openssl-quic.pod 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846
  1. =pod
  2. =head1 NAME
  3. openssl-quic - OpenSSL QUIC
  4. =head1 DESCRIPTION
  5. OpenSSL 3.2 and later features support for the QUIC transport protocol.
  6. Currently, only client connectivity is supported. This man page describes the
  7. usage of QUIC client functionality for both existing and new applications.
  8. QUIC functionality uses the standard SSL API. A QUIC connection is represented
  9. by an SSL object in the same way that a TLS connection is. Only minimal changes
  10. are needed to existing applications making use of the libssl APIs to make use of
  11. QUIC client functionality. To make use of QUIC, use the SSL method
  12. L<OSSL_QUIC_client_method(3)> or L<OSSL_QUIC_client_thread_method(3)> with
  13. L<SSL_CTX_new(3)>.
  14. When a QUIC connection is created, by default, it operates in default stream
  15. mode, which is intended to provide compatibility with existing non-QUIC
  16. application usage patterns. In this mode, the connection has a single
  17. stream associated with it. Calls to L<SSL_read(3)> and
  18. L<SSL_write(3)> on the QUIC connection SSL object read and write from that
  19. stream. Whether the stream is client-initiated or server-initiated from a QUIC
  20. perspective depends on whether L<SSL_read(3)> or L<SSL_write(3)> is called
  21. first. See the MODES OF OPERATION section for more information.
  22. The default stream mode is intended for compatibility with existing
  23. applications. New applications using QUIC are recommended to disable default
  24. stream mode and use the multi-stream API; see the MODES OF OPERATION section and
  25. the RECOMMENDATIONS FOR NEW APPLICATIONS section for more information.
  26. The remainder of this man page discusses, in order:
  27. =over 4
  28. =item
  29. Default stream mode versus multi-stream mode;
  30. =item
  31. The changes to existing libssl APIs which are driven by QUIC-related implementation
  32. requirements, which existing applications should bear in mind;
  33. =item
  34. Aspects which must be considered by existing applications when adopting QUIC,
  35. including potential changes which may be needed.
  36. =item
  37. Recommended usage approaches for new applications.
  38. =item
  39. New, QUIC-specific APIs.
  40. =back
  41. =head1 MODES OF OPERATION
  42. =head2 Default Stream Mode
  43. A QUIC client connection can be used in either default stream mode or
  44. multi-stream mode. By default, a newly created QUIC connection SSL object uses
  45. default stream mode.
  46. In default stream mode, a stream is implicitly created and bound to the QUIC
  47. connection SSL object; L<SSL_read(3)> and L<SSL_write(3)> calls to the QUIC
  48. connection SSL object work by default and are mapped to that stream.
  49. When default stream mode is used, any API function which can be called on a QUIC
  50. stream SSL object can also be called on a QUIC connection SSL object, in which
  51. case it affects the default stream bound to the connection.
  52. The identity of a QUIC stream, including its stream ID, varies depending on
  53. whether a stream is client-initiated or server-initiated. In default stream
  54. mode, if a client application calls L<SSL_read(3)> first before any call to
  55. L<SSL_write(3)> on the connection, it is assumed that the application protocol
  56. is using a server-initiated stream, and the L<SSL_read(3)> call will not
  57. complete (either blocking, or failing appropriately if nonblocking mode is
  58. configured) until the server initiates a stream. Conversely, if the client
  59. application calls L<SSL_write(3)> before any call to L<SSL_read(3)> on the
  60. connection, it is assumed that a client-initiated stream is to be used
  61. and such a stream is created automatically.
  62. Default stream mode is intended to aid compatibility with legacy applications.
  63. New applications adopting QUIC should use multi-stream mode, described below,
  64. and avoid use of the default stream functionality.
  65. It is possible to use additional streams in default stream mode using
  66. L<SSL_new_stream(3)> and L<SSL_accept_stream(3)>; note that the default incoming
  67. stream policy will need to be changed using L<SSL_set_incoming_stream_policy(3)>
  68. in order to use L<SSL_accept_stream(3)> in this case. However, applications
  69. using additional streams are strongly recommended to use multi-stream mode
  70. instead.
  71. Calling L<SSL_new_stream(3)> or L<SSL_accept_stream(3)> before a default stream
  72. has been associated with the QUIC connection SSL object will inhibit future
  73. creation of a default stream.
