1TLS_READ(3)              BSD Library Functions Manual              TLS_READ(3)
2

NAME

4     tls_read, tls_write, tls_handshake, tls_error, tls_close, tls_reset — use
5     a TLS connection
6

SYNOPSIS

8     #include <tls.h>
9
10     ssize_t
11     tls_read(struct tls *ctx, void *buf, size_t buflen);
12
13     ssize_t
14     tls_write(struct tls *ctx, const void *buf, size_t buflen);
15
16     int
17     tls_handshake(struct tls *ctx);
18
19     const char *
20     tls_error(struct tls *ctx);
21
22     int
23     tls_close(struct tls *ctx);
24
25     void
26     tls_reset(struct tls *ctx);
27

DESCRIPTION

29     tls_read() reads buflen bytes of data from the socket into buf.  It
30     returns the amount of data read.
31
32     tls_write() writes buflen bytes of data from buf to the socket.  It
33     returns the amount of data written.
34
35     tls_handshake() explicitly performs the TLS handshake.  It is only neces‐
36     sary to call this function if you need to guarantee that the handshake
37     has completed, as both tls_read() and tls_write() automatically perform
38     the TLS handshake when necessary.
39
40     The tls_error() function may be used to retrieve a string containing more
41     information about the most recent error relating to a context.
42
43     tls_close() closes a connection after use.  Only the TLS layer will be
44     shut down and the caller is responsible for closing the file descriptors,
45     unless the connection was established using tls_connect(3) or
46     tls_connect_servername(3).  After closing the connection, ctx can be
47     passed to tls_free(3).
48

RETURN VALUES

50     tls_read() and tls_write() return a size on success or -1 on error.
51
52     tls_handshake() and tls_close() return 0 on success or -1 on error.
53
54     The tls_read(), tls_write(), tls_handshake(), and tls_close() functions
55     also have two special return values:
56
57           TLS_WANT_POLLIN   The underlying read file descriptor needs to be
58                             readable in order to continue.
59           TLS_WANT_POLLOUT  The underlying write file descriptor needs to be
60                             writeable in order to continue.
61
62     In the case of blocking file descriptors, the same function call should
63     be repeated immediately.  In the case of non-blocking file descriptors,
64     the same function call should be repeated when the required condition has
65     been met.
66
67     Callers of these functions cannot rely on the value of the global errno.
68     To prevent mishandling of error conditions, tls_read(), tls_write(),
69     tls_handshake(), and tls_close() all explicitly clear errno.
70
71     tls_error() returns NULL if no error occurred with ctx during or since
72     the last call to tls_handshake(), tls_read(), tls_write(), tls_close(),
73     or tls_reset() involving ctx, or if memory allocation failed while trying
74     to assemble the string describing the most recent error related to ctx.
75

EXAMPLES

77     The following example demonstrates how to handle TLS writes on a blocking
78     file descriptor:
79
80           ...
81           while (len > 0) {
82                   ssize_t ret;
83
84                   ret = tls_write(ctx, buf, len);
85                   if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT)
86                           continue;
87                   if (ret == -1)
88                           errx(1, "tls_write: %s", tls_error(ctx));
89                   buf += ret;
90                   len -= ret;
91           }
92           ...
93
94     The following example demonstrates how to handle TLS writes on a non-
95     blocking file descriptor using poll(2):
96
97           ...
98           pfd[0].fd = fd;
99           pfd[0].events = POLLIN|POLLOUT;
100           while (len > 0) {
101                   nready = poll(pfd, 1, 0);
102                   if (nready == -1)
103                           err(1, "poll");
104                   if ((pfd[0].revents & (POLLERR|POLLNVAL)))
105                           errx(1, "bad fd %d", pfd[0].fd);
106                   if ((pfd[0].revents & (pfd[0].events|POLLHUP))) {
107                           ssize_t ret;
108
109                           ret = tls_write(ctx, buf, len);
110                           if (ret == TLS_WANT_POLLIN)
111                                   pfd[0].events = POLLIN;
112                           else if (ret == TLS_WANT_POLLOUT)
113                                   pfd[0].events = POLLOUT;
114                           else if (ret == -1)
115                                   errx(1, "tls_write: %s", tls_error(ctx));
116                           else {
117                                   buf += ret;
118                                   len -= ret;
119                           }
120                   }
121           }
122           ...
123

SEE ALSO

125     tls_accept_socket(3), tls_configure(3), tls_conn_version(3),
126     tls_connect(3), tls_init(3), tls_ocsp_process_response(3)
127

HISTORY

129     tls_read(), tls_write(), tls_error(), tls_close(), and tls_reset()
130     appeared in OpenBSD 5.6 and got their final names in OpenBSD 5.7.
131
132     tls_handshake() appeared in OpenBSD 5.9.
133

AUTHORS

135     Joel Sing <jsing@openbsd.org> with contributions from
136     Bob Beck <beck@openbsd.org>
137

CAVEATS

139     The function tls_error() returns an internal pointer.  It must not be
140     freed by the application, or a double free error will occur.  The pointer
141     will become invalid when the next error occurs with ctx.  Consequently,
142     if the application may need the message at a later time, it has to copy
143     the string before calling the next libtls function involving ctx, or a
144     segmentation fault or read access to unintended data is the likely
145     result.
146
147BSD                              July 9, 2019                              BSD
Impressum