From 558ea84743918f7a93bfbfc259f86ad1fa4c8de9 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 15 Nov 2016 14:55:40 +0100 Subject: [PATCH] Remove heartbeats completely Fixes #4856 Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/1928) --- CHANGES | 4 ++++ Configure | 2 -- NEWS | 1 + apps/openssl.c | 3 --- apps/s_cb.c | 17 ----------------- apps/s_client.c | 10 +--------- apps/s_server.c | 8 -------- crypto/err/openssl.txt | 3 --- doc/man1/s_client.pod | 4 ---- doc/man1/s_server.pod | 4 ---- include/openssl/ssl.h | 10 ---------- include/openssl/ssl3.h | 1 - include/openssl/sslerr.h | 3 --- include/openssl/tls1.h | 32 -------------------------------- ssl/record/rec_layer_s3.c | 6 +++--- ssl/s3_lib.c | 7 ------- ssl/ssl_err.c | 5 ----- ssl/t1_trce.c | 4 ---- 18 files changed, 9 insertions(+), 115 deletions(-) diff --git a/CHANGES b/CHANGES index 4ef63b808f..5617fab573 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] + *) Removed the heartbeat message in DTLS feature, as it has very + little usage and doesn't seem to fulfill a valuable purpose. + [Richard Levitte] + *) Changed the output of 'openssl {digestname} < file' to display the digest name in its output. [Richard Levitte] diff --git a/Configure b/Configure index 5f0ca111ca..5aaa640107 100755 --- a/Configure +++ b/Configure @@ -375,7 +375,6 @@ my @disablables = ( "fuzz-libfuzzer", "fuzz-afl", "gost", - "heartbeats", "idea", "makedepend", "md2", @@ -456,7 +455,6 @@ our %disabled = ( # "what" => "comment" "external-tests" => "default", "fuzz-libfuzzer" => "default", "fuzz-afl" => "default", - "heartbeats" => "default", "md2" => "default", "msan" => "default", "rc5" => "default", diff --git a/NEWS b/NEWS index c743dbc62b..3c38c782ad 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,7 @@ 3.0.0 o Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC bridge. + o Removed the heartbeat message in DTLS feature. Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] diff --git a/apps/openssl.c b/apps/openssl.c index 6bb27853fe..b5ec835d51 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -923,9 +923,6 @@ static void list_disabled(void) #ifdef OPENSSL_NO_GOST BIO_puts(bio_out, "GOST\n"); #endif -#ifdef OPENSSL_NO_HEARTBEATS - BIO_puts(bio_out, "HEARTBEATS\n"); -#endif #ifdef OPENSSL_NO_IDEA BIO_puts(bio_out, "IDEA\n"); #endif diff --git a/apps/s_cb.c b/apps/s_cb.c index 818266c814..935ea9022d 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -600,22 +600,6 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, case 23: str_content_type = ", ApplicationData"; break; -#ifndef OPENSSL_NO_HEARTBEATS - case 24: - str_details1 = ", Heartbeat"; - - if (len > 0) { - switch (bp[0]) { - case 1: - str_details1 = ", HeartbeatRequest"; - break; - case 2: - str_details1 = ", HeartbeatResponse"; - break; - } - } - break; -#endif } } @@ -656,7 +640,6 @@ static STRINT_PAIR tlsext_types[] = { {"SRP", TLSEXT_TYPE_srp}, {"signature algorithms", TLSEXT_TYPE_signature_algorithms}, {"use SRTP", TLSEXT_TYPE_use_srtp}, - {"heartbeat", TLSEXT_TYPE_heartbeat}, {"session ticket", TLSEXT_TYPE_session_ticket}, {"renegotiation info", TLSEXT_TYPE_renegotiate}, {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp}, diff --git a/apps/s_client.c b/apps/s_client.c index 7a41d831e9..6d7a83f3a9 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -3111,15 +3111,7 @@ int s_client_main(int argc, char **argv) cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED : SSL_KEY_UPDATE_NOT_REQUESTED); cbuf_len = 0; - } -#ifndef OPENSSL_NO_HEARTBEATS - else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) { - BIO_printf(bio_err, "HEARTBEATING\n"); - SSL_heartbeat(con); - cbuf_len = 0; - } -#endif - else { + } else { cbuf_len = i; cbuf_off = 0; #ifdef CHARSET_EBCDIC diff --git a/apps/s_server.c b/apps/s_server.c index fbbfd6c940..92d4579aeb 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2507,14 +2507,6 @@ static int sv_body(int s, int stype, int prot, unsigned char *context) */ goto err; } -#ifndef OPENSSL_NO_HEARTBEATS - if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) { - BIO_printf(bio_err, "HEARTBEATING\n"); - SSL_heartbeat(con); - i = 0; - continue; - } -#endif if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) { SSL_renegotiate(con); i = SSL_do_handshake(con); diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index f52beb131e..27e1890393 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1225,7 +1225,6 @@ SSL_F_DO_DTLS1_WRITE:245:do_dtls1_write SSL_F_DO_SSL3_WRITE:104:do_ssl3_write