1 files changed, 0 insertions, 214 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 08f7a444ad..8796651806 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -615,20 +615,6 @@ unsigned char
                        i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
        }
-#ifndef OPENSSL_NO_HEARTBEATS
-        /* Add Heartbeat extension */
-        s2n(TLSEXT_TYPE_heartbeat, ret);
-        s2n(1, ret);
-        /* Set mode:
-         * 1: peer may send requests
-         * 2: peer not allowed to send requests
-         */
-        if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-                *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-        else
-                *(ret++) = SSL_TLSEXT_HB_ENABLED;
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
                /* The client advertises an emtpy extension to indicate its
@@ -838,23 +824,6 @@ unsigned char
                ret += 36;
        }
-#ifndef OPENSSL_NO_HEARTBEATS
-        /* Add Heartbeat extension if we've received one */
-        if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
-                s2n(TLSEXT_TYPE_heartbeat, ret);
-                s2n(1, ret);
-                /* Set mode:
-                 * 1: peer may send requests
-                 * 2: peer not allowed to send requests
-                 */
-                if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-                        *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-                else
-                        *(ret++) = SSL_TLSEXT_HB_ENABLED;
-        }
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
        next_proto_neg_seen = s->s3->next_proto_neg_seen;
        s->s3->next_proto_neg_seen = 0;
@@ -980,11 +949,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
        s->s3->next_proto_neg_seen = 0;
 #endif
-#ifndef OPENSSL_NO_HEARTBEATS
-        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-        SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-#endif
 #ifndef OPENSSL_NO_EC
        if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
                ssl_check_for_safari(s, data, d, n);
@@ -1342,22 +1306,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                        else
                                s->tlsext_status_type = -1;
                }
-#ifndef OPENSSL_NO_HEARTBEATS
-                else if (type == TLSEXT_TYPE_heartbeat) {
-                        switch (data[0]) {
-                        case 0x01:      /* Client allows us to send HB requests */
-                                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-                                break;
-                        case 0x02:      /* Client doesn't accept HB requests */
-                                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-                                s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-                                break;
-                        default:
-                                *al = SSL_AD_ILLEGAL_PARAMETER;
-                                return 0;
-                        }
-                }
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
                else if (type == TLSEXT_TYPE_next_proto_neg &&
                    s->s3->tmp.finish_md_len == 0) {
@@ -1443,11 +1391,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
        s->s3->next_proto_neg_seen = 0;
 #endif
-#ifndef OPENSSL_NO_HEARTBEATS
-        s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-        SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-#endif
        if (data >= (d + n - 2))
                goto ri_check;
@@ -1595,22 +1538,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
                                return 0;
                        renegotiate_seen = 1;
                }
-#ifndef OPENSSL_NO_HEARTBEATS
-                else if (type == TLSEXT_TYPE_heartbeat) {
-                        switch (data[0]) {
-                        case 0x01:      /* Server allows us to send HB requests */
-                                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-                                break;
-                        case 0x02:      /* Server doesn't accept HB requests */
-                                s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-                                s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-                                break;
-                        default:
-                                *al = SSL_AD_ILLEGAL_PARAMETER;
-                                return 0;
-                        }
-                }
-#endif
