1=pod 2 3=head1 NAME 4 5openssl-quic - OpenSSL QUIC 6 7=head1 DESCRIPTION 8 9OpenSSL 3.2 and later features support for the QUIC transport protocol. 10Currently, only client connectivity is supported. This man page describes the 11usage of QUIC client functionality for both existing and new applications. 12 13QUIC functionality uses the standard SSL API. A QUIC connection is represented 14by an SSL object in the same way that a TLS connection is. Only minimal changes 15are needed to existing applications making use of the libssl APIs to make use of 16QUIC client functionality. To make use of QUIC, use the SSL method 17L<OSSL_QUIC_client_method(3)> or L<OSSL_QUIC_client_thread_method(3)> with 18L<SSL_CTX_new(3)>. 19 20When a QUIC connection is created, by default, it operates in default stream 21mode, which is intended to provide compatibility with existing non-QUIC 22application usage patterns. In this mode, the connection has a single 23stream associated with it. Calls to L<SSL_read(3)> and 24L<SSL_write(3)> on the QUIC connection SSL object read and write from that 25stream. Whether the stream is client-initiated or server-initiated from a QUIC 26perspective depends on whether L<SSL_read(3)> or L<SSL_write(3)> is called 27first. See the MODES OF OPERATION section for more information. 28 29The default stream mode is intended for compatibility with existing 30applications. New applications using QUIC are recommended to disable default 31stream mode and use the multi-stream API; see the MODES OF OPERATION section and 32the RECOMMENDATIONS FOR NEW APPLICATIONS section for more information. 33 34The remainder of this man page discusses, in order: 35 36=over 4 37 38=item 39 40Default stream mode versus multi-stream mode; 41 42=item 43 44The changes to existing libssl APIs which are driven by QUIC-related implementation 45requirements, which existing applications should bear in mind; 46 47=item 48 49Aspects which must be considered by existing applications when adopting QUIC, 50including potential changes which may be needed. 51 52=item 53 54Recommended usage approaches for new applications. 55 56=item 57 58New, QUIC-specific APIs. 59 60=back 61 62=head1 MODES OF OPERATION 63 64=head2 Default Stream Mode 65 66A QUIC client connection can be used in either default stream mode or 67multi-stream mode. By default, a newly created QUIC connection SSL object uses 68default stream mode. 69 70In default stream mode, a stream is implicitly created and bound to the QUIC 71connection SSL object; L<SSL_read(3)> and L<SSL_write(3)> calls to the QUIC 72connection SSL object work by default and are mapped to that stream. 73 74When default stream mode is used, any API function which can be called on a QUIC 75stream SSL object can also be called on a QUIC connection SSL object, in which 76case it affects the default stream bound to the connection. 77 78The identity of a QUIC stream, including its stream ID, varies depending on 79whether a stream is client-initiated or server-initiated. In default stream 80mode, if a client application calls L<SSL_read(3)> first before any call to 81L<SSL_write(3)> on the connection, it is assumed that the application protocol 82is using a server-initiated stream, and the L<SSL_read(3)> call will not 83complete (either blocking, or failing appropriately if nonblocking mode is 84configured) until the server initiates a stream. Conversely, if the client 85application calls L<SSL_write(3)> before any call to L<SSL_read(3)> on the 86connection, it is assumed that a client-initiated stream is to be used 87and such a stream is created automatically. 88 89Default stream mode is intended to aid compatibility with legacy applications. 90New applications adopting QUIC should use multi-stream mode, described below, 91and avoid use of the default stream functionality. 92 93It is possible to use additional streams in default stream mode using 94L<SSL_new_stream(3)> and L<SSL_accept_stream(3)>; note that the default incoming 95stream policy will need to be changed using L<SSL_set_incoming_stream_policy(3)> 96in order to use L<SSL_accept_stream(3)> in this case. However, applications 97using additional streams are strongly recommended to use multi-stream mode 98instead. 