Improve documentation about reading and writing

If BIO_should_retry() is false then the cause is an error condition.

BIO_should_read() is true if the cause of the condition is that a BIO

needs to read data.

BIO_should_read() is true if the cause of the condition is that the BIO

has insufficient data to return. Check for readability and/or retry the

last operation.

BIO_should_write() is true if the cause of the condition is that a BIO

needs to read data.

BIO_should_write() is true if the cause of the condition is that the BIO

has pending data to write. Check for writability and/or retry the

last operation.

BIO_should_io_special() is true if some "special" condition, that is a

reason other than reading or writing is the cause of the condition.

=head1 NAME

SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode

SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);

 long SSL_CTX_clear_mode(SSL_CTX *ctx, long mode);

 long SSL_set_mode(SSL *ssl, long mode);

 long SSL_clear_mode(SSL *ssl, long mode);

 long SSL_CTX_get_mode(SSL_CTX *ctx);

 long SSL_get_mode(SSL *ssl);

SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.

Options already set before are not cleared.

SSL_CTX_clear_mode() removes the mode set via bitmask in B<mode> from B<ctx>.

SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.

Options already set before are not cleared.

SSL_clear_mode() removes the mode set via bitmask in B<mode> from B<ssl>.

SSL_CTX_get_mode() returns the mode set for B<ctx>.

=item SSL_MODE_AUTO_RETRY

Never bother the application with retries if the transport is blocking.

If a renegotiation take place during normal operation, a

L<SSL_read_ex(3)>, L<SSL_read(3)>, L<SSL_write_ex(3)> or L<SSL_write(3)> would

return with a failure and indicate the need to retry with SSL_ERROR_WANT_READ.

During normal operations, non-application data records might need to be sent or

received that the application is not aware of.

If a non-application data record was processed,

L<SSL_read_ex(3)> and L<SSL_read(3)> can return with a failure and indicate the

need to retry with B<SSL_ERROR_WANT_READ>.

If such a non-application data record was processed, the flag

B<SSL_MODE_AUTO_RETRY> causes it to try to process the next record instead of

returning.

In a non-blocking environment applications must be prepared to handle

incomplete read/write operations.

Setting B<SSL_MODE_AUTO_RETRY> for a non-blocking B<BIO> will process

non-application data records until either no more data is available or

an application data record has been processed.

In a blocking environment, applications are not always prepared to

deal with read/write operations returning without success report. The

flag SSL_MODE_AUTO_RETRY will cause read/write operations to only

return after the handshake and successful completion.

deal with the functions returning intermediate reports such as retry

requests, and setting the B<SSL_MODE_AUTO_RETRY> flag will cause the functions

to only return after successfully processing an application data record or a

failure.

Turning off B<SSL_MODE_AUTO_RETRY> can be useful with blocking B<BIO>s in case

they are used in combination with something like select() or poll().

Otherwise the call to SSL_read() or SSL_read_ex() might hang when a

non-application record was sent and no application data was sent.

=item SSL_MODE_RELEASE_BUFFERS

=back

All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by

default since 1.1.1.

=head1 RETURN VALUES

SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask

B<x> bytes are currently required by OpenSSL, but B<y> bytes are available from

the underlying BIO (where B<y> > B<x>), then OpenSSL will read all B<y> bytes

into its buffer (providing that the buffer is large enough) if reading ahead is

on, or B<x> bytes otherwise. The parameter B<yes> or B<m> should be 0 to ensure

reading ahead is off, or non zero otherwise.

on, or B<x> bytes otherwise.

Setting the parameter B<yes> to 0 turns reading ahead is off, other values turn

it on.

SSL_CTX_set_default_read_ahead() is identical to SSL_CTX_set_read_ahead().

SSL_CTX_get_read_ahead() and SSL_get_read_ahead() indicate whether reading

ahead has been set or not.

SSL_CTX_get_default_read_ahead() is identical to SSL_CTX_get_read_ahead().

=head1 NOTES

B<read_ahead> can impact the behaviour of the SSL_pending() function

(see L<SSL_pending(3)>).

Since SSL_read() can return B<SSL_ERROR_WANT_READ> for non-application data

records, and SSL_has_pending() can't tell the difference between processed and

unprocessed data, it's recommended that if read ahead is turned on that

B<SSL_MODE_AUTO_RETRY> is not turned off using SSL_CTX_clear_mode().

That will prevent getting B<SSL_ERROR_WANT_READ> when there is still a complete

record availale that hasn't been processed.

If the application wants to continue to use the underlying transport (e.g. TCP

connection) after the SSL connection is finished using SSL_shutdown() reading

ahead should be turned off.

Otherwise the SSL structure might read data that it shouldn't.

=head1 RETURN VALUES

SSL_get_read_ahead() and SSL_CTX_get_read_ahead() return 0 if reading ahead is off,

=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

The operation did not complete; the same TLS/SSL I/O function should be

called again later.  If, by then, the underlying B<BIO> has data

available for reading (if the result code is B<SSL_ERROR_WANT_READ>)

or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL

protocol progress will take place, i.e. at least part of an TLS/SSL

record will be read or written.  Note that the retry may again lead to

a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition.