  74. =head2 Multi-Stream Mode
  75. The recommended usage mode for new applications adopting QUIC is multi-stream
  76. mode, in which no default stream is attached to the QUIC connection SSL object
  77. and attempts to call L<SSL_read(3)> and L<SSL_write(3)> on the QUIC connection
  78. SSL object fail. Instead, an application calls L<SSL_new_stream(3)> or
  79. L<SSL_accept_stream(3)> to create individual stream SSL objects for sending and
  80. receiving application data using L<SSL_read(3)> and L<SSL_write(3)>.
  81. To use multi-stream mode, call L<SSL_set_default_stream_mode(3)> with an
  82. argument of B<SSL_DEFAULT_STREAM_MODE_NONE>; this function must be called prior
  83. to initiating the connection. The default stream mode cannot be changed after
  84. initiating a connection.
  85. When multi-stream mode is used, meaning that no default stream is associated
  86. with the connection, calls to API functions which are defined as operating on a
  87. QUIC stream fail if called on the QUIC connection SSL object. For example, calls
  88. such as L<SSL_write(3)> or L<SSL_get_stream_id(3)> will fail.
  89. =head1 CHANGES TO EXISTING APIS
  90. Most SSL APIs, such as L<SSL_read(3)> and L<SSL_write(3)>, function as they do
  91. for TLS connections and do not have changed semantics, with some exceptions. The
  92. changes to the semantics of existing APIs are as follows:
  93. =over 4
  94. =item
  95. Since QUIC uses UDP, L<SSL_set_bio(3)>, L<SSL_set0_rbio(3)> and
  96. L<SSL_set0_wbio(3)> function as before, but must now receive a BIO with datagram
  97. semantics. There are broadly four options for applications to use as a network
  98. BIO:
  99. =over 4
  100. =item
  101. L<BIO_s_datagram(3)>, recommended for most applications, replaces
  102. L<BIO_s_socket(3)> and provides a UDP socket.
  103. =item
  104. L<BIO_s_dgram_pair(3)> provides BIO pair-like functionality but with datagram
  105. semantics, and is recommended for existing applications which use a BIO pair or
  106. memory BIO to manage libssl's communication with the network.
  107. =item
  108. L<BIO_s_dgram_mem(3)> provides a simple memory BIO-like interface but with
  109. datagram semantics. Unlike L<BIO_s_dgram_pair(3)>, it is unidirectional.
  110. =item
  111. An application may also choose to implement a custom BIO. The new
  112. L<BIO_sendmmsg(3)> and L<BIO_recvmmsg(3)> APIs must be supported.
  113. =back
  114. =item
  115. L<SSL_set_fd(3)>, L<SSL_set_rfd(3)> and L<SSL_set_wfd(3)> traditionally
  116. instantiate a L<BIO_s_socket(3)>. For QUIC, these functions instead instantiate
  117. a L<BIO_s_datagram(3)>. This is equivalent to instantiating a
  118. L<BIO_s_datagram(3)> and using L<SSL_set0_rbio(3)> and L<SSL_set0_wbio(3)>.
  119. =item
  120. Traditionally, whether the application-level I/O APIs (such as L<SSL_read(3)>
  121. and L<SSL_write(3)> operated in a blocking fashion was directly correlated with
  122. whether the underlying network socket was configured in a blocking fashion. This
  123. is no longer the case; applications must explicitly configure the desired
  124. application-level blocking mode using L<SSL_set_blocking_mode(3)>. See
  125. L<SSL_set_blocking_mode(3)> for details.
  126. =item
  127. Network-level I/O must always be performed in a nonblocking manner. The
  128. application can still enjoy blocking semantics for calls to application-level
  129. I/O functions such as L<SSL_read(3)> and L<SSL_write(3)>, but the underlying
  130. network BIO provided to QUIC (such as a L<BIO_s_datagram(3)>) must be configured
  131. in nonblocking mode. For application-level blocking functionality, see
  132. L<SSL_set_blocking_mode(3)>.
  133. =item
  134. L<BIO_new_ssl_connect(3)> has been changed to automatically use a
  135. L<BIO_s_datagram(3)> when used with QUIC, therefore applications which use this
  136. do not need to change the BIO they use.
  137. =item
  138. L<BIO_new_buffer_ssl_connect(3)> cannot be used with QUIC and applications must
  139. change to use L<BIO_new_ssl_connect(3)> instead.
  140. =item
  141. L<SSL_shutdown(3)> has significant changes in relation to how QUIC connections
  142. must be shut down. In particular, applications should be advised that the full
  143. RFC-conformant QUIC shutdown process may take an extended amount of time. This
  144. may not be suitable for short-lived processes which should exit immediately
  145. after their usage of a QUIC connection is completed. A rapid shutdown mode
  146. is available for such applications. For details, see L<SSL_shutdown(3)>.
