
authorPeter Dettman <peter.dettman@bouncycastle.org>2014-04-04 11:54:57 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-04-04 11:54:57 +0400
commit8d1167fac5920abc218a6bfa9f1ebc263462f8b3 (patch)
treefae818f9daee09a3ea3cfb93406ec027b2185085 /core/src/main/java/org/bouncycastle/crypto/tls
parent9c9a768735900610a339318bf38267c908fe8dd5 (diff)
Use the TLS 1.0 PRF for the random block
Remove redundant Mac.init calls
Diffstat (limited to 'core/src/main/java/org/bouncycastle/crypto/tls')
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java3
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java3
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java6
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java3
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java20
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java3
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java12
7 files changed, 31 insertions, 19 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
index fb058e79..75b3b58d 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
@@ -32,7 +32,8 @@ public class DTLSClientProtocol
SecurityParameters securityParameters = new SecurityParameters();
securityParameters.entity = ConnectionEnd.client;
- securityParameters.clientRandom = TlsProtocol.createRandomBlock(client.shouldUseGMTUnixTime(), secureRandom);
+ securityParameters.clientRandom = TlsProtocol.createRandomBlock(client.shouldUseGMTUnixTime(), secureRandom,
+ ExporterLabel.client_random);
ClientHandshakeState state = new ClientHandshakeState();
state.client = client;
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
index d6d6a8d9..c78cb95c 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
@@ -46,7 +46,8 @@ public class DTLSServerProtocol
SecurityParameters securityParameters = new SecurityParameters();
securityParameters.entity = ConnectionEnd.server;
- securityParameters.serverRandom = TlsProtocol.createRandomBlock(server.shouldUseGMTUnixTime(), secureRandom);
+ securityParameters.serverRandom = TlsProtocol.createRandomBlock(server.shouldUseGMTUnixTime(), secureRandom,
+ ExporterLabel.server_random);
ServerHandshakeState state = new ServerHandshakeState();
state.server = server;
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
index 902720ac..851bffc6 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
@@ -6,6 +6,12 @@ package org.bouncycastle.crypto.tls;
public class ExporterLabel
{
/*
+ * BC-specific
+ */
+ static final String client_random = "client random";
+ static final String server_random = "server random";
+
+ /*
* RFC 5246
*/
public static final String client_finished = "client finished";
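Review bot: The `BC-specific` comment above the two new constants does not say what they are for, and because they sit directly above the RFC 5246 exporter labels a reader may take `client_random`/`server_random` for registered TLS exporter labels. Suggest expanding it to `/* BC-specific: domain-separation labels for TlsProtocol.createRandomBlock; not TLS exporter labels */`. Keeping them package-private rather than `public` like the labels below looks deliberate and is consistent with that purpose; stating it in the comment would make that explicit.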
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
index a51b788f..ed23230b 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
@@ -74,7 +74,8 @@ public class TlsClientProtocol
this.securityParameters = new SecurityParameters();
this.securityParameters.entity = ConnectionEnd.client;
- this.securityParameters.clientRandom = createRandomBlock(tlsClient.shouldUseGMTUnixTime(), secureRandom);
+ this.securityParameters.clientRandom = createRandomBlock(tlsClient.shouldUseGMTUnixTime(), secureRandom,
+ ExporterLabel.client_random);
this.tlsClientContext = new TlsClientContextImpl(secureRandom, securityParameters);
this.tlsClient.init(tlsClientContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
index 6f09a0ff..088b753e 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
@@ -824,23 +824,19 @@ public abstract class TlsProtocol
}
}
- protected static byte[] createRandomBlock(boolean useGMTUnixTime, SecureRandom random)
+ protected static byte[] createRandomBlock(boolean useGMTUnixTime, SecureRandom random, String asciiLabel)
{
/*
- * We hash the SecureRandom output here to guard against RNGs where the raw output could be
- * used to recover the internal state.
+ * We use the TLS 1.0 PRF on the SecureRandom output, to guard against RNGs where the raw
+ * output could be used to recover the internal state.
*/
- byte[] result = new byte[32];
- Digest d = TlsUtils.createHash(HashAlgorithm.sha256);
+ byte[] secret = new byte[32];
+ random.nextBytes(secret);
- TlsUtils.writeUint64(Times.nanoTime(), result, 0);
- Strings.toByteArray("BouncyCastle TlsProtocol", result, 8);
- d.update(result, 0, 32);
+ byte[] seed = new byte[8];
+ TlsUtils.writeUint64(Times.nanoTime(), seed, 0);
- random.nextBytes(result);
- d.update(result, 0, 32);
-
- d.doFinal(result, 0);
+ byte[] result = TlsUtils.PRF_legacy(secret, asciiLabel, seed, 32);
if (useGMTUnixTime)
{
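Review bot: The raw SecureRandom output placed in `secret` is never cleared after `TlsUtils.PRF_legacy` derives `result`, so the bytes the comment says should not be exposed stay in memory until the array is garbage collected; add `Arrays.fill(secret, (byte)0);` (java.util.Arrays) immediately after the PRF call. The new `asciiLabel` parameter also deserves a Javadoc line saying it is a domain-separation label that keeps the client and server random blocks distinct even for equal secret and seed inputs (the callers pass `ExporterLabel.client_random` and `ExporterLabel.server_random`). The PRF seed consists only of the `Times.nanoTime()` value, which is fine since the entropy comes from `secret`, but that is worth a comment as well. `createRandomBlock` continues past this hunk with the `useGMTUnixTime` branch.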
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index c09e8050..44b4998c 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -52,7 +52,8 @@ public class TlsServerProtocol
this.securityParameters = new SecurityParameters();
this.securityParameters.entity = ConnectionEnd.server;
- this.securityParameters.serverRandom = createRandomBlock(tlsServer.shouldUseGMTUnixTime(), secureRandom);
+ this.securityParameters.serverRandom = createRandomBlock(tlsServer.shouldUseGMTUnixTime(), secureRandom,
+ ExporterLabel.server_random);
this.tlsServerContext = new TlsServerContextImpl(secureRandom, securityParameters);
this.tlsServer.init(tlsServerContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java
index 9f5c4f32..c6cd5300 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java
@@ -850,6 +850,14 @@ public class TlsUtils
return buf;
}
+ public static byte[] PRF_legacy(byte[] secret, String asciiLabel, byte[] seed, int size)
+ {
+ byte[] label = Strings.toByteArray(asciiLabel);
+ byte[] labelSeed = concat(label, seed);
+
+ return PRF_legacy(secret, label, labelSeed, size);
+ }
+
static byte[] PRF_legacy(byte[] secret, byte[] label, byte[] labelSeed, int size)
{
int s_half = (secret.length + 1) / 2;
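Review bot: The new `public` overload `PRF_legacy(byte[], String, byte[], int)` widens the public API of TlsUtils but carries no Javadoc, so a caller cannot tell that it is the TLS 1.0/1.1 PRF and not the negotiated TLS 1.2 PRF. Suggest a Javadoc stating that it delegates to the package-private `PRF_legacy` (the MD5/SHA-1 HMAC construction over split halves of `secret`, as the `s_half` computation below shows), that `asciiLabel` is converted with `Strings.toByteArray` and concatenated in front of `seed`, and that it should not be used where the cipher-suite PRF of TLS 1.2 applies. Both `PRF_legacy` methods continue past the end of this hunk.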
@@ -880,7 +888,7 @@ public class TlsUtils
static void hmac_hash(Digest digest, byte[] secret, byte[] seed, byte[] out)
{
HMac mac = new HMac(digest);
- KeyParameter param = new KeyParameter(secret);
+ mac.init(new KeyParameter(secret));
byte[] a = seed;
int size = digest.getDigestSize();
int iterations = (out.length + size - 1) / size;
@@ -888,11 +896,9 @@ public class TlsUtils
byte[] buf2 = new byte[mac.getMacSize()];
for (int i = 0; i < iterations; i++)
{
- mac.init(param);
mac.update(a, 0, a.length);
mac.doFinal(buf, 0);
a = buf;
- mac.init(param);
mac.update(a, 0, a.length);
mac.update(seed, 0, seed.length);
mac.doFinal(buf2, 0);
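Review bot: Dropping the per-iteration `mac.init(param)` calls makes `hmac_hash` depend on `mac.doFinal` returning the HMAC to its keyed state between the A(i) computation and the output block; as far as I know the package's HMac does reset on doFinal, but nothing in the loop says so. Suggest a comment on the `for` line, `// doFinal() resets the MAC to its keyed state, so no re-init is needed between calls`. Should this helper ever be passed a MAC implementation that does not reset on doFinal, the second and later iterations would chain onto the previous state instead of restarting, which is exactly the silent failure such a comment guards against. `hmac_hash` continues past the end of this hunk.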