tls_wolfssl: clean-up; remove OpenSSL-isms

src/modules/tls_wolfssl/tls_cfg.c

@@ -60,8 +60,6 @@ struct cfg_group_tls default_tls_cfg = {
 		-1, /* ssl_max_send_fragment (use the default: 16k), requires openssl
 		   > 0.9.9 */
 		0,	/* ssl_read_ahead (off, not needed, we have our own buffering BIO)*/
-		-1, /* low_mem_threshold1 */
-		-1, /* low_mem_threshold2 */
 		10 * 1024 * 1024, /* ct_wq_max: 10 Mb by default */
 		64 * 1024,		  /* con_ct_wq_max: 64Kb by default */
 		4096,			  /* ct_wq_blk_size */
@@ -200,12 +198,6 @@ cfg_def_t tls_cfg_def[] = {{"force_run", CFG_VAR_INT | CFG_READONLY, 0, 1, 0, 0,
 				" module versions it is better to have read ahead disabled, "
 				"since"
 				" everything it is buffered in memory anyway"},
-		{"low_mem_threshold1", CFG_VAR_INT | CFG_ATOMIC, -1, 1 << 30, 0, 0,
-				"sets the minimum amount of free memory for accepting new TLS"
-				" connections (KB)"},
-		{"low_mem_threshold2", CFG_VAR_INT | CFG_ATOMIC, -1, 1 << 30, 0, 0,
-				"sets the minimum amount of free memory after which no more TLS"
-				" operations will be attempted (even on existing connections)"},
 		{"ct_wq_max", CFG_VAR_INT | CFG_ATOMIC, 0, 1 << 30, 0, 0,
 				"maximum bytes queued globally for write when write has to "
 				"wait due"

src/modules/tls_wolfssl/tls_cfg.h

@@ -90,8 +90,6 @@ struct cfg_group_tls
 	 * now)
 	 */
 	int ssl_read_ahead;
-	int low_mem_threshold1;
-	int low_mem_threshold2;
 	int ct_wq_max;		/* maximum overall tls write clear text queued bytes */
 	int con_ct_wq_max;	/* maximum clear text write queued bytes per con */
 	int ct_wq_blk_size; /* minimum block size for the clear text write queue */

src/modules/tls_wolfssl/tls_domain.c

@@ -598,8 +598,8 @@ static int load_crl(tls_domain_t *d)
 			return -1;
 		}
 		store = wolfSSL_CTX_get_cert_store(d->ctx[0]);
-		X509_STORE_set_flags(
-				store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+		wolfSSL_X509_STORE_set_flags(
+				store, WOLFSSL_CRL_CHECK | WOLFSSL_CRL_CHECKALL);
 	}while(0);
 	return 0;
 }
@@ -621,27 +621,6 @@ static int set_cipher_list(tls_domain_t *d)
 	char *cipher_list;
 
 	cipher_list = d->cipher_list.s;
-#ifdef TLS_KSSL_WORKAROUND
-	if(openssl_kssl_malloc_bug) { /* is openssl bug #1467 present ? */
-		if(d->cipher_list.s == 0) {
-			/* use "DEFAULT:!KRB5" */
-			cipher_list = "DEFAULT:!KRB5";
-		} else {
-			/* append ":!KRB5" */
-			cipher_list =
-					shm_malloc(d->cipher_list.len + C_NO_KRB5_SUFFIX_LEN + 1);
-			if(cipher_list) {
-				memcpy(cipher_list, d->cipher_list.s, d->cipher_list.len);
-				memcpy(cipher_list + d->cipher_list.len, C_NO_KRB5_SUFFIX,
-						C_NO_KRB5_SUFFIX_LEN);
-				cipher_list[d->cipher_list.len + C_NO_KRB5_SUFFIX_LEN] = 0;
-				shm_free(d->cipher_list.s);
-				d->cipher_list.s = cipher_list;
-				d->cipher_list.len += C_NO_KRB5_SUFFIX_LEN;
-			}
-		}
-	}
-#endif /* TLS_KSSL_WORKAROUND */
 	if(!cipher_list)
 		return 0;
 
