summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorIngo Schwarze <schwarze@cvs.openbsd.org>2017-03-28 18:19:54 +0000
committerIngo Schwarze <schwarze@cvs.openbsd.org>2017-03-28 18:19:54 +0000
commit5c201b9d6668c154881be45911b5703beea9e594 (patch)
treed7039494fe8b121110492bf0b0328747d91906ee /lib
parentf83e91afcb6164fc61025e4214b9afebe018f75c (diff)
After i wrote SSL_renegotiate(3) from scratch, OpenSSL also
documented the function. Merge the more detailed descriptions and the additional documentation of SSL_renegotiate_abbreviated(3) and SSL_renegotiate_pending(3). From Matt Caswell, OpenSSL commit 39820637.
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/man/SSL_renegotiate.3121
1 files changed, 109 insertions, 12 deletions
diff --git a/lib/libssl/man/SSL_renegotiate.3 b/lib/libssl/man/SSL_renegotiate.3
index f5b59bae958..586425683cb 100644
--- a/lib/libssl/man/SSL_renegotiate.3
+++ b/lib/libssl/man/SSL_renegotiate.3
@@ -1,6 +1,10 @@
-.\" $OpenBSD: SSL_renegotiate.3,v 1.2 2016/12/10 13:54:32 schwarze Exp $
+.\" $OpenBSD: SSL_renegotiate.3,v 1.3 2017/03/28 18:19:53 schwarze Exp $
+.\" OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\" This file is a derived work.
+.\" Some parts are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2016, 2017 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,23 +18,85 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: December 10 2016 $
+.\" Other parts were written by Matt Caswell <matt@openssl.org>.
+.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 28 2017 $
.Dt SSL_RENEGOTIATE 3
.Os
.Sh NAME
.Nm SSL_renegotiate
-.Nd request a new session
+.Nd initiate a new TLS handshake
.Sh SYNOPSIS
.In openssl/ssl.h
.Ft int
.Fo SSL_renegotiate
.Fa "SSL *ssl"
.Fc
+.Ft int
+.Fo SSL_renegotiate_abbreviated
+.Fa "SSL *ssl"
+.Fc
+.Ft int
+.Fo SSL_renegotiate_pending
+.Fa "SSL *ssl"
+.Fc
.Sh DESCRIPTION
+When called from the client side,
.Fn SSL_renegotiate
-manually instructs
-.Fa ssl
-to renegotiate and generate a new session.
+schedules a completely new handshake over an existing TLS connection.
+The next time an I/O operation such as
+.Fn SSL_read
+or
+.Fn SSL_write
+takes place on the connection, a check is performed to confirm
+that it is a suitable time to start a renegotiation.
+If so, a new handshake is initiated immediately.
+An existing session associated with the connection is not resumed.
.Pp
This function is automatically called by
.Xr SSL_read 3
@@ -41,14 +107,45 @@ whenever the renegotiation byte count set by
or the timeout set by
.Xr BIO_set_ssl_renegotiate_timeout 3
are exceeded.
+.Pp
+When called from the client side,
+.Fn SSL_renegotiate_abbreviated
+is similar to
+.Fn SSL_renegotiate
+except that resuming the session associated with the current
+connection is attempted in the new handshake.
+.Pp
+When called from the server side,
+.Fn SSL_renegotiate
+and
+.Fn SSL_renegotiate_abbreviated
+behave identically.
+They both schedule a request for a new handshake to be sent to the client.
+The next time an I/O operation is performed, the same checks as on
+the client side are performed and then, if appropriate, the request
+is sent.
+The client may or may not respond with a new handshake and it may
+or may not attempt to resume an existing session.
+If a new handshake is started, it is handled transparently during
+any I/O function.
+.Pp
+If a LibreSSL client receives a renegotiation request from a server,
+it is also handled transparently during any I/O function.
+The client attempts to resume the current session in the new
+handshake.
+For historical reasons, DTLS clients do not attempt to resume
+the session in the new handshake.
.Sh RETURN VALUES
.Fn SSL_renegotiate
-always returns 1 unless the protocol-specific flag
-.Dv SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
-is set, in which case it may return 0.
-The API provides no function to set that flag;
-it can only be set by manipulating internal data structures.
+and
+.Fn SSL_renegotiate_abbreviated
+return 1 on success or 0 on error.
+.Pp
+.Fn SSL_renegotiate_pending
+returns 1 if a renegotiation or renegotiation request has been
+scheduled but not yet acted on, or 0 otherwise.
.Sh SEE ALSO
+.Xr SSL_do_handshake 3 ,
.Xr SSL_num_renegotiations 3 ,
.Xr SSL_read 3 ,
.Xr SSL_write 3