1105 // Nonces are dumped with connection keygen, no 1106 // benefit to doing it twice 1107 } 1108 1109 // What algs/params do we need to use? 1110 String masterAlg; 1111 PRF prf; 1112 1113 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1114 masterAlg = "SunTls12MasterSecret"; 1115 prf = cipherSuite.prfAlg; 1116 } else { 1117 masterAlg = "SunTlsMasterSecret"; 1118 prf = P_NONE; 1119 } 1120 1121 String prfHashAlg = prf.getPRFHashAlg(); 1122 int prfHashLength = prf.getPRFHashLength(); 1123 int prfBlockSize = prf.getPRFBlockSize(); 1124 1125 TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec( 1126 preMasterSecret, protocolVersion.major, protocolVersion.minor, 1127 clnt_random.random_bytes, svr_random.random_bytes, 1128 prfHashAlg, prfHashLength, prfBlockSize); 1129 1130 try { 1131 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg); 1132 kg.init(spec); 1133 return kg.generateKey(); 1134 } catch (InvalidAlgorithmParameterException | 1135 NoSuchAlgorithmException iae) { 1136 // unlikely to happen, otherwise, must be a provider exception 1137 // 1138 // For RSA premaster secrets, do not signal a protocol error 1139 // due to the Bleichenbacher attack. See comments further down. 1140 if (debug != null && Debug.isOn("handshake")) { 1141 System.out.println("RSA master secret generation error:"); 1142 iae.printStackTrace(System.out); 1143 } 1144 throw new ProviderException(iae); 1145 1146 } 1147 } 1148 1149 /* 1150 * Calculate the keys needed for this connection, once the session's 1151 * master secret has been calculated. Uses the master key and nonces; 1152 * the amount of keying material generated is a function of the cipher 1153 * suite that's been negotiated. 1154 * 1155 * This gets called both on the "full handshake" (where we exchanged 1156 * a premaster secret and started a new session) as well as on the 1157 * "fast handshake" (where we just resumed a pre-existing session). 1158 */ 1159 void calculateConnectionKeys(SecretKey masterKey) { 1160 /* 1161 * For both the read and write sides of the protocol, we use the 1162 * master to generate MAC secrets and cipher keying material. Block 1163 * ciphers need initialization vectors, which we also generate. 1164 * 1165 * First we figure out how much keying material is needed. 1166 */ 1167 int hashSize = cipherSuite.macAlg.size; 1168 boolean is_exportable = cipherSuite.exportable; 1169 BulkCipher cipher = cipherSuite.cipher; 1170 int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0; 1171 1172 // Which algs/params do we need to use? 1173 String keyMaterialAlg; 1174 PRF prf; 1175 1176 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1177 keyMaterialAlg = "SunTls12KeyMaterial"; 1178 prf = cipherSuite.prfAlg; | 1105 // Nonces are dumped with connection keygen, no 1106 // benefit to doing it twice 1107 } 1108 1109 // What algs/params do we need to use? 1110 String masterAlg; 1111 PRF prf; 1112 1113 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1114 masterAlg = "SunTls12MasterSecret"; 1115 prf = cipherSuite.prfAlg; 1116 } else { 1117 masterAlg = "SunTlsMasterSecret"; 1118 prf = P_NONE; 1119 } 1120 1121 String prfHashAlg = prf.getPRFHashAlg(); 1122 int prfHashLength = prf.getPRFHashLength(); 1123 int prfBlockSize = prf.getPRFBlockSize(); 1124 1125 @SuppressWarnings("deprecation") 1126 TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec( 1127 preMasterSecret, protocolVersion.major, protocolVersion.minor, 1128 clnt_random.random_bytes, svr_random.random_bytes, 1129 prfHashAlg, prfHashLength, prfBlockSize); 1130 1131 try { 1132 KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg); 1133 kg.init(spec); 1134 return kg.generateKey(); 1135 } catch (InvalidAlgorithmParameterException | 1136 NoSuchAlgorithmException iae) { 1137 // unlikely to happen, otherwise, must be a provider exception 1138 // 1139 // For RSA premaster secrets, do not signal a protocol error 1140 // due to the Bleichenbacher attack. See comments further down. 1141 if (debug != null && Debug.isOn("handshake")) { 1142 System.out.println("RSA master secret generation error:"); 1143 iae.printStackTrace(System.out); 1144 } 1145 throw new ProviderException(iae); 1146 1147 } 1148 } 1149 1150 /* 1151 * Calculate the keys needed for this connection, once the session's 1152 * master secret has been calculated. Uses the master key and nonces; 1153 * the amount of keying material generated is a function of the cipher 1154 * suite that's been negotiated. 1155 * 1156 * This gets called both on the "full handshake" (where we exchanged 1157 * a premaster secret and started a new session) as well as on the 1158 * "fast handshake" (where we just resumed a pre-existing session). 1159 */ 1160 @SuppressWarnings("deprecation") 1161 void calculateConnectionKeys(SecretKey masterKey) { 1162 /* 1163 * For both the read and write sides of the protocol, we use the 1164 * master to generate MAC secrets and cipher keying material. Block 1165 * ciphers need initialization vectors, which we also generate. 1166 * 1167 * First we figure out how much keying material is needed. 1168 */ 1169 int hashSize = cipherSuite.macAlg.size; 1170 boolean is_exportable = cipherSuite.exportable; 1171 BulkCipher cipher = cipherSuite.cipher; 1172 int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0; 1173 1174 // Which algs/params do we need to use? 1175 String keyMaterialAlg; 1176 PRF prf; 1177 1178 if (protocolVersion.v >= ProtocolVersion.TLS12.v) { 1179 keyMaterialAlg = "SunTls12KeyMaterial"; 1180 prf = cipherSuite.prfAlg; |