make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod

author: tedu <> 2014-04-14 18:45:55 +0000
committer: tedu <> 2014-04-14 18:45:55 +0000
commit: 95635d69892027aae43126c720bdf465c55b75b4 (patch)
tree: cf54816807c3e7c50d1a7df6ceac26ecda2c9f53 /src/lib/libssl/d1_both.c
parent: 4de5e966312f32adfcbfa844e67772602bb18ed6 (diff)
download: openbsd-95635d69892027aae43126c720bdf465c55b75b4.tar.gz
openbsd-95635d69892027aae43126c720bdf465c55b75b4.tar.bz2
openbsd-95635d69892027aae43126c720bdf465c55b75b4.zip
1 files changed, 0 insertions, 153 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index c051e84874..6e51aa7f69 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1041,11 +1041,7 @@ dtls1_read_failed(SSL *s, int code)
                return code;
        }
-#ifndef OPENSSL_NO_HEARTBEATS
-        if (!SSL_in_init(s) && !s->tlsext_hb_pending)  /* done, no need to send a retransmit */
-#else
        if (!SSL_in_init(s))  /* done, no need to send a retransmit */
-#endif
        {
                BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
                return code;
@@ -1386,152 +1382,3 @@ dtls1_shutdown(SSL *s)
 #endif
        return ret;
 }
-#ifndef OPENSSL_NO_HEARTBEATS
-int
-dtls1_process_heartbeat(SSL *s)
-{
-        unsigned char *p = &s->s3->rrec.data[0], *pl;
-        unsigned short hbtype;
-        unsigned int payload;
-        unsigned int padding = 16; /* Use minimum padding */
-        if (s->msg_callback)
-                s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-                    &s->s3->rrec.data[0], s->s3->rrec.length,
-                    s, s->msg_callback_arg);
-        /* Read type and payload length first */
-        if (1 + 2 + 16 > s->s3->rrec.length)
-                return 0; /* silently discard */
-        hbtype = *p++;
-        n2s(p, payload);
-        if (1 + 2 + payload + 16 > s->s3->rrec.length)
-                return 0; /* silently discard per RFC 6520 sec. 4 */
-        pl = p;
-        if (hbtype == TLS1_HB_REQUEST) {
-                unsigned char *buffer, *bp;
-                unsigned int write_length = 1 /* heartbeat type */ +
-                    2 /* heartbeat length */ +
-                    payload + padding;
-                int r;
-                if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-                        return 0;
-                /* Allocate memory for the response, size is 1 byte
-                 * message type, plus 2 bytes payload length, plus
-                 * payload, plus padding
-                 */
-                buffer = OPENSSL_malloc(write_length);
-                bp = buffer;
-                /* Enter response type, length and copy payload */
-                *bp++ = TLS1_HB_RESPONSE;
-                s2n(payload, bp);
-                memcpy(bp, pl, payload);
-                bp += payload;
-                /* Random padding */
-                RAND_pseudo_bytes(bp, padding);
-                r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
-                if (r >= 0 && s->msg_callback)
-                        s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                            buffer, write_length,
-                            s, s->msg_callback_arg);
-                OPENSSL_free(buffer);
-                if (r < 0)
-                        return r;
-        } else if (hbtype == TLS1_HB_RESPONSE) {
-                unsigned int seq;
-                /* We only send sequence numbers (2 bytes unsigned int),
-                 * and 16 random bytes, so we just try to read the
-                 * sequence number */
-                n2s(pl, seq);
-                if (payload == 18 && seq == s->tlsext_hb_seq) {
-                        dtls1_stop_timer(s);
-                        s->tlsext_hb_seq++;
-                        s->tlsext_hb_pending = 0;
-                }
-        }
-        return 0;
-}
-int
-dtls1_heartbeat(SSL *s)
-{
-        unsigned char *buf, *p;
-        int ret;
-        unsigned int payload = 18; /* Sequence number + random bytes */
-        unsigned int padding = 16; /* Use minimum padding */
-        /* Only send if peer supports and accepts HB requests... */
-        if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-                s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
-                SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
-                return -1;
-        }
-        /* ...and there is none in flight yet... */
-        if (s->tlsext_hb_pending) {
-                SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
-                return -1;
-        }
-        /* ...and no handshake in progress. */
-        if (SSL_in_init(s) || s->in_handshake) {
-                SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
-                return -1;
-        }
-        /* Check if padding is too long, payload and padding
-         * must not exceed 2^14 - 3 = 16381 bytes in total.