99 100Calling L<SSL_new_stream(3)> or L<SSL_accept_stream(3)> before a default stream 101has been associated with the QUIC connection SSL object will inhibit future 102creation of a default stream. 103 104=head2 Multi-Stream Mode 105 106The recommended usage mode for new applications adopting QUIC is multi-stream 107mode, in which no default stream is attached to the QUIC connection SSL object 108and attempts to call L<SSL_read(3)> and L<SSL_write(3)> on the QUIC connection 109SSL object fail. Instead, an application calls L<SSL_new_stream(3)> or 110L<SSL_accept_stream(3)> to create individual stream SSL objects for sending and 111receiving application data using L<SSL_read(3)> and L<SSL_write(3)>. 112 113To use multi-stream mode, call L<SSL_set_default_stream_mode(3)> with an 114argument of B<SSL_DEFAULT_STREAM_MODE_NONE>; this function must be called prior 115to initiating the connection. The default stream mode cannot be changed after 116initiating a connection. 117 118When multi-stream mode is used, meaning that no default stream is associated 119with the connection, calls to API functions which are defined as operating on a 120QUIC stream fail if called on the QUIC connection SSL object. For example, calls 121such as L<SSL_write(3)> or L<SSL_get_stream_id(3)> will fail. 122 123=head1 CHANGES TO EXISTING APIS 124 125Most SSL APIs, such as L<SSL_read(3)> and L<SSL_write(3)>, function as they do 126for TLS connections and do not have changed semantics, with some exceptions. The 127changes to the semantics of existing APIs are as follows: 128 129=over 4 130 131=item 132 133Since QUIC uses UDP, L<SSL_set_bio(3)>, L<SSL_set0_rbio(3)> and 134L<SSL_set0_wbio(3)> function as before, but must now receive a BIO with datagram 135semantics. There are broadly four options for applications to use as a network 136BIO: 137 138=over 4 139 140=item 141 142L<BIO_s_datagram(3)>, recommended for most applications, replaces 143L<BIO_s_socket(3)> and provides a UDP socket. 144 145=item 146 147L<BIO_s_dgram_pair(3)> provides BIO pair-like functionality but with datagram 148semantics, and is recommended for existing applications which use a BIO pair or 149memory BIO to manage libssl's communication with the network. 150 151=item 152 153L<BIO_s_dgram_mem(3)> provides a simple memory BIO-like interface but with 154datagram semantics. Unlike L<BIO_s_dgram_pair(3)>, it is unidirectional. 155 156=item 157 158An application may also choose to implement a custom BIO. The new 159L<BIO_sendmmsg(3)> and L<BIO_recvmmsg(3)> APIs must be supported. 160 161=back 162 163=item 164 165L<SSL_set_fd(3)>, L<SSL_set_rfd(3)> and L<SSL_set_wfd(3)> traditionally 166instantiate a L<BIO_s_socket(3)>. For QUIC, these functions instead instantiate 167a L<BIO_s_datagram(3)>. This is equivalent to instantiating a 168L<BIO_s_datagram(3)> and using L<SSL_set0_rbio(3)> and L<SSL_set0_wbio(3)>. 169 170=item 171 172Traditionally, whether the application-level I/O APIs (such as L<SSL_read(3)> 173and L<SSL_write(3)> operated in a blocking fashion was directly correlated with 174whether the underlying network socket was configured in a blocking fashion. This 175is no longer the case; applications must explicitly configure the desired 176application-level blocking mode using L<SSL_set_blocking_mode(3)>. See 177L<SSL_set_blocking_mode(3)> for details. 178 179=item 180 181Network-level I/O must always be performed in a nonblocking manner. The 182application can still enjoy blocking semantics for calls to application-level 183I/O functions such as L<SSL_read(3)> and L<SSL_write(3)>, but the underlying 184network BIO provided to QUIC (such as a L<BIO_s_datagram(3)>) must be configured 185in nonblocking mode. For application-level blocking functionality, see 186L<SSL_set_blocking_mode(3)>. 187 188=item 189 190L<BIO_new_ssl_connect(3)> has been changed to automatically use a 191L<BIO_s_datagram(3)> when used with QUIC, therefore applications which use this 192do not need to change the BIO they use. 193 194=item 195 196L<BIO_new_buffer_ssl_connect(3)> cannot be used with QUIC and applications must 197change to use L<BIO_new_ssl_connect(3)> instead. 