Listing 9-27: “tls.c” init_tls with AES-GCM cipher suite

void init_tls()
{
  …
  // Extra cipher suites not previously declared
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].id = TLS_RSA_WITH_AES_128_GCM_SHA256;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].block_size = 0;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].IV_size = 12;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].key_size = 16;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].hash_size = 16;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].bulk_encrypt = NULL;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].bulk_decrypt = NULL;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].new_digest = NULL;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].aead_encrypt = aes_gcm_encrypt;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].aead_decrypt = aes_gcm_decrypt;
}
This declares the new cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256. “But wait,” you may be saying, “what is this 'SHA256'? Doesn't AES-GCM declare its own MAC?” It does, in fact; RFC 5288 indicates that SHA-256 should be used to control the PRF. This is in response to section 5 of RFC 5246, which states “New cipher suites MUST explicitly specify a PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a stronger standard hash function.”
At this point, all that's left to do is invoke the AEAD cipher when such a suite becomes active. This happens in the functions send_message, originally defined in Listing 6-64, and tls_decrypt, originally defined in Listing 6-68. You might want to peek back to their final definitions before continuing. After the digest routines, these are the two most complex functions in this topic.
If you recall, send_message first computes a MAC over the data to be sent, prepended with a 64-bit sequence number. It then applies padding as necessary, prepends the IV in the case of a block cipher (TLS 1.1+), and encrypts the plaintext and the MAC before sending. AES-GCM is not much different, but a single call computes both the ciphertext and the MAC, and the associated data is the sequence number and the header. The CipherSuite declaration from Listing 9-27 lists new_digest as NULL, but hash_size as 16 (the length of the GCM authentication tag). You can rewrite send_message to take advantage of this by calculating the associated data whenever hash_size is non-zero, as shown in Listing 9-28.
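To make the "sequence number and header" associated data concrete, here is an added illustration (not the book's tls.c; the function names and the sample values are hypothetical) of the two inputs an AES-GCM record needs besides the key and plaintext: the 13-byte additional data from RFC 5246 section 6.2.3.3, and the 12-byte nonce from RFC 5288, whose size matches the IV_size = 12 in Listing 9-27. Getting either wrong on one side produces a tag-check failure on the other, which is the AEAD equivalent of the bad_record_mac alert.

```c
#include <stdint.h>
#include <string.h>
/* TLS 1.2 AEAD record inputs (RFC 5246 section 6.2.3.3, RFC 5288).
 * Added illustration, not the book's tls.c; all names here are hypothetical. */
#define TLS_AEAD_AAD_LEN  13
#define TLS_GCM_SALT_LEN  4   /* implicit nonce part, taken from the key block IV */
#define TLS_GCM_NONCE_LEN 12  /* matches IV_size = 12 in Listing 9-27 */
static void put_be64(uint8_t *out, uint64_t v)
{
    int i;
    for (i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (56 - 8 * i));
}
/* additional_data = seq_num(8) || type(1) || version(2) || length(2), big-endian;
 * length is the plaintext (TLSCompressed) length, not the ciphertext length. */
size_t tls12_aead_additional_data(uint64_t seq_num, uint8_t content_type,
    uint8_t major, uint8_t minor, uint16_t plaintext_len, uint8_t out[TLS_AEAD_AAD_LEN])
{
    put_be64(out, seq_num);
    out[8] = content_type;
    out[9] = major;
    out[10] = minor;
    out[11] = (uint8_t)(plaintext_len >> 8);
    out[12] = (uint8_t)plaintext_len;
    return TLS_AEAD_AAD_LEN;
}
/* nonce = salt(4, implicit) || explicit nonce(8, sent ahead of the ciphertext).
 * Using the record sequence number as the explicit part keeps it unique per key. */
size_t tls12_gcm_nonce(const uint8_t salt[TLS_GCM_SALT_LEN], uint64_t seq_num,
    uint8_t out[TLS_GCM_NONCE_LEN])
{
    memcpy(out, salt, TLS_GCM_SALT_LEN);
    put_be64(out + TLS_GCM_SALT_LEN, seq_num);
    return TLS_GCM_NONCE_LEN;
}
/* Self-check against constructed expected bytes: record #1, application data
 * (type 23), TLS 1.2 (3,3), 5-byte plaintext, salt de ad be ef. Returns 1 if ok. */
int tls12_aead_selftest(void)
{
    static const uint8_t salt[TLS_GCM_SALT_LEN] = { 0xde, 0xad, 0xbe, 0xef };
    static const uint8_t want_aad[TLS_AEAD_AAD_LEN] = { 0,0,0,0,0,0,0,1, 23, 3,3, 0,5 };
    static const uint8_t want_nonce[TLS_GCM_NONCE_LEN] = { 0xde,0xad,0xbe,0xef, 0,0,0,0,0,0,0,1 };
    uint8_t aad[TLS_AEAD_AAD_LEN], nonce[TLS_GCM_NONCE_LEN];
    tls12_aead_additional_data(1, 23, 3, 3, 5, aad);
    tls12_gcm_nonce(salt, 1, nonce);
    return memcmp(aad, want_aad, sizeof aad) == 0 && memcmp(nonce, want_nonce, sizeof nonce) == 0;
}
```

The additional data is exactly the prefix the MAC path already feeds its digest, which is why a send_message that builds it whenever hash_size is non-zero can hand the same buffer to aead_encrypt.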
Listing 9-28: “tls.c” send_message with associated data support

int send_message( int connection,
                  int content_type,
                  const unsigned char *content,
(Continued)