Commit 5e4b657d authored by Vladislav Vaintroub's avatar Vladislav Vaintroub

MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library

- Add new submodule for WolfSSL
- Build and use wolfssl and wolfcrypt instead of yassl/taocrypt
- Use HAVE_WOLFSSL instead of HAVE_YASSL
- Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc
(sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
parent 31fe7029
...@@ -8,3 +8,6 @@ ...@@ -8,3 +8,6 @@
path = wsrep-lib path = wsrep-lib
url = https://github.com/codership/wsrep-lib.git url = https://github.com/codership/wsrep-lib.git
branch = master branch = master
[submodule "extra/wolfssl/wolfssl"]
path = extra/wolfssl/wolfssl
url = https://github.com/WolfSSL/wolfssl
...@@ -346,7 +346,7 @@ IF(NOT HAVE_CXX_NEW) ...@@ -346,7 +346,7 @@ IF(NOT HAVE_CXX_NEW)
ENDIF() ENDIF()
# Find header files from the bundled libraries # Find header files from the bundled libraries
# (yassl, readline, pcre, etc) # (wolfssl, readline, pcre, etc)
# before the ones installed in the system # before the ones installed in the system
SET(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON) SET(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)
...@@ -359,7 +359,7 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/include) ...@@ -359,7 +359,7 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/include)
# Add bundled or system zlib. # Add bundled or system zlib.
MYSQL_CHECK_ZLIB_WITH_COMPRESS() MYSQL_CHECK_ZLIB_WITH_COMPRESS()
# Add bundled yassl/taocrypt or system openssl. # Add bundled wolfssl/wolfcrypt or system openssl.
MYSQL_CHECK_SSL() MYSQL_CHECK_SSL()
# Add readline or libedit. # Add readline or libedit.
MYSQL_CHECK_READLINE() MYSQL_CHECK_READLINE()
......
...@@ -317,7 +317,7 @@ ELSEIF(UNIX) ...@@ -317,7 +317,7 @@ ELSEIF(UNIX)
ENDIF() ENDIF()
ENDIF() ENDIF()
# We try to hide the symbols in yassl/zlib to avoid name clashes with # We try to hide the symbols in bundled libraries to avoid name clashes with
# other libraries like openssl. # other libraries like openssl.
FUNCTION(RESTRICT_SYMBOL_EXPORTS target) FUNCTION(RESTRICT_SYMBOL_EXPORTS target)
IF(VISIBILITY_HIDDEN_FLAG) IF(VISIBILITY_HIDDEN_FLAG)
......
...@@ -8,7 +8,7 @@ SET(CONC_WITH_SIGNCODE ${SIGNCODE}) ...@@ -8,7 +8,7 @@ SET(CONC_WITH_SIGNCODE ${SIGNCODE})
SET(SIGN_OPTIONS ${SIGNTOOL_PARAMETERS}) SET(SIGN_OPTIONS ${SIGNTOOL_PARAMETERS})
SET(CONC_WITH_EXTERNAL_ZLIB ON) SET(CONC_WITH_EXTERNAL_ZLIB ON)
IF(SSL_DEFINES MATCHES "YASSL") IF(SSL_DEFINES MATCHES "WOLFSSL")
IF(WIN32) IF(WIN32)
SET(CONC_WITH_SSL "SCHANNEL") SET(CONC_WITH_SSL "SCHANNEL")
ELSE() ELSE()
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA
# We support different versions of SSL: # We support different versions of SSL:
# - "bundled" uses source code in <source dir>/extra/yassl # - "bundled" uses source code in <source dir>/extra/wolfssl
# - "system" (typically) uses headers/libraries in /usr/lib and /usr/lib64 # - "system" (typically) uses headers/libraries in /usr/lib and /usr/lib64
# - a custom installation of openssl can be used like this # - a custom installation of openssl can be used like this
# - cmake -DCMAKE_PREFIX_PATH=</path/to/custom/openssl> -DWITH_SSL="system" # - cmake -DCMAKE_PREFIX_PATH=</path/to/custom/openssl> -DWITH_SSL="system"
