1 files changed, 58 insertions, 15 deletions
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index d2ba9d0978..62f52e4331 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.32 2015/09/10 14:17:22 jmc Exp $
+.\" $OpenBSD: tls_init.3,v 1.33 2015/09/10 14:57:29 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -131,10 +131,10 @@
 .Fn tls_accept_socket "struct tls *tls" "struct tls **cctx" "int socket"
 .Ft "int"
 .Fn tls_handshake "struct tls *ctx"
-.Ft "int"
+.Ft "ssize_t"
-.Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen"
+.Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen"
-.Ft "int"
+.Ft "ssize_t"
-.Fn tls_write "struct tls *ctx" "const void *buf" "size_t buflen" "size_t *outlen"
+.Fn tls_write "struct tls *ctx" "const void *buf" "size_t buflen"
 .Ft "int"
 .Fn tls_close "struct tls *ctx"
 .Sh DESCRIPTION
@@ -431,6 +431,8 @@ or
 .Sh RETURN VALUES
 Functions that return
 .Vt int
+or 
+.Vt ssize_t 
 will return 0 on success and -1 on error.
 Functions that return a pointer will return NULL on error, which indicates an
 out of memory condition.
@@ -454,20 +456,61 @@ In the case of blocking file descriptors, the same function call should be
 repeated immediately.
 In the case of non-blocking file descriptors, the same function call should be
 repeated when the required condition has been met.
+.Pp
+Callers of these functions can not rely on the value of the global
+.Ar errno .
+To prevent mishandling of error conditions,
+.Fn tls_handshake ,
+.Fn tls_read ,
+.Fn tls_write ,
+and
+.Fn tls_close
+all explicitly clear
+.Ar errno .
 .Sh EXAMPLES
-Example showing how to handle TLS writes.
+The following example demonstrates how to handle TLS writes on a blocking
+file descriptor:
+.Bd -literal -offset indent
+\&...
+while (len > 0) {
+        ret = tls_write(ctx, buf, len);
+        if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT)
+                continue;
+        if (ret < 0)
+                err(1, "tls_write: %s", tls_error(ctx));
+        buf += ret;
+        len -= ret;
+}
+\&...
+.Ed
+.Pp
+The following example demonstrates how to handle TLS writes on a
+non-blocking file descriptor using
+.Xr poll 2
 .Bd -literal -offset indent
 \&...
+pevent = POLLOUT;
 while (len > 0) {
-        ret = tls_write(ctx, buf, len, &num_written);
+        pfd[0].fd = fd;
-        if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) {
+        pfd[0].events = pevent;
-                /* Retry - use select to wait for non-blocking. */
+        nready = poll(pfd, 1, 0);
-        } else if (ret < 0) {
+        if (nready == -1)
-                return -1;
+                err(1, "poll");
-        } else {
+        if ((pfd[0].revents & (POLLERR|POLLNVAL)))
-                buf += num_written;
+                errx(1, "bad fd %d", pfd[0].fd);
-                len -= num_written;
+        if ((pfd[0].revents & (pevent|POLLHUP))) {
-        }
+                ret = tls_write(ctx, buf, len);
+                if (ret == TLS_WANT_POLLIN)
+                        pevent = POLLIN;
+                else if (ret == TLS_WANT_POLLOUT)
+                        pevent = POLLOUT;
+                else if (ret < 0)
+                        err(1, "tls_write: %s", tls_error(ctx));
+                else {
+                        buf += ret;
+                        len -= ret;
+                }
+        }
 }
 \&...
