authorVladislav Vaintroub <wlad@mariadb.com>2019-02-13 09:08:06 +0100
committerVladislav Vaintroub <wlad@mariadb.com>2019-05-22 13:48:25 +0200
commit5e4b657dd44dce601c91bc77a41f6e382bc32000 (patch)
treee0c7442136ceb243768ed108db56051fd37a5762
parent31fe70290c54c44231aed881f5138924f32e47c5 (diff)
downloadmariadb-git-5e4b657dd44dce601c91bc77a41f6e382bc32000.tar.gz
MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library
- Add new submodule for WolfSSL - Build and use wolfssl and wolfcrypt instead of yassl/taocrypt - Use HAVE_WOLFSSL instead of HAVE_YASSL - Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc (sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
-rw-r--r--.gitmodules3
-rw-r--r--CMakeLists.txt4
-rw-r--r--cmake/libutils.cmake2
-rw-r--r--cmake/mariadb_connector_c.cmake2
-rw-r--r--cmake/ssl.cmake36
-rw-r--r--config.h.cmake1
-rw-r--r--extra/mariabackup/CMakeLists.txt4
-rw-r--r--extra/wolfssl/CMakeLists.txt89
m---------extra/wolfssl/wolfssl0
-rw-r--r--include/my_global.h1
-rw-r--r--include/mysql/service_my_crypt.h2
-rw-r--r--include/ssl_compat.h30
-rw-r--r--include/sslopt-case.h4
-rw-r--r--mysql-test/main/ssl_7937.test10
-rw-r--r--mysql-test/main/ssl_cipher.test2
-rw-r--r--mysql-test/suite.pm9
-rw-r--r--mysys/my_rnd.c13
-rw-r--r--mysys_ssl/CMakeLists.txt1
-rw-r--r--mysys_ssl/my_crypt.cc26
-rw-r--r--mysys_ssl/my_md5.cc17
-rw-r--r--mysys_ssl/my_sha.ic41
-rw-r--r--plugin/aws_key_management/aws_key_management_plugin.cc2
-rw-r--r--plugin/file_key_management/parser.cc8
-rw-r--r--plugin/locale_info/CMakeLists.txt3
-rw-r--r--plugin/qc_info/CMakeLists.txt3
-rw-r--r--sql-common/client.c12
-rw-r--r--sql/mysqld.cc37
-rw-r--r--support-files/compiler_warnings.supp11
-rw-r--r--unittest/json_lib/CMakeLists.txt1
-rw-r--r--unittest/my_decimal/CMakeLists.txt1
-rw-r--r--vio/vio.c4
-rw-r--r--vio/viossl.c49
-rw-r--r--vio/viosslfactories.c35
33 files changed, 262 insertions, 201 deletions
diff --git a/.gitmodules b/.gitmodules
index 61d4c06dd4e..53a7787232a 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -8,3 +8,6 @@
path = wsrep-lib
url = https://github.com/codership/wsrep-lib.git
branch = master
+[submodule "extra/wolfssl/wolfssl"]
+ path = extra/wolfssl/wolfssl
+ url = https://github.com/WolfSSL/wolfssl
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c20520181db..1aff1e73b2a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -346,7 +346,7 @@ IF(NOT HAVE_CXX_NEW)
ENDIF()
# Find header files from the bundled libraries
-# (yassl, readline, pcre, etc)
+# (wolfssl, readline, pcre, etc)
# before the ones installed in the system
SET(CMAKE_INCLUDE_DIRECTORIES_PROJECT_BEFORE ON)
@@ -359,7 +359,7 @@ INCLUDE_DIRECTORIES(${CMAKE_CURRENT_BINARY_DIR}/include)
# Add bundled or system zlib.
MYSQL_CHECK_ZLIB_WITH_COMPRESS()
-# Add bundled yassl/taocrypt or system openssl.
+# Add bundled wolfssl/wolfcrypt or system openssl.
MYSQL_CHECK_SSL()
# Add readline or libedit.
MYSQL_CHECK_READLINE()
diff --git a/cmake/libutils.cmake b/cmake/libutils.cmake
index 002d5a4cabc..6b2a2e9b2bb 100644
--- a/cmake/libutils.cmake
+++ b/cmake/libutils.cmake
@@ -317,7 +317,7 @@ ELSEIF(UNIX)
ENDIF()
ENDIF()
-# We try to hide the symbols in yassl/zlib to avoid name clashes with
+# We try to hide the symbols in bundled libraries to avoid name clashes with
# other libraries like openssl.
FUNCTION(RESTRICT_SYMBOL_EXPORTS target)
IF(VISIBILITY_HIDDEN_FLAG)
diff --git a/cmake/mariadb_connector_c.cmake b/cmake/mariadb_connector_c.cmake
index 0f08c3464c4..4fb4be44831 100644
--- a/cmake/mariadb_connector_c.cmake
+++ b/cmake/mariadb_connector_c.cmake
@@ -8,7 +8,7 @@ SET(CONC_WITH_SIGNCODE ${SIGNCODE})
SET(SIGN_OPTIONS ${SIGNTOOL_PARAMETERS})
SET(CONC_WITH_EXTERNAL_ZLIB ON)
-IF(SSL_DEFINES MATCHES "YASSL")
+IF(SSL_DEFINES MATCHES "WOLFSSL")
IF(WIN32)
SET(CONC_WITH_SSL "SCHANNEL")
ELSE()
diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
index 2ec370404df..0d2570f1336 100644
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -15,7 +15,7 @@
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA
# We support different versions of SSL:
-# - "bundled" uses source code in <source dir>/extra/yassl
+# - "bundled" uses source code in <source dir>/extra/wolfssl
# - "system" (typically) uses headers/libraries in /usr/lib and /usr/lib64
# - a custom installation of openssl can be used like this
# - cmake -DCMAKE_PREFIX_PATH=</path/to/custom/openssl> -DWITH_SSL="system"
@@ -35,7 +35,7 @@
# 'set path=</path/to/custom/openssl>\bin;%PATH%
# in order to find the .dll files at runtime.
-SET(WITH_SSL_DOC "bundled (use yassl)")
+SET(WITH_SSL_DOC "bundled (use wolfssl)")
SET(WITH_SSL_DOC
"${WITH_SSL_DOC}, yes (prefer os library if present, otherwise use bundled)")
SET(WITH_SSL_DOC
@@ -48,29 +48,19 @@ MACRO (CHANGE_SSL_SETTINGS string)
ENDMACRO()
MACRO (MYSQL_USE_BUNDLED_SSL)
- SET(INC_DIRS
- ${CMAKE_SOURCE_DIR}/extra/yassl/include
- ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/include
+ SET(INC_DIRS
+ ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl
+ ${CMAKE_SOURCE_DIR}/extra/wolfssl/wolfssl/wolfssl
)
- SET(SSL_LIBRARIES yassl taocrypt)
+ SET(SSL_LIBRARIES wolfssl wolfcrypt)
SET(SSL_INCLUDE_DIRS ${INC_DIRS})
- SET(SSL_INTERNAL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/mySTL)
- SET(SSL_DEFINES "-DHAVE_YASSL -DYASSL_PREFIX -DHAVE_OPENSSL -DMULTI_THREADED")
- SET(HAVE_ERR_remove_thread_state OFF CACHE INTERNAL "yassl doesn't have ERR_remove_thread_state")
- SET(HAVE_EncryptAes128Ctr OFF CACHE INTERNAL "yassl doesn't support AES-CTR")
- SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "yassl doesn't support AES-GCM")
+ SET(SSL_DEFINES "-DHAVE_OPENSSL -DHAVE_WOLFSSL -DOPENSSL_ALL -DWOLFSSL_MYSQL_COMPATIBLE -DWC_NO_HARDEN")
+ SET(HAVE_ERR_remove_thread_state ON CACHE INTERNAL "wolfssl doesn't have ERR_remove_thread_state")
+ SET(HAVE_EncryptAes128Ctr ON CACHE INTERNAL "wolfssl does support AES-CTR")
+ SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
+ SET(HAVE_X509_check_host ON CACHE INTERNAL "wolfssl does support X509_check_host")
CHANGE_SSL_SETTINGS("bundled")
- ADD_SUBDIRECTORY(extra/yassl)
- ADD_SUBDIRECTORY(extra/yassl/taocrypt)
- GET_TARGET_PROPERTY(src yassl SOURCES)
- FOREACH(file ${src})
- SET(SSL_SOURCES ${SSL_SOURCES} ${CMAKE_SOURCE_DIR}/extra/yassl/${file})
- ENDFOREACH()
- GET_TARGET_PROPERTY(src taocrypt SOURCES)
- FOREACH(file ${src})
- SET(SSL_SOURCES ${SSL_SOURCES}
- ${CMAKE_SOURCE_DIR}/extra/yassl/taocrypt/${file})
- ENDFOREACH()
+ ADD_SUBDIRECTORY(extra/wolfssl)
MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
ENDMACRO()
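Review bot: The cache entry at L141 sets HAVE_ERR_remove_thread_state to ON while its help string still says "wolfssl doesn't have ERR_remove_thread_state", so one of the two is wrong; since include/ssl_compat.h maps ERR_remove_state to a no-op under HAVE_WOLFSSL before the `#elif` that tests this flag, the string should say why ON is the intended value, e.g. `"wolfssl: ERR_remove_state is stubbed in ssl_compat.h, flag kept ON for consumers that test it"`. Separately, `-DWC_NO_HARDEN` in SSL_DEFINES at L140 propagates to every target that consumes SSL_DEFINES, not just the bundled library, and if I read wolfSSL's settings.h correctly it silences the build-time warning that side-channel hardening options are incomplete. extra/wolfssl/CMakeLists.txt does enable ECC_TIMING_RESISTANT and WC_RSA_BLINDING but compiles integer.c rather than tfm.c, so TFM_TIMING_RESISTANT is absent; a comment next to WC_NO_HARDEN stating which hardening options are on and that the remaining one is deliberately not applicable would keep a later reader from assuming hardening is disabled.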
@@ -155,6 +145,8 @@ MACRO (MYSQL_CHECK_SSL)
HAVE_EncryptAes128Ctr)
CHECK_SYMBOL_EXISTS(EVP_aes_128_gcm "openssl/evp.h"
HAVE_EncryptAes128Gcm)
+ CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
+ HAVE_X509_check_host)
SET(CMAKE_REQUIRED_INCLUDES)
SET(CMAKE_REQUIRED_LIBRARIES)
ELSE()
diff --git a/config.h.cmake b/config.h.cmake
index b1092fa5df7..78fe1d9498f 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -380,6 +380,7 @@
#cmakedefine HAVE_SVR3_SIGNALS 1
#cmakedefine HAVE_V7_SIGNALS 1
#cmakedefine HAVE_ERR_remove_thread_state 1
+#cmakedefine HAVE_X509_check_host 1
#cmakedefine HAVE_SOLARIS_STYLE_GETHOST 1
diff --git a/extra/mariabackup/CMakeLists.txt b/extra/mariabackup/CMakeLists.txt
index 638fa2f740a..5326ba9f8f5 100644
--- a/extra/mariabackup/CMakeLists.txt
+++ b/extra/mariabackup/CMakeLists.txt
@@ -52,8 +52,8 @@ ELSE()
SET(NT_SERVICE_SOURCE)
ENDIF()
-ADD_DEFINITIONS(-DPCRE_STATIC=1 -DHAVE_OPENSSL=1)
-
+ADD_DEFINITIONS(-DPCRE_STATIC=1)
+ADD_DEFINITIONS(${SSL_DEFINES})
MYSQL_ADD_EXECUTABLE(mariabackup
xtrabackup.cc
innobackupex.cc
diff --git a/extra/wolfssl/CMakeLists.txt b/extra/wolfssl/CMakeLists.txt
new file mode 100644
index 00000000000..6de9ea5d5d3
--- /dev/null
+++ b/extra/wolfssl/CMakeLists.txt
@@ -0,0 +1,89 @@
+SET(WOLFSSL_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/src)
+ADD_DEFINITIONS(${SSL_DEFINES})
+ADD_DEFINITIONS(
+ -DHAVE_CRL
+ -DWOLFSSL_MYSQL_COMPATIBLE
+ -DHAVE_ECC
+ -DECC_TIMING_RESISTANT
+ -DBUILDING_WOLFSSL
+ -DHAVE_HASHDRBG
+ -DWOLFSSL_AES_DIRECT
+ -DWOLFSSL_SHA384
+ -DWOLFSSL_SHA512
+ -DWOLFSSL_SHA224
+ -DSESSION_CERT
+ -DKEEP_OUR_CERT
+ -DWOLFSSL_STATIC_RSA
+ -DWC_RSA_BLINDING
+ -DHAVE_TLS_EXTENSIONS
+ -DHAVE_AES_ECB
+ -DWOLFSSL_AES_COUNTER
+ -DNO_WOLFSSL_STUB)
+
+SET(WOLFSSL_SOURCES
+ ${WOLFSSL_SRCDIR}/crl.c
+ ${WOLFSSL_SRCDIR}/internal.c
+ ${WOLFSSL_SRCDIR}/keys.c
+ ${WOLFSSL_SRCDIR}/tls.c
+ ${WOLFSSL_SRCDIR}/wolfio.c
+ ${WOLFSSL_SRCDIR}/ocsp.c
+ ${WOLFSSL_SRCDIR}/ssl.c)
+ADD_DEFINITIONS(-DWOLFSSL_LIB)
+INCLUDE_DIRECTORIES(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl)
+IF(MSVC)
+ # size_t to long truncation warning
+ SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -wd4267")
+ IF(CMAKE_C_COMPILER_ID MATCHES Clang)
+ # Workaround a bug with clang-cl, see https://github.com/wolfSSL/wolfssl/pull/2090
+ ADD_DEFINITIONS(-DMP_16BIT)
+ ENDIF()
+ENDIF()
+
+ADD_CONVENIENCE_LIBRARY(wolfssl ${WOLFSSL_SOURCES})
+
+# Workaround linker crash with older Ubuntu binutils
+# e.g aborting at ../../bfd/merge.c line 873 in _bfd_merged_section_offset
+IF(CMAKE_SYSTEM_NAME MATCHES "Linux")
+ STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_RELWITHDEBINFO
+ ${CMAKE_C_FLAGS_RELWITHDEBINFO})
+ STRING(REPLACE "-g " "-g1 " CMAKE_C_FLAGS_DEBUG
+ ${CMAKE_C_FLAGS_DEBUG})
+ STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_RELWITHDEBINFO
+ ${CMAKE_C_FLAGS_RELWITHDEBINFO})
+ STRING(REPLACE "-ggdb3 " " " CMAKE_C_FLAGS_DEBUG
+ ${CMAKE_C_FLAGS_DEBUG})
+ENDIF()
+
+SET(WOLFCRYPT_SRCDIR ${CMAKE_CURRENT_SOURCE_DIR}/wolfssl/wolfcrypt/src)
+SET(WOLFCRYPT_SOURCES
+${WOLFCRYPT_SRCDIR}/aes.c
+${WOLFCRYPT_SRCDIR}/arc4.c
+${WOLFCRYPT_SRCDIR}/asn.c
+${WOLFCRYPT_SRCDIR}/coding.c
+${WOLFCRYPT_SRCDIR}/des3.c
+${WOLFCRYPT_SRCDIR}/dh.c
+${WOLFCRYPT_SRCDIR}/dsa.c
+${WOLFCRYPT_SRCDIR}/ecc.c
+${WOLFCRYPT_SRCDIR}/error.c
+${WOLFCRYPT_SRCDIR}/hmac.c
+${WOLFCRYPT_SRCDIR}/integer.c
+${WOLFCRYPT_SRCDIR}/logging.c
+${WOLFCRYPT_SRCDIR}/md4.c
+${WOLFCRYPT_SRCDIR}/md5.c
+${WOLFCRYPT_SRCDIR}/memory.c
+${WOLFCRYPT_SRCDIR}/pkcs12.c
+${WOLFCRYPT_SRCDIR}/pwdbased.c
+${WOLFCRYPT_SRCDIR}/rabbit.c
+${WOLFCRYPT_SRCDIR}/random.c
+${WOLFCRYPT_SRCDIR}/rsa.c
+${WOLFCRYPT_SRCDIR}/sha.c
+${WOLFCRYPT_SRCDIR}/sha256.c
+${WOLFCRYPT_SRCDIR}/sha512.c
+${WOLFCRYPT_SRCDIR}/wc_port.c
+${WOLFCRYPT_SRCDIR}/wc_encrypt.c
+${WOLFCRYPT_SRCDIR}/hash.c
+${WOLFCRYPT_SRCDIR}/wolfmath.c
+)
+
+ADD_CONVENIENCE_LIBRARY(wolfcrypt ${WOLFCRYPT_SOURCES})
+
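Review bot: The configuration macros added with ADD_DEFINITIONS here (L201-219, notably WOLFSSL_SHA384/SHA512/SHA224 and HAVE_ECC) are directory-scoped, so translation units elsewhere that include wolfcrypt headers are compiled without them unless they are repeated by hand, as mysys_ssl/my_sha.ic does at L583-585 and include/ssl_compat.h relies on at L351 (`sizeof(wc_Md5)`). Any macro that changes a wolfcrypt context struct's layout must be identical in the library and in every consumer, otherwise context sizes and field offsets diverge silently; moving the layout-affecting defines into SSL_DEFINES in cmake/ssl.cmake, or generating a single user_settings.h consumed by both sides, would remove that hazard. `-DWOLFSSL_MYSQL_COMPATIBLE` at L203 is already in SSL_DEFINES (applied at L200) and can be dropped here. `-DWOLFSSL_STATIC_RSA` at L214 enables static-RSA key exchange suites, which give no forward secrecy; a one-line comment on why they are needed (presumably compatibility with an existing test or client) would document the trade-off.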
diff --git a/extra/wolfssl/wolfssl b/extra/wolfssl/wolfssl
new file mode 160000
+Subproject 21f2beca9f320199fcea4a96df3e19967804144
diff --git a/include/my_global.h b/include/my_global.h
index e2b2b7635cc..248320e301f 100644
--- a/include/my_global.h
+++ b/include/my_global.h
@@ -989,7 +989,6 @@ typedef struct st_mysql_lex_string LEX_STRING;
#if defined(__WIN__)
#define socket_errno WSAGetLastError()
#define SOCKET_EINTR WSAEINTR
-#define SOCKET_EAGAIN WSAEINPROGRESS
#define SOCKET_ETIMEDOUT WSAETIMEDOUT
#define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK
#define SOCKET_EADDRINUSE WSAEADDRINUSE
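Review bot: Dropping `#define SOCKET_EAGAIN WSAEINPROGRESS` at L299 leaves the Windows branch without a SOCKET_EAGAIN while the sibling macros (SOCKET_EINTR, SOCKET_ETIMEDOUT, SOCKET_EWOULDBLOCK) remain, and nothing in the hunk replaces it. If the intent is to take the definition that a wolfSSL header provides, that only holds for translation units that include wolfSSL, and any other Windows user of SOCKET_EAGAIN now fails to compile or, if a different header defines it, silently compares against a different error code. A comment at the removal site naming the header that now owns the macro, e.g. `/* SOCKET_EAGAIN: defined by wolfSSL's wolfio.h on Windows; keep in sync */`, would make the dependency visible; the non-Windows branch of this block is outside the hunk.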
diff --git a/include/mysql/service_my_crypt.h b/include/mysql/service_my_crypt.h
index de4a8bb69da..2de698fe41c 100644
--- a/include/mysql/service_my_crypt.h
+++ b/include/mysql/service_my_crypt.h
@@ -45,7 +45,7 @@ extern "C" {
/* The max key length of all supported algorithms */
#define MY_AES_MAX_KEY_LENGTH 32
-#define MY_AES_CTX_SIZE 512
+#define MY_AES_CTX_SIZE 560
enum my_aes_mode {
MY_AES_ECB, MY_AES_CBC
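Review bot: MY_AES_CTX_SIZE is part of the my_crypt plugin service header, so raising it from 512 to 560 at L311 changes the amount of storage every out-of-tree plugin built against the older header reserves for a cipher context; if the server-side implementation now writes a context that needs more than 512 bytes into caller-provided storage, a plugin compiled with the old value overflows its buffer. The hunk does not show whether the service version constant in include/service_versions.h is bumped alongside; that is worth confirming. A comment at the define stating the requirement, e.g. `/* Must be >= sizeof(EVP_CIPHER_CTX) for every supported backend (WolfSSL's is larger than OpenSSL's); checked by a static assert in my_crypt.cc */`, would record why the number changed.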
diff --git a/include/ssl_compat.h b/include/ssl_compat.h
index c94b9671d5f..9b63c24399a 100644
--- a/include/ssl_compat.h
+++ b/include/ssl_compat.h
@@ -17,11 +17,7 @@
#include <openssl/opensslv.h>
/* OpenSSL version specific definitions */
-#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define HAVE_X509_check_host 1
-#endif
+#if defined(OPENSSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define HAVE_OPENSSL11 1
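Review bot: The removed block at L323-325 defined HAVE_X509_check_host only for OpenSSL >= 1.0.2 and explicitly not for LibreSSL; the replacement moves detection to the CHECK_SYMBOL_EXISTS in cmake/ssl.cmake (L164-165), which will set the macro whenever the symbol is present, LibreSSL included. If the LibreSSL exclusion was deliberate (for example because of a behavioural difference in its X509_check_host), that intent is lost here without comment; if it was merely because the version-number test could not be applied to LibreSSL, a short comment at L326 saying that hostname-check availability is now determined at configure time would explain why the header no longer decides it.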
@@ -49,27 +45,39 @@
#else
#define HAVE_OPENSSL10 1
+#ifdef HAVE_WOLFSSL
+#define SSL_LIBRARY "WolfSSL " WOLFSSL_VERSION
+#else
#define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
+#endif
-#ifdef HAVE_ERR_remove_thread_state
+#ifdef HAVE_WOLFSSL
+#undef ERR_remove_state
+#define ERR_remove_state(x) do {} while(0)
+#elif defined (HAVE_ERR_remove_thread_state)
#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
#endif /* HAVE_ERR_remove_thread_state */
#endif /* HAVE_OPENSSL11 */
+#endif
-#elif defined(HAVE_YASSL)
-#define SSL_LIBRARY "YaSSL " YASSL_VERSION
-#define BN_free(X) do { } while(0)
-#endif /* !defined(HAVE_YASSL) */
+#ifdef HAVE_WOLFSSL
+#define EVP_MD_CTX_SIZE sizeof(wc_Md5)
+#endif
#ifndef HAVE_OPENSSL11
+#ifndef ASN1_STRING_get0_data
#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
+#endif
+#ifndef EVP_MD_CTX_SIZE
+#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
+#endif
+
#define OPENSSL_init_ssl(X,Y) SSL_library_init()
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
-#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
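Review bot: The `#endif` added at L345 closes the outer `#if defined(OPENSSL_VERSION_NUMBER)` but, unlike its siblings at L343-344, carries no label; `#endif /* defined(OPENSSL_VERSION_NUMBER) */` would keep the block readable now that it nests three levels. The label at L343, `/* HAVE_ERR_remove_thread_state */`, now ends an `#ifdef HAVE_WOLFSSL ... #elif` chain, so it names only the second branch. The `#undef ERR_remove_state` at L339 is presumably there because a wolfSSL compatibility header already defines the name; a comment saying which header, and why the stub is preferred, would help, and the macro parameter should use the same case as the neighbouring `ERR_remove_state(X)` at L342 for consistency.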
diff --git a/include/sslopt-case.h b/include/sslopt-case.h
index fe53088e89b..87eeff28231 100644
--- a/include/sslopt-case.h
+++ b/include/sslopt-case.h
@@ -29,8 +29,8 @@
One can disable SSL later by using --skip-ssl or --ssl=0
*/
opt_use_ssl= 1;
- /* crl has no effect in yaSSL */
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
+ /* CRL does not work with WolfSSL */
opt_ssl_crl= NULL;
opt_ssl_crlpath= NULL;
#endif
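Review bot: The new comment at L380, "CRL does not work with WolfSSL", conflicts with extra/wolfssl/CMakeLists.txt in this same commit, which defines HAVE_CRL and compiles crl.c; if CRL support is compiled in but unusable through the OpenSSL-compatible API the server uses, the comment should say that. More importantly, the code below it silently discards a user-supplied --ssl-crl/--ssl-crlpath, so revocation checking the operator asked for is turned off without any message; a warning at option-processing time, or at minimum a comment stating that the options are accepted but ignored on WolfSSL builds, would make that degradation visible. The enclosing switch case starts before the hunk.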
diff --git a/mysql-test/main/ssl_7937.test b/mysql-test/main/ssl_7937.test
index aa8cd225d7b..264da3a6daa 100644
--- a/mysql-test/main/ssl_7937.test
+++ b/mysql-test/main/ssl_7937.test
@@ -22,14 +22,14 @@ create procedure have_ssl()
--echo mysql --ssl --ssl-verify-server-cert -e "call test.have_ssl()"
# this is the test where certificate verification fails.
-# but yassl doesn't support certificate verification, so
-# we fake the test result for yassl
-let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
-if (!$yassl) {
+# but client library may not support certificate verification, so
+# we fake the test result for it. We assume client is openssl, when server is openssl
+let client_supports_cert_verification =`select variable_value not in('Unknown','OFF') from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
+if ($client_supports_cert_verification) {
--replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
--exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
}
-if ($yassl) {
+if (!$client_supports_cert_verification) {
--echo ERROR 2026 (HY000): SSL connection error: Failed to verify the server certificate
}
drop procedure have_ssl;
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
index 27854654a9f..36549d76d02 100644
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@@ -43,7 +43,7 @@ drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_use
#
# Bug#21611 Slave can't connect when master-ssl-cipher specified
# - Apparently selecting a cipher doesn't work at all
-# - Use a cipher that both yaSSL and OpenSSL supports
+# - Use a cipher that both WolfSSL and OpenSSL supports
#
--write_file $MYSQLTEST_VARDIR/tmp/test.sql
SHOW STATUS LIKE 'Ssl_cipher';
diff --git a/mysql-test/suite.pm b/mysql-test/suite.pm
index 76bfab714df..7f9838f645e 100644
--- a/mysql-test/suite.pm
+++ b/mysql-test/suite.pm
@@ -66,9 +66,14 @@ sub skip_combinations {
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.1d" and $1 lt "1.1.1";
+ sub x509v3_ok() {
+ return ($::mysqld_variables{'version-ssl-library'} =~ /WolfSSL/) ||
+ ($::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
+ and $1 ge "1.0.2");
+ }
+
$skip{'main/ssl_7937.combinations'} = [ 'x509v3' ]
- unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
- and $1 ge "1.0.2";
+ unless x509v3_ok();
$skip{'main/ssl_verify_ip.test'} = 'x509v3 support required'
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
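Review bot: `sub x509v3_ok` at L427-431 is defined lexically inside `skip_combinations`, but a named sub in Perl is package-global and compiled once regardless of where it appears, so the nesting suggests a scope it does not have; defining it at file scope next to the other helpers would be clearer. The `ssl_verify_ip.test` skip at L437-438 still requires OpenSSL rather than calling the new helper, which matches the client.c change in this commit that leaves IP-address verification out on WolfSSL, but a comment saying so, e.g. `# IP SAN verification is OpenSSL-only, see ssl_verify_server_cert() in sql-common/client.c`, would stop the next reader from "fixing" it to use x509v3_ok().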
diff --git a/mysys/my_rnd.c b/mysys/my_rnd.c
index c38682a2012..0af251b4ade 100644
--- a/mysys/my_rnd.c
+++ b/mysys/my_rnd.c
@@ -78,20 +78,11 @@ double my_rnd(struct my_rnd_struct *rand_st)
double my_rnd_ssl(struct my_rnd_struct *rand_st)
{
-
-#if defined(HAVE_YASSL) || defined(HAVE_OPENSSL)
- int rc;
- unsigned int res;
-
-#if defined(HAVE_YASSL)
- rc= yaSSL::RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
-#else
+#if defined(HAVE_OPENSSL)
rc= RAND_bytes((unsigned char *) &res, sizeof (unsigned int));
-#endif /* HAVE_YASSL */
-
if (rc)
return (double)res / (double)UINT_MAX;
-#endif /* defined(HAVE_YASSL) || defined(HAVE_OPENSSL) */
+#endif /* defined(HAVE_OPENSSL) */
return my_rnd(rand_st);
}
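Review bot: `rc` and `res` are used at L455 and L459, but their declarations `int rc;` and `unsigned int res;` are removed at L448-449 and not added back anywhere in the hunk, and the function's opening brace at L445 is inside the hunk, so as rendered the HAVE_OPENSSL build has no declaration for either identifier. Restoring them under the new guard fixes it: `#if defined(HAVE_OPENSSL)`, `int rc;`, `unsigned int res;`. Unchanged but worth a comment: when RAND_bytes reports failure the function falls back to `my_rnd()`, which is not a cryptographic generator, and callers cannot tell which path produced the value.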
diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt
index 86749128664..1c3f60b5bb0 100644
--- a/mysys_ssl/CMakeLists.txt
+++ b/mysys_ssl/CMakeLists.txt
@@ -36,7 +36,6 @@ SET(MYSYS_SSL_SOURCES
my_crypt.cc
)
-# We do RESTRICT_SYMBOL_EXPORTS(yassl) elsewhere.
# In order to get correct symbol visibility, these files
# must be compiled with "-fvisibility=hidden"
IF(WITH_SSL STREQUAL "bundled" AND HAVE_VISIBILITY_HIDDEN)
diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
index 65dd5cd769e..e83c949f21e 100644
--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
@@ -18,14 +18,10 @@
#include <my_global.h>
#include <string.h>
-#ifdef HAVE_YASSL
-#include "yassl.cc"
-#else
#include <openssl/evp.h>
#include <openssl/aes.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#endif
#include <my_crypt.h>
#include <ssl_compat.h>
@@ -54,7 +50,7 @@ public:
if (unlikely(!cipher))
return MY_AES_BAD_KEYSIZE;
- if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt))
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt) != 1)
return MY_AES_OPENSSL_ERROR;
DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen);
@@ -64,14 +60,30 @@ public:
}
virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{
- if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen))
+ if (EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen) != 1)
return MY_AES_OPENSSL_ERROR;
return MY_AES_OK;
}
virtual int finish(uchar *dst, uint *dlen)
{
- if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen))
+#ifdef HAVE_WOLFSSL
+ /*
+ Bug in WolfSSL - sometimes EVP_CipherFinal_ex
+ returns success without setting destination length
+ when it should return error.
+ We catch it by presetting invalid value for length,
+ and checking if it has changed after the call.
+
+ See https://github.com/wolfSSL/wolfssl/issues/2224
+ */
+ *dlen= UINT_MAX;
+#endif
+ if (EVP_CipherFinal_ex(ctx, dst, (int*)dlen) != 1)
return MY_AES_BAD_DATA;
+#ifdef HAVE_WOLFSSL
+ if (*dlen == UINT_MAX)
+ return MY_AES_BAD_DATA;
+#endif
return MY_AES_OK;
}
};
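Review bot: The sentinel pattern added at L511-528 (preset `*dlen` to UINT_MAX, then treat an unchanged value after EVP_CipherFinal_ex as failure) is harmless on OpenSSL too, since a successful final always writes a length, so both `#ifdef HAVE_WOLFSSL` blocks could be unconditional and the OpenSSL build would then exercise the same code path as the WolfSSL build. If the conditional compilation is kept, the trailing check deserves its own one-line comment, e.g. `/* library returned success without writing a length: see issue above */`, because it is separated from the explanation by the call. Note that `(int*)dlen` stores through an int alias of a uint, so the sentinel is seen by the callee as -1, which is what makes the check work.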
diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
index 85490c1de77..407dee3bc69 100644
--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
@@ -27,26 +27,23 @@
#include <my_md5.h>
#include <stdarg.h>
-#if defined(HAVE_YASSL)
-#include "md5.hpp"
+#if defined(HAVE_WOLFSSL)
+#include <wolfssl/wolfcrypt/md5.h>
#include <ssl_compat.h>
-
-typedef TaoCrypt::MD5 EVP_MD_CTX;
-
+typedef wc_Md5 EVP_MD_CTX;
static void md5_init(EVP_MD_CTX *context)
{
- context= new(context) EVP_MD_CTX;
- context->Init();
+ wc_InitMd5(context);;
}
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
{
- context->Update((const TaoCrypt::byte *) buf, len);
+ wc_Md5Update(context, buf, len);
}
static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
{
- context->Final((TaoCrypt::byte *) digest);
+ wc_Md5Final(context,digest);
}
#elif defined(HAVE_OPENSSL)
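Review bot: `wc_InitMd5(context);;` at L552 has a stray second semicolon, and `wc_Md5Final(context,digest)` at L562 lacks the space after the comma used elsewhere in the file. In wolfSSL, wc_InitMd5, wc_Md5Update and wc_Md5Final return an int status, and all three results are discarded here; for the software implementation the only failure mode I know of is a NULL context, so ignoring them is probably fine, but a comment saying so, e.g. `/* return codes ignored: software MD5 cannot fail for a non-NULL context */`, records the assumption. The typedef at L547 ties EVP_MD_CTX to wc_Md5 for this file only, which must stay consistent with the `EVP_MD_CTX_SIZE sizeof(wc_Md5)` definition in include/ssl_compat.h.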
@@ -74,7 +71,7 @@ static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
EVP_MD_CTX_reset(context);
}
-#endif /* HAVE_YASSL */
+#endif /* HAVE_WOLFSSL */
/**
Wrapper function to compute MD5 message digest.
diff --git a/mysys_ssl/my_sha.ic b/mysys_ssl/my_sha.ic
index 97344dc0415..6bba614765e 100644
--- a/mysys_ssl/my_sha.ic
+++ b/mysys_ssl/my_sha.ic
@@ -28,35 +28,50 @@
#define HASH_SIZE (NUM > 1 ? NUM/8 : 20)
-#if defined(HAVE_YASSL)
-#include "sha.hpp"
-
-#define xCONTEXT(x) TaoCrypt::SHA ## x
+#if defined(HAVE_WOLFSSL)
+#define WOLFSSL_SHA512
+#define WOLFSSL_SHA384
+#define WOLFSSL_SHA224
+#include <wolfcrypt/sha.h>
+#include <wolfcrypt/sha256.h>
+#include <wolfcrypt/sha512.h>
+#define xCONTEXT(x) wc_Sha ## x
#define yCONTEXT(y) xCONTEXT(y)
#define CONTEXT yCONTEXT(NUM)
-#define SHA1 SHA
+#define wc_InitSha1 wc_InitSha
+#define wc_Sha1Final wc_ShaFinal
+#define wc_Sha1Update wc_ShaUpdate
+#define wc_Sha1 wc_Sha
+#define SHA224_CTX SHA256_CTX
+#define SHA384_CTX SHA512_CTX
+#define xSHA_Init(x) wc_InitSha ## x
+#define xSHA_Update(x) wc_Sha ## x ## Update
+#define xSHA_Final(x) wc_Sha ## x ## Final
+#define ySHA_Init(y) xSHA_Init(y)
+#define ySHA_Update(y) xSHA_Update(y)
+#define ySHA_Final(y) xSHA_Final(y)
+#define SHA_Init ySHA_Init(NUM)
+#define SHA_Update ySHA_Update(NUM)
+#define SHA_Final ySHA_Final(NUM)
static void sha_init(CONTEXT *context)
{
- context->Init();
+ SHA_Init(context);
}
-/*
- this is a variant of sha_init to be used in this file only.
- does nothing for yassl, because the context's constructor was called automatically.
-*/
static void sha_init_fast(CONTEXT *context)
{
+ sha_init(context);
}
static void sha_input(CONTEXT *context, const uchar *buf, unsigned len)
{
- context->Update((const TaoCrypt::byte *) buf, len);
+ SHA_Update(context, buf, len);
}
static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE])
{
- context->Final((TaoCrypt::byte *) digest);
+ SHA_Final(context, digest);
}
#elif defined(HAVE_OPENSSL)
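Review bot: The empty `#define WOLFSSL_SHA512` / `WOLFSSL_SHA384` / `WOLFSSL_SHA224` at L583-585 duplicate the `-D` flags extra/wolfssl/CMakeLists.txt passes when building the library, with a different replacement list (empty versus `1`), so any translation unit that receives both will get a macro-redefinition warning; guarding them with `#ifndef`, or sourcing them from SSL_DEFINES, avoids that and keeps the header-side struct layout identical to the library's. The comment explaining sha_init_fast was removed at L613-616 but the function is kept and now just forwards to sha_init at L619, so it should say what it is for, e.g. `/* sha_init_fast: same as sha_init on WolfSSL (no separate fast path); kept for the shared my_sha API */`.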
@@ -99,7 +114,7 @@ static void sha_result(CONTEXT *context, uchar digest[HASH_SIZE])
SHA_Final(digest, context);
}
-#endif /* HAVE_YASSL */
+#endif /* HAVE_WOLFSSL */
#define xmy_sha_multi(x) my_sha ## x ## _multi
#define xmy_sha_context_size(x) my_sha ## x ## _context_size
diff --git a/plugin/aws_key_management/aws_key_management_plugin.cc b/plugin/aws_key_management/aws_key_management_plugin.cc
index d76b000b721..489dd375387 100644
--- a/plugin/aws_key_management/aws_key_management_plugin.cc
+++ b/plugin/aws_key_management/aws_key_management_plugin.cc
@@ -214,7 +214,7 @@ Aws::SDKOptions sdkOptions;
static int aws_init()
{
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
sdkOptions.cryptoOptions.initAndCleanupOpenSSL = true;
#else
/* Server initialized OpenSSL already, thus AWS must skip it */
diff --git a/plugin/file_key_management/parser.cc b/plugin/file_key_management/parser.cc
index 5a9e5e55d63..818c026495f 100644
--- a/plugin/file_key_management/parser.cc
+++ b/plugin/file_key_management/parser.cc
@@ -96,14 +96,6 @@ openssl enc -aes-256-cbc -md sha1 -k "secret" -in keys.txt -out keys.enc
@param secret [in] the given secret as String, provided by the user
@param key [out] 32 Bytes of key are written to this pointer
@param iv [out] 16 Bytes of iv are written to this pointer
-
- Note, that in openssl this whole function can be reduced to
-
- #include <openssl/evp.h>
- EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), salt,
- secret, strlen(secret), 1, key, iv);
-
- but alas! we want to support yassl too
*/
void Parser::bytes_to_key(const unsigned char *salt, const char *input,
diff --git a/plugin/locale_info/CMakeLists.txt b/plugin/locale_info/CMakeLists.txt
index 8f1dfa0d715..c988d652d40 100644
--- a/plugin/locale_info/CMakeLists.txt
+++ b/plugin/locale_info/CMakeLists.txt
@@ -1,5 +1,4 @@
-INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex
- ${CMAKE_SOURCE_DIR}/extra/yassl/include)
+INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql ${CMAKE_SOURCE_DIR}/regex)
MYSQL_ADD_PLUGIN(LOCALES locale_info.cc RECOMPILE_FOR_EMBEDDED)
diff --git a/plugin/qc_info/CMakeLists.txt b/plugin/qc_info/CMakeLists.txt
index 821ffb79225..b8c5f926cff 100644
--- a/plugin/qc_info/CMakeLists.txt
+++ b/plugin/qc_info/CMakeLists.txt
@@ -1,5 +1,4 @@
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/sql
- ${PCRE_INCLUDES}
- ${CMAKE_SOURCE_DIR}/extra/yassl/include)
+ ${PCRE_INCLUDES})
MYSQL_ADD_PLUGIN(QUERY_CACHE_INFO qc_info.cc RECOMPILE_FOR_EMBEDDED)
diff --git a/sql-common/client.c b/sql-common/client.c
index 8596d1cafee..00d3464167a 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1576,9 +1576,15 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
#ifdef HAVE_X509_check_host
ret_validation=
- (X509_check_host(server_cert, server_hostname,
- strlen(server_hostname), 0, 0) != 1) &&
- (X509_check_ip_asc(server_cert, server_hostname, 0) != 1);
+ X509_check_host(server_cert, server_hostname,
+ strlen(server_hostname), 0, 0) != 1;
+#ifndef HAVE_WOLFSSL
+ if (ret_validation)
+ {
+ ret_validation=
+ X509_check_ip_asc(server_cert, server_hostname, 0) != 1;
+ }
+#endif
#else
subject= X509_get_subject_name(server_cert);
cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
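Review bot: The `#ifndef HAVE_WOLFSSL` at L700 silently changes the outcome for IP-address connections on WolfSSL builds: a server certificate whose only matching identity is an IP subjectAltName now fails verification, because the X509_check_ip_asc fallback is compiled out and X509_check_host alone is asked to match an IP literal. Failing closed is the right default, but it is a behavioural difference operators will hit, so a comment at L700 should state it, e.g. `/* WolfSSL provides no X509_check_ip_asc; IP-address server names are only accepted if X509_check_host matches them */`. The function continues outside the hunk.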
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 403d91b6285..5b14b9f7790 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -1453,7 +1453,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct,
#ifdef HAVE_OPENSSL
#include <openssl/crypto.h>
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
typedef struct CRYPTO_dynlock_value
{
mysql_rwlock_t lock;
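Review bot: The condition `#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)` at L718 is repeated verbatim at L727, L736 and L743, each guarding a piece of the OpenSSL 1.0 locking-callback machinery; a single derived macro defined once (in include/ssl_compat.h next to the other compatibility feature macros) would keep the four sites from drifting and would document the intent in one place. Whatever the name, the definition should carry a comment that WolfSSL provides its own thread safety and neither needs nor exports CRYPTO_num_locks-style lock installation, which is the reason these blocks are skipped.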
@@ -2112,7 +2112,7 @@ static void clean_up_mutexes()
mysql_mutex_destroy(&LOCK_global_index_stats);
#ifdef HAVE_OPENSSL
mysql_mutex_destroy(&LOCK_des_key_file);
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
for (int i= 0; i < CRYPTO_num_locks(); ++i)
mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
OPENSSL_free(openssl_stdlocks);
@@ -4550,7 +4550,7 @@ static int init_thread_environment()
#ifdef HAVE_OPENSSL
mysql_mutex_init(key_LOCK_des_key_file,
&LOCK_des_key_file, MY_MUTEX_INIT_FAST);
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
sizeof(openssl_lock_t));
for (int i= 0; i < CRYPTO_num_locks(); ++i)
@@ -4595,7 +4595,7 @@ static int init_thread_environment()
}
-#ifdef HAVE_OPENSSL10
+#if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
static openssl_lock_t *openssl_dynlock_create(const char *file, int line)
{
openssl_lock_t *lock= new openssl_lock_t;
@@ -4767,9 +4767,7 @@ int reinit_ssl()
{
my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0),
sslGetErrString(error));
-#ifndef HAVE_YASSL
ERR_clear_error();
-#endif
return 1;
}
mysql_rwlock_wrlock(&LOCK_ssl_refresh);
@@ -5943,7 +5941,7 @@ int mysqld_main(int argc, char **argv)
CloseHandle(hEventShutdown);
}
#endif
-#if (defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)) && !defined(EMBEDDED_LIBRARY)
+#if (defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY))
ERR_remove_state(0);
#endif
mysqld_exit(0);
@@ -7105,8 +7103,8 @@ struct my_option my_long_options[]=
MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-period"), // HAVE_REPLICATION
MYSQL_COMPATIBILITY_OPTION("slave-checkpoint-group"), // HAVE_REPLICATION
MYSQL_SUGGEST_ANALOG_OPTION("slave-pending-jobs-size-max", "--slave-parallel-max-queued"), // HAVE_REPLICATION
- MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-private-key-path"), // HAVE_OPENSSL && !HAVE_YASSL
- MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-public-key-path"), // HAVE_OPENSSL && !HAVE_YASSL
+ MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-private-key-path"), // HAVE_OPENSSL
+ MYSQL_TO_BE_IMPLEMENTED_OPTION("sha256-password-public-key-path"), // HAVE_OPENSSL
/* The following options exist in 5.5 and 5.6 but not in 10.0 */
MYSQL_SUGGEST_ANALOG_OPTION("abort-slave-event-count", "--debug-abort-slave-event-count"),
@@ -7338,13 +7336,13 @@ static int show_ssl_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
{
var->type= SHOW_LONG;
var->value= buff;
-#ifndef HAVE_YASSL
+#ifndef HAVE_WOLFSSL
if( thd->net.vio && thd->net.vio->ssl_arg )
*((long *)buff)= (long)SSL_get_verify_mode((SSL*)thd->net.vio->ssl_arg);
else
*((long *)buff)= 0;
#else
- *((long *)buff) = 0;
+ *((long *)buff)= 0;
#endif
return 0;
}
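Review bot: show_ssl_get_verify_mode still reports 0 on WolfSSL (L781-788) while the very similar show_ssl_get_verify_depth in the next hunk (L796-803) drops its WolfSSL special case and calls SSL_get_verify_depth unconditionally, so the two status variables now have different availability on the same build without any explanation. If SSL_get_verify_mode is genuinely unavailable through the WolfSSL compatibility layer that is worth stating in a comment at L781, e.g. `/* SSL_get_verify_mode is not provided by WolfSSL's OpenSSL-compat API */`; if it is available, the special case can go the same way as verify_depth. Reporting a constant 0 also means Ssl_verify_mode cannot be used to confirm that client certificate verification is actually enabled on such builds, which is worth noting where the variable is documented.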
@@ -7354,14 +7352,10 @@ static int show_ssl_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
{
var->type= SHOW_LONG;
var->value= buff;
-#ifndef HAVE_YASSL
if( thd->vio_ok() && thd->net.vio->ssl_arg )
*((long *)buff)= (long)SSL_get_verify_depth((SSL*)thd->net.vio->ssl_arg);
else
*((long *)buff)= 0;
-#else
- *((long *)buff)= 0;
-#endif
return 0;
}
@@ -7422,15 +7416,6 @@ DEF_SHOW_FUNC(net_wait_num, SHOW_LONGLONG)
DEF_SHOW_FUNC(avg_net_wait_time, SHOW_LONG)
DEF_SHOW_FUNC(avg_trx_wait_time, SHOW_LONG)
-#ifdef HAVE_YASSL
-
-static char *
-my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
-{
- return yaSSL_ASN1_TIME_to_string(time, buf, len);
-}
-
-#else /* openssl */
static char *
my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
@@ -7458,8 +7443,6 @@ end:
return res;
}
-#endif
-
/**
Handler function for the 'ssl_get_server_not_before' variable
@@ -8145,7 +8128,7 @@ static int mysql_init_variables(void)
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
have_ssl=SHOW_OPTION_YES;
-#if defined(HAVE_YASSL)
+#if defined(HAVE_WOLFSSL)
have_openssl= SHOW_OPTION_NO;
#else
have_openssl= SHOW_OPTION_YES;
diff --git a/support-files/compiler_warnings.supp b/support-files/compiler_warnings.supp
index 3f7a79556f9..92f856f7c35 100644
--- a/support-files/compiler_warnings.supp
+++ b/support-files/compiler_warnings.supp
@@ -99,17 +99,6 @@
.*/oqgraph/graphcore\.cc : may be used uninitialized in this function
#
-# Yassl
-#
-.*/include/runtime.hpp: .*pure_error.*
-.*/extra/yassl/.*taocrypt/.*: comparison with string literal
-.*/extra/yassl/taocrypt/src/blowfish\.cpp: array subscript is above array bounds
-.*/extra/yassl/taocrypt/src/file\.cpp: ignoring return value
-.*/extra/yassl/taocrypt/src/integer\.cpp: control reaches end of non-void function
-.*/mySTL/algorithm\.hpp: is used uninitialized in this function
-.*/include/pwdbased\.hpp: comparison of unsigned expression
-
-#
# OpenSSL
#
# The following comes because of different prototype between yassl and openssl.
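Review bot: The yassl suppression block is removed, but the comment that introduces the remaining OpenSSL block at L855 still reads "different prototype between yassl and openssl", which is now stale; it should say which two libraries' prototypes differ (presumably WolfSSL and OpenSSL) or be dropped if the suppressions below it no longer apply. The rest of that block is outside the hunk.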
diff --git a/unittest/json_lib/CMakeLists.txt b/unittest/json_lib/CMakeLists.txt
index afe81eff64a..1b2a89b28cd 100644
--- a/unittest/json_lib/CMakeLists.txt
+++ b/unittest/json_lib/CMakeLists.txt
@@ -16,7 +16,6 @@
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include
${CMAKE_SOURCE_DIR}/sql
${CMAKE_SOURCE_DIR}/regex
- ${CMAKE_SOURCE_DIR}/extra/yassl/include
${CMAKE_SOURCE_DIR}/unittest/mytap)
#
diff --git a/unittest/my_decimal/CMakeLists.txt b/unittest/my_decimal/CMakeLists.txt
index d8f74b87494..0b5b228276d 100644
--- a/unittest/my_decimal/CMakeLists.txt
+++ b/unittest/my_decimal/CMakeLists.txt
@@ -16,7 +16,6 @@
INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include
${CMAKE_SOURCE_DIR}/sql
${CMAKE_SOURCE_DIR}/regex
- ${CMAKE_SOURCE_DIR}/extra/yassl/include
${CMAKE_SOURCE_DIR}/unittest/mytap)
#
diff --git a/vio/vio.c b/vio/vio.c
index 33533f20e85..3f92c1e6853 100644
--- a/vio/vio.c
+++ b/vio/vio.c
@@ -329,8 +329,8 @@ void vio_delete(Vio* vio)
*/
void vio_end(void)
{
-#ifdef HAVE_YASSL
- yaSSL_CleanUp();
+#ifdef HAVE_WOLFSSL
+ wolfSSL_Cleanup();
#elif defined(HAVE_OPENSSL)
// This one is needed on the client side
ERR_remove_state(0);
diff --git a/vio/viossl.c b/vio/viossl.c
index 30946d3261c..a5b3396953e 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -26,19 +26,7 @@
#ifdef HAVE_OPENSSL
-#ifdef HAVE_YASSL
-/*
- yassl seem to be different here, SSL_get_error() value can be
- directly passed to ERR_error_string(), and these errors don't go
- into ERR_get_error() stack.
- in openssl, apparently, SSL_get_error() values live in a different
- namespace, one needs to use ERR_get_error() as an argument
- for ERR_error_string().
-*/
-#define SSL_errno(X,Y) SSL_get_error(X,Y)
-#else
#define SSL_errno(X,Y) ERR_get_error()
-#endif
/**
Obtain the equivalent system error status for the last SSL I/O operation.
@@ -124,9 +112,7 @@ static my_bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event
default:
should_retry= FALSE;
ssl_set_sys_error(ssl_error);
-#ifndef HAVE_YASSL
ERR_clear_error();
-#endif
break;
}
@@ -197,25 +183,6 @@ size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size)
DBUG_RETURN(ret < 0 ? -1 : ret);
}
-#ifdef HAVE_YASSL
-
-/* Emulate a blocking recv() call with vio_read(). */
-static long yassl_recv(void *ptr, void *buf, size_t len,
- int flag __attribute__((unused)))
-{
- return (long)vio_read(ptr, buf, len);
-}
-
-
-/* Emulate a blocking send() call with vio_write(). */
-static long yassl_send(void *ptr, const void *buf, size_t len,
- int flag __attribute__((unused)))
-{
- return (long)vio_write(ptr, buf, len);
-}
-
-#endif
-
int vio_ssl_close(Vio *vio)
{
int r= 0;
@@ -335,21 +302,13 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd(ssl, (int)sd);
- /*
- Since yaSSL does not support non-blocking send operations, use
- special transport functions that properly handles non-blocking
- sockets. These functions emulate the behavior of blocking I/O
- operations by waiting for I/O to become available.
- */
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
/* Set first argument of the transport functions. */
- yaSSL_transport_set_ptr(ssl, vio);
- /* Set functions to use in order to send and receive data. */
- yaSSL_transport_set_recv_function(ssl, yassl_recv);
- yaSSL_transport_set_send_function(ssl, yassl_send);
+ wolfSSL_SetIOReadCtx(ssl, vio);
+ wolfSSL_SetIOWriteCtx(ssl, vio);
#endif
-#if !defined(HAVE_YASSL) && defined(SSL_OP_NO_COMPRESSION)
+#if defined(SSL_OP_NO_COMPRESSION)
SSL_set_options(ssl, SSL_OP_NO_COMPRESSION);
#endif
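Review bot: The `wolfSSL_SetIOReadCtx`/`wolfSSL_SetIOWriteCtx` pair only works because it sits after `SSL_set_fd(ssl, (int)sd)` a few lines up, and nothing in the hunk records that dependency: as far as I recall of wolfSSL (please confirm against the bundled submodule), `wolfSSL_set_fd()` repoints the per-connection I/O contexts at its own fd fields, so reordering these statements would silently make the vio-based callbacks installed with `wolfSSL_SetIORecv`/`wolfSSL_SetIOSend` read from the wrong context. A one-line comment would pin the order: `/* Must follow SSL_set_fd(): wolfSSL_set_fd() resets the I/O contexts to its fd pointers; the callbacks need the Vio here. */`. The enclosing ssl_do() starts before this hunk and continues after it.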
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 8ab7565a666..033d71779ab 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -18,10 +18,8 @@
#include <ssl_compat.h>
#ifdef HAVE_OPENSSL
-#ifndef HAVE_YASSL
#include <openssl/dh.h>
#include <openssl/bn.h>
-#endif
static my_bool ssl_algorithms_added = FALSE;
static my_bool ssl_error_strings_loaded= FALSE;
@@ -166,6 +164,25 @@ static void check_ssl_init()
}
}
+#ifdef HAVE_WOLFSSL
+static int wolfssl_recv(WOLFSSL* ssl, char* buf, int sz, void* vio)
+{
+ size_t ret;
+ (void)ssl;
+ ret = vio_read((Vio *)vio, (uchar *)buf, sz);
+ /* check if connection was closed */
+ if (ret == 0)
+ return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+
+ return (int)ret;
+}
+
+static int wolfssl_send(WOLFSSL* ssl, char* buf, int sz, void* vio)
+{
+ return (int)vio_write((Vio *)vio, (unsigned char*)buf, sz);
+}
+#endif /* HAVE_WOLFSSL */
+
/************************ VioSSLFd **********************************/
static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
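Review bot: `wolfssl_recv` and `wolfssl_send` report every failed vio call as whatever `(int)ret` happens to be: if `vio_read()`/`vio_write()` signal failure as `(size_t)-1`, as the rest of vio does, the cast yields -1, which wolfSSL reads as `WOLFSSL_CBIO_ERR_GENERAL`, so a would-block condition on a non-blocking socket (`EAGAIN`/`EWOULDBLOCK`, `WSAEWOULDBLOCK` on Windows) is never reported as `WOLFSSL_CBIO_ERR_WANT_READ`/`WOLFSSL_CBIO_ERR_WANT_WRITE` and the `ssl_should_retry()` path in viossl.c cannot engage with this backend. The correctness of the error case also rests on -1 coinciding with wolfSSL's error code, which nothing states; I would test the error return explicitly and map the retryable socket errors, using whatever socket-errno accessor the vio layer uses instead of bare `errno` so Windows is covered. `wolfssl_send` additionally leaves its `ssl` parameter unmarked, unlike the `(void)ssl` in `wolfssl_recv`, which will warn under -Wunused-parameter.
```c
static int wolfssl_recv(WOLFSSL* ssl, char* buf, int sz, void* vio)
{
  size_t ret;
  (void)ssl;
  ret = vio_read((Vio *)vio, (uchar *)buf, sz);
  if (ret == 0)
    return WOLFSSL_CBIO_ERR_CONN_CLOSE;          /* orderly EOF from peer */
  if (ret == (size_t)-1)
  {
    /* would-block on a non-blocking socket: let wolfSSL ask us to retry */
    if (errno == EAGAIN || errno == EWOULDBLOCK) /* use the vio socket-errno accessor on Windows */
      return WOLFSSL_CBIO_ERR_WANT_READ;
    return WOLFSSL_CBIO_ERR_GENERAL;
  }
  return (int)ret;
}

static int wolfssl_send(WOLFSSL* ssl, char* buf, int sz, void* vio)
{
  size_t ret;
  (void)ssl;
  ret = vio_write((Vio *)vio, (unsigned char*)buf, sz);
  if (ret == (size_t)-1)
  {
    if (errno == EAGAIN || errno == EWOULDBLOCK)
      return WOLFSSL_CBIO_ERR_WANT_WRITE;
    return WOLFSSL_CBIO_ERR_GENERAL;
  }
  return (int)ret;
}
```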
@@ -232,7 +249,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
sslGetErrString(*error)));
goto err2;
}
-
+#ifndef HAVE_WOLFSSL
/* otherwise go use the defaults */
if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{
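Review bot: The new `#ifndef HAVE_WOLFSSL` around `SSL_CTX_set_default_verify_paths()` leaves the reader guessing why the system CA locations are skipped for wolfSSL and what that implies: when neither a CA file nor a CA path is supplied, the wolfSSL context ends up with no trust anchors at all, so any later `SSL_VERIFY_PEER` setting (outside this hunk) rejects every peer certificate while a non-verifying peer carries on unchanged, which is safe but invisible to the operator. Presumably the call is skipped because wolfSSL's compatibility implementation does not succeed here and would trip the `goto err2` below; please confirm and record it, e.g. `/* wolfSSL: no usable default CA location; with neither ssl-ca nor ssl-capath the store stays empty and peer verification, if enabled, fails closed. */`. The enclosing if-block of new_VioSSLFd() starts before this hunk.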
@@ -240,13 +257,15 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
goto err2;
}
+#endif
}
if (crl_file || crl_path)
{
-#ifdef HAVE_YASSL
- DBUG_PRINT("warning", ("yaSSL doesn't support CRL"));
+#ifdef HAVE_WOLFSSL
+ /* CRL does not work with WolfSSL. */
DBUG_ASSERT(0);
+ goto err2;
#else
X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
/* Load crls from the trusted ca */
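Review bot: The wolfSSL branch under the `crl_file || crl_path` check jumps to `err2` without assigning `*error`, so in a release build, where `DBUG_ASSERT(0)` is a no-op, the caller gets a failed context carrying whatever code `*error` held before, while the other failure paths in this function print `sslGetErrString(*error)` before their `goto err2` and evidently expect it to name the cause. Refusing to start instead of silently skipping CRL checking, as the yaSSL code did with only a debug warning, is the right fail-closed choice, but the reason must reach the log: set `*error` to the code the CRL-load failure in the `#else` branch uses (outside this hunk) before `goto err2;`, and replace the bare `/* CRL does not work with WolfSSL. */` with something actionable such as `/* wolfSSL build: CRL checking is not supported; refuse to start rather than silently run without revocation checks. */`.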
@@ -282,6 +301,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DH_free(dh);
}
+#ifdef HAVE_WOLFSSL
+ /* set IO functions used by wolfSSL */
+ wolfSSL_SetIORecv(ssl_fd->ssl_context, wolfssl_recv);
+ wolfSSL_SetIOSend(ssl_fd->ssl_context, wolfssl_send);
+#endif
+
DBUG_PRINT("exit", ("OK 1"));
DBUG_RETURN(ssl_fd);