 #ifndef OPENSSL_NO_SRTP
                else if (type == TLSEXT_TYPE_use_srtp) {
                        if (ssl_parse_serverhello_use_srtp_ext(s, data, size,
@@ -2454,144 +2381,3 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 }
 #endif
-#ifndef OPENSSL_NO_HEARTBEATS
-int
-tls1_process_heartbeat(SSL *s)
-{
-        unsigned char *p = &s->s3->rrec.data[0], *pl;
-        unsigned short hbtype;
-        unsigned int payload;
-        unsigned int padding = 16; /* Use minimum padding */
-        if (s->msg_callback)
-                s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-        &s->s3->rrec.data[0], s->s3->rrec.length,
-        s, s->msg_callback_arg);
-        /* Read type and payload length first */
-        if (1 + 2 + 16 > s->s3->rrec.length)
-                return 0; /* silently discard */
-        hbtype = *p++;
-        n2s(p, payload);
-        if (1 + 2 + payload + 16 > s->s3->rrec.length)
-                return 0; /* silently discard per RFC 6520 sec. 4 */
-        pl = p;
-        if (hbtype == TLS1_HB_REQUEST) {
-                unsigned char *buffer, *bp;
-                int r;
-                /* Allocate memory for the response, size is 1 bytes
-                 * message type, plus 2 bytes payload length, plus
-                 * payload, plus padding
-                 */
-                buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-                bp = buffer;
-                /* Enter response type, length and copy payload */
-                *bp++ = TLS1_HB_RESPONSE;
-                s2n(payload, bp);
-                memcpy(bp, pl, payload);
-                bp += payload;
-                /* Random padding */
-                RAND_pseudo_bytes(bp, padding);
-                r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-                if (r >= 0 && s->msg_callback)
-                        s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                buffer, 3 + payload + padding,
-                s, s->msg_callback_arg);
-                OPENSSL_free(buffer);
-                if (r < 0)
-                        return r;
-        } else if (hbtype == TLS1_HB_RESPONSE) {
-                unsigned int seq;
-                /* We only send sequence numbers (2 bytes unsigned int),
-                 * and 16 random bytes, so we just try to read the
-                 * sequence number */
-                n2s(pl, seq);
-                if (payload == 18 && seq == s->tlsext_hb_seq) {
-                        s->tlsext_hb_seq++;
-                        s->tlsext_hb_pending = 0;
-                }
-        }
-        return 0;
-}
-int
-tls1_heartbeat(SSL *s)
-{
-        unsigned char *buf, *p;
-        int ret;
-        unsigned int payload = 18; /* Sequence number + random bytes */
-        unsigned int padding = 16; /* Use minimum padding */
-        /* Only send if peer supports and accepts HB requests... */
-        if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-                s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
-                SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
-                return -1;
-        }
-        /* ...and there is none in flight yet... */
-        if (s->tlsext_hb_pending) {
-                SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
-                return -1;
-        }
-        /* ...and no handshake in progress. */
-        if (SSL_in_init(s) || s->in_handshake) {
-                SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
-                return -1;
-        }
-        /* Check if padding is too long, payload and padding
-         * must not exceed 2^14 - 3 = 16381 bytes in total.
-         */
-        OPENSSL_assert(payload + padding <= 16381);
-        /* Create HeartBeat message, we just use a sequence number
-         * as payload to distuingish different messages and add
-         * some random stuff.
-         *  - Message Type, 1 byte
-         *  - Payload Length, 2 bytes (unsigned int)
-         *  - Payload, the sequence number (2 bytes uint)
-         *  - Payload, random bytes (16 bytes uint)
-         *  - Padding
-         */
-        buf = OPENSSL_malloc(1 + 2 + payload + padding);
-        p = buf;
-        /* Message Type */
-        *p++ = TLS1_HB_REQUEST;
-        /* Payload length (18 bytes here) */
-        s2n(payload, p);
-        /* Sequence number */
-        s2n(s->tlsext_hb_seq, p);
-        /* 16 random bytes */
-        RAND_pseudo_bytes(p, 16);
-        p += 16;
-        /* Random padding */
-        RAND_pseudo_bytes(p, padding);
-        ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-        if (ret >= 0) {