The operation did not complete and can be retried later.

B<SSL_ERROR_WANT_READ> is returned when the last operation was a read

operation from a non-blocking B<BIO>.

It means that not enough data was available at this time to complete the

operation.

If at a later time the underlying B<BIO> has data available for reading the same

function can be called again.

SSL_read() and SSL_read_ex() can also set B<SSL_ERROR_WANT_READ> when there is

still unprocessed data available at either the B<SSL> or the B<BIO> layer, even

for a blocking B<BIO>.

See L<SSL_read(3)> for more information.

B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write

to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>.

When the B<BIO> is writeable again, the same function can be called again.

Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or

B<SSL_ERROR_WANT_WRITE> condition.

There is no fixed upper limit for the number of iterations that

may be necessary until progress becomes visible at application

protocol level.

It is safe to call SSL_read() or SSL_read_ex() when more data is available

even when the call that set this error was an SSL_write() or SSL_write_ex().

However if the call was an SSL_write() or SSL_write_ex(), it should be called

again to continue sending the application data.

For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or

poll() on the underlying socket can be used to find out when the

TLS/SSL I/O function should be retried.

Caveat: Any TLS/SSL I/O function can lead to either of

B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>.  In particular,

B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>.

In particular,

SSL_read_ex(), SSL_read(), SSL_peek_ex(), or SSL_peek() may want to write data

and SSL_write() or SSL_write_ex() may want to read data.  This is mainly because

and SSL_write() or SSL_write_ex() may want to read data.

This is mainly because

TLS/SSL handshakes may occur at any time during the protocol (initiated by

either the client or the server); SSL_read_ex(), SSL_read(), SSL_peek_ex(),

SSL_peek(), SSL_write_ex(), and SSL_write() will handle any pending handshakes.

The OpenSSL error queue may contain more information on the error.

For socket I/O on Unix systems, consult B<errno> for details.

This value can also be returned for other errors, check the error queue for

details.

=item SSL_ERROR_SSL

A failure in the SSL library occurred, usually a protocol error.  The

functions will return with the bytes buffered. If no more bytes are in the

buffer, the read functions will trigger the processing of the next record.

Only when the record has been received and processed completely will the read

functions return reporting success. At most the contents of the record will

functions return reporting success. At most the contents of one record will

be returned. As the size of an SSL/TLS record may exceed the maximum packet size

of the underlying transport (e.g. TCP), it may be necessary to read several

packets from the transport layer before the record is complete and the read call

can succeed.

If B<SSL_MODE_AUTO_RETRY> has been switched off and a non-application data

record has been processed, the read function can return and set the error to

B<SSL_ERROR_WANT_READ>.

In this case there might still be unprocessed data available in the B<BIO>.

If read ahead was set using L<SSL_CTX_set_read_ahead(3)>, there might also still

be unprocessed data available in the B<SSL>.

This behaviour can be controlled using the L<SSL_CTX_set_mode(3)> call.

If the underlying BIO is B<blocking>, a read function will only return once the

read operation has been finished or an error occurred, except when a

renegotiation takes place, in which case a SSL_ERROR_WANT_READ may occur. This

behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the

L<SSL_CTX_set_mode(3)> call.

non-application data record has been processed and B<SSL_MODE_AUTO_RETRY> is

not set.

Note that if B<SSL_MODE_AUTO_RETRY> is set and only non-application data is

available the call will hang.

If the underlying BIO is B<non-blocking>, a read function will also return when

the underlying BIO could not satisfy the needs of the function to continue the

operation. In this case a call to L<SSL_get_error(3)> with the

operation.

In this case a call to L<SSL_get_error(3)> with the

return value of the read function will yield B<SSL_ERROR_WANT_READ> or

B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a

a read function can also cause write operations! The calling process then must

repeat the call after taking appropriate action to satisfy the needs of the read

function. The action depends on the underlying BIO. When using a non-blocking

socket, nothing is to be done, but select() can be used to check for the

required condition. When using a buffering BIO, like a BIO pair, data must be

written into or retrieved out of the BIO before being able to continue.

B<SSL_ERROR_WANT_WRITE>.

As at any time it's possible that non-application data needs to be sent,

a read function can also cause write operations.

The calling process then must repeat the call after taking appropriate action

to satisfy the needs of the read function.

The action depends on the underlying BIO.

When using a non-blocking socket, nothing is to be done, but select() can be

used to check for the required condition.

When using a buffering BIO, like a BIO pair, data must be written into or

retrieved out of the BIO before being able to continue.

L<SSL_pending(3)> can be used to find out whether there

are buffered bytes available for immediate retrieval. In this case

the read function can be called without blocking or actually receiving

new data from the underlying socket.

=head1 WARNING

When a read function operation has to be repeated because L<SSL_get_error(3)>

returned B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>, it must be repeated

with the same arguments.

are buffered bytes available for immediate retrieval.

In this case the read function can be called without blocking or actually

receiving new data from the underlying socket.

=head1 RETURN VALUES

=back

=head1 HISTORY

SSL_read_ex() and SSL_peek_ex() were added in OpenSSL 1.1.1.

=head1 SEE ALSO

L<SSL_get_error(3)>, L<SSL_write_ex(3)>,