[openssl] master update

Richard Levitte levitte at openssl.org
Fri Mar 29 12:52:04 UTC 2019


The branch master has been updated
       via  558ea84743918f7a93bfbfc259f86ad1fa4c8de9 (commit)
      from  d88736df4d19521664ebb125ff66e0d7b085a53c (commit)


- Log -----------------------------------------------------------------
commit 558ea84743918f7a93bfbfc259f86ad1fa4c8de9
Author: Richard Levitte <levitte at openssl.org>
Date:   Tue Nov 15 14:55:40 2016 +0100

    Remove heartbeats completely
    
    Fixes #4856
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1928)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                   |  4 ++++
 Configure                 |  2 --
 NEWS                      |  1 +
 apps/openssl.c            |  3 ---
 apps/s_cb.c               | 17 -----------------
 apps/s_client.c           | 10 +---------
 apps/s_server.c           |  8 --------
 crypto/err/openssl.txt    |  3 ---
 doc/man1/s_client.pod     |  4 ----
 doc/man1/s_server.pod     |  4 ----
 include/openssl/ssl.h     | 10 ----------
 include/openssl/ssl3.h    |  1 -
 include/openssl/sslerr.h  |  3 ---
 include/openssl/tls1.h    | 32 --------------------------------
 ssl/record/rec_layer_s3.c |  6 +++---
 ssl/s3_lib.c              |  7 -------
 ssl/ssl_err.c             |  5 -----
 ssl/t1_trce.c             |  4 ----
 18 files changed, 9 insertions(+), 115 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4ef63b8..5617fab 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,10 @@
 
  Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
 
+  *) Removed the heartbeat message in DTLS feature, as it has very
+     little usage and doesn't seem to fulfill a valuable purpose.
+     [Richard Levitte]
+
   *) Changed the output of 'openssl {digestname} < file' to display the
      digest name in its output.
      [Richard Levitte]
diff --git a/Configure b/Configure
index 5f0ca11..5aaa640 100755
--- a/Configure
+++ b/Configure
@@ -375,7 +375,6 @@ my @disablables = (
     "fuzz-libfuzzer",
     "fuzz-afl",
     "gost",
-    "heartbeats",
     "idea",
     "makedepend",
     "md2",
@@ -456,7 +455,6 @@ our %disabled = ( # "what"         => "comment"
                   "external-tests"      => "default",
                   "fuzz-libfuzzer"      => "default",
                   "fuzz-afl"            => "default",
-                  "heartbeats"          => "default",
                   "md2"                 => "default",
                   "msan"                => "default",
                   "rc5"                 => "default",
diff --git a/NEWS b/NEWS
index c743dbc..3c38c78 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,7 @@
         3.0.0
       o Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
         bridge.
+      o Removed the heartbeat message in DTLS feature.
 
   Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
 
diff --git a/apps/openssl.c b/apps/openssl.c
index 6bb2785..b5ec835 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -923,9 +923,6 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_GOST
     BIO_puts(bio_out, "GOST\n");
 #endif
-#ifdef OPENSSL_NO_HEARTBEATS
-    BIO_puts(bio_out, "HEARTBEATS\n");
-#endif
 #ifdef OPENSSL_NO_IDEA
     BIO_puts(bio_out, "IDEA\n");
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 818266c..935ea90 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -600,22 +600,6 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
         case 23:
             str_content_type = ", ApplicationData";
             break;
-#ifndef OPENSSL_NO_HEARTBEATS
-        case 24:
-            str_details1 = ", Heartbeat";
-
-            if (len > 0) {
-                switch (bp[0]) {
-                case 1:
-                    str_details1 = ", HeartbeatRequest";
-                    break;
-                case 2:
-                    str_details1 = ", HeartbeatResponse";
-                    break;
-                }
-            }
-            break;
-#endif
         }
     }
 
