OpenSSL 1.0.0f: merge

author: djm <> 2012-01-05 23:01:39 +0000
committer: djm <> 2012-01-05 23:01:39 +0000
commit: 1323613b1aa20bc25bc1ca71f1926d7e11788b87 (patch)
tree: 866512933d8f0c1ea5465d0169915b36c1ca3cae /src/lib/libssl/ssl3.h
parent: 01b1f5ed381fe1d6d9a28e1b11285d194d167080 (diff)
download: openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.tar.gz
openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.tar.bz2
openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index baaa89e717..9c2c41287a 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
 #define SSL3_FLAGS_POP_BUFFER                   0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG              0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY             0x0010
+ 
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE             0x0040
 typedef struct ssl3_state_st
        {
author	djm <>	2012-01-05 23:01:39 +0000
committer	djm <>	2012-01-05 23:01:39 +0000
commit	1323613b1aa20bc25bc1ca71f1926d7e11788b87 (patch)
tree	866512933d8f0c1ea5465d0169915b36c1ca3cae /src/lib/libssl/ssl3.h
parent	01b1f5ed381fe1d6d9a28e1b11285d194d167080 (diff)
download	openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.tar.gz openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.tar.bz2 openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.zip

diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index baaa89e717..9c2c41287a 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
379	#define SSL3_FLAGS_POP_BUFFER 0x0004	379	#define SSL3_FLAGS_POP_BUFFER 0x0004
380	#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008	380	#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
381	#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010	381	#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
		382
		383	/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
		384	* restart a handshake because of MS SGC and so prevents us
		385	* from restarting the handshake in a loop. It's reset on a
		386	* renegotiation, so effectively limits the client to one restart
		387	* per negotiation. This limits the possibility of a DDoS
		388	* attack where the client handshakes in a loop using SGC to
		389	* restart. Servers which permit renegotiation can still be
		390	* effected, but we can't prevent that.
		391	*/
		392	#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
382		393
383	typedef struct ssl3_state_st	394	typedef struct ssl3_state_st
384	{	395	{