-         */
-        OPENSSL_assert(payload + padding <= 16381);
-        /* Create HeartBeat message, we just use a sequence number
-         * as payload to distuingish different messages and add
-         * some random stuff.
-         *  - Message Type, 1 byte
-         *  - Payload Length, 2 bytes (unsigned int)
-         *  - Payload, the sequence number (2 bytes uint)
-         *  - Payload, random bytes (16 bytes uint)
-         *  - Padding
-         */
-        buf = OPENSSL_malloc(1 + 2 + payload + padding);
-        p = buf;
-        /* Message Type */
-        *p++ = TLS1_HB_REQUEST;
-        /* Payload length (18 bytes here) */
-        s2n(payload, p);
-        /* Sequence number */
-        s2n(s->tlsext_hb_seq, p);
-        /* 16 random bytes */
-        RAND_pseudo_bytes(p, 16);
-        p += 16;
-        /* Random padding */
-        RAND_pseudo_bytes(p, padding);
-        ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-        if (ret >= 0) {
-                if (s->msg_callback)
-                        s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                buf, 3 + payload + padding,
-                s, s->msg_callback_arg);
-                dtls1_start_timer(s);
-                s->tlsext_hb_pending = 1;
-        }
-        OPENSSL_free(buf);
-        return ret;
-}
-#endif
author	tedu <>	2014-04-14 18:45:55 +0000
committer	tedu <>	2014-04-14 18:45:55 +0000
commit	95635d69892027aae43126c720bdf465c55b75b4 (patch)
tree	cf54816807c3e7c50d1a7df6ceac26ecda2c9f53 /src/lib/libssl/d1_both.c
parent	4de5e966312f32adfcbfa844e67772602bb18ed6 (diff)
download	openbsd-95635d69892027aae43126c720bdf465c55b75b4.tar.gz openbsd-95635d69892027aae43126c720bdf465c55b75b4.tar.bz2 openbsd-95635d69892027aae43126c720bdf465c55b75b4.zip

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c index c051e84874..6e51aa7f69 100644 --- a/src/lib/libssl/d1_both.c +++ b/src/lib/libssl/d1_both.c
@@ -1041,11 +1041,7 @@ dtls1_read_failed(SSL *s, int code)
1041	return code;	1041	return code;
1042	}	1042	}
1043		1043
1044	#ifndef OPENSSL_NO_HEARTBEATS
1045	if (!SSL_in_init(s) && !s->tlsext_hb_pending) /* done, no need to send a retransmit */
1046	#else
1047	if (!SSL_in_init(s)) /* done, no need to send a retransmit */	1044	if (!SSL_in_init(s)) /* done, no need to send a retransmit */
1048	#endif
1049	{	1045	{
1050	BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);	1046	BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
1051	return code;	1047	return code;
@@ -1386,152 +1382,3 @@ dtls1_shutdown(SSL *s)
1386	#endif	1382	#endif
1387	return ret;	1383	return ret;
1388	}	1384	}
1389
1390	#ifndef OPENSSL_NO_HEARTBEATS
1391	int
1392	dtls1_process_heartbeat(SSL *s)
1393	{
1394	unsigned char p = &s->s3->rrec.data[0], pl;
1395	unsigned short hbtype;
1396	unsigned int payload;
1397	unsigned int padding = 16; /* Use minimum padding */
1398
1399	if (s->msg_callback)
1400	s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
1401	&s->s3->rrec.data[0], s->s3->rrec.length,
1402	s, s->msg_callback_arg);
1403
1404	/* Read type and payload length first */
1405	if (1 + 2 + 16 > s->s3->rrec.length)
1406	return 0; /* silently discard */
1407	hbtype = *p++;
1408	n2s(p, payload);
1409	if (1 + 2 + payload + 16 > s->s3->rrec.length)
1410	return 0; /* silently discard per RFC 6520 sec. 4 */
1411	pl = p;
1412
1413	if (hbtype == TLS1_HB_REQUEST) {
1414	unsigned char buffer, bp;
1415	unsigned int write_length = 1 /* heartbeat type */ +
