Remove heartbeats completely
Fixes #4856 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1928)
parent
d88736df4d
commit
558ea84743
4
CHANGES
4
CHANGES
|
@ -9,6 +9,10 @@
|
|||
|
||||
Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
|
||||
|
||||
*) Removed the heartbeat message in DTLS feature, as it has very
|
||||
little usage and doesn't seem to fulfill a valuable purpose.
|
||||
[Richard Levitte]
|
||||
|
||||
*) Changed the output of 'openssl {digestname} < file' to display the
|
||||
digest name in its output.
|
||||
[Richard Levitte]
|
||||
|
|
|
@ -375,7 +375,6 @@ my @disablables = (
|
|||
"fuzz-libfuzzer",
|
||||
"fuzz-afl",
|
||||
"gost",
|
||||
"heartbeats",
|
||||
"idea",
|
||||
"makedepend",
|
||||
"md2",
|
||||
|
@ -456,7 +455,6 @@ our %disabled = ( # "what" => "comment"
|
|||
"external-tests" => "default",
|
||||
"fuzz-libfuzzer" => "default",
|
||||
"fuzz-afl" => "default",
|
||||
"heartbeats" => "default",
|
||||
"md2" => "default",
|
||||
"msan" => "default",
|
||||
"rc5" => "default",
|
||||
|
|
1
NEWS
1
NEWS
|
@ -13,6 +13,7 @@
|
|||
3.0.0
|
||||
o Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
|
||||
bridge.
|
||||
o Removed the heartbeat message in DTLS feature.
|
||||
|
||||
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
|
||||
|
||||
|
|
|
@ -923,9 +923,6 @@ static void list_disabled(void)
|
|||
#ifdef OPENSSL_NO_GOST
|
||||
BIO_puts(bio_out, "GOST\n");
|
||||
#endif
|
||||
#ifdef OPENSSL_NO_HEARTBEATS
|
||||
BIO_puts(bio_out, "HEARTBEATS\n");
|
||||
#endif
|
||||
#ifdef OPENSSL_NO_IDEA
|
||||
BIO_puts(bio_out, "IDEA\n");
|
||||
#endif
|
||||
|
|
17
apps/s_cb.c
17
apps/s_cb.c
|
@ -600,22 +600,6 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
|||
case 23:
|
||||
str_content_type = ", ApplicationData";
|
||||
break;
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
case 24:
|
||||
str_details1 = ", Heartbeat";
|
||||
|
||||
if (len > 0) {
|
||||
switch (bp[0]) {
|
||||
case 1:
|
||||
str_details1 = ", HeartbeatRequest";
|
||||
break;
|
||||
case 2:
|
||||
str_details1 = ", HeartbeatResponse";
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -656,7 +640,6 @@ static STRINT_PAIR tlsext_types[] = {
|
|||
{"SRP", TLSEXT_TYPE_srp},
|
||||
{"signature algorithms", TLSEXT_TYPE_signature_algorithms},
|
||||
{"use SRTP", TLSEXT_TYPE_use_srtp},
|
||||
{"heartbeat", TLSEXT_TYPE_heartbeat},
|
||||
{"session ticket", TLSEXT_TYPE_session_ticket},
|
||||
{"renegotiation info", TLSEXT_TYPE_renegotiate},
|
||||
{"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
|
||||
|
|
|
@ -3111,15 +3111,7 @@ int s_client_main(int argc, char **argv)
|
|||
cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED
|
||||
: SSL_KEY_UPDATE_NOT_REQUESTED);
|
||||
cbuf_len = 0;
|
||||
}
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) {
|
||||
BIO_printf(bio_err, "HEARTBEATING\n");
|
||||
SSL_heartbeat(con);
|
||||
cbuf_len = 0;
|
||||
}
|
||||
#endif
|
||||
else {
|
||||
} else {
|
||||
cbuf_len = i;
|
||||
cbuf_off = 0;
|
||||
#ifdef CHARSET_EBCDIC
|
||||
|
|
|
@ -2507,14 +2507,6 @@ static int sv_body(int s, int stype, int prot, unsigned char *context)
|
|||
*/
|
||||
goto err;
|
||||
}
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
||||
BIO_printf(bio_err, "HEARTBEATING\n");
|
||||
SSL_heartbeat(con);
|
||||
i = 0;
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
||||
SSL_renegotiate(con);
|
||||
i = SSL_do_handshake(con);
|
||||
|
|
|
@ -1225,7 +1225,6 @@ SSL_F_DO_DTLS1_WRITE:245:do_dtls1_write
|
|||
SSL_F_DO_SSL3_WRITE:104:do_ssl3_write
|
||||
SSL_F_DTLS1_BUFFER_RECORD:247:dtls1_buffer_record
|
||||
SSL_F_DTLS1_CHECK_TIMEOUT_NUM:318:dtls1_check_timeout_num
|
||||
SSL_F_DTLS1_HEARTBEAT:305:*
|
||||
SSL_F_DTLS1_HM_FRAGMENT_NEW:623:dtls1_hm_fragment_new
|
||||
SSL_F_DTLS1_PREPROCESS_FRAGMENT:288:dtls1_preprocess_fragment
|
||||
SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS:424:dtls1_process_buffered_records
|
||||
|
@ -2974,8 +2973,6 @@ SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length
|
|||
SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long
|
||||
SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch
|
||||
SSL_R_STILL_IN_INIT:121:still in init
|
||||
SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT:365:peer does not accept heartbeats
|
||||
SSL_R_TLS_HEARTBEAT_PENDING:366:heartbeat request already pending
|
||||
SSL_R_TLS_ILLEGAL_EXPORTER_LABEL:367:tls illegal exporter label
|
||||
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST:157:tls invalid ecpointformat list
|
||||
SSL_R_TOO_MANY_KEY_UPDATES:132:too many key updates
|
||||
|
|
|
@ -763,10 +763,6 @@ End the current SSL connection and exit.
|
|||
|
||||
Renegotiate the SSL session (TLSv1.2 and below only).
|
||||
|
||||
=item B<B>
|
||||
|
||||
Send a heartbeat message to the server (DTLS only)
|
||||
|
||||
=item B<k>
|
||||
|
||||
Send a key update message to the server (TLSv1.3 only)
|
||||
|
|
|
@ -783,10 +783,6 @@ cause the client to disconnect due to a protocol violation.
|
|||
|
||||
Print out some session cache status information.
|
||||
|
||||
=item B<B>
|
||||
|
||||
Send a heartbeat message to the client (DTLS only)
|
||||
|
||||
=item B<k>
|
||||
|
||||
Send a key update message to the client (TLSv1.3 only)
|
||||
|
|
|
@ -618,11 +618,6 @@ unsigned long SSL_set_options(SSL *s, unsigned long op);
|
|||
# define SSL_get_secure_renegotiation_support(ssl) \
|
||||
SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
|
||||
|
||||
# ifndef OPENSSL_NO_HEARTBEATS
|
||||
# define SSL_heartbeat(ssl) \
|
||||
SSL_ctrl((ssl),SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT,0,NULL)
|
||||
# endif
|
||||
|
||||
# define SSL_CTX_set_cert_flags(ctx,op) \
|
||||
SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
|
||||
# define SSL_set_cert_flags(s,op) \
|
||||
|
@ -1263,11 +1258,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|||
# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
|
||||
# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
|
||||
# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
|
||||
# ifndef OPENSSL_NO_HEARTBEATS
|
||||
# define SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT 85
|
||||
# define SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING 86
|
||||
# define SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS 87
|
||||
# endif
|
||||
# define DTLS_CTRL_GET_TIMEOUT 73
|
||||
# define DTLS_CTRL_HANDLE_TIMEOUT 74
|
||||
# define SSL_CTRL_GET_RI_SUPPORT 76
|
||||
|
|
|
@ -214,7 +214,6 @@ extern "C" {
|
|||
# define SSL3_RT_ALERT 21
|
||||
# define SSL3_RT_HANDSHAKE 22
|
||||
# define SSL3_RT_APPLICATION_DATA 23
|
||||
# define DTLS1_RT_HEARTBEAT 24
|
||||
|
||||
/* Pseudo content types to indicate additional parameters */
|
||||
# define TLS1_RT_CRYPTO 0x1000
|
||||
|
|
|
@ -47,7 +47,6 @@ int ERR_load_SSL_strings(void);
|
|||
# define SSL_F_DO_SSL3_WRITE 104
|
||||
# define SSL_F_DTLS1_BUFFER_RECORD 247
|
||||
# define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 318
|
||||
# define SSL_F_DTLS1_HEARTBEAT 305
|
||||
# define SSL_F_DTLS1_HM_FRAGMENT_NEW 623
|
||||
# define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
|
||||
# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
|
||||
|
@ -720,8 +719,6 @@ int ERR_load_SSL_strings(void);
|
|||
# define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
|
||||
# define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
|
||||
# define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
|
||||
# define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
|
||||
# define SSL_R_TLS_HEARTBEAT_PENDING 366
|
||||
# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
|
||||
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
|
||||
# define SSL_R_TOO_MANY_KEY_UPDATES 132
|
||||
|
|
|
@ -109,9 +109,6 @@ extern "C" {
|
|||
/* ExtensionType value from RFC5764 */
|
||||
# define TLSEXT_TYPE_use_srtp 14
|
||||
|
||||
/* ExtensionType value from RFC5620 */
|
||||
# define TLSEXT_TYPE_heartbeat 15
|
||||
|
||||
/* ExtensionType value from RFC7301 */
|
||||
# define TLSEXT_TYPE_application_layer_protocol_negotiation 16
|
||||
|
||||
|
@ -328,35 +325,6 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
|
|||
SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,\
|
||||
(void (*)(void))cb)
|
||||
|
||||
# ifndef OPENSSL_NO_HEARTBEATS
|
||||
# define SSL_DTLSEXT_HB_ENABLED 0x01
|
||||
# define SSL_DTLSEXT_HB_DONT_SEND_REQUESTS 0x02
|
||||
# define SSL_DTLSEXT_HB_DONT_RECV_REQUESTS 0x04
|
||||
# define SSL_get_dtlsext_heartbeat_pending(ssl) \
|
||||
SSL_ctrl(ssl,SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING,0,NULL)
|
||||
# define SSL_set_dtlsext_heartbeat_no_requests(ssl, arg) \
|
||||
SSL_ctrl(ssl,SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
|
||||
|
||||
# if !OPENSSL_API_1_1_0
|
||||
# define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT \
|
||||
SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT
|
||||
# define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING \
|
||||
SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING
|
||||
# define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS \
|
||||
SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS
|
||||
# define SSL_TLSEXT_HB_ENABLED \
|
||||
SSL_DTLSEXT_HB_ENABLED
|
||||
# define SSL_TLSEXT_HB_DONT_SEND_REQUESTS \
|
||||
SSL_DTLSEXT_HB_DONT_SEND_REQUESTS
|
||||
# define SSL_TLSEXT_HB_DONT_RECV_REQUESTS \
|
||||
SSL_DTLSEXT_HB_DONT_RECV_REQUESTS
|
||||
# define SSL_get_tlsext_heartbeat_pending(ssl) \
|
||||
SSL_get_dtlsext_heartbeat_pending(ssl)
|
||||
# define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
|
||||
SSL_set_dtlsext_heartbeat_no_requests(ssl,arg)
|
||||
# endif
|
||||
# endif
|
||||
|
||||
/* PSK ciphersuites from 4279 */
|
||||
# define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A
|
||||
# define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B
|
||||
|
|
|
@ -1508,9 +1508,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
|
|||
&& (s->server || rr->type != SSL3_RT_ALERT)) {
|
||||
/*
|
||||
* If we've got this far and still haven't decided on what version
|
||||
* we're using then this must be a client side alert we're dealing with
|
||||
* (we don't allow heartbeats yet). We shouldn't be receiving anything
|
||||
* other than a ClientHello if we are a server.
|
||||
* we're using then this must be a client side alert we're dealing
|
||||
* with. We shouldn't be receiving anything other than a ClientHello
|
||||
* if we are a server.
|
||||
*/
|
||||
s->version = rr->rec_version;
|
||||
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
|
||||
|
|
|
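Review bot: The rewritten comment in the version-undecided branch of ssl3_read_bytes still describes the case the guard exempts rather than the one the block handles: the visible condition `(s->server || rr->type != SSL3_RT_ALERT)` lets through everything except a client receiving an alert, and everything it lets through reaches `SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ...)`, so a reader has to invert the comment to match the code. Consider phrasing it from the fatal side, e.g. `/* Version still undecided: the only record a client may legitimately see here is an alert; anything else, and any record at all on the server side (which should only ever see a ClientHello at this point), is an unexpected message. */`. The first operand of the condition and the rest of ssl3_read_bytes lie outside the hunk, so the exact trigger of the branch is inferred from the visible operand only.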
@ -3547,13 +3547,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|||
ret = 1;
|
||||
break;
|
||||
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT:
|
||||
case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING:
|
||||
case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS:
|
||||
break;
|
||||
#endif
|
||||
|
||||
case SSL_CTRL_CHAIN:
|
||||
if (larg)
|
||||
return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
|
||||
|
|
|
@ -48,7 +48,6 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
|
|||
"dtls1_buffer_record"},
|
||||
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, 0),
|
||||
"dtls1_check_timeout_num"},
|
||||
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HEARTBEAT, 0), ""},
|
||||
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HM_FRAGMENT_NEW, 0),
|
||||
"dtls1_hm_fragment_new"},
|
||||
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PREPROCESS_FRAGMENT, 0),
|
||||
|
@ -1179,10 +1178,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
|
|||
"tlsv1 unrecognized name"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION),
|
||||
"tlsv1 unsupported extension"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),
|
||||
"peer does not accept heartbeats"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PENDING),
|
||||
"heartbeat request already pending"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),
|
||||
"tls illegal exporter label"},
|
||||
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
|
||||
|
|
|
@ -468,7 +468,6 @@ static const ssl_trace_tbl ssl_exts_tbl[] = {
|
|||
{TLSEXT_TYPE_srp, "srp"},
|
||||
{TLSEXT_TYPE_signature_algorithms, "signature_algorithms"},
|
||||
{TLSEXT_TYPE_use_srtp, "use_srtp"},
|
||||
{TLSEXT_TYPE_heartbeat, "tls_heartbeat"},
|
||||
{TLSEXT_TYPE_application_layer_protocol_negotiation,
|
||||
"application_layer_protocol_negotiation"},
|
||||
{TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"},
|
||||
|
@ -783,9 +782,6 @@ static int ssl_print_extension(BIO *bio, int indent, int server,
|
|||
}
|
||||
break;
|
||||
|
||||
case TLSEXT_TYPE_heartbeat:
|
||||
return 0;
|
||||
|
||||
case TLSEXT_TYPE_session_ticket:
|
||||
if (extlen != 0)
|
||||
ssl_print_hex(bio, indent + 4, "ticket", ext, extlen);
|
||||
|
|