author | Todd Short <tshort@akamai.com> | 2021-08-09 16:56:50 -0400 |
committer | Todd Short <todd.short@me.com> | 2022-10-18 09:30:22 -0400 |
commit | b67cb09f8ddf258cf326f3e7b20be095fb53457c (patch) | |
tree | b31a978e8c71e972e84fd03b4de92491deff032a /ssl/ssl_lib.c | |
parent | 59d21298df9176b64b41cc8583c7024f7f5895d4 (diff) |
Add support for compressed certificates (RFC8879)
* Compressed Certificate extension (server/client)
* Server certificates (send/receive)
* Client certificate (send/receive)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- | ssl/ssl_lib.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index fb43b9b369..186e60f34c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -615,6 +615,9 @@ int ossl_ssl_connection_reset(SSL *s)
 sc->first_packet = 0;
 sc->key_update = SSL_KEY_UPDATE_NONE;
+ memset(sc->ext.compress_certificate_from_peer, 0,
+ sizeof(sc->ext.compress_certificate_from_peer));
+ sc->ext.compress_certificate_sent = 0;
 EVP_MD_CTX_free(sc->pha_dgst);
 sc->pha_dgst = NULL;
@@ -890,6 +893,10 @@ SSL *ossl_ssl_connection_new(SSL_CTX *ctx)
 s->job = NULL;
+#ifndef OPENSSL_NO_COMP_ALG
+ memcpy(s->cert_comp_prefs, ctx->cert_comp_prefs, sizeof(s->cert_comp_prefs));
+#endif
+
 #ifndef OPENSSL_NO_CT
 if (!SSL_set_ct_validation_callback(ssl, ctx->ct_validation_callback, ctx->ct_validation_callback_arg))
@@ -3658,6 +3665,9 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 const SSL_METHOD *meth)
 {
 SSL_CTX *ret = NULL;
+#ifndef OPENSSL_NO_COMP_ALG
+ int i;
+#endif
 if (meth == NULL) {
 ERR_raise(ERR_LIB_SSL, SSL_R_NULL_SSL_METHOD_PASSED);
@@ -3832,6 +3842,21 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
 }
 # endif
 #endif
+
+#ifndef OPENSSL_NO_COMP_ALG
+ /*
+ * Set the default order: brotli, zlib, zstd
+ * Including only those enabled algorithms
+ */
+ memset(ret->cert_comp_prefs, 0, sizeof(ret->cert_comp_prefs));
+ i = 0;
+ if (ossl_comp_has_alg(TLSEXT_comp_cert_brotli))
+ ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_brotli;
+ if (ossl_comp_has_alg(TLSEXT_comp_cert_zlib))
+ ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zlib;
+ if (ossl_comp_has_alg(TLSEXT_comp_cert_zstd))
+ ret->cert_comp_prefs[i++] = TLSEXT_comp_cert_zstd;
+#endif
 /*
 * Disable compression by default to prevent CRIME. Applications can
 * re-enable compression by configuring |
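Review bot: The default-preference fill at the end of SSL_CTX_new_ex leaves two invariants unstated: `ret->cert_comp_prefs` must have room for all three `i++` stores, and the zero written by the preceding memset is what a reader of the array must treat as end-of-list. I would add `/* Trailing slots stay 0, which is not a valid certificate-compression id and marks the end of the list */` above the memset and an assertion that `OSSL_NELEM(ret->cert_comp_prefs)` is at least 3, so a later shrink of the array cannot turn these stores into an overflow. The `int i;` added at the top of the function in the earlier hunk exists only for this block; a block-scoped `{ int i = 0; ... }` next to the fill would keep both `#ifndef OPENSSL_NO_COMP_ALG` regions together. In the ossl_ssl_connection_reset hunk the compress_certificate_from_peer/compress_certificate_sent reset is not under `#ifndef OPENSSL_NO_COMP_ALG`, unlike the other three hunks, which is only correct if those `ext` fields exist unconditionally in the struct — worth confirming. SSL_CTX_new_ex begins and ends outside the hunk.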