...@@ -35,7 +35,7 @@ ...@@ -35,7 +35,7 @@
# 'set path=</path/to/custom/openssl>\bin;%PATH% # 'set path=</path/to/custom/openssl>\bin;%PATH%
# in order to find the .dll files at runtime. # in order to find the .dll files at runtime.
SET(WITH_SSL_DOC "bundled (use yassl)") SET(WITH_SSL_DOC "bundled (use wolfssl)")
SET(WITH_SSL_DOC SET(WITH_SSL_DOC
"${WITH_SSL_DOC}, yes (prefer os library if present, otherwise use bundled)") "${WITH_SSL_DOC}, yes (prefer os library if present, otherwise use bundled)")
SET(WITH_SSL_DOC SET(WITH_SSL_DOC
...@@ -49,28 +49,18 @@ ENDMACRO() ...@@ -49,28 +49,18 @@ ENDMACRO()
MACRO (MYSQL_USE_BUNDLED_SSL) MACRO (MYSQL_USE_BUNDLED_SSL)
SET(INC_DIRS SET(INC_DIRS
${CMAKE_SOURCE_DIR}/extra/yassl/include ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl
${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/include ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl/wolfssl
) )
SET(SSL_LIBRARIES yassl taocrypt) SET(SSL_LIBRARIES wolfssl wolfcrypt)
SET(SSL_INCLUDE_DIRS ${INC_DIRS}) SET(SSL_INCLUDE_DIRS ${INC_DIRS})
SET(SSL_INTERNAL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/mySTL) SET(SSL_DEFINES "-DHAVE_OPENSSL -DHAVE_WOLFSSL -DOPENSSL_ALL -DWOLFSSL_MYSQL_COMPATIBLE -DWC_NO_HARDEN")
SET(SSL_DEFINES "-DHAVE_YASSL -DYASSL_PREFIX -DHAVE_OPENSSL -DMULTI_THREADED") SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
SET(HAVE_ERR_remove_thread_state OFF CACHE INTERNAL "yassl doesn't have ERR_remove_thread_state") SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
SET(HAVE_EncryptAes128Ctr OFF CACHE INTERNAL "yassl doesn't support AES-CTR") SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "yassl doesn't support AES-GCM") SET(HAVE_X509_check_host ON CACHE INTERNAL "wolfssl does support X509_check_host")
CHANGE_SSL_SETTINGS("bundled") CHANGE_SSL_SETTINGS("bundled")
ADD_SUBDIRECTORY(extra/yassl) ADD_SUBDIRECTORY(extra/wolfssl)
ADD_SUBDIRECTORY(extra/yassl/taocrypt)
GET_TARGET_PROPERTY(src yassl SOURCES)
FOREACH(file ${src})
SET(SSL_SOURCES ${SSL_SOURCES} ${CMAKE_SOURCE_DIR}/extra/yassl/${file})
ENDFOREACH()
GET_TARGET_PROPERTY(src taocrypt SOURCES)
FOREACH(file ${src})
SET(SSL_SOURCES ${SSL_SOURCES}
${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/${file})
ENDFOREACH()
MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}") MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
ENDMACRO() ENDMACRO()
...@@ -155,6 +145,8 @@ MACRO (MYSQL_CHECK_SSL) ...@@ -155,6 +145,8 @@ MACRO (MYSQL_CHECK_SSL)
HAVE_EncryptAes128Ctr) HAVE_EncryptAes128Ctr)
CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h" CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
HAVE_EncryptAes128Gcm) HAVE_EncryptAes128Gcm)
CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
HAVE_X509_check_host)
SET(CMAKE_REQUIRED_INCLUDES) SET(CMAKE_REQUIRED_INCLUDES)
SET(CMAKE_REQUIRED_LIBRARIES) SET(CMAKE_REQUIRED_LIBRARIES)
ELSE() ELSE()
......
...@@ -380,6 +380,7 @@ ...@@ -380,6 +380,7 @@
#cmakedefine HAVE_SVR3_SIGNALS 1 #cmakedefine HAVE_SVR3_SIGNALS 1
#cmakedefine HAVE_V7_SIGNALS 1 #cmakedefine HAVE_V7_SIGNALS 1
#cmakedefine HAVE_ERR_remove_thread_state 1 #cmakedefine HAVE_ERR_remove_thread_state 1
#cmakedefine HAVE_X509_check_host 1
#cmakedefine HAVE_SOLARIS_STYLE_GETHOST 1 #cmakedefine HAVE_SOLARIS_STYLE_GETHOST 1
......
...@@ -52,8 +52,8 @@ ELSE() ...@@ -52,8 +52,8 @@ ELSE()
SET(NT_SERVICE_SOURCE) SET(NT_SERVICE_SOURCE)
ENDIF() ENDIF()
ADD_DEFINITIONS(-DPCRE_STATIC=1 -DHAVE_OPENSSL=1) ADD_DEFINITIONS(-DPCRE_STATIC=1)
ADD_DEFINITIONS(${SSL_DEFINES})
MYSQL_ADD_EXECUTABLE(mariabackup MYSQL_ADD_EXECUTABLE(mariabackup
xtrabackup.cc xtrabackup.cc
innobackupex.cc innobackupex.cc
......
SET(WOLFSSL_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/src)
ADD_DEFINITIONS(${SSL_DEFINES})
ADD_DEFINITIONS(
-DHAVE_CRL
-DWOLFSSL_MYSQL_COMPATIBLE
-DHAVE_ECC
-DECC_TIMING_RESISTANT
-DBUILDING_WOLFSSL
-DHAVE_HASHDRBG
-DWOLFSSL_AES_DIRECT
-DWOLFSSL_SHA384
-DWOLFSSL_SHA512
-DWOLFSSL_SHA224
-DSESSION_CERT
-DKEEP_OUR_CERT
-DWOLFSSL_STATIC_RSA
-DWC_RSA_BLINDING
-DHAVE_TLS_EXTENSIONS
-DHAVE_AES_ECB
-DWOLFSSL_AES_COUNTER
-DNO_WOLFSSL_STUB)
SET(WOLFSSL_SOURCES
${WOLFSSL_SRCDIR}/crl.c
${WOLFSSL_SRCDIR}/internal.c
${WOLFSSL_SRCDIR}/keys.c
${WOLFSSL_SRCDIR}/tls.c
${WOLFSSL_SRCDIR}/wolfio.c
${WOLFSSL_SRCDIR}/ocsp.c
${WOLFSSL_SRCDIR}/ssl.c)
ADD_DEFINITIONS(-DWOLFSSL_LIB)
INCLUDE_DIRECTORIES(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl)
IF(MSVC)
# size_t to long truncation warning
SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -wd4267")
IF(CMAKE_C_COMPILER_ID MATCHES Clang)
# Workaround a bug with clang-cl, see https://github.com/wolfSSL/wolfssl/pull/2090
ADD_DEFINITIONS(-DMP_16BIT)
ENDIF()
ENDIF()
ADD_CONVENIENCE_LIBRARY(wolfssl ${WOLFSSL_SOURCES})
# Workaround linker crash with older Ubuntu binutils
# e.g aborting at ../../bfd/merge.c line 873 in _bfd_merged_section_offset
IF(CMAKE_SYSTEM_NAME MATCHES "Linux")
STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_RELWITHDEBINFO
${CMAKE_C_FLAGS_RELWITHDEBINFO})
STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_DEBUG
${CMAKE_C_FLAGS_DEBUG})
STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_RELWITHDEBINFO
${CMAKE_C_FLAGS_RELWITHDEBINFO})
STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_DEBUG
${CMAKE_C_FLAGS_DEBUG})
ENDIF()
SET(WOLFCRYPT_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfcrypt/src)
SET(WOLFCRYPT_SOURCES
${WOLFCRYPT_SRCDIR}/aes.c
${WOLFCRYPT_SRCDIR}/arc4.c
${WOLFCRYPT_SRCDIR}/asn.c
${WOLFCRYPT_SRCDIR}/coding.c
${WOLFCRYPT_SRCDIR}/des3.c
${WOLFCRYPT_SRCDIR}/dh.c
${WOLFCRYPT_SRCDIR}/dsa.c
${WOLFCRYPT_SRCDIR}/ecc.c
${WOLFCRYPT_SRCDIR}/error.c
${WOLFCRYPT_SRCDIR}/hmac.c
${WOLFCRYPT_SRCDIR}/integer.c
${WOLFCRYPT_SRCDIR}/logging.c
${WOLFCRYPT_SRCDIR}/md4.c
${WOLFCRYPT_SRCDIR}/md5.c
${WOLFCRYPT_SRCDIR}/memory.c
${WOLFCRYPT_SRCDIR}/pkcs12.c
${WOLFCRYPT_SRCDIR}/pwdbased.c
${WOLFCRYPT_SRCDIR}/rabbit.c
${WOLFCRYPT_SRCDIR}/random.c
${WOLFCRYPT_SRCDIR}/rsa.c
${WOLFCRYPT_SRCDIR}/sha.c
${WOLFCRYPT_SRCDIR}/sha256.c
${WOLFCRYPT_SRCDIR}/sha512.c
${WOLFCRYPT_SRCDIR}/wc_port.c
${WOLFCRYPT_SRCDIR}/wc_encrypt.c
${WOLFCRYPT_SRCDIR}/hash.c
${WOLFCRYPT_SRCDIR}/wolfmath.c
)
ADD_CONVENIENCE_LIBRARY(wolfcrypt ${WOLFCRYPT_SOURCES})
Subproject commit 21f2beca9f320199fcea4a96df3e19967804144b
...@@ -989,7 +989,6 @@ typedef struct st_mysql_lex_string LEX_STRING; ...@@ -989,7 +989,6 @@ typedef struct st_mysql_lex_string LEX_STRING;
#if defined(__WIN__) #if defined(__WIN__)
#define socket_errno WSAGetLastError() #define socket_errno WSAGetLastError()
#define SOCKET_EINTR WSAEINTR #define SOCKET_EINTR WSAEINTR
#define SOCKET_EAGAIN WSAEINPROGRESS
#define SOCKET_ETIMEDOUT WSAETIMEDOUT #define SOCKET_ETIMEDOUT WSAETIMEDOUT
#define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK
#define SOCKET_EADDRINUSE WSAEADDRINUSE #define SOCKET_EADDRINUSE WSAEADDRINUSE
......
...@@ -45,7 +45,7 @@ extern "C" { ...@@ -45,7 +45,7 @@ extern "C" {
/* The max key length of all supported algorithms */ /* The max key length of all supported algorithms */
#define MY_AES_MAX_KEY_LENGTH 32 #define MY_AES_MAX_KEY_LENGTH 32
#define MY_AES_CTX_SIZE 512 #define MY_AES_CTX_SIZE 560
enum my_aes_mode { enum my_aes_mode {
MY_AES_ECB, MY_AES_CBC MY_AES_ECB, MY_AES_CBC
......
...@@ -17,11 +17,7 @@ ...@@ -17,11 +17,7 @@
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
/* OpenSSL version specific definitions */ /* OpenSSL version specific definitions */
#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) #if defined(OPENSSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
#define HAVE_X509_check_host 1
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define HAVE_OPENSSL11 1 #define HAVE_OPENSSL11 1
...@@ -49,27 +45,39 @@ ...@@ -49,27 +45,39 @@
#else #else
#define HAVE_OPENSSL10 1 #define HAVE_OPENSSL10 1
#ifdef HAVE_WOLFSSL
#define SSL_LIBRARY "WolfSSL " WOLFSSL_VERSION
#else
#define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION) #define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
#endif
#ifdef HAVE_ERR_remove_thread_state #ifdef HAVE_WOLFSSL
#undef ERR_remove_state
#define ERR_remove_state(x) do {} while(0)
#elif defined (HAVE_ERR_remove_thread_state)
#define ERR_remove_state(X) ERR_remove_thread_state(NULL) #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
#endif /* HAVE_ERR_remove_thread_state */ #endif /* HAVE_ERR_remove_thread_state */
#endif /* HAVE_OPENSSL11 */ #endif /* HAVE_OPENSSL11 */
#endif
#elif defined(HAVE_YASSL) #ifdef HAVE_WOLFSSL
#define SSL_LIBRARY "YaSSL " YASSL_VERSION #define EVP_MD_CTX_SIZE sizeof(wc_Md5)
#define BN_free(X) do { } while(0) #endif
#endif /* !defined(HAVE_YASSL) */
#ifndef HAVE_OPENSSL11 #ifndef HAVE_OPENSSL11
#ifndef ASN1_STRING_get0_data
#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) #define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
#endif
#ifndef EVP_MD_CTX_SIZE
#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
#endif
#define OPENSSL_init_ssl(X,Y) SSL_library_init() #define OPENSSL_init_ssl(X,Y) SSL_library_init()
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G)) #define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) #define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) #define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) #define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X) #define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) #define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
......
...@@ -29,8 +29,8 @@ ...@@ -29,8 +29,8 @@
One can disable SSL later by using --skip-ssl or --ssl=0 One can disable SSL later by using --skip-ssl or --ssl=0
*/ */
opt_use_ssl= 1; opt_use_ssl= 1;
/* crl has no effect in yaSSL */ #ifdef HAVE_WOLFSSL
#ifdef HAVE_YASSL /* CRL does not work with WolfSSL */
opt_ssl_crl= NULL; opt_ssl_crl= NULL;
opt_ssl_crlpath= NULL; opt_ssl_crlpath= NULL;
#endif #endif
......