198 199=item 200 201L<SSL_shutdown(3)> has significant changes in relation to how QUIC connections 202must be shut down. In particular, applications should be advised that the full 203RFC-conformant QUIC shutdown process may take an extended amount of time. This 204may not be suitable for short-lived processes which should exit immediately 205after their usage of a QUIC connection is completed. A rapid shutdown mode 206is available for such applications. For details, see L<SSL_shutdown(3)>. 207 208=item 209 210L<SSL_want(3)>, L<SSL_want_read(3)> and L<SSL_want_write(3)> no longer reflect 211the I/O state of the network BIO passed to the QUIC SSL object, but instead 212reflect the flow control state of the QUIC stream associated with the SSL 213object. 214 215When used in nonblocking mode, B<SSL_ERROR_WANT_READ> indicates that the 216receive part of a QUIC stream does not currently have any more data available to 217be read, and B<SSL_ERROR_WANT_WRITE> indicates that the stream's internal buffer 218is full. 219 220To determine if the QUIC implementation currently wishes to be informed of 221incoming network datagrams, use the new function L<SSL_net_read_desired(3)>; 222likewise, to determine if the QUIC implementation currently wishes to be 223informed when it is possible to transmit network datagrams, use the new function 224L<SSL_net_write_desired(3)>. Only applications which wish to manage their own event 225loops need to use these functions; see B<APPLICATION-DRIVEN EVENT LOOPS> for 226further discussion. 227 228=item 229 230The use of ALPN is mandatory when using QUIC. Attempts to connect without 231configuring ALPN will fail. For information on how to configure ALPN, see 232L<SSL_set_alpn_protos(3)>. 233 234=item 235 236Whether QUIC operates in a client or server mode is determined by the 237B<SSL_METHOD> used, rather than by calls to L<SSL_set_connect_state(3)> or 238L<SSL_set_accept_state(3)>. It is not necessary to call either of 239L<SSL_set_connect_state(3)> or L<SSL_set_accept_state(3)> before connecting, but 240if either of these are called, the function called must be congruent with the 241B<SSL_METHOD> being used. Currently, only client mode is supported. 242 243=item 244 245The L<SSL_set_min_proto_version(3)> and L<SSL_set_max_proto_version(3)> APIs are 246not used and the values passed to them are ignored, as OpenSSL QUIC currently 247always uses TLS 1.3. 248 249=item 250 251The following libssl functionality is not available when used with QUIC. 252 253=over 4 254 255=item 256 257Async functionality 258 259=item 260 261B<SSL_MODE_AUTO_RETRY> 262 263=item 264 265Record Padding and Fragmentation (L<SSL_set_block_padding(3)>, etc.) 266 267=item 268 269L<SSL_stateless(3)> support 270 271=item 272 273SRTP functionality 274 275=item 276 277TLSv1.3 Early Data 278 279=item 280 281TLS Next Protocol Negotiation cannot be used and is superseded by ALPN, which 282must be used instead. The use of ALPN is mandatory with QUIC. 283 284=item 285 286Post-Handshake Client Authentication is not available as QUIC prohibits its use. 287 288=item 289 290QUIC requires the use of TLSv1.3 or later, therefore functionality only relevant 291to older TLS versions is not available. 292 293=item 294 295Some cipher suites which are generally available for TLSv1.3 are not available 296for QUIC, such as B<TLS_AES_128_CCM_8_SHA256>. Your application may need to 297adjust the list of acceptable cipher suites it passes to libssl. 298 299=item 300 301CCM mode is not currently supported. 302 303=back 304 305The following libssl functionality is also not available when used with QUIC, 306but calls to the relevant functions are treated as no-ops: 307 308=over 4 309 310=item 311 312Readahead (L<SSL_set_read_ahead(3)>, etc.) 313 314=back 315 316=back 317 318=head1 CONSIDERATIONS FOR EXISTING APPLICATIONS 319 320Existing applications seeking to adopt QUIC should apply the following list to 321determine what changes they will need to make: 322 323=over 4 324 325=item 326 327An application wishing to use QUIC must use L<OSSL_QUIC_client_method(3)> or 328L<OSSL_QUIC_client_thread_method(3)> as its SSL method. For more information 329on the differences between these two methods, see B<THREAD ASSISTED MODE>. 330 331=item 332 333Determine how to provide QUIC with network access. Determine which of the below 334apply for your application: 335 336=over 4 337 338=item 339 340Your application uses L<BIO_s_socket(3)> to construct a BIO which is passed to 341the SSL object to provide it with network access. 