From a1398511036983471f4fd1d1e33099dee8a565bf Mon Sep 17 00:00:00 2001
From: S-P Chan
Date: Thu, 16 Jun 2022 14:42:00 +0800
Subject: [PATCH] tls_wolfssl: Miscellaneous cleanup

Cleanup of OpenSSL symbols and OpenSSL-related memory warnings.

---
 src/modules/tls_wolfssl/tls_bio.c | 2 +-
 src/modules/tls_wolfssl/tls_domain.c | 39 +----------------------
 src/modules/tls_wolfssl/tls_init.c | 31 +++---------------
 src/modules/tls_wolfssl/tls_init.h | 10 ------
 src/modules/tls_wolfssl/tls_select.c | 16 ++--------
 src/modules/tls_wolfssl/tls_wolfssl_mod.c | 2 +-
 6 files changed, 10 insertions(+), 90 deletions(-)

diff --git a/src/modules/tls_wolfssl/tls_bio.c b/src/modules/tls_wolfssl/tls_bio.c
index 1cb0ff1f8de..e3bea2516d9 100644
--- a/src/modules/tls_wolfssl/tls_bio.c
+++ b/src/modules/tls_wolfssl/tls_bio.c
@@ -164,7 +164,7 @@ static int tls_bio_mbuf_free(BIO* b)
 struct tls_bio_mbuf_data* d;
 d = wolfSSL_BIO_get_data(b);
 if (likely(d)) {
- OPENSSL_free(d);
+ wolfSSL_OPENSSL_free(d);
 wolfSSL_BIO_set_data(b, NULL);
 wolfSSL_BIO_set_init(b, 0);
 }
diff --git a/src/modules/tls_wolfssl/tls_domain.c b/src/modules/tls_wolfssl/tls_domain.c
index 57d91a257b7..a79ae93b19b 100644
--- a/src/modules/tls_wolfssl/tls_domain.c
+++ b/src/modules/tls_wolfssl/tls_domain.c
@@ -45,21 +45,8 @@
 #include "tls_verify.h"
 
 /*
- * ECDHE is enabled only on OpenSSL 1.0.0e and later.
- * See http://www.openssl.org/news/secadv_20110906.txt
- * for details.
- * Also, copied from _ssl.c of Python for correct initialization.
- * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
- * prime256v1 by default. This is Apache mod_ssl's initialization
- * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
+ * needed for wolfSSL
 */
-
-#ifndef OPENSSL_NO_DH
-
-/*
- * not needed for OpenSSL 1.1.0+ and LibreSSL
- */
-#if !defined(SSL_CTX_set_dh_auto)
 static unsigned char dh3072_p[] = {
 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
@@ -97,7 +84,6 @@ static unsigned char dh3072_p[] = {
 };
 
 static unsigned char dh3072_g[] = { 0x02 };
-#endif
 
 static void setup_dh(WOLFSSL_CTX *ctx)
 {
@@ -105,7 +91,6 @@ static void setup_dh(WOLFSSL_CTX *ctx)
 * not needed for OpenSSL 1.1.0+ and LibreSSL
 * DH_new() is deprecated in OpenSSL 3
 */
-#if !defined(SSL_CTX_set_dh_auto)
 DH *dh;
 BIGNUM *p;
 BIGNUM *g;
@@ -131,11 +116,7 @@ static void setup_dh(WOLFSSL_CTX *ctx)
 
 wolfSSL_CTX_set_tmp_dh(ctx, dh);
 DH_free(dh);
-#else
- SSL_CTX_set_dh_auto(ctx, 1);
-#endif
 }
-#endif
 
 
 /**
@@ -677,9 +658,7 @@ static int set_cipher_list(tls_domain_t* d)
 tls_domain_str(d), cipher_list);
 return -1;
 }
-#ifndef OPENSSL_NO_DH
 setup_dh(d->ctx[i]);
-#endif
 }
 return 0;
 }
@@ -885,8 +864,6 @@ static int tls_ssl_ctx_set_read_ahead(WOLFSSL_CTX* ctx, long val, void* unused)
 }
 
 
-#ifndef OPENSSL_NO_TLSEXT
-
 /**
 * @brief SNI callback function
 *
@@ -948,7 +925,6 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)
 LM_DBG("tls_server_name_cb return SSL_TLSEXT_ERR_OK");
 return SSL_TLSEXT_ERR_OK;
 }
-#endif
 
 
 /**
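Review bot: The replacement comment `* needed for wolfSSL` above dh3072_p says why the table is kept but not what it is, which the removed block at least hinted at; the visible leading bytes (FF FF FF FF FF FF FF FF C9 0F DA A2 21 68 C2 34 C4 C6 62 8B 80 DC 1C D1) are the prefix of the RFC 3526 MODP groups, so the comment should name the group so a reviewer can check the parameters against the RFC instead of trusting them. Suggest `/* DH parameters installed on every wolfSSL context: the 3072-bit MODP group of RFC 3526 (generator 2) */` — verify the full table against the RFC before asserting the group number. Most of the table lies outside the hunk.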
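Review bot: The comment lines that survive at the top of setup_dh(), `* not needed for OpenSSL 1.1.0+ and LibreSSL` and `* DH_new() is deprecated in OpenSSL 3`, described the `#if !defined(SSL_CTX_set_dh_auto)` branch this hunk deletes; with the static-parameter path now unconditional in a wolfSSL-only module they point the reader at a choice that no longer exists. Replace them with the actual contract, e.g. `/* wolfSSL has no SSL_CTX_set_dh_auto() equivalent here, so the static 3072-bit group is installed on every context */`. The opening of the comment block and the rest of setup_dh() are outside the hunk.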
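Review bot: `wolfSSL_CTX_set_tmp_dh(ctx, dh);` discards the library's status, and with the `SSL_CTX_set_dh_auto(ctx, 1)` fallback removed this call is now the only way DHE parameters reach a context, so a rejection (a wolfSSL build without DH, or a minimum DH key size it will not accept) would most likely leave the context without working DHE suites and nothing in the log to say so. setup_dh() is void and set_cipher_list() calls it without a check, so the minimal improvement is to report failure at the call site: `if (wolfSSL_CTX_set_tmp_dh(ctx, dh) != WOLFSSL_SUCCESS) LM_ERR("failed to install DH parameters\n");` — confirm the success constant against the wolfSSL headers in use. The body of setup_dh() starts outside the hunk.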
@@ -1015,7 +991,6 @@ static int ksr_tls_fix_domain(tls_domain_t* d, tls_domain_t* def)
 }
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
 /*
 * check server domains for server_name extension and register
 * callback function
@@ -1037,17 +1012,14 @@ static int ksr_tls_fix_domain(tls_domain_t* d, tls_domain_t* def)
 return -1;
 }
 }
-#endif
 }
-#ifndef OPENSSL_NO_TLSEXT
 if ((d->type & TLS_DOMAIN_SRV) && (d->server_name.len>0 || (d->type & TLS_DOMAIN_DEF))) {
 LM_NOTICE("registered server_name callback handler for socket " "[%s:%d], server_name='%s' ...\n", ip_addr2a(&d->ip), d->port, (d->server_name.s)?d->server_name.s:"");
 }
-#endif
 
 if (load_cert(d) < 0) return -1;
 if (load_ca_list(d) < 0) return -1;
@@ -1192,21 +1164,12 @@ int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
 }
 
 /* only in >= 1.0.0 */
-#ifndef OPENSSL_NO_BUF_FREELISTS
 if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_freelist,
 ssl_freelist_max_len, 0) < 0) {
 ERR("invalid ssl_freelist_max_len value (%d)\n",
 ssl_freelist_max_len);
 return -1;
 }
-#endif
-
-#if defined (OPENSSL_NO_BUF_FREELISTS)
- if (ssl_freelist_max_len >= 0)
- ERR("cannot change openssl freelist_max_len, openssl too old"
- "(needed at least 1.0.0) or compiled without freelist support"
- " (OPENSSL_NO_BUF_FREELIST)\n");
-#endif
 
 /* only in >= 0.9.9 */
 if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_max_send_fragment,
diff --git a/src/modules/tls_wolfssl/tls_init.c b/src/modules/tls_wolfssl/tls_init.c
index 8d258724b60..595156ea8e8 100644
--- a/src/modules/tls_wolfssl/tls_init.c
+++ b/src/modules/tls_wolfssl/tls_init.c
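Review bot: The comments `/* only in >= 1.0.0 */` and `/* only in >= 0.9.9 */` refer to OpenSSL versions that no longer gate anything in tls_fix_domains_cfg(): the hunk drops the `OPENSSL_NO_BUF_FREELISTS` conditional, so tls_ssl_ctx_set_freelist now runs on every build, and the second comment already fronts an unconditional call. Delete both comments or replace the first with a statement of what the wolfSSL build does with ssl_freelist_max_len, e.g. `/* ssl_freelist_max_len: honoured via tls_ssl_ctx_set_freelist; no library-version dependency under wolfSSL */`. Whether tls_ssl_ctx_set_freelist is a no-op under wolfSSL is not visible here; if it is, the removed ERR() that told the operator the setting has no effect was useful and a wolfSSL-worded equivalent should come back. The function starts and ends outside the hunk.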
@@ -64,34 +64,8 @@
 static int tls_mod_preinitialized = 0;
 static int tls_mod_initialized = 0;
 
-
-/* replace openssl zlib compression with our version if necessary
- * (the openssl zlib compression uses the wrong malloc, see
- * openssl #1468): 0.9.8-dev < version <0.9.8e-beta1 */
-
-#ifdef TLS_KSSL_WORKARROUND
-#endif /* TLS_KSSL_WORKARROUND */
-
-/* openssl < 1. 0 */
-
-
-
-#ifndef OPENSSL_NO_COMP
 #define TLS_COMP_SUPPORT
-#else
-#undef TLS_COMP_SUPPORT
-#endif
-
-#ifndef OPENSSL_NO_KRB5
 #define TLS_KERBEROS_SUPPORT
-#else
-#undef TLS_KERBEROS_SUPPORT
-#endif
-
-
-#ifdef TLS_KSSL_WORKARROUND
-int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
-#endif
 
 
 sr_tls_methods_t sr_tls_methods[TLS_METHOD_MAX];
@@ -491,6 +465,8 @@ int tls_h_mod_init_f(void)
 low_mem_threshold2=256*1024*get_max_procs();
 }else
 low_mem_threshold2*=1024; /* KB */
+
+#if 0
 if ((low_mem_threshold1==0) || (low_mem_threshold2==0))
 LM_WARN("tls: openssl bug #1491 (crash/mem leaks on low memory)"
 " workaround disabled\n");
@@ -499,6 +475,7 @@ int tls_h_mod_init_f(void)
 " workaround enabled (on low memory tls operations will fail"
 " preemptively) with free memory thresholds %d and %d bytes\n",
 low_mem_threshold1, low_mem_threshold2);
+#endif
 
 if (shm_available()==(unsigned long)(-1)){
 LM_WARN(NAME " is compiled without MALLOC_STATS support:"
@@ -579,5 +556,5 @@ void tls_h_mod_destroy_f(void)
 /* explicit execution of libssl cleanup to avoid being executed again
 * by atexit(), when shm is gone */
 LM_DBG("executing openssl v1.1+ cleanup\n");
- OPENSSL_cleanup();
+ wolfSSL_Cleanup();
 }
diff --git a/src/modules/tls_wolfssl/tls_init.h b/src/modules/tls_wolfssl/tls_init.h
index 582bd5c2f76..319e8a4d107 100644
--- a/src/modules/tls_wolfssl/tls_init.h
+++ b/src/modules/tls_wolfssl/tls_init.h
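Review bot: `#define TLS_COMP_SUPPORT` and `#define TLS_KERBEROS_SUPPORT` are now defined unconditionally, whereas before they tracked `OPENSSL_NO_COMP` and `OPENSSL_NO_KRB5`; wolfSSL offers no Kerberos cipher suites, and TLS-level compression is a feature a TLS stack should be assumed not to provide (it is what CRIME exploits), so both macros now assert capabilities the backend very likely lacks. Any code in this module still guarded by them will be compiled in regardless of how wolfSSL was built, and if nothing is guarded by them the defines are dead. Either remove both defines or leave a comment stating why the guarded code is deliberately kept, e.g. `/* kept only for source parity with the tls module: wolfSSL provides neither TLS compression nor Kerberos suites */`. Which code these macros gate is not visible in this hunk.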
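Review bot: Wrapping the two low-memory LM_WARN() calls in `#if 0` leaves dead code in tls_h_mod_init_f() instead of deleting it, while the computation of low_mem_threshold1/low_mem_threshold2 just above stays live, so a reader cannot tell whether the low-memory guard is still in force for wolfSSL or only its announcement was muted. If the thresholds are still consulted elsewhere in the module, keep a backend-neutral notice (`LM_INFO("low-memory guard enabled with free memory thresholds %d and %d bytes\n", low_mem_threshold1, low_mem_threshold2);`) rather than silencing it; if they are not, remove the computation too. The `#if 0` region is closed by the `+#endif` in the following hunk, and the function starts and ends outside both hunks.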
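Review bot: The debug message `LM_DBG("executing openssl v1.1+ cleanup\n");` directly above the new `wolfSSL_Cleanup();` still names OpenSSL, and the comment above it speaks of libssl, so shutdown logs from this module misidentify the backend; change it to `LM_DBG("executing wolfSSL cleanup\n");` and reword the comment to say wolfSSL. wolfSSL_Cleanup() also returns a status that is discarded here; logging a non-success value at debug level would help diagnose init/cleanup pairing problems at shutdown, assuming the wolfSSL version in use reports one. tls_h_mod_destroy_f() starts outside the hunk.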
@@ -32,16 +32,6 @@
 #include "../../core/ip_addr.h"
 #include "tls_domain.h"
 
-/* openssl < 1. 0 */
-#ifndef OPENSSL_NO_KRB5
-/* enable workarround for openssl kerberos wrong malloc bug
- * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc &
- * friends)*/
-#define TLS_KSSL_WORKARROUND
-extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
-#endif
-
-
 typedef struct sr_tls_methods_s {
 const SSL_METHOD* TLSMethod;
 int TLSMethodMin;
diff --git a/src/modules/tls_wolfssl/tls_select.c b/src/modules/tls_wolfssl/tls_select.c
index ecf2d3ead9d..0cb2d59c36c 100644
--- a/src/modules/tls_wolfssl/tls_select.c
+++ b/src/modules/tls_wolfssl/tls_select.c
@@ -940,14 +940,14 @@ static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)
 
 res->s = buf;
 res->len = text_len;
- OPENSSL_free(text_s);
+ wolfSSL_OPENSSL_free(text_s);
 if (!local) X509_free(cert);
 tcpconn_put(c);
 return 0;
 
 err:
- if (text_s) OPENSSL_free(text_s);
- if (!local) X509_free(cert);
+ if (text_s) wolfSSL_OPENSSL_free(text_s);
+ if (!local) wolfSSL_X509_free(cert);
 tcpconn_put(c);
 return -1;
 }
@@ -1173,15 +1173,6 @@ static int sel_cert(str* res, select_t* s, struct sip_msg* msg)
 }
 
 
-#ifdef OPENSSL_NO_TLSEXT
-static int get_tlsext_sn(str* res, sip_msg_t* msg)
-{
- ERR("TLS extension 'server name' is not available! "
- "please install openssl with TLS extension support and recompile "
- "the server\n");
- return -1;
-}
-#else
 static int get_tlsext_sn(str* res, sip_msg_t* msg)
 {
 static char buf[1024];
@@ -1231,7 +1222,6 @@ static int get_tlsext_sn(str* res, sip_msg_t* msg)
 if (c) tcpconn_put(c);
 return -1;
 }
-#endif
 
 
 static int sel_tlsext_sn(str* res, select_t* s, sip_msg_t* msg)
diff --git a/src/modules/tls_wolfssl/tls_wolfssl_mod.c b/src/modules/tls_wolfssl/tls_wolfssl_mod.c
index 1b0a925770a..3f165b35371 100644
--- a/src/modules/tls_wolfssl/tls_wolfssl_mod.c
+++ b/src/modules/tls_wolfssl/tls_wolfssl_mod.c
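Review bot: The success path of get_comp() still frees the certificate with `if (!local) X509_free(cert);` while the error path a few lines below is changed to `wolfSSL_X509_free(cert)`; since the commit's purpose is to drop OpenSSL symbol names, leaving the compat name on one path and the native name on the other is inconsistent and is exactly the line that breaks first if the OpenSSL compatibility macros are ever turned off for this module. Change the success path to `if (!local) wolfSSL_X509_free(cert);` as well. get_comp() starts outside the hunk.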
@@ -376,7 +376,7 @@ static int mod_init(void)
 if (tls_check_sockets(*tls_domains_cfg) < 0)
 goto error;
 
- LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER));
+ LM_INFO("use wolfSSL version: %08x\n", (uint32_t)(LIBWOLFSSL_VERSION_HEX));
 #ifndef OPENSSL_NO_ECDH
 LM_INFO("With ECDH-Support!\n");
 #endif
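Review bot: The version line now reports `LIBWOLFSSL_VERSION_HEX`, but the line right after it still prints "With ECDH-Support!" under `#ifndef OPENSSL_NO_ECDH`, an OpenSSL configuration macro that a wolfSSL build is unlikely to define, so the message is effectively unconditional and says nothing about whether ECC was actually compiled into the library. wolfSSL's own build flag for ECC is `HAVE_ECC` (set in its options.h), so `#ifdef HAVE_ECC` would make the message truthful — verify the macro name against the wolfSSL build in use. mod_init() starts and ends outside the hunk.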