Add calls to TlsHandshakeHash.stopTracking()

Add TODOs to reconsider how the server calculates the CertificateVerify
handshake hash for TLS 1.2

1 files changed, 9 insertions, 1 deletions

diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index 9f8494d3..fdde1beb 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -5,7 +5,6 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.security.SecureRandom;
-import java.util.Hashtable;
 import java.util.Vector;
 
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
@@ -287,8 +286,12 @@ public class TlsServerProtocol
                 {
                     throw new TlsFatalAlert(AlertDescription.unexpected_message);
                 }
+
                 receiveCertificateVerifyMessage(buf);
                 this.connection_state = CS_CERTIFICATE_VERIFY;
+
+                this.recordStream.getHandshakeHash().stopTracking();
+
                 break;
             }
             default:
@@ -572,8 +575,13 @@ public class TlsServerProtocol
 
         if (expectCertificateVerifyMessage())
         {
+            // TODO For TLS 1.2, this can't be calculated until we see what hash algorithm the sender used
             this.certificateVerifyHash = recordStream.getCurrentHash(null);
         }
+        else
+        {
+            this.recordStream.getHandshakeHash().stopTracking();
+        }
     }
 
     protected void sendCertificateRequestMessage(CertificateRequest certificateRequest)