...@@ -22,14 +22,14 @@ create procedure have_ssl() ...@@ -22,14 +22,14 @@ create procedure have_ssl()
--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()" --echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
# this is the test where certificate verification fails. # this is the test where certificate verification fails.
# but yassl doesn't support certificate verification, so # but client library may not support certificate verification, so
# we fake the test result for yassl # we fake the test result for it. We assume client is openssl, when server is openssl
let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`; let client_supports_cert_verification =`select variable_value not in('Unknown','OFF') from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
if (!$yassl) { if ($client_supports_cert_verification) {
--replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate" --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
--exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1 --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
} }
if ($yassl) { if (!$client_supports_cert_verification) {
--echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate --echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
} }
drop procedure have_ssl; drop procedure have_ssl;
...@@ -43,7 +43,7 @@ drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_use ...@@ -43,7 +43,7 @@ drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_use
# #
# Bug#21611 Slave can't connect when master-ssl-cipher specified # Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all # - Apparently selecting a cipher doesn't work at all
# - Use a cipher that both yaSSL and OpenSSL supports # - Use a cipher that both WolfSSL and OpenSSL supports
# #
--write_file $MYSQLTEST_VARDIR/tmp/test.sql --write_file $MYSQLTEST_VARDIR/tmp/test.sql
SHOW STATUS LIKE 'Ssl_cipher'; SHOW STATUS LIKE 'Ssl_cipher';
......
...@@ -66,9 +66,14 @@ sub skip_combinations { ...@@ -66,9 +66,14 @@ sub skip_combinations {
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/ unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.1d" and $1 lt "1.1.1"; and $1 ge "1.0.1d" and $1 lt "1.1.1";
sub x509v3_ok() {
return ($::mysqld_variables{'version-ssl-library'} =~ /WolfSSL/) ||
($::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.2");
}
$skip{'main/ssl_7937.combinations'} = [ 'x509v3' ] $skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/ unless x509v3_ok();
and $1 ge "1.0.2";
$skip{'main/ssl_verify_ip.test'} = 'x509v3 support required' $skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/ unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
......
...@@ -78,20 +78,11 @@ double my_rnd(struct my_rnd_struct *rand_st) ...@@ -78,20 +78,11 @@ double my_rnd(struct my_rnd_struct *rand_st)
double my_rnd_ssl(struct my_rnd_struct *rand_st) double my_rnd_ssl(struct my_rnd_struct *rand_st)
{ {
#if defined(HAVE_OPENSSL)
#if defined(HAVE_YASSL) || defined(HAVE_OPENSSL)
int rc;
unsigned int res;
#if defined(HAVE_YASSL)
rc= yaSSL::RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
#else
rc= RAND_bytes((unsigned char *) &res, sizeof (unsigned int)); rc= RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
#endif /* HAVE_YASSL */
if (rc) if (rc)
return (double)res / (double)UINT_MAX; return (double)res / (double)UINT_MAX;
#endif /* defined(HAVE_YASSL) || defined(HAVE_OPENSSL) */ #endif /* defined(HAVE_OPENSSL) */
return my_rnd(rand_st); return my_rnd(rand_st);
} }
...@@ -36,7 +36,6 @@ SET(MYSYS_SSL_SOURCES ...@@ -36,7 +36,6 @@ SET(MYSYS_SSL_SOURCES
my_crypt.cc my_crypt.cc
) )
# We do RESTRICT_SYMBOL_EXPORTS(yassl) elsewhere.
# In order to get correct symbol visibility, these files # In order to get correct symbol visibility, these files
# must be compiled with "-fvisibility=hidden" # must be compiled with "-fvisibility=hidden"
IF(WITH_SSL STREQUAL "bundled" AND HAVE_VISIBILITY_HIDDEN) IF(WITH_SSL STREQUAL "bundled" AND HAVE_VISIBILITY_HIDDEN)
......
...@@ -18,14 +18,10 @@ ...@@ -18,14 +18,10 @@
#include <my_global.h> #include <my_global.h>
#include <string.h> #include <string.h>
#ifdef HAVE_YASSL
#include "yassl.cc"
#else
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/aes.h> #include <openssl/aes.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#endif
#include <my_crypt.h> #include <my_crypt.h>
#include <ssl_compat.h> #include <ssl_compat.h>
...@@ -54,7 +50,7 @@ class MyCTX ...@@ -54,7 +50,7 @@ class MyCTX
if (unlikely(!cipher)) if (unlikely(!cipher))
return MY_AES_BAD_KEYSIZE; return MY_AES_BAD_KEYSIZE;
if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt)) if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt) != 1)
return MY_AES_OPENSSL_ERROR; return MY_AES_OPENSSL_ERROR;
DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen); DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen);
...@@ -64,14 +60,30 @@ class MyCTX ...@@ -64,14 +60,30 @@ class MyCTX
} }
virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen) virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{ {
if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen)) if (EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen) != 1)
return MY_AES_OPENSSL_ERROR; return MY_AES_OPENSSL_ERROR;
return MY_AES_OK; return MY_AES_OK;
} }
virtual int finish(uchar *dst, uint *dlen) virtual int finish(uchar *dst, uint *dlen)
{ {
if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen)) #ifdef HAVE_WOLFSSL
/*
Bug in WolfSSL - sometimes EVP_CipherFinal_ex
returns success without setting destination length
when it should return error.
We catch it by presetting invalid value for length,
and checking if it has changed after the call.
See https://github.com/wolfSSL/wolfssl/issues/2224
*/
*dlen= UINT_MAX;
#endif
if (EVP_CipherFinal_ex(ctx, dst, (int*)dlen) != 1)
return MY_AES_BAD_DATA;
#ifdef HAVE_WOLFSSL
if (*dlen == UINT_MAX)
return MY_AES_BAD_DATA; return MY_AES_BAD_DATA;
#endif
return MY_AES_OK; return MY_AES_OK;
} }
}; };
......