  147. =item
  148. L<SSL_want(3)>, L<SSL_want_read(3)> and L<SSL_want_write(3)> no longer reflect
  149. the I/O state of the network BIO passed to the QUIC SSL object, but instead
  150. reflect the flow control state of the QUIC stream associated with the SSL
  151. object.
  152. When used in nonblocking mode, B<SSL_ERROR_WANT_READ> indicates that the
  153. receive part of a QUIC stream does not currently have any more data available to
  154. be read, and B<SSL_ERROR_WANT_WRITE> indicates that the stream's internal buffer
  155. is full.
  156. To determine if the QUIC implementation currently wishes to be informed of
  157. incoming network datagrams, use the new function L<SSL_net_read_desired(3)>;
  158. likewise, to determine if the QUIC implementation currently wishes to be
  159. informed when it is possible to transmit network datagrams, use the new function
  160. L<SSL_net_write_desired(3)>. Only applications which wish to manage their own event
  161. loops need to use these functions; see B<APPLICATION-DRIVEN EVENT LOOPS> for
  162. further discussion.
  163. =item
  164. The use of ALPN is mandatory when using QUIC. Attempts to connect without
  165. configuring ALPN will fail. For information on how to configure ALPN, see
  166. L<SSL_set_alpn_protos(3)>.
  167. =item
  168. Whether QUIC operates in a client or server mode is determined by the
  169. B<SSL_METHOD> used, rather than by calls to L<SSL_set_connect_state(3)> or
  170. L<SSL_set_accept_state(3)>. It is not necessary to call either of
  171. L<SSL_set_connect_state(3)> or L<SSL_set_accept_state(3)> before connecting, but
  172. if either of these are called, the function called must be congruent with the
  173. B<SSL_METHOD> being used. Currently, only client mode is supported.
  174. =item
  175. The L<SSL_set_min_proto_version(3)> and L<SSL_set_max_proto_version(3)> APIs are
  176. not used and the values passed to them are ignored, as OpenSSL QUIC currently
  177. always uses TLS 1.3.
  178. =item
  179. The following libssl functionality is not available when used with QUIC.
  180. =over 4
  181. =item
  182. Async functionality
  183. =item
  184. B<SSL_MODE_AUTO_RETRY>
  185. =item
  186. Record Padding and Fragmentation (L<SSL_set_block_padding(3)>, etc.)
  187. =item
  188. L<SSL_stateless(3)> support
  189. =item
  190. SRTP functionality
  191. =item
  192. TLSv1.3 Early Data
  193. =item
  194. TLS Next Protocol Negotiation cannot be used and is superseded by ALPN, which
  195. must be used instead. The use of ALPN is mandatory with QUIC.
  196. =item
  197. Post-Handshake Client Authentication is not available as QUIC prohibits its use.
  198. =item
  199. QUIC requires the use of TLSv1.3 or later, therefore functionality only relevant
  200. to older TLS versions is not available.
  201. =item
  202. Some cipher suites which are generally available for TLSv1.3 are not available
  203. for QUIC, such as B<TLS_AES_128_CCM_8_SHA256>. Your application may need to
  204. adjust the list of acceptable cipher suites it passes to libssl.
  205. =item
  206. CCM mode is not currently supported.
  207. =back
  208. The following libssl functionality is also not available when used with QUIC,
  209. but calls to the relevant functions are treated as no-ops:
  210. =over 4
  211. =item
  212. Readahead (L<SSL_set_read_ahead(3)>, etc.)
  213. =back
  214. =back
  215. =head1 CONSIDERATIONS FOR EXISTING APPLICATIONS
  216. Existing applications seeking to adopt QUIC should apply the following list to
  217. determine what changes they will need to make:
  218. =over 4
  219. =item
  220. An application wishing to use QUIC must use L<OSSL_QUIC_client_method(3)> or
  221. L<OSSL_QUIC_client_thread_method(3)> as its SSL method. For more information
  222. on the differences between these two methods, see B<THREAD ASSISTED MODE>.
  223. =item
  224. Determine how to provide QUIC with network access. Determine which of the below
  225. apply for your application:
  226. =over 4
  227. =item
  228. Your application uses L<BIO_s_socket(3)> to construct a BIO which is passed to
  229. the SSL object to provide it with network access.
