Merge pull request #6559 from dgarske/sni_defaults

Turn on SNI by default on hosts with resources
2023-07-03 08:07:45 +10:00
parent a4c058649b 6052e01879
commit da4424cd0c
6 changed files with 129 additions and 93 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1299,7 +1299,6 @@ endif()
 #       - CRL monitor
 #       - User crypto
 #       - Whitewood netRandom client library
-#       - SNI
 #       - Max fragment length
 #       - ALPN
 #       - Trusted CA indication
@@ -1315,8 +1314,14 @@ add_option(WOLFSSL_CRL
    "Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)"
    "no" "yes;no;io")

+
+set(SNI_DEFAULT "no")
+if(("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "x86_64|x86|AMD64|arm64") OR
+    ("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "aarch64"))
+    set(SNI_DEFAULT "yes")
+endif()
 set(WOLFSSL_SNI_HELP_STRING "Enable SNI (default: disabled)")
-add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} "no" "yes;no")
+add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} ${SNI_DEFAULT} "yes;no")

 set(WOLFSSL_TLSX_HELP_STRING "Enable all TLS Extensions (default: disabled)")
 add_option(WOLFSSL_TLSX ${WOLFSSL_TLSX_HELP_STRING} "no" "yes;no")
--- a/configure.ac
+++ b/configure.ac
@@ -4971,21 +4971,22 @@ AC_ARG_WITH([wnr],


 # SNI
+# enable SNI automatically for x86_64/x86/aarch64/amd64
+SNI_DEFAULT=no
+if test "$host_cpu" = "x86_64" || test "$host_cpu" = "x86" || test "$host_cpu" = "aarch64" || test "$host_cpu" = "amd64"
+then
+    SNI_DEFAULT=yes
+fi
 AC_ARG_ENABLE([sni],
-    [AS_HELP_STRING([--enable-sni],[Enable SNI (default: disabled)])],
+    [AS_HELP_STRING([--enable-sni],[Enable SNI (default: enabled on x86_64/x86/aarch64/amd64)])],
    [ ENABLED_SNI=$enableval ],
-    [ ENABLED_SNI=no ]
+    [ ENABLED_SNI=$SNI_DEFAULT ]
    )
-if test "x$ENABLED_QT" = "xyes"
+if test "x$ENABLED_QT" = "xyes" || test "$ENABLED_QUIC" = "yes"
 then
    ENABLED_SNI="yes"
 fi

-if test "$ENABLED_QUIC" = "yes"
-then
-    ENABLED_SNI=yes
-fi
-
 if test "x$ENABLED_SNI" = "xyes"
 then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI"
--- a/tests/api.c
+++ b/tests/api.c
@@ -47,6 +47,20 @@
 #endif
 #if defined(WOLFSSL_STATIC_MEMORY)
    #include <wolfssl/wolfcrypt/memory.h>
+
+#if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY)
+    #if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
+         defined(SESSION_CERTS)
+        #ifdef OPENSSL_EXTRA
+            #define TEST_TLS_STATIC_MEMSZ (400000)
+        #else
+            #define TEST_TLS_STATIC_MEMSZ (320000)
+        #endif
+    #else
+            #define TEST_TLS_STATIC_MEMSZ (80000)
+    #endif
+#endif
+
 #endif /* WOLFSSL_STATIC_MEMORY */
 #ifndef HEAP_HINT
    #define HEAP_HINT NULL
@@ -6800,11 +6814,11 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args)
    }
 #else
    ctx = wolfSSL_CTX_new(callbacks->method());
+#endif
    if (ctx == NULL) {
        fprintf(stderr, "CTX new failed\n");
        goto cleanup;
    }
-#endif

    /* set defaults */
    if (callbacks->caPemFile == NULL)
@@ -7053,14 +7067,12 @@ static void run_wolfssl_client(void* args)
        }
    }
 #else
-    if (ctx == NULL) {
-        ctx = wolfSSL_CTX_new(callbacks->method());
-    }
+    ctx = wolfSSL_CTX_new(callbacks->method());
+#endif
    if (ctx == NULL) {
        fprintf(stderr, "CTX new failed\n");
        goto cleanup;
    }
-#endif