...@@ -27,26 +27,23 @@ ...@@ -27,26 +27,23 @@
#include <my_md5.h> #include <my_md5.h>
#include <stdarg.h> #include <stdarg.h>
#if defined(HAVE_YASSL) #if defined(HAVE_WOLFSSL)
#include "md5.hpp" #include <wolfssl/wolfcrypt/md5.h>
#include <ssl_compat.h> #include <ssl_compat.h>
typedef wc_Md5 EVP_MD_CTX;
typedef TaoCrypt::MD5 EVP_MD_CTX;
static void md5_init(EVP_MD_CTX *context) static void md5_init(EVP_MD_CTX *context)
{ {
context= new(context) EVP_MD_CTX; wc_InitMd5(context);;
context->Init();
} }
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
{ {
context->Update((const TaoCrypt::byte *) buf, len); wc_Md5Update(context, buf, len);
} }
static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
{ {
context->Final((TaoCrypt::byte *) digest); wc_Md5Final(context,digest);
} }
#elif defined(HAVE_OPENSSL) #elif defined(HAVE_OPENSSL)
...@@ -74,7 +71,7 @@ static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) ...@@ -74,7 +71,7 @@ static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
EVP_MD_CTX_reset(context); EVP_MD_CTX_reset(context);
} }
#endif /* HAVE_YASSL */ #endif /* HAVE_WOLFSSL */
/** /**
Wrapper function to compute MD5 message digest. Wrapper function to compute MD5 message digest.
......
...@@ -28,35 +28,50 @@ ...@@ -28,35 +28,50 @@
#define HASH_SIZE (NUM > 1 ? NUM/8 : 20) #define HASH_SIZE (NUM > 1 ? NUM/8 : 20)
#if defined(HAVE_YASSL) #if defined(HAVE_WOLFSSL)
#include "sha.hpp" #define WOLFSSL_SHA512
#define WOLFSSL_SHA384
#define xCONTEXT(x) TaoCrypt::SHA ## x #define WOLFSSL_SHA224
#include <wolfcrypt/sha.h>
#include <wolfcrypt/sha256.h>
#include <wolfcrypt/sha512.h>
#define xCONTEXT(x) wc_Sha ## x
#define yCONTEXT(y) xCONTEXT(y) #define yCONTEXT(y) xCONTEXT(y)
#define CONTEXT yCONTEXT(NUM) #define CONTEXT yCONTEXT(NUM)
#define SHA1 SHA #define wc_InitSha1 wc_InitSha
#define wc_Sha1Final wc_ShaFinal
#define wc_Sha1Update wc_ShaUpdate
#define wc_Sha1 wc_Sha
#define SHA224_CTX SHA256_CTX
#define SHA384_CTX SHA512_CTX
#define xSHA_Init(x) wc_InitSha ## x
#define xSHA_Update(x) wc_Sha ## x ## Update
#define xSHA_Final(x) wc_Sha ## x ## Final
#define ySHA_Init(y) xSHA_Init(y)
#define ySHA_Update(y) xSHA_Update(y)
#define ySHA_Final(y) xSHA_Final(y)
#define SHA_Init ySHA_Init(NUM)
#define SHA_Update ySHA_Update(NUM)
#define SHA_Final ySHA_Final(NUM)
static void sha_init(CONTEXT *context) static void sha_init(CONTEXT *context)
{ {
context->Init(); SHA_Init(context);
} }
/*
this is a variant of sha_init to be used in this file only.
does nothing for yassl, because the context's constructor was called automatically.
*/
static void sha_init_fast(CONTEXT *context) static void sha_init_fast(CONTEXT *context)
{ {
sha_init(context);
} }
static void sha_input(CONTEXT *context, const uchar *buf, unsigned len) static void sha_input(CONTEXT *context, const uchar *buf, unsigned len)
{ {
context->Update((const TaoCrypt::byte *) buf, len); SHA_Update(context, buf, len);
} }
static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE]) static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE])
{ {
context->Final((TaoCrypt::byte *) digest); SHA_Final(context, digest);
} }
#elif defined(HAVE_OPENSSL) #elif defined(HAVE_OPENSSL)
...@@ -99,7 +114,7 @@ static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE]) ...@@ -99,7 +114,7 @@ static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE])
SHA_Final(digest, context); SHA_Final(digest, context);
} }
#endif /* HAVE_YASSL */ #endif /* HAVE_WOLFSSL */
#define xmy_sha_multi(x) my_sha ## x ## _multi #define xmy_sha_multi(x) my_sha ## x ## _multi
#define xmy_sha_context_size(x) my_sha ## x ## _context_size #define xmy_sha_context_size(x) my_sha ## x ## _context_size
......
...@@ -214,7 +214,7 @@ Aws::SDKOptions sdkOptions; ...@@ -214,7 +214,7 @@ Aws::SDKOptions sdkOptions;
static int aws_init() static int aws_init()
{ {
#ifdef HAVE_YASSL #ifdef HAVE_WOLFSSL
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true; sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true;
#else #else
/* Server initialized OpenSSL already, thus AWS must skip it */ /* Server initialized OpenSSL already, thus AWS must skip it */
......
...@@ -96,14 +96,6 @@ openssl enc -aes-256-cbc -md sha1 -k "secret" -in keys.txt -out keys.enc ...@@ -96,14 +96,6 @@ openssl enc -aes-256-cbc -md sha1 -k "secret" -in keys.txt -out keys.enc
@param secret [in] the given secret as String, provided by the user @param secret [in] the given secret as String, provided by the user
@param key [out] 32 Bytes of key are written to this pointer @param key [out] 32 Bytes of key are written to this pointer
@param iv [out] 16 Bytes of iv are written to this pointer @param iv [out] 16 Bytes of iv are written to this pointer
Note, that in openssl this whole function can be reduced to
#include <openssl/evp.h>
EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), salt,
secret, strlen(secret), 1, key, iv);
but alas! we want to support yassl too
*/ */
void Parser::bytes_to_key(const unsigned char *salt, const char *input, void Parser::bytes_to_key(const unsigned char *salt, const char *input,
......
