From: Tomas Mraz Date: Wed, 28 Jun 2023 15:12:13 +0000 (+0200) Subject: Document the effect of SSL_OP_CLEANSE_PLAINTEXT on send stream data X-Git-Tag: openssl-3.2.0-alpha1~538 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42926ca7f237126331a46cad159e6d31e2eafcc8;p=thirdparty%2Fopenssl.git Document the effect of SSL_OP_CLEANSE_PLAINTEXT on send stream data Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/21311) --- diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 44d2fd1342c..3605c7e6427 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -129,7 +129,7 @@ connection. Only available when using the deprecated DTLSv1_client_method() API. =item SSL_OP_CLEANSE_PLAINTEXT -By default TLS connections keep a copy of received plaintext +By default TLS and QUIC SSL objects keep a copy of received plaintext application data in a static buffer until it is overwritten by the next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT deciphered application data is cleansed by calling OPENSSL_cleanse(3) @@ -141,6 +141,14 @@ responsible for cleansing all other buffers. Most notably, this applies to buffers passed to functions like L, L but also like L. +TLS connections do not buffer data to be sent in plaintext. QUIC stream +objects do buffer plaintext data to be sent and this option will also cause +that data to be cleansed when it is discarded. + +This option can be set differently on individual QUIC stream objects and +has no effect on QUIC connection objects (except where a default stream is +being used). + =item SSL_OP_COOKIE_EXCHANGE Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
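Review bot: In the second hunk, "this option will also cause that data to be cleansed when it is discarded" leaves the lifetime of the send-side plaintext copy unspecified, and that lifetime is exactly what a caller enabling SSL_OP_CLEANSE_PLAINTEXT wants to bound; the paragraph should state at what point a QUIC stream discards buffered send data (for example once the peer has acknowledged it, if that is the behaviour) so the reader knows how long the plaintext can remain in memory. The following paragraph would also read more completely if it said whether a newly created stream object inherits the option from its connection object, since "can be set differently on individual QUIC stream objects" only covers an explicit per-stream setting and "has no effect on QUIC connection objects (except where a default stream is being used)" does not say what the starting value of a new stream is.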