Release key exchange earlier

Author: peterdettman

tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java

@@ -322,6 +322,8 @@ protected DTLSTransport clientHandshake(ClientHandshakeState state)
         securityParameters.sessionHash = TlsUtils.getCurrentPRFHash(handshake.getHandshakeHash());
 
         TlsProtocol.establishMasterSecret(clientContext, state.keyExchange);
+        state.keyExchange = null;
+
         recordLayer.initPendingEpoch(TlsUtils.initCipher(clientContext));
 
         if (clientAuthSigner != null)

tls/src/main/java/org/bouncycastle/tls/DTLSServerProtocol.java

@@ -345,6 +345,8 @@ protected DTLSTransport serverHandshake(ServerHandshakeState state, DTLSRequest
         securityParameters.sessionHash = TlsUtils.getCurrentPRFHash(handshake.getHandshakeHash());
 
         TlsProtocol.establishMasterSecret(serverContext, state.keyExchange);
+        state.keyExchange = null;
+
         recordLayer.initPendingEpoch(TlsUtils.initCipher(serverContext));
 
         /*

tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java

@@ -551,7 +551,7 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                 handleServerCertificate();
 
                 // There was no server key exchange message; check it's OK
-                this.keyExchange.skipServerKeyExchange();
+                keyExchange.skipServerKeyExchange();
 
                 // NB: Fall through to next case label
             }
@@ -645,6 +645,8 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                     establishMasterSecret(tlsClientContext, keyExchange);
                 }
 
+                this.keyExchange = null;
+
                 recordStream.setPendingCipher(TlsUtils.initCipher(tlsClientContext));
 
                 if (clientAuthSigner != null)
@@ -688,7 +690,7 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
             {
                 handleServerCertificate();
 
-                this.keyExchange.processServerKeyExchange(buf);
+                keyExchange.processServerKeyExchange(buf);
 
                 assertEmpty(buf);
                 break;
@@ -710,7 +712,7 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                 handleServerCertificate();
 
                 // There was no server key exchange message; check it's OK
-                this.keyExchange.skipServerKeyExchange();
+                keyExchange.skipServerKeyExchange();
 
                 // NB: Fall through to next case label
             }
@@ -1993,7 +1995,7 @@ protected void sendClientKeyExchange()
         throws IOException
     {
         HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.client_key_exchange);
-        this.keyExchange.generateClientKeyExchange(message);
+        keyExchange.generateClientKeyExchange(message);
         message.send(this);
     }
 

tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java

@@ -1121,11 +1121,11 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                     ByteArrayOutputStream endPointHash = new ByteArrayOutputStream();
                     if (null == serverCredentials)
                     {
-                        this.keyExchange.skipServerCredentials();
+                        keyExchange.skipServerCredentials();
                     }
                     else
                     {
-                        this.keyExchange.processServerCredentials(serverCredentials);
+                        keyExchange.processServerCredentials(serverCredentials);
 
                         serverCertificate = serverCredentials.getCertificate();
                         sendCertificateMessage(serverCertificate, endPointHash);
@@ -1151,7 +1151,7 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                     }
                 }
 
-                byte[] serverKeyExchange = this.keyExchange.generateServerKeyExchange();
+                byte[] serverKeyExchange = keyExchange.generateServerKeyExchange();
                 if (serverKeyExchange != null)
                 {
                     sendServerKeyExchangeMessage(serverKeyExchange);
@@ -1181,7 +1181,7 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                             throw new TlsFatalAlert(AlertDescription.internal_error);
                         }
 
-                        this.certificateRequest = TlsUtils.validateCertificateRequest(this.certificateRequest, this.keyExchange);
+                        this.certificateRequest = TlsUtils.validateCertificateRequest(certificateRequest, keyExchange);
 
                         TlsUtils.establishServerSigAlgs(securityParameters, certificateRequest);
 
@@ -1270,7 +1270,7 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
             {
                 if (null == certificateRequest)
                 {
-                    this.keyExchange.skipClientCredentials();
+                    keyExchange.skipClientCredentials();
                 }
                 else if (TlsUtils.isTLSv12(tlsServerContext))
                 {
@@ -1536,6 +1536,8 @@ protected void receiveClientKeyExchangeMessage(ByteArrayInputStream buf)
             establishMasterSecret(tlsServerContext, keyExchange);
         }
 
+        this.keyExchange = null;
+
         recordStream.setPendingCipher(TlsUtils.initCipher(tlsServerContext));
 
         if (!expectCertificateVerifyMessage())