 #ifdef WOLFSSL_TIRTOS
    fdOpenSession(Task_self());
@@ -9353,90 +9365,117 @@ static int test_wolfSSL_UseSNI_connection(void)
    callback_functions client_cb;
    callback_functions server_cb;
    size_t i;
-
+#ifdef WOLFSSL_STATIC_MEMORY
+    byte cliMem[TEST_TLS_STATIC_MEMSZ];
+    byte svrMem[TEST_TLS_STATIC_MEMSZ];
+#endif
    struct {
        method_provider client_meth;
        method_provider server_meth;
+    #ifdef WOLFSSL_STATIC_MEMORY
+        wolfSSL_method_func client_meth_ex;
+        wolfSSL_method_func server_meth_ex;
+    #endif
    } methods[] = {
 #if defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_TLS13)
-        {wolfSSLv23_client_method, wolfSSLv23_server_method},
+        {wolfSSLv23_client_method, wolfSSLv23_server_method
+        #ifdef WOLFSSL_STATIC_MEMORY
+            ,wolfSSLv23_client_method_ex, wolfSSLv23_server_method_ex
+        #endif
+        },
 #endif
 #ifndef WOLFSSL_NO_TLS12
-        {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method},
+        {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method
+        #ifdef WOLFSSL_STATIC_MEMORY
+            ,wolfTLSv1_2_client_method_ex, wolfTLSv1_2_server_method_ex
+        #endif
+        },
 #endif
 #ifdef WOLFSSL_TLS13
-        {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method},
+        {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method
+        #ifdef WOLFSSL_STATIC_MEMORY
+            ,wolfTLSv1_3_client_method_ex, wolfTLSv1_3_server_method_ex
+        #endif
+        },
 #endif
    };
    size_t methodsSz = sizeof(methods) / sizeof(*methods);

    for (i = 0; i < methodsSz; i++) {
-    XMEMSET(&client_cb, 0, sizeof(callback_functions));
-    XMEMSET(&server_cb, 0, sizeof(callback_functions));
-    client_cb.method = methods[i].client_meth;
-    server_cb.method = methods[i].server_meth;
-    client_cb.devId = testDevId;
-    server_cb.devId = testDevId;
+        XMEMSET(&client_cb, 0, sizeof(callback_functions));
+        XMEMSET(&server_cb, 0, sizeof(callback_functions));
+        client_cb.method = methods[i].client_meth;
+        server_cb.method = methods[i].server_meth;
+        client_cb.devId = testDevId;
+        server_cb.devId = testDevId;
+    #ifdef WOLFSSL_STATIC_MEMORY
+        client_cb.method_ex = methods[i].client_meth_ex;
+        server_cb.method_ex = methods[i].server_meth_ex;
+        client_cb.mem = cliMem;
+        client_cb.memSz = (word32)sizeof(cliMem);
+        server_cb.mem = svrMem;
+        server_cb.memSz = (word32)sizeof(svrMem);;
+    #endif

-    /* success case at ctx */
-    printf("success case at ctx\n");
-    client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* success case at ctx */
+        printf("\n\tsuccess case at ctx\n");
+        client_cb.ctx_ready = use_SNI_at_ctx; client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* success case at ssl */
-    printf("success case at ssl\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* success case at ssl */
+        printf("\tsuccess case at ssl\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = use_SNI_at_ssl; client_cb.on_result = verify_SNI_real_matching;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_real_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* default mismatch behavior */
-    printf("default mismatch behavior\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl;       server_cb.on_result = verify_UNKNOWN_SNI_on_server;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* default mismatch behavior */
+        printf("\tdefault mismatch behavior\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = verify_FATAL_ERROR_on_client;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_at_ssl;       server_cb.on_result = verify_UNKNOWN_SNI_on_server;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* continue on mismatch */
-    printf("continue on mismatch\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;         client_cb.on_result = NULL;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* continue on mismatch */
+        printf("\tcontinue on mismatch\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;         client_cb.on_result = NULL;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_CONTINUE_at_ssl; server_cb.on_result = verify_SNI_no_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* fake answer on mismatch */
-    printf("fake answer on mismatch\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;            client_cb.on_result = NULL;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* fake answer on mismatch */
+        printf("\tfake answer on mismatch\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = different_SNI_at_ssl;            client_cb.on_result = NULL;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_SNI_WITH_FAKE_ANSWER_at_ssl; server_cb.on_result = verify_SNI_fake_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* sni abort - success */
-    printf("sni abort - success\n");
-    client_cb.ctx_ready = use_SNI_at_ctx;           client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* sni abort - success */
+        printf("\tsni abort - success\n");
+        client_cb.ctx_ready = use_SNI_at_ctx;           client_cb.ssl_ready = NULL; client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_real_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* sni abort - abort when absent (ctx) */
-    printf("sni abort - abort when absent (ctx)\n");
-    client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client;
-    server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* sni abort - abort when absent (ctx) */
+        printf("\tsni abort - abort when absent (ctx)\n");
+        client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL; client_cb.on_result = verify_FATAL_ERROR_on_client;
+        server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL; server_cb.on_result = verify_SNI_ABSENT_on_server;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* sni abort - abort when absent (ssl) */
-    printf("sni abort - abort when absent (ssl)\n");
-    client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL;                     client_cb.on_result = verify_FATAL_ERROR_on_client;
-    server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* sni abort - abort when absent (ssl) */
+        printf("\tsni abort - abort when absent (ssl)\n");
+        client_cb.ctx_ready = NULL; client_cb.ssl_ready = NULL;                     client_cb.on_result = verify_FATAL_ERROR_on_client;
+        server_cb.ctx_ready = NULL; server_cb.ssl_ready = use_MANDATORY_SNI_at_ssl; server_cb.on_result = verify_SNI_ABSENT_on_server;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* sni abort - success when overwritten */
-    printf("sni abort - success when overwritten\n");
-    client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL;           client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* sni abort - success when overwritten */
+        printf("\tsni abort - success when overwritten\n");
+        client_cb.ctx_ready = NULL;                     client_cb.ssl_ready = NULL;           client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = use_SNI_at_ssl; server_cb.on_result = verify_SNI_no_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);

