authorjsing <jsing@openbsd.org>2020-01-21 12:08:04 +0000
committerjsing <jsing@openbsd.org>2020-01-21 12:08:04 +0000
commit05ea345ac2e4b9a10168612d7432294103bd0787 (patch)
tree013ef205f1b8725ed98d8f2b4cb0350cb18adcff /lib/libssl/tls13_client.c
parentReport sent or received errors (normally not both at the same time). (diff)
Correct legacy fallback for TLSv1.3 client.
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data. ok beck@ tb@
Diffstat (limited to 'lib/libssl/tls13_client.c')
-rw-r--r--lib/libssl/tls13_client.c28
1 files changed, 21 insertions, 7 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index b842cbd39cb..4ec29ea9564 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.21 2020/01/21 03:40:05 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.22 2020/01/21 12:08:04 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -115,14 +115,28 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
if (s->bbio != s->wbio)
s->wbio = BIO_push(s->bbio, s->wbio);
- if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
- goto err;
+ /* Stash any unprocessed data from the last record. */
+ tls13_record_layer_rbuf(ctx->rl, &cbs);
+ if (CBS_len(&cbs) > 0) {
+ if (!CBS_write_bytes(&cbs,
+ S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
+ S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
+ goto err;
- if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4))
- goto err;
+ S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
+ S3I(s)->rbuf.left = CBS_len(&cbs);
+ S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
+ S3I(s)->rrec.length = CBS_len(&cbs);
+ s->internal->rstate = SSL_ST_READ_BODY;
+ s->internal->packet = S3I(s)->rbuf.buf;
+ s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
+ s->internal->mac_packet = 1;
+ }
- if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4,
- s->internal->init_buf->length - 4, NULL))
+ /* Stash the current handshake message. */
+ tls13_handshake_msg_data(ctx->hs_msg, &cbs);
+ if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
+ s->internal->init_buf->length, NULL))
goto err;
S3I(s)->tmp.reuse_message = 1;
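Review bot: The copy into `S3I(s)->rbuf.buf` takes its bound from `S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH` without checking in this hunk that the legacy read buffer exists and is longer than a record header. If `rbuf.len` is an unsigned size, as it appears to be, a shorter buffer would wrap that bound and defeat the length check `CBS_write_bytes` performs. The buffer setup is outside the hunk, so this may already be guaranteed, but `if (S3I(s)->rbuf.buf == NULL || S3I(s)->rbuf.len <= SSL3_RT_HEADER_LENGTH) goto err;` before the copy would make the invariant local. Separately, the removed `BUF_MEM_grow_clean` call has no replacement, so the handshake-message copy now succeeds only when `init_buf` is already at least `CBS_len(&cbs)` long; consider `if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) goto err;` ahead of it. The body of tls13_use_legacy_client starts and ends outside the hunk.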