@@ -656,7 +640,6 @@ static STRINT_PAIR tlsext_types[] = {
     {"SRP", TLSEXT_TYPE_srp},
     {"signature algorithms", TLSEXT_TYPE_signature_algorithms},
     {"use SRTP", TLSEXT_TYPE_use_srtp},
-    {"heartbeat", TLSEXT_TYPE_heartbeat},
     {"session ticket", TLSEXT_TYPE_session_ticket},
     {"renegotiation info", TLSEXT_TYPE_renegotiate},
     {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
diff --git a/apps/s_client.c b/apps/s_client.c
index 7a41d83..6d7a83f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3111,15 +3111,7 @@ int s_client_main(int argc, char **argv)
                                cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED
                                               : SSL_KEY_UPDATE_NOT_REQUESTED);
                 cbuf_len = 0;
-            }
-#ifndef OPENSSL_NO_HEARTBEATS
-            else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) {
-                BIO_printf(bio_err, "HEARTBEATING\n");
-                SSL_heartbeat(con);
-                cbuf_len = 0;
-            }
-#endif
-            else {
+            } else {
                 cbuf_len = i;
                 cbuf_off = 0;
 #ifdef CHARSET_EBCDIC
diff --git a/apps/s_server.c b/apps/s_server.c
index fbbfd6c..92d4579 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2507,14 +2507,6 @@ static int sv_body(int s, int stype, int prot, unsigned char *context)
                      */
                     goto err;
                 }
-#ifndef OPENSSL_NO_HEARTBEATS
-                if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
-                    BIO_printf(bio_err, "HEARTBEATING\n");
-                    SSL_heartbeat(con);
-                    i = 0;
-                    continue;
-                }
-#endif
                 if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
                     SSL_renegotiate(con);
                     i = SSL_do_handshake(con);
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index f52beb1..27e1890 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1225,7 +1225,6 @@ SSL_F_DO_DTLS1_WRITE:245:do_dtls1_write
 SSL_F_DO_SSL3_WRITE:104:do_ssl3_write
 SSL_F_DTLS1_BUFFER_RECORD:247:dtls1_buffer_record
 SSL_F_DTLS1_CHECK_TIMEOUT_NUM:318:dtls1_check_timeout_num
-SSL_F_DTLS1_HEARTBEAT:305:*
 SSL_F_DTLS1_HM_FRAGMENT_NEW:623:dtls1_hm_fragment_new
 SSL_F_DTLS1_PREPROCESS_FRAGMENT:288:dtls1_preprocess_fragment
 SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS:424:dtls1_process_buffered_records
@@ -2974,8 +2973,6 @@ SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length
 SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long
 SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch
 SSL_R_STILL_IN_INIT:121:still in init
-SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT:365:peer does not accept heartbeats
-SSL_R_TLS_HEARTBEAT_PENDING:366:heartbeat request already pending
 SSL_R_TLS_ILLEGAL_EXPORTER_LABEL:367:tls illegal exporter label
 SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST:157:tls invalid ecpointformat list
 SSL_R_TOO_MANY_KEY_UPDATES:132:too many key updates
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 03f8b7a..e42a6ba 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -763,10 +763,6 @@ End the current SSL connection and exit.
 
 Renegotiate the SSL session (TLSv1.2 and below only).
 
-=item B<B>
-
-Send a heartbeat message to the server (DTLS only)
-
 =item B<k>
 
 Send a key update message to the server (TLSv1.3 only)
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index 71bb166..d28feb9 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -783,10 +783,6 @@ cause the client to disconnect due to a protocol violation.
 
 Print out some session cache status information.
 
-=item B<B>
-
-Send a heartbeat message to the client (DTLS only)
-
 =item B<k>
 
 Send a key update message to the client (TLSv1.3 only)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 1091b1c..72c9d06 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -618,11 +618,6 @@ unsigned long SSL_set_options(SSL *s, unsigned long op);
 # define SSL_get_secure_renegotiation_support(ssl) \
         SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
 
-# ifndef OPENSSL_NO_HEARTBEATS
-#  define SSL_heartbeat(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT,0,NULL)
-# endif
-
 # define SSL_CTX_set_cert_flags(ctx,op) \
         SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
 # define SSL_set_cert_flags(s,op) \
@@ -1263,11 +1258,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME               79
 # define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH               80
 # define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD               81
-# ifndef OPENSSL_NO_HEARTBEATS
-#  define SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT               85
-#  define SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING        86
-#  define SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS    87
-# endif
 # define DTLS_CTRL_GET_TIMEOUT           73
 # define DTLS_CTRL_HANDLE_TIMEOUT        74
 # define SSL_CTRL_GET_RI_SUPPORT                 76
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index cb0a792..cf0b51d 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -214,7 +214,6 @@ extern "C" {
 # define SSL3_RT_ALERT                   21
 # define SSL3_RT_HANDSHAKE               22
 # define SSL3_RT_APPLICATION_DATA        23
-# define DTLS1_RT_HEARTBEAT              24
 
 /* Pseudo content types to indicate additional parameters */
 # define TLS1_RT_CRYPTO                  0x1000
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 4603ef4..7f776f9 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -47,7 +47,6 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_DO_SSL3_WRITE                              104
 # define SSL_F_DTLS1_BUFFER_RECORD                        247
 # define SSL_F_DTLS1_CHECK_TIMEOUT_NUM                    318
-# define SSL_F_DTLS1_HEARTBEAT                            305
 # define SSL_F_DTLS1_HM_FRAGMENT_NEW                      623
 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
 # define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             424
@@ -720,8 +719,6 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE             1111
 # define SSL_R_TLSV1_UNRECOGNIZED_NAME                    1112
 # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION                1110
-# define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT           365
-# define SSL_R_TLS_HEARTBEAT_PENDING                      366
 # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL                 367
 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             157
 # define SSL_R_TOO_MANY_KEY_UPDATES                       132
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 166f15a..4db2b6a 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -109,9 +109,6 @@ extern "C" {
 /* ExtensionType value from RFC5764 */
 # define TLSEXT_TYPE_use_srtp    14
 