1416	2 /* heartbeat length */ +
1417	payload + padding;
1418	int r;
1419
1420	if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
1421	return 0;
1422
1423	/* Allocate memory for the response, size is 1 byte
1424	* message type, plus 2 bytes payload length, plus
1425	* payload, plus padding
1426	*/
1427	buffer = OPENSSL_malloc(write_length);
1428	bp = buffer;
1429
1430	/* Enter response type, length and copy payload */
1431	*bp++ = TLS1_HB_RESPONSE;
1432	s2n(payload, bp);
1433	memcpy(bp, pl, payload);
1434	bp += payload;
1435	/* Random padding */
1436	RAND_pseudo_bytes(bp, padding);
1437
1438	r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
1439
1440	if (r >= 0 && s->msg_callback)
1441	s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1442	buffer, write_length,
1443	s, s->msg_callback_arg);
1444
1445	OPENSSL_free(buffer);
1446
1447	if (r < 0)
1448	return r;
1449	} else if (hbtype == TLS1_HB_RESPONSE) {
1450	unsigned int seq;
1451
1452	/* We only send sequence numbers (2 bytes unsigned int),
1453	* and 16 random bytes, so we just try to read the
1454	* sequence number */
1455	n2s(pl, seq);
1456
1457	if (payload == 18 && seq == s->tlsext_hb_seq) {
1458	dtls1_stop_timer(s);
1459	s->tlsext_hb_seq++;
1460	s->tlsext_hb_pending = 0;
1461	}
1462	}
1463
1464	return 0;
1465	}
1466
1467	int
1468	dtls1_heartbeat(SSL *s)
1469	{
1470	unsigned char buf, p;
1471	int ret;
1472	unsigned int payload = 18; /* Sequence number + random bytes */
1473	unsigned int padding = 16; /* Use minimum padding */
1474
1475	/* Only send if peer supports and accepts HB requests... */
1476	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) \|\|
1477	s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
1478	SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
1479	return -1;
1480	}
1481
1482	/* ...and there is none in flight yet... */
1483	if (s->tlsext_hb_pending) {
1484	SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
1485	return -1;
1486	}
1487
1488	/* ...and no handshake in progress. */
1489	if (SSL_in_init(s) \|\| s->in_handshake) {
1490	SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
1491	return -1;
1492	}
1493
1494	/* Check if padding is too long, payload and padding
1495	* must not exceed 2^14 - 3 = 16381 bytes in total.
1496	*/
1497	OPENSSL_assert(payload + padding <= 16381);
1498
1499	/* Create HeartBeat message, we just use a sequence number
1500	* as payload to distuingish different messages and add
1501	* some random stuff.
1502	* - Message Type, 1 byte
1503	* - Payload Length, 2 bytes (unsigned int)
1504	* - Payload, the sequence number (2 bytes uint)
1505	* - Payload, random bytes (16 bytes uint)
1506	* - Padding
1507	*/
1508	buf = OPENSSL_malloc(1 + 2 + payload + padding);
1509	p = buf;
1510	/* Message Type */
1511	*p++ = TLS1_HB_REQUEST;
1512	/* Payload length (18 bytes here) */
1513	s2n(payload, p);
1514	/* Sequence number */
1515	s2n(s->tlsext_hb_seq, p);
1516	/* 16 random bytes */
1517	RAND_pseudo_bytes(p, 16);
1518	p += 16;
1519	/* Random padding */
1520	RAND_pseudo_bytes(p, padding);
1521
1522	ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
1523	if (ret >= 0) {
1524	if (s->msg_callback)
1525	s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1526	buf, 3 + payload + padding,
1527	s, s->msg_callback_arg);
1528
1529	dtls1_start_timer(s);
1530	s->tlsext_hb_pending = 1;
1531	}
1532
1533	OPENSSL_free(buf);
1534
1535	return ret;
1536	}
1537	#endif