342 343Changes needed: Change your application to use L<BIO_s_datagram(3)> instead when 344using QUIC. The socket must be configured in nonblocking mode. You may or may 345not need to use L<SSL_set1_initial_peer_addr(3)> to set the initial peer 346address; see the B<QUIC-SPECIFIC APIS> section for details. 347 348=item 349 350Your application uses L<BIO_new_ssl_connect(3)> to 351construct a BIO which is passed to the SSL object to provide it with network 352access. 353 354Changes needed: No changes needed. Use of QUIC is detected automatically and a 355datagram socket is created instead of a normal TCP socket. 356 357=item 358 359Your application uses any other I/O strategy in this list but combines it with a 360L<BIO_f_buffer(3)>, for example using L<BIO_push(3)>. 361 362Changes needed: Disable the usage of L<BIO_f_buffer(3)> when using QUIC. Usage 363of such a buffer is incompatible with QUIC as QUIC requires datagram semantics 364in its interaction with the network. 365 366=item 367 368Your application uses a BIO pair to cause the SSL object to read and write 369network traffic to a memory buffer. Your application manages the transmission 370and reception of buffered data itself in a way unknown to libssl. 371 372Changes needed: Switch from using a conventional BIO pair to using 373L<BIO_s_dgram_pair(3)> instead, which has the necessary datagram semantics. You 374will need to modify your application to transmit and receive using a UDP socket 375and to use datagram semantics when interacting with the L<BIO_s_dgram_pair(3)> 376instance. 377 378=item 379 380Your application uses a custom BIO method to provide the SSL object with network 381access. 382 383Changes needed: The custom BIO must be re-architected to have datagram 384semantics. L<BIO_sendmmsg(3)> and L<BIO_recvmmsg(3)> must be implemented. These 385calls must operate in a nonblocking fashion. Optionally, implement the 386L<BIO_get_rpoll_descriptor(3)> and L<BIO_get_wpoll_descriptor(3)> methods if 387desired. Implementing these methods is required if blocking semantics at the SSL 388API level are desired. 389 390=back 391 392=item 393 394An application must explicitly configure whether it wishes to use the SSL APIs 395in blocking mode or not. Traditionally, an SSL object has automatically operated 396in blocking or nonblocking mode based on whether the underlying network BIO 397operates in blocking or nonblocking mode. QUIC requires the use of a 398nonblocking network BIO, therefore the blocking mode at the application level 399must be explicitly configured by the application using the new 400L<SSL_set_blocking_mode(3)> API. The default mode is blocking. If an application 401wishes to use the SSL object APIs at application level in a nonblocking manner, 402it must add a call to L<SSL_set_blocking_mode(3)> to disable blocking mode. 403 404=item 405 406If your application does not choose to use thread assisted mode, it must ensure 407that it calls an I/O function on the SSL object (for example, L<SSL_read(3)> or 408L<SSL_write(3)>), or the new function L<SSL_handle_events(3)>, regularly. If the 409SSL object is used in blocking mode, an ongoing blocking call to an I/O function 410satisfies this requirement. This is required to ensure that timer events 411required by QUIC are handled in a timely fashion. 412 413Most applications will service the SSL object by calling L<SSL_read(3)> or 414L<SSL_write(3)> regularly. If an application does not do this, it should ensure 415that L<SSL_handle_events(3)> is called regularly. 416 417L<SSL_get_event_timeout(3)> can be used to determine when 418L<SSL_handle_events(3)> must next be called. 419 420If the SSL object is being used with an underlying network BIO which is pollable 421(such as L<BIO_s_datagram(3)>), the application can use 422L<SSL_get_rpoll_descriptor(3)>, L<SSL_get_wpoll_descriptor(3)> to obtain 423resources which can be used to determine when L<SSL_handle_events(3)> should be 424called due to network I/O. 425 426Applications which use thread assisted mode do not need to be concerned 427with this requirement, as the QUIC implementation ensures timeout events 428are handled in a timely manner. See B<THREAD ASSISTED MODE> for details. 