Updating to latest - SecurityParameters change

Andrew Kennedy
Hi,

I have an old project that I am updating and have run into a small issue which I need some guidance on.

I have been running bc153 and wanted to move to the latest or at least something newer so I moved to 159, which failed and have tracked back to the 156 release when my code stops working.

From my current investigation I can see that in the SecurityParameters object the getMasterSecret is no longer populated - so I assume is no longer calculated for some reason, which I need to export key material.

I will be digging through the source code differences between 155 and 156 (will take me some time) and thought someone here may know of a change/fix/issue which is causing this? and any pointers where I can look to speed up my investigation.

Andrew.

Re: Updating to latest - SecurityParameters change

Peter Dettman-3
Hi Andrew,

I think what changed is that the master secret is now cleared from the
context after the handshake completes. The intended place to call
TlsContext.exportKeyingMaterial is from the notifyHandshakeComplete
callback, when the handshake has succeeded and the master secret is
still available.

If you are still using the classes in org.bouncycastle.crypto.tls,
please consider moving to the new API (org.bouncycastle.tls), which is
available in a separate jar (bctls-jdk15on). New development happens
there, although security fixes are still applied to the old one. Apart
from the package name, the API changes should be minor for most users.
The new jar also includes a JSSE provider ("BCJSSE").

Regards,
Pete Dettman


On 12/2/18 9:58 pm, Andrew Kennedy wrote:

> Hi,
>
> I have an old project that I am updating and have run into a small issue
> which I need some guidance on.
>
> I have been running bc153 and wanted to move to the latest or at least
> something newer so I moved to 159, which failed and have tracked back to
> the 156 release when my code stops working.
>
> From my current investigation I can see that in the SecurityParameters
> object the getMasterSecret is no longer populated - so I assume is no
> longer calculated for some reason, which I need to export key material.
>
> I will be digging through the source code differences between 155 and
> 156 (will take me some time) and thought someone here may know of a
> change/fix/issue which is causing this? and any pointers where I can
> look to speed up my investigation.
>
> Andrew.
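
The approach described in the reply above, sketched as an added example (not code from the thread or from the Bouncy Castle project) against the old `org.bouncycastle.crypto.tls` API: the export happens inside `notifyHandshakeComplete`, so nothing outside the callback reads the master secret. The class name, exporter label and output length are hypothetical placeholders.

```java
import java.io.IOException;

import org.bouncycastle.crypto.tls.DefaultTlsClient;

/**
 * Hypothetical client that exports keying material during the
 * handshake-complete callback instead of reading
 * SecurityParameters.getMasterSecret() after the handshake.
 *
 * Left abstract on purpose: the subclass still has to implement
 * getAuthentication() with real server certificate validation.
 */
public abstract class ExportingTlsClient extends DefaultTlsClient {

    // Placeholder values: use the label and length your protocol defines.
    private static final String EXPORTER_LABEL = "EXPORTER-example-label";
    private static final int EXPORT_LENGTH = 32;

    private byte[] exported;

    @Override
    public void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        // 'context' is the TlsClientContext stored by AbstractTlsClient.init().
        // The master secret is still present at this point; per the reply
        // above, it is cleared from the context once the handshake completes.
        exported = context.exportKeyingMaterial(EXPORTER_LABEL, null, EXPORT_LENGTH);
    }

    /**
     * Hands the exported bytes to the caller exactly once and drops this
     * object's reference, so the key material has a single owner who can
     * zero it when finished.
     */
    public synchronized byte[] takeExportedKeyingMaterial() {
        if (exported == null) {
            throw new IllegalStateException("handshake not complete or material already taken");
        }
        byte[] out = exported;
        exported = null;
        return out;
    }
}
```

A concrete subclass is passed to `TlsClientProtocol.connect(...)` as usual, and `takeExportedKeyingMaterial()` is called once `connect` has returned.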



Re: Updating to latest - SecurityParameters change

Andrew Kennedy
Pete,

That did the trick and certainly saved some digging around. It also appears to be the only hurdle to get to the latest, which is brilliant, so thank you.

I think moving to the new API is in order, just somewhat more challenging based on testing etc. and no doubt I'll be back for more help when I do :)

Thanks again,

Andrew.


On Tue, Feb 13, 2018 at 2:10 AM, Peter Dettman <[hidden email]> wrote:
Hi Andrew,

I think what changed is that the master secret is now cleared from the
context after the handshake completes. The intended place to call
TlsContext.exportKeyingMaterial is from the notifyHandshakeComplete
callback, when the handshake has succeeded and the master secret is
still available.

If you are still using the classes in org.bouncycastle.crypto.tls,
please consider moving to the new API (org.bouncycastle.tls), which is
available in a separate jar (bctls-jdk15on). New development happens
there, although security fixes are still applied to the old one. Apart
from the package name, the API changes should be minor for most users.
The new jar also includes a JSSE provider ("BCJSSE").

Regards,
Pete Dettman


On 12/2/18 9:58 pm, Andrew Kennedy wrote:
> Hi,
>
> I have an old project that I am updating and have run into a small issue
> which I need some guidance on.
>
> I have been running bc153 and wanted to move to the latest or at least
> something newer so I moved to 159, which failed and have tracked back to
> the 156 release when my code stops working.
>
> From my current investigation I can see that in the SecurityParameters
> object the getMasterSecret is no longer populated - so I assume is no
> longer calculated for some reason, which I need to export key material.
>
> I will be digging through the source code differences between 155 and
> 156 (will take me some time) and thought someone here may know of a
> change/fix/issue which is causing this? and any pointers where I can
> look to speed up my investigation.
>
> Andrew.