Remove Microsoft Server Gated Crypto.

Another relic due to the old US crypto policy.

From OpenSSL commit 63eab8a620944a990ab3985620966ccd9f48d681 and
95275599399e277e71d064790a1f828a99fc661a.

ok jsing@ miod@

16 files changed, 52 insertions, 264 deletions

diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index f3972ae9d0..698292f33f 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.54 2015/06/18 22:30:47 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.55 2015/06/18 22:51:05 doug Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -468,22 +468,13 @@ dtls1_accept(SSL *s)
 
                 case SSL3_ST_SR_CERT_A:
                 case SSL3_ST_SR_CERT_B:
-                        /* Check for second client hello (MS SGC) */
-                        ret = ssl3_check_client_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        if (ret == 2) {
-                                dtls1_stop_timer(s);
-                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-                        } else {
-                                if (s->s3->tmp.cert_request) {
-                                        ret = ssl3_get_client_certificate(s);
-                                        if (ret <= 0)
-                                                goto end;
-                                }
-                                s->init_num = 0;
-                                s->state = SSL3_ST_SR_KEY_EXCH_A;
+                        if (s->s3->tmp.cert_request) {
+                                ret = ssl3_get_client_certificate(s);
+                                if (ret <= 0)
+                                        goto end;
                         }
+                        s->init_num = 0;
+                        s->state = SSL3_ST_SR_KEY_EXCH_A;
                         break;
 
                 case SSL3_ST_SR_KEY_EXCH_A:
diff --git a/src/lib/libssl/doc/BIO_f_ssl.3 b/src/lib/libssl/doc/BIO_f_ssl.3
index 851e4f08ca..876018a839 100644
--- a/src/lib/libssl/doc/BIO_f_ssl.3
+++ b/src/lib/libssl/doc/BIO_f_ssl.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: BIO_f_ssl.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\"     $OpenBSD: BIO_f_ssl.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -240,7 +240,7 @@ still request a retry in exceptional circumstances.
 Specifically this will happen if a session renegotiation takes place during a
 .Xr BIO_read 3
 operation.
-One case where this happens is when SGC or step up occurs.
+One case where this happens is when step up occurs.
 .Pp
 In OpenSSL 0.9.6 and later the SSL flag
 .Dv SSL_AUTO_RETRY
diff --git a/src/lib/libssl/doc/SSL_accept.3 b/src/lib/libssl/doc/SSL_accept.3
index 06465d1955..8c7409d04f 100644
--- a/src/lib/libssl/doc/SSL_accept.3
+++ b/src/lib/libssl/doc/SSL_accept.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: SSL_accept.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\"     $OpenBSD: SSL_accept.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
@@ -29,17 +29,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_accept
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_accept
-may return with \(mi1, but
-.Fn SSL_get_error
-will yield
-.Dv SSL_ERROR_WANT_READ/WRITE
-and
-.Fn SSL_accept
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/src/lib/libssl/doc/SSL_do_handshake.3 b/src/lib/libssl/doc/SSL_do_handshake.3
index cc29df2583..78a37b08c9 100644
--- a/src/lib/libssl/doc/SSL_do_handshake.3
+++ b/src/lib/libssl/doc/SSL_do_handshake.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\"     $OpenBSD: SSL_do_handshake.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
@@ -30,19 +30,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_do_handshake
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_do_handshake
-may return with \(mi1, but
-.Xr SSL_get_error 3
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-and
-.Fn SSL_do_handshake
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 633bf5bb7b..d9484d77d8 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.38 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.39 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -450,20 +450,6 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                         SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
                 }
-                if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
-                    (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) {
-                        /* At this point we have got an MS SGC second client
-                         * hello (maybe we should always allow the client to
-                         * start a new handshake?). We need to restart the mac.
-                         * Don't increment {num,total}_renegotiations because
-                         * we have not completed the handshake. */
-                        if (!ssl3_init_finished_mac(s)) {
-                                SSLerr(SSL_F_SSL3_GET_MESSAGE,
-                                    ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-
                 s->s3->tmp.message_type= *(p++);
 
                 n2l3(p, l);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 867e796529..c595fa31cc 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.107 2015/06/17 07:29:33 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -273,7 +273,6 @@ ssl3_accept(SSL *s)
                         }
 
                         s->init_num = 0;
-                        s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
                         if (s->state != SSL_ST_RENEGOTIATE) {
                                 /*
@@ -487,21 +486,13 @@ ssl3_accept(SSL *s)
 
                 case SSL3_ST_SR_CERT_A:
                 case SSL3_ST_SR_CERT_B:
-                        /* Check for second client hello (MS SGC) */
-                        ret = ssl3_check_client_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        if (ret == 2)
-                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-                        else {
-                                if (s->s3->tmp.cert_request) {
-                                        ret = ssl3_get_client_certificate(s);
-                                        if (ret <= 0)
-                                                goto end;
-                                }
-                                s->init_num = 0;
-                                s->state = SSL3_ST_SR_KEY_EXCH_A;
+                        if (s->s3->tmp.cert_request) {
+                                ret = ssl3_get_client_certificate(s);
+                                if (ret <= 0)
+                                        goto end;
                         }
+                        s->init_num = 0;
+                        s->state = SSL3_ST_SR_KEY_EXCH_A;
                         break;
 
