Searched refs:to (Results 1 – 25 of 1200) sorted by relevance

/openssl/doc/designs/ddd/
REPORT.md
5 requirement to develop a QUIC API that required only minimal changes to existing
6 applications to be able to adapt their code to use QUIC. The demo-driven design
14 able to support QUIC. This analysis concluded that the changes needed to
80 - A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2)
84 timeouts related to QUIC (`get_conn_pump_timeout`) and to pump
108 - The strategy for how to determine when to poll for `POLLIN`, when to
151 - A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2)
206 - A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2)
230 - The strategy for how to determine when to poll for `POLLIN`, when to
250 - A change to how the `POLLIN`/`POLLOUT`/`POLLERR` flags to pass to poll(2)
/openssl/doc/designs/quic-design/
quic-requirements.md
22 a pluggable record layer interface to be implemented to enable this to be less
43 be able to use OpenSSL to build an HTTP/3 client on top of OpenSSL for the
47 it should be possible for external libraries to be able to use the pluggable
91 treated separately by our APIs. In the context of QUIC, APIs to be able to
101 to work in a QUIC environment while expanding our APIs to enable future
126 interactions. We want to be able to enable them to transfer to using single
130 interactions. We want to be able to enable them to transfer to using single
131 stream QUIC easily. More likely to want to do multi-stream.
150 applications should be able to pick whatever protocol they want to use
168 received via QUIC to only be copied from one buffer to another once. The
quic-io-arch.md
37 - We want to support custom BIOs on the network side and to the extent
49 to make substantial changes to the implementation of those custom BIOs to model
61 underlying BIO provided to the QUIC implementation to provide it access to the
183 way to force these calls to return once `SSL_free` is called and we need to
196 appear to be any viable solution to the teardown issue.
212 our internal approach to I/O to be flexibly adapted in the future as
271 BIO pair to a `BIO_s_dgram_pair`. Custom BIOs will need to be
314 reworked to support concurrent calls to it.
379 primitive, but its state only changes in response to calls made to it (or to
522 equivalent to a call to `SSL_set_blocking_mode()`.
dgram-api.md
4 We need to evolve the API surface of BIO which is relevant to BIO_dgram (and the
5 eventual BIO_dgram_mem) to support APIs which allow multiple datagrams to be
134 - `data` points to the buffer of data to be sent or to be filled with received
155 attempts to use it fail.
241 If the first message passed to a call to `BIO_writem` has 64 iovecs
261 - We also need to decide what to do for OSes which don't support at least
307 One option would be to allow the user to set a callback on BIO_dgram it can use
328 extra call to allow a buffer to be pushed back into the BIO_dgram's internal
424 whereas with (b) the buffer passed to `BIO_read` gets passed through to the
480 BIO_dgram will call the allocation function to get buffers for `recvmmsg` to
quic-fault-injector.md
19 in libssl does not offer the capability to send faults since it is designed to
26 point does not require any changes to libssl to work.
91 algorithm prior to it being sent. Fault Injector based tests may need to inject
119 been applied to it. The header for the packet will be pointed to by `hdrin` and
151 requires a modification to be made, that will occur prior to the datagram being
174 structure. Additional helper functions will be provided to make changes to the
181 we need to do this during MVP in order to be able to observe protocol elements
265 * wants to resize the packet (either to add new data to it, or to truncate it).
295 * to resize the handshake message (either to add new data to it, or to truncate
500 * connected to.
glossary.md
11 application to be signalled as an error code value by QUIC. See QUIC RFCs
53 dispatches calls to libssl public APIs to the APL.
101 due to different path MTUs.
105 packet, but we may need to add PADDING frames to the final packet added to a
157 **QRL:** QUIC record layer. Refers collectively to the QRX and QTX.
166 IDs to those objects. Allows iteration of active streams.
196 associated with it and belongs to a `QUIC_ENGINE`.
201 `QUIC_XSO` is to a `QUIC_STREAM`.
