
tls_wolfssl: Miscellaneous cleanup

Cleanup of OpenSSL symbols and OpenSSL-related memory warnings.

S-P Chan authored on 16/06/2022 06:42:00
Showing 6 changed files
... ...
@@ -164,7 +164,7 @@ static int tls_bio_mbuf_free(BIO* b)
164 164
 		struct tls_bio_mbuf_data* d;
165 165
 		d = wolfSSL_BIO_get_data(b);
166 166
 		if (likely(d)) {
167
-			OPENSSL_free(d);
167
+			wolfSSL_OPENSSL_free(d);
168 168
 			wolfSSL_BIO_set_data(b, NULL);
169 169
 			wolfSSL_BIO_set_init(b, 0);
170 170
 		}
... ...
@@ -45,21 +45,8 @@
45 45
 #include "tls_verify.h"
46 46
 
47 47
 /*
48
- * ECDHE is enabled only on OpenSSL 1.0.0e and later.
49
- * See http://www.openssl.org/news/secadv_20110906.txt
50
- * for details.
51
- * Also, copied from _ssl.c of Python for correct initialization.
52
- * Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
53
- * prime256v1 by default.  This is Apache mod_ssl's initialization
54
- * policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
48
+ * needed for wolfSSL
55 49
  */
56
-
57
-#ifndef OPENSSL_NO_DH
58
-
59
-/*
60
- * not needed for OpenSSL 1.1.0+ and LibreSSL
61
- */
62
-#if !defined(SSL_CTX_set_dh_auto)
63 50
 static unsigned char dh3072_p[] = {
64 51
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
65 52
    0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
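Review bot: The replacement header comment `* needed for wolfSSL` on the dh3072_p table no longer says what the bytes are or why they are kept, whereas the OpenSSL text it removes at least recorded the rationale. Suggest wording it as `/* Static DH group (dh3072_p, generator dh3072_g) installed by setup_dh() via wolfSSL_CTX_set_tmp_dh(); kept because the SSL_CTX_set_dh_auto path was removed */`. The comment block opens above this hunk and the parameter array continues below it.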
... ...
@@ -97,7 +84,6 @@ static unsigned char dh3072_p[] = {
97 84
 };
98 85
 
99 86
 static unsigned char dh3072_g[] = { 0x02 };
100
-#endif
101 87
 
102 88
 static void setup_dh(WOLFSSL_CTX *ctx)
103 89
 {
... ...
@@ -105,7 +91,6 @@ static void setup_dh(WOLFSSL_CTX *ctx)
105 91
  * not needed for OpenSSL 1.1.0+ and LibreSSL
106 92
  * DH_new() is deprecated in OpenSSL 3
107 93
  */
108
-#if !defined(SSL_CTX_set_dh_auto)
109 94
 	DH *dh;
110 95
 	BIGNUM *p;
111 96
 	BIGNUM *g;
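Review bot: The comment that this hunk keeps at the top of setup_dh, `not needed for OpenSSL 1.1.0+ and LibreSSL` / `DH_new() is deprecated in OpenSSL 3`, was describing the `#if !defined(SSL_CTX_set_dh_auto)` guard that the hunk deletes, so it now explains a condition that no longer exists. Replace it with something that describes the remaining code, e.g. `/* wolfSSL: build a DH object from dh3072_p/dh3072_g and hand it to the context as its temporary DH parameters */`. The comment block begins above the hunk and setup_dh continues past its last line.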
... ...
@@ -131,11 +116,7 @@ static void setup_dh(WOLFSSL_CTX *ctx)
131 116
    wolfSSL_CTX_set_tmp_dh(ctx, dh);
132 117
 
133 118
    DH_free(dh);
134
-#else
135
-   SSL_CTX_set_dh_auto(ctx, 1);
136
-#endif
137 119
 }
138
-#endif
139 120
 
140 121
 
141 122
 /**
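Review bot: `DH_free(dh);` at the end of setup_dh keeps the unprefixed OpenSSL name while the adjacent `wolfSSL_CTX_set_tmp_dh(ctx, dh);` already uses the wolfSSL form, which is at odds with the commit's stated purpose of cleaning up OpenSSL symbols; the same mix appears in get_comp later in this commit, where the error path was changed to `wolfSSL_X509_free(cert)` but the success path still reads `if (!local) X509_free(cert);`. Both compile through the compatibility layer, so this is consistency rather than correctness, but it makes it hard to grep for what still depends on the OpenSSL names. Suggest `wolfSSL_DH_free(dh);` here and `if (!local) wolfSSL_X509_free(cert);` on get_comp's success path.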
... ...
@@ -677,9 +658,7 @@ static int set_cipher_list(tls_domain_t* d)
677 658
 					tls_domain_str(d), cipher_list);
678 659
 			return -1;
679 660
 		}
680
-#ifndef OPENSSL_NO_DH
681 661
                 setup_dh(d->ctx[i]);
682
-#endif
683 662
 	}
684 663
 	return 0;
685 664
 }
... ...
@@ -885,8 +864,6 @@ static int tls_ssl_ctx_set_read_ahead(WOLFSSL_CTX* ctx, long val, void* unused)
885 864
 }
886 865
 
887 866
 
888
-#ifndef OPENSSL_NO_TLSEXT
889
-
890 867
 /**
891 868
  * @brief SNI callback function
892 869
  *
... ...
@@ -948,7 +925,6 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)
948 925
 	LM_DBG("tls_server_name_cb return SSL_TLSEXT_ERR_OK");
949 926
 	return SSL_TLSEXT_ERR_OK;
950 927
 }
951
-#endif
952 928
 
953 929
 
954 930
 /**
... ...
@@ -1015,7 +991,6 @@ static int ksr_tls_fix_domain(tls_domain_t* d, tls_domain_t* def)
1015 991
 		}
1016 992
 #endif	      
1017 993
 
1018
-#ifndef OPENSSL_NO_TLSEXT
1019 994
 		/*
1020 995
 		* check server domains for server_name extension and register
1021 996
 		* callback function
... ...
@@ -1037,17 +1012,14 @@ static int ksr_tls_fix_domain(tls_domain_t* d, tls_domain_t* def)
1037 1012
 				return -1;
1038 1013
 			}
1039 1014
 		}
1040
-#endif
1041 1015
 	}
1042 1016
 
1043
-#ifndef OPENSSL_NO_TLSEXT
1044 1017
 	if ((d->type & TLS_DOMAIN_SRV)
1045 1018
 			&& (d->server_name.len>0 || (d->type & TLS_DOMAIN_DEF))) {
1046 1019
 		LM_NOTICE("registered server_name callback handler for socket "
1047 1020
 			"[%s:%d], server_name='%s' ...\n", ip_addr2a(&d->ip), d->port,
1048 1021
 			(d->server_name.s)?d->server_name.s:"<default>");
1049 1022
 	}
1050
-#endif
1051 1023
 
1052 1024
 	if (load_cert(d) < 0) return -1;
1053 1025
 	if (load_ca_list(d) < 0) return -1;
... ...
@@ -1192,21 +1164,12 @@ int tls_fix_domains_cfg(tls_domains_cfg_t* cfg, tls_domain_t* srv_defaults,
1192 1164
 	}
1193 1165
 	/* only in >= 1.0.0 */
1194 1166
 
1195
-#ifndef OPENSSL_NO_BUF_FREELISTS
1196 1167
 	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_freelist,
1197 1168
 								ssl_freelist_max_len, 0) < 0) {
1198 1169
 		ERR("invalid ssl_freelist_max_len value (%d)\n",
1199 1170
 				ssl_freelist_max_len);
1200 1171
 		return -1;
1201 1172
 	}
1202
-#endif
1203
-
1204
-#if defined (OPENSSL_NO_BUF_FREELISTS)
1205
-	if (ssl_freelist_max_len >= 0)
1206
-		ERR("cannot change openssl freelist_max_len, openssl too old"
1207
-				"(needed at least 1.0.0) or compiled without freelist support"
1208
-				" (OPENSSL_NO_BUF_FREELIST)\n");
1209
-#endif
1210 1173
 
1211 1174
 	/* only in >= 0.9.9 */
1212 1175
 	if (tls_foreach_CTX_in_cfg(cfg, tls_ssl_ctx_set_max_send_fragment,
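Review bot: With the `#ifndef OPENSSL_NO_BUF_FREELISTS` guard removed, tls_ssl_ctx_set_freelist is now applied to every context whatever ssl_freelist_max_len is, and the `/* only in >= 1.0.0 */` comment above it refers to an OpenSSL version range that means nothing for a wolfSSL build. The deleted `#else` branch used to tell the operator that the knob is unsupported; that feedback is gone with no replacement. If the wolfSSL variant of tls_ssl_ctx_set_freelist (not visible in this diff) simply ignores the value, say so where the call is made, e.g. `/* ssl_freelist_max_len is an OpenSSL-only tunable; no effect under wolfSSL */`, otherwise keep the old error for ssl_freelist_max_len >= 0. tls_fix_domains_cfg starts and ends outside this hunk.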
... ...
@@ -64,34 +64,8 @@
64 64
 static int tls_mod_preinitialized = 0;
65 65
 static int tls_mod_initialized = 0;
66 66
 
67
-
68
-/* replace openssl zlib compression with our version if necessary
69
- * (the openssl zlib compression uses the wrong malloc, see
70
- *  openssl #1468): 0.9.8-dev < version  <0.9.8e-beta1 */
71
-
72
-#ifdef TLS_KSSL_WORKARROUND
73
-#endif /* TLS_KSSL_WORKARROUND */
74
-
75
-/* openssl < 1. 0 */
76
-
77
-
78
-
79
-#ifndef OPENSSL_NO_COMP
80 67
 #define TLS_COMP_SUPPORT
81
-#else
82
-#undef TLS_COMP_SUPPORT
83
-#endif
84
-
85
-#ifndef OPENSSL_NO_KRB5
86 68
 #define TLS_KERBEROS_SUPPORT
87
-#else
88
-#undef TLS_KERBEROS_SUPPORT
89
-#endif
90
-
91
-
92
-#ifdef TLS_KSSL_WORKARROUND
93
-int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
94
-#endif
95 69
 
96 70
 sr_tls_methods_t sr_tls_methods[TLS_METHOD_MAX];
97 71
 
... ...
@@ -491,6 +465,8 @@ int tls_h_mod_init_f(void)
491 465
 		low_mem_threshold2=256*1024*get_max_procs();
492 466
 	}else
493 467
 		low_mem_threshold2*=1024; /* KB */
468
+
469
+#if 0
494 470
 	if ((low_mem_threshold1==0) || (low_mem_threshold2==0))
495 471
 	 LM_WARN("tls: openssl bug #1491 (crash/mem leaks on low memory)"
496 472
 				" workaround disabled\n");
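Review bot: The low-memory workaround notice is disabled with a bare `#if 0` (closed by the `#endif` added in the next hunk) instead of being deleted or explained, which leaves dead code whose status a later reader has to guess at. The low_mem_threshold1/low_mem_threshold2 computation just above is still live, so only the operator-facing message disappears. Either remove the block outright or put the reason on the guard, e.g. `#if 0 /* OpenSSL bug #1491 low-memory notice; not applicable to wolfSSL */`. tls_h_mod_init_f begins and ends outside this hunk.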
... ...
@@ -499,6 +475,7 @@ int tls_h_mod_init_f(void)
499 475
 				" workaround enabled (on low memory tls operations will fail"
500 476
 				" preemptively) with free memory thresholds %d and %d bytes\n",
501 477
 				low_mem_threshold1, low_mem_threshold2);
478
+#endif
502 479
 
503 480
 	if (shm_available()==(unsigned long)(-1)){
504 481
 		LM_WARN(NAME " is compiled without MALLOC_STATS support:"
... ...
@@ -579,5 +556,5 @@ void tls_h_mod_destroy_f(void)
579 556
 	/* explicit execution of libssl cleanup to avoid being executed again
580 557
 	 * by atexit(), when shm is gone */
581 558
 	LM_DBG("executing openssl v1.1+ cleanup\n");
582
-	OPENSSL_cleanup();
559
+	wolfSSL_Cleanup();
583 560
 }
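Review bot: The debug line and comment directly above the new `wolfSSL_Cleanup();` call still say `executing openssl v1.1+ cleanup` and `libssl cleanup`, so the shutdown log now misreports which library is being torn down. Change the string to `LM_DBG("executing wolfSSL cleanup\n");` and reword the comment to name wolfSSL. wolfSSL_Cleanup() also returns a status value that is discarded here, unlike the void OPENSSL_cleanup() it replaces; logging a non-success return at debug level would make teardown problems visible.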
... ...
@@ -32,16 +32,6 @@
32 32
 #include "../../core/ip_addr.h"
33 33
 #include "tls_domain.h"
34 34
 
35
-/* openssl < 1. 0 */
36
-#ifndef OPENSSL_NO_KRB5
37
-/* enable workarround for openssl kerberos wrong malloc bug
38
- * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc &
39
- * friends)*/
40
-#define TLS_KSSL_WORKARROUND
41
-extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
42
-#endif
43
-
44
-
45 35
 typedef struct sr_tls_methods_s {
46 36
 	const SSL_METHOD* TLSMethod;
47 37
 	int TLSMethodMin;
... ...
@@ -940,14 +940,14 @@ static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg)
940 940
 	res->s = buf;
941 941
 	res->len = text_len;
942 942
 
943
-	OPENSSL_free(text_s);
943
+	wolfSSL_OPENSSL_free(text_s);
944 944
 	if (!local) X509_free(cert);
945 945
 	tcpconn_put(c);
946 946
 	return 0;
947 947
 
948 948
  err:
949
-	if (text_s) OPENSSL_free(text_s);
950
-	if (!local) X509_free(cert);
949
+	if (text_s) wolfSSL_OPENSSL_free(text_s);
950
+	if (!local) wolfSSL_X509_free(cert);
951 951
 	tcpconn_put(c);
952 952
 	return -1;
953 953
 }
... ...
@@ -1173,15 +1173,6 @@ static int sel_cert(str* res, select_t* s, struct sip_msg* msg)
1173 1173
 }
1174 1174
 
1175 1175
 
1176
-#ifdef OPENSSL_NO_TLSEXT
1177
-static int get_tlsext_sn(str* res, sip_msg_t* msg)
1178
-{
1179
-	ERR("TLS extension 'server name' is not available! "
1180
-		"please install openssl with TLS extension support and recompile "
1181
-		"the server\n");
1182
-	return -1;
1183
-}
1184
-#else
1185 1176
 static int get_tlsext_sn(str* res, sip_msg_t* msg)
1186 1177
 {
1187 1178
 	static char buf[1024];
... ...
@@ -1231,7 +1222,6 @@ error:
1231 1222
 	if (c) tcpconn_put(c);
1232 1223
 	return -1;
1233 1224
 }
1234
-#endif
1235 1225
 
1236 1226
 
1237 1227
 static int sel_tlsext_sn(str* res, select_t* s, sip_msg_t* msg)
... ...
@@ -376,7 +376,7 @@ static int mod_init(void)
376 376
 	if (tls_check_sockets(*tls_domains_cfg) < 0)
377 377
 		goto error;
378 378
 
379
-	LM_INFO("use OpenSSL version: %08x\n", (uint32_t)(OPENSSL_VERSION_NUMBER));
379
+	LM_INFO("use wolfSSL version: %08x\n", (uint32_t)(LIBWOLFSSL_VERSION_HEX));
380 380
 #ifndef OPENSSL_NO_ECDH
381 381
 	LM_INFO("With ECDH-Support!\n");
382 382
 #endif
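Review bot: The version banner now prints LIBWOLFSSL_VERSION_HEX, but the `#ifndef OPENSSL_NO_ECDH` test immediately below still decides whether "With ECDH-Support!" is logged, so the message reflects an OpenSSL configuration macro rather than the wolfSSL build's actual ECDH support. Since OPENSSL_NO_ECDH is presumably never defined when building against wolfSSL, the notice becomes unconditional and can be misleading on a build without ECC. Either drop the guard or test a wolfSSL build option such as `HAVE_ECC` instead, confirming which symbol the compatibility layer exposes. mod_init continues outside this hunk.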