This is the update of my ToyTLS client in Python that now supports GCM mode. Ciphersuites now supported are: TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.
Couple of words about GCM mode (Galois/Counter Mode).
Take a look on diagram at wikipedia. The 'mult' operation is GF2 operation, yes. But it can be replaced with a regular multiplication operation without loss of security. GF2 multiplication is a close cousin of CRC function (CRC is division with remainder). CRC function could use regular division, but GF2 operations are just faster and more efficient. (I wrote about GF2 and CRC in my math notes.)
In short -- you can think that CRC is actually a division with remainder. And the 'mult' operation in GCM is actually a regular multiplication. This simplification makes things easier to understand.
Another property of CTR (counter mode) and GCM is involution. It's a property of function -- if applied twice, the result will return to the initial. Like, -(-x)=x. Or boolean: NOT(NOT(x))=x. If AES-CTR operation applied twice, plain text will be returned.
During my work on ToyTLS, I confusingly used GCM encryption operation instead of decryption and got plain text, but with attached tag/MAC (GCM encryption adds tag/MAC to the end of ciphertext). (GCM is like CTR but with simultaneous tag/MAC generation.)
The files and the patched libressl-3.8.1 I used (with additional debugging/dumping printf statements (AKA "debugging breadcrumbs").
Yes, I know about these lousy Disqus ads. Please use adblocker. I would consider to subscribe to 'pro' version of Disqus if the signal/noise ratio in comments would be good enough.