From dd7d88cbe18508044063c2e8302f53f87ee7e90d Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 28 Nov 2023 13:19:04 +0000
Subject: [PATCH] Switch to legacy method late in tls13_use_legacy_stack()

If memory allocation of s->init_buf fails in ssl3_setup_init_buffer() during downgrade to the legacy stack, the legacy state machine would resume with an incorrectly set up SSL, resulting in a NULL dereference. The fix is to switch to the legacy method only after the SSL is fully set up. There is a second part to this fix, which will be committed once we manage to agree on the color of the bikeshed.

Detailed analysis and patch from Masaru Masuda, many thanks!

https://github.com/libressl/openbsd/issues/146

ok jsing
---
 lib/libssl/tls13_legacy.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c
index 1d6a5a12994..e9aca070e9e 100644
--- a/lib/libssl/tls13_legacy.c
+++ b/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_legacy.c,v 1.40 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls13_legacy.c,v 1.41 2023/11/28 13:19:04 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -322,8 +322,6 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)

 memset(&cbb, 0, sizeof(cbb));

- s->method = tls_legacy_method();
-
 if (!ssl3_setup_init_buffer(s))
 goto err;
 if (!ssl3_setup_buffers(s))
@@ -370,6 +368,12 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
 s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
 s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;

+ /*
+ * Only switch the method after initialization is complete
+ * as we start part way into the legacy state machine.
+ */
+ s->method = tls_legacy_method();
+
 return 1;

 err:
-- 
2.20.1
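Review bot: The comment added in the third hunk explains the ordering only for the success path; it does not state the invariant the fix relies on, namely that every `goto err` above must leave `s->method` untouched. I would extend it with a sentence such as `On any failure above, s->method must still be the TLSv1.3 method so the legacy state machine never runs on a partially set up SSL.`, so that a later change does not move the assignment back up or add a fallible call after it. The `err:` body and the callers of tls13_use_legacy_stack() are outside these hunks, so whether they stop the handshake on a 0 return cannot be confirmed from here; the commit message itself says a second part of the fix is still pending. A regression test that forces ssl3_setup_init_buffer() to fail during the downgrade would pin the behaviour.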