src.patch

--- /usr/include/openssl/ssl3.h	2012-06-13 16:37:55.000000000 +0800
+++ /usr/src/crypto/openssl/ssl/ssl3.h	2012-06-02 03:16:30.000000000 +0800
@@ -333,6 +333,17 @@
 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED	0x0002
 #define SSL3_FLAGS_POP_BUFFER			0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+ 
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE		0x0040
 
 typedef struct ssl3_state_st
 	{
--- /usr/include/openssl/ssl.h	2012-06-13 20:03:54.000000000 +0800
+++ /usr/src/crypto/openssl/ssl/ssl.h	2012-06-02 03:16:30.000000000 +0800
@@ -1739,6 +1739,7 @@
 #define SSL_F_SSL3_CALLBACK_CTRL			 233
 #define SSL_F_SSL3_CHANGE_CIPHER_STATE			 129
 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM		 130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO			 292
 #define SSL_F_SSL3_CLIENT_HELLO				 131
 #define SSL_F_SSL3_CONNECT				 132
 #define SSL_F_SSL3_CTRL					 213
@@ -1974,6 +1975,7 @@
 #define SSL_R_MISSING_TMP_RSA_KEY			 172
 #define SSL_R_MISSING_TMP_RSA_PKEY			 173
 #define SSL_R_MISSING_VERIFY_MESSAGE			 174
+#define SSL_R_MULTIPLE_SGC_RESTARTS			 325
 #define SSL_R_NON_SSLV2_INITIAL_PACKET			 175
 #define SSL_R_NO_CERTIFICATES_RETURNED			 176
 #define SSL_R_NO_CERTIFICATE_ASSIGNED			 177
--- /usr/src/sbin/hastd/pjdlog.c	2012-06-13 20:19:32.000000000 +0800
+++ pjdlog2.c	2012-06-13 20:22:03.000000000 +0800
@@ -39,8 +39,8 @@
 #include <assert.h>
 #include <errno.h>
 #include <libutil.h>
-#include <printf.h>
 #include <stdarg.h>
+#include <printf.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>