add missing part for SGC restart fix (CVE-2011-4619)

2012-01-04 16:46:10 +00:00 · 2012-01-04 16:46:10 +00:00 · 63819e6f00
commit 63819e6f00
parent 8206dba75c
1 changed files with 11 additions and 0 deletions
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@ -380,6 +380,17 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE		0x0040
+
 typedef struct ssl3_state_st
 	{
 	long flags;