Topic: Where and when does the wc_AesGcmEncrypt_ex key gets initialized ?

Hello everyone,
I am working in the client/server example using TLS 1.3
I want to change the encryption key of the early_data that are sent during the resumption session.
I am running my examples with:

./client -v 4 -r -s -t -0

both client and server.

Therefore, as the documentation says, https://tools.ietf.org/html/rfc8446#section-2.3, "The client uses the PSK to authenticate the server and to encrypt the early data".
I would like to find the exact point where the client uses the PSK to encrypt the early data. I observed that this is done in the function EncryptTLS13 in the tls.c file using the function wc_AesGcmEncrypt_ex, but going there I could observe that the aes->key was already initialized.
So where does the PSK encrypt the early data or how is it used in the aes function?
Additionally, what is the relation of the aadwith the PSK ?

Share

Re: Where and when does the wc_AesGcmEncrypt_ex key gets initialized ?

Hi cxenof03,

The encryption algorithm is initialized with the call to keys.c:SetKeysSide(). Actually the internal function SetKeys() is making the calls to wc_AesInit() and wc_AesGcmSetKey().

WritePSKBinders sets the keys for early data on the client. DoPreSharedKeys sets the keys on the server.

* The PSK establishes a master secret. See SetupPskKey() and DoPreSharedKeys().
* DeriveEarlySecret() derives the secret for creating the keys. See "Early Secret" in diagram in TLS 1.3 spec, page 93.
* DeriveTls13Keys() calls DeriveEarlySecret() and then derives the key that is placed in the 'Key data' that is used in SetKeysSide. See "client_early_secret_traffic_secret" in TLS 1.3 spec, page 93.
* SetKeysSide takes the 'Key data' and extracts out the key to use.

Thanks,
David Garske, wolfSSL

Share

Re: Where and when does the wc_AesGcmEncrypt_ex key gets initialized ?

EDIT: Thanks, David, for answering!

Hello Chris,

I've asked Sean to review this post.

Thanks,
Eric @ wolfSSL Support