-                if (s->msg_callback)
-                        s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                buf, 3 + payload + padding,
-                s, s->msg_callback_arg);
-                s->tlsext_hb_pending = 1;
-        }
-        OPENSSL_free(buf);
-        return ret;
-}
-#endif

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 08f7a444ad..8796651806 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -615,20 +615,6 @@ unsigned char
615	i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);	615	i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
616	}	616	}
617		617
618	#ifndef OPENSSL_NO_HEARTBEATS
619	/* Add Heartbeat extension */
620	s2n(TLSEXT_TYPE_heartbeat, ret);
621	s2n(1, ret);
622	/* Set mode:
623	* 1: peer may send requests
624	* 2: peer not allowed to send requests
625	*/
626	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
627	*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
628	else
629	*(ret++) = SSL_TLSEXT_HB_ENABLED;
630	#endif
631
632	#ifndef OPENSSL_NO_NEXTPROTONEG	618	#ifndef OPENSSL_NO_NEXTPROTONEG
633	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {	619	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
634	/* The client advertises an emtpy extension to indicate its	620	/* The client advertises an emtpy extension to indicate its
@@ -838,23 +824,6 @@ unsigned char
838	ret += 36;	824	ret += 36;
839	}	825	}
840		826
841	#ifndef OPENSSL_NO_HEARTBEATS
842	/* Add Heartbeat extension if we've received one */
843	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
844	s2n(TLSEXT_TYPE_heartbeat, ret);
845	s2n(1, ret);
846	/* Set mode:
847	* 1: peer may send requests
848	* 2: peer not allowed to send requests
849	*/
850	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
851	*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
852	else
853	*(ret++) = SSL_TLSEXT_HB_ENABLED;
854
855	}
856	#endif
857
858	#ifndef OPENSSL_NO_NEXTPROTONEG	827	#ifndef OPENSSL_NO_NEXTPROTONEG
859	next_proto_neg_seen = s->s3->next_proto_neg_seen;	828	next_proto_neg_seen = s->s3->next_proto_neg_seen;
860	s->s3->next_proto_neg_seen = 0;	829	s->s3->next_proto_neg_seen = 0;
@@ -980,11 +949,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
980	s->s3->next_proto_neg_seen = 0;	949	s->s3->next_proto_neg_seen = 0;
981	#endif	950	#endif
982		951
983	#ifndef OPENSSL_NO_HEARTBEATS
984	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED \|
985	SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
986	#endif
987
988	#ifndef OPENSSL_NO_EC	952	#ifndef OPENSSL_NO_EC
989	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)	953	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
990	ssl_check_for_safari(s, data, d, n);	954	ssl_check_for_safari(s, data, d, n);
@@ -1342,22 +1306,6 @@ ssl_parse_clienthello_tlsext(SSL s, unsigned char p, unsigned char d,
1342	else	1306	else
1343	s->tlsext_status_type = -1;	1307	s->tlsext_status_type = -1;
1344	}	1308	}
1345	#ifndef OPENSSL_NO_HEARTBEATS
1346	else if (type == TLSEXT_TYPE_heartbeat) {
1347	switch (data[0]) {
1348	case 0x01: /* Client allows us to send HB requests */
1349	s->tlsext_heartbeat \|= SSL_TLSEXT_HB_ENABLED;
1350	break;
1351	case 0x02: /* Client doesn't accept HB requests */
1352	s->tlsext_heartbeat \|= SSL_TLSEXT_HB_ENABLED;
1353	s->tlsext_heartbeat \|= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1354	break;
1355	default:
1356	*al = SSL_AD_ILLEGAL_PARAMETER;
1357	return 0;
1358	}
1359	}
1360	#endif
1361	#ifndef OPENSSL_NO_NEXTPROTONEG	1309	#ifndef OPENSSL_NO_NEXTPROTONEG
1362	else if (type == TLSEXT_TYPE_next_proto_neg &&	1310	else if (type == TLSEXT_TYPE_next_proto_neg &&
1363	s->s3->tmp.finish_md_len == 0) {	1311	s->s3->tmp.finish_md_len == 0) {
@@ -1443,11 +1391,6 @@ ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, int n,
1443	s->s3->next_proto_neg_seen = 0;	1391	s->s3->next_proto_neg_seen = 0;
1444	#endif	1392	#endif
1445		1393
1446	#ifndef OPENSSL_NO_HEARTBEATS
1447	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED \|
1448	SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1449	#endif
1450
1451	if (data >= (d + n - 2))	1394	if (data >= (d + n - 2))
1452	goto ri_check;	1395	goto ri_check;
1453		1396
@@ -1595,22 +1538,6 @@ ssl_parse_serverhello_tlsext(SSL s, unsigned char p, unsigned char d, int n,
1595	return 0;	1538	return 0;
1596	renegotiate_seen = 1;	1539	renegotiate_seen = 1;
1597	}	1540	}
1598	#ifndef OPENSSL_NO_HEARTBEATS
1599	else if (type == TLSEXT_TYPE_heartbeat) {
1600	switch (data[0]) {
1601	case 0x01: /* Server allows us to send HB requests */
1602	s->tlsext_heartbeat \|= SSL_TLSEXT_HB_ENABLED;
1603	break;
1604	case 0x02: /* Server doesn't accept HB requests */