  230. Changes needed: Change your application to use L<BIO_s_datagram(3)> instead when
  231. using QUIC. The socket must be configured in nonblocking mode. You may or may
  232. not need to use L<SSL_set1_initial_peer_addr(3)> to set the initial peer
  233. address; see the B<QUIC-SPECIFIC APIS> section for details.
  234. =item
  235. Your application uses L<BIO_new_ssl_connect(3)> to
  236. construct a BIO which is passed to the SSL object to provide it with network
  237. access.
  238. Changes needed: No changes needed. Use of QUIC is detected automatically and a
  239. datagram socket is created instead of a normal TCP socket.
  240. =item
  241. Your application uses any other I/O strategy in this list but combines it with a
  242. L<BIO_f_buffer(3)>, for example using L<BIO_push(3)>.
  243. Changes needed: Disable the usage of L<BIO_f_buffer(3)> when using QUIC. Usage
  244. of such a buffer is incompatible with QUIC as QUIC requires datagram semantics
  245. in its interaction with the network.
  246. =item
  247. Your application uses a BIO pair to cause the SSL object to read and write
  248. network traffic to a memory buffer. Your application manages the transmission
  249. and reception of buffered data itself in a way unknown to libssl.
  250. Changes needed: Switch from using a conventional BIO pair to using
  251. L<BIO_s_dgram_pair(3)> instead, which has the necessary datagram semantics. You
  252. will need to modify your application to transmit and receive using a UDP socket
  253. and to use datagram semantics when interacting with the L<BIO_s_dgram_pair(3)>
  254. instance.
  255. =item
  256. Your application uses a custom BIO method to provide the SSL object with network
  257. access.
  258. Changes needed: The custom BIO must be re-architected to have datagram
  259. semantics. L<BIO_sendmmsg(3)> and L<BIO_recvmmsg(3)> must be implemented. These
  260. calls must operate in a nonblocking fashion. Optionally, implement the
  261. L<BIO_get_rpoll_descriptor(3)> and L<BIO_get_wpoll_descriptor(3)> methods if
  262. desired. Implementing these methods is required if blocking semantics at the SSL
  263. API level are desired.
  264. =back
  265. =item
  266. An application must explicitly configure whether it wishes to use the SSL APIs
  267. in blocking mode or not. Traditionally, an SSL object has automatically operated
  268. in blocking or nonblocking mode based on whether the underlying network BIO
  269. operates in blocking or nonblocking mode. QUIC requires the use of a
  270. nonblocking network BIO, therefore the blocking mode at the application level
  271. must be explicitly configured by the application using the new
  272. L<SSL_set_blocking_mode(3)> API. The default mode is blocking. If an application
  273. wishes to use the SSL object APIs at application level in a nonblocking manner,
  274. it must add a call to L<SSL_set_blocking_mode(3)> to disable blocking mode.
  275. =item
  276. If your application does not choose to use thread assisted mode, it must ensure
  277. that it calls an I/O function on the SSL object (for example, L<SSL_read(3)> or
  278. L<SSL_write(3)>), or the new function L<SSL_handle_events(3)>, regularly. If the
  279. SSL object is used in blocking mode, an ongoing blocking call to an I/O function
  280. satisfies this requirement. This is required to ensure that timer events
  281. required by QUIC are handled in a timely fashion.
  282. Most applications will service the SSL object by calling L<SSL_read(3)> or
  283. L<SSL_write(3)> regularly. If an application does not do this, it should ensure
  284. that L<SSL_handle_events(3)> is called regularly.
  285. L<SSL_get_event_timeout(3)> can be used to determine when
  286. L<SSL_handle_events(3)> must next be called.
  287. If the SSL object is being used with an underlying network BIO which is pollable
  288. (such as L<BIO_s_datagram(3)>), the application can use
  289. L<SSL_get_rpoll_descriptor(3)>, L<SSL_get_wpoll_descriptor(3)> to obtain
  290. resources which can be used to determine when L<SSL_handle_events(3)> should be
  291. called due to network I/O.
  292. Applications which use thread assisted mode do not need to be concerned
  293. with this requirement, as the QUIC implementation ensures timeout events
  294. are handled in a timely manner. See B<THREAD ASSISTED MODE> for details.
  295. =item
  296. Ensure that your usage of L<SSL_want(3)>, L<SSL_want_read(3)> and
  297. L<SSL_want_write(3)> reflects the API changes described in B<CHANGES TO EXISTING
  298. APIS>. In particular, you should use these APIs to determine the ability of a
  299. QUIC stream to receive or provide application data, not to to determine if
  300. network I/O is required.
