Mbed forum

To support partial decryption

mbed_tls

(Junhyuk Jang) #1

Hi, I’m adapting mbedtls library on my embeded system. So, I’m not able to set large buffer size(MBEDTLS_SSL_BUFFER_LEN) to transfer data. In current implementation of mbedtls, mbedtls_ssl_read function descrypts data after checking length of TLS record header. If length is larger than mbedtls buffer, error code will be returned. The issue is related with the buffer size. I think the large size data could be decrypted if mbedtls library supports partial decryption. It’s because the data would be transfered over TCP protocol. Actually, TCP protocol transfers data fragmented. That means, a packet size is smaller than total data size. So, if the partial decryption can be supported, I could get large size data. Please, check it.
Thanks and Regards,
Jang


(Ron Eldor) #2

Hi Jang,
I believe your request is not for partial decryption ( which is supported by the cipher update functionality), but for fragmentation in TLS library.
I suggest you look at this article which addresses your problem. Note that fragmentation is indeed not fully supported for TLS, but only for DTLS, as in TLS it is less a problem, where you can adjust the buffer incoming buffer size to be as the maximal certificate size that is believe to be used, and you can consider supporting only ECDSA \ ECDH based ciphersuites, which have shorter key size with similar security, and thus smaller certificates. Note the certificate messages sizes are usually the bottle neck in the handshake phase. Once the handshake is done, the application data can be sent from your server witrh the requested size.
If you still have problems with this issue, please continue this thread.
Regards,
Mbed TLS Team member
Ron