Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Removed the heartbeat message in DTLS feature, as it has very
+ little usage and doesn't seem to fulfill a valuable purpose.
+ [Richard Levitte]
+
*) Changed the output of 'openssl {digestname} < file' to display the
digest name in its output.
[Richard Levitte]
"fuzz-libfuzzer",
"fuzz-afl",
"gost",
- "heartbeats",
"idea",
"makedepend",
"md2",
"external-tests" => "default",
"fuzz-libfuzzer" => "default",
"fuzz-afl" => "default",
- "heartbeats" => "default",
"md2" => "default",
"msan" => "default",
"rc5" => "default",
3.0.0
o Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
bridge.
+ o Removed the heartbeat message in DTLS feature.
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
#ifdef OPENSSL_NO_GOST
BIO_puts(bio_out, "GOST\n");
#endif
-#ifdef OPENSSL_NO_HEARTBEATS
- BIO_puts(bio_out, "HEARTBEATS\n");
-#endif
#ifdef OPENSSL_NO_IDEA
BIO_puts(bio_out, "IDEA\n");
#endif
case 23:
str_content_type = ", ApplicationData";
break;
-#ifndef OPENSSL_NO_HEARTBEATS
- case 24:
- str_details1 = ", Heartbeat";
-
- if (len > 0) {
- switch (bp[0]) {
- case 1:
- str_details1 = ", HeartbeatRequest";
- break;
- case 2:
- str_details1 = ", HeartbeatResponse";
- break;
- }
- }
- break;
-#endif
}
}
{"SRP", TLSEXT_TYPE_srp},
{"signature algorithms", TLSEXT_TYPE_signature_algorithms},
{"use SRTP", TLSEXT_TYPE_use_srtp},
- {"heartbeat", TLSEXT_TYPE_heartbeat},
{"session ticket", TLSEXT_TYPE_session_ticket},
{"renegotiation info", TLSEXT_TYPE_renegotiate},
{"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED
: SSL_KEY_UPDATE_NOT_REQUESTED);
cbuf_len = 0;
- }
-#ifndef OPENSSL_NO_HEARTBEATS
- else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) {
- BIO_printf(bio_err, "HEARTBEATING\n");
- SSL_heartbeat(con);
- cbuf_len = 0;
- }
-#endif
- else {
+ } else {
cbuf_len = i;
cbuf_off = 0;
#ifdef CHARSET_EBCDIC
*/
goto err;
}
-#ifndef OPENSSL_NO_HEARTBEATS
- if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
- BIO_printf(bio_err, "HEARTBEATING\n");
- SSL_heartbeat(con);
- i = 0;
- continue;
- }
-#endif
if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
SSL_renegotiate(con);
i = SSL_do_handshake(con);
SSL_F_DO_SSL3_WRITE:104:do_ssl3_write
SSL_F_DTLS1_BUFFER_RECORD:247:dtls1_buffer_record
SSL_F_DTLS1_CHECK_TIMEOUT_NUM:318:dtls1_check_timeout_num
-SSL_F_DTLS1_HEARTBEAT:305:*
SSL_F_DTLS1_HM_FRAGMENT_NEW:623:dtls1_hm_fragment_new
SSL_F_DTLS1_PREPROCESS_FRAGMENT:288:dtls1_preprocess_fragment
SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS:424:dtls1_process_buffered_records
SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long
SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch
SSL_R_STILL_IN_INIT:121:still in init
-SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT:365:peer does not accept heartbeats
-SSL_R_TLS_HEARTBEAT_PENDING:366:heartbeat request already pending
SSL_R_TLS_ILLEGAL_EXPORTER_LABEL:367:tls illegal exporter label
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST:157:tls invalid ecpointformat list
SSL_R_TOO_MANY_KEY_UPDATES:132:too many key updates
Renegotiate the SSL session (TLSv1.2 and below only).
-=item B<B>
-
-Send a heartbeat message to the server (DTLS only)
-
=item B<k>
Send a key update message to the server (TLSv1.3 only)
Print out some session cache status information.
