Correct legacy fallback for TLSv1.3 client.

When falling back to the legacy TLS client, in the case where a server has
sent a TLS record that contains more than one handshake message, we also
need to stash the unprocessed record data for later processing. Otherwise
we end up with missing handshake data.

ok beck@ tb@

3 files changed, 30 insertions, 9 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index b842cbd39c..4ec29ea956 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.21 2020/01/21 03:40:05 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.22 2020/01/21 12:08:04 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -115,14 +115,28 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
         if (s->bbio != s->wbio)
                 s->wbio = BIO_push(s->bbio, s->wbio);
 
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
-                goto err;
+        /* Stash any unprocessed data from the last record. */
+        tls13_record_layer_rbuf(ctx->rl, &cbs);
+        if (CBS_len(&cbs) > 0) {
+                if (!CBS_write_bytes(&cbs,
+                    S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
+                    S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
+                        goto err;
 
-        if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4))
-                goto err;
+                S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
+                S3I(s)->rbuf.left = CBS_len(&cbs);
+                S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
+                S3I(s)->rrec.length = CBS_len(&cbs);
+                s->internal->rstate = SSL_ST_READ_BODY;
+                s->internal->packet = S3I(s)->rbuf.buf;
+                s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
+                s->internal->mac_packet = 1;
+        }
 
-        if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4,
-            s->internal->init_buf->length - 4, NULL))
+        /* Stash the current handshake message. */
+        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
+        if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
+            s->internal->init_buf->length, NULL))
                 goto err;
 
         S3I(s)->tmp.reuse_message = 1;
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 530ace41af..3ee73782ec 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.38 2020/01/21 03:40:05 beck Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.39 2020/01/21 12:08:04 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -116,6 +116,7 @@ struct tls13_record_layer *tls13_record_layer_new(tls13_read_cb wire_read,
     tls13_phh_recv_cb phh_recv_cb,
     tls13_phh_sent_cb phh_sent_cb, void *cb_arg);
 void tls13_record_layer_free(struct tls13_record_layer *rl);
+void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs);
 void tls13_record_layer_set_aead(struct tls13_record_layer *rl,
     const EVP_AEAD *aead);
 void tls13_record_layer_set_hash(struct tls13_record_layer *rl,
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index e1007b3f7b..a6b00a83b3 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.17 2020/01/20 22:04:17 beck Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.18 2020/01/21 12:08:04 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -154,6 +154,12 @@ tls13_record_layer_free(struct tls13_record_layer *rl)
         freezero(rl, sizeof(struct tls13_record_layer));
 }
 
+void
+tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs)
+{
+        CBS_dup(&rl->rbuf_cbs, cbs);
+}
+
 static int
 tls13_record_layer_inc_seq_num(uint8_t *seq_num)
 {