  301. =item
  302. Evaluate your application's use of L<SSL_shutdown(3)> in light of the changes
  303. discussed in B<CHANGES TO EXISTING APIS>. Depending on whether your application
  304. wishes to prioritise RFC conformance or rapid shutdown, consider using the new
  305. L<SSL_shutdown_ex(3)> API instead. See B<QUIC-SPECIFIC APIS> for details.
  306. =back
  307. =head1 RECOMMENDED USAGE IN NEW APPLICATIONS
  308. The recommended usage in new applications varies depending on three independent
  309. design decisions:
  310. =over 4
  311. =item
  312. Whether the application will use blocking or nonblocking I/O at the application
  313. level (configured using L<SSL_set_blocking_mode(3)>).
  314. If the application does nonblocking I/O at the application level it can choose
  315. to manage its own polling and event loop; see B<APPLICATION-DRIVEN EVENT LOOPS>.
  316. =item
  317. Whether the application intends to give the QUIC implementation direct access to
  318. a network socket (e.g. via L<BIO_s_datagram(3)>) or whether it intends to buffer
  319. transmitted and received datagrams via a L<BIO_s_dgram_pair(3)> or custom BIO.
  320. The former is preferred where possible as it reduces latency to the network,
  321. which enables QUIC to achieve higher performance and more accurate connection
  322. round trip time (RTT) estimation.
  323. =item
  324. Whether thread assisted mode will be used (see B<THREAD ASSISTED MODE>).
  325. =back
  326. Simple demos for QUIC usage under these various scenarios can be found at
  327. L<https://github.com/openssl/openssl/tree/master/doc/designs/ddd>.
  328. Applications which wish to implement QUIC-specific protocols should be aware of
  329. the APIs listed under B<QUIC-SPECIFIC APIS> which provide access to
  330. QUIC-specific functionality. For example, L<SSL_stream_conclude(3)> can be used
  331. to indicate the end of the sending part of a stream, and L<SSL_shutdown_ex(3)>
  332. can be used to provide a QUIC application error code when closing a connection.
  333. Regardless of the design decisions chosen above, it is recommended that new
  334. applications avoid use of the default stream mode and use the multi-stream API
  335. by calling L<SSL_set_default_stream_mode(3)>; see the MODES OF OPERATION section
  336. for details.
  337. =head1 QUIC-SPECIFIC APIS
  338. This section details new APIs which are directly or indirectly related to QUIC.
  339. For details on the operation of each API, see the referenced man pages.
  340. The following SSL APIs are new but relevant to both QUIC and DTLS:
  341. =over 4
  342. =item L<SSL_get_event_timeout(3)>
  343. Determines when the QUIC implementation should next be woken up via a call to
  344. L<SSL_handle_events(3)> (or another I/O function such as L<SSL_read(3)> or
  345. L<SSL_write(3)>), if ever.
  346. This can also be used with DTLS and supersedes L<DTLSv1_get_timeout(3)> for new
  347. usage.
  348. =item L<SSL_handle_events(3)>
  349. This is a non-specific I/O operation which makes a best effort attempt to
  350. perform any pending I/O or timeout processing. It can be used to advance the
  351. QUIC state machine by processing incoming network traffic, generating outgoing
  352. network traffic and handling any expired timeout events. Most other I/O
  353. functions on an SSL object, such as L<SSL_read(3)> and L<SSL_write(3)>
  354. implicitly perform event handling on the SSL object, so calling this function is
  355. only needed if no other I/O function is to be called.
  356. This can also be used with DTLS and supersedes L<DTLSv1_handle_timeout(3)> for
  357. new usage.
  358. =back
  359. The following SSL APIs are specific to QUIC:
  360. =over 4
  361. =item L<SSL_set_blocking_mode(3)>, L<SSL_get_blocking_mode(3)>
  362. Configures whether blocking semantics are used at the application level. This
  363. determines whether calls to functions such as L<SSL_read(3)> and L<SSL_write(3)>
  364. will block.
  365. =item L<SSL_get_rpoll_descriptor(3)>, L<SSL_get_wpoll_descriptor(3)>
  366. These functions facilitate operation in nonblocking mode.
  367. When an SSL object is being used with an underlying network read BIO which
  368. supports polling, L<SSL_get_rpoll_descriptor(3)> outputs an OS resource which
  369. can be used to synchronise on network readability events which should result in
  370. a call to L<SSL_handle_events(3)>. L<SSL_get_wpoll_descriptor(3)> works in an
  371. analogous fashion for the underlying network write BIO.