@@ -749,9 +728,9 @@ static int set_ssl_options(tls_domain_t *d)
 {
 	long options;
 
-	options = SSL_OP_ALL; /* all the bug workarounds by default */
-	options |= SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-			   | SSL_OP_CIPHER_SERVER_PREFERENCE;
+	options = WOLFSSL_OP_ALL; /* all the bug workarounds by default */
+	options |= WOLFSSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+			   | WOLFSSL_OP_CIPHER_SERVER_PREFERENCE;
 
 	do {
 		wolfSSL_CTX_set_options(d->ctx[0], options);
@@ -778,8 +757,8 @@ static int set_session_cache(tls_domain_t *d)
 		 * thus sessions among processes will not be reused
 		 */
 		wolfSSL_CTX_set_session_cache_mode(d->ctx[0],
-				cfg_get(tls, tls_cfg, session_cache) ? SSL_SESS_CACHE_SERVER
-													 : SSL_SESS_CACHE_OFF);
+				cfg_get(tls, tls_cfg, session_cache) ? WOLFSSL_SESS_CACHE_SERVER
+													 : WOLFSSL_SESS_CACHE_OFF);
 		/* not really needed is SSL_SESS_CACHE_OFF */
 		wolfSSL_CTX_set_session_id_context(d->ctx[0],
 				(unsigned char *)tls_session_id.s, tls_session_id.len);
@@ -815,6 +794,7 @@ static int tls_ssl_ctx_mode(WOLFSSL_CTX *ctx, long mode, void *clear)
  */
 static int tls_ssl_ctx_set_freelist(WOLFSSL_CTX *ctx, long val, void *unused)
 {
+	/* NOOP */
 	return 0;
 }
 
@@ -828,10 +808,7 @@ static int tls_ssl_ctx_set_freelist(WOLFSSL_CTX *ctx, long val, void *unused)
 static int tls_ssl_ctx_set_max_send_fragment(
 		WOLFSSL_CTX *ctx, long val, void *unused)
 {
-	/* WOLFFIX if (val >= 0)
-		return SSL_CTX_set_max_send_fragment(ctx, val) -1;
-	*/
-
+	/* NOOP */
 	return 0;
 }
 
@@ -863,7 +840,7 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)
 
 	orig_domain = (tls_domain_t *)private;
 	server_name.s =
-			(char *)wolfSSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+			(char *)wolfSSL_get_servername(ssl, WOLFSSL_SNI_HOST_NAME);
 	if(server_name.s) {
 		LM_DBG("received server_name (TLS extension): '%s'\n", server_name.s);
 	} else {

