Merge pull request #6559 from dgarske/sni_defaults

Turn on SNI by default on hosts with resources

Author: SparkiDev

CMakeLists.txt

@@ -1299,7 +1299,6 @@ endif()
 #       - CRL monitor
 #       - User crypto
 #       - Whitewood netRandom client library
-#       - SNI
 #       - Max fragment length
 #       - ALPN
 #       - Trusted CA indication
@@ -1315,8 +1314,14 @@ add_option(WOLFSSL_CRL
     "Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)"
     "no" "yes;no;io")
 
+
+set(SNI_DEFAULT "no")
+if(("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "x86_64|x86|AMD64|arm64") OR
+    ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64"))
+    set(SNI_DEFAULT "yes")
+endif()
 set(WOLFSSL_SNI_HELP_STRING "Enable SNI (default: disabled)")
-add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} "no" "yes;no")
+add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} ${SNI_DEFAULT} "yes;no")
 
 set(WOLFSSL_TLSX_HELP_STRING "Enable all TLS Extensions (default: disabled)")
 add_option(WOLFSSL_TLSX ${WOLFSSL_TLSX_HELP_STRING} "no" "yes;no")

configure.ac

@@ -4971,21 +4971,22 @@ AC_ARG_WITH([wnr],
 
 
 # SNI
+# enable SNI automatically for x86_64/x86/aarch64/amd64
+SNI_DEFAULT=no
+if test "$host_cpu" = "x86_64" || test "$host_cpu" = "x86" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
+then
+    SNI_DEFAULT=yes
+fi
 AC_ARG_ENABLE([sni],
-    [AS_HELP_STRING([--enable-sni],[Enable SNI (default: disabled)])],
+    [AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])],
     [ ENABLED_SNI=$enableval ],
-    [ ENABLED_SNI=no ]
+    [ ENABLED_SNI=$SNI_DEFAULT ]
     )
-if test "x$ENABLED_QT" = "xyes"
+if test "x$ENABLED_QT" = "xyes" || test "$ENABLED_QUIC" = "yes"
 then
     ENABLED_SNI="yes"
 fi
 
-if test "$ENABLED_QUIC" = "yes"
-then
-    ENABLED_SNI=yes
-fi
-
 if test "x$ENABLED_SNI" = "xyes"
 then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"

tests/api.c

@@ -47,6 +47,20 @@
 #endif
 #if defined(WOLFSSL_STATIC_MEMORY)
     #include <wolfssl/wolfcrypt/memory.h>
+
+#if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY)
+    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
+         defined(SESSION_CERTS)
+        #ifdef OPENSSL_EXTRA
+            #define TEST_TLS_STATIC_MEMSZ (400000)
+        #else
+            #define TEST_TLS_STATIC_MEMSZ (320000)
+        #endif
+    #else
+            #define TEST_TLS_STATIC_MEMSZ (80000)
+    #endif
+#endif
+
 #endif /* WOLFSSL_STATIC_MEMORY */
 #ifndef HEAP_HINT
     #define HEAP_HINT NULL
@@ -6800,11 +6814,11 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args)
     }
 #else
     ctx = wolfSSL_CTX_new(callbacks->method());
+#endif
     if (ctx == NULL) {
         fprintf(stderr, "CTX new failed\n");
         goto cleanup;
     }
-#endif
 
     /* set defaults */
     if (callbacks->caPemFile == NULL)
@@ -7053,14 +7067,12 @@ static void run_wolfssl_client(void* args)
         }
     }
 #else
-    if (ctx == NULL) {
-        ctx = wolfSSL_CTX_new(callbacks->method());
-    }
+    ctx = wolfSSL_CTX_new(callbacks->method());
+#endif
     if (ctx == NULL) {
         fprintf(stderr, "CTX new failed\n");
         goto cleanup;
     }
-#endif
 
