make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod

16 files changed, 0 insertions, 532 deletions

diff --git a/lib/libssl/src/apps/s_cb.c b/lib/libssl/src/apps/s_cb.c
index 4e9b7335437..1d6a5183c46 100644
--- a/lib/libssl/src/apps/s_cb.c
+++ b/lib/libssl/src/apps/s_cb.c
@@ -608,26 +608,6 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, size_t
 					}
 				}
 			}
-
-#ifndef OPENSSL_NO_HEARTBEATS
-		if (content_type == 24) /* Heartbeat */
-			{
-			str_details1 = ", Heartbeat";
-			
-			if (len > 0)
-				{
-				switch (((const unsigned char*)buf)[0])
-					{
-				case 1:
-					str_details1 = ", HeartbeatRequest";
-					break;
-				case 2:
-					str_details1 = ", HeartbeatResponse";
-					break;
-					}
-				}
-			}
-#endif
 		}
 
 	BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version, str_content_type, (unsigned long)len, str_details1, str_details2);
diff --git a/lib/libssl/src/apps/s_client.c b/lib/libssl/src/apps/s_client.c
index f7885ad21d2..78566a595e0 100644
--- a/lib/libssl/src/apps/s_client.c
+++ b/lib/libssl/src/apps/s_client.c
@@ -1881,14 +1881,6 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 				SSL_renegotiate(con);
 				cbuf_len=0;
 				}
-#ifndef OPENSSL_NO_HEARTBEATS
-			else if ((!c_ign_eof) && (cbuf[0] == 'B'))
- 				{
-				BIO_printf(bio_err,"HEARTBEATING\n");
-				SSL_heartbeat(con);
-				cbuf_len=0;
-				}
-#endif
 			else
 				{
 				cbuf_len=i;
diff --git a/lib/libssl/src/apps/s_server.c b/lib/libssl/src/apps/s_server.c
index 15070a44c17..53da15da23c 100644
--- a/lib/libssl/src/apps/s_server.c
+++ b/lib/libssl/src/apps/s_server.c
@@ -2199,17 +2199,6 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 					ret= -11;*/
 					goto err;
 					}
-
-#ifndef OPENSSL_NO_HEARTBEATS
-				if ((buf[0] == 'B') &&
-					((buf[1] == '\n') || (buf[1] == '\r')))
-					{
-					BIO_printf(bio_err,"HEARTBEATING\n");
-					SSL_heartbeat(con);
-					i=0;
-					continue;
-					}
-#endif
 				if ((buf[0] == 'r') && 
 					((buf[1] == '\n') || (buf[1] == '\r')))
 					{
diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c
index c051e84874a..6e51aa7f699 100644
--- a/lib/libssl/src/ssl/d1_both.c
+++ b/lib/libssl/src/ssl/d1_both.c
@@ -1041,11 +1041,7 @@ dtls1_read_failed(SSL *s, int code)
 		return code;
 	}
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	if (!SSL_in_init(s) && !s->tlsext_hb_pending)  /* done, no need to send a retransmit */
-#else
 	if (!SSL_in_init(s))  /* done, no need to send a retransmit */
-#endif
 	{
 		BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
 		return code;
@@ -1386,152 +1382,3 @@ dtls1_shutdown(SSL *s)
 #endif
 	return ret;
 }
-
-#ifndef OPENSSL_NO_HEARTBEATS
-int
-dtls1_process_heartbeat(SSL *s)
-{
-	unsigned char *p = &s->s3->rrec.data[0], *pl;
-	unsigned short hbtype;
-	unsigned int payload;
-	unsigned int padding = 16; /* Use minimum padding */
-
-	if (s->msg_callback)
-		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-		    &s->s3->rrec.data[0], s->s3->rrec.length,
-		    s, s->msg_callback_arg);
-
-	/* Read type and payload length first */
-	if (1 + 2 + 16 > s->s3->rrec.length)
-		return 0; /* silently discard */
-	hbtype = *p++;
-	n2s(p, payload);
-	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-		return 0; /* silently discard per RFC 6520 sec. 4 */
-	pl = p;
-
-	if (hbtype == TLS1_HB_REQUEST) {
-		unsigned char *buffer, *bp;
-		unsigned int write_length = 1 /* heartbeat type */ +
-		    2 /* heartbeat length