                 case SSL3_ST_SR_KEY_EXCH_A:
@@ -765,46 +756,6 @@ ssl3_send_hello_request(SSL *s)
 }
 
 int
-ssl3_check_client_hello(SSL *s)
-{
-        int ok;
-        long n;
-
-        /*
-         * This function is called when we really expect a Certificate message,
-         * so permit appropriate message length
-         */
-        n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
-            SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
-        if (!ok)
-                return ((int)n);
-        s->s3->tmp.reuse_message = 1;
-        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
-                /*
-                 * We only allow the client to restart the handshake once per
-                 * negotiation.
-                 */
-                if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
-                        SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
-                            SSL_R_MULTIPLE_SGC_RESTARTS);
-                        return (-1);
-                }
-                /*
-                 * Throw away what we have done so far in the current handshake,
-                 * which will now be aborted. (A full SSL_clear would be too
-                 * much.)
-                 */
-                DH_free(s->s3->tmp.dh);
-                s->s3->tmp.dh = NULL;
-                EC_KEY_free(s->s3->tmp.ecdh);
-                s->s3->tmp.ecdh = NULL;
-                s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
-                return (2);
-        }
-        return (1);
-}
-
-int
 ssl3_get_client_hello(SSL *s)
 {
         int i, j, ok, al, ret = -1;
diff --git a/src/lib/libssl/src/doc/ssl/BIO_f_ssl.3 b/src/lib/libssl/src/doc/ssl/BIO_f_ssl.3
index 851e4f08ca..876018a839 100644
--- a/src/lib/libssl/src/doc/ssl/BIO_f_ssl.3
+++ b/src/lib/libssl/src/doc/ssl/BIO_f_ssl.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: BIO_f_ssl.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\"     $OpenBSD: BIO_f_ssl.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -240,7 +240,7 @@ still request a retry in exceptional circumstances.
 Specifically this will happen if a session renegotiation takes place during a
 .Xr BIO_read 3
 operation.
-One case where this happens is when SGC or step up occurs.
+One case where this happens is when step up occurs.
 .Pp
 In OpenSSL 0.9.6 and later the SSL flag
 .Dv SSL_AUTO_RETRY
diff --git a/src/lib/libssl/src/doc/ssl/SSL_accept.3 b/src/lib/libssl/src/doc/ssl/SSL_accept.3
index 06465d1955..8c7409d04f 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_accept.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_accept.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: SSL_accept.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\"     $OpenBSD: SSL_accept.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
@@ -29,17 +29,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_accept
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_accept
-may return with \(mi1, but
-.Fn SSL_get_error
-will yield
-.Dv SSL_ERROR_WANT_READ/WRITE
-and
-.Fn SSL_accept
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/src/lib/libssl/src/doc/ssl/SSL_do_handshake.3 b/src/lib/libssl/src/doc/ssl/SSL_do_handshake.3
index cc29df2583..78a37b08c9 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_do_handshake.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_do_handshake.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\"     $OpenBSD: SSL_do_handshake.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
@@ -30,19 +30,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_do_handshake
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_do_handshake
-may return with \(mi1, but
-.Xr SSL_get_error 3
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-and
-.Fn SSL_do_handshake
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index f3972ae9d0..698292f33f 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.54 2015/06/18 22:30:47 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.55 2015/06/18 22:51:05 doug Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -468,22 +468,13 @@ dtls1_accept(SSL *s)
 
                 case SSL3_ST_SR_CERT_A:
                 case SSL3_ST_SR_CERT_B:
-                        /* Check for second client hello (MS SGC) */
-                        ret = ssl3_check_client_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        if (ret == 2) {
-                                dtls1_stop_timer(s);
-                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-                        } else {
-                                if (s->s3->tmp.cert_request) {
-                                        ret = ssl3_get_client_certificate(s);
-                                        if (ret <= 0)
-                                                goto end;
-                                }
-                                s->init_num = 0;
-                                s->state = SSL3_ST_SR_KEY_EXCH_A;
+                        if (s->s3->tmp.cert_request) {
+                                ret = ssl3_get_client_certificate(s);
+                                if (ret <= 0)
+                                        goto end;
                         }
+                        s->init_num = 0;
+                        s->state = SSL3_ST_SR_KEY_EXCH_A;
                         break;
 
                 case SSL3_ST_SR_KEY_EXCH_A:
diff --git a/src/lib/libssl/src/ssl/s3_both.c b/src/lib/libssl/src/ssl/s3_both.c
index 633bf5bb7b..d9484d77d8 100644
--- a/src/lib/libssl/src/ssl/s3_both.c
+++ b/src/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.38 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.39 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -450,20 +450,6 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                         SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
                         goto f_err;
                 }
-                if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
-                    (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) {
-                        /* At this point we have got an MS SGC second client
-                         * hello (maybe we should always allow the client to
-                         * start a new handshake?). We need to restart the mac.
-                         * Don't increment {num,total}_renegotiations because
-                         * we have not completed the handshake. */
-                        if (!ssl3_init_finished_mac(s)) {
-                                SSLerr(SSL_F_SSL3_GET_MESSAGE,
-                                    ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-
                 s->s3->tmp.message_type= *(p++);
 
                 n2l3(p, l);
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 867e796529..c595fa31cc 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.107 2015/06/17 07:29:33 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -273,7 +273,6 @@ ssl3_accept(SSL *s)
                         }
 