  372. The poll descriptors provided by these functions need only be used when
  373. L<SSL_net_read_desired(3)> and L<SSL_net_write_desired(3)> return 1, respectively.
  374. =item L<SSL_net_read_desired(3)>, L<SSL_net_write_desired(3)>
  375. These functions facilitate operation in nonblocking mode and are used in
  376. conjunction with L<SSL_get_rpoll_descriptor(3)> and
  377. L<SSL_get_wpoll_descriptor(3)> respectively. They determine whether the
  378. respective poll descriptor is currently relevant for the purposes of polling.
  379. =item L<SSL_set1_initial_peer_addr(3)>
  380. This function can be used to set the initial peer address for an outgoing QUIC
  381. connection. This function must be used in the general case when creating an
  382. outgoing QUIC connection; however, the correct initial peer address can be
  383. autodetected in some cases. See L<SSL_set1_initial_peer_addr(3)> for details.
  384. =item L<SSL_shutdown_ex(3)>
  385. This augments L<SSL_shutdown(3)> by allowing an application error code to be
  386. specified. It also allows a client to decide how quickly it wants a shutdown to
  387. be performed, potentially by trading off strict RFC compliance.
  388. =item L<SSL_stream_conclude(3)>
  389. This allows an application to indicate the normal end of the sending part of a
  390. QUIC stream. This corresponds to the FIN flag in the QUIC RFC. The receiving
  391. part of a stream remains usable.
  392. =item L<SSL_stream_reset(3)>
  393. This allows an application to indicate the non-normal termination of the sending
  394. part of a stream. This corresponds to the RESET_STREAM frame in the QUIC RFC.
  395. =item L<SSL_get_stream_write_state(3)> and L<SSL_get_stream_read_state(3)>
  396. This allows an application to determine the current stream states for the
  397. sending and receiving parts of a stream respectively.
  398. =item L<SSL_get_stream_write_error_code(3)> and L<SSL_get_stream_read_error_code(3)>
  399. This allows an application to determine the application error code which was
  400. signalled by a peer which has performed a non-normal stream termination of the
  401. respective sending or receiving part of a stream, if any.
  402. =item L<SSL_get_conn_close_info(3)>
  403. This allows an application to determine the error code which was signalled when
  404. the local or remote endpoint terminated the QUIC connection.
  405. =item L<SSL_get0_connection(3)>
  406. Gets the QUIC connection SSL object from a QUIC stream SSL object.
  407. =item L<SSL_is_connection(3)>
  408. Returns 1 if a SSL object is not a QUIC stream SSL object.
  409. =item L<SSL_get_stream_type(3)>
  410. Provides information on the kind of QUIC stream which is attached
  411. to the SSL object.
  412. =item L<SSL_get_stream_id(3)>
  413. Returns the QUIC stream ID which the QUIC protocol has associated with a QUIC
  414. stream.
  415. =item L<SSL_new_stream(3)>
  416. Creates a new QUIC stream SSL object representing a new, locally-initiated QUIC
  417. stream.
  418. =item L<SSL_accept_stream(3)>
  419. Potentially yields a new QUIC stream SSL object representing a new
  420. remotely-initiated QUIC stream, blocking until one is available if the
  421. connection is configured to do so.
  422. =item L<SSL_get_accept_stream_queue_len(3)>
  423. Provides information on the number of pending remotely-initiated streams.
  424. =item L<SSL_set_incoming_stream_policy(3)>
  425. Configures how incoming, remotely-initiated streams are handled. The incoming
  426. stream policy can be used to automatically reject streams created by the peer,
  427. or allow them to be handled using L<SSL_accept_stream(3)>.
  428. =item L<SSL_set_default_stream_mode(3)>
  429. Used to configure or disable default stream mode; see the MODES OF OPERATION
  430. section for details.
  431. =back
  432. The following BIO APIs are not specific to QUIC but have been added to
  433. facilitate QUIC-specific requirements and are closely associated with its use:
  434. =over 4
  435. =item L<BIO_s_dgram_pair(3)>
  436. This is a new BIO method which is similar to a conventional BIO pair but
  437. provides datagram semantics.