1605	s->tlsext_heartbeat \|= SSL_TLSEXT_HB_ENABLED;
1606	s->tlsext_heartbeat \|= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1607	break;
1608	default:
1609	*al = SSL_AD_ILLEGAL_PARAMETER;
1610	return 0;
1611	}
1612	}
1613	#endif
1614	#ifndef OPENSSL_NO_SRTP	1541	#ifndef OPENSSL_NO_SRTP
1615	else if (type == TLSEXT_TYPE_use_srtp) {	1542	else if (type == TLSEXT_TYPE_use_srtp) {
1616	if (ssl_parse_serverhello_use_srtp_ext(s, data, size,	1543	if (ssl_parse_serverhello_use_srtp_ext(s, data, size,
@@ -2454,144 +2381,3 @@ tls1_process_sigalgs(SSL s, const unsigned char data, int dsize)
2454	}	2381	}
2455		2382
2456	#endif	2383	#endif
2457
2458	#ifndef OPENSSL_NO_HEARTBEATS
2459	int
2460	tls1_process_heartbeat(SSL *s)
2461	{
2462	unsigned char p = &s->s3->rrec.data[0], pl;
2463	unsigned short hbtype;
2464	unsigned int payload;
2465	unsigned int padding = 16; /* Use minimum padding */
2466
2467	if (s->msg_callback)
2468	s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2469	&s->s3->rrec.data[0], s->s3->rrec.length,
2470	s, s->msg_callback_arg);
2471
2472	/* Read type and payload length first */
2473	if (1 + 2 + 16 > s->s3->rrec.length)
2474	return 0; /* silently discard */
2475	hbtype = *p++;
2476	n2s(p, payload);
2477	if (1 + 2 + payload + 16 > s->s3->rrec.length)
2478	return 0; /* silently discard per RFC 6520 sec. 4 */
2479	pl = p;
2480
2481	if (hbtype == TLS1_HB_REQUEST) {
2482	unsigned char buffer, bp;
2483	int r;
2484
2485	/* Allocate memory for the response, size is 1 bytes
2486	* message type, plus 2 bytes payload length, plus
2487	* payload, plus padding
2488	*/
2489	buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2490	bp = buffer;
2491
2492	/* Enter response type, length and copy payload */
2493	*bp++ = TLS1_HB_RESPONSE;
2494	s2n(payload, bp);
2495	memcpy(bp, pl, payload);
2496	bp += payload;
2497	/* Random padding */
2498	RAND_pseudo_bytes(bp, padding);
2499
2500	r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2501
2502	if (r >= 0 && s->msg_callback)
2503	s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2504	buffer, 3 + payload + padding,
2505	s, s->msg_callback_arg);
2506
2507	OPENSSL_free(buffer);
2508
2509	if (r < 0)
2510	return r;
2511	} else if (hbtype == TLS1_HB_RESPONSE) {
2512	unsigned int seq;
2513
2514	/* We only send sequence numbers (2 bytes unsigned int),
2515	* and 16 random bytes, so we just try to read the
2516	* sequence number */
2517	n2s(pl, seq);
2518
2519	if (payload == 18 && seq == s->tlsext_hb_seq) {
2520	s->tlsext_hb_seq++;
2521	s->tlsext_hb_pending = 0;
2522	}
2523	}
2524
2525	return 0;
2526	}
2527
2528	int
2529	tls1_heartbeat(SSL *s)
2530	{
2531	unsigned char buf, p;
2532	int ret;
2533	unsigned int payload = 18; /* Sequence number + random bytes */
2534	unsigned int padding = 16; /* Use minimum padding */
2535
2536	/* Only send if peer supports and accepts HB requests... */
2537	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) \|\|
2538	s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
2539	SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2540	return -1;
2541	}
2542
2543	/* ...and there is none in flight yet... */
2544	if (s->tlsext_hb_pending) {
2545	SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
2546	return -1;
2547	}
2548
2549	/* ...and no handshake in progress. */
2550	if (SSL_in_init(s) \|\| s->in_handshake) {
2551	SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
2552	return -1;
2553	}
2554
2555	/* Check if padding is too long, payload and padding
2556	* must not exceed 2^14 - 3 = 16381 bytes in total.
2557	*/
2558	OPENSSL_assert(payload + padding <= 16381);
2559
2560	/* Create HeartBeat message, we just use a sequence number
2561	* as payload to distuingish different messages and add
2562	* some random stuff.
2563	* - Message Type, 1 byte
2564	* - Payload Length, 2 bytes (unsigned int)
2565	* - Payload, the sequence number (2 bytes uint)
2566	* - Payload, random bytes (16 bytes uint)
2567	* - Padding
2568	*/
2569	buf = OPENSSL_malloc(1 + 2 + payload + padding);
2570	p = buf;
2571	/* Message Type */
2572	*p++ = TLS1_HB_REQUEST;
2573	/* Payload length (18 bytes here) */
2574	s2n(payload, p);
2575	/* Sequence number */
2576	s2n(s->tlsext_hb_seq, p);
2577	/* 16 random bytes */
2578	RAND_pseudo_bytes(p, 16);
2579	p += 16;
2580	/* Random padding */
2581	RAND_pseudo_bytes(p, padding);
2582
2583	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2584	if (ret >= 0) {
2585	if (s->msg_callback)
2586	s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2587	buf, 3 + payload + padding,
2588	s, s->msg_callback_arg);
2589
2590	s->tlsext_hb_pending = 1;
2591	}
2592
2593	OPENSSL_free(buf);
2594
2595	return ret;
2596	}
2597	#endif