untrusted comment: signature from openbsd 6.0 base secret key
RWSho3oKSqgLQxiq51WTIK3qrNKc5AWhXdPYQuvyLDUcT1XyY0eMjaeMElPHQNTmLhh71i2s2ioVSx7VX+y78HVn9KT09SJItA4=

OpenBSD 6.0 errata 022, May 7, 2017:

Incorrect DTLS cookie handling can result in a NULL pointer dereference.

Apply by doing:
   signify -Vep /etc/signify/openbsd-60-base.pub -x 022_libssl.patch.sig \
       -m - | (cd /usr/src && patch -p0)

And then rebuild and install libssl:
       cd /usr/src/lib/libssl/ssl
       make obj
       make depend
       make
       make install

Index: lib/libssl/src/ssl/s3_srvr.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/Attic/s3_srvr.c,v
retrieving revision 1.126.2.1
retrieving revision 1.126.2.2
diff -u -p -r1.126.2.1 -r1.126.2.2
--- lib/libssl/src/ssl/s3_srvr.c        3 Oct 2016 11:23:13 -0000       1.126.2.1
+++ lib/libssl/src/ssl/s3_srvr.c        30 Apr 2017 00:06:09 -0000      1.126.2.2
@@ -721,7 +721,7 @@ ssl3_send_hello_request(SSL *s)
int
ssl3_get_client_hello(SSL *s)
{
-       int i, j, ok, al, ret = -1;
+       int i, j, ok, al, ret = -1, cookie_valid = 0;
       unsigned int cookie_len;
       long n;
       unsigned long id;
@@ -887,7 +887,7 @@ ssl3_get_client_hello(SSL *s)
                               goto f_err;
                       }

-                       ret = 2;
+                       cookie_valid = 1;
               }

               p += cookie_len;
@@ -1070,8 +1070,8 @@ ssl3_get_client_hello(SSL *s)
               goto err;
       }

-       if (ret < 0)
-               ret = 1;
+       ret = cookie_valid ? 2 : 1;
+
       if (0) {
truncated:
               al = SSL_AD_DECODE_ERROR;

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.