src/modules/tls_wolfssl/tls_dump_vf.c

@@ -1,170 +0,0 @@
-/*
- * TLS module
- *
- * Copyright (C) 2006 enum.at
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- * Exception: permission to copy, modify, propagate, and distribute a work
- * formed by combining OpenSSL toolkit software and the code in this file,
- * such as linking with software components and libraries released under
- * OpenSSL project license.
- */
-
-/** log the verification failure reason.
- * @file tls_dump_vf.c
- * @ingroup: tls
- * Module: @ref tls
- */
-
-#include "tls_dump_vf.h"
-
-#include <wolfssl/options.h>
-#include <wolfssl/ssl.h>
-#include "../../core/dprint.h"
-#include "tls_wolfssl_mod.h"
-#include "tls_cfg.h"
-
-/** log the verification failure reason.
- */
-void tls_dump_verification_failure(long verification_result)
-{
-	int tls_log;
-
-	tls_log = cfg_get(tls, tls_cfg, log);
-	switch(verification_result) {
-		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-			LOG(tls_log,
-					"verification failure: unable to get issuer certificate\n");
-			break;
-		case X509_V_ERR_UNABLE_TO_GET_CRL:
-			LOG(tls_log,
-					"verification failure: unable to get certificate CRL\n");
-			break;
-		case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
-			LOG(tls_log, "verification failure: unable to decrypt "
-						 "certificate's signature\n");
-			break;
-		case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
-			LOG(tls_log, "verification failure: unable to decrypt CRL's "
-						 "signature\n");
-			break;
-		case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
-			LOG(tls_log, "verification failure: unable to decode issuer public "
-						 "key\n");
-			break;
-		case X509_V_ERR_CERT_SIGNATURE_FAILURE:
-			LOG(tls_log,
-					"verification failure: certificate signature failure\n");
-			break;
-		case X509_V_ERR_CRL_SIGNATURE_FAILURE:
-			LOG(tls_log, "verification failure: CRL signature failure\n");
-			break;
-		case X509_V_ERR_CERT_NOT_YET_VALID:
-			LOG(tls_log,
-					"verification failure: certificate is not yet valid\n");
-			break;
-		case X509_V_ERR_CERT_HAS_EXPIRED:
-			LOG(tls_log, "verification failure: certificate has expired\n");
-			break;
-		case X509_V_ERR_CRL_NOT_YET_VALID:
-			LOG(tls_log, "verification failure: CRL is not yet valid\n");
-			break;
-		case X509_V_ERR_CRL_HAS_EXPIRED:
-			LOG(tls_log, "verification failure: CRL has expired\n");
-			break;
-		case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-			LOG(tls_log, "verification failure: format error in certificate's "
-						 "notBefore field\n");
-			break;
-		case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-			LOG(tls_log, "verification failure: format error in certificate's "
-						 "notAfter field\n");
-			break;
-		case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
-			LOG(tls_log, "verification failure: format error in CRL's "
-						 "lastUpdate field\n");
-			break;
-		case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
-			LOG(tls_log, "verification failure: format error in CRL's "
-						 "nextUpdate field\n");
-			break;
-		case X509_V_ERR_OUT_OF_MEM:
-			LOG(tls_log, "verification failure: out of memory\n");
-			break;
-		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-			LOG(tls_log, "verification failure: self signed certificate\n");
-			break;
-		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
-			LOG(tls_log, "verification failure: self signed certificate in "
-						 "certificate chain\n");
-			break;
-		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-			LOG(tls_log, "verification failure: unable to get local issuer "
-						 "certificate\n");
-			break;
-		case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-			LOG(tls_log, "verification failure: unable to verify the first "
-						 "certificate\n");
-			break;
-		case X509_V_ERR_CERT_CHAIN_TOO_LONG:
-			LOG(tls_log, "verification failure: certificate chain too long\n");
-			break;
-		case X509_V_ERR_CERT_REVOKED:
-			LOG(tls_log, "verification failure: certificate revoked\n");
-			break;
-		case X509_V_ERR_INVALID_CA:
-			LOG(tls_log, "verification failure: invalid CA certificate\n");
-			break;
-		case X509_V_ERR_PATH_LENGTH_EXCEEDED:
-			LOG(tls_log,
-					"verification failure: path length constraint exceeded\n");
-			break;
-		case X509_V_ERR_INVALID_PURPOSE:
-			LOG(tls_log,
-					"verification failure: unsupported certificate purpose\n");
-			break;
-		case X509_V_ERR_CERT_UNTRUSTED:
-			LOG(tls_log, "verification failure: certificate not trusted\n");
-			break;
-		case X509_V_ERR_CERT_REJECTED:
-			LOG(tls_log, "verification failure: certificate rejected\n");
-			break;
-		case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
-			LOG(tls_log, "verification failure: subject issuer mismatch\n");
-			break;
-		case X509_V_ERR_AKID_SKID_MISMATCH:
-			LOG(tls_log, "verification failure: authority and subject key "
-						 "identifier mismatch\n");
-			break;
-		case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
-			LOG(tls_log, "verification failure: authority and issuer serial "
-						 "number mismatch\n");
-			break;
-		case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
-			LOG(tls_log, "verification failure: key usage does not include "
-						 "certificate signing\n");
-			break;
-		case X509_V_ERR_APPLICATION_VERIFICATION:
-			LOG(tls_log,
-					"verification failure: application verification failure\n");
-			break;
-	}
-}
-
-
-/* vi: set ts=4 sw=4 tw=79:ai:cindent: */

