@@ -164,7 +164,7 @@ static int tls_bio_mbuf_free(BIO* b)

 		struct tls_bio_mbuf_data* d;

 		d = wolfSSL_BIO_get_data(b);

 		if (likely(d)) {

-			OPENSSL_free(d);

+			wolfSSL_OPENSSL_free(d);

 			wolfSSL_BIO_set_data(b, NULL);

 			wolfSSL_BIO_set_init(b, 0);

 		}

@@ -45,21 +45,8 @@

 #include "tls_verify.h"

 /*

- * ECDHE is enabled only on OpenSSL 1.0.0e and later.

- * See http://www.openssl.org/news/secadv_20110906.txt

- * for details.

- * Also, copied from _ssl.c of Python for correct initialization.

- * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use

- * prime256v1 by default.  This is Apache mod_ssl's initialization

- * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.

+ * needed for wolfSSL

  */

-

-#ifndef OPENSSL_NO_DH

-

-/*

- * not needed for OpenSSL 1.1.0+ and LibreSSL

- */

-#if !defined(SSL_CTX_set_dh_auto)

 static unsigned char dh3072_p[] = {

    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,

    0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,

@@ -97,7 +84,6 @@ static unsigned char dh3072_p[] = {

 };

 static unsigned char dh3072_g[] = { 0x02 };

-#endif

 static void setup_dh(WOLFSSL_CTX *ctx)

 {

@@ -105,7 +91,6 @@ static void setup_dh(WOLFSSL_CTX *ctx)

  * not needed for OpenSSL 1.1.0+ and LibreSSL

  * DH_new() is deprecated in OpenSSL 3

  */

-#if !defined(SSL_CTX_set_dh_auto)

 	DH *dh;

 	BIGNUM *p;

 	BIGNUM *g;

@@ -131,11 +116,7 @@ static void setup_dh(WOLFSSL_CTX *ctx)

    wolfSSL_CTX_set_tmp_dh(ctx, dh);

    DH_free(dh);

-#else

-   SSL_CTX_set_dh_auto(ctx, 1);

-#endif

 }

-#endif

 /**

@@ -677,9 +658,7 @@ static int set_cipher_list(tls_domain_t* d)

 					tls_domain_str(d), cipher_list);

 			return -1;

 		}

-#ifndef OPENSSL_NO_DH

                 setup_dh(d->ctx[i]);

-#endif

 	}

 	return 0;

 }

@@ -885,8 +864,6 @@ static int tls_ssl_ctx_set_read_ahead(WOLFSSL_CTX* ctx, long val, void* unused)

 }

-#ifndef OPENSSL_NO_TLSEXT

-

 /**

  * @brief SNI callback function

  *

@@ -948,7 +925,6 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)

 	LM_DBG("tls_server_name_cb return SSL_TLSEXT_ERR_OK");

 	return SSL_TLSEXT_ERR_OK;

 }

-#endif

 /**

@@ -1015,7 +991,6 @@ static int ksr_tls_fix_domain(tls_domain_t* d, tls_domain_t* def)

 		}

 #endif	      

-#ifndef OPENSSL_NO_TLSEXT

 		/*

 		* check server domains for server_name extension and register

 		* callback function

@@ -1037,17 +1012,14 @@ static int ksr_tls_fix_domain(tls_domain_t* d, tls_domain_t* def)

 				return -1;

 			}

 		}

-#endif

 	}

-#ifndef OPENSSL_NO_TLSEXT

 	if ((d->type & TLS_DOMAIN_SRV)

 			&& (d->server_name.len>0 || (d->type & TLS_DOMAIN_DEF))) {

 		LM_NOTICE("registered server_name callback handler for socket "

 			"[%s:%d], server_name='%s' ...\n", ip_addr2a(&d->ip), d->port,

 			(d->server_name.s)?d->server_name.s:"<default>");

 	}

-#endif

 	if (load_cert(d) < 0) return -1;

 	if (load_ca_list(d) < 0) return -1;

@@ -1192,21 +1164,12 @@ int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,

 	}

 	/* only in >= 1.0.0 */

-#ifndef OPENSSL_NO_BUF_FREELISTS

 	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_freelist,

 								ssl_freelist_max_len, 0) < 0) {

 		ERR("invalid ssl_freelist_max_len value (%d)\n",

 				ssl_freelist_max_len);

 		return -1;

 	}

-#endif

-

-#if defined (OPENSSL_NO_BUF_FREELISTS)

-	if (ssl_freelist_max_len >= 0)

-		ERR("cannot change openssl freelist_max_len, openssl too old"

-				"(needed at least 1.0.0) or compiled without freelist support"

-				" (OPENSSL_NO_BUF_FREELIST)\n");

