diff --git a/src/internal.c b/src/internal.c index fdb466d40..9db500b13 100644 --- a/src/internal.c +++ b/src/internal.c @@ -27982,7 +27982,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto out; } #endif - #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) + #ifdef HAVE_SNI if((ret=SNI_Callback(ssl))) goto out; ssl->options.side = WOLFSSL_SERVER_END; @@ -30441,8 +30441,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif /* !WOLFSSL_NO_TLS12 */ -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) +#ifdef HAVE_SNI int SNI_Callback(WOLFSSL* ssl) { /* Stunnel supports a custom sni callback to switch an SSL's ctx @@ -30458,7 +30457,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } return 0; } -#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif /* HAVE_SNI */ #endif /* NO_WOLFSSL_SERVER */ diff --git a/src/ssl.c b/src/ssl.c index 249977830..daf773dcd 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -41400,17 +41400,14 @@ long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) switch (cmd) { #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) + #ifdef HAVE_SNI case SSL_CTRL_SET_TLSEXT_HOSTNAME: WOLFSSL_MSG("Entering Case: SSL_CTRL_SET_TLSEXT_HOSTNAME."); - #ifdef HAVE_SNI if (pt == NULL) { WOLFSSL_MSG("Passed in NULL Host Name."); break; } return wolfSSL_set_tlsext_host_name(ssl, (const char*) pt); - #else - WOLFSSL_MSG("SNI not enabled."); - break; #endif /* HAVE_SNI */ #endif /* WOLFSSL_NGINX || WOLFSSL_QT || OPENSSL_ALL */ default: @@ -42867,6 +42864,8 @@ VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx) } +#ifdef HAVE_SNI + void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb) { WOLFSSL_ENTER("wolfSSL_CTX_set_servername_callback"); @@ -42895,6 +42894,9 @@ int wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg) return WOLFSSL_FAILURE; } +#endif /* HAVE_SNI */ + + #ifndef NO_BIO void wolfSSL_ERR_load_BIO_strings(void) { WOLFSSL_ENTER("ERR_load_BIO_strings"); diff --git a/src/tls.c b/src/tls.c index e7fd14352..e0b1df0f1 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9178,9 +9178,11 @@ void TLSX_FreeAll(TLSX* list, void* heap) switch (extension->type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: SNI_FREE_ALL((SNI*)extension->data, heap); break; +#endif case TLSX_TRUSTED_CA_KEYS: TCA_FREE_ALL((TCA*)extension->data, heap); @@ -9312,11 +9314,13 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, switch (extension->type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: /* SNI only sends the name on the request. */ if (isRequest) length += SNI_GET_SIZE((SNI*)extension->data); break; +#endif case TLSX_TRUSTED_CA_KEYS: /* TCA only sends the list on the request. */ @@ -9464,12 +9468,14 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore, /* extension data should be written internally. */ switch (extension->type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: if (isRequest) { WOLFSSL_MSG("SNI extension to write"); offset += SNI_WRITE((SNI*)extension->data, output + offset); } break; +#endif case TLSX_TRUSTED_CA_KEYS: WOLFSSL_MSG("Trusted CA Indication extension to write"); @@ -10909,6 +10915,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, return BUFFER_ERROR; switch (type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: WOLFSSL_MSG("SNI extension received"); #ifdef WOLFSSL_DEBUG_TLS @@ -10929,6 +10936,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, #endif ret = SNI_PARSE(ssl, input + offset, size, isRequest); break; +#endif case TLSX_TRUSTED_CA_KEYS: WOLFSSL_MSG("Trusted CA extension received"); diff --git a/src/tls13.c b/src/tls13.c index 785836ad1..d01b1098c 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -3987,12 +3987,11 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return ret; } -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) +#ifdef HAVE_SNI if ((ret = SNI_Callback(ssl)) != 0) return ret; ssl->options.side = WOLFSSL_SERVER_END; -#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif i += totalExtSz; *inOutIdx = i; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 832224571..aea8a6478 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1718,9 +1718,11 @@ WOLFSSL_LOCAL int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz); WOLFSSL_LOCAL int HashInput(WOLFSSL* ssl, const byte* input, int sz); -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) +#ifdef HAVE_SNI +#ifndef NO_WOLFSSL_SERVER WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl); #endif +#endif #ifdef WOLFSSL_TLS13 WOLFSSL_LOCAL int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, const byte* aad, word16 aadSz); @@ -2168,7 +2170,9 @@ typedef struct Keys { #ifdef HAVE_TLS_EXTENSIONS typedef enum { +#ifdef HAVE_SNI TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ +#endif TLSX_MAX_FRAGMENT_LENGTH = 0x0001, TLSX_TRUSTED_CA_KEYS = 0x0003, TLSX_TRUNCATED_HMAC = 0x0004, @@ -2828,9 +2832,7 @@ struct WOLFSSL_CTX { CallbackALPNSelect alpnSelect; void* alpnSelectArg; #endif -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH) )) +#ifdef HAVE_SNI CallbackSniRecv sniRecvCb; void* sniRecvCbArg; #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 320bd12c1..f8585e0b8 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3323,7 +3323,6 @@ WOLFSSL_LOCAL int NIDToEccEnum(int n); /* end of object functions */ WOLFSSL_API unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line); -WOLFSSL_API long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt); WOLFSSL_API long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt,void* pt); WOLFSSL_API long wolfSSL_CTX_callback_ctrl(WOLFSSL_CTX* ctx, int cmd, void (*fp)(void)); WOLFSSL_API long wolfSSL_CTX_clear_extra_chain_certs(WOLFSSL_CTX* ctx); @@ -3353,6 +3352,11 @@ WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl); #endif /* !NO_CERTS */ #endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) +WOLFSSL_API long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt); +#endif + #ifdef WOLFSSL_WPAS_SMALL /* WPA Supplicant requires GEN_ values */ #include @@ -3557,9 +3561,6 @@ WOLFSSL_API int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, #include -/* SNI received callback type */ -typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg); - WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), void *(*r) (void *, size_t, const char *, int), void (*f) (void *)); @@ -3690,12 +3691,22 @@ WOLFSSL_API VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX*); WOLFSSL_API VerifyCallback wolfSSL_get_verify_callback(WOLFSSL*); +#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY */ + +#ifdef HAVE_SNI +/* SNI received callback type */ +typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg); + WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *, CallbackSniRecv); WOLFSSL_API int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX *, CallbackSniRecv); WOLFSSL_API int wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); +#endif + +#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \ + || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) WOLFSSL_API void wolfSSL_ERR_remove_thread_state(void*); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 3e7be58d1..91df8c469 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2189,7 +2189,8 @@ extern void uITRON4_free(void *p) ; #undef HAVE_GMTIME_R /* don't trust macro with windows */ #endif /* WOLFSSL_MYSQL_COMPATIBLE */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(HAVE_LIGHTY) #define SSL_OP_NO_COMPRESSION SSL_OP_NO_COMPRESSION #define OPENSSL_NO_ENGINE #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT @@ -2210,7 +2211,7 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) +#ifdef HAVE_SNI #define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 #endif @@ -2283,7 +2284,8 @@ extern void uITRON4_free(void *p) ; #endif /* Parts of the openssl compatibility layer require peer certs */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(HAVE_LIGHTY) #undef KEEP_PEER_CERT #define KEEP_PEER_CERT #endif