Topic: Limit wolfSSL_read() to return bytes of (at most) one SSL record

How can  wolfSSL_read() be modified to return only the data from (at most) one SSL record?

I.e. I want to prevent wolfSSL from reading up to my 'size' argument, possibly decrypting multiple SSL records.

int ret = wolfSSL_read(ssl, (void *)buffer, size);

Share

Re: Limit wolfSSL_read() to return bytes of (at most) one SSL record

Hi likewise,

The IO interface for wolfSSL is very flexible. You can use the IO callbacks to accomplish your goals:
https://www.wolfssl.com/documentation/m … tion-layer

As Anthony mentioned before, please feel free to direct your questions to support@wolfssl.com

Could you tell us a bit about your project using wolfSSL?

Thanks,
Eric - wolfSSL Support

Re: Limit wolfSSL_read() to return bytes of (at most) one SSL record

Thanks. I already implemented custom IO callbacks and these work fine, but I do not see an option or point where I could convince wolfSSL to return data for the current fragment (and leave succeeding fragments for subsequent reads to be processed).

Share

Re: Limit wolfSSL_read() to return bytes of (at most) one SSL record

The wolfSSL IO layer is only requesting reads from the driver layer. So first it requests 5 bytes (the TLS header) which contains the packet size. Then we ask for the full remainder of the TLS packet, however they can return less. The read callback will continue to be called until the full TLS header has been read. Then it will ask for 5 bytes again. If you return more than asked it would be an error.

Re: Limit wolfSSL_read() to return bytes of (at most) one SSL record

Unfortunately, that seems like a chicken-egg scenario.

I want wolfSSL to only return the deciphered bytes from (at most) one fragment.

Interpreting 5 bytes as being a header (potentially also checking) in my receive callback is not very sound software engineering, as the state of the TLS connection is already kept inside wolfSSL. Besides, wolfSSL could potentially ask for 5 bytes even when it's not a header. Having my callback function keep state (as well as wolfSSL) sounds like overhead.

I'm mainly asking for where to modify the wolfSSL state machine to NOT try to give me all the bytes that the application requested for, but only those of one deciphered fragment. The application has no way of knowing how many bytes it should ask for, but is legal for the API contract of wolfSSL_read() to return less bytes then requested.

Share

Re: Limit wolfSSL_read() to return bytes of (at most) one SSL record

I really should have mentioned this before, but you should review the sniffer code:
https://github.com/wolfSSL/wolfssl/tree … sslSniffer

Specifically the code around checking for application data:
https://github.com/wolfSSL/wolfssl/blob … er.c#L6413