From b61b6f46711cf71d9da65c3508277c3dc74c08a7 Mon Sep 17 00:00:00 2001
From: doug
Date: Thu, 18 Jun 2015 22:51:05 +0000
Subject: [PATCH] Remove Microsoft Server Gated Crypto.

Another relic due to the old US crypto policy.

From OpenSSL commit 63eab8a620944a990ab3985620966ccd9f48d681 and 95275599399e277e71d064790a1f828a99fc661a.

ok jsing@ miod@
---
 lib/libssl/d1_srvr.c | 23 +++------
 lib/libssl/doc/BIO_f_ssl.3 | 6 +--
 lib/libssl/doc/SSL_accept.3 | 16 ++----
 lib/libssl/doc/SSL_do_handshake.3 | 18 ++-----
 lib/libssl/s3_both.c | 16 +-----
 lib/libssl/s3_srvr.c | 63 +++--------------------
 lib/libssl/src/doc/ssl/BIO_f_ssl.3 | 6 +--
 lib/libssl/src/doc/ssl/SSL_accept.3 | 16 ++----
 lib/libssl/src/doc/ssl/SSL_do_handshake.3 | 18 ++-----
 lib/libssl/src/ssl/d1_srvr.c | 23 +++------
 lib/libssl/src/ssl/s3_both.c | 16 +-----
 lib/libssl/src/ssl/s3_srvr.c | 63 +++--------------------
 lib/libssl/src/ssl/ssl3.h | 13 +----
 lib/libssl/src/ssl/ssl_locl.h | 3 +-
 lib/libssl/ssl3.h | 13 +----
 lib/libssl/ssl_locl.h | 3 +-
 16 files changed, 52 insertions(+), 264 deletions(-)

diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index f3972ae9d07..698292f33fc 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.54 2015/06/18 22:30:47 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.55 2015/06/18 22:51:05 doug Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -468,22 +468,13 @@ dtls1_accept(SSL *s)
 
 case SSL3_ST_SR_CERT_A:
 case SSL3_ST_SR_CERT_B:
- /* Check for second client hello (MS SGC) */
- ret = ssl3_check_client_hello(s);
- if (ret <= 0)
- goto end;
- if (ret == 2) {
- dtls1_stop_timer(s);
- s->state = SSL3_ST_SR_CLNT_HELLO_C;
- } else {
- if (s->s3->tmp.cert_request) {
- ret = ssl3_get_client_certificate(s);
- if (ret <= 0)
- goto end;
- }
- s->init_num = 0;
- s->state = SSL3_ST_SR_KEY_EXCH_A;
+ if (s->s3->tmp.cert_request) {
+ ret = ssl3_get_client_certificate(s);
+ if (ret <= 0)
+ goto end;
 }
+ s->init_num = 0;
+ s->state = SSL3_ST_SR_KEY_EXCH_A;
 break;
 
 case SSL3_ST_SR_KEY_EXCH_A:
diff --git a/lib/libssl/doc/BIO_f_ssl.3 b/lib/libssl/doc/BIO_f_ssl.3
index 851e4f08ca4..876018a8399 100644
--- a/lib/libssl/doc/BIO_f_ssl.3
+++ b/lib/libssl/doc/BIO_f_ssl.3
@@ -1,7 +1,7 @@
 .\"
-.\" $OpenBSD: BIO_f_ssl.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\" $OpenBSD: BIO_f_ssl.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -240,7 +240,7 @@ still request a retry in exceptional circumstances.
 Specifically this will happen if a session renegotiation takes place during a
 .Xr BIO_read 3
 operation.
-One case where this happens is when SGC or step up occurs.
+One case where this happens is when step up occurs.
 .Pp
 In OpenSSL 0.9.6 and later the SSL flag
 .Dv SSL_AUTO_RETRY
diff --git a/lib/libssl/doc/SSL_accept.3 b/lib/libssl/doc/SSL_accept.3
index 06465d19558..8c7409d04f3 100644
--- a/lib/libssl/doc/SSL_accept.3
+++ b/lib/libssl/doc/SSL_accept.3
@@ -1,7 +1,7 @@
 .\"
-.\" $OpenBSD: SSL_accept.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\" $OpenBSD: SSL_accept.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
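Review bot: With the `ret == 2` branch gone, nothing in this hunk transitions to SSL3_ST_SR_CLNT_HELLO_C any more, so if no other code in dtls1_accept or ssl3_accept sets that state its `case` label (outside the hunk) is now dead and could be dropped in a follow-up, together with SSL_F_SSL3_CHECK_CLIENT_HELLO and SSL_R_MULTIPLE_SGC_RESTARTS, which within this patch appear only in the removed ssl3_check_client_hello and whose defining tables the diffstat shows are not touched. A peer that still sends a second ClientHello in this state is now read by ssl3_get_client_certificate, or by the key-exchange read when no certificate was requested, and is presumably rejected as an unexpected message rather than restarting the handshake; that is a wire-visible behaviour change and deserves one sentence in the commit message. dtls1_accept starts and ends outside this hunk. The same applies to the matching ssl3_accept hunk in s3_srvr.c and to the duplicated copies under lib/libssl/src/ssl/.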
@@ -29,17 +29,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_accept
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_accept
-may return with \(mi1, but
-.Fn SSL_get_error
-will yield
-.Dv SSL_ERROR_WANT_READ/WRITE
-and
-.Fn SSL_accept
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/lib/libssl/doc/SSL_do_handshake.3 b/lib/libssl/doc/SSL_do_handshake.3
index cc29df25837..78a37b08c94 100644
--- a/lib/libssl/doc/SSL_do_handshake.3
+++ b/lib/libssl/doc/SSL_do_handshake.3
@@ -1,7 +1,7 @@
 .\"
-.\" $OpenBSD: SSL_do_handshake.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\" $OpenBSD: SSL_do_handshake.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
@@ -30,19 +30,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_do_handshake
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_do_handshake
-may return with \(mi1, but
-.Xr SSL_get_error 3
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-and
-.Fn SSL_do_handshake
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/lib/libssl/s3_both.c b/lib/libssl/s3_both.c
index 633bf5bb7b9..d9484d77d86 100644
--- a/lib/libssl/s3_both.c
+++ b/lib/libssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.38 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.39 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -450,20 +450,6 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
 goto f_err;
 }
- if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
- (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) {
- /* At this point we have got an MS SGC second client
- * hello (maybe we should always allow the client to
- * start a new handshake?). We need to restart the mac.
- * Don't increment {num,total}_renegotiations because
- * we have not completed the handshake. */
- if (!ssl3_init_finished_mac(s)) {
- SSLerr(SSL_F_SSL3_GET_MESSAGE,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
- }
-
 s->s3->tmp.message_type= *(p++);
 
 n2l3(p, l);
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 867e796529c..c595fa31cc1 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.107 2015/06/17 07:29:33 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -273,7 +273,6 @@ ssl3_accept(SSL *s)
 }
 s->init_num = 0;
- s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 if (s->state != SSL_ST_RENEGOTIATE) {
 /*
@@ -487,21 +486,13 @@ ssl3_accept(SSL *s)
 
 case SSL3_ST_SR_CERT_A:
 case SSL3_ST_SR_CERT_B:
- /* Check for second client hello (MS SGC) */
- ret = ssl3_check_client_hello(s);
- if (ret <= 0)
- goto end;
- if (ret == 2)
- s->state = SSL3_ST_SR_CLNT_HELLO_C;
- else {
- if (s->s3->tmp.cert_request) {
- ret = ssl3_get_client_certificate(s);
- if (ret <= 0)
- goto end;
- }
- s->init_num = 0;
- s->state = SSL3_ST_SR_KEY_EXCH_A;
+ if (s->s3->tmp.cert_request) {
+ ret = ssl3_get_client_certificate(s);
+ if (ret <= 0)
+ goto end;
 }
+ s->init_num = 0;
+ s->state = SSL3_ST_SR_KEY_EXCH_A;
 break;
 
 case SSL3_ST_SR_KEY_EXCH_A:
@@ -764,46 +755,6 @@ ssl3_send_hello_request(SSL *s)
 return (ssl3_handshake_write(s));
 }
 
-int
-ssl3_check_client_hello(SSL *s)
-{
- int ok;
- long n;
-
- /*
- * This function is called when we really expect a Certificate message,
- * so permit appropriate message length
- */
- n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
- SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
- if (!ok)
- return ((int)n);
- s->s3->tmp.reuse_message = 1;
- if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
- /*
- * We only allow the client to restart the handshake once per
- * negotiation.
- */
- if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
- SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
- SSL_R_MULTIPLE_SGC_RESTARTS);
- return (-1);
- }
- /*
- * Throw away what we have done so far in the current handshake,
- * which will now be aborted. (A full SSL_clear would be too
- * much.)
- */
- DH_free(s->s3->tmp.dh);
- s->s3->tmp.dh = NULL;
- EC_KEY_free(s->s3->tmp.ecdh);
- s->s3->tmp.ecdh = NULL;
- s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
- return (2);
- }
- return (1);
-}
-
 int
 ssl3_get_client_hello(SSL *s)
 {
diff --git a/lib/libssl/src/doc/ssl/BIO_f_ssl.3 b/lib/libssl/src/doc/ssl/BIO_f_ssl.3
index 851e4f08ca4..876018a8399 100644
--- a/lib/libssl/src/doc/ssl/BIO_f_ssl.3
+++ b/lib/libssl/src/doc/ssl/BIO_f_ssl.3
@@ -1,7 +1,7 @@
 .\"
-.\" $OpenBSD: BIO_f_ssl.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\" $OpenBSD: BIO_f_ssl.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -240,7 +240,7 @@ still request a retry in exceptional circumstances.
 Specifically this will happen if a session renegotiation takes place during a
 .Xr BIO_read 3
 operation.
-One case where this happens is when SGC or step up occurs.
+One case where this happens is when step up occurs.
 .Pp
 In OpenSSL 0.9.6 and later the SSL flag
 .Dv SSL_AUTO_RETRY
diff --git a/lib/libssl/src/doc/ssl/SSL_accept.3 b/lib/libssl/src/doc/ssl/SSL_accept.3
index 06465d19558..8c7409d04f3 100644
--- a/lib/libssl/src/doc/ssl/SSL_accept.3
+++ b/lib/libssl/src/doc/ssl/SSL_accept.3
@@ -1,7 +1,7 @@
 .\"
-.\" $OpenBSD: SSL_accept.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\" $OpenBSD: SSL_accept.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
@@ -29,17 +29,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_accept
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_accept
-may return with \(mi1, but
-.Fn SSL_get_error
-will yield
-.Dv SSL_ERROR_WANT_READ/WRITE
-and
-.Fn SSL_accept
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/lib/libssl/src/doc/ssl/SSL_do_handshake.3 b/lib/libssl/src/doc/ssl/SSL_do_handshake.3
index cc29df25837..78a37b08c94 100644
--- a/lib/libssl/src/doc/ssl/SSL_do_handshake.3
+++ b/lib/libssl/src/doc/ssl/SSL_do_handshake.3
@@ -1,7 +1,7 @@
 .\"
-.\" $OpenBSD: SSL_do_handshake.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
+.\" $OpenBSD: SSL_do_handshake.3,v 1.3 2015/06/18 22:51:05 doug Exp $
 .\"
-.Dd $Mdocdate: December 2 2014 $
+.Dd $Mdocdate: June 18 2015 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
@@ -30,19 +30,7 @@ If the underlying
 is
 .Em blocking ,
 .Fn SSL_do_handshake
-will only return once the handshake has been finished or an error occurred,
-except for SGC (Server Gated Cryptography).
-For SGC,
-.Fn SSL_do_handshake
-may return with \(mi1, but
-.Xr SSL_get_error 3
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-and
-.Fn SSL_do_handshake
-should be called again.
+will only return once the handshake has been finished or an error occurred.
 .Pp
 If the underlying
 .Vt BIO
diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c
index f3972ae9d07..698292f33fc 100644
--- a/lib/libssl/src/ssl/d1_srvr.c
+++ b/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.54 2015/06/18 22:30:47 doug Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.55 2015/06/18 22:51:05 doug Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -468,22 +468,13 @@ dtls1_accept(SSL *s)
 
 case SSL3_ST_SR_CERT_A:
 case SSL3_ST_SR_CERT_B:
- /* Check for second client hello (MS SGC) */
- ret = ssl3_check_client_hello(s);
- if (ret <= 0)
- goto end;
- if (ret == 2) {
- dtls1_stop_timer(s);
- s->state = SSL3_ST_SR_CLNT_HELLO_C;
- } else {
- if (s->s3->tmp.cert_request) {
- ret = ssl3_get_client_certificate(s);
- if (ret <= 0)
- goto end;
- }
- s->init_num = 0;
- s->state = SSL3_ST_SR_KEY_EXCH_A;
+ if (s->s3->tmp.cert_request) {
+ ret = ssl3_get_client_certificate(s);
+ if (ret <= 0)
+ goto end;
 }
+ s->init_num = 0;
+ s->state = SSL3_ST_SR_KEY_EXCH_A;
 break;
 
 case SSL3_ST_SR_KEY_EXCH_A:
diff --git a/lib/libssl/src/ssl/s3_both.c b/lib/libssl/src/ssl/s3_both.c
index 633bf5bb7b9..d9484d77d86 100644
--- a/lib/libssl/src/ssl/s3_both.c
+++ b/lib/libssl/src/ssl/s3_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_both.c,v 1.38 2015/03/27 12:29:54 jsing Exp $ */
+/* $OpenBSD: s3_both.c,v 1.39 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -450,20 +450,6 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
 goto f_err;
 }
- if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
- (st1 == SSL3_ST_SR_CERT_A) && (stn == SSL3_ST_SR_CERT_B)) {
- /* At this point we have got an MS SGC second client
- * hello (maybe we should always allow the client to
- * start a new handshake?). We need to restart the mac.
- * Don't increment {num,total}_renegotiations because
- * we have not completed the handshake. */
- if (!ssl3_init_finished_mac(s)) {
- SSLerr(SSL_F_SSL3_GET_MESSAGE,
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
- }
-
 s->s3->tmp.message_type= *(p++);
 
 n2l3(p, l);
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 867e796529c..c595fa31cc1 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.107 2015/06/17 07:29:33 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -273,7 +273,6 @@ ssl3_accept(SSL *s)
 }
 s->init_num = 0;
- s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 if (s->state != SSL_ST_RENEGOTIATE) {
 /*
@@ -487,21 +486,13 @@ ssl3_accept(SSL *s)
 
 case SSL3_ST_SR_CERT_A:
 case SSL3_ST_SR_CERT_B:
- /* Check for second client hello (MS SGC) */
- ret = ssl3_check_client_hello(s);
- if (ret <= 0)
- goto end;
- if (ret == 2)
- s->state = SSL3_ST_SR_CLNT_HELLO_C;
- else {
- if (s->s3->tmp.cert_request) {
- ret = ssl3_get_client_certificate(s);
- if (ret <= 0)
- goto end;
- }
- s->init_num = 0;
- s->state = SSL3_ST_SR_KEY_EXCH_A;
+ if (s->s3->tmp.cert_request) {
+ ret = ssl3_get_client_certificate(s);
+ if (ret <= 0)
+ goto end;
 }
+ s->init_num = 0;
+ s->state = SSL3_ST_SR_KEY_EXCH_A;
 break;
 
 case SSL3_ST_SR_KEY_EXCH_A:
@@ -764,46 +755,6 @@ ssl3_send_hello_request(SSL *s)
 return (ssl3_handshake_write(s));
 }
 
-int
-ssl3_check_client_hello(SSL *s)
-{
- int ok;
- long n;
-
- /*
- * This function is called when we really expect a Certificate message,
- * so permit appropriate message length
- */
- n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A,
- SSL3_ST_SR_CERT_B, -1, s->max_cert_list, &ok);
- if (!ok)
- return ((int)n);
- s->s3->tmp.reuse_message = 1;
- if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) {
- /*
- * We only allow the client to restart the handshake once per
- * negotiation.
- */
- if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE) {
- SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO,
- SSL_R_MULTIPLE_SGC_RESTARTS);
- return (-1);
- }
- /*
- * Throw away what we have done so far in the current handshake,
- * which will now be aborted. (A full SSL_clear would be too
- * much.)
- */
- DH_free(s->s3->tmp.dh);
- s->s3->tmp.dh = NULL;
- EC_KEY_free(s->s3->tmp.ecdh);
- s->s3->tmp.ecdh = NULL;
- s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
- return (2);
- }
- return (1);
-}
-
 int
 ssl3_get_client_hello(SSL *s)
 {
diff --git a/lib/libssl/src/ssl/ssl3.h b/lib/libssl/src/ssl/ssl3.h
index 61f600c55d0..265d18810e4 100644
--- a/lib/libssl/src/ssl/ssl3.h
+++ b/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.37 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -356,17 +356,6 @@ typedef struct ssl3_buffer_st {
 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
 #define SSL3_FLAGS_CCS_OK 0x0080
 
-/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
- * from restarting the handshake in a loop. It's reset on a
- * renegotiation, so effectively limits the client to one restart
- * per negotiation. This limits the possibility of a DDoS
- * attack where the client handshakes in a loop using SGC to
- * restart. Servers which permit renegotiation can still be
- * effected, but we can't prevent that.
- */
-#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
-
 #ifndef OPENSSL_NO_SSL_INTERN
 typedef struct ssl3_state_st {
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 7b3ecdf6654..794769b79cc 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.90 2015/04/15 16:25:43 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.91 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -741,7 +741,6 @@ int ssl3_send_hello_request(SSL *s);
 int ssl3_send_server_key_exchange(SSL *s);
 int ssl3_send_certificate_request(SSL *s);
 int ssl3_send_server_done(SSL *s);
-int ssl3_check_client_hello(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
diff --git a/lib/libssl/ssl3.h b/lib/libssl/ssl3.h
index 61f600c55d0..265d18810e4 100644
--- a/lib/libssl/ssl3.h
+++ b/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.37 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -356,17 +356,6 @@ typedef struct ssl3_buffer_st {
 #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
 #define SSL3_FLAGS_CCS_OK 0x0080
 
-/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
- * from restarting the handshake in a loop. It's reset on a
- * renegotiation, so effectively limits the client to one restart
- * per negotiation. This limits the possibility of a DDoS
- * attack where the client handshakes in a loop using SGC to
- * restart. Servers which permit renegotiation can still be
- * effected, but we can't prevent that.
- */
-#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
-
 #ifndef OPENSSL_NO_SSL_INTERN
 typedef struct ssl3_state_st {
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 7b3ecdf6654..794769b79cc 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.90 2015/04/15 16:25:43 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.91 2015/06/18 22:51:05 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -741,7 +741,6 @@ int ssl3_send_hello_request(SSL *s);
 int ssl3_send_server_key_exchange(SSL *s);
 int ssl3_send_certificate_request(SSL *s);
 int ssl3_send_server_done(SSL *s);
-int ssl3_check_client_hello(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
--
2.20.1