1 files changed, 109 insertions, 12 deletions
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
index f5b59bae95..586425683c 100644
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ b/src/lib/libssl/man/SSL_renegotiate.3
@@ -1,6 +1,10 @@
-.\"     $OpenBSD: SSL_renegotiate.3,v 1.2 2016/12/10 13:54:32 schwarze Exp $
+.\"     $OpenBSD: SSL_renegotiate.3,v 1.3 2017/03/28 18:19:53 schwarze Exp $
+.\"     OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
 .\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\" This file is a derived work.
+.\" Some parts are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2016, 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,23 +18,85 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 10 2016 $
+.\" Other parts were written by Matt Caswell <matt@openssl.org>.
+.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: March 28 2017 $
 .Dt SSL_RENEGOTIATE 3
 .Os
 .Sh NAME
 .Nm SSL_renegotiate
-.Nd request a new session
+.Nd initiate a new TLS handshake
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_renegotiate
 .Fa "SSL *ssl"
 .Fc
+.Ft int
+.Fo SSL_renegotiate_abbreviated
+.Fa "SSL *ssl"
+.Fc
+.Ft int
+.Fo SSL_renegotiate_pending
+.Fa "SSL *ssl"
+.Fc
 .Sh DESCRIPTION
+When called from the client side,
 .Fn SSL_renegotiate
-manually instructs
+schedules a completely new handshake over an existing TLS connection.
-.Fa ssl
+The next time an I/O operation such as
-to renegotiate and generate a new session.
+.Fn SSL_read
+or
+.Fn SSL_write
+takes place on the connection, a check is performed to confirm
+that it is a suitable time to start a renegotiation.
+If so, a new handshake is initiated immediately.
+An existing session associated with the connection is not resumed.
 .Pp
 This function is automatically called by
 .Xr SSL_read 3
@@ -41,14 +107,45 @@ whenever the renegotiation byte count set by
 or the timeout set by
 .Xr BIO_set_ssl_renegotiate_timeout 3
 are exceeded.
+.Pp
+When called from the client side,
+.Fn SSL_renegotiate_abbreviated
+is similar to
+.Fn SSL_renegotiate
+except that resuming the session associated with the current
+connection is attempted in the new handshake.
+.Pp
+When called from the server side,
+.Fn SSL_renegotiate
+and
+.Fn SSL_renegotiate_abbreviated
+behave identically.
+They both schedule a request for a new handshake to be sent to the client.
+The next time an I/O operation is performed, the same checks as on
+the client side are performed and then, if appropriate, the request
+is sent.
+The client may or may not respond with a new handshake and it may
+or may not attempt to resume an existing session.
+If a new handshake is started, it is handled transparently during
+any I/O function.
+.Pp
+If a LibreSSL client receives a renegotiation request from a server,
+it is also handled transparently during any I/O function.
+The client attempts to resume the current session in the new
+handshake.
+For historical reasons, DTLS clients do not attempt to resume
+the session in the new handshake.
 .Sh RETURN VALUES
 .Fn SSL_renegotiate
-always returns 1 unless the protocol-specific flag
+and
-.Dv SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
+.Fn SSL_renegotiate_abbreviated
-is set, in which case it may return 0.
+return 1 on success or 0 on error.
-The API provides no function to set that flag;
+.Pp
-it can only be set by manipulating internal data structures.
+.Fn SSL_renegotiate_pending
+returns 1 if a renegotiation or renegotiation request has been
+scheduled but not yet acted on, or 0 otherwise.
 .Sh SEE ALSO
+.Xr SSL_do_handshake 3 ,
 .Xr SSL_num_renegotiations 3 ,
 .Xr SSL_read 3 ,
 .Xr SSL_write 3

diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3 index f5b59bae95..586425683c 100644 --- a/src/lib/libssl/man/SSL_renegotiate.3 +++ b/src/lib/libssl/man/SSL_renegotiate.3
@@ -1,6 +1,10 @@
1	.\" $OpenBSD: SSL_renegotiate.3,v 1.2 2016/12/10 13:54:32 schwarze Exp $	1	.\" $OpenBSD: SSL_renegotiate.3,v 1.3 2017/03/28 18:19:53 schwarze Exp $
		2	.\" OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
2	.\"	3	.\"
3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>	4	.\" This file is a derived work.
		5	.\" Some parts are covered by the following Copyright and license:
		6	.\"
		7	.\" Copyright (c) 2016, 2017 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	8	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any	9	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above	10	.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,23 +18,85 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	18	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	19	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	20	.\"
17	.Dd $Mdocdate: December 10 2016 $	21	.\" Other parts were written by Matt Caswell <matt@openssl.org>.
		22	.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
		23	.\"
		24	.\" Redistribution and use in source and binary forms, with or without
		25	.\" modification, are permitted provided that the following conditions
		26	.\" are met:
		27	.\"
		28	.\" 1. Redistributions of source code must retain the above copyright
		29	.\" notice, this list of conditions and the following disclaimer.
		30	.\"
		31	.\" 2. Redistributions in binary form must reproduce the above copyright
		32	.\" notice, this list of conditions and the following disclaimer in
		33	.\" the documentation and/or other materials provided with the
		34	.\" distribution.