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex)
${CMAKE_SOURCE_DIR}/extra/yassl/include)
MYSQL_ADD_PLUGIN(LOCALES locale_info.cc RECOMPILE_FOR_EMBEDDED) MYSQL_ADD_PLUGIN(LOCALES locale_info.cc RECOMPILE_FOR_EMBEDDED)
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql
${PCRE_INCLUDES} ${PCRE_INCLUDES})
${CMAKE_SOURCE_DIR}/extra/yassl/include)
MYSQL_ADD_PLUGIN(QUERY_CACHE_INFO qc_info.cc RECOMPILE_FOR_EMBEDDED) MYSQL_ADD_PLUGIN(QUERY_CACHE_INFO qc_info.cc RECOMPILE_FOR_EMBEDDED)
...@@ -1576,9 +1576,15 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c ...@@ -1576,9 +1576,15 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
#ifdef HAVE_X509_check_host #ifdef HAVE_X509_check_host
ret_validation= ret_validation=
(X509_check_host(server_cert, server_hostname, X509_check_host(server_cert, server_hostname,
strlen(server_hostname), 0, 0) != 1) && strlen(server_hostname), 0, 0) != 1;
(X509_check_ip_asc(server_cert, server_hostname, 0) != 1); #ifndef HAVE_WOLFSSL
if (ret_validation)
{
ret_validation=
X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
}
#endif
#else #else
subject= X509_get_subject_name(server_cert); subject= X509_get_subject_name(server_cert);
cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
......
...@@ -1453,7 +1453,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct, ...@@ -1453,7 +1453,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct,
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
#include <openssl/crypto.h> #include <openssl/crypto.h>
#ifdef HAVE_OPENSSL10 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
typedef struct CRYPTO_dynlock_value typedef struct CRYPTO_dynlock_value
{ {
mysql_rwlock_t lock; mysql_rwlock_t lock;
...@@ -2112,7 +2112,7 @@ static void clean_up_mutexes() ...@@ -2112,7 +2112,7 @@ static void clean_up_mutexes()
mysql_mutex_destroy(&LOCK_global_index_stats); mysql_mutex_destroy(&LOCK_global_index_stats);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
mysql_mutex_destroy(&LOCK_des_key_file); mysql_mutex_destroy(&LOCK_des_key_file);
#ifdef HAVE_OPENSSL10 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
for (int i= 0; i < CRYPTO_num_locks(); ++i) for (int i= 0; i < CRYPTO_num_locks(); ++i)
mysql_rwlock_destroy(&openssl_stdlocks[i].lock); mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
OPENSSL_free(openssl_stdlocks); OPENSSL_free(openssl_stdlocks);
...@@ -4550,7 +4550,7 @@ static int init_thread_environment() ...@@ -4550,7 +4550,7 @@ static int init_thread_environment()
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
mysql_mutex_init(key_LOCK_des_key_file, mysql_mutex_init(key_LOCK_des_key_file,
&LOCK_des_key_file, MY_MUTEX_INIT_FAST); &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
#ifdef HAVE_OPENSSL10 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() * openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
sizeof(openssl_lock_t)); sizeof(openssl_lock_t));
for (int i= 0; i < CRYPTO_num_locks(); ++i) for (int i= 0; i < CRYPTO_num_locks(); ++i)
...@@ -4595,7 +4595,7 @@ static int init_thread_environment() ...@@ -4595,7 +4595,7 @@ static int init_thread_environment()
} }
#ifdef HAVE_OPENSSL10 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
static openssl_lock_t *openssl_dynlock_create(const char *file, int line) static openssl_lock_t *openssl_dynlock_create(const char *file, int line)
{ {
openssl_lock_t *lock= new openssl_lock_t; openssl_lock_t *lock= new openssl_lock_t;
...@@ -4767,9 +4767,7 @@ int reinit_ssl() ...@@ -4767,9 +4767,7 @@ int reinit_ssl()
{ {
my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0), my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0),
sslGetErrString(error)); sslGetErrString(error));
#ifndef HAVE_YASSL
ERR_clear_error(); ERR_clear_error();
#endif
return 1; return 1;
} }
mysql_rwlock_wrlock(&LOCK_ssl_refresh); mysql_rwlock_wrlock(&LOCK_ssl_refresh);
...@@ -5943,7 +5941,7 @@ int mysqld_main(int argc, char **argv) ...@@ -5943,7 +5941,7 @@ int mysqld_main(int argc, char **argv)
CloseHandle(hEventShutdown); CloseHandle(hEventShutdown);
} }
#endif #endif
#if (defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)) && !defined(EMBEDDED_LIBRARY) #if (defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY))
ERR_remove_state(0); ERR_remove_state(0);
#endif #endif
mysqld_exit(0); mysqld_exit(0);
...@@ -7105,8 +7103,8 @@ struct my_option my_long_options[]= ...@@ -7105,8 +7103,8 @@ struct my_option my_long_options[]=
MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-period"), // HAVE_REPLICATION MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-period"), // HAVE_REPLICATION
MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-group"), // HAVE_REPLICATION MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-group"), // HAVE_REPLICATION
MYSQL_SUGGEST_ANALOG_OPTION("slave-pending-jobs-size-max", "--slave-parallel-max-queued"), // HAVE_REPLICATION MYSQL_SUGGEST_ANALOG_OPTION("slave-pending-jobs-size-max", "--slave-parallel-max-queued"), // HAVE_REPLICATION
MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-private-key-path"), // HAVE_OPENSSL && !HAVE_YASSL MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-private-key-path"), // HAVE_OPENSSL
MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-public-key-path"), // HAVE_OPENSSL && !HAVE_YASSL MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-public-key-path"), // HAVE_OPENSSL