 #ifdef WOLFSSL_TIRTOS
     fdOpenSession(Task_self());
@@ -9353,90 +9365,117 @@ static int test_wolfSSL_UseSNI_connection(void)
     callback_functions client_cb;
     callback_functions server_cb;
     size_t i;
-
+#ifdef WOLFSSL_STATIC_MEMORY
+    byte cliMem[TEST_TLS_STATIC_MEMSZ];
+    byte svrMem[TEST_TLS_STATIC_MEMSZ];
+#endif
     struct {
         method_provider client_meth;
         method_provider server_meth;
+    #ifdef WOLFSSL_STATIC_MEMORY
+        wolfSSL_method_func client_meth_ex;
+        wolfSSL_method_func server_meth_ex;
+    #endif
     } methods[] = {
 #if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13)
-        {wolfSSLv23_client_method, wolfSSLv23_server_method},
+        {wolfSSLv23_client_method, wolfSSLv23_server_method
+        #ifdef WOLFSSL_STATIC_MEMORY
+            ,wolfSSLv23_client_method_ex, wolfSSLv23_server_method_ex
+        #endif
+        },
 #endif
 #ifndef WOLFSSL_NO_TLS12
-        {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method},
+        {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method
+        #ifdef WOLFSSL_STATIC_MEMORY
+            ,wolfTLSv1_2_client_method_ex, wolfTLSv1_2_server_method_ex
+        #endif
+        },
 #endif
 #ifdef WOLFSSL_TLS13
-        {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method},
+        {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method
+        #ifdef WOLFSSL_STATIC_MEMORY
+            ,wolfTLSv1_3_client_method_ex, wolfTLSv1_3_server_method_ex
+        #endif
+        },
 #endif
     };
     size_t methodsSz = sizeof(methods) / sizeof(*methods);
 
     for (i = 0; i < methodsSz; i++) {
-    XMEMSET(&client_cb, 0, sizeof(callback_functions));
-    XMEMSET(&server_cb, 0, sizeof(callback_functions));
-    client_cb.method = methods[i].client_meth;
-    server_cb.method = methods[i].server_meth;
-    client_cb.devId = testDevId;
-    server_cb.devId = testDevId;
-
-    /* success case at ctx */
-    printf("success case at ctx\n");
-    client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* success case at ssl */
-    printf("success case at ssl\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* default mismatch behavior */
-    printf("default mismatch behavior\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl;       server_cb.on_result = verify_UNKNOWN_SNI_on_server;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* continue on mismatch */
-    printf("continue on mismatch\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;         client_cb.on_result = NULL;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* fake answer on mismatch */
-    printf("fake answer on mismatch\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;            client_cb.on_result = NULL;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* sni abort - success */
-    printf("sni abort - success\n");
-    client_cb.ctx_ready = use_SNI_at_ctx;           client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* sni abort - abort when absent (ctx) */
-    printf("sni abort - abort when absent (ctx)\n");
-    client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client;
-    server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* sni abort - abort when absent (ssl) */
-    printf("sni abort - abort when absent (ssl)\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL;                     client_cb.on_result = verify_FATAL_ERROR_on_client;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* sni abort - success when overwritten */
-    printf("sni abort - success when overwritten\n");
-    client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL;           client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
-
-    /* sni abort - success when allowing mismatches */
-    printf("sni abort - success when allowing mismatches\n");
-    client_cb.ctx_ready = NULL;                            client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL;                 server_cb.on_result = verify_SNI_fake_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        XMEMSET(&client_cb, 0, sizeof(callback_functions));
+        XMEMSET(&server_cb, 0, sizeof(callback_functions));
+        client_cb.method = methods[i].client_meth;
+        server_cb.method = methods[i].server_meth;
+        client_cb.devId = testDevId;
+        server_cb.devId = testDevId;
+    #ifdef WOLFSSL_STATIC_MEMORY
+        client_cb.method_ex = methods[i].client_meth_ex;
+        server_cb.method_ex = methods[i].server_meth_ex;
+        client_cb.mem = cliMem;
+        client_cb.memSz = (word32)sizeof(cliMem);
+        server_cb.mem = svrMem;
+        server_cb.memSz = (word32)sizeof(svrMem);;
+    #endif
+
+        /* success case at ctx */
+        printf("\n\tsuccess case at ctx\n");
+        client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* success case at ssl */
+        printf("\tsuccess case at ssl\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* default mismatch behavior */
+        printf("\tdefault mismatch behavior\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl;       server_cb.on_result = verify_UNKNOWN_SNI_on_server;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* continue on mismatch */
+        printf("\tcontinue on mismatch\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;         client_cb.on_result = NULL;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* fake answer on mismatch */
+        printf("\tfake answer on mismatch\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;            client_cb.on_result = NULL;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* sni abort - success */
+        printf("\tsni abort - success\n");
+        client_cb.ctx_ready = use_SNI_at_ctx;           client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* sni abort - abort when absent (ctx) */
+        printf("\tsni abort - abort when absent (ctx)\n");
+        client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client;
+        server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* sni abort - abort when absent (ssl) */
+        printf("\tsni abort - abort when absent (ssl)\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL;                     client_cb.on_result = verify_FATAL_ERROR_on_client;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* sni abort - success when overwritten */
+        printf("\tsni abort - success when overwritten\n");
+        client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL;           client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
+
+        /* sni abort - success when allowing mismatches */
+        printf("\tsni abort - success when allowing mismatches\n");
+        client_cb.ctx_ready = NULL;                            client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL;                 server_cb.on_result = verify_SNI_fake_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
     }
 
