diff --git a/CMakeLists.txt b/CMakeLists.txt index 8cafb4a0a..51889ebec 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1299,7 +1299,6 @@ endif() # - CRL monitor # - User crypto # - Whitewood netRandom client library -# - SNI # - Max fragment length # - ALPN # - Trusted CA indication @@ -1315,8 +1314,14 @@ add_option(WOLFSSL_CRL "Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)" "no" "yes;no;io") + +set(SNI_DEFAULT "no") +if(("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "x86_64|x86|AMD64|arm64") OR + ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64")) + set(SNI_DEFAULT "yes") +endif() set(WOLFSSL_SNI_HELP_STRING "Enable SNI (default: disabled)") -add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} "no" "yes;no") +add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} ${SNI_DEFAULT} "yes;no") set(WOLFSSL_TLSX_HELP_STRING "Enable all TLS Extensions (default: disabled)") add_option(WOLFSSL_TLSX ${WOLFSSL_TLSX_HELP_STRING} "no" "yes;no") diff --git a/configure.ac b/configure.ac index 596117ce5..fd3e5fa9b 100644 --- a/configure.ac +++ b/configure.ac @@ -4971,21 +4971,22 @@ AC_ARG_WITH([wnr], # SNI +# enable SNI automatically for x86_64/x86/aarch64/amd64 +SNI_DEFAULT=no +if test "$host_cpu" = "x86_64" || test "$host_cpu" = "x86" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64" +then + SNI_DEFAULT=yes +fi AC_ARG_ENABLE([sni], - [AS_HELP_STRING([--enable-sni],[Enable SNI (default: disabled)])], + [AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])], [ ENABLED_SNI=$enableval ], - [ ENABLED_SNI=no ] + [ ENABLED_SNI=$SNI_DEFAULT ] ) -if test "x$ENABLED_QT" = "xyes" +if test "x$ENABLED_QT" = "xyes" || test "$ENABLED_QUIC" = "yes" then ENABLED_SNI="yes" fi -if test "$ENABLED_QUIC" = "yes" -then - ENABLED_SNI=yes -fi - if test "x$ENABLED_SNI" = "xyes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI" diff --git a/tests/api.c b/tests/api.c index e8d57039d..6881328e0 100644 --- a/tests/api.c +++ b/tests/api.c 
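Review bot: The help text on the `set(WOLFSSL_SNI_HELP_STRING ...)` line still says "default: disabled" although the new `SNI_DEFAULT` block just above it makes the option default to yes on x86_64/x86/AMD64/arm64/aarch64; the configure.ac side of this commit updates its help string but the CMake side does not. Suggest `set(WOLFSSL_SNI_HELP_STRING "Enable SNI (default: enabled on x86_64/x86/AMD64/arm64/aarch64)")`. Note also that `MATCHES "x86_64|x86|AMD64|arm64"` is an unanchored, case-sensitive regex, so it is the substring `x86` that catches most Intel values and `i686`-style processor names are not covered; if 32-bit x86 is meant to be included, anchor the pattern and add it, e.g. `MATCHES "^(x86_64|i.86|x86|AMD64|arm64|aarch64)$"`, which also lets the separate `STREQUAL "aarch64"` branch go.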
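Review bot: The new `SNI_DEFAULT` test compares `$host_cpu` against the literal strings `x86` and `amd64`, but config.guess canonicalises those hosts to `i?86` (e.g. `i686`) and `x86_64` respectively, so as far as I can tell those two arms never match and a 32-bit x86 host keeps SNI disabled while the new help text says otherwise. A case pattern is the usual autoconf idiom and covers the real values: `case "$host_cpu" in x86_64|i?86|aarch64|arm64) SNI_DEFAULT=yes ;; esac`. The merged `test "x$ENABLED_QT" = "xyes" || test "$ENABLED_QUIC" = "yes"` line mixes the x-prefixed and bare comparison styles; pick one for readability.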
@@ -47,6 +47,20 @@ #endif #if defined(WOLFSSL_STATIC_MEMORY) #include + +#if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY) + #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \ + defined(SESSION_CERTS) + #ifdef OPENSSL_EXTRA + #define TEST_TLS_STATIC_MEMSZ (400000) + #else + #define TEST_TLS_STATIC_MEMSZ (320000) + #endif + #else + #define TEST_TLS_STATIC_MEMSZ (80000) + #endif +#endif + #endif /* WOLFSSL_STATIC_MEMORY */ #ifndef HEAP_HINT #define HEAP_HINT NULL @@ -6800,11 +6814,11 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) } #else ctx = wolfSSL_CTX_new(callbacks->method()); +#endif if (ctx == NULL) { fprintf(stderr, "CTX new failed\n"); goto cleanup; } -#endif /* set defaults */ if (callbacks->caPemFile == NULL) @@ -7053,14 +7067,12 @@ static void run_wolfssl_client(void* args) } } #else - if (ctx == NULL) { - ctx = wolfSSL_CTX_new(callbacks->method()); - } + ctx = wolfSSL_CTX_new(callbacks->method()); +#endif if (ctx == NULL) { fprintf(stderr, "CTX new failed\n"); goto cleanup; } -#endif #ifdef WOLFSSL_TIRTOS fdOpenSession(Task_self()); 
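Review bot: The inner `#if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY)` sits directly inside an `#if defined(WOLFSSL_STATIC_MEMORY)` block, so its first operand is redundant and `#if !defined(WOLFCRYPT_ONLY)` says the same thing. The three sizes (400000, 320000, 80000) are magic numbers that now live far from the tests that size their buffers with them; a one-line comment above the macro such as `/* static-heap bytes per TLS endpoint: more when ECC with full-size keys or SESSION_CERTS is on, more again with OPENSSL_EXTRA */` would tell the next maintainer which knob to turn when a new feature makes a static-memory test run out of heap.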
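Review bot: Dropping the `if (ctx == NULL)` guard means the non-static-memory branch of `run_wolfssl_client` now calls `wolfSSL_CTX_new` unconditionally; if `ctx` can already be non-NULL at this point (for instance assigned from a field of `callbacks` earlier in the function, whose start is outside this hunk), a caller-supplied context is silently replaced and leaked. If `ctx` is provably NULL here the change is a fine simplification and matches the server helper in the previous hunk; otherwise keep the guard, e.g. `if (ctx == NULL) ctx = wolfSSL_CTX_new(callbacks->method());`, and add a comment saying which case is intended. The function continues past the end of the hunk.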
@@ -9353,90 +9365,117 @@ static int test_wolfSSL_UseSNI_connection(void) callback_functions client_cb; callback_functions server_cb; size_t i; - +#ifdef WOLFSSL_STATIC_MEMORY + byte cliMem[TEST_TLS_STATIC_MEMSZ]; + byte svrMem[TEST_TLS_STATIC_MEMSZ]; +#endif struct { method_provider client_meth; method_provider server_meth; + #ifdef WOLFSSL_STATIC_MEMORY + wolfSSL_method_func client_meth_ex; + wolfSSL_method_func server_meth_ex; + #endif } methods[] = { #if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13) - {wolfSSLv23_client_method, wolfSSLv23_server_method}, + {wolfSSLv23_client_method, wolfSSLv23_server_method + #ifdef WOLFSSL_STATIC_MEMORY + ,wolfSSLv23_client_method_ex, wolfSSLv23_server_method_ex + #endif + }, #endif #ifndef WOLFSSL_NO_TLS12 - {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method}, + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method + #ifdef WOLFSSL_STATIC_MEMORY + ,wolfTLSv1_2_client_method_ex, wolfTLSv1_2_server_method_ex + #endif + }, #endif #ifdef WOLFSSL_TLS13 - {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method}, + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method + #ifdef WOLFSSL_STATIC_MEMORY + ,wolfTLSv1_3_client_method_ex, wolfTLSv1_3_server_method_ex + #endif + }, #endif }; size_t methodsSz = sizeof(methods) / sizeof(*methods); for (i = 0; i < methodsSz; i++) { - XMEMSET(&client_cb, 0, sizeof(callback_functions)); - XMEMSET(&server_cb, 0, sizeof(callback_functions)); - client_cb.method = methods[i].client_meth; - server_cb.method = methods[i].server_meth; - client_cb.devId = testDevId; - server_cb.devId = testDevId; + XMEMSET(&client_cb, 0, sizeof(callback_functions)); + XMEMSET(&server_cb, 0, sizeof(callback_functions)); + client_cb.method = methods[i].client_meth; + server_cb.method = methods[i].server_meth; + client_cb.devId = testDevId; + server_cb.devId = testDevId; + #ifdef WOLFSSL_STATIC_MEMORY + client_cb.method_ex = methods[i].client_meth_ex; + server_cb.method_ex = methods[i].server_meth_ex; + client_cb.mem 
= cliMem; + client_cb.memSz = (word32)sizeof(cliMem); + server_cb.mem = svrMem; + server_cb.memSz = (word32)sizeof(svrMem);; + #endif - /* success case at ctx */ - printf("success case at ctx\n"); - client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* success case at ctx */ + printf("\n\tsuccess case at ctx\n"); + client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* success case at ssl */ - printf("success case at ssl\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* success case at ssl */ + printf("\tsuccess case at ssl\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* default mismatch behavior */ - printf("default mismatch behavior\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_UNKNOWN_SNI_on_server; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* default mismatch behavior */ + printf("\tdefault mismatch behavior\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = 
different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_UNKNOWN_SNI_on_server; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* continue on mismatch */ - printf("continue on mismatch\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* continue on mismatch */ + printf("\tcontinue on mismatch\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* fake answer on mismatch */ - printf("fake answer on mismatch\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* fake answer on mismatch */ + printf("\tfake answer on mismatch\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* sni abort - success */ - printf("sni abort - success\n"); - client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; - test_wolfSSL_client_server(&client_cb, 
&server_cb); + /* sni abort - success */ + printf("\tsni abort - success\n"); + client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* sni abort - abort when absent (ctx) */ - printf("sni abort - abort when absent (ctx)\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; - server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* sni abort - abort when absent (ctx) */ + printf("\tsni abort - abort when absent (ctx)\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; + server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* sni abort - abort when absent (ssl) */ - printf("sni abort - abort when absent (ssl)\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; - server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* sni abort - abort when absent (ssl) */ + printf("\tsni abort - abort when absent (ssl)\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client; + server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* sni abort - success when overwritten */ - printf("sni abort - success when 
overwritten\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; - server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* sni abort - success when overwritten */ + printf("\tsni abort - success when overwritten\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL; client_cb.on_result = NULL; + server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); - /* sni abort - success when allowing mismatches */ - printf("sni abort - success when allowing mismatches\n"); - client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; - server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_fake_matching; - test_wolfSSL_client_server(&client_cb, &server_cb); + /* sni abort - success when allowing mismatches */ + printf("\tsni abort - success when allowing mismatches\n"); + client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL; + server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_fake_matching; + test_wolfSSL_client_server(&client_cb, &server_cb); } res = TEST_RES_CHECK(1); 
@@ -57657,17 +57696,6 @@ static int test_wolfSSL_CTX_StaticMemory_TLS(int tlsVer, #endif /* WOLFSSL_STATIC_MEMORY && HAVE_IO_TESTS_DEPENDENCIES */ #if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY) -#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \ - defined(SESSION_CERTS) - #ifdef OPENSSL_EXTRA - #define TEST_TLS_STATIC_MEMSZ (400000) - #else - #define TEST_TLS_STATIC_MEMSZ (320000) - #endif -#else - #define TEST_TLS_STATIC_MEMSZ (80000) -#endif - static int test_wolfSSL_CTX_StaticMemory_SSL(WOLFSSL_CTX* ctx) { EXPECT_DECLS; diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 0c5f01baa..1318e78d9 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -385,7 +385,7 @@ int wolfCrypt_Init(void) return ret; } -#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE +#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY) long wolfCrypt_heap_peakAllocs_checkpoint(void) { long ret = ourMemStats.peakAllocsTripOdometer; ourMemStats.peakAllocsTripOdometer = ourMemStats.totalAllocs - diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index de5ba1fb9..bfafb93c8 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -55,7 +55,7 @@ #endif #endif -#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE +#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY) #ifdef WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS static ssize_t max_relative_heap_allocs = WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS; #else @@ -84,7 +84,7 @@ } #else #define PRINT_HEAP_CHECKPOINT() -#endif +#endif /* WOLFSSL_TRACK_MEMORY_VERBOSE && !WOLFSSL_STATIC_MEMORY */ #ifdef USE_FLAT_TEST_H #ifdef HAVE_CONFIG_H @@ -832,7 +832,7 @@ wc_test_ret_t wolfcrypt_test(void* args) #endif { wc_test_ret_t ret; -#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE +#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY) long heap_baselineAllocs, heap_baselineBytes; #endif #ifdef TEST_ALWAYS_RUN_TO_END 
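Review bot: Making `wolfCrypt_heap_peakAllocs_checkpoint` (and presumably the sibling checkpoint functions below it, outside the hunk) conditional on `!defined(WOLFSSL_STATIC_MEMORY)` removes the definition, but any prototype in the public header and any other caller guarded only by `WOLFSSL_TRACK_MEMORY_VERBOSE` — this diff updates wolfcrypt/test/test.c only — will now declare or call a symbol that no longer exists in a static-memory build, which surfaces as a link error rather than a clear compile-time diagnostic. Mirror the same `&& !defined(WOLFSSL_STATIC_MEMORY)` on the declaration and grep for other callers, and add a one-line comment at this `#if` stating why the checkpoints are unavailable with the static allocator (presumably because `ourMemStats` is not maintained there), since the reason is not visible from the condition alone. The function body continues past the end of the hunk.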
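Review bot: The compound condition `defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)` is now repeated at four places in this file (this hunk and the hunks at lines 84, 832 and 840) and once more in wc_port.c; a drift in any one copy would silently re-enable a checkpoint call against a function that no longer exists. Define it once near the top of the file, e.g. `#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)` / `#define WOLFSSL_TEST_HEAP_CHECKPOINTS` / `#endif`, and test that single macro at the other three sites. A short comment on why static memory excludes the checkpoints would also help, since `PRINT_HEAP_CHECKPOINT()` quietly becomes a no-op in that configuration.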
@@ -840,7 +840,7 @@ wc_test_ret_t wolfcrypt_test(void* args) #endif STACK_SIZE_INIT(); -#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE +#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY) (void)wolfCrypt_heap_peakAllocs_checkpoint(); heap_baselineAllocs = wolfCrypt_heap_peakAllocs_checkpoint(); (void)wolfCrypt_heap_peakBytes_checkpoint(); diff --git a/wolfssl/test.h b/wolfssl/test.h index a46e0c60b..0b36a5e74 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -2903,7 +2903,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) char buffer[WOLFSSL_MAX_ERROR_SZ]; #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_X509* peer; -#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) +#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_BIO* bio = NULL; WOLFSSL_STACK* sk = NULL; X509* x509 = NULL; @@ -2948,7 +2949,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); -#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) +#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \ + !defined(OPENSSL_EXTRA_X509_SMALL) /* avoid printing duplicate certs */ if (store->depth == 1) { int i;
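Review bot: The added `!defined(OPENSSL_EXTRA_X509_SMALL)` on the `SHOW_CERTS` guard excludes every build that defines the small X509 API, and as far as I recall wolfSSL's settings.h defines `OPENSSL_EXTRA_X509_SMALL` whenever `OPENSSL_EXTRA` is defined; if that is so, the BIO/stack certificate dump inside `myVerify` can never compile in again, because the enclosing `#if` requires one of those two macros. If the intent is "only when the full OpenSSL-compat API is available", the positive form `#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)` says so and survives that implication; the second hunk in this file needs the same change to stay consistent. Please confirm against settings.h before merging. `myVerify` starts before this hunk.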