SSL_F_DTLS1_BUFFER_RECORD:247:dtls1_buffer_record SSL_F_DTLS1_CHECK_TIMEOUT_NUM:318:dtls1_check_timeout_num -SSL_F_DTLS1_HEARTBEAT:305:* SSL_F_DTLS1_HM_FRAGMENT_NEW:623:dtls1_hm_fragment_new SSL_F_DTLS1_PREPROCESS_FRAGMENT:288:dtls1_preprocess_fragment SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS:424:dtls1_process_buffered_records @@ -2974,8 +2973,6 @@ SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch SSL_R_STILL_IN_INIT:121:still in init -SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT:365:peer does not accept heartbeats -SSL_R_TLS_HEARTBEAT_PENDING:366:heartbeat request already pending SSL_R_TLS_ILLEGAL_EXPORTER_LABEL:367:tls illegal exporter label SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST:157:tls invalid ecpointformat list SSL_R_TOO_MANY_KEY_UPDATES:132:too many key updates diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index 03f8b7a55a..e42a6ba6df 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -763,10 +763,6 @@ End the current SSL connection and exit. Renegotiate the SSL session (TLSv1.2 and below only). -=item B - -Send a heartbeat message to the server (DTLS only) - =item B Send a key update message to the server (TLSv1.3 only) diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod index 71bb166c58..d28feb9844 100644 --- a/doc/man1/s_server.pod +++ b/doc/man1/s_server.pod @@ -783,10 +783,6 @@ cause the client to disconnect due to a protocol violation. Print out some session cache status information. -=item B - -Send a heartbeat message to the client (DTLS only) - =item B Send a key update message to the client (TLSv1.3 only) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1091b1c8b9..72c9d060f3 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -618,11 +618,6 @@ unsigned long SSL_set_options(SSL *s, unsigned long op); # define SSL_get_secure_renegotiation_support(ssl) \ SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) -# ifndef OPENSSL_NO_HEARTBEATS -# define SSL_heartbeat(ssl) \ - SSL_ctrl((ssl),SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT,0,NULL) -# endif - # define SSL_CTX_set_cert_flags(ctx,op) \ SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL) # define SSL_set_cert_flags(s,op) \ @@ -1263,11 +1258,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79 # define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80 # define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81 -# ifndef OPENSSL_NO_HEARTBEATS -# define SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT 85 -# define SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING 86 -# define SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS 87 -# endif # define DTLS_CTRL_GET_TIMEOUT 73 # define DTLS_CTRL_HANDLE_TIMEOUT 74 # define SSL_CTRL_GET_RI_SUPPORT 76 diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index cb0a7929ea..cf0b51ddb5 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -214,7 +214,6 @@ extern "C" { # define SSL3_RT_ALERT 21 # define SSL3_RT_HANDSHAKE 22 # define SSL3_RT_APPLICATION_DATA 23 -# define DTLS1_RT_HEARTBEAT 24 /* Pseudo content types to indicate additional parameters */ # define TLS1_RT_CRYPTO 0x1000 diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index 4603ef4274..7f776f97f7 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -47,7 +47,6 @@ int ERR_load_SSL_strings(void); # define SSL_F_DO_SSL3_WRITE 104 # define SSL_F_DTLS1_BUFFER_RECORD 247 # define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 318 -# define SSL_F_DTLS1_HEARTBEAT 305 # define SSL_F_DTLS1_HM_FRAGMENT_NEW 623 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 # define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424 @@ -720,8 +719,6 @@ int ERR_load_SSL_strings(void); # define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 # define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 -# define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365 -# define SSL_R_TLS_HEARTBEAT_PENDING 366 # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 # define SSL_R_TOO_MANY_KEY_UPDATES 132 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 166f15ad5c..4db2b6a0db 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -109,9 +109,6 @@ extern "C" { /* ExtensionType value from RFC5764 */ # define TLSEXT_TYPE_use_srtp 14 -/* ExtensionType value from RFC5620 */ -# define TLSEXT_TYPE_heartbeat 15 - /* ExtensionType value from RFC7301 */ # define TLSEXT_TYPE_application_layer_protocol_negotiation 16 @@ -328,35 +325,6 