From 1b8c86092fac86fc5d2af1528306b1d320cbfcbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20Grubbstr=C3=B6m=20=28Grubba=29?=
 <grubba@grubba.org>
Date: Thu, 10 Mar 2011 13:29:42 +0100
Subject: [PATCH] SSL: Validate the server handshake in client mode.

---
 lib/modules/SSL.pmod/handshake.pike | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/modules/SSL.pmod/handshake.pike b/lib/modules/SSL.pmod/handshake.pike
index c347d256e0..fb02188f9e 100644
--- a/lib/modules/SSL.pmod/handshake.pike
+++ b/lib/modules/SSL.pmod/handshake.pike
@@ -1609,6 +1609,15 @@ werror("sending certificate: " + Standards.PKCS.Certificate.get_dn_string(Tools.
 
       server_verify_data = input->get_fix_string(12);
 
+      string my_digest = hash_messages(version[1]?"server finished":"SRVR");
+      if (my_digest != server_verify_data) {
+	SSL3_DEBUG_MSG("digests differ\n");
+	send_packet(Alert(ALERT_fatal, ALERT_unexpected_message, version[1],
+			  "SSL.session->handle_handshake: unexpected message\n",
+			  backtrace()));
+	return -1;
+      }
+
       return 1;			// We're done shaking hands
     }
     }
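Review bot: The new comparison `my_digest != server_verify_data` checks against a value read with a fixed `get_fix_string(12)`, although the label choice `version[1]?"server finished":"SRVR"` shows the SSL 3.0 path is still handled here. An SSL 3.0 Finished message carries 36 bytes (MD5 plus SHA-1), so if `hash_messages("SRVR")` returns the full 36-byte value, which cannot be confirmed from this hunk, the check will reject every SSL 3.0 server. Reading `input->get_fix_string(version[1] ? 12 : 36)` on the context line above would keep the two sides the same length. The mismatch is also reported as `ALERT_unexpected_message` with the text "unexpected message"; `ALERT_handshake_failure` and a message that names the verify_data mismatch would let logs tell a tampered handshake apart from an out-of-order one. The enclosing function starts outside the hunk, so the SSL 3.0 handling earlier in it should be confirmed before changing the read length.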
-- 
GitLab