src/modules/tls_wolfssl/tls_dump_vf.h

@@ -1,41 +0,0 @@
-/*
- * TLS module
- *
- * Copyright (C) 2006 enum.at
- *
- * This file is part of Kamailio, a free SIP server.
- *
- * Kamailio is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version
- *
- * Kamailio is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- * Exception: permission to copy, modify, propagate, and distribute a work
- * formed by combining OpenSSL toolkit software and the code in this file,
- * such as linking with software components and libraries released under
- * OpenSSL project license.
- */
-/** log the verification failure reason.
- * @file tls_dump_vf.h
- * @ingroup: tls
- * Module: @ref tls
- */
-
-#ifndef __tls_dump_vf_h
-#define __tls_dump_vf_h
-
-
-void tls_dump_verification_failure(long verification_result);
-
-#endif /*__tls_dump_vf_h*/
-
-/* vi: set ts=4 sw=4 tw=79:ai:cindent: */

src/modules/tls_wolfssl/tls_init.c

@@ -318,73 +318,61 @@ static void init_ssl_methods(void)
 	memset(sr_tls_methods, 0, sizeof(sr_tls_methods));
 
 	/* any SSL/TLS version */
-	sr_tls_methods[TLS_USE_SSLv23_cli - 1].TLSMethod = TLS_client_method();
-	sr_tls_methods[TLS_USE_SSLv23_srv - 1].TLSMethod = TLS_server_method();
-	sr_tls_methods[TLS_USE_SSLv23 - 1].TLSMethod = TLS_method();
-
-#ifndef OPENSSL_NO_SSL3_METHOD
-	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethod = TLS_client_method();
-	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethodMin = SSL3_VERSION;
-	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethodMax = SSL3_VERSION;
-	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethod = TLS_server_method();
-	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethodMin = SSL3_VERSION;
-	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethodMax = SSL3_VERSION;
-	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethod = TLS_method();
-	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethodMin = SSL3_VERSION;
-	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethodMax = SSL3_VERSION;
-#endif
+	sr_tls_methods[TLS_USE_SSLv23_cli - 1].TLSMethod = wolfTLS_client_method();
+	sr_tls_methods[TLS_USE_SSLv23_srv - 1].TLSMethod = wolfTLS_server_method();
+	sr_tls_methods[TLS_USE_SSLv23 - 1].TLSMethod = wolfSSLv23_method();
 
-	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethod = wolfTLS_client_method();
 	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethodMin = TLS1_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethodMax = TLS1_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethod = wolfTLS_server_method();
 	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethodMin = TLS1_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethodMax = TLS1_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethodMin = TLS1_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethodMax = TLS1_VERSION;
 
-	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethod = wolfTLS_client_method();
 	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethodMin = TLS1_1_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethodMax = TLS1_1_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethod = wolfTLS_server_method();
 	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethodMin = TLS1_1_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethodMax = TLS1_1_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethodMin = TLS1_1_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethodMax = TLS1_1_VERSION;
 
-	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethod = wolfTLS_client_method();
 	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethodMin = TLS1_2_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethodMax = TLS1_2_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethod = wolfTLS_server_method();
 	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethodMin = TLS1_2_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethodMax = TLS1_2_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMin = TLS1_2_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMax = TLS1_2_VERSION;
 
-	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethod = TLS_client_method();
+	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethod = wolfTLS_client_method();
 	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethodMin = TLS1_3_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_3_cli - 1].TLSMethodMax = TLS1_3_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethod = TLS_server_method();
+	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethod = wolfTLS_server_method();
 	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethodMin = TLS1_3_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_3_srv - 1].TLSMethodMax = TLS1_3_VERSION;
-	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethodMin = TLS1_3_VERSION;
 	sr_tls_methods[TLS_USE_TLSv1_3 - 1].TLSMethodMax = TLS1_3_VERSION;
 
 	/* ranges of TLS versions (require a minimum TLS version) */
-	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethodMin = TLS1_VERSION;
 
-	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethodMin = TLS1_1_VERSION;
 
-	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethodMin = TLS1_2_VERSION;
 
