Switch to legacy method late in tls13_use_legacy_stack()

If memory allocation of s->init_buf fails in ssl3_setup_init_buffer()
during downgrade to the legacy stack, the legacy state machine would
resume with an incorrectly set up SSL, resulting in a NULL dereference.
The fix is to switch to the legacy method only after the SSL is fully
set up. There is a second part to this fix, which will be committed
once we manage to agree on the color of the bikeshed.

Detailed analysis and patch from Masaru Masuda, many thanks!
https://github.com/libressl/openbsd/issues/146

ok jsing

diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c
index 1d6a5a1..e9aca07 100644 (file)
--- a/lib/libssl/tls13_legacy.c
+++ b/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tls13_legacy.c,v 1.40 2022/11/26 16:08:56 tb Exp $ */
+/*     $OpenBSD: tls13_legacy.c,v 1.41 2023/11/28 13:19:04 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -322,8 +322,6 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
 
        memset(&cbb, 0, sizeof(cbb));
 
-       s->method = tls_legacy_method();
-
        if (!ssl3_setup_init_buffer(s))
                goto err;
        if (!ssl3_setup_buffers(s))
@@ -370,6 +368,12 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
        s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
        s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
 
+       /*
+        * Only switch the method after initialization is complete
+        * as we start part way into the legacy state machine.
+        */
+       s->method = tls_legacy_method();
+
        return 1;
 
  err: