(ssl, vio);
+  wolfSSL_SetIOWriteCtx(ssl, vio);
 #endif
 
-#if !defined(HAVE_YASSL) && defined(SSL_OP_NO_COMPRESSION)
+#if defined(SSL_OP_NO_COMPRESSION)
   SSL_set_options(ssl, SSL_OP_NO_COMPRESSION);
 #endif
 

vio/viosslfactories.c

@@ -18,10 +18,8 @@
 #include <ssl_compat.h>
 
 #ifdef HAVE_OPENSSL
-#ifndef HAVE_YASSL
 #include <openssl/dh.h>
 #include <openssl/bn.h>
-#endif
 
 static my_bool     ssl_algorithms_added    = FALSE;
 static my_bool     ssl_error_strings_loaded= FALSE;
@@ -166,6 +164,25 @@ static void check_ssl_init()
   }
 }
 
+#ifdef HAVE_WOLFSSL
+static int wolfssl_recv(WOLFSSL* ssl, char* buf, int sz, void* vio)
+{
+  size_t ret;
+  (void)ssl;
+  ret = vio_read((Vio *)vio, (uchar *)buf, sz);
+  /* check if connection was closed */
+  if (ret == 0)
+    return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+
+  return (int)ret;
+}
+
+static int wolfssl_send(WOLFSSL* ssl, char* buf, int sz, void* vio)
+{
+  return (int)vio_write((Vio *)vio, (unsigned char*)buf, sz);
+}
+#endif /* HAVE_WOLFSSL */
+
 /************************ VioSSLFd **********************************/
 static struct st_VioSSLFd *
 new_VioSSLFd(const char *key_file, const char *cert_file,
@@ -232,7 +249,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
                  sslGetErrString(*error)));
       goto err2;
     }
-
+#ifndef HAVE_WOLFSSL
     /* otherwise go use the defaults */
     if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
     {
@@ -240,13 +257,15 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
       DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
       goto err2;
     }
+#endif
   }
 
   if (crl_file || crl_path)
   {
-#ifdef HAVE_YASSL
-    DBUG_PRINT("warning", ("yaSSL doesn't support CRL"));
+#ifdef HAVE_WOLFSSL
+    /* CRL does not work with WolfSSL. */
     DBUG_ASSERT(0);
+    goto err2;
 #else
     X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
     /* Load crls from the trusted ca */
@@ -282,6 +301,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
     DH_free(dh);
   }
 
+#ifdef HAVE_WOLFSSL
+  /* set IO functions used by wolfSSL */
+   wolfSSL_SetIORecv(ssl_fd->ssl_context, wolfssl_recv);
+   wolfSSL_SetIOSend(ssl_fd->ssl_context, wolfssl_send);
+#endif
+
   DBUG_PRINT("exit", ("OK 1"));
 
   DBUG_RETURN(ssl_fd);