 .Ed

diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index d2ba9d0978..62f52e4331 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.32 2015/09/10 14:17:22 jmc Exp $	1	.\" $OpenBSD: tls_init.3,v 1.33 2015/09/10 14:57:29 beck Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -131,10 +131,10 @@
131	.Fn tls_accept_socket "struct tls tls" "struct tls *cctx" "int socket"	131	.Fn tls_accept_socket "struct tls tls" "struct tls *cctx" "int socket"
132	.Ft "int"	132	.Ft "int"
133	.Fn tls_handshake "struct tls *ctx"	133	.Fn tls_handshake "struct tls *ctx"
134	.Ft "int"	134	.Ft "ssize_t"
135	.Fn tls_read "struct tls ctx" "void buf" "size_t buflen" "size_t *outlen"	135	.Fn tls_read "struct tls ctx" "void buf" "size_t buflen"
136	.Ft "int"	136	.Ft "ssize_t"
137	.Fn tls_write "struct tls ctx" "const void buf" "size_t buflen" "size_t *outlen"	137	.Fn tls_write "struct tls ctx" "const void buf" "size_t buflen"
138	.Ft "int"	138	.Ft "int"
139	.Fn tls_close "struct tls *ctx"	139	.Fn tls_close "struct tls *ctx"
140	.Sh DESCRIPTION	140	.Sh DESCRIPTION
@@ -431,6 +431,8 @@ or
431	.Sh RETURN VALUES	431	.Sh RETURN VALUES
432	Functions that return	432	Functions that return
433	.Vt int	433	.Vt int
		434	or
		435	.Vt ssize_t
434	will return 0 on success and -1 on error.	436	will return 0 on success and -1 on error.
435	Functions that return a pointer will return NULL on error, which indicates an	437	Functions that return a pointer will return NULL on error, which indicates an
436	out of memory condition.	438	out of memory condition.
@@ -454,20 +456,61 @@ In the case of blocking file descriptors, the same function call should be
454	repeated immediately.	456	repeated immediately.
455	In the case of non-blocking file descriptors, the same function call should be	457	In the case of non-blocking file descriptors, the same function call should be
456	repeated when the required condition has been met.	458	repeated when the required condition has been met.
		459	.Pp
		460	Callers of these functions can not rely on the value of the global
		461	.Ar errno .
		462	To prevent mishandling of error conditions,
		463	.Fn tls_handshake ,
		464	.Fn tls_read ,
		465	.Fn tls_write ,
		466	and
		467	.Fn tls_close
		468	all explicitly clear
		469	.Ar errno .
457	.Sh EXAMPLES	470	.Sh EXAMPLES
458	Example showing how to handle TLS writes.	471	The following example demonstrates how to handle TLS writes on a blocking
		472	file descriptor:
		473	.Bd -literal -offset indent
		474	\&...
		475	while (len > 0) {
		476	ret = tls_write(ctx, buf, len);
		477	if (ret == TLS_WANT_POLLIN \|\| ret == TLS_WANT_POLLOUT)
		478	continue;
		479	if (ret < 0)
		480	err(1, "tls_write: %s", tls_error(ctx));
		481	buf += ret;
		482	len -= ret;
		483	}
		484	\&...
		485	.Ed
		486	.Pp
		487	The following example demonstrates how to handle TLS writes on a
		488	non-blocking file descriptor using
		489	.Xr poll 2
459	.Bd -literal -offset indent	490	.Bd -literal -offset indent
460	\&...	491	\&...
		492	pevent = POLLOUT;
461	while (len > 0) {	493	while (len > 0) {
462	ret = tls_write(ctx, buf, len, &num_written);	494	pfd[0].fd = fd;
463	if (ret == TLS_WANT_POLLIN \|\| ret == TLS_WANT_POLLOUT) {	495	pfd[0].events = pevent;
464	/* Retry - use select to wait for non-blocking. */	496	nready = poll(pfd, 1, 0);
465	} else if (ret < 0) {	497	if (nready == -1)
466	return -1;	498	err(1, "poll");
467	} else {	499	if ((pfd[0].revents & (POLLERR\|POLLNVAL)))
468	buf += num_written;	500	errx(1, "bad fd %d", pfd[0].fd);
469	len -= num_written;	501	if ((pfd[0].revents & (pevent\|POLLHUP))) {
470	}	502	ret = tls_write(ctx, buf, len);
		503	if (ret == TLS_WANT_POLLIN)
		504	pevent = POLLIN;
		505	else if (ret == TLS_WANT_POLLOUT)
		506	pevent = POLLOUT;
		507	else if (ret < 0)
		508	err(1, "tls_write: %s", tls_error(ctx));
		509	else {
		510	buf += ret;
		511	len -= ret;
		512	}
		513	}
471	}	514	}
472	\&...	515	\&...
473	.Ed	516	.Ed