-	sr_tls_methods[TLS_USE_TLSv1_3_PLUS - 1].TLSMethod = TLS_method();
+	sr_tls_methods[TLS_USE_TLSv1_3_PLUS - 1].TLSMethod = wolfSSLv23_method();
 	sr_tls_methods[TLS_USE_TLSv1_3_PLUS - 1].TLSMethodMin = TLS1_3_VERSION;
 }
 

src/modules/tls_wolfssl/tls_init.h

@@ -32,7 +32,7 @@
 
 typedef struct sr_tls_methods_s
 {
-	const SSL_METHOD *TLSMethod;
+	const WOLFSSL_METHOD *TLSMethod;
 	int TLSMethodMin;
 	int TLSMethodMax;
 } sr_tls_methods_t;

src/modules/tls_wolfssl/tls_map.c

@@ -1,213 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "../../core/mem/mem.h"
-#include "tls_map.h"
-
-struct map_node_t
-{
-	unsigned hash;
-	void *value;
-	map_node_t *next;
-	/* char key[]; */
-	/* char value[]; */
-};
-
-
-static unsigned map_hash(const char *str)
-{
-	unsigned hash = 5381;
-	while(*str) {
-		hash = ((hash << 5) + hash) ^ *str++;
-	}
-	return hash;
-}
-
-
-static map_node_t *map_newnode(const char *key, void *value, int vsize)
-{
-	map_node_t *node;
-	int ksize = strlen(key) + 1;
-	int voffset = ksize + ((sizeof(void *) - ksize) % sizeof(void *));
-	node = pkg_malloc(sizeof(*node) + voffset + vsize);
-	if(!node)
-		return NULL;
-	memcpy(node + 1, key, ksize);
-	node->hash = map_hash(key);
-	node->value = ((char *)(node + 1)) + voffset;
-	memcpy(node->value, value, vsize);
-	return node;
-}
-
-
-static int map_bucketidx(map_base_t *m, unsigned hash)
-{
-	/* If the implementation is changed to allow a non-power-of-2 bucket count,
-   * the line below should be changed to use mod instead of AND */
-	return hash & (m->nbuckets - 1);
-}
-
-
-static void map_addnode(map_base_t *m, map_node_t *node)
-{
-	int n = map_bucketidx(m, node->hash);
-	node->next = m->buckets[n];
-	m->buckets[n] = node;
-}
-
-
-static int map_resize(map_base_t *m, int nbuckets)
-{
-	map_node_t *nodes, *node, *next;
-	map_node_t **buckets;
-	int i;
-	/* Chain all nodes together */
-	nodes = NULL;
-	i = m->nbuckets;
-	while(i--) {
-		node = (m->buckets)[i];
-		while(node) {
-			next = node->next;
-			node->next = nodes;
-			nodes = node;
-			node = next;
-		}
-	}
-	/* Reset buckets */
-	buckets = realloc(m->buckets, sizeof(*m->buckets) * nbuckets);
-	if(buckets != NULL) {
-		m->buckets = buckets;
-		m->nbuckets = nbuckets;
-	}
-	if(m->buckets) {
-		memset(m->buckets, 0, sizeof(*m->buckets) * m->nbuckets);
-		/* Re-add nodes to buckets */
-		node = nodes;
-		while(node) {
-			next = node->next;
-			map_addnode(m, node);
-			node = next;
-		}
-	}
-	/* Return error code if realloc() failed */
-	return (buckets == NULL) ? -1 : 0;
-}
-
-
-static map_node_t **map_getref(map_base_t *m, const char *key)
-{
-	unsigned hash = map_hash(key);
-	map_node_t **next;
-	if(m->nbuckets > 0) {
-		next = &m->buckets[map_bucketidx(m, hash)];
-		while(*next) {
-			if((*next)->hash == hash && !strcmp((char *)(*next + 1), key)) {
-				return next;
-			}
-			next = &(*next)->next;
-		}
-	}
-	return NULL;
-}
-
-
-void map_deinit_(map_base_t *m)
-{
-	map_node_t *next, *node;
-	int i;
-	i = m->nbuckets;
-	while(i--) {
-		node = m->buckets[i];
-		while(node) {
-			next = node->next;
-			pkg_free(node);
-			node = next;
-		}
-	}
-	pkg_free(m->buckets);
-}
-
-
-void *map_get_(map_base_t *m, const char *key)
-{
-	map_node_t **next = map_getref(m, key);
-	return next ? (*next)->value : NULL;
-}
-
-
-int map_set_(map_base_t *m, const char *key, void *value, int vsize)
-{
-	int n, err;
-	map_node_t **next, *node;
-	/* Find & replace existing node */
-	next = map_getref(m, key);
-	if(next) {
-		memcpy((*next)->value, value, vsize);
-		return 0;
-	}
-	/* Add new node */
-	node = map_newnode(key, value, vsize);
-	if(node == NULL)
-		goto fail;
-	if(m->nnodes >= m->nbuckets) {
-		n = (m->nbuckets > 0) ? (m->nbuckets << 1) : 1;
-		err = map_resize(m, n);
-		if(err)
-			goto fail;
-	}
-	map_addnode(m, node);
-	m->nnodes++;
-	return 0;
-fail:
-	if(node)
-		pkg_free(node);
-	return -1;
-}
-
-
-void map_remove_(map_base_t *m, const char *key)
-{
-	map_node_t *node;
-	map_node_t **next = map_getref(m, key);
-	if(next) {
-		node = *next;
-		*next = (*next)->next;
-		pkg_free(node);
-		m->nnodes--;
-	}
-}
-
-
-map_iter_t map_iter_(void)
-{
-	map_iter_t iter;
-	iter.bucketidx = -1;
-	iter.node = NULL;
-	return iter;
-}
-
-
-const char *map_next_(map_base_t *m, map_iter_t *iter)
-{
-	if(iter->node) {
-		iter->node = iter->node->next;
-		if(iter->node == NULL)
-			goto nextBucket;
-	} else {
-	nextBucket:
-		do {
-			if(++iter->bucketidx >= m->nbuckets) {
-				return NULL;
-			}
-			iter->node = m->buckets[iter->bucketidx];
-		} while(iter->node == NULL);
-	}
-	return (char *)(iter->node + 1);
-}

