From ca24748b80987ee49073bb07a4dda73f6eb12c8c Mon Sep 17 00:00:00 2001 From: Alexandr Nedvedicky Date: Wed, 5 Nov 2025 08:24:59 +0100 Subject: [PATCH] Clarify processing of CRYPTO frame in SSL_set_quic_tls_cbs(3ossl) We should remind 3rd-party QUIC stack implementors their QUIC stack must ensure to provide all CRYPTO frames to OpenSSL/TLS for processing. The CRYPTO frames keep coming even after confirmation of TLS handshake. Fixes #28963 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/29070) --- doc/man3/SSL_set_quic_tls_cbs.pod | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/man3/SSL_set_quic_tls_cbs.pod b/doc/man3/SSL_set_quic_tls_cbs.pod index 75d217bdeaa..65dab1d974b 100644 --- a/doc/man3/SSL_set_quic_tls_cbs.pod +++ b/doc/man3/SSL_set_quic_tls_cbs.pod @@ -70,6 +70,11 @@ given SSL object I, a set of callbacks are supplied in an B table via I. The I parameter will be passed as an argument when the various callbacks are called. +The above callbacks are invoked, as needed, by SSL_do_handshake() and SSL_read() (including +SSL_read_ex, SSL_peek, SSL_peek_ex). Once the SSL handshake is complete, the QUIC +stack must arrange to call one of the SSL_read() variants whenever a post-handshake CRYPTO +frame is received. The number of bytes requested may be zero. + An B table should consist of an array of B entries where each entry is a function id, and a function pointer. The array should be terminated with an empty entry (i.e. a 0 function id, and a NULL function -- 2.47.3
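Review bot: The last added sentence, "The number of bytes requested may be zero.", does not say what the caller should expect back from such a call, so an implementor cannot tell a successful zero-length read that only drove CRYPTO processing from a failure. Suggest stating the expected return for a zero-length request and that the call is made solely so the callbacks can consume the pending CRYPTO data. The paragraph also says the stack "must arrange to call" a read variant but gives no consequence for skipping it; one sentence on what goes unprocessed would make the requirement easier to act on, since the commit message's point that CRYPTO frames keep arriving after handshake confirmation is not carried into the text. Two style points in the same paragraph: "SSL_read_ex, SSL_peek, SSL_peek_ex" lack the "()" used for "SSL_do_handshake()" and "SSL_read()" on the same line, and "The above callbacks" precedes the description of the table entries, so "These callbacks" would read more accurately at this position.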