-=item B<B>
-
-Send a heartbeat message to the client (DTLS only)
-
=item B<k>
Send a key update message to the client (TLSv1.3 only)
# define SSL_get_secure_renegotiation_support(ssl) \
SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
-# ifndef OPENSSL_NO_HEARTBEATS
-# define SSL_heartbeat(ssl) \
- SSL_ctrl((ssl),SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT,0,NULL)
-# endif
-
# define SSL_CTX_set_cert_flags(ctx,op) \
SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
# define SSL_set_cert_flags(s,op) \
# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
-# ifndef OPENSSL_NO_HEARTBEATS
-# define SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT 85
-# define SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING 86
-# define SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS 87
-# endif
# define DTLS_CTRL_GET_TIMEOUT 73
# define DTLS_CTRL_HANDLE_TIMEOUT 74
# define SSL_CTRL_GET_RI_SUPPORT 76
# define SSL3_RT_ALERT 21
# define SSL3_RT_HANDSHAKE 22
# define SSL3_RT_APPLICATION_DATA 23
-# define DTLS1_RT_HEARTBEAT 24
/* Pseudo content types to indicate additional parameters */
# define TLS1_RT_CRYPTO 0x1000
# define SSL_F_DO_SSL3_WRITE 104
# define SSL_F_DTLS1_BUFFER_RECORD 247
# define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 318
-# define SSL_F_DTLS1_HEARTBEAT 305
# define SSL_F_DTLS1_HM_FRAGMENT_NEW 623
# define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
# define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111
# define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
# define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
-# define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
-# define SSL_R_TLS_HEARTBEAT_PENDING 366
# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
# define SSL_R_TOO_MANY_KEY_UPDATES 132
/* ExtensionType value from RFC5764 */
# define TLSEXT_TYPE_use_srtp 14
-/* ExtensionType value from RFC5620 */
-# define TLSEXT_TYPE_heartbeat 15
-
/* ExtensionType value from RFC7301 */
# define TLSEXT_TYPE_application_layer_protocol_negotiation 16
SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,\
(void (*)(void))cb)
-# ifndef OPENSSL_NO_HEARTBEATS
-# define SSL_DTLSEXT_HB_ENABLED 0x01
-# define SSL_DTLSEXT_HB_DONT_SEND_REQUESTS 0x02
-# define SSL_DTLSEXT_HB_DONT_RECV_REQUESTS 0x04
-# define SSL_get_dtlsext_heartbeat_pending(ssl) \
- SSL_ctrl(ssl,SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING,0,NULL)
-# define SSL_set_dtlsext_heartbeat_no_requests(ssl, arg) \
- SSL_ctrl(ssl,SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
-
-# if !OPENSSL_API_1_1_0
-# define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT \
- SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT
-# define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING \
- SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING
-# define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS \
- SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS
-# define SSL_TLSEXT_HB_ENABLED \
- SSL_DTLSEXT_HB_ENABLED
-# define SSL_TLSEXT_HB_DONT_SEND_REQUESTS \
- SSL_DTLSEXT_HB_DONT_SEND_REQUESTS
-# define SSL_TLSEXT_HB_DONT_RECV_REQUESTS \
- SSL_DTLSEXT_HB_DONT_RECV_REQUESTS
-# define SSL_get_tlsext_heartbeat_pending(ssl) \
- SSL_get_dtlsext_heartbeat_pending(ssl)
-# define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
- SSL_set_dtlsext_heartbeat_no_requests(ssl,arg)
-# endif
-# endif
-
/* PSK ciphersuites from 4279 */
# define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A
# define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B
&& (s->server || rr->type != SSL3_RT_ALERT)) {
/*
* If we've got this far and still haven't decided on what version
- * we're using then this must be a client side alert we're dealing with
- * (we don't allow heartbeats yet). We shouldn't be receiving anything
- * other than a ClientHello if we are a server.
+ * we're using then this must be a client side alert we're dealing
+ * with. We shouldn't be receiving anything other than a ClientHello
+ * if we are a server.
*/
s->version = rr->rec_version;
SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
ret = 1;
break;
-#ifndef OPENSSL_NO_HEARTBEATS
- case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT:
- case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING:
- case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS:
- break;
-#endif
-
case SSL_CTRL_CHAIN:
if (larg)
return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
"dtls1_buffer_record"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_CHECK_TIMEOUT_NUM, 0),
"dtls1_check_timeout_num"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HEARTBEAT, 0), ""},
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_HM_FRAGMENT_NEW, 0),
"dtls1_hm_fragment_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_DTLS1_PREPROCESS_FRAGMENT, 0),
"tlsv1 unrecognized name"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION),
"tlsv1 unsupported extension"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),
- "peer does not accept heartbeats"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_HEARTBEAT_PENDING),
- "heartbeat request already pending"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),
"tls illegal exporter label"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
{TLSEXT_TYPE_srp, "srp"},
{TLSEXT_TYPE_signature_algorithms, "signature_algorithms"},
{TLSEXT_TYPE_use_srtp, "use_srtp"},
- {TLSEXT_TYPE_heartbeat, "tls_heartbeat"},
{TLSEXT_TYPE_application_layer_protocol_negotiation,
"application_layer_protocol_negotiation"},
{TLSEXT_TYPE_signed_certificate_timestamp, "signed_certificate_timestamps"},
}
break;
- case TLSEXT_TYPE_heartbeat:
- return 0;
-
case TLSEXT_TYPE_session_ticket:
if (extlen != 0)
ssl_print_hex(bio, indent + 4, "ticket", ext, extlen);