authorPeter Dettman <peter.dettman@bouncycastle.org>2014-04-16 11:32:54 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-04-16 11:32:54 +0400
commit240b9c03eee7fa39d20018d82edc66d244b61d6f (patch)
tree804554d3982b2a96377dfa3a772623948a1193c5 /core/src
parent1b2efc5633397c40766389d56f0267fd94579b28 (diff)
Use a separate PRNG for nonces
Diffstat (limited to 'core/src')
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java15
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java2
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java2
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java6
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java5
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java4
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java2
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java4
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java17
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java2
10 files changed, 33 insertions, 26 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java
index 5e02892e..89e95b85 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java
@@ -2,9 +2,14 @@ package org.bouncycastle.crypto.tls;
import java.security.SecureRandom;
+import org.bouncycastle.crypto.prng.DigestRandomGenerator;
+import org.bouncycastle.crypto.prng.RandomGenerator;
+import org.bouncycastle.util.Times;
+
abstract class AbstractTlsContext
implements TlsContext
{
+ private RandomGenerator nonceRandom;
private SecureRandom secureRandom;
private SecurityParameters securityParameters;
@@ -15,10 +20,20 @@ abstract class AbstractTlsContext
AbstractTlsContext(SecureRandom secureRandom, SecurityParameters securityParameters)
{
+ secureRandom.setSeed(Times.nanoTime());
+
+ this.nonceRandom = new DigestRandomGenerator(TlsUtils.createHash(HashAlgorithm.sha256));
+ this.nonceRandom.addSeedMaterial(secureRandom.generateSeed(32));
+
this.secureRandom = secureRandom;
this.securityParameters = securityParameters;
}
+ public RandomGenerator getNonceRandomGenerator()
+ {
+ return nonceRandom;
+ }
+
public SecureRandom getSecureRandom()
{
return secureRandom;
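Review bot: The `secureRandom.setSeed(Times.nanoTime())` call added at the top of the constructor runs before the caller's SecureRandom has produced any output, and with the JDK's SHA1PRNG provider (the default on some platforms, if I recall its implementation correctly) a seed supplied before the first nextBytes() becomes the sole state rather than a supplement, leaving the application RNG that this class then keeps and hands out through getSecureRandom() driven by eight bytes of nanoTime. Other providers treat setSeed() as additive, so the effect depends on what the caller passed in, which this constructor cannot know. The generateSeed(32) call two lines later reads the provider's entropy source rather than the seeded state, so the new nonce generator is less exposed than the retained SecureRandom. I would drop the setSeed() line, or mix the time into the nonce generator instead, where the worst case is a redundant seed: `this.nonceRandom.addSeedMaterial(Times.nanoTime());`.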
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
index 6f421955..73cfd60b 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
@@ -38,7 +38,7 @@ public class DTLSClientProtocol
state.clientContext = new TlsClientContextImpl(secureRandom, securityParameters);
securityParameters.clientRandom = TlsProtocol.createRandomBlock(client.shouldUseGMTUnixTime(),
- state.clientContext.getSecureRandom(), ExporterLabel.client_random);
+ state.clientContext.getNonceRandomGenerator());
client.init(state.clientContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
index 28a79eb9..5f86eff5 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
@@ -52,7 +52,7 @@ public class DTLSServerProtocol
state.serverContext = new TlsServerContextImpl(secureRandom, securityParameters);
securityParameters.serverRandom = TlsProtocol.createRandomBlock(server.shouldUseGMTUnixTime(),
- state.serverContext.getSecureRandom(), ExporterLabel.server_random);
+ state.serverContext.getNonceRandomGenerator());
server.init(state.serverContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
index 851bffc6..902720ac 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
@@ -6,12 +6,6 @@ package org.bouncycastle.crypto.tls;
public class ExporterLabel
{
/*
- * BC-specific
- */
- static final String client_random = "client random";
- static final String server_random = "server random";
-
- /*
* RFC 5246
*/
public static final String client_finished = "client finished";
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java
index 320a1282..c6a447fc 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java
@@ -50,7 +50,7 @@ public class HeartbeatMessage
output.write(payload);
byte[] padding = new byte[paddingLength];
- context.getSecureRandom().nextBytes(padding);
+ context.getNonceRandomGenerator().nextBytes(padding);
output.write(padding);
}
@@ -87,6 +87,9 @@ public class HeartbeatMessage
int padding_length = buf.size() - payload.length;
+ /*
+ * RFC 6520 4. The padding of a received HeartbeatMessage message MUST be ignored
+ */
return new HeartbeatMessage(type, payload, padding_length);
}
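Review bot: The added comment cites RFC 6520 section 4 for ignoring the padding contents, but the same section also requires padding_length to be at least 16, and the value computed on the line above it is accepted without any lower bound, so unless an earlier part of this method (outside the hunk) checks it, a peer can send a message with no padding at all. I would extend the comment to `RFC 6520 4. The padding of a received HeartbeatMessage message MUST be ignored, but its length MUST be at least 16` and reject short padding before constructing the message, e.g. `if (padding_length < 16) { throw new TlsFatalAlert(AlertDescription.illegal_parameter); }`, assuming the package's usual fatal-alert types. The enclosing parse method starts outside the hunk, so I cannot see whether payload_length is bounded against the record length earlier on.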
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java
index d02d4876..9a79226c 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java
@@ -43,7 +43,7 @@ public class TlsBlockCipher
this.context = context;
this.randomData = new byte[256];
- context.getSecureRandom().nextBytes(randomData);
+ context.getNonceRandomGenerator().nextBytes(randomData);
this.useExplicitIV = TlsUtils.isTLSv11(context);
this.encryptThenMAC = context.getSecurityParameters().encryptThenMAC;
@@ -183,7 +183,7 @@ public class TlsBlockCipher
if (useExplicitIV)
{
byte[] explicitIV = new byte[blockSize];
- context.getSecureRandom().nextBytes(explicitIV);
+ context.getNonceRandomGenerator().nextBytes(explicitIV);
encryptCipher.init(true, new ParametersWithIV(null, explicitIV));
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
index cf98ddb9..5f064560 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
@@ -81,7 +81,7 @@ public class TlsClientProtocol
this.tlsClientContext = new TlsClientContextImpl(secureRandom, securityParameters);
this.securityParameters.clientRandom = createRandomBlock(tlsClient.shouldUseGMTUnixTime(),
- tlsClientContext.getSecureRandom(), ExporterLabel.client_random);
+ tlsClientContext.getNonceRandomGenerator());
this.tlsClient.init(tlsClientContext);
this.recordStream.init(tlsClientContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java
index 33de8e36..b3d7d985 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java
@@ -2,8 +2,12 @@ package org.bouncycastle.crypto.tls;
import java.security.SecureRandom;
+import org.bouncycastle.crypto.prng.RandomGenerator;
+
public interface TlsContext
{
+ RandomGenerator getNonceRandomGenerator();
+
SecureRandom getSecureRandom();
SecurityParameters getSecurityParameters();
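Review bot: `getNonceRandomGenerator()` is added to a public interface without any Javadoc, so nothing tells an implementor or caller how it differs from the neighbouring getSecureRandom(), which matters because the rest of this commit routes client/server random, explicit IVs and heartbeat padding through it. I would document the split, for example `/** Generator for public, non-secret random values (hello randoms, explicit IVs, padding); key material must still come from getSecureRandom(). */`. Note also that adding an abstract method to a public interface breaks any TlsContext implementation outside the library, if such implementations exist; a mention in the commit message or release notes would help those users.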
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
index 6abd3294..85fdd3ec 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
@@ -12,9 +12,9 @@ import java.util.Hashtable;
import java.util.Vector;
import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.prng.RandomGenerator;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.Integers;
-import org.bouncycastle.util.Times;
/**
* An implementation of all high level protocols in TLS 1.0/1.1.
@@ -823,19 +823,10 @@ public abstract class TlsProtocol
}
}
- protected static byte[] createRandomBlock(boolean useGMTUnixTime, SecureRandom random, String asciiLabel)
+ protected static byte[] createRandomBlock(boolean useGMTUnixTime, RandomGenerator randomGenerator)
{
- /*
- * We use the TLS 1.0 PRF on the SecureRandom output, to guard against RNGs where the raw
- * output could be used to recover the internal state.
- */
- byte[] secret = new byte[32];
- random.nextBytes(secret);
-
- byte[] seed = new byte[8];
- TlsUtils.writeUint64(Times.nanoTime(), seed, 0);
-
- byte[] result = TlsUtils.PRF_legacy(secret, asciiLabel, seed, 32);
+ byte[] result = new byte[32];
+ randomGenerator.nextBytes(result);
if (useGMTUnixTime)
{
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index 5994c90a..8499b83e 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -56,7 +56,7 @@ public class TlsServerProtocol
this.tlsServerContext = new TlsServerContextImpl(secureRandom, securityParameters);
this.securityParameters.serverRandom = createRandomBlock(tlsServer.shouldUseGMTUnixTime(),
- tlsServerContext.getSecureRandom(), ExporterLabel.server_random);
+ tlsServerContext.getNonceRandomGenerator());
this.tlsServer.init(tlsServerContext);
this.recordStream.init(tlsServerContext);