From 9c9a768735900610a339318bf38267c908fe8dd5 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Thu, 3 Apr 2014 10:06:00 +0700
Subject: Avoid revealing raw RNG output in the random block

---
 .../java/org/bouncycastle/crypto/tls/TlsProtocol.java | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'core/src/main/java/org')

diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
index 22a242a6..6f09a0ff 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsProtocol.java
@@ -14,6 +14,7 @@ import java.util.Vector;
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Integers;
+import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.Times;
 
 /**
@@ -825,10 +826,21 @@ public abstract class TlsProtocol
 
     protected static byte[] createRandomBlock(boolean useGMTUnixTime, SecureRandom random)
     {
-        random.setSeed(Times.nanoTime());
-
+        /*
+         * We hash the SecureRandom output here to guard against RNGs where the raw output could be
+         * used to recover the internal state.
+         */
         byte[] result = new byte[32];
+        Digest d = TlsUtils.createHash(HashAlgorithm.sha256);
+
+        TlsUtils.writeUint64(Times.nanoTime(), result, 0);
+        Strings.toByteArray("BouncyCastle TlsProtocol", result, 8);
+        d.update(result, 0, 32);
+        random.nextBytes(result);
+        d.update(result, 0, 32);
+
+        d.doFinal(result, 0);
 
         if (useGMTUnixTime)
         {
-- 
cgit v1.2.3
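Review bot: The buffer layout in the new body of `createRandomBlock` rests on an unstated invariant: `TlsUtils.writeUint64` fills bytes 0–7 and the 24-character label written by `Strings.toByteArray(..., result, 8)` fills bytes 8–31, so the 32-byte `result` is covered exactly, and a later edit to the label would either overrun the array or leave stale bytes in the hashed input with nothing to catch it. I would pin that down with a comment above the two writes, `// 8-byte nanoTime + 24-byte label fill the 32-byte block exactly; keep them in step`, or an explicit length check. The header comment could also state that the hashing is defense in depth only — SHA-256 over the output hides the raw bytes but adds no entropy, so `random` must still be a strong source — and that reusing `result` as the scratch buffer is what guarantees the raw RNG bytes are overwritten by `d.doFinal`. `createRandomBlock` continues past the hunk, where the `useGMTUnixTime` branch presumably overwrites the leading bytes of the hashed block.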