203 **RCID:** Remote CID. Refers to a CID which has been provided to us by a peer
224 to reach the local machine, assuming the peer responds immediately.
debugging.md
36 - Pro: No need to obtain a keylog
40 - Con: Need to obtain a keylog
50 are to be written;
91 commonly used for QUIC, you may need to tell Wireshark to try and decode a flow
97 (though it is able to decrypt Initial packets).
99 In order to provide this information you need to provide Wireshark with a keylog
102 such a file is to enable a TLS or QUIC session to be decrypted for development
110 to enable this functionality directly.
112 If you are using OpenSSL QUIC to talk to another QUIC implementation, you also
117 There are two ways to do this:
quic-thread-assist.md
4 In thread assisted mode, we create a background thread to ensure that periodic
9 access to this is extremely difficult.
13 the handshake layer. Since we forward a very large number of APIs to the
15 the locking to every single public HL-related API call.
35 calls, would be required to take the lock. As a special exemption, an
36 application is not required to take the lock prior to connection
50 - **2. Handshake layer always belongs to the application thread.**
53 and the assist thread is never allowed to touch it:
65 which doesn't need to be acknowledged and isn't “urgent”. The other
93 Con: Many applications probably expect to be able to query the HL after
/openssl/test/ssl-tests/
18-dtls-renegotiate.cnf
10 test-5 = 5-renegotiate-aead-to-non-aead
11 test-6 = 6-renegotiate-non-aead-to-aead
12 test-7 = 7-renegotiate-non-aead-to-non-aead
13 test-8 = 8-renegotiate-aead-to-aead
165 [5-renegotiate-aead-to-non-aead]
168 [5-renegotiate-aead-to-non-aead-ssl]
198 [6-renegotiate-non-aead-to-aead]
264 [8-renegotiate-aead-to-aead]
267 [8-renegotiate-aead-to-aead-ssl]
271 [8-renegotiate-aead-to-aead-server]
/openssl/doc/man7/
ossl-guide-tls-client-non-block.pod
28 until data is available to read if you attempt to read from it when there is no
31 not have to worry about what to do in these cases. The execution of the code
37 With a nonblocking socket attempting to read or write to a socket that is
51 exact details on how to do this can differ from one platform to another.
67 we want to read or write to the socket, but we are currently unable to. In fact
70 application has to do, it must also be prepared to come back and retry the
79 socket is currently unable to write, then you cannot then attempt to write
152 if the application is only trying to read data. Similarly calls to
234 printf("Failed to connect to server\n");
307 * we're going to print it to stdout anyway.
ossl-guide-quic-client-non-block.pod
30 it waits (blocks) until data is available to read if you attempt to read from
33 development of code because you do not have to worry about what to do in these
52 we want to read or write to the B<SSL> object but we are currently unable to.
55 the application has to do, it must also be prepared to come back and retry the
64 B<SSL> object is currently unable to write, then you cannot then attempt to
114 * a GUI every 100ms. One way to do that would be to use the timeout in
150 An alternative to using L<SSL_get_event_timeout(3)> to find the next deadline
168 to be prepared to handle errors returned from OpenSSL I/O functions such as
182 from the stream but was unable to. Note that a call to L<SSL_read_ex(3)> or
322 printf("Failed to connect to server\n");
ossl-guide-tls-client-block.pod
22 attempting to read data from a socket that has no data available on it to read
25 waiting for the server's response. Similarly any attempts to write to a socket
69 pass the B<SSL_VERIFY_PEER> value to it. The final argument to this function
72 can safely be set to NULL to get the default handling.
92 We would also like to restrict the TLS versions that we are willing to accept to
217 to allow specific connections to an ipv4 or ipv6 enabled host.
275 * to connect to in case the server supports multiple hosts.
285 Secondly, we need to tell OpenSSL what hostname we expect to see in the
314 printf("Failed to connect to the server\n");
328 indicates that we have failed to connect to the server.
openssl-quic.pod
15 are needed to existing applications making use of the libssl APIs to make use of
222 likewise, to determine if the QUIC implementation currently wishes to be
345 not need to use L<SSL_set1_initial_peer_addr(3)> to set the initial peer
351 construct a BIO which is passed to the SSL object to provide it with network
368 Your application uses a BIO pair to cause the SSL object to read and write
402 it must add a call to L<SSL_set_blocking_mode(3)> to disable blocking mode.
