From 735d669887723eaf587cf8f233362988d3047a2f Mon Sep 17 00:00:00 2001
From: Simon Rozman <simon@rozman.si>
Date: Sun, 14 Aug 2016 16:32:28 +0200
Subject: [PATCH] Check for "change cipher spec" before server "finished"
 message added

---
 lib/TLS/src/Method.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp
index d78bbf4..fc29a0d 100644
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@@ -1074,6 +1074,9 @@ void eap::method_tls::process_handshake(_In_bytecount_(msg_size) const void *_ms
                 break;
 
             case tls_handshake_type_finished: {
+                if (!m_cipher_spec)
+                    throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, __FUNCTION__ " Finished message should be encrypted.");
+
                 // According to https://tools.ietf.org/html/rfc5246#section-7.4.9 all verify_data is 12B.
                 if (rec_end - rec != 12)
                     throw win_runtime_error(EAP_E_EAPHOST_METHOD_INVALID_PACKET, string_printf(__FUNCTION__ " Finished record size incorrect (expected 12B, received %uB).", rec_end - rec));