src/modules/tls_wolfssl/tls_map.h

@@ -1,77 +0,0 @@
-/**
- * Copyright (c) 2014 rxi
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the MIT license. See LICENSE for details.
- */
-
-#ifndef _TLS_MAP_H
-#define _TLS_MAP_H
-
-#include <string.h>
-
-#define MAP_VERSION "0.1.0"
-
-struct map_node_t;
-typedef struct map_node_t map_node_t;
-
-typedef struct
-{
-	map_node_t **buckets;
-	unsigned nbuckets, nnodes;
-} map_base_t;
-
-typedef struct
-{
-	unsigned bucketidx;
-	map_node_t *node;
-} map_iter_t;
-
-
-#define map_t(T)         \
-	struct               \
-	{                    \
-		map_base_t base; \
-		T *ref;          \
-		T tmp;           \
-	}
-
-
-#define map_init(m) memset(m, 0, sizeof(*(m)))
-
-
-#define map_deinit(m) map_deinit_(&(m)->base)
-
-
-#define map_get(m, key) ((m)->ref = map_get_(&(m)->base, key))
-
-
-#define map_set(m, key, value) \
-	((m)->tmp = (value), map_set_(&(m)->base, key, &(m)->tmp, sizeof((m)->tmp)))
-
-
-#define map_remove(m, key) map_remove_(&(m)->base, key)
-
-
-#define map_iter(m) map_iter_()
-
-
-#define map_next(m, iter) map_next_(&(m)->base, iter)
-
-
-void map_deinit_(map_base_t *m);
-void *map_get_(map_base_t *m, const char *key);
-int map_set_(map_base_t *m, const char *key, void *value, int vsize);
-void map_remove_(map_base_t *m, const char *key);
-map_iter_t map_iter_(void);
-const char *map_next_(map_base_t *m, map_iter_t *iter);
-
-
-typedef map_t(void *) map_void_t;
-typedef map_t(char *) map_str_t;
-typedef map_t(int) map_int_t;
-typedef map_t(char) map_char_t;
-typedef map_t(float) map_float_t;
-typedef map_t(double) map_double_t;
-
-#endif /* _TLS_MAP_H */

