author | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-16 11:32:54 +0400 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-16 11:32:54 +0400 |
commit | 240b9c03eee7fa39d20018d82edc66d244b61d6f (patch) | |
tree | 804554d3982b2a96377dfa3a772623948a1193c5 /core/src | |
parent | 1b2efc5633397c40766389d56f0267fd94579b28 (diff) |
Use a separate PRNG for nonces
Diffstat (limited to 'core/src')
10 files changed, 33 insertions, 26 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java
index 5e02892e..89e95b85 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/AbstractTlsContext.java
@@ -2,9 +2,14 @@ package org.bouncycastle.crypto.tls;
 import java.security.SecureRandom;
+import org.bouncycastle.crypto.prng.DigestRandomGenerator;
+import org.bouncycastle.crypto.prng.RandomGenerator;
+import org.bouncycastle.util.Times;
+
 abstract class AbstractTlsContext
 implements TlsContext
 {
+private RandomGenerator nonceRandom;
 private SecureRandom secureRandom;
 private SecurityParameters securityParameters;
@@ -15,10 +20,20 @@ abstract class AbstractTlsContext
 AbstractTlsContext(SecureRandom secureRandom, SecurityParameters securityParameters)
 {
+secureRandom.setSeed(Times.nanoTime());
+
+this.nonceRandom = new DigestRandomGenerator(TlsUtils.createHash(HashAlgorithm.sha256));
+this.nonceRandom.addSeedMaterial(secureRandom.generateSeed(32));
+
 this.secureRandom = secureRandom;
 this.securityParameters = securityParameters;
 }
+public RandomGenerator getNonceRandomGenerator()
+{
+return nonceRandom;
+}
+
 public SecureRandom getSecureRandom()
 {
 return secureRandom;
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
index 6f421955..73cfd60b 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java
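Review bot: `secureRandom.generateSeed(32)` in the AbstractTlsContext constructor draws from the provider's seed source, which on some JDK providers is a blocking device, so constructing a TLS context may stall on an entropy-starved host; if that is acceptable it should be stated, otherwise the 32 seed bytes could be taken with `secureRandom.nextBytes(seed)` from the already-seeded SecureRandom. As far as these hunks show, the DigestRandomGenerator is seeded only once here and never reseeded, so every client/server random, explicit IV and padding byte of a long-lived context descends from that single 32-byte seed plus the SHA-256 state, which deserves a comment on the field such as `// Seeded once from secureRandom; supplies the values sent in clear (randoms, IVs, padding), never key material`. The same contract is absent from the new `RandomGenerator getNonceRandomGenerator();` declaration in TlsContext.java, which carries no Javadoc although every protocol class in this commit now depends on it. The `setSeed(Times.nanoTime())` call supplements rather than replaces SecureRandom's state per its contract, so it cannot reduce entropy, but it also adds none that should be relied upon.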
@@ -38,7 +38,7 @@ public class DTLSClientProtocol
 state.clientContext = new TlsClientContextImpl(secureRandom, securityParameters);
 securityParameters.clientRandom = TlsProtocol.createRandomBlock(client.shouldUseGMTUnixTime(),
-state.clientContext.getSecureRandom(), ExporterLabel.client_random);
+state.clientContext.getNonceRandomGenerator());
 client.init(state.clientContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
index 28a79eb9..5f86eff5 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
@@ -52,7 +52,7 @@ public class DTLSServerProtocol
 state.serverContext = new TlsServerContextImpl(secureRandom, securityParameters);
 securityParameters.serverRandom = TlsProtocol.createRandomBlock(server.shouldUseGMTUnixTime(),
-state.serverContext.getSecureRandom(), ExporterLabel.server_random);
+state.serverContext.getNonceRandomGenerator());
 server.init(state.serverContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
index 851bffc6..902720ac 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/ExporterLabel.java
@@ -6,12 +6,6 @@ package org.bouncycastle.crypto.tls;
 public class ExporterLabel
 {
 /*
-* BC-specific
-*/
-static final String client_random = "client random";
-static final String server_random = "server random";
-
-/*
 * RFC 5246
 */
 public static final String client_finished = "client finished";
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java
index 320a1282..c6a447fc 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/HeartbeatMessage.java
@@ -50,7 +50,7 @@ public class HeartbeatMessage
 output.write(payload);
 byte[] padding = new byte[paddingLength];
-context.getSecureRandom().nextBytes(padding);
+context.getNonceRandomGenerator().nextBytes(padding);
 output.write(padding);
 }
@@ -87,6 +87,9 @@ public class HeartbeatMessage
 int padding_length = buf.size() - payload.length;
+/*
+* RFC 6520 4. The padding of a received HeartbeatMessage message MUST be ignored
+*/
 return new HeartbeatMessage(type, payload, padding_length);
 }
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java
index d02d4876..9a79226c 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsBlockCipher.java
@@ -43,7 +43,7 @@ public class TlsBlockCipher
 this.context = context;
 this.randomData = new byte[256];
-context.getSecureRandom().nextBytes(randomData);
+context.getNonceRandomGenerator().nextBytes(randomData);
 this.useExplicitIV = TlsUtils.isTLSv11(context);
 this.encryptThenMAC = context.getSecurityParameters().encryptThenMAC;
@@ -183,7 +183,7 @@ public class TlsBlockCipher
 if (useExplicitIV)
 {
 byte[] explicitIV = new byte[blockSize];
-context.getSecureRandom().nextBytes(explicitIV);
+context.getNonceRandomGenerator().nextBytes(explicitIV);
 encryptCipher.init(true, new ParametersWithIV(null, explicitIV));
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
index cf98ddb9..5f064560 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
@@ -81,7 +81,7 @@ public class TlsClientProtocol
 this.tlsClientContext = new TlsClientContextImpl(secureRandom, securityParameters);
 this.securityParameters.clientRandom = createRandomBlock(tlsClient.shouldUseGMTUnixTime(),
-tlsClientContext.getSecureRandom(), ExporterLabel.client_random);
+tlsClientContext.getNonceRandomGenerator());
 this.tlsClient.init(tlsClientContext);
 this.recordStream.init(tlsClientContext);
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java
index 33de8e36..b3d7d985 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsContext.java
@@ -2,8 +2,12 @@ package org.bouncycastle.crypto.tls;
 import java.security.SecureRandom;
+import org.bouncycastle.crypto.prng.RandomGenerator;
+
 public interface TlsContext
 {
+RandomGenerator getNonceRandomGenerator();
+
 SecureRandom getSecureRandom();
 SecurityParameters getSecurityParameters();
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
index 6abd3294..85fdd3ec 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
@@ -12,9 +12,9 @@ import java.util.Hashtable;
 import java.util.Vector;
 import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.prng.RandomGenerator;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Integers;
-import org.bouncycastle.util.Times;
 /**
 * An implementation of all high level protocols in TLS 1.0/1.1.
@@ -823,19 +823,10 @@ public abstract class TlsProtocol
 }
 }
-protected static byte[] createRandomBlock(boolean useGMTUnixTime, SecureRandom random, String asciiLabel)
+protected static byte[] createRandomBlock(boolean useGMTUnixTime, RandomGenerator randomGenerator)
 {
-/*
-* We use the TLS 1.0 PRF on the SecureRandom output, to guard against RNGs where the raw
-* output could be used to recover the internal state.
-*/
-byte[] secret = new byte[32];
-random.nextBytes(secret);
-
-byte[] seed = new byte[8];
-TlsUtils.writeUint64(Times.nanoTime(), seed, 0);
-
-byte[] result = TlsUtils.PRF_legacy(secret, asciiLabel, seed, 32);
+byte[] result = new byte[32];
+randomGenerator.nextBytes(result);
 if (useGMTUnixTime)
 {
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index 5994c90a..8499b83e 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -56,7 +56,7 @@ public class TlsServerProtocol
 this.tlsServerContext = new TlsServerContextImpl(secureRandom, securityParameters);
 this.securityParameters.serverRandom = createRandomBlock(tlsServer.shouldUseGMTUnixTime(),
-tlsServerContext.getSecureRandom(), ExporterLabel.server_random);
+tlsServerContext.getNonceRandomGenerator());
 this.tlsServer.init(tlsServerContext);
 this.recordStream.init(tlsServerContext);
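Review bot: The comment deleted from createRandomBlock was the only statement of why the handshake random is not raw SecureRandom output, and the new two-line body gives no replacement, so the reason for taking a `RandomGenerator` (the hash-based nonce generator seeded in AbstractTlsContext) is now undocumented at the point where the value is produced and put on the wire. A line above `byte[] result = new byte[32];` such as `// randomGenerator is the context's nonce PRNG (see AbstractTlsContext): its output is meant for values sent in clear, not for secrets` would preserve that knowledge. The nanosecond timestamp that this method used to mix in via `TlsUtils.writeUint64(Times.nanoTime(), seed, 0)` has moved to `secureRandom.setSeed(Times.nanoTime())` in the context constructor, which is worth noting here so it is not re-added. `randomGenerator` is not null-checked, though every caller in this commit passes `getNonceRandomGenerator()`; the `useGMTUnixTime` branch continues past the end of the hunk.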