  438. =item L<BIO_get_rpoll_descriptor(3)>, L<BIO_get_wpoll_descriptor(3)>
  439. This is a new BIO API which allows a BIO to expose a poll descriptor. This API
  440. is used to implement the corresponding SSL APIs L<SSL_get_rpoll_descriptor(3)>
  441. and L<SSL_get_wpoll_descriptor(3)>.
  442. =item L<BIO_sendmmsg(3)>, L<BIO_recvmmsg(3)>
  443. This is a new BIO API which can be implemented by BIOs which implement datagram
  444. semantics. It is implemented by L<BIO_s_datagram(3)> and L<BIO_s_dgram_pair(3)>.
  445. It is used by the QUIC implementation to send and receive UDP datagrams.
  446. =item L<BIO_dgram_set_no_trunc(3)>, L<BIO_dgram_get_no_trunc(3)>
  447. By default, L<BIO_s_dgram_pair(3)> has semantics comparable to those of Berkeley
  448. sockets being used with datagram semantics. This allows an alternative mode
  449. to be enabled in which datagrams will not be silently truncated if they are
  450. too large.
  451. =item L<BIO_dgram_set_caps(3)>, L<BIO_dgram_get_caps(3)>
  452. These functions are used to allow the user of one end of a
  453. L<BIO_s_dgram_pair(3)> to indicate its capabilities to the other end of a
  454. L<BIO_s_dgram_pair(3)>. In particular, this allows an application to inform the
  455. QUIC implementation of whether it is prepared to handle local and/or peer
  456. addresses in transmitted datagrams and to provide the applicable information in
  457. received datagrams.
  458. =item L<BIO_dgram_get_local_addr_cap(3)>, L<BIO_dgram_set_local_addr_enable(3)>,
  459. L<BIO_dgram_get_local_addr_enable(3)>
  460. Local addressing support refers to the ability of a BIO with datagram semantics
  461. to allow a source address to be specified on transmission and to report the
  462. destination address on reception. These functions can be used to determine if a
  463. BIO can support local addressing and to enable local addressing support if it
  464. can.
  465. =item L<BIO_err_is_non_fatal(3)>
  466. This is used to determine if an error while calling L<BIO_sendmmsg(3)> or
  467. L<BIO_recvmmsg(3)> is ephemeral in nature, such as "would block" errors.
  468. =back
  469. =head1 THREAD ASSISTED MODE
  470. The optional thread assisted mode can be used with
  471. L<OSSL_QUIC_client_thread_method(3)>. In this mode, a background thread is
  472. created automatically. The OpenSSL QUIC implementation then takes responsibility
  473. for ensuring that timeout events are handled on a timely basis even if no SSL
  474. I/O function such as L<SSL_read(3)> or L<SSL_write(3)> is called by the
  475. application for a long time.
  476. All necessary locking is handled automatically internally, but the thread safety
  477. guarantees for the public SSL API are unchanged. Therefore, an application must
  478. still do its own locking if it wishes to make concurrent use of the public SSL
  479. APIs.
  480. Because this method relies on threads, it is not available on platforms where
  481. threading support is not available or not supported by OpenSSL. However, it
  482. does provide the simplest mode of usage for an application.
  483. The implementation may or may not use a common thread or thread pool to service
  484. multiple SSL objects in the same B<SSL_CTX>.
  485. =head1 APPLICATION-DRIVEN EVENT LOOPS
  486. OpenSSL's QUIC implementation is designed to facilitate applications which wish
  487. to use the SSL APIs in a blocking fashion, but is also designed to facilitate
  488. applications which wish to use the SSL APIs in a nonblocking fashion and manage
  489. their own event loops and polling directly. This is useful when it is desirable
  490. to host OpenSSL's QUIC implementation on top of an application's existing
  491. nonblocking I/O infrastructure.
  492. This is supported via the concept of poll descriptors; see
  493. L<BIO_get_rpoll_descriptor(3)> for details. Broadly, a B<BIO_POLL_DESCRIPTOR> is
  494. a structure which expresses some kind of OS resource which can be used to
  495. synchronise on I/O events. The QUIC implementation provides a
  496. B<BIO_POLL_DESCRIPTOR> based on the poll descriptor provided by the underlying
  497. network BIO. This is typically an OS socket handle, though custom BIOs could
  498. choose to implement their own custom poll descriptor format.
  499. Broadly, an application which wishes to manage its own event loop should
  500. interact with the SSL object as follows:
  501. =over 4
  502. =item
  503. It should provide read and write BIOs with nonblocking datagram semantics to
  504. the SSL object using L<SSL_set0_rbio(3)> and L<SSL_set0_wbio(3)>. This could be
  505. a BIO abstracting a network socket such as L<BIO_s_datagram(3)>, or a BIO
  506. abstracting some kind of memory buffer such as L<BIO_s_dgram_pair(3)>. Use of a
  507. custom BIO is also possible.