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain) SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,\ (void (*)(void))cb) -# ifndef OPENSSL_NO_HEARTBEATS -# define SSL_DTLSEXT_HB_ENABLED 0x01 -# define SSL_DTLSEXT_HB_DONT_SEND_REQUESTS 0x02 -# define SSL_DTLSEXT_HB_DONT_RECV_REQUESTS 0x04 -# define SSL_get_dtlsext_heartbeat_pending(ssl) \ - SSL_ctrl(ssl,SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING,0,NULL) -# define SSL_set_dtlsext_heartbeat_no_requests(ssl, arg) \ - SSL_ctrl(ssl,SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL) - -# if !OPENSSL_API_1_1_0 -# define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT \ - SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT -# define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING \ - SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING -# define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS \ - SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS -# define SSL_TLSEXT_HB_ENABLED \ - SSL_DTLSEXT_HB_ENABLED -# define SSL_TLSEXT_HB_DONT_SEND_REQUESTS \ - SSL_DTLSEXT_HB_DONT_SEND_REQUESTS -# define SSL_TLSEXT_HB_DONT_RECV_REQUESTS \ - SSL_DTLSEXT_HB_DONT_RECV_REQUESTS -# define SSL_get_tlsext_heartbeat_pending(ssl) \ - SSL_get_dtlsext_heartbeat_pending(ssl) -# define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \ - SSL_set_dtlsext_heartbeat_no_requests(ssl,arg) -# endif -# endif - /* PSK ciphersuites from 4279 */ # define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A # define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index feca76eb3f..b21227765a 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1508,9 +1508,9 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, && (s->server || rr->type != SSL3_RT_ALERT)) { /* * If we've got this far and still haven't decided on what version - * we're using then this must be a client side alert we're dealing with - * (we don't allow heartbeats yet). We shouldn't be receiving anything - * other than a ClientHello if we are a server. + * we're using then this must be a client side alert we're dealing + * with. We shouldn't be receiving anything other than a ClientHello + * if we are a server. */ s->version = rr->rec_version; SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a3639fd18c..330b9e3f0c 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3547,13 +3547,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; break; -#ifndef OPENSSL_NO_HEARTBEATS - case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT: - case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING: - case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS: - break; -#endif - case SSL_CTRL_CHAIN: if (larg) return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg); diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index ceae87bbc9..afe1b58214 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -48,7 +48,6 @@ static const ERR_STRING_DATA SSL_str_functs[] = { "dtls1_buffer_record"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, 0), "dtls1_check_timeout_num"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HEARTBEAT, 0), ""}, {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HM_FRAGMENT_NEW, 0), "dtls1_hm_fragment_new"}, {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PREPROCESS_FRAGMENT, 0), @@ -1179,10 +1178,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { "tlsv1 unrecognized name"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION), "tlsv1 unsupported extension"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT), - "peer does not accept heartbeats"}, - {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PENDING), - "heartbeat request already pending"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), "tls illegal exporter label"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 656fefe896..9368baf1e7 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -468,7 +468,6 @@ static const ssl_trace_tbl ssl_exts_tbl[] = { {TLSEXT_TYPE_srp, "srp"}, {TLSEXT_TYPE_signature_algorithms, "signature_algorithms"}, {TLSEXT_TYPE_use_srtp, "use_srtp"}, - {TLSEXT_TYPE_heartbeat, "tls_heartbeat"}, {TLSEXT_TYPE_application_layer_protocol_negotiation, "application_layer_protocol_negotiation"}, {TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"}, @@ -783,9 +782,6 @@ static int ssl_print_extension(BIO *bio, int indent, int server, } break; - case TLSEXT_TYPE_heartbeat: - return 0; - case TLSEXT_TYPE_session_ticket: if (extlen != 0) ssl_print_hex(bio, indent + 4, "ticket", ext, extlen); -- 2.34.1