429 430=item 431 432Ensure that your usage of L<SSL_want(3)>, L<SSL_want_read(3)> and 433L<SSL_want_write(3)> reflects the API changes described in B<CHANGES TO EXISTING 434APIS>. In particular, you should use these APIs to determine the ability of a 435QUIC stream to receive or provide application data, not to to determine if 436network I/O is required. 437 438=item 439 440Evaluate your application's use of L<SSL_shutdown(3)> in light of the changes 441discussed in B<CHANGES TO EXISTING APIS>. Depending on whether your application 442wishes to prioritise RFC conformance or rapid shutdown, consider using the new 443L<SSL_shutdown_ex(3)> API instead. See B<QUIC-SPECIFIC APIS> for details. 444 445=back 446 447=head1 RECOMMENDED USAGE IN NEW APPLICATIONS 448 449The recommended usage in new applications varies depending on three independent 450design decisions: 451 452=over 4 453 454=item 455 456Whether the application will use blocking or nonblocking I/O at the application 457level (configured using L<SSL_set_blocking_mode(3)>). 458 459If the application does nonblocking I/O at the application level it can choose 460to manage its own polling and event loop; see B<APPLICATION-DRIVEN EVENT LOOPS>. 461 462=item 463 464Whether the application intends to give the QUIC implementation direct access to 465a network socket (e.g. via L<BIO_s_datagram(3)>) or whether it intends to buffer 466transmitted and received datagrams via a L<BIO_s_dgram_pair(3)> or custom BIO. 467 468The former is preferred where possible as it reduces latency to the network, 469which enables QUIC to achieve higher performance and more accurate connection 470round trip time (RTT) estimation. 471 472=item 473 474Whether thread assisted mode will be used (see B<THREAD ASSISTED MODE>). 475 476=back 477 478Simple demos for QUIC usage under these various scenarios can be found at 479L<https://github.com/openssl/openssl/tree/master/doc/designs/ddd>. 480 481Applications which wish to implement QUIC-specific protocols should be aware of 482the APIs listed under B<QUIC-SPECIFIC APIS> which provide access to 483QUIC-specific functionality. For example, L<SSL_stream_conclude(3)> can be used 484to indicate the end of the sending part of a stream, and L<SSL_shutdown_ex(3)> 485can be used to provide a QUIC application error code when closing a connection. 486 487Regardless of the design decisions chosen above, it is recommended that new 488applications avoid use of the default stream mode and use the multi-stream API 489by calling L<SSL_set_default_stream_mode(3)>; see the MODES OF OPERATION section 490for details. 491 492=head1 QUIC-SPECIFIC APIS 493 494This section details new APIs which are directly or indirectly related to QUIC. 495For details on the operation of each API, see the referenced man pages. 496 497The following SSL APIs are new but relevant to both QUIC and DTLS: 498 499=over 4 500 501=item L<SSL_get_event_timeout(3)> 502 503Determines when the QUIC implementation should next be woken up via a call to 504L<SSL_handle_events(3)> (or another I/O function such as L<SSL_read(3)> or 505L<SSL_write(3)>), if ever. 506 507This can also be used with DTLS and supersedes L<DTLSv1_get_timeout(3)> for new 508usage. 509 510=item L<SSL_handle_events(3)> 511 512This is a non-specific I/O operation which makes a best effort attempt to 513perform any pending I/O or timeout processing. It can be used to advance the 514QUIC state machine by processing incoming network traffic, generating outgoing 515network traffic and handling any expired timeout events. Most other I/O 516functions on an SSL object, such as L<SSL_read(3)> and L<SSL_write(3)> 517implicitly perform event handling on the SSL object, so calling this function is 518only needed if no other I/O function is to be called. 519 520This can also be used with DTLS and supersedes L<DTLSv1_handle_timeout(3)> for 521new usage. 522 523=back 524 525The following SSL APIs are specific to QUIC: 526 527=over 4 528 529=item L<SSL_set_blocking_mode(3)>, L<SSL_get_blocking_mode(3)> 530 531Configures whether blocking semantics are used at the application level. This 532determines whether calls to functions such as L<SSL_read(3)> and L<SSL_write(3)> 533will block. 