		35	.\"
		36	.\" 3. All advertising materials mentioning features or use of this
		37	.\" software must display the following acknowledgment:
		38	.\" "This product includes software developed by the OpenSSL Project
		39	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		40	.\"
		41	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		42	.\" endorse or promote products derived from this software without
		43	.\" prior written permission. For written permission, please contact
		44	.\" openssl-core@openssl.org.
		45	.\"
		46	.\" 5. Products derived from this software may not be called "OpenSSL"
		47	.\" nor may "OpenSSL" appear in their names without prior written
		48	.\" permission of the OpenSSL Project.
		49	.\"
		50	.\" 6. Redistributions of any form whatsoever must retain the following
		51	.\" acknowledgment:
		52	.\" "This product includes software developed by the OpenSSL Project
		53	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		54	.\"
		55	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		56	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		57	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		58	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		59	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		60	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		61	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		62	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		63	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		64	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
		67	.\"
		68	.Dd $Mdocdate: March 28 2017 $
18	.Dt SSL_RENEGOTIATE 3	69	.Dt SSL_RENEGOTIATE 3
19	.Os	70	.Os
20	.Sh NAME	71	.Sh NAME
21	.Nm SSL_renegotiate	72	.Nm SSL_renegotiate
22	.Nd request a new session	73	.Nd initiate a new TLS handshake
23	.Sh SYNOPSIS	74	.Sh SYNOPSIS
24	.In openssl/ssl.h	75	.In openssl/ssl.h
25	.Ft int	76	.Ft int
26	.Fo SSL_renegotiate	77	.Fo SSL_renegotiate
27	.Fa "SSL *ssl"	78	.Fa "SSL *ssl"
28	.Fc	79	.Fc
		80	.Ft int
		81	.Fo SSL_renegotiate_abbreviated
		82	.Fa "SSL *ssl"
		83	.Fc
		84	.Ft int
		85	.Fo SSL_renegotiate_pending
		86	.Fa "SSL *ssl"
		87	.Fc
29	.Sh DESCRIPTION	88	.Sh DESCRIPTION
		89	When called from the client side,
30	.Fn SSL_renegotiate	90	.Fn SSL_renegotiate
31	manually instructs	91	schedules a completely new handshake over an existing TLS connection.
32	.Fa ssl	92	The next time an I/O operation such as
33	to renegotiate and generate a new session.	93	.Fn SSL_read
		94	or
		95	.Fn SSL_write
		96	takes place on the connection, a check is performed to confirm
		97	that it is a suitable time to start a renegotiation.
		98	If so, a new handshake is initiated immediately.
		99	An existing session associated with the connection is not resumed.
34	.Pp	100	.Pp
35	This function is automatically called by	101	This function is automatically called by
36	.Xr SSL_read 3	102	.Xr SSL_read 3
@@ -41,14 +107,45 @@ whenever the renegotiation byte count set by
41	or the timeout set by	107	or the timeout set by
42	.Xr BIO_set_ssl_renegotiate_timeout 3	108	.Xr BIO_set_ssl_renegotiate_timeout 3
43	are exceeded.	109	are exceeded.
		110	.Pp
		111	When called from the client side,
		112	.Fn SSL_renegotiate_abbreviated
		113	is similar to
		114	.Fn SSL_renegotiate
		115	except that resuming the session associated with the current
		116	connection is attempted in the new handshake.
		117	.Pp
		118	When called from the server side,
		119	.Fn SSL_renegotiate
		120	and
		121	.Fn SSL_renegotiate_abbreviated
		122	behave identically.
		123	They both schedule a request for a new handshake to be sent to the client.
		124	The next time an I/O operation is performed, the same checks as on
		125	the client side are performed and then, if appropriate, the request
		126	is sent.
		127	The client may or may not respond with a new handshake and it may
		128	or may not attempt to resume an existing session.
		129	If a new handshake is started, it is handled transparently during
		130	any I/O function.
		131	.Pp
		132	If a LibreSSL client receives a renegotiation request from a server,
		133	it is also handled transparently during any I/O function.
		134	The client attempts to resume the current session in the new
		135	handshake.
		136	For historical reasons, DTLS clients do not attempt to resume
		137	the session in the new handshake.
44	.Sh RETURN VALUES	138	.Sh RETURN VALUES
45	.Fn SSL_renegotiate	139	.Fn SSL_renegotiate
46	always returns 1 unless the protocol-specific flag	140	and
47	.Dv SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS	141	.Fn SSL_renegotiate_abbreviated
48	is set, in which case it may return 0.	142	return 1 on success or 0 on error.
49	The API provides no function to set that flag;	143	.Pp
50	it can only be set by manipulating internal data structures.	144	.Fn SSL_renegotiate_pending
		145	returns 1 if a renegotiation or renegotiation request has been
		146	scheduled but not yet acted on, or 0 otherwise.
51	.Sh SEE ALSO	147	.Sh SEE ALSO
		148	.Xr SSL_do_handshake 3 ,
52	.Xr SSL_num_renegotiations 3 ,	149	.Xr SSL_num_renegotiations 3 ,
53	.Xr SSL_read 3 ,	150	.Xr SSL_read 3 ,
54	.Xr SSL_write 3	151	.Xr SSL_write 3