openssl/openssl
Glossary
OpenSSL has accumulated thirty years of vocabulary. This page collects the terms you are most likely to need when reading the source.
Core abstractions
| Term | What it is | Where it lives |
|---|---|---|
OSSL_LIB_CTX |
A library context. Owns providers, namemap, RNG, default property query. NULL is the default context. |
crypto/context.c, include/openssl/crypto.h.in |
| Provider | A module that publishes algorithm implementations via dispatch tables. Built-in (default/base/legacy/null) or dynamically loaded (e.g. fips.so). |
crypto/provider_core.c, providers/ |
OSSL_DISPATCH |
{int function_id; void(*fn)(void);} array — how providers expose functions to libcrypto. |
include/openssl/core.h, include/openssl/core_dispatch.h |
OSSL_PARAM |
Generic typed key-value pair, used everywhere as input/output to provider operations. | include/openssl/params.h, crypto/params.c |
OSSL_ALGORITHM |
{names; properties; dispatch; description} — what a provider returns when libcrypto asks "what do you offer for operation X?". |
include/openssl/core.h |
| Namemap | Bidirectional map between algorithm names ("AES-256-GCM", "id-aes256-GCM", "2.16.840.1.101.3.4.1.46") and integer ids. | crypto/core_namemap.c |
| Property query | A string like provider=fips,fips=yes that selects which implementation EVP_*_fetch returns. |
crypto/property/, doc/man7/property.pod |
| Fetch | EVP_MD_fetch, EVP_CIPHER_fetch, EVP_PKEY_fetch_*, … look up an algorithm by name + property in a libctx and return a refcounted handle. |
crypto/evp/evp_fetch.c |
| Library context default | A per-OSSL_LIB_CTX cache of "use this provider for this algorithm". Set via EVP_set_default_properties or in config. |
crypto/property/defn_cache.c |
Algorithm front-ends (the EVP layer)
| Term | What it is |
|---|---|
EVP_MD |
Algorithm-agnostic message digest (SHA-2, SHA-3, BLAKE2, …). Pair with EVP_MD_CTX. |
EVP_CIPHER |
Symmetric cipher (AES, ChaCha20, …) with optional AEAD. Pair with EVP_CIPHER_CTX. |
EVP_MAC |
MAC (HMAC, CMAC, GMAC, KMAC, Poly1305, BLAKE2-MAC, SipHash). Pair with EVP_MAC_CTX. |
EVP_KDF |
Key derivation (HKDF, PBKDF2, scrypt, Argon2, SSHKDF, KBKDF, X9.42, X9.63, KRB5, SRTP, IKEv2, …). |
EVP_RAND |
Random bit generator. Used to build per-OSSL_LIB_CTX and per-thread DRBGs. |
EVP_PKEY |
Algorithm-agnostic asymmetric key (RSA, EC, Ed25519, X25519, ML-KEM, ML-DSA, SLH-DSA, LMS, DH, DSA, …). |
EVP_KEYMGMT |
Provider hook for an asymmetric algorithm's key import/export/check/copy/gen-init. |
EVP_SIGNATURE |
Provider hook for sign/verify (with or without separate digest). |
EVP_KEYEXCH |
Provider hook for key exchange (DH, ECDH). |
EVP_KEM |
Provider hook for KEMs (RSA-KEM, ML-KEM). |
EVP_ASYM_CIPHER |
Provider hook for raw asymmetric encrypt/decrypt (RSA/OAEP, SM2, etc.). |
EVP_SKEYMGMT / EVP_SKEY |
Symmetric-key management (3.4+) — opaque symmetric keys held in providers, e.g. for HSM-backed AES. |
EVP_ENCODER / EVP_DECODER |
Format conversion (DER ↔ PEM ↔ structured params). Replaces the old i2d_/d2i_/PEM_* family for new code. |
Encoded data
| Term | What it is |
|---|---|
| DER | Distinguished Encoding Rules — the binary on-the-wire form of ASN.1 used in X.509, CMS, PKCS#7, PKCS#8, PKCS#12, etc. |
| PEM | Privacy-Enhanced Mail textual encoding (-----BEGIN ...-----, base64, -----END ...-----). A wrapper around DER. |
| ASN.1 | The schema language behind DER. OpenSSL has its own ASN.1 templates in *.h.in headers and its own parser/serializer in crypto/asn1/. |
| X.509 | The certificate format (RFC 5280). Code in crypto/x509/, headers x509.h.in, x509v3.h.in, x509_vfy.h.in. |
| CMS | Cryptographic Message Syntax (RFC 5652) — sign/encrypt/timestamp blobs of data. Successor to PKCS#7. |
| PKCS#7 | Older signed/enveloped-data format. Mostly superseded by CMS. |
| PKCS#8 | Private-key wrapping format (with optional encryption). |
| PKCS#12 | Bundle of certificates and private keys, password-protected (.p12/.pfx). |
| OCSP | Online Certificate Status Protocol — querying revocation. |
| CRL | Certificate Revocation List. |
| CMP | Certificate Management Protocol (RFC 4210). Implemented in crypto/cmp/. |
| CRMF | Certificate Request Message Format (RFC 4211). In crypto/crmf/. |
