You are not logged in. Please login or register.
Please post questions or comments you have about wolfSSL products here. It is helpful to be as descriptive as possible when asking your questions.
ReferenceswolfSSL - Embedded SSL Library → wolfSSL → Limit wolfSSL_read() to return bytes of (at most) one SSL record
How can wolfSSL_read() be modified to return only the data from (at most) one SSL record?
I.e. I want to prevent wolfSSL from reading up to my 'size' argument, possibly decrypting multiple SSL records.
int ret = wolfSSL_read(ssl, (void *)buffer, size);
Hi likewise,
The IO interface for wolfSSL is very flexible. You can use the IO callbacks to accomplish your goals:
https://www.wolfssl.com/documentation/m … tion-layer
As Anthony mentioned before, please feel free to direct your questions to support@wolfssl.com
Could you tell us a bit about your project using wolfSSL?
Thanks,
Eric - wolfSSL Support
Thanks. I already implemented custom IO callbacks and these work fine, but I do not see an option or point where I could convince wolfSSL to return data for the current fragment (and leave succeeding fragments for subsequent reads to be processed).
The wolfSSL IO layer is only requesting reads from the driver layer. So first it requests 5 bytes (the TLS header) which contains the packet size. Then we ask for the full remainder of the TLS packet, however they can return less. The read callback will continue to be called until the full TLS header has been read. Then it will ask for 5 bytes again. If you return more than asked it would be an error.
Unfortunately, that seems like a chicken-egg scenario.
I want wolfSSL to only return the deciphered bytes from (at most) one fragment.
Interpreting 5 bytes as being a header (potentially also checking) in my receive callback is not very sound software engineering, as the state of the TLS connection is already kept inside wolfSSL. Besides, wolfSSL could potentially ask for 5 bytes even when it's not a header. Having my callback function keep state (as well as wolfSSL) sounds like overhead.
I'm mainly asking for where to modify the wolfSSL state machine to NOT try to give me all the bytes that the application requested for, but only those of one deciphered fragment. The application has no way of knowing how many bytes it should ask for, but is legal for the API contract of wolfSSL_read() to return less bytes then requested.
I really should have mentioned this before, but you should review the sniffer code:
https://github.com/wolfSSL/wolfssl/tree … sslSniffer
Specifically the code around checking for application data:
https://github.com/wolfSSL/wolfssl/blob … er.c#L6413
wolfSSL - Embedded SSL Library → wolfSSL → Limit wolfSSL_read() to return bytes of (at most) one SSL record
Powered by PunBB, supported by Informer Technologies, Inc.
Generated in 0.018 seconds (89% PHP - 11% DB) with 12 queries