534 535=item L<SSL_get_rpoll_descriptor(3)>, L<SSL_get_wpoll_descriptor(3)> 536 537These functions facilitate operation in nonblocking mode. 538 539When an SSL object is being used with an underlying network read BIO which 540supports polling, L<SSL_get_rpoll_descriptor(3)> outputs an OS resource which 541can be used to synchronise on network readability events which should result in 542a call to L<SSL_handle_events(3)>. L<SSL_get_wpoll_descriptor(3)> works in an 543analogous fashion for the underlying network write BIO. 544 545The poll descriptors provided by these functions need only be used when 546L<SSL_net_read_desired(3)> and L<SSL_net_write_desired(3)> return 1, respectively. 547 548=item L<SSL_net_read_desired(3)>, L<SSL_net_write_desired(3)> 549 550These functions facilitate operation in nonblocking mode and are used in 551conjunction with L<SSL_get_rpoll_descriptor(3)> and 552L<SSL_get_wpoll_descriptor(3)> respectively. They determine whether the 553respective poll descriptor is currently relevant for the purposes of polling. 554 555=item L<SSL_set1_initial_peer_addr(3)> 556 557This function can be used to set the initial peer address for an outgoing QUIC 558connection. This function must be used in the general case when creating an 559outgoing QUIC connection; however, the correct initial peer address can be 560autodetected in some cases. See L<SSL_set1_initial_peer_addr(3)> for details. 561 562=item L<SSL_shutdown_ex(3)> 563 564This augments L<SSL_shutdown(3)> by allowing an application error code to be 565specified. It also allows a client to decide how quickly it wants a shutdown to 566be performed, potentially by trading off strict RFC compliance. 567 568=item L<SSL_stream_conclude(3)> 569 570This allows an application to indicate the normal end of the sending part of a 571QUIC stream. This corresponds to the FIN flag in the QUIC RFC. The receiving 572part of a stream remains usable. 573 574=item L<SSL_stream_reset(3)> 575 576This allows an application to indicate the non-normal termination of the sending 577part of a stream. This corresponds to the RESET_STREAM frame in the QUIC RFC. 578 579=item L<SSL_get_stream_write_state(3)> and L<SSL_get_stream_read_state(3)> 580 581This allows an application to determine the current stream states for the 582sending and receiving parts of a stream respectively. 583 584=item L<SSL_get_stream_write_error_code(3)> and L<SSL_get_stream_read_error_code(3)> 585 586This allows an application to determine the application error code which was 587signalled by a peer which has performed a non-normal stream termination of the 588respective sending or receiving part of a stream, if any. 589 590=item L<SSL_get_conn_close_info(3)> 591 592This allows an application to determine the error code which was signalled when 593the local or remote endpoint terminated the QUIC connection. 594 595=item L<SSL_get0_connection(3)> 596 597Gets the QUIC connection SSL object from a QUIC stream SSL object. 598 599=item L<SSL_is_connection(3)> 600 601Returns 1 if an SSL object is not a QUIC stream SSL object. 602 603=item L<SSL_get_stream_type(3)> 604 605Provides information on the kind of QUIC stream which is attached 606to the SSL object. 607 608=item L<SSL_get_stream_id(3)> 609 610Returns the QUIC stream ID which the QUIC protocol has associated with a QUIC 611stream. 612 613=item L<SSL_new_stream(3)> 614 615Creates a new QUIC stream SSL object representing a new, locally-initiated QUIC 616stream. 617 618=item L<SSL_accept_stream(3)> 619 620Potentially yields a new QUIC stream SSL object representing a new 621remotely-initiated QUIC stream, blocking until one is available if the 622connection is configured to do so. 623 624=item L<SSL_get_accept_stream_queue_len(3)> 625 626Provides information on the number of pending remotely-initiated streams. 627 628=item L<SSL_set_incoming_stream_policy(3)> 629 630Configures how incoming, remotely-initiated streams are handled. The incoming 631stream policy can be used to automatically reject streams created by the peer, 632or allow them to be handled using L<SSL_accept_stream(3)>. 633 634=item L<SSL_set_default_stream_mode(3)> 635 636Used to configure or disable default stream mode; see the MODES OF OPERATION 637section for details. 