1.\" $OpenBSD: SSL_read.3,v 1.7 2020/05/26 19:45:58 schwarze Exp $ 2.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 3.\" partial merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100 4.\" 5.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and 6.\" Matt Caswell <matt@openssl.org>. 7.\" Copyright (c) 2000, 2001, 2008, 2016 The OpenSSL Project. 8.\" All rights reserved. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 14.\" 1. Redistributions of source code must retain the above copyright 15.\" notice, this list of conditions and the following disclaimer. 16.\" 17.\" 2. Redistributions in binary form must reproduce the above copyright 18.\" notice, this list of conditions and the following disclaimer in 19.\" the documentation and/or other materials provided with the 20.\" distribution. 21.\" 22.\" 3. All advertising materials mentioning features or use of this 23.\" software must display the following acknowledgment: 24.\" "This product includes software developed by the OpenSSL Project 25.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 26.\" 27.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 28.\" endorse or promote products derived from this software without 29.\" prior written permission. For written permission, please contact 30.\" openssl-core@openssl.org. 31.\" 32.\" 5. Products derived from this software may not be called "OpenSSL" 33.\" nor may "OpenSSL" appear in their names without prior written 34.\" permission of the OpenSSL Project. 35.\" 36.\" 6. Redistributions of any form whatsoever must retain the following 37.\" acknowledgment: 38.\" "This product includes software developed by the OpenSSL Project 39.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" 40.\" 41.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 42.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 44.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 45.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 46.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 47.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 48.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 49.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 50.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 51.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 52.\" OF THE POSSIBILITY OF SUCH DAMAGE. 53.\" 54.Dd $Mdocdate: May 26 2020 $ 55.Dt SSL_READ 3 56.Os 57.Sh NAME 58.Nm SSL_read , 59.Nm SSL_peek 60.Nd read bytes from a TLS connection 61.Sh SYNOPSIS 62.In openssl/ssl.h 63.Ft int 64.Fn SSL_read "SSL *ssl" "void *buf" "int num" 65.Ft int 66.Fn SSL_peek "SSL *ssl" "void *buf" "int num" 67.Sh DESCRIPTION 68.Fn SSL_read 69tries to read 70.Fa num 71bytes from the specified 72.Fa ssl 73into the buffer 74.Fa buf . 75.Pp 76.Fn SSL_peek 77is identical to 78.Fn SSL_read 79except that no bytes are removed from the underlying BIO during 80the read, such that a subsequent call to 81.Fn SSL_read 82will yield at least the same bytes once again. 83.Pp 84In the following, 85.Fn SSL_read 86and 87.Fn SSL_peek 88are called 89.Dq read functions . 90.Pp 91If necessary, a read function will negotiate a TLS session, if 92not already explicitly performed by 93.Xr SSL_connect 3 94or 95.Xr SSL_accept 3 . 96If the peer requests a re-negotiation, it will be performed 97transparently during the read function operation. 98The behaviour of the read functions depends on the underlying 99.Vt BIO . 100.Pp 101For the transparent negotiation to succeed, the 102.Fa ssl 103must have been initialized to client or server mode. 104This is done by calling 105.Xr SSL_set_connect_state 3 106or 107.Xr SSL_set_accept_state 3 108before the first call to a read function. 109.Pp 110The read functions works based on the TLS records. 111The data are received in records (with a maximum record size of 16kB). 112Only when a record has been completely received, it can be processed 113(decrypted and checked for integrity). 114Therefore data that was not retrieved at the last read call can 115still be buffered inside the TLS layer and will be retrieved on the 116next read call. 117If 118.Fa num 119is higher than the number of bytes buffered, the read functions 120will return with the bytes buffered. 121If no more bytes are in the buffer, the read functions will trigger 122the processing of the next record. 123Only when the record has been received and processed completely 124will the read functions return reporting success. 125At most the contents of the record will be returned. 126As the size of a TLS record may exceed the maximum packet size 127of the underlying transport (e.g., TCP), it may be necessary to 128read several packets from the transport layer before the record is 129complete and the read call can succeed. 130.Pp 131If the underlying 132.Vt BIO 133is blocking, 134a read function will only return once the read operation has been 135finished or an error occurred, except when a renegotiation takes 136place, in which case an 137.Dv SSL_ERROR_WANT_READ 138may occur. 139This behavior can be controlled with the 140.Dv SSL_MODE_AUTO_RETRY 141flag of the 142.Xr SSL_CTX_set_mode 3 143call. 144.Pp 145If the underlying 146.Vt BIO 147is non-blocking, a read function will also return when the underlying 148.Vt BIO 149could not satisfy the needs of the function to continue the operation. 150In this case a call to 151.Xr SSL_get_error 3 152with the return value of the read function will yield 153.Dv SSL_ERROR_WANT_READ 154or 155.Dv SSL_ERROR_WANT_WRITE . 156As at any time a re-negotiation is possible, a read function may 157also cause write operations. 158The calling process must then repeat the call after taking appropriate 159action to satisfy the needs of the read function. 160The action depends on the underlying 161.Vt BIO . 162When using a non-blocking socket, nothing is to be done, but 163.Xr select 2 164can be used to check for the required condition. 165When using a buffering 166.Vt BIO , 167like a 168.Vt BIO 169pair, data must be written into or retrieved out of the 170.Vt BIO 171before being able to continue. 172.Pp 173.Xr SSL_pending 3 174can be used to find out whether there are buffered bytes available for 175immediate retrieval. 176In this case a read function can be called without blocking or 177actually receiving new data from the underlying socket. 178.Pp 179When a read function operation has to be repeated because of 180.Dv SSL_ERROR_WANT_READ 181or 182.Dv SSL_ERROR_WANT_WRITE , 183it must be repeated with the same arguments. 184.Sh RETURN VALUES 185The following return values can occur: 186.Bl -tag -width Ds 187.It >0 188The read operation was successful. 189The return value is the number of bytes actually read from the 190TLS connection. 191.It 0 192The read operation was not successful. 193The reason may either be a clean shutdown due to a 194.Dq close notify 195alert sent by the peer (in which case the 196.Dv SSL_RECEIVED_SHUTDOWN 197flag in the ssl shutdown state is set (see 198.Xr SSL_shutdown 3 199and 200.Xr SSL_set_shutdown 3 ) . 201It is also possible that the peer simply shut down the underlying transport and 202the shutdown is incomplete. 203Call 204.Xr SSL_get_error 3 205with the return value to find out whether an error occurred or the connection 206was shut down cleanly 207.Pq Dv SSL_ERROR_ZERO_RETURN . 208.It <0 209The read operation was not successful, because either an error occurred or 210action must be taken by the calling process. 211Call 212.Xr SSL_get_error 3 213with the return value to find out the reason. 214.El 215.Sh SEE ALSO 216.Xr BIO_new 3 , 217.Xr ssl 3 , 218.Xr SSL_accept 3 , 219.Xr SSL_connect 3 , 220.Xr SSL_CTX_new 3 , 221.Xr SSL_CTX_set_mode 3 , 222.Xr SSL_get_error 3 , 223.Xr SSL_pending 3 , 224.Xr SSL_set_connect_state 3 , 225.Xr SSL_set_shutdown 3 , 226.Xr SSL_shutdown 3 , 227.Xr SSL_write 3 228.Sh HISTORY 229.Fn SSL_read 230appeared in SSLeay 0.4 or earlier. 231.Fn SSL_peek 232first appeared in SSLeay 0.6.6. 233Both functions have been available since 234.Ox 2.4 . 235