  508. =item
  509. It should configure the SSL object into nonblocking mode by calling
  510. L<SSL_set_blocking_mode(3)>.
  511. =item
  512. It should configure the SSL object as desired, set an initial peer as needed
  513. using L<SSL_set1_initial_peer_addr(3)>, and trigger the connection process by
  514. calling L<SSL_connect(3)>.
  515. =item
  516. If the network read and write BIOs provided were pollable (for example,
  517. a L<BIO_s_datagram(3)>, or a custom BIO which implements
  518. L<BIO_get_rpoll_descriptor(3)> and L<BIO_get_wpoll_descriptor(3)>), it should
  519. perform the following steps repeatedly:
  520. =over 4
  521. =item
  522. The application should call L<SSL_get_rpoll_descriptor(3)> and
  523. L<SSL_get_wpoll_descriptor(3)> to identify OS resources which can be used for
  524. synchronisation.
  525. =item
  526. It should call L<SSL_net_read_desired(3)> and L<SSL_net_write_desired(3)> to determine
  527. whether the QUIC implementation is currently interested in readability and
  528. writability events on the underlying network BIO which was provided, and call
  529. L<SSL_get_event_timeout(3)> to determine if any timeout event will become
  530. applicable in the future.
  531. =item
  532. It should wait until one of the following events occurs:
  533. =over 4
  534. =item
  535. The poll descriptor returned by L<SSL_get_rpoll_descriptor(3)> becomes readable
  536. (if L<SSL_net_read_desired(3)> returned 1);
  537. =item
  538. The poll descriptor returned by L<SSL_get_wpoll_descriptor(3)> becomes writable
  539. (if L<SSL_net_write_desired(3)> returned 1);
  540. =item
  541. The timeout returned by L<SSL_get_event_timeout(3)> (if any) expires.
  542. =back
  543. Once any of these events occurs, L<SSL_handle_events(3)> should be called.
  544. =back
  545. =item
  546. If the network read and write BIOs provided were not pollable (for example, in
  547. the case of L<BIO_s_dgram_pair(3)>), the application is responsible for managing
  548. and synchronising network I/O. It should call L<SSL_handle_events(3)> after it
  549. writes data to a L<BIO_s_dgram_pair(3)> or otherwise takes action so that the
  550. QUIC implementation can read new datagrams via a call to L<BIO_recvmmsg(3)> on
  551. the underlying network BIO. The QUIC implementation may output datagrams via a
  552. call to L<BIO_sendmmsg(3)> and the application is responsible for ensuring these
  553. are transmitted.
  554. The application must call L<SSL_get_event_timeout(3)> after every call to
  555. L<SSL_handle_events(3)> (or another I/O function on the SSL object), and ensure
  556. that a call to L<SSL_handle_events(3)> is performed after the specified timeout
  557. (if any).
  558. =back
  559. =head1 SEE ALSO
  560. L<SSL_handle_events(3)>, L<SSL_get_event_timeout(3)>,
  561. L<SSL_net_read_desired(3)>, L<SSL_net_write_desired(3)>,
  562. L<SSL_get_rpoll_descriptor(3)>, L<SSL_get_wpoll_descriptor(3)>,
  563. L<SSL_set_blocking_mode(3)>, L<SSL_shutdown_ex(3)>,
  564. L<SSL_set1_initial_peer_addr(3)>, L<SSL_stream_conclude(3)>,
  565. L<SSL_stream_reset(3)>, L<SSL_get_stream_read_state(3)>,
  566. L<SSL_get_stream_read_error_code(3)>, L<SSL_get_conn_close_info(3)>,
  567. L<SSL_get0_connection(3)>, L<SSL_get_stream_type(3)>, L<SSL_get_stream_id(3)>,
  568. L<SSL_new_stream(3)>, L<SSL_accept_stream(3)>,
  569. L<SSL_set_incoming_stream_policy(3)>, L<SSL_set_default_stream_mode(3)>
  570. =head1 COPYRIGHT
  571. Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
  572. Licensed under the Apache License 2.0 (the "License"). You may not use
  573. this file except in compliance with the License. You can obtain a copy
  574. in the file LICENSE in the source distribution or at
  575. L<https://www.openssl.org/source/license.html>.
  576. =cut