Switch to legacy method late in tls13_use_legacy_stack()

If memory allocation of s->init_buf fails in ssl3_setup_init_buffer()
during downgrade to the legacy stack, the legacy state machine would
resume with an incorrectly set up SSL, resulting in a NULL dereference.
The fix is to switch to the legacy method only after the SSL is fully
set up. There is a second part to this fix, which will be committed
once we manage to agree on the color of the bikeshed.

Detailed analysis and patch from Masaru Masuda, many thanks!
https://github.com/libressl/openbsd/issues/146

ok jsing

1 files changed, 7 insertions, 3 deletions

diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 1d6a5a1299..e9aca070e9 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.40 2022/11/26 16:08:56 tb Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.41 2023/11/28 13:19:04 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -322,8 +322,6 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
 
         memset(&cbb, 0, sizeof(cbb));
 
-        s->method = tls_legacy_method();
-
         if (!ssl3_setup_init_buffer(s))
                 goto err;
         if (!ssl3_setup_buffers(s))
@@ -370,6 +368,12 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
         s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
         s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
 
+        /*
+         * Only switch the method after initialization is complete
+         * as we start part way into the legacy state machine.
+         */
+        s->method = tls_legacy_method();
+
         return 1;
 
  err: