authorVladislav Vaintroub <wlad@mariadb.com>2019-02-13 09:08:06 +0100
committerVladislav Vaintroub <wlad@mariadb.com>2019-05-22 13:48:25 +0200
commit5e4b657dd44dce601c91bc77a41f6e382bc32000 (patch)
treee0c7442136ceb243768ed108db56051fd37a5762 /vio
parent31fe70290c54c44231aed881f5138924f32e47c5 (diff)
downloadmariadb-git-5e4b657dd44dce601c91bc77a41f6e382bc32000.tar.gz
MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library
- Add new submodule for WolfSSL - Build and use wolfssl and wolfcrypt instead of yassl/taocrypt - Use HAVE_WOLFSSL instead of HAVE_YASSL - Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc (sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
Diffstat (limited to 'vio')
-rw-r--r--vio/vio.c4
-rw-r--r--vio/viossl.c49
-rw-r--r--vio/viosslfactories.c35
3 files changed, 36 insertions, 52 deletions
diff --git a/vio/vio.c b/vio/vio.c
index 33533f20e85..3f92c1e6853 100644
--- a/vio/vio.c
+++ b/vio/vio.c
@@ -329,8 +329,8 @@ void vio_delete(Vio* vio)
*/
void vio_end(void)
{
-#ifdef HAVE_YASSL
- yaSSL_CleanUp();
+#ifdef HAVE_WOLFSSL
+ wolfSSL_Cleanup();
#elif defined(HAVE_OPENSSL)
// This one is needed on the client side
ERR_remove_state(0);
diff --git a/vio/viossl.c b/vio/viossl.c
index 30946d3261c..a5b3396953e 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -26,19 +26,7 @@
#ifdef HAVE_OPENSSL
-#ifdef HAVE_YASSL
-/*
- yassl seem to be different here, SSL_get_error() value can be
- directly passed to ERR_error_string(), and these errors don't go
- into ERR_get_error() stack.
- in openssl, apparently, SSL_get_error() values live in a different
- namespace, one needs to use ERR_get_error() as an argument
- for ERR_error_string().
-*/
-#define SSL_errno(X,Y) SSL_get_error(X,Y)
-#else
#define SSL_errno(X,Y) ERR_get_error()
-#endif
/**
Obtain the equivalent system error status for the last SSL I/O operation.
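Review bot: With the yaSSL branch removed, `SSL_errno(X,Y)` is now a macro that discards both of its arguments on every build, which hides from the reader that callers pass an SSL handle and a return value that go nowhere. Either replace the remaining uses with a direct `ERR_get_error()` call, or keep the macro and restore a one-line comment stating that it deliberately ignores X and Y because the queued error, not the `SSL_get_error()` value, is what `ERR_error_string()` expects — the deleted comment carried that explanation and nothing replaces it. Since `ERR_clear_error()` in the ssl_should_retry hunk below also becomes unconditional, it is worth confirming that wolfSSL's OpenSSL-compatibility layer fills and clears the same error queue; this file's error reporting now depends on it.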
@@ -124,9 +112,7 @@ static my_bool ssl_should_retry(Vio *vio, int ret, enum enum_vio_io_event *event
default:
should_retry= FALSE;
ssl_set_sys_error(ssl_error);
-#ifndef HAVE_YASSL
ERR_clear_error();
-#endif
break;
}
@@ -197,25 +183,6 @@ size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size)
DBUG_RETURN(ret < 0 ? -1 : ret);
}
-#ifdef HAVE_YASSL
-
-/* Emulate a blocking recv() call with vio_read(). */
-static long yassl_recv(void *ptr, void *buf, size_t len,
- int flag __attribute__((unused)))
-{
- return (long)vio_read(ptr, buf, len);
-}
-
-
-/* Emulate a blocking send() call with vio_write(). */
-static long yassl_send(void *ptr, const void *buf, size_t len,
- int flag __attribute__((unused)))
-{
- return (long)vio_write(ptr, buf, len);
-}
-
-#endif
-
int vio_ssl_close(Vio *vio)
{
int r= 0;
@@ -335,21 +302,13 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd(ssl, (int)sd);
- /*
- Since yaSSL does not support non-blocking send operations, use
- special transport functions that properly handles non-blocking
- sockets. These functions emulate the behavior of blocking I/O
- operations by waiting for I/O to become available.
- */
-#ifdef HAVE_YASSL
+#ifdef HAVE_WOLFSSL
/* Set first argument of the transport functions. */
- yaSSL_transport_set_ptr(ssl, vio);
- /* Set functions to use in order to send and receive data. */
- yaSSL_transport_set_recv_function(ssl, yassl_recv);
- yaSSL_transport_set_send_function(ssl, yassl_send);
+ wolfSSL_SetIOReadCtx(ssl, vio);
+ wolfSSL_SetIOWriteCtx(ssl, vio);
#endif
-#if !defined(HAVE_YASSL) && defined(SSL_OP_NO_COMPRESSION)
+#if defined(SSL_OP_NO_COMPRESSION)
SSL_set_options(ssl, SSL_OP_NO_COMPRESSION);
#endif
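Review bot: The surviving comment `/* Set first argument of the transport functions. */` no longer says which functions it means; the removed paragraph explained why I/O was routed through the vio layer, and the wolfSSL read/write callbacks themselves are installed on the SSL_CTX in new_VioSSLFd (viosslfactories.c), so a reader of ssl_do sees only half of the wiring. Suggest `/* wolfSSL: hand this Vio to the wolfssl_recv/wolfssl_send callbacks registered on the SSL_CTX in new_VioSSLFd, so all TLS I/O goes through vio_read/vio_write. */`. Note also that dropping `!defined(HAVE_YASSL)` from the `SSL_OP_NO_COMPRESSION` guard means the option is now set for WolfSSL builds whenever the macro is defined — presumably intended, but worth stating in the commit. ssl_do starts and ends outside this hunk.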
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 8ab7565a666..033d71779ab 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -18,10 +18,8 @@
#include <ssl_compat.h>
#ifdef HAVE_OPENSSL
-#ifndef HAVE_YASSL
#include <openssl/dh.h>
#include <openssl/bn.h>
-#endif
static my_bool ssl_algorithms_added = FALSE;
static my_bool ssl_error_strings_loaded= FALSE;
@@ -166,6 +164,25 @@ static void check_ssl_init()
}
}
+#ifdef HAVE_WOLFSSL
+static int wolfssl_recv(WOLFSSL* ssl, char* buf, int sz, void* vio)
+{
+ size_t ret;
+ (void)ssl;
+ ret = vio_read((Vio *)vio, (uchar *)buf, sz);
+ /* check if connection was closed */
+ if (ret == 0)
+ return WOLFSSL_CBIO_ERR_CONN_CLOSE;
+
+ return (int)ret;
+}
+
+static int wolfssl_send(WOLFSSL* ssl, char* buf, int sz, void* vio)
+{
+ return (int)vio_write((Vio *)vio, (unsigned char*)buf, sz);
+}
+#endif /* HAVE_WOLFSSL */
+
/************************ VioSSLFd **********************************/
static struct st_VioSSLFd *
new_VioSSLFd(const char *key_file, const char *cert_file,
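Review bot: wolfssl_recv and wolfssl_send collapse every vio_read/vio_write failure into the same negative value — assuming the vio layer reports failure as `(size_t)-1`, as the `ret < 0 ? -1 : ret` pattern in vio_ssl_write suggests, the `(int)` cast turns it into `-1`, which wolfSSL reads as a general error — so a would-block or timeout result on a non-blocking socket is indistinguishable from a hard socket error. ssl_should_retry in viossl.c decides whether to wait on the socket from the SSL error it gets back, and that only works if the callbacks return WOLFSSL_CBIO_ERR_WANT_READ / WOLFSSL_CBIO_ERR_WANT_WRITE for the retryable case; with the current mapping a non-blocking connection presumably fails instead of retrying. The vio layer's own retry test (vio_should_retry) can provide that distinction, as sketched below. Two smaller points: the two callbacks cast `buf` differently (`(uchar *)` vs `(unsigned char*)`), and only wolfssl_recv silences its unused `ssl` parameter.
```c
static int wolfssl_recv(WOLFSSL* ssl, char* buf, int sz, void* vio)
{
  size_t ret;
  (void)ssl;
  ret = vio_read((Vio *)vio, (uchar *)buf, sz);
  /* check if connection was closed */
  if (ret == 0)
    return WOLFSSL_CBIO_ERR_CONN_CLOSE;
  /* would-block / timeout must be reported as WANT_READ so the caller waits and retries */
  if (ret == (size_t)-1)
    return vio_should_retry((Vio *)vio) ? WOLFSSL_CBIO_ERR_WANT_READ
                                        : WOLFSSL_CBIO_ERR_GENERAL;
  return (int)ret;
}

static int wolfssl_send(WOLFSSL* ssl, char* buf, int sz, void* vio)
{
  size_t ret;
  (void)ssl;
  ret = vio_write((Vio *)vio, (uchar *)buf, sz);
  if (ret == (size_t)-1)
    return vio_should_retry((Vio *)vio) ? WOLFSSL_CBIO_ERR_WANT_WRITE
                                        : WOLFSSL_CBIO_ERR_GENERAL;
  return (int)ret;
}
```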
@@ -232,7 +249,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
sslGetErrString(*error)));
goto err2;
}
-
+#ifndef HAVE_WOLFSSL
/* otherwise go use the defaults */
if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
{
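Review bot: The `#ifndef HAVE_WOLFSSL` introduced here (closed by the `#endif` in the following hunk) silently skips `SSL_CTX_set_default_verify_paths` for WolfSSL builds without saying why, and this is the branch that decides what trust store a context without an explicit CA ends up with — a security-relevant choice that a future reader should not have to reverse-engineer. A short comment would settle whether this is a missing feature or a deliberate policy, e.g. `/* wolfSSL: no system default CA paths are loaded here; without ca_file/ca_path the context's trust store stays empty (confirm against the wolfSSL build options). */`. new_VioSSLFd starts and ends outside this hunk.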
@@ -240,13 +257,15 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
goto err2;
}
+#endif
}
if (crl_file || crl_path)
{
-#ifdef HAVE_YASSL
- DBUG_PRINT("warning", ("yaSSL doesn't support CRL"));
+#ifdef HAVE_WOLFSSL
+ /* CRL does not work with WolfSSL. */
DBUG_ASSERT(0);
+ goto err2;
#else
X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
/* Load crls from the trusted ca */
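Review bot: The new WolfSSL branch for `crl_file || crl_path` jumps to `err2` without assigning `*error`, whereas every other failure path visible in this function first stores an error code and logs it (`*error= …; DBUG_PRINT("error", …); goto err2;`), so in a release build the caller presumably gets a NULL return with a stale or zero error code. `DBUG_ASSERT(0)` also aborts debug builds on what is a pure configuration choice, before the `goto` is ever reached, which makes the new `goto err2` effectively release-only behaviour. Suggest dropping the assert and reporting the condition like the neighbouring paths do: set `*error` to a suitable error code, then `DBUG_PRINT("error", ("CRL is not supported with WolfSSL"));` before `goto err2;`. new_VioSSLFd starts and ends outside this hunk.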
@@ -282,6 +301,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DH_free(dh);
}
+#ifdef HAVE_WOLFSSL
+ /* set IO functions used by wolfSSL */
+ wolfSSL_SetIORecv(ssl_fd->ssl_context, wolfssl_recv);
+ wolfSSL_SetIOSend(ssl_fd->ssl_context, wolfssl_send);
+#endif
+
DBUG_PRINT("exit", ("OK 1"));
DBUG_RETURN(ssl_fd);