     res = TEST_RES_CHECK(1);
@@ -57657,17 +57696,6 @@ static int test_wolfSSL_CTX_StaticMemory_TLS(int tlsVer,
 #endif /* WOLFSSL_STATIC_MEMORY && HAVE_IO_TESTS_DEPENDENCIES */
 
 #if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY)
-#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
-        defined(SESSION_CERTS)
-    #ifdef OPENSSL_EXTRA
-    #define TEST_TLS_STATIC_MEMSZ (400000)
-    #else
-    #define TEST_TLS_STATIC_MEMSZ (320000)
-    #endif
-#else
-    #define TEST_TLS_STATIC_MEMSZ (80000)
-#endif
-
 static int test_wolfSSL_CTX_StaticMemory_SSL(WOLFSSL_CTX* ctx)
 {
     EXPECT_DECLS;

wolfcrypt/src/wc_port.c

@@ -385,7 +385,7 @@ int wolfCrypt_Init(void)
     return ret;
 }
 
-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
 long wolfCrypt_heap_peakAllocs_checkpoint(void) {
     long ret = ourMemStats.peakAllocsTripOdometer;
     ourMemStats.peakAllocsTripOdometer = ourMemStats.totalAllocs -

wolfcrypt/test/test.c

@@ -55,7 +55,7 @@
 #endif
 #endif
 
-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
 #ifdef WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS
     static ssize_t max_relative_heap_allocs = WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS;
 #else
@@ -84,7 +84,7 @@
     }
 #else
 #define PRINT_HEAP_CHECKPOINT()
-#endif
+#endif /* WOLFSSL_TRACK_MEMORY_VERBOSE && !WOLFSSL_STATIC_MEMORY */
 
 #ifdef USE_FLAT_TEST_H
     #ifdef HAVE_CONFIG_H
@@ -832,15 +832,15 @@ wc_test_ret_t wolfcrypt_test(void* args)
 #endif
 {
     wc_test_ret_t ret;
-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
     long heap_baselineAllocs, heap_baselineBytes;
 #endif
 #ifdef TEST_ALWAYS_RUN_TO_END
     int last_failed_test_ret = 0;
 #endif
     STACK_SIZE_INIT();
 
-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
     (void)wolfCrypt_heap_peakAllocs_checkpoint();
     heap_baselineAllocs = wolfCrypt_heap_peakAllocs_checkpoint();
     (void)wolfCrypt_heap_peakBytes_checkpoint();

wolfssl/test.h

@@ -2903,7 +2903,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
     char buffer[WOLFSSL_MAX_ERROR_SZ];
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     WOLFSSL_X509* peer;
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
+#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
+    !defined(OPENSSL_EXTRA_X509_SMALL)
     WOLFSSL_BIO* bio = NULL;
     WOLFSSL_STACK* sk = NULL;
     X509* x509 = NULL;
@@ -2948,7 +2949,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 
         XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
         XFREE(issuer,  0, DYNAMIC_TYPE_OPENSSL);
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
+#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
+    !defined(OPENSSL_EXTRA_X509_SMALL)
         /* avoid printing duplicate certs */
         if (store->depth == 1) {
             int i;