src/modules/tls_wolfssl/tls_rpc.c

@@ -186,12 +186,12 @@ static void tls_list(rpc_t *rpc, void *c)
 						state = "established";
 						break;
 				}
-				rpc->struct_add(handle, "sddds", "cipher", tls_info,
+				rpc->struct_add(handle, "sdds", "cipher", tls_info,
 						"ct_wq_size", tls_d->ct_wq ? tls_d->ct_wq->queued : 0,
 						"flags", tls_d->flags, "state", state);
 				lock_release(&con->write_lock);
 			} else {
-				rpc->struct_add(handle, "sddds", "cipher", "unknown",
+				rpc->struct_add(handle, "sdds", "cipher", "unknown",
 						"ct_wq_size", 0, "flags", 0, "state",
 						"pre-init");
 			}
@@ -223,36 +223,33 @@ static void tls_options(rpc_t *rpc, void *c)
 {
 	void *handle;
 	rpc->add(c, "{", &handle);
-	rpc->struct_add(handle, "dSdddSSSSSdSSdddddddddddddd", "force_run",
-			cfg_get(tls, tls_cfg, force_run), "method",
-			&cfg_get(tls, tls_cfg, method), "verify_certificate",
-			cfg_get(tls, tls_cfg, verify_cert),
-
-			"verify_depth", cfg_get(tls, tls_cfg, verify_depth),
-			"require_certificate", cfg_get(tls, tls_cfg, require_cert),
-			"verify_client", &cfg_get(tls, tls_cfg, verify_client),
-			"private_key", &cfg_get(tls, tls_cfg, private_key), "ca_list",
-			&cfg_get(tls, tls_cfg, ca_list), "certificate",
-			&cfg_get(tls, tls_cfg, certificate), "cipher_list",
-			&cfg_get(tls, tls_cfg, cipher_list), "session_cache",
-			cfg_get(tls, tls_cfg, session_cache), "session_id",
-			&cfg_get(tls, tls_cfg, session_id), "config",
-			&cfg_get(tls, tls_cfg, config_file), "log",
-			cfg_get(tls, tls_cfg, log), "debug", cfg_get(tls, tls_cfg, debug),
-			"connection_timeout",
-			TICKS_TO_S(cfg_get(tls, tls_cfg, con_lifetime)),
-			"disable_compression", cfg_get(tls, tls_cfg, disable_compression),
-			"ssl_release_buffers", cfg_get(tls, tls_cfg, ssl_release_buffers),
-			"ssl_freelist_max", cfg_get(tls, tls_cfg, ssl_freelist_max),
-			"ssl_max_send_fragment",
-			cfg_get(tls, tls_cfg, ssl_max_send_fragment), "ssl_read_ahead",
-			cfg_get(tls, tls_cfg, ssl_read_ahead), "send_close_notify",
-			cfg_get(tls, tls_cfg, send_close_notify), "low_mem_threshold1",
-			cfg_get(tls, tls_cfg, low_mem_threshold1), "low_mem_threshold2",
-			cfg_get(tls, tls_cfg, low_mem_threshold2), "ct_wq_max",
-			cfg_get(tls, tls_cfg, ct_wq_max), "con_ct_wq_max",
-			cfg_get(tls, tls_cfg, con_ct_wq_max), "ct_wq_blk_size",
-			cfg_get(tls, tls_cfg, ct_wq_blk_size));
+	rpc->struct_add(
+		handle, "dSdddSSSSSdSSdddddddddddd",
+		"force_run", cfg_get(tls, tls_cfg, force_run),
+		"method", &cfg_get(tls, tls_cfg, method),
+		"verify_certificate", cfg_get(tls, tls_cfg, verify_cert),
+		"verify_depth", cfg_get(tls, tls_cfg, verify_depth),
+		"require_certificate", cfg_get(tls, tls_cfg, require_cert),
+		"verify_client", &cfg_get(tls, tls_cfg, verify_client),
+		"private_key", &cfg_get(tls, tls_cfg, private_key),
+		"ca_list", &cfg_get(tls, tls_cfg, ca_list),
+		"certificate", &cfg_get(tls, tls_cfg, certificate),
+		"cipher_list", &cfg_get(tls, tls_cfg, cipher_list),
+		"session_cache", cfg_get(tls, tls_cfg, session_cache),
+		"session_id", &cfg_get(tls, tls_cfg, session_id),
+		"config", &cfg_get(tls, tls_cfg, config_file),
+		"log", cfg_get(tls, tls_cfg, log),
+		"debug", cfg_get(tls, tls_cfg, debug),
+		"connection_timeout", TICKS_TO_S(cfg_get(tls, tls_cfg, con_lifetime)),
+		"disable_compression", cfg_get(tls, tls_cfg, disable_compression),
+		"ssl_release_buffers", cfg_get(tls, tls_cfg, ssl_release_buffers),
+		"ssl_freelist_max", cfg_get(tls, tls_cfg, ssl_freelist_max),
+		"ssl_max_send_fragment", cfg_get(tls, tls_cfg, ssl_max_send_fragment),
+		"ssl_read_ahead", cfg_get(tls, tls_cfg, ssl_read_ahead),
+		"send_close_notify", cfg_get(tls, tls_cfg, send_close_notify),
+		"ct_wq_max", cfg_get(tls, tls_cfg, ct_wq_max),
+		"con_ct_wq_max", cfg_get(tls, tls_cfg, con_ct_wq_max),
+		"ct_wq_blk_size", cfg_get(tls, tls_cfg, ct_wq_blk_size));
 }
 