/* The following options exist in 5.5 and 5.6 but not in 10.0 */ /* The following options exist in 5.5 and 5.6 but not in 10.0 */
MYSQL_SUGGEST_ANALOG_OPTION("abort-slave-event-count", "--debug-abort-slave-event-count"), MYSQL_SUGGEST_ANALOG_OPTION("abort-slave-event-count", "--debug-abort-slave-event-count"),
...@@ -7338,13 +7336,13 @@ static int show_ssl_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff, ...@@ -7338,13 +7336,13 @@ static int show_ssl_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
{ {
var->type= SHOW_LONG; var->type= SHOW_LONG;
var->value= buff; var->value= buff;
#ifndef HAVE_YASSL #ifndef HAVE_WOLFSSL
if( thd->net.vio && thd->net.vio->ssl_arg ) if( thd->net.vio && thd->net.vio->ssl_arg )
*((long *)buff)= (long)SSL_get_verify_mode((SSL*)thd->net.vio->ssl_arg); *((long *)buff)= (long)SSL_get_verify_mode((SSL*)thd->net.vio->ssl_arg);
else else
*((long *)buff)= 0; *((long *)buff)= 0;
#else #else
*((long *)buff) = 0; *((long *)buff)= 0;
#endif #endif
return 0; return 0;
} }
...@@ -7354,14 +7352,10 @@ static int show_ssl_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff, ...@@ -7354,14 +7352,10 @@ static int show_ssl_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
{ {
var->type= SHOW_LONG; var->type= SHOW_LONG;
var->value= buff; var->value= buff;
#ifndef HAVE_YASSL
if( thd->vio_ok() && thd->net.vio->ssl_arg ) if( thd->vio_ok() && thd->net.vio->ssl_arg )
*((long *)buff)= (long)SSL_get_verify_depth((SSL*)thd->net.vio->ssl_arg); *((long *)buff)= (long)SSL_get_verify_depth((SSL*)thd->net.vio->ssl_arg);
else else
*((long *)buff)= 0; *((long *)buff)= 0;
#else
*((long *)buff)= 0;
#endif
return 0; return 0;
} }
...@@ -7422,15 +7416,6 @@ DEF_SHOW_FUNC(net_wait_num, SHOW_LONGLONG) ...@@ -7422,15 +7416,6 @@ DEF_SHOW_FUNC(net_wait_num, SHOW_LONGLONG)
DEF_SHOW_FUNC(avg_net_wait_time, SHOW_LONG) DEF_SHOW_FUNC(avg_net_wait_time, SHOW_LONG)
DEF_SHOW_FUNC(avg_trx_wait_time, SHOW_LONG) DEF_SHOW_FUNC(avg_trx_wait_time, SHOW_LONG)
#ifdef HAVE_YASSL
static char *
my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
{
return yaSSL_ASN1_TIME_to_string(time, buf, len);
}
#else /* openssl */
static char * static char *
my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len) my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
...@@ -7458,8 +7443,6 @@ my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len) ...@@ -7458,8 +7443,6 @@ my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
return res; return res;
} }
#endif
/** /**
Handler function for the 'ssl_get_server_not_before' variable Handler function for the 'ssl_get_server_not_before' variable
...@@ -8145,7 +8128,7 @@ static int mysql_init_variables(void) ...@@ -8145,7 +8128,7 @@ static int mysql_init_variables(void)
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
have_ssl=SHOW_OPTION_YES; have_ssl=SHOW_OPTION_YES;
#if defined(HAVE_YASSL) #if defined(HAVE_WOLFSSL)
have_openssl= SHOW_OPTION_NO; have_openssl= SHOW_OPTION_NO;
#else #else
have_openssl= SHOW_OPTION_YES; have_openssl= SHOW_OPTION_YES;
......
...@@ -98,17 +98,6 @@ ...@@ -98,17 +98,6 @@
# #
.*/oqgraph/graphcore\.cc : may be used uninitialized in this function .*/oqgraph/graphcore\.cc : may be used uninitialized in this function
#
# Yassl
#
.*/include/runtime.hpp: .*pure_error.*
.*/extra/yassl/.*taocrypt/.*: comparison with string literal
.*/extra/yassl/taocrypt/src/blowfish\.cpp: array subscript is above array bounds
.*/extra/yassl/taocrypt/src/file\.cpp: ignoring return value
.*/extra/yassl/taocrypt/src/integer\.cpp: control reaches end of non-void function
.*/mySTL/algorithm\.hpp: is used uninitialized in this function
.*/include/pwdbased\.hpp: comparison of unsigned expression
# #
# OpenSSL # OpenSSL
# #
......
...@@ -16,7 +16,6 @@ ...@@ -16,7 +16,6 @@
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include
${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/sql
${CMAKE_SOURCE_DIR}/regex ${CMAKE_SOURCE_DIR}/regex
${CMAKE_SOURCE_DIR}/extra/yassl/include
${CMAKE_SOURCE_DIR}/unittest/mytap) ${CMAKE_SOURCE_DIR}/unittest/mytap)
# #
......
...@@ -16,7 +16,6 @@ ...@@ -16,7 +16,6 @@
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include
${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/sql
${CMAKE_SOURCE_DIR}/regex ${CMAKE_SOURCE_DIR}/regex
${CMAKE_SOURCE_DIR}/extra/yassl/include
${CMAKE_SOURCE_DIR}/unittest/mytap) ${CMAKE_SOURCE_DIR}/unittest/mytap)
# #
......
...@@ -329,8 +329,8 @@ void vio_delete(Vio* vio) ...@@ -329,8 +329,8 @@ void vio_delete(Vio* vio)
*/ */
void vio_end(void) void vio_end(void)
{ {
#ifdef HAVE_YASSL #ifdef HAVE_WOLFSSL
yaSSL_CleanUp(); wolfSSL_Cleanup();
#elif defined(HAVE_OPENSSL) #elif defined(HAVE_OPENSSL)
// This one is needed on the client side // This one is needed on the client side
ERR_remove_state(0); ERR_remove_state(0);
......
...@@ -26,19 +26,7 @@ ...@@ -26,19 +26,7 @@
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
#ifdef HAVE_YASSL
/*
yassl seem to be different here, SSL_get_error() value can be
directly passed to ERR_error_string(), and these errors don't go
into ERR_get_error() stack.
in openssl, apparently, SSL_get_error() values live in a different
namespace, one needs to use ERR_get_error() as an argument
for ERR_error_string().
