xref: /freebsd/crypto/openssl/doc/man3/SSL_key_update.pod (revision 02e9120893770924227138ba49df1edb3896112a)
1=pod
2
3=head1 NAME
4
5SSL_key_update,
6SSL_get_key_update_type,
7SSL_renegotiate,
8SSL_renegotiate_abbreviated,
9SSL_renegotiate_pending
10- initiate and obtain information about updating connection keys
11
12=head1 SYNOPSIS
13
14 #include <openssl/ssl.h>
15
16 int SSL_key_update(SSL *s, int updatetype);
17 int SSL_get_key_update_type(const SSL *s);
18
19 int SSL_renegotiate(SSL *s);
20 int SSL_renegotiate_abbreviated(SSL *s);
21 int SSL_renegotiate_pending(const SSL *s);
22
23=head1 DESCRIPTION
24
25SSL_key_update() schedules an update of the keys for the current TLS connection.
26If the B<updatetype> parameter is set to B<SSL_KEY_UPDATE_NOT_REQUESTED> then
27the sending keys for this connection will be updated and the peer will be
28informed of the change. If the B<updatetype> parameter is set to
29B<SSL_KEY_UPDATE_REQUESTED> then the sending keys for this connection will be
30updated and the peer will be informed of the change along with a request for the
31peer to additionally update its sending keys. It is an error if B<updatetype> is
32set to B<SSL_KEY_UPDATE_NONE>.
33
34SSL_key_update() must only be called after the initial handshake has been
35completed and TLSv1.3 has been negotiated, at the same time, the application
36needs to ensure that the writing of data has been completed. The key update
37will not take place until the next time an IO operation such as SSL_read_ex()
38or SSL_write_ex() takes place on the connection. Alternatively SSL_do_handshake()
39can be called to force the update to take place immediately.
40
41SSL_get_key_update_type() can be used to determine whether a key update
42operation has been scheduled but not yet performed. The type of the pending key
43update operation will be returned if there is one, or SSL_KEY_UPDATE_NONE
44otherwise.
45
46SSL_renegotiate() and SSL_renegotiate_abbreviated() should only be called for
47connections that have negotiated TLSv1.2 or less. Calling them on any other
48connection will result in an error.
49
50When called from the client side, SSL_renegotiate() schedules a completely new
51handshake over an existing SSL/TLS connection. The next time an IO operation
52such as SSL_read_ex() or SSL_write_ex() takes place on the connection a check
53will be performed to confirm that it is a suitable time to start a
54renegotiation. If so, then it will be initiated immediately. OpenSSL will not
55attempt to resume any session associated with the connection in the new
56handshake.
57
58When called from the client side, SSL_renegotiate_abbreviated() works in the
59same was as SSL_renegotiate() except that OpenSSL will attempt to resume the
60session associated with the current connection in the new handshake.
61
62When called from the server side, SSL_renegotiate() and
63SSL_renegotiate_abbreviated() behave identically. They both schedule a request
64for a new handshake to be sent to the client. The next time an IO operation is
65performed then the same checks as on the client side are performed and then, if
66appropriate, the request is sent. The client may or may not respond with a new
67handshake and it may or may not attempt to resume an existing session. If
68a new handshake is started then this will be handled transparently by calling
69any OpenSSL IO function.
70
71If an OpenSSL client receives a renegotiation request from a server then again
72this will be handled transparently through calling any OpenSSL IO function. For
73a TLS connection the client will attempt to resume the current session in the
74new handshake. For historical reasons, DTLS clients will not attempt to resume
75the session in the new handshake.
76
77The SSL_renegotiate_pending() function returns 1 if a renegotiation or
78renegotiation request has been scheduled but not yet acted on, or 0 otherwise.
79
80=head1 RETURN VALUES
81
82SSL_key_update(), SSL_renegotiate() and SSL_renegotiate_abbreviated() return 1
83on success or 0 on error.
84
85SSL_get_key_update_type() returns the update type of the pending key update
86operation or SSL_KEY_UPDATE_NONE if there is none.
87
88SSL_renegotiate_pending() returns 1 if a renegotiation or renegotiation request
89has been scheduled but not yet acted on, or 0 otherwise.
90
91=head1 SEE ALSO
92
93L<ssl(7)>, L<SSL_read_ex(3)>,
94L<SSL_write_ex(3)>,
95L<SSL_do_handshake(3)>
96
97=head1 HISTORY
98
99The SSL_key_update() and SSL_get_key_update_type() functions were added in
100OpenSSL 1.1.1.
101
102=head1 COPYRIGHT
103
104Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
105
106Licensed under the Apache License 2.0 (the "License").  You may not use
107this file except in compliance with the License.  You can obtain a copy
108in the file LICENSE in the source distribution or at
109L<https://www.openssl.org/source/license.html>.
110
111=cut
112