Open-Source Wikis

/

OpenSSL

/

OpenSSL

/

Glossary

openssl/openssl

Glossary

OpenSSL has accumulated thirty years of vocabulary. This page collects the terms you are most likely to need when reading the source.

Core abstractions

Term What it is Where it lives
OSSL_LIB_CTX A library context. Owns providers, namemap, RNG, default property query. NULL is the default context. crypto/context.c, include/openssl/crypto.h.in
Provider A module that publishes algorithm implementations via dispatch tables. Built-in (default/base/legacy/null) or dynamically loaded (e.g. fips.so). crypto/provider_core.c, providers/
OSSL_DISPATCH {int function_id; void(*fn)(void);} array — how providers expose functions to libcrypto. include/openssl/core.h, include/openssl/core_dispatch.h
OSSL_PARAM Generic typed key-value pair, used everywhere as input/output to provider operations. include/openssl/params.h, crypto/params.c
OSSL_ALGORITHM {names; properties; dispatch; description} — what a provider returns when libcrypto asks "what do you offer for operation X?". include/openssl/core.h
Namemap Bidirectional map between algorithm names ("AES-256-GCM", "id-aes256-GCM", "2.16.840.1.101.3.4.1.46") and integer ids. crypto/core_namemap.c
Property query A string like provider=fips,fips=yes that selects which implementation EVP_*_fetch returns. crypto/property/, doc/man7/property.pod
Fetch EVP_MD_fetch, EVP_CIPHER_fetch, EVP_PKEY_fetch_*, … look up an algorithm by name + property in a libctx and return a refcounted handle. crypto/evp/evp_fetch.c
Library context default A per-OSSL_LIB_CTX cache of "use this provider for this algorithm". Set via EVP_set_default_properties or in config. crypto/property/defn_cache.c

Algorithm front-ends (the EVP layer)

Term What it is
EVP_MD Algorithm-agnostic message digest (SHA-2, SHA-3, BLAKE2, …). Pair with EVP_MD_CTX.
EVP_CIPHER Symmetric cipher (AES, ChaCha20, …) with optional AEAD. Pair with EVP_CIPHER_CTX.
EVP_MAC MAC (HMAC, CMAC, GMAC, KMAC, Poly1305, BLAKE2-MAC, SipHash). Pair with EVP_MAC_CTX.
EVP_KDF Key derivation (HKDF, PBKDF2, scrypt, Argon2, SSHKDF, KBKDF, X9.42, X9.63, KRB5, SRTP, IKEv2, …).
EVP_RAND Random bit generator. Used to build per-OSSL_LIB_CTX and per-thread DRBGs.
EVP_PKEY Algorithm-agnostic asymmetric key (RSA, EC, Ed25519, X25519, ML-KEM, ML-DSA, SLH-DSA, LMS, DH, DSA, …).
EVP_KEYMGMT Provider hook for an asymmetric algorithm's key import/export/check/copy/gen-init.
EVP_SIGNATURE Provider hook for sign/verify (with or without separate digest).
EVP_KEYEXCH Provider hook for key exchange (DH, ECDH).
EVP_KEM Provider hook for KEMs (RSA-KEM, ML-KEM).
EVP_ASYM_CIPHER Provider hook for raw asymmetric encrypt/decrypt (RSA/OAEP, SM2, etc.).
EVP_SKEYMGMT / EVP_SKEY Symmetric-key management (3.4+) — opaque symmetric keys held in providers, e.g. for HSM-backed AES.
EVP_ENCODER / EVP_DECODER Format conversion (DER ↔ PEM ↔ structured params). Replaces the old i2d_/d2i_/PEM_* family for new code.

Encoded data

Term What it is
DER Distinguished Encoding Rules — the binary on-the-wire form of ASN.1 used in X.509, CMS, PKCS#7, PKCS#8, PKCS#12, etc.
PEM Privacy-Enhanced Mail textual encoding (-----BEGIN ...-----, base64, -----END ...-----). A wrapper around DER.
ASN.1 The schema language behind DER. OpenSSL has its own ASN.1 templates in *.h.in headers and its own parser/serializer in crypto/asn1/.
X.509 The certificate format (RFC 5280). Code in crypto/x509/, headers x509.h.in, x509v3.h.in, x509_vfy.h.in.
CMS Cryptographic Message Syntax (RFC 5652) — sign/encrypt/timestamp blobs of data. Successor to PKCS#7.
PKCS#7 Older signed/enveloped-data format. Mostly superseded by CMS.
PKCS#8 Private-key wrapping format (with optional encryption).
PKCS#12 Bundle of certificates and private keys, password-protected (.p12/.pfx).
OCSP Online Certificate Status Protocol — querying revocation.
CRL Certificate Revocation List.
CMP Certificate Management Protocol (RFC 4210). Implemented in crypto/cmp/.
CRMF Certificate Request Message Format (RFC 4211). In crypto/crmf/.
TS / RFC 3161 Time-Stamp Protocol. Implemented in crypto/ts/.
CT / SCT Certificate Transparency / Signed Certificate Timestamp (RFC 6962). In crypto/ct/.

