Introduction

The book examines the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols in detail, taking a bottom-up approach.

SSL

standardized, widely implemented, peer-reviewed protocol for applying cryptographic primitives to arbitrary networked communications. It provides:

• privacy,
• integrity,
• some measure of authenticity
• to otherwise inherently untrustworthy network connections.

This book develops, incrementally, a relatively complete SSL/TLS library.

• First, all of the relevant cryptographic protocols are examined and developed;
• Then, the library itself is built piece by piece.

All of the code developed in this book is C (not C++) code.

All of the protocols and examples are presented in general form as well as in source code form so that if you’re interested in a higher-level overview, you can skip the code examples and the book should still make sense.

Why Source Code is Partially Incomplete

Effectively, production-grade libraries have at least five primary concerns regarding their source code:

1. It must work
2. It must be secure
3. It should be as fast as reasonably possible
4. It must be modular and extensible
5. It must be easy to read and understand

When a higher-numbered concern conflicts with a lower-numbered concern, the lower-numbered concern wins. This must be the case for cade that’s actually used by real people to perform real tasks. The code is not always pretty, nor is it particularly readable, when security-speed-modularity take precedence.

The priorities for the code in this book are:

1. It must work
2. It should be as readable as possible.

Security, speed and modularity are not concerns. The code presented in this book is not particularly secure. For example, when the algorithms call for random bytes, the code in this book just returns sequentially numbered bytes, which is the exact opposite of the random bytes that the algorithm calls for. This is done to simplify the code as well as to make sure that what you see if you try it out yourself matches what you see in the book.

There isn’t any bounds-checking on buffers or verification that the input matches what’s expected, which are things that a proper library ought to be doing. I’ve omitted these things to keep this book’s page count under control as well as to avoid obscuring the purpose of the example code with hundreds of lines of error checking.

If you are working with any production code you should prefer a well-established library such as OpenSSL, GnuTLS, or NSS over home-grown code any day. This book should help you understand the internals of these libraries so that, when it comes time to use one, you know exactly what’s going on at all stages.