 

src/modules/tls_wolfssl/tls_server.c

@@ -58,7 +58,6 @@
 #include "tls_server.h"
 #include "tls_select.h"
 
-#include "tls_dump_vf.h"
 #include "tls_cfg.h"
 
 int tls_run_event_routes(struct tcp_connection *c);

src/modules/tls_wolfssl/tls_util.c

@@ -96,3 +96,19 @@ void collect_garbage(void)
 
 	lock_release(tls_domains_cfg_lock);
 }
+
+
+/** log the verification failure reason.
+ * wolfSSL has a different set of return values
+ * than OpenSSL
+ */
+void tls_dump_verification_failure(long verification_result)
+{
+	int tls_log;
+
+	tls_log = cfg_get(tls, tls_cfg, log);
+	LOG(tls_log, "%s\n", wolfSSL_ERR_reason_error_string(verification_result));
+}
+
+
+/* vi: set ts=4 sw=4 tw=79:ai:cindent: */

src/modules/tls_wolfssl/tls_util.h

@@ -28,6 +28,7 @@
 
 #include "../../core/dprint.h"
 #include "../../core/str.h"
+#include "tls_cfg.h"
 #include "tls_domain.h"
 
 static inline int tls_err_ret(
@@ -80,4 +81,6 @@ int shm_asciiz_dup(char **dest, char *val);
  */
 void collect_garbage(void);
 
+void tls_dump_verification_failure(long verification_result);
+
 #endif /* _TLS_UTIL_H */

src/modules/tls_wolfssl/tls_wolfssl_mod.c

@@ -222,8 +222,6 @@ static param_export_t params[] = {
 		{"ct_wq_max", PARAM_INT, &default_tls_cfg.ct_wq_max},
 		{"ct_wq_blk_size", PARAM_INT, &default_tls_cfg.ct_wq_blk_size},
 		{"tls_force_run", PARAM_INT, &default_tls_cfg.force_run},
-		{"low_mem_threshold1", PARAM_INT, &default_tls_cfg.low_mem_threshold1},
-		{"low_mem_threshold2", PARAM_INT, &default_tls_cfg.low_mem_threshold2},
 		{"renegotiation", PARAM_INT, &sr_tls_renegotiation},
 		{"xavp_cfg", PARAM_STR, &sr_tls_xavp_cfg},
 		{"event_callback", PARAM_STR, &sr_tls_event_callback},