Listing 9-27: “tls.c” init_tls with AES-GCM cipher suite
void init_tls()
{
  // Extra cipher suites not previously declared
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].id = TLS_RSA_WITH_AES_128_GCM_SHA256;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].block_size = 0;    // no CBC-style padding
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].IV_size = 12;      // GCM nonce length
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].key_size = 16;     // AES-128
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].hash_size = 16;    // GCM authentication tag length
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].bulk_encrypt = NULL;  // AEAD replaces the bulk cipher
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].bulk_decrypt = NULL;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].new_digest = NULL;    // and the separate MAC
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].aead_encrypt = aes_gcm_encrypt;
  suites[ TLS_RSA_WITH_AES_128_GCM_SHA256 ].aead_decrypt = aes_gcm_decrypt;
}
This declares the new cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256. “But wait,” you may be saying, “what is this 'SHA256'? Doesn't AES-GCM declare its own MAC?” It does, in fact; RFC 5288 indicates that SHA-256 should be used for the PRF. This is in response to section 5 of RFC 5246, which states “New cipher suites MUST explicitly specify a PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a stronger standard hash function.”
At this point, all that's left to do is invoke the AEAD cipher when such a suite becomes active. This happens in the functions send_message, originally defined in Listing 6-64, and tls_decrypt, originally defined in Listing 6-68. You might want to peek back to their final definitions before continuing. After the digest routines, these are the two most complex functions in this topic.
If you recall, send_message first computes a MAC over the data to be sent, prepended with a 64-bit sequence number. It then applies padding as necessary, prepends the IV in the case of a block cipher (TLS 1.1+), and encrypts the plaintext and the MAC before sending. AES-GCM is not much different, but a single call computes the ciphertext and the MAC, and the associated data is the sequence number and the record header. The CipherSuite declaration from Listing 9-27 lists new_digest as NULL but hash_size as 16. You can rewrite send_message to take advantage of this by calculating the associated data whenever hash_size is non-zero, as shown in Listing 9-28.
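The following is an added example, not code from the book's tls.c, showing the two buffers that the AEAD path of send_message has to assemble before calling aead_encrypt: the 13-byte additional data (sequence number followed by the record header) that RFC 5246 section 6.2.3.3 specifies for AEAD cipher suites, and the 12-byte AES-GCM nonce that RFC 5288 builds from a 4-byte implicit salt taken from the key block plus an 8-byte explicit part transmitted in the record. The function names, the sample salt and the sample explicit nonce are all assumptions made here; the wire-size helper uses the IV_size and hash_size values from Listing 9-27.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names, not the book's own functions. Lengths follow
 * RFC 5246 (additional_data) and RFC 5288 (GCM nonce layout) and the
 * Listing 9-27 CipherSuite entry (IV_size = 12, hash_size = 16). */
#define TLS_AEAD_AAD_LEN  13
#define GCM_SALT_LEN      4   /* implicit part, from key expansion          */
#define GCM_EXPLICIT_LEN  8   /* explicit part, sent in clear in the record */
#define GCM_NONCE_LEN     (GCM_SALT_LEN + GCM_EXPLICIT_LEN)
#define GCM_TAG_LEN       16  /* Listing 9-27 hash_size                     */

/* additional_data = seq_num(8, big-endian) || type(1) || version(2) || length(2)
 * where length is the *plaintext* fragment length, not the ciphertext length. */
void tls12_aead_additional_data(uint64_t seq_num,
                                unsigned char content_type,
                                unsigned char major, unsigned char minor,
                                uint16_t plaintext_len,
                                unsigned char out[TLS_AEAD_AAD_LEN])
{
  int i;
  for (i = 0; i < 8; i++)
    out[i] = (unsigned char)(seq_num >> (56 - 8 * i));
  out[8]  = content_type;
  out[9]  = major;
  out[10] = minor;
  out[11] = (unsigned char)(plaintext_len >> 8);
  out[12] = (unsigned char)(plaintext_len & 0xff);
}

/* nonce = salt(4) || explicit_nonce(8). The explicit part must never repeat
 * under one key; RFC 5288 permits using the 64-bit sequence number for it. */
void tls12_gcm_nonce(const unsigned char salt[GCM_SALT_LEN],
                     const unsigned char explicit_nonce[GCM_EXPLICIT_LEN],
                     unsigned char out[GCM_NONCE_LEN])
{
  memcpy(out, salt, GCM_SALT_LEN);
  memcpy(out + GCM_SALT_LEN, explicit_nonce, GCM_EXPLICIT_LEN);
}

/* Bytes that actually go on the wire for one AEAD-protected fragment:
 * explicit nonce || ciphertext (same length as plaintext) || tag. */
size_t tls12_gcm_fragment_length(size_t plaintext_len)
{
  return GCM_EXPLICIT_LEN + plaintext_len + GCM_TAG_LEN;
}

/* Builds both buffers from constructed sample values and compares them with
 * the layout expected from the RFCs; returns 1 on success, 0 on mismatch. */
int tls12_aead_self_check(void)
{
  /* Constructed sample inputs: application_data record, TLS 1.2, 5-byte body. */
  const unsigned char salt[GCM_SALT_LEN] = { 0xde, 0xad, 0xbe, 0xef };
  const unsigned char explicit_nonce[GCM_EXPLICIT_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8 };
  const unsigned char expect_aad[TLS_AEAD_AAD_LEN] =
    { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x17, 0x03, 0x03, 0x00, 0x05 };
  const unsigned char expect_nonce[GCM_NONCE_LEN] =
    { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8 };
  unsigned char aad[TLS_AEAD_AAD_LEN];
  unsigned char nonce[GCM_NONCE_LEN];

  tls12_aead_additional_data(0x0102030405060708ULL, 0x17, 3, 3, 5, aad);
  tls12_gcm_nonce(salt, explicit_nonce, nonce);

  return memcmp(aad, expect_aad, sizeof(aad)) == 0 &&
         memcmp(nonce, expect_nonce, sizeof(nonce)) == 0;
}

int main(void)
{
  unsigned char aad[TLS_AEAD_AAD_LEN];
  int i;
  tls12_aead_additional_data(1, 0x17, 3, 3, 5, aad);
  printf("additional_data:");
  for (i = 0; i < TLS_AEAD_AAD_LEN; i++) printf(" %02x", aad[i]);
  printf("\nwire bytes for a 5-byte fragment: %zu\n", tls12_gcm_fragment_length(5));
  printf("self check: %s\n", tls12_aead_self_check() ? "ok" : "FAILED");
  return tls12_aead_self_check() ? 0 : 1;
}
```

The receiving side (tls_decrypt) rebuilds the same additional_data from its own sequence counter and the received header, so a record that is replayed, reordered or has its header altered fails tag verification even though those bytes were never encrypted; that is the property the sequence number in the MAC input provided in the non-AEAD path.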
Listing 9-28: “tls.c” send_message with associated data support
int send_message( int connection,
int content_type,
const unsigned char *content,
(Continued)