-    /* sni abort - success when allowing mismatches */
-    printf("sni abort - success when allowing mismatches\n");
-    client_cb.ctx_ready = NULL;                            client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL;
-    server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL;                 server_cb.on_result = verify_SNI_fake_matching;
-    test_wolfSSL_client_server(&client_cb, &server_cb);
+        /* sni abort - success when allowing mismatches */
+        printf("\tsni abort - success when allowing mismatches\n");
+        client_cb.ctx_ready = NULL;                            client_cb.ssl_ready = different_SNI_at_ssl; client_cb.on_result = NULL;
+        server_cb.ctx_ready = use_PSEUDO_MANDATORY_SNI_at_ctx; server_cb.ssl_ready = NULL;                 server_cb.on_result = verify_SNI_fake_matching;
+        test_wolfSSL_client_server(&client_cb, &server_cb);
    }

    res = TEST_RES_CHECK(1);
@@ -57657,17 +57696,6 @@ static int test_wolfSSL_CTX_StaticMemory_TLS(int tlsVer,
 #endif /* WOLFSSL_STATIC_MEMORY && HAVE_IO_TESTS_DEPENDENCIES */

 #if defined(WOLFSSL_STATIC_MEMORY) && !defined(WOLFCRYPT_ONLY)
-#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) || \
-        defined(SESSION_CERTS)
-    #ifdef OPENSSL_EXTRA
-    #define TEST_TLS_STATIC_MEMSZ (400000)
-    #else
-    #define TEST_TLS_STATIC_MEMSZ (320000)
-    #endif
-#else
-    #define TEST_TLS_STATIC_MEMSZ (80000)
-#endif
-
 static int test_wolfSSL_CTX_StaticMemory_SSL(WOLFSSL_CTX* ctx)
 {
    EXPECT_DECLS;
--- a/wolfcrypt/src/wc_port.c
+++ b/wolfcrypt/src/wc_port.c
@@ -385,7 +385,7 @@ int wolfCrypt_Init(void)
    return ret;
 }

-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
 long wolfCrypt_heap_peakAllocs_checkpoint(void) {
    long ret = ourMemStats.peakAllocsTripOdometer;
    ourMemStats.peakAllocsTripOdometer = ourMemStats.totalAllocs -
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -55,7 +55,7 @@
 #endif
 #endif

-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
 #ifdef WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS
    static ssize_t max_relative_heap_allocs = WOLFSSL_TEST_MAX_RELATIVE_HEAP_ALLOCS;
 #else
@@ -84,7 +84,7 @@
    }
 #else
 #define PRINT_HEAP_CHECKPOINT()
-#endif
+#endif /* WOLFSSL_TRACK_MEMORY_VERBOSE && !WOLFSSL_STATIC_MEMORY */

 #ifdef USE_FLAT_TEST_H
    #ifdef HAVE_CONFIG_H
@@ -832,7 +832,7 @@ wc_test_ret_t wolfcrypt_test(void* args)
 #endif
 {
    wc_test_ret_t ret;
-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
    long heap_baselineAllocs, heap_baselineBytes;
 #endif
 #ifdef TEST_ALWAYS_RUN_TO_END
@@ -840,7 +840,7 @@ wc_test_ret_t wolfcrypt_test(void* args)
 #endif
    STACK_SIZE_INIT();

-#ifdef WOLFSSL_TRACK_MEMORY_VERBOSE
+#if defined(WOLFSSL_TRACK_MEMORY_VERBOSE) && !defined(WOLFSSL_STATIC_MEMORY)
    (void)wolfCrypt_heap_peakAllocs_checkpoint();
    heap_baselineAllocs = wolfCrypt_heap_peakAllocs_checkpoint();
    (void)wolfCrypt_heap_peakBytes_checkpoint();
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -2903,7 +2903,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
    char buffer[WOLFSSL_MAX_ERROR_SZ];
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
    WOLFSSL_X509* peer;
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
+#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
+    !defined(OPENSSL_EXTRA_X509_SMALL)
    WOLFSSL_BIO* bio = NULL;
    WOLFSSL_STACK* sk = NULL;
    X509* x509 = NULL;
@@ -2948,7 +2949,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)

        XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
        XFREE(issuer,  0, DYNAMIC_TYPE_OPENSSL);
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
+#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
+    !defined(OPENSSL_EXTRA_X509_SMALL)
        /* avoid printing duplicate certs */
        if (store->depth == 1) {
            int i;