-#endif

 	/* only in >= 0.9.9 */

 	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_max_send_fragment,

@@ -64,34 +64,8 @@

 static int tls_mod_preinitialized = 0;

 static int tls_mod_initialized = 0;

-

-/* replace openssl zlib compression with our version if necessary

- * (the openssl zlib compression uses the wrong malloc, see

- *  openssl #1468): 0.9.8-dev < version  <0.9.8e-beta1 */

-

-#ifdef TLS_KSSL_WORKARROUND

-#endif /* TLS_KSSL_WORKARROUND */

-

-/* openssl < 1. 0 */

-

-

-

-#ifndef OPENSSL_NO_COMP

 #define TLS_COMP_SUPPORT

-#else

-#undef TLS_COMP_SUPPORT

-#endif

-

-#ifndef OPENSSL_NO_KRB5

 #define TLS_KERBEROS_SUPPORT

-#else

-#undef TLS_KERBEROS_SUPPORT

-#endif

-

-

-#ifdef TLS_KSSL_WORKARROUND

-int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */

-#endif

 sr_tls_methods_t sr_tls_methods[TLS_METHOD_MAX];

@@ -491,6 +465,8 @@ int tls_h_mod_init_f(void)

 		low_mem_threshold2=256*1024*get_max_procs();

 	}else

 		low_mem_threshold2*=1024; /* KB */

+

+#if 0

 	if ((low_mem_threshold1==0) || (low_mem_threshold2==0))

 	 LM_WARN("tls: openssl bug #1491 (crash/mem leaks on low memory)"

 				" workaround disabled\n");

@@ -499,6 +475,7 @@ int tls_h_mod_init_f(void)

 				" workaround enabled (on low memory tls operations will fail"

 				" preemptively) with free memory thresholds %d and %d bytes\n",

 				low_mem_threshold1, low_mem_threshold2);

+#endif

 	if (shm_available()==(unsigned long)(-1)){

 		LM_WARN(NAME " is compiled without MALLOC_STATS support:"

@@ -579,5 +556,5 @@ void tls_h_mod_destroy_f(void)

 	/* explicit execution of libssl cleanup to avoid being executed again

 	 * by atexit(), when shm is gone */

 	LM_DBG("executing openssl v1.1+ cleanup\n");

-	OPENSSL_cleanup();

+	wolfSSL_Cleanup();

 }

@@ -32,16 +32,6 @@

 #include "../../core/ip_addr.h"

 #include "tls_domain.h"

-/* openssl < 1. 0 */

-#ifndef OPENSSL_NO_KRB5

-/* enable workarround for openssl kerberos wrong malloc bug

- * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc &

- * friends)*/

-#define TLS_KSSL_WORKARROUND

-extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */

-#endif

-

-

 typedef struct sr_tls_methods_s {

 	const SSL_METHOD* TLSMethod;

 	int TLSMethodMin;

@@ -940,14 +940,14 @@ static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)

 	res->s = buf;

 	res->len = text_len;

-	OPENSSL_free(text_s);

+	wolfSSL_OPENSSL_free(text_s);

 	if (!local) X509_free(cert);

 	tcpconn_put(c);

 	return 0;

  err:

-	if (text_s) OPENSSL_free(text_s);

-	if (!local) X509_free(cert);

+	if (text_s) wolfSSL_OPENSSL_free(text_s);

+	if (!local) wolfSSL_X509_free(cert);

 	tcpconn_put(c);

 	return -1;

 }

@@ -1173,15 +1173,6 @@ static int sel_cert(str* res, select_t* s, struct sip_msg* msg)

 }

-#ifdef OPENSSL_NO_TLSEXT

-static int get_tlsext_sn(str* res, sip_msg_t* msg)

-{

-	ERR("TLS extension 'server name' is not available! "

-		"please install openssl with TLS extension support and recompile "

-		"the server\n");

-	return -1;

-}

-#else

 static int get_tlsext_sn(str* res, sip_msg_t* msg)

 {

 	static char buf[1024];

@@ -1231,7 +1222,6 @@ error:

 	if (c) tcpconn_put(c);

 	return -1;

 }

-#endif

 static int sel_tlsext_sn(str* res, select_t* s, sip_msg_t* msg)

@@ -376,7 +376,7 @@ static int mod_init(void)

 	if (tls_check_sockets(*tls_domains_cfg) < 0)

 		goto error;

-	LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER));

+	LM_INFO("use wolfSSL version: %08x\n", (uint32_t)(LIBWOLFSSL_VERSION_HEX));

 #ifndef OPENSSL_NO_ECDH

 	LM_INFO("With ECDH-Support!\n");

 #endif