mirror of
https://github.com/openssl/openssl.git
synced 2025-01-12 13:36:28 +08:00
b67cb09f8d
* Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)
161 lines
5.9 KiB
Plaintext
161 lines
5.9 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
SSL_CTX_set1_cert_comp_preference,
|
|
SSL_set1_cert_comp_preference,
|
|
SSL_CTX_compress_certs,
|
|
SSL_compress_certs,
|
|
SSL_CTX_get1_compressed_cert,
|
|
SSL_get1_compressed_cert,
|
|
SSL_CTX_set1_compressed_cert,
|
|
SSL_set1_compressed_cert - Certificate compression functions
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
int SSL_CTX_set1_cert_comp_preference(SSL_CTX *ctx, int *algs, size_t len);
|
|
int SSL_set1_cert_comp_preference(SSL *ssl, int *algs, size_t len);
|
|
|
|
int SSL_CTX_compress_certs(SSL_CTX *ctx, int alg);
|
|
int SSL_compress_certs(SSL *ssl, int alg);
|
|
|
|
size_t SSL_CTX_get1_compressed_cert(SSL_CTX *ctx, int alg, unsigned char **data,
|
|
size_t *orig_len);
|
|
size_t SSL_get1_compressed_cert(SSL *ssl, int alg, unsigned char **data,
|
|
size_t *orig_len);
|
|
|
|
int SSL_CTX_set1_compressed_cert(SSL_CTX *ctx, int alg,
|
|
unsigned char *comp_data,
|
|
size_t comp_length, size_t orig_length);
|
|
int SSL_set1_compressed_cert(SSL *ssl, int alg, unsigned char *comp_data,
|
|
size_t comp_length, size_t orig_length);
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
These functions control the certificate compression feature. Certificate
|
|
compression is only available for TLSv1.3 as defined in RFC8879.
|
|
|
|
SSL_CTX_set1_cert_comp_preference() and SSL_set1_cert_comp_preference() are used
|
|
to specify the preferred compression algorithms. The B<algs> argument is an array
|
|
of algorithms, and B<length> is number of elements in the B<algs> array. Only
|
|
those algorithms enabled in the library will be accepted in B<algs>, unknown
|
|
algorithms in B<algs> are ignored. On an error, the preference order is left
|
|
unmodified.
|
|
|
|
The following compression algorithms (B<alg> arguments) may be used:
|
|
|
|
=over 4
|
|
|
|
=item * TLSEXT_comp_cert_brotli
|
|
|
|
=item * TLSEXT_comp_cert_zlib
|
|
|
|
=item * TLSEXT_comp_cert_zstd
|
|
|
|
=back
|
|
|
|
The above is also the default preference order. If a preference order is not
|
|
specified, then the default preference order is sent to the peer and the
|
|
received peer's preference order will be used when compressing a certificate.
|
|
Otherwise, the configured preference order is sent to the peer and is used
|
|
to filter the peer's preference order.
|
|
|
|
SSL_CTX_compress_certs() and SSL_compress_certs() are used to pre-compress all
|
|
the configured certificates on an SSL_CTX/SSL object with algorithm B<alg>. If
|
|
B<alg> is 0, then the certificates are compressed with the algorithms specified
|
|
in the preference list. Calling these functions on a client SSL_CTX/SSL object
|
|
will result in an error, as only server certificates may be pre-compressed.
|
|
|
|
SSL_CTX_get1_compressed_cert() and SSL_get1_compressed_cert() are used to get
|
|
the pre-compressed certificate most recently set that may be stored for later
|
|
use. Calling these functions on a client SSL_CTX/SSL object will result in an
|
|
error, as only server certificates may be pre-compressed. The B<data> and
|
|
B<orig_len> arguments are required.
|
|
|
|
The compressed certificate data may be passed to SSL_CTX_set1_compressed_cert()
|
|
or SSL_set1_compressed_cert() to provide a pre-compressed version of the
|
|
most recently set certificate. This pre-compressed certificate can only be used
|
|
by a server.
|
|
|
|
=head1 NOTES
|
|
|
|
Each side of the connection sends their compression algorithm preference list
|
|
to their peer indicating compressed certificate support. The received preference
|
|
list is filtered by the configured preference list (i.e. the intersection is
|
|
saved). As the default list includes all the enabled algorithms, not specifying
|
|
a preference will allow any enabled algorithm by the peer. The filtered peer's
|
|
preference order is used to determine what algorithm to use when sending a
|
|
compressed certificate.
|
|
|
|
Only server certificates may be pre-compressed. Calling any of these functions
|
|
(except SSL_CTX_set1_cert_comp_preference()/SSL_set1_cert_comp_preference())
|
|
on a client SSL_CTX/SSL object will return an error. Client certificates are
|
|
compressed on-demand as unique context data from the server is compressed along
|
|
with the certificate.
|
|
|
|
For SSL_CTX_set1_cert_comp_preference() and SSL_set1_cert_comp_preference()
|
|
the B<len> argument is the size of the B<algs> argument in bytes.
|
|
|
|
The compressed certificate returned by SSL_CTX_get1_compressed_cert() and
|
|
SSL_get1_compressed_cert() is the last certificate set on the SSL_CTX/SSL object.
|
|
The certificate is copied by the function and the caller must free B<*data> via
|
|
OPENSSL_free().
|
|
|
|
The compressed certificate data set by SSL_CTX_set1_compressed_cert() and
|
|
SSL_set1_compressed_cert() is copied into the SSL_CTX/SSL object.
|
|
|
|
SSL_CTX_compress_certs() and SSL_compress_certs() return an error under the
|
|
following conditions:
|
|
|
|
=over 4
|
|
|
|
=item * If no certificates have been configured.
|
|
|
|
=item * If the specified algorithm B<alg> is not enabled.
|
|
|
|
=item * If B<alg> is 0 and no compression algorithms are enabled.
|
|
|
|
=back
|
|
|
|
Sending compressed certificates may be disabled on a connection via the
|
|
SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option. Receiving compressed certificates
|
|
may be disabled on a connection via the SSL_OP_NO_RX_CERTIFICATE_COMPRESSION
|
|
option.
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
SSL_CTX_set1_cert_comp_preference(),
|
|
SSL_set1_cert_comp_preference(),
|
|
SSL_CTX_compress_certs(),
|
|
SSL_compress_certs(),
|
|
SSL_CTX_set1_compressed_cert(), and
|
|
SSL_set1_compressed_cert()
|
|
return 1 for success and 0 on error.
|
|
|
|
SSL_CTX_get1_compressed_cert() and
|
|
SSL_get1_compressed_cert()
|
|
return the length of the allocated memory on success and 0 on error.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<SSL_CTX_set_options(3)>,
|
|
L<SSL_CTX_use_certificate(3)>
|
|
|
|
=head1 HISTORY
|
|
|
|
These functions were added in OpenSSL 3.2.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|