                         s->init_num = 0;
-                        s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
                         if (s->state != SSL_ST_RENEGOTIATE) {
                                 /*
@@ -487,21 +486,13 @@ ssl3_accept(SSL *s)
 
                 case SSL3_ST_SR_CERT_A:
                 case SSL3_ST_SR_CERT_B:
-                        /* Check for second client hello (MS SGC) */
-                        ret = ssl3_check_client_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        if (ret == 2)
-                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-                        else {
-                                if (s->s3->tmp.cert_request) {
-                                        ret = ssl3_get_client_certificate(s);
-                                        if (ret <= 0)
-                                                goto end;
-                                }
-                                s->init_num = 0;
-                                s->state = SSL3_ST_SR_KEY_EXCH_A;
+                        if (s->s3->tmp.cert_request) {
+                                ret = ssl3_get_client_certificate(s);
+                                if (ret <= 0)
+                                        goto end;
                         }
+                        s->init_num = 0;
+                        s->state = SSL3_ST_SR_KEY_EXCH_A;
                         break;
 
                 case SSL3_ST_SR_KEY_EXCH_A:
@@ -765,46 +756,6 @@ ssl3_send_hello_request(SSL *s)
 }
 
 int
-ssl3_check_client_hello(SSL *s)
-{
-        int ok;
-        long n;
-
-        /*
-         * This function is called when we really expect a Certificate message,
-         * so permit appropriate message length
-         */
-        n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
-            SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
-        if (!ok)
-                return ((int)n);
-        s->s3->tmp.reuse_message = 1;
-        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
-                /*
-                 * We only allow the client to restart the handshake once per
-                 * negotiation.
-                 */
-                if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
-                        SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
-                            SSL_R_MULTIPLE_SGC_RESTARTS);
-                        return (-1);
-                }
-                /*
-                 * Throw away what we have done so far in the current handshake,
-                 * which will now be aborted. (A full SSL_clear would be too
-                 * much.)
-                 */
-                DH_free(s->s3->tmp.dh);
-                s->s3->tmp.dh = NULL;
-                EC_KEY_free(s->s3->tmp.ecdh);
-                s->s3->tmp.ecdh = NULL;
-                s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
-                return (2);
-        }
-        return (1);
-}
-
-int
 ssl3_get_client_hello(SSL *s)
 {
         int i, j, ok, al, ret = -1;
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 61f600c55d..265d18810e 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.37 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -356,17 +356,6 @@ typedef struct ssl3_buffer_st {
 #define TLS1_FLAGS_KEEP_HANDSHAKE               0x0020
 #define SSL3_FLAGS_CCS_OK                       0x0080
 
-/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
- * from restarting the handshake in a loop. It's reset on a
- * renegotiation, so effectively limits the client to one restart
- * per negotiation. This limits the possibility of a DDoS
- * attack where the client handshakes in a loop using SGC to
- * restart. Servers which permit renegotiation can still be
- * effected, but we can't prevent that.
- */
-#define SSL3_FLAGS_SGC_RESTART_DONE             0x0040
-
 #ifndef OPENSSL_NO_SSL_INTERN
 
 typedef struct ssl3_state_st {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 7b3ecdf665..794769b79c 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.90 2015/04/15 16:25:43 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.91 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -741,7 +741,6 @@ int ssl3_send_hello_request(SSL *s);
 int ssl3_send_server_key_exchange(SSL *s);
 int ssl3_send_certificate_request(SSL *s);
 int ssl3_send_server_done(SSL *s);
-int ssl3_check_client_hello(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 61f600c55d..265d18810e 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.37 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -356,17 +356,6 @@ typedef struct ssl3_buffer_st {
 #define TLS1_FLAGS_KEEP_HANDSHAKE               0x0020
 #define SSL3_FLAGS_CCS_OK                       0x0080
 
-/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
- * from restarting the handshake in a loop. It's reset on a
- * renegotiation, so effectively limits the client to one restart
- * per negotiation. This limits the possibility of a DDoS
- * attack where the client handshakes in a loop using SGC to
- * restart. Servers which permit renegotiation can still be
- * effected, but we can't prevent that.
- */
-#define SSL3_FLAGS_SGC_RESTART_DONE             0x0040
-
 #ifndef OPENSSL_NO_SSL_INTERN
 
 typedef struct ssl3_state_st {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 7b3ecdf665..794769b79c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.90 2015/04/15 16:25:43 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.91 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -741,7 +741,6 @@ int ssl3_send_hello_request(SSL *s);
 int ssl3_send_server_key_exchange(SSL *s);
 int ssl3_send_certificate_request(SSL *s);
 int ssl3_send_server_done(SSL *s);
-int ssl3_check_client_hello(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);