X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=doc%2Fssl%2FSSL_read.pod;h=947c8687f42b7428f4f09ad311f8b1e8f558ac64;hp=708b20fdb5e3fd4831e6bcf59d6f27e2a1e72b6c;hb=a528d4f0a9a71405f3ca06e20cbd27aa1b8c0df9;hpb=c19b6c922a6575974455404be3c1409de60fb1eb diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index 708b20fdb5..947c8687f4 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod @@ -8,7 +8,7 @@ SSL_read - read bytes from a TLS/SSL connection. #include - int SSL_read(SSL *ssl, char *buf, int num); + int SSL_read(SSL *ssl, void *buf, int num); =head1 DESCRIPTION 
@@ -18,17 +18,43 @@ buffer B. =head1 NOTES If necessary, SSL_read() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L or +L. If the peer requests a re-negotiation, it will be performed transparently during the SSL_read() operation. The behaviour of SSL_read() depends on the underlying BIO. +For the transparent negotiation to succeed, the B must have been +initialized to client or server mode. This is being done by calling +L or SSL_set_accept_state() +before the first call to an SSL_read() or L +function. + +SSL_read() works based on the SSL/TLS records. The data are received in +records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a +record has been completely received, it can be processed (decryption and +check of integrity). Therefore data that was not retrieved at the last +call of SSL_read() can still be buffered inside the SSL layer and will be +retrieved on the next call to SSL_read(). If B is higher than the +number of bytes buffered, SSL_read() will return with the bytes buffered. +If no more bytes are in the buffer, SSL_read() will trigger the processing +of the next record. Only when the record has been received and processed +completely, SSL_read() will return reporting success. At most the contents +of the record will be returned. As the size of an SSL/TLS record may exceed +the maximum packet size of the underlying transport (e.g. TCP), it may +be necessary to read several packets from the transport layer before the +record is complete and SSL_read() can succeed. + If the underlying BIO is B, SSL_read() will only return, once the -read operation has been finished or an error occurred. +read operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L call. 
If the underlying BIO is B, SSL_read() will also return when the underlying BIO could not satisfy the needs of SSL_read() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L with the return value of SSL_read() will yield B or B. As at any time a re-negotiation is possible, a call to SSL_read() can also cause write operations! The calling process @@ -38,7 +64,12 @@ non-blocking socket, nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. -=head1 IMPORTANT +L can be used to find out whether there +are buffered bytes available for immediate retrieval. In this case +SSL_read() can be called without blocking or actually receiving new +data from the underlying socket. + +=head1 WARNING When an SSL_read() operation has to be repeated because of B or B, it must be repeated 
@@ -55,13 +86,24 @@ The following return values can occur: The read operation was successful; the return value is the number of bytes actually read from the TLS/SSL connection. -=item 0 +=item Z<>0 + +The read operation was not successful. The reason may either be a clean +shutdown due to a "close notify" alert sent by the peer (in which case +the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set +(see L, +L). It is also possible, that +the peer simply shut down the underlying transport and the shutdown is +incomplete. Call SSL_get_error() with the return value B to find out, +whether an error occurred or the connection was shut down cleanly +(SSL_ERROR_ZERO_RETURN). -The read operation was not successful, probably because no data was -available. Call SSL_get_error() with the return value B to find out, -whether an error occurred. +SSLv2 (deprecated) does not support a shutdown alert protocol, so it can +only be detected, whether the underlying connection was closed. It cannot +be checked, whether the closure was initiated by the peer or by something +else. -=item -1 +=item E0 The read operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the @@ -71,7 +113,12 @@ return value B to find out the reason. =head1 SEE ALSO -L, L, -L, L +L, L, +L, L, +L, L +L, +L, +L, L, +L, L =cut
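Review bot: the SYNOPSIS change to `int SSL_read(SSL *ssl, void *buf, int num);` is correct and removes the misleading `char *`, but with the parameter now typed as an opaque buffer the page should say explicitly that `num` is the size of `buf` and that SSL_read() never writes more than `num` bytes into it; the NOTES added later in this patch describe how many bytes are returned, not the bound on what is written, and that bound is what a caller sizing a stack or heap buffer needs to see.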
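Review bot: two grammar fixes in the new blocking-BIO paragraph: "except when a renegotiation take place" should read "takes place", and "a SSL_ERROR_WANT_READ" should be "an SSL_ERROR_WANT_READ". In the same hunk, SSL_set_connect_state() is given an L<> link while SSL_set_accept_state() is left bare; link both for consistency. On substance, the record paragraph should state outright that a successful SSL_read() may return fewer than `num` bytes even when the peer has sent more application data, so a short return must not be treated as end of input; "SSL_read() will return with the bytes buffered" and "At most the contents of the record will be returned" imply this but never say it, and it is exactly the assumption that breaks callers which expect one SSL_read() per application message.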
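Review bot: the new SSL_pending() paragraph should say why it matters for the select() loop described just above it: bytes that have already been decrypted into the SSL layer are invisible to select() on the underlying socket, so an application that does a short SSL_read() and then waits in select() for more data can block indefinitely while the remainder of the record sits in the buffer. Suggest adding a sentence such as "Applications using select() must check SSL_pending() before waiting, since select() cannot see data already buffered inside the SSL layer." The rename of IMPORTANT to WARNING is fine and matches the other manpages in this directory.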
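Review bot: the new text for return value 0 has an unbalanced parenthesis: "(in which case the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set (see ...)" opens a parenthesis before "in which case" that is never closed; close it after the cross references. The German-style commas in "It is also possible, that" and "to find out, whether" should be dropped. More importantly, the paragraph tells the reader to call SSL_get_error() to distinguish a clean "close notify" (SSL_ERROR_ZERO_RETURN) from a peer that simply closed the transport, but it never names what SSL_get_error() returns in the unclean case; please spell it out, because distinguishing a clean shutdown from a truncated stream is how an application detects that data may have been cut off rather than delivered in full. The `=item Z<>0` and `E<lt>0` headings are the right POD escapes for the renamed items.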
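Review bot: in the expanded SEE ALSO list the third added line ends without a comma before the next entry ("L<...>, L<...>" followed directly by "L<...>,"), so the rendered list will run two references together; add the trailing comma so every entry except the last is separated consistently.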