-/* ExtensionType value from RFC5620 */
-# define TLSEXT_TYPE_heartbeat   15
-
 /* ExtensionType value from RFC7301 */
 # define TLSEXT_TYPE_application_layer_protocol_negotiation 16
 
@@ -328,35 +325,6 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
         SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,\
                 (void (*)(void))cb)
 
-# ifndef OPENSSL_NO_HEARTBEATS
-#  define SSL_DTLSEXT_HB_ENABLED                   0x01
-#  define SSL_DTLSEXT_HB_DONT_SEND_REQUESTS        0x02
-#  define SSL_DTLSEXT_HB_DONT_RECV_REQUESTS        0x04
-#  define SSL_get_dtlsext_heartbeat_pending(ssl) \
-        SSL_ctrl(ssl,SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING,0,NULL)
-#  define SSL_set_dtlsext_heartbeat_no_requests(ssl, arg) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
-
-#  if !OPENSSL_API_1_1_0
-#   define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT \
-        SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT
-#   define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING \
-        SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING
-#   define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS \
-        SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS
-#   define SSL_TLSEXT_HB_ENABLED \
-        SSL_DTLSEXT_HB_ENABLED
-#   define SSL_TLSEXT_HB_DONT_SEND_REQUESTS \
-        SSL_DTLSEXT_HB_DONT_SEND_REQUESTS
-#   define SSL_TLSEXT_HB_DONT_RECV_REQUESTS \
-        SSL_DTLSEXT_HB_DONT_RECV_REQUESTS
-#   define SSL_get_tlsext_heartbeat_pending(ssl) \
-        SSL_get_dtlsext_heartbeat_pending(ssl)
-#   define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
-        SSL_set_dtlsext_heartbeat_no_requests(ssl,arg)
-#  endif
-# endif
-
 /* PSK ciphersuites from 4279 */
 # define TLS1_CK_PSK_WITH_RC4_128_SHA                    0x0300008A
 # define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA               0x0300008B
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index feca76e..b212277 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1508,9 +1508,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
         && (s->server || rr->type != SSL3_RT_ALERT)) {
         /*
          * If we've got this far and still haven't decided on what version
-         * we're using then this must be a client side alert we're dealing with
-         * (we don't allow heartbeats yet). We shouldn't be receiving anything
-         * other than a ClientHello if we are a server.
+         * we're using then this must be a client side alert we're dealing
+         * with. We shouldn't be receiving anything other than a ClientHello
+         * if we are a server.
          */
         s->version = rr->rec_version;
         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index a3639fd..330b9e3 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3547,13 +3547,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
         ret = 1;
         break;
 
-#ifndef OPENSSL_NO_HEARTBEATS
-    case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT:
-    case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING:
-    case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS:
-        break;
-#endif
-
     case SSL_CTRL_CHAIN:
         if (larg)
             return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index ceae87b..afe1b58 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -48,7 +48,6 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
      "dtls1_buffer_record"},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, 0),
      "dtls1_check_timeout_num"},
-    {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HEARTBEAT, 0), ""},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HM_FRAGMENT_NEW, 0),
      "dtls1_hm_fragment_new"},
     {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PREPROCESS_FRAGMENT, 0),
@@ -1179,10 +1178,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
     "tlsv1 unrecognized name"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION),
     "tlsv1 unsupported extension"},
-    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),
-    "peer does not accept heartbeats"},
-    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PENDING),
-    "heartbeat request already pending"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),
     "tls illegal exporter label"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 656fefe..9368baf 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -468,7 +468,6 @@ static const ssl_trace_tbl ssl_exts_tbl[] = {
     {TLSEXT_TYPE_srp, "srp"},
     {TLSEXT_TYPE_signature_algorithms, "signature_algorithms"},
     {TLSEXT_TYPE_use_srtp, "use_srtp"},
-    {TLSEXT_TYPE_heartbeat, "tls_heartbeat"},
     {TLSEXT_TYPE_application_layer_protocol_negotiation,
      "application_layer_protocol_negotiation"},
     {TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"},
@@ -783,9 +782,6 @@ static int ssl_print_extension(BIO *bio, int indent, int server,
         }
         break;
 
-    case TLSEXT_TYPE_heartbeat:
-        return 0;
-
     case TLSEXT_TYPE_session_ticket:
         if (extlen != 0)
             ssl_print_hex(bio, indent + 4, "ticket", ext, extlen);


More information about the openssl-commits mailing list