435 QUIC stream to receive or provide application data, not to to determine if
606 to the SSL object.
641 The following BIO APIs are not specific to QUIC but have been added to
673 L<BIO_s_dgram_pair(3)> to indicate its capabilities to the other end of a
ossl-guide-quic-introduction.pod
6 - OpenSSL Guide: An introduction to QUIC in OpenSSL
44 to use HTTP/3 using a suitable third-party library.
49 allowing a connection to be initiated to a server and application data to be
69 update to be deployed. Future evolutions and enhancements to the QUIC protocol
98 arrange to call these functions.
104 logic to accomplish it.
110 QUIC protocol messages in order to send them to the peer. Once the TLS handshake
116 OpenSSL that apply to TLS connections also apply to QUIC connections and
118 to QUIC at all, and others have altered semantics. You should refer to the
121 to both TLS and QUIC.
provider-encoder.pod
27 /* Functions to check selection support */
30 /* Functions to encode object data */
38 /* Functions to import and free a temporary object to be encoded */
47 not limited to serialization.>
56 pointer than being able to pass it to the appropriate BIO upcalls (see
60 passed from one to the next. For example, there may be an
61 implementation to encode an object to DER (that object is assumed to
187 treat separately or together. It's possible to specify what subsets are to
230 object to be passed to OSSL_FUNC_encoder_encode()'s I<obj_raw>.
234 passed as I<obj_raw> to OSSL_FUNC_encoder_encode().
/openssl/
NOTES-ANDROID.md
7 Beside basic tools like perl and make, you'll need to download the Android
9 version was actually tested. There is no reason to believe that macOS
12 role, the goal is to support a range of most recent versions.
18 to find out the configuration target for you. You have to name your
25 you still need to know the prefix to extend your PATH, in order to
38 to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570
55 variable set to `$ANDROID_NDK_ROOT/platforms/android-<api>/arch-<arch>` to
63 keep in mind that if you miss it, Configure will try to use gcc...
70 location to `ANDROID_NDK_ROOT`. In such case, you have to pass matching
84 work. Once built, you should be able to
README-ENGINES.md
42 With respect to EVP, this relates to support for ciphers and digests in
51 form of "control commands". These allow an application to expose to the
95 the OpenSSL "README" file. As for which list to send it to:
113 may need to be applied to an ENGINE for it to function as expected/hoped.
118 also) to provide any such input directly to the ENGINE implementation.
119 This way, applications do not need to know anything specific to any
120 device, they only need to provide the means to carry such user/admin
146 their own shared-libraries to support arbitrary hardware to work with
248 would have to use "dynamic" to load any such ENGINE - but on the other
308 the "-t" switch to the utility if you want it to try and initialise
NOTES-UNIX.md
7 OpenSSL uses the compiler to link programs and shared libraries
10 OpenSSL's generated Makefile uses the C compiler command line to
12 objects. Because of this, any linking option that's given to the
16 to read your compiler documentation to figure out what is acceptable,
17 and `ld(1)` to figure out what linker options are available.
30 you. It's therefore advisable to set it explicitly when configuring,
32 to be in the default list.
78 depend on the system. For example, according to documentation,
83 How to choose which runtime search path tag is to be set depends on
86 Debian GNU/Linux systems rather than DT_RPATH is to tell the linker to
/openssl/doc/man3/
SSL_handle_events.pod
18 timeout events which have become due, or may attempt, to the extent currently
19 possible, to perform network I/O operations on one of the BIOs underlying the
23 OpenSSL in nonblocking mode to give OpenSSL an opportunity to handle timer
24 events, or to respond to the availability of new data to be read from an
25 underlying BIO, or to respond to the opportunity to write pending data to an
35 events to be handled properly. This is equivalent to a call to
41 calls to L<SSL_get_event_timeout(3)>; event handling is not performed
42 automatically by calls to other SSL functions such as L<SSL_read(3)> or
49 timeout events to be handled properly, as well as incoming network data to be
51 has the capacity to accept it.