638 639=back 640 641The following BIO APIs are not specific to QUIC but have been added to 642facilitate QUIC-specific requirements and are closely associated with its use: 643 644=over 4 645 646=item L<BIO_s_dgram_pair(3)> 647 648This is a new BIO method which is similar to a conventional BIO pair but 649provides datagram semantics. 650 651=item L<BIO_get_rpoll_descriptor(3)>, L<BIO_get_wpoll_descriptor(3)> 652 653This is a new BIO API which allows a BIO to expose a poll descriptor. This API 654is used to implement the corresponding SSL APIs L<SSL_get_rpoll_descriptor(3)> 655and L<SSL_get_wpoll_descriptor(3)>. 656 657=item L<BIO_sendmmsg(3)>, L<BIO_recvmmsg(3)> 658 659This is a new BIO API which can be implemented by BIOs which implement datagram 660semantics. It is implemented by L<BIO_s_datagram(3)> and L<BIO_s_dgram_pair(3)>. 661It is used by the QUIC implementation to send and receive UDP datagrams. 662 663=item L<BIO_dgram_set_no_trunc(3)>, L<BIO_dgram_get_no_trunc(3)> 664 665By default, L<BIO_s_dgram_pair(3)> has semantics comparable to those of Berkeley 666sockets being used with datagram semantics. This allows an alternative mode 667to be enabled in which datagrams will not be silently truncated if they are 668too large. 669 670=item L<BIO_dgram_set_caps(3)>, L<BIO_dgram_get_caps(3)> 671 672These functions are used to allow the user of one end of a 673L<BIO_s_dgram_pair(3)> to indicate its capabilities to the other end of a 674L<BIO_s_dgram_pair(3)>. In particular, this allows an application to inform the 675QUIC implementation of whether it is prepared to handle local and/or peer 676addresses in transmitted datagrams and to provide the applicable information in 677received datagrams. 678 679=item L<BIO_dgram_get_local_addr_cap(3)>, L<BIO_dgram_set_local_addr_enable(3)>, 680L<BIO_dgram_get_local_addr_enable(3)> 681 682Local addressing support refers to the ability of a BIO with datagram semantics 683to allow a source address to be specified on transmission and to report the 684destination address on reception. These functions can be used to determine if a 685BIO can support local addressing and to enable local addressing support if it 686can. 687 688=item L<BIO_err_is_non_fatal(3)> 689 690This is used to determine if an error while calling L<BIO_sendmmsg(3)> or 691L<BIO_recvmmsg(3)> is ephemeral in nature, such as "would block" errors. 692 693=back 694 695=head1 THREAD ASSISTED MODE 696 697The optional thread assisted mode can be used with 698L<OSSL_QUIC_client_thread_method(3)>. In this mode, a background thread is 699created automatically. The OpenSSL QUIC implementation then takes responsibility 700for ensuring that timeout events are handled on a timely basis even if no SSL 701I/O function such as L<SSL_read(3)> or L<SSL_write(3)> is called by the 702application for a long time. 703 704All necessary locking is handled automatically internally, but the thread safety 705guarantees for the public SSL API are unchanged. Therefore, an application must 706still do its own locking if it wishes to make concurrent use of the public SSL 707APIs. 708 709Because this method relies on threads, it is not available on platforms where 710threading support is not available or not supported by OpenSSL. However, it 711does provide the simplest mode of usage for an application. 712 713The implementation may or may not use a common thread or thread pool to service 714multiple SSL objects in the same B<SSL_CTX>. 715 716=head1 APPLICATION-DRIVEN EVENT LOOPS 717 718OpenSSL's QUIC implementation is designed to facilitate applications which wish 719to use the SSL APIs in a blocking fashion, but is also designed to facilitate 720applications which wish to use the SSL APIs in a nonblocking fashion and manage 721their own event loops and polling directly. This is useful when it is desirable 722to host OpenSSL's QUIC implementation on top of an application's existing 723nonblocking I/O infrastructure. 724 725This is supported via the concept of poll descriptors; see 726L<BIO_get_rpoll_descriptor(3)> for details. Broadly, a B<BIO_POLL_DESCRIPTOR> is 727a structure which expresses some kind of OS resource which can be used to 728synchronise on I/O events. The QUIC implementation provides a 729B<BIO_POLL_DESCRIPTOR> based on the poll descriptor provided by the underlying 730network BIO. This is typically an OS socket handle, though custom BIOs could 731choose to implement their own custom poll descriptor format. 