by 0xcde4c3db 3392 days ago
Okay, thanks for the clarification. I guess my main point of confusion is why it would work (edit: that is, why an OpenBSD client would be able to connect pre-patch), but I guess if there's no actual state machine that makes it possible for an attacker to "skip to the end"?

Exactly, since there is no state machine, an attacker can immediately send the last message. The client will try to check the integrity of this message. But it will use an uninitialized all-zero key to do this! So an attacker can spoof the last message. And once the client receives this message, it will accept all traffic.
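A toy model of the flaw described in the reply above, added here as an illustration (not code from either commenter or from any real supplicant): the vulnerable client checks message 3's MIC against whatever key it currently holds, which is all zeros before message 1 arrives, while the hardened client only accepts message 3 after message 1 has installed a key. The HMAC-based key derivation and MIC are simplified stand-ins, not the real 802.11 PRF, and the PMK and nonces are constructed sample values.

```python
import hashlib
import hmac
import os

PMK = hashlib.sha256(b"constructed-passphrase").digest()  # constructed sample PMK
ZERO_KEY = bytes(32)                                      # the "uninitialized" key

def derive_kck(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Simplified stand-in for PTK/KCK derivation (assumption, not 802.11's PRF)
    return hmac.new(pmk, anonce + snonce, hashlib.sha256).digest()

def mic(key: bytes, body: bytes) -> bytes:
    # Stand-in for the EAPOL-Key MIC
    return hmac.new(key, body, hashlib.sha256).digest()

class Client:
    def __init__(self, enforce_state: bool):
        self.enforce_state = enforce_state
        self.state = "IDLE"
        self.kck = ZERO_KEY            # no key installed yet: all zeros
        self.snonce = os.urandom(32)
        self.accepts_traffic = False

    def on_msg1(self, anonce: bytes) -> None:
        self.kck = derive_kck(PMK, anonce, self.snonce)
        self.state = "GOT_MSG1"

    def on_msg3(self, body: bytes, tag: bytes) -> bool:
        # Hardened client: message 3 is only meaningful after message 1 installed a key
        if self.enforce_state and self.state != "GOT_MSG1":
            return False
        # Vulnerable client: verifies against whatever key is held (zeros if no msg1)
        if not hmac.compare_digest(mic(self.kck, body), tag):
            return False
        self.accepts_traffic = True
        return True

MSG3_BODY = b"EAPOL-Key message 3 (constructed)"

def run_spoofed(enforce_state: bool) -> bool:
    # A spoofed message 3 sent first, with a MIC computed under the all-zero key
    c = Client(enforce_state)
    return c.on_msg3(MSG3_BODY, mic(ZERO_KEY, MSG3_BODY))

def run_legit(enforce_state: bool) -> bool:
    # The normal ordering: message 1 installs a key, then message 3 verifies under it
    c = Client(enforce_state)
    anonce = os.urandom(32)
    c.on_msg1(anonce)
    return c.on_msg3(MSG3_BODY, mic(derive_kck(PMK, anonce, c.snonce), MSG3_BODY))
```

Without the state check the spoofed message passes the integrity check; with it, the out-of-order message is rejected while the legitimate handshake still completes.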