SSL_read_early_data.pod
60 ClientHello without having to wait for the server to complete the handshake.
64 to send data from the server to the client when the client has not yet completed
96 differences. See L<SSL_write_ex(3)> for information on how to write bytes to
104 or other similar functions. It may be called multiple times to stream data to
108 calls to L<SSL_read_ex(3)> and L<SSL_read(3)> with calls to
120 A server may choose to ignore early data that has been sent to it. Once the
163 server may choose to write data immediately to the unauthenticated client using
167 to SSL_write_early_data() are not allowed. Call L<SSL_is_init_finished(3)> to
170 calls to SSL_read_early_data() as required.
251 The whole purpose of early data is to enable a client to start sending data to
SSL_set_default_stream_mode.pod
23 stream is a QUIC stream to which calls to L<SSL_read(3)> and L<SSL_write(3)>
25 allows legacy applications to use QUIC similarly to a traditional TLS
34 first. As such, if L<SSL_read(3)> is called first (before any call to
42 stream is desired, or if the application wishes to disable default stream
65 This is the default setting. If L<SSL_write(3)> is called prior to any call to
67 the default stream. If L<SSL_read(3)> is called prior to any call to
73 determine the type of a stream after a call to L<SSL_read(3)>, use
78 In this mode, if L<SSL_write(3)> is called prior to any call to L<SSL_read(3)>,
80 stream. The behaviour is otherwise identical to that of
82 called prior to any call to L<SSL_write(3)> is unchanged.
BIO_s_dgram_pair.pod
37 A typical application of a BIO datagram pair is to allow an application to keep
43 The BIO datagram pair allows each half of a pair to signal to the other half
73 this function to ensure it provides an adequate buffer to a subsequent read
77 zero-length buffer to BIO_write is treated as a no-op.
80 connected to a peer BIO.
84 enough space in the write buffer to accept another datagram equal in size to the
87 intending to write it to a BIO datagram pair, but where the received datagram
88 ends up being too large to write to the BIO datagram pair.
103 MTU is set to an unspecified but valid value.
150 with datagrams written to the BIO pair.
SSL_CTX_set_session_ticket_cb.pod
33 be set to NULL. The value of B<arg> is passed to the callbacks.
37 at this time to add application data to the session ticket. The value of B<arg>
55 the application that a session ticket is about to be generated.
61 to B<data> and 0 will be assigned to B<len> if there is no session ticket
73 The B<keyname> and B<keyname_len> arguments to B<dec_cb> may be used to identify
74 the key that was used to encrypt the session ticket.
84 valid for a client to send an empty ticket.
89 should be sent to the client.
94 be available. A new ticket should not be sent to the client.
138 callback to return this value if B<status> has a value other than
/openssl/test/recipes/
tconversion.pl
72 foreach my $to (@conversionforms) {
76 "-out", "$prefix-f.$to",
77 "-outform", $to])),
78 "p -> $to");
81 foreach my $to (@conversionforms) {
86 "-out", "$prefix-ff.$from$to",
87 "-outform", $to])),
88 "$from -> $to");
98 next if $to eq "d" or $to eq "pvk";
100 is(cmp_text("$prefix-f.$to", "$prefix-ff.$from$to"), 0,
/openssl/doc/designs/
xof.md
10 At a minimum an XOF needs to support the following pseudo-code
38 A decision has to be made as to whether a new API is required, as well as
88 needs to run for the multi squeeze case.
124 The proposed API name to use is EVP_DigestSqueeze.
144 Absorb can be done by multiple calls to:
152 Do we want to have an Alias function?
196 way of knowing where to start from if another call to SHA_squeeze() was
202 Modify the SHA3_squeeze code to accept a input/output parameter to track the
253 An alternative approach to solution 2 is to modify the SHA3_squeeze() slightly
259 - C code is fairly simple to implement.