732 733Broadly, an application which wishes to manage its own event loop should 734interact with the SSL object as follows: 735 736=over 4 737 738=item 739 740It should provide read and write BIOs with nonblocking datagram semantics to 741the SSL object using L<SSL_set0_rbio(3)> and L<SSL_set0_wbio(3)>. This could be 742a BIO abstracting a network socket such as L<BIO_s_datagram(3)>, or a BIO 743abstracting some kind of memory buffer such as L<BIO_s_dgram_pair(3)>. Use of a 744custom BIO is also possible. 745 746=item 747 748It should configure the SSL object into nonblocking mode by calling 749L<SSL_set_blocking_mode(3)>. 750 751=item 752 753It should configure the SSL object as desired, set an initial peer as needed 754using L<SSL_set1_initial_peer_addr(3)>, and trigger the connection process by 755calling L<SSL_connect(3)>. 756 757=item 758 759If the network read and write BIOs provided were pollable (for example, 760a L<BIO_s_datagram(3)>, or a custom BIO which implements 761L<BIO_get_rpoll_descriptor(3)> and L<BIO_get_wpoll_descriptor(3)>), it should 762perform the following steps repeatedly: 763 764=over 4 765 766=item 767 768The application should call L<SSL_get_rpoll_descriptor(3)> and 769L<SSL_get_wpoll_descriptor(3)> to identify OS resources which can be used for 770synchronisation. 771 772=item 773 774It should call L<SSL_net_read_desired(3)> and L<SSL_net_write_desired(3)> to determine 775whether the QUIC implementation is currently interested in readability and 776writability events on the underlying network BIO which was provided, and call 777L<SSL_get_event_timeout(3)> to determine if any timeout event will become 778applicable in the future. 779 780=item 781 782It should wait until one of the following events occurs: 783 784=over 4 785 786=item 787 788The poll descriptor returned by L<SSL_get_rpoll_descriptor(3)> becomes readable 789(if L<SSL_net_read_desired(3)> returned 1); 790 791=item 792 793The poll descriptor returned by L<SSL_get_wpoll_descriptor(3)> becomes writable 794(if L<SSL_net_write_desired(3)> returned 1); 795 796=item 797 798The timeout returned by L<SSL_get_event_timeout(3)> (if any) expires. 799 800=back 801 802Once any of these events occurs, L<SSL_handle_events(3)> should be called. 803 804=back 805 806=item 807 808If the network read and write BIOs provided were not pollable (for example, in 809the case of L<BIO_s_dgram_pair(3)>), the application is responsible for managing 810and synchronising network I/O. It should call L<SSL_handle_events(3)> after it 811writes data to a L<BIO_s_dgram_pair(3)> or otherwise takes action so that the 812QUIC implementation can read new datagrams via a call to L<BIO_recvmmsg(3)> on 813the underlying network BIO. The QUIC implementation may output datagrams via a 814call to L<BIO_sendmmsg(3)> and the application is responsible for ensuring these 815are transmitted. 816 817The application must call L<SSL_get_event_timeout(3)> after every call to 818L<SSL_handle_events(3)> (or another I/O function on the SSL object), and ensure 819that a call to L<SSL_handle_events(3)> is performed after the specified timeout 820(if any). 821 822=back 823 824=head1 SEE ALSO 825 826L<SSL_handle_events(3)>, L<SSL_get_event_timeout(3)>, 827L<SSL_net_read_desired(3)>, L<SSL_net_write_desired(3)>, 828L<SSL_get_rpoll_descriptor(3)>, L<SSL_get_wpoll_descriptor(3)>, 829L<SSL_set_blocking_mode(3)>, L<SSL_shutdown_ex(3)>, 830L<SSL_set1_initial_peer_addr(3)>, L<SSL_stream_conclude(3)>, 831L<SSL_stream_reset(3)>, L<SSL_get_stream_read_state(3)>, 832L<SSL_get_stream_read_error_code(3)>, L<SSL_get_conn_close_info(3)>, 833L<SSL_get0_connection(3)>, L<SSL_get_stream_type(3)>, L<SSL_get_stream_id(3)>, 834L<SSL_new_stream(3)>, L<SSL_accept_stream(3)>, 835L<SSL_set_incoming_stream_policy(3)>, L<SSL_set_default_stream_mode(3)> 836 837=head1 COPYRIGHT 838 839Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. 840 841Licensed under the Apache License 2.0 (the "License"). You may not use 842this file except in compliance with the License. You can obtain a copy 843in the file LICENSE in the source distribution or at 844L<https://www.openssl.org/source/license.html>. 845 846=cut 847