From def41b4064422a35f02e2e581781117fda4e6052 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 30 Apr 2017 00:06:09 +0000
Subject: MFC. Fix a bug caused by the return value being set early to signal successful DTLS cookie validation. This can mask a later failure and result in a positive return value being returned from ssl3_get_client_hello(), when it should return a negative value to propagate the error. ok beck@
---
 src/lib/libssl/src/ssl/s3_srvr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index e7be71cefb..e4f85bbad2 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.126.2.1 2016/10/03 11:23:13 bcook Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.126.2.2 2017/04/30 00:06:09 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -721,7 +721,7 @@ ssl3_send_hello_request(SSL *s)
 int
 ssl3_get_client_hello(SSL *s)
 {
- int i, j, ok, al, ret = -1;
+ int i, j, ok, al, ret = -1, cookie_valid = 0;
 unsigned int cookie_len;
 long n;
 unsigned long id;
@@ -887,7 +887,7 @@ ssl3_get_client_hello(SSL *s)
 goto f_err;
 }
- ret = 2;
+ cookie_valid = 1;
 }
 p += cookie_len;
@@ -1070,8 +1070,8 @@ ssl3_get_client_hello(SSL *s)
 goto err;
 }
- if (ret < 0)
- ret = 1;
+ ret = cookie_valid ? 2 : 1;
+
 if (0) {
 truncated:
 al = SSL_AD_DECODE_ERROR;
--
cgit v1.2.3-55-g6feb
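Review bot: Nothing at `cookie_valid = 1;` (hunk at -887) says why the result is recorded in a flag instead of being written to `ret`, so a later cleanup could easily fold it back into an early `ret = 2;` and reintroduce the masked-failure bug the commit message describes. A short why-comment on that line would guard against this, for example `/* Record only: ret must stay negative until the whole ClientHello has been processed. */`. The enclosing cookie-verification block starts above the hunk, so the exact condition under which this line runs is not visible here.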
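Review bot: The literals in `ret = cookie_valid ? 2 : 1;` (hunk at -1070) are undocumented magic return codes. The commit message says the early value signalled successful DTLS cookie validation, but the code itself gives no hint that 2 differs from ordinary success or that callers presumably have to tell the two apart. I would add a comment directly above the assignment, such as `/* 2: DTLS cookie validated, 1: ordinary success; every error path must leave ret negative. */`. The function continues past the hunk, so this assumes the `err`/`f_err` paths return `ret` unchanged from its `-1` initialiser.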