2
0

SSL_key_update.pod 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128
  1. =pod
  2. =head1 NAME
  3. SSL_key_update,
  4. SSL_get_key_update_type,
  5. SSL_renegotiate,
  6. SSL_renegotiate_abbreviated,
  7. SSL_renegotiate_pending
  8. - initiate and obtain information about updating connection keys
  9. =head1 SYNOPSIS
  10. #include <openssl/ssl.h>
  11. int SSL_key_update(SSL *s, int updatetype);
  12. int SSL_get_key_update_type(const SSL *s);
  13. int SSL_renegotiate(SSL *s);
  14. int SSL_renegotiate_abbreviated(SSL *s);
  15. int SSL_renegotiate_pending(const SSL *s);
  16. =head1 DESCRIPTION
  17. SSL_key_update() schedules an update of the keys for the current TLS connection.
  18. If the B<updatetype> parameter is set to B<SSL_KEY_UPDATE_NOT_REQUESTED> then
  19. the sending keys for this connection will be updated and the peer will be
  20. informed of the change. If the B<updatetype> parameter is set to
  21. B<SSL_KEY_UPDATE_REQUESTED> then the sending keys for this connection will be
  22. updated and the peer will be informed of the change along with a request for the
  23. peer to additionally update its sending keys. It is an error if B<updatetype> is
  24. set to B<SSL_KEY_UPDATE_NONE>.
  25. SSL_key_update() must only be called after the initial handshake has been
  26. completed and TLSv1.3 or QUIC has been negotiated, at the same time, the
  27. application needs to ensure that the writing of data has been completed. The key
  28. update will not take place until the next time an IO operation such as
  29. SSL_read_ex() or SSL_write_ex() takes place on the connection. Alternatively
  30. SSL_do_handshake() can be called to force the update to take place immediately.
  31. SSL_get_key_update_type() can be used to determine whether a key update
  32. operation has been scheduled but not yet performed. The type of the pending key
  33. update operation will be returned if there is one, or SSL_KEY_UPDATE_NONE
  34. otherwise.
  35. SSL_renegotiate() and SSL_renegotiate_abbreviated() should only be called for
  36. connections that have negotiated TLSv1.2 or less. Calling them on any other
  37. connection will result in an error.
  38. When called from the client side, SSL_renegotiate() schedules a completely new
  39. handshake over an existing SSL/TLS connection. The next time an IO operation
  40. such as SSL_read_ex() or SSL_write_ex() takes place on the connection a check
  41. will be performed to confirm that it is a suitable time to start a
  42. renegotiation. If so, then it will be initiated immediately. OpenSSL will not
  43. attempt to resume any session associated with the connection in the new
  44. handshake.
  45. When called from the client side, SSL_renegotiate_abbreviated() works in the
  46. same was as SSL_renegotiate() except that OpenSSL will attempt to resume the
  47. session associated with the current connection in the new handshake.
  48. When called from the server side, SSL_renegotiate() and
  49. SSL_renegotiate_abbreviated() behave identically. They both schedule a request
  50. for a new handshake to be sent to the client. The next time an IO operation is
  51. performed then the same checks as on the client side are performed and then, if
  52. appropriate, the request is sent. The client may or may not respond with a new
  53. handshake and it may or may not attempt to resume an existing session. If
  54. a new handshake is started then this will be handled transparently by calling
  55. any OpenSSL IO function.
  56. If an OpenSSL client receives a renegotiation request from a server then again
  57. this will be handled transparently through calling any OpenSSL IO function. For
  58. a TLS connection the client will attempt to resume the current session in the
  59. new handshake. For historical reasons, DTLS clients will not attempt to resume
  60. the session in the new handshake.
  61. The SSL_renegotiate_pending() function returns 1 if a renegotiation or
  62. renegotiation request has been scheduled but not yet acted on, or 0 otherwise.
  63. =head1 USAGE WITH QUIC
  64. SSL_key_update() can also be used to perform a key update when using QUIC. The
  65. function must be called on a QUIC connection SSL object. This is normally done
  66. automatically when needed. Since a locally initiated QUIC key update always
  67. causes a peer to also trigger a key update, passing
  68. B<SSL_KEY_UPDATE_NOT_REQUESTED> as B<updatetype> has the same effect as passing
  69. B<SSL_KEY_UPDATE_REQUESTED>.
  70. The QUIC connection must have been fully established before a key update can be
  71. performed, and other QUIC protocol rules govern how frequently QUIC key update
  72. can be performed. SSL_key_update() will fail if these requirements are not met.
  73. Because QUIC key updates are always handled immediately,
  74. SSL_get_key_update_type() always returns SSL_KEY_UPDATE_NONE when called on a
  75. QUIC connection SSL object.
  76. =head1 RETURN VALUES
  77. SSL_key_update(), SSL_renegotiate() and SSL_renegotiate_abbreviated() return 1
  78. on success or 0 on error.
  79. SSL_get_key_update_type() returns the update type of the pending key update
  80. operation or SSL_KEY_UPDATE_NONE if there is none.
  81. SSL_renegotiate_pending() returns 1 if a renegotiation or renegotiation request
  82. has been scheduled but not yet acted on, or 0 otherwise.
  83. =head1 SEE ALSO
  84. L<ssl(7)>, L<SSL_read_ex(3)>,
  85. L<SSL_write_ex(3)>,
  86. L<SSL_do_handshake(3)>
  87. =head1 HISTORY
  88. The SSL_key_update() and SSL_get_key_update_type() functions were added in
  89. OpenSSL 1.1.1.
  90. =head1 COPYRIGHT
  91. Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
  92. Licensed under the Apache License 2.0 (the "License"). You may not use
  93. this file except in compliance with the License. You can obtain a copy
  94. in the file LICENSE in the source distribution or at
  95. L<https://www.openssl.org/source/license.html>.
  96. =cut