| TS / RFC 3161 | Time-Stamp Protocol. Implemented in crypto/ts/. |
| CT / SCT | Certificate Transparency / Signed Certificate Timestamp (RFC 6962). In crypto/ct/. |
Protocols
| Term | What it is |
|---|---|
| TLS | Transport Layer Security 1.0–1.3. The current code supports up to TLSv1.3 (RFC 8446). ssl/. |
| DTLS | Datagram TLS 1.0–1.2 (RFC 6347). Lives alongside TLS in ssl/d1_*.c and ssl/statem/statem_dtls.c. |
| QUIC | RFC 9000. OpenSSL added a QUIC client in 3.2 and a server in 3.5. ssl/quic/. |
| ECH | Encrypted Client Hello (draft) — encrypted SNI + handshake hints. ssl/ech/, design in doc/designs/ech-api.md. |
| ALPN | Application-Layer Protocol Negotiation. |
| SRTP / DTLS-SRTP | Secure RTP keying via DTLS. ssl/d1_srtp.c. |
| HPKE | Hybrid Public Key Encryption (RFC 9180). crypto/hpke/. |
Cryptographic primitives
| Term | What it is |
|---|---|
| RNG / DRBG / RAND | Random number generator. OpenSSL builds a hierarchy of HMAC/HASH/CTR DRBGs over an entropy source (os by default; jitter available with enable-fips-jitter). crypto/rand/, providers/implementations/rands/. |
| AEAD | Authenticated Encryption with Associated Data (AES-GCM, AES-CCM, ChaCha20-Poly1305, AES-GCM-SIV, AES-OCB). |
| AES-NI / vector instructions | Hardware acceleration. CPU detection in crypto/cpuid.c, crypto/x86_64cpuid.pl, etc.; per-arch asm in crypto/{aes,sha,modes,…}/asm/. |
| ML-KEM | Module-Lattice KEM (FIPS 203). crypto/ml_kem/. |
| ML-DSA | Module-Lattice DSA (FIPS 204). crypto/ml_dsa/. |
| SLH-DSA | Stateless Hash-Based Signatures (FIPS 205). crypto/slh_dsa/. |
| LMS | Leighton-Micali stateful Hash-Based Signatures (RFC 8554). crypto/lms/. |
TLS-specific
| Term | What it is |
|---|---|
SSL_CTX |
Per-process configuration: certificates, trust store, cipher list, callbacks. |
SSL |
Per-connection state: handshake progress, session, peer cert, IO buffers. |
BIO |
Block I/O abstraction. TLS reads/writes go through a pair of BIOs (read BIO and write BIO). crypto/bio/. |
| Record layer | Frames bytes into TLS records (or DTLS datagrams or QUIC packets) and applies record-level crypto. ssl/record/, ssl/quic/quic_record_*.c. |
| State machine | Drives the handshake message-by-message. ssl/statem/. |
| Extensions | TLS 1.3 builds heavily on extensions; client and server have separate handlers. ssl/statem/extensions_clnt.c, extensions_srvr.c. |
| Session ticket | A server-encrypted blob that allows resumption without server-side state. |
| Group | A TLS 1.3 named group for key share (e.g. x25519, secp256r1, mlkem768). |
| SignatureScheme | A TLS 1.3 signature algorithm code point (e.g. rsa_pss_rsae_sha256, ed25519, mldsa44). |
Build / packaging
| Term | What it is |
|---|---|
Configure |
Top-level Perl configuration script. Reads Configurations/*.conf and your flags, emits Makefile and configdata.pm. |
build.info |
Per-directory file describing what to build there. Compiled into the Makefile by Configurations/unix-Makefile.tmpl etc. |
libcrypto.num / libssl.num |
The list of exported symbols and their ordinal numbers. Updated by make update. |
| POD | Plain Old Documentation — Perl's man-page format. All of doc/man*/ is POD; rendered to nroff/HTML at install time. |
| DDD | Demo-Driven Design — small motivating example programs in doc/designs/ddd/. |
Things you might mis-Google
| Term | What it really is |
|---|---|
| ENGINE | The pre-3.0 plugin mechanism for hardware/software accelerators. Deprecated in 3.0 in favor of providers. Code is still in crypto/engine/ for backward compatibility. |
EVP_PKEY_CTX_ctrl |
The legacy controller-style API for setting per-operation parameters. New code uses OSSL_PARAM instead. The translator lives in crypto/evp/ctrl_params_translate.c. |
SSL_OP_*, SSL_VERIFY_* flags |
TLS knobs. The canonical references are doc/man3/SSL_CTX_set_options.pod and friends. |
OPENSSL_NO_* macros |
Compile-time feature flags. Generated into include/openssl/opensslconf.h from Configurations/*.conf. |
| WPACKET / PACKET | Internal helpers for TLS-style "write into a length-prefixed buffer" / "read with a sliding cursor". ssl/packet_local.h, crypto/packet.c. |
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.