*/
#define SSL_errno(X,Y) SSL_get_error(X,Y)
#else
#define SSL_errno(X,Y) ERR_get_error() #define SSL_errno(X,Y) ERR_get_error()
#endif
/** /**
Obtain the equivalent system error status for the last SSL I/O operation. Obtain the equivalent system error status for the last SSL I/O operation.
...@@ -124,9 +112,7 @@ static my_bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event ...@@ -124,9 +112,7 @@ static my_bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event
default: default:
should_retry= FALSE; should_retry= FALSE;
ssl_set_sys_error(ssl_error); ssl_set_sys_error(ssl_error);
#ifndef HAVE_YASSL
ERR_clear_error(); ERR_clear_error();
#endif
break; break;
} }
...@@ -197,25 +183,6 @@ size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size) ...@@ -197,25 +183,6 @@ size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size)
DBUG_RETURN(ret < 0 ? -1 : ret); DBUG_RETURN(ret < 0 ? -1 : ret);
} }
#ifdef HAVE_YASSL
/* Emulate a blocking recv() call with vio_read(). */
static long yassl_recv(void *ptr, void *buf, size_t len,
int flag __attribute__((unused)))
{
return (long)vio_read(ptr, buf, len);
}
/* Emulate a blocking send() call with vio_write(). */
static long yassl_send(void *ptr, const void *buf, size_t len,
int flag __attribute__((unused)))
{
return (long)vio_write(ptr, buf, len);
}
#endif
int vio_ssl_close(Vio *vio) int vio_ssl_close(Vio *vio)
{ {
int r= 0; int r= 0;
...@@ -335,21 +302,13 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout, ...@@ -335,21 +302,13 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd(ssl, (int)sd); SSL_set_fd(ssl, (int)sd);
/* #ifdef HAVE_WOLFSSL
Since yaSSL does not support non-blocking send operations, use
special transport functions that properly handles non-blocking
sockets. These functions emulate the behavior of blocking I/O
operations by waiting for I/O to become available.
*/
#ifdef HAVE_YASSL
/* Set first argument of the transport functions. */ /* Set first argument of the transport functions. */
yaSSL_transport_set_ptr(ssl, vio); wolfSSL_SetIOReadCtx(ssl, vio);
/* Set functions to use in order to send and receive data. */ wolfSSL_SetIOWriteCtx(ssl, vio);
yaSSL_transport_set_recv_function(ssl, yassl_recv);
yaSSL_transport_set_send_function(ssl, yassl_send);
#endif #endif
#if !defined(HAVE_YASSL) && defined(SSL_OP_NO_COMPRESSION) #if defined(SSL_OP_NO_COMPRESSION)
SSL_set_options(ssl, SSL_OP_NO_COMPRESSION); SSL_set_options(ssl, SSL_OP_NO_COMPRESSION);
#endif #endif
......
...@@ -18,10 +18,8 @@ ...@@ -18,10 +18,8 @@
#include <ssl_compat.h> #include <ssl_compat.h>
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
#ifndef HAVE_YASSL
#include <openssl/dh.h> #include <openssl/dh.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#endif
static my_bool ssl_algorithms_added = FALSE; static my_bool ssl_algorithms_added = FALSE;
static my_bool ssl_error_strings_loaded= FALSE; static my_bool ssl_error_strings_loaded= FALSE;
...@@ -166,6 +164,25 @@ static void check_ssl_init() ...@@ -166,6 +164,25 @@ static void check_ssl_init()
} }
} }
#ifdef HAVE_WOLFSSL
static int wolfssl_recv(WOLFSSL* ssl, char* buf, int sz, void* vio)
{
size_t ret;
(void)ssl;
ret = vio_read((Vio *)vio, (uchar *)buf, sz);
/* check if connection was closed */
if (ret == 0)
return WOLFSSL_CBIO_ERR_CONN_CLOSE;
return (int)ret;
}
static int wolfssl_send(WOLFSSL* ssl, char* buf, int sz, void* vio)
{
return (int)vio_write((Vio *)vio, (unsigned char*)buf, sz);
}
#endif /* HAVE_WOLFSSL */
/************************ VioSSLFd **********************************/ /************************ VioSSLFd **********************************/
static struct st_VioSSLFd * static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file, new_VioSSLFd(const char *key_file, const char *cert_file,
...@@ -232,7 +249,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -232,7 +249,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
sslGetErrString(*error))); sslGetErrString(*error)));
goto err2; goto err2;
} }
#ifndef HAVE_WOLFSSL
/* otherwise go use the defaults */ /* otherwise go use the defaults */
if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0) if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{ {
...@@ -240,13 +257,15 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -240,13 +257,15 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_PRINT("error", ("%s", sslGetErrString(*error))); DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
goto err2; goto err2;
} }
#endif
} }
if (crl_file || crl_path) if (crl_file || crl_path)
{ {
#ifdef HAVE_YASSL #ifdef HAVE_WOLFSSL
DBUG_PRINT("warning", ("yaSSL doesn't support CRL")); /* CRL does not work with WolfSSL. */
DBUG_ASSERT(0); DBUG_ASSERT(0);
goto err2;
#else #else
X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context); X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
/* Load crls from the trusted ca */ /* Load crls from the trusted ca */
...@@ -282,6 +301,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file, ...@@ -282,6 +301,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DH_free(dh); DH_free(dh);
} }
#ifdef HAVE_WOLFSSL
/* set IO functions used by wolfSSL */
wolfSSL_SetIORecv(ssl_fd->ssl_context, wolfssl_recv);
wolfSSL_SetIOSend(ssl_fd->ssl_context, wolfssl_send);
#endif
DBUG_PRINT("exit", ("OK 1")); DBUG_PRINT("exit", ("OK 1"));
DBUG_RETURN(ssl_fd); DBUG_RETURN(ssl_fd);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment