untrusted comment: verify with openbsd-65-base.pub
RWSZaRmt1LEQT3TThgQiq2HdT7FAYv5cled4KUjgqIgZTO8TP4k0TyYknYO9o/X0LNPj6f7FAHY0j9s0zcyOGhzr35whT4ycNQs=

OpenBSD 6.5 errata 005, June 10, 2019:

TLS handshake fails if a client supporting TLS 1.3 tries to connect to
an OpenBSD server and sends a key share extension that does not include
X25519.

Apply by doing:
   signify -Vep /etc/signify/openbsd-65-base.pub -x 005_libssl.patch.sig \
       -m - | (cd /usr/src && patch -p0)

And then rebuild and install libssl:
   cd /usr/src/lib/libssl
   make obj
   make
   make install

Index: lib/libssl/ssl_tlsext.c
===================================================================
RCS file: /cvs/src/lib/libssl/ssl_tlsext.c,v
retrieving revision 1.44.2.1
diff -u -p -r1.44.2.1 ssl_tlsext.c
--- lib/libssl/ssl_tlsext.c     15 May 2019 19:25:15 -0000      1.44.2.1
+++ lib/libssl/ssl_tlsext.c     5 Jun 2019 14:26:13 -0000
@@ -1269,7 +1269,6 @@ tlsext_keyshare_server_parse(SSL *s, CBS
       CBS key_exchange;
       uint16_t group;
       size_t out_len;
-       int ret = 0;

       if (!CBS_get_u16_length_prefixed(cbs, &client_shares))
               goto err;
@@ -1301,11 +1300,9 @@ tlsext_keyshare_server_parse(SSL *s, CBS
               if (!CBS_stow(&key_exchange, &S3I(s)->hs_tls13.x25519_peer_public,
                   &out_len))
                       goto err;
-
-               ret = 1;
       }

-       return ret;
+       return 1;

 err:
       *alert = SSL_AD_DECODE_ERROR;

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.