Protocols

Term What it is
TLS Transport Layer Security 1.0–1.3. The current code supports up to TLSv1.3 (RFC 8446). ssl/.
DTLS Datagram TLS 1.0–1.2 (RFC 6347). Lives alongside TLS in ssl/d1_*.c and ssl/statem/statem_dtls.c.
QUIC RFC 9000. OpenSSL added a QUIC client in 3.2 and a server in 3.5. ssl/quic/.
ECH Encrypted Client Hello (draft) — encrypted SNI + handshake hints. ssl/ech/, design in doc/designs/ech-api.md.
ALPN Application-Layer Protocol Negotiation.
SRTP / DTLS-SRTP Secure RTP keying via DTLS. ssl/d1_srtp.c.
HPKE Hybrid Public Key Encryption (RFC 9180). crypto/hpke/.

Cryptographic primitives

Term What it is
RNG / DRBG / RAND Random number generator. OpenSSL builds a hierarchy of HMAC/HASH/CTR DRBGs over an entropy source (os by default; jitter available with enable-fips-jitter). crypto/rand/, providers/implementations/rands/.
AEAD Authenticated Encryption with Associated Data (AES-GCM, AES-CCM, ChaCha20-Poly1305, AES-GCM-SIV, AES-OCB).
AES-NI / vector instructions Hardware acceleration. CPU detection in crypto/cpuid.c, crypto/x86_64cpuid.pl, etc.; per-arch asm in crypto/{aes,sha,modes,…}/asm/.
ML-KEM Module-Lattice KEM (FIPS 203). crypto/ml_kem/.
ML-DSA Module-Lattice DSA (FIPS 204). crypto/ml_dsa/.
SLH-DSA Stateless Hash-Based Signatures (FIPS 205). crypto/slh_dsa/.
LMS Leighton-Micali stateful Hash-Based Signatures (RFC 8554). crypto/lms/.

TLS-specific

Term What it is
SSL_CTX Per-process configuration: certificates, trust store, cipher list, callbacks.
SSL Per-connection state: handshake progress, session, peer cert, IO buffers.
BIO Block I/O abstraction. TLS reads/writes go through a pair of BIOs (read BIO and write BIO). crypto/bio/.
Record layer Frames bytes into TLS records (or DTLS datagrams or QUIC packets) and applies record-level crypto. ssl/record/, ssl/quic/quic_record_*.c.
State machine Drives the handshake message-by-message. ssl/statem/.
Extensions TLS 1.3 builds heavily on extensions; client and server have separate handlers. ssl/statem/extensions_clnt.c, extensions_srvr.c.
Session ticket A server-encrypted blob that allows resumption without server-side state.
Group A TLS 1.3 named group for key share (e.g. x25519, secp256r1, mlkem768).
SignatureScheme A TLS 1.3 signature algorithm code point (e.g. rsa_pss_rsae_sha256, ed25519, mldsa44).

Build / packaging

Term What it is
Configure Top-level Perl configuration script. Reads Configurations/*.conf and your flags, emits Makefile and configdata.pm.
build.info Per-directory file describing what to build there. Compiled into the Makefile by Configurations/unix-Makefile.tmpl etc.
libcrypto.num / libssl.num The list of exported symbols and their ordinal numbers. Updated by make update.
POD Plain Old Documentation — Perl's man-page format. All of doc/man*/ is POD; rendered to nroff/HTML at install time.
DDD Demo-Driven Design — small motivating example programs in doc/designs/ddd/.

Things you might mis-Google

Term What it really is
ENGINE The pre-3.0 plugin mechanism for hardware/software accelerators. Deprecated in 3.0 in favor of providers. Code is still in crypto/engine/ for backward compatibility.
EVP_PKEY_CTX_ctrl The legacy controller-style API for setting per-operation parameters. New code uses OSSL_PARAM instead. The translator lives in crypto/evp/ctrl_params_translate.c.
SSL_OP_*, SSL_VERIFY_* flags TLS knobs. The canonical references are doc/man3/SSL_CTX_set_options.pod and friends.
OPENSSL_NO_* macros Compile-time feature flags. Generated into include/openssl/opensslconf.h from Configurations/*.conf.
WPACKET / PACKET Internal helpers for TLS-style "write into a length-prefixed buffer" / "read with a sliding cursor". ssl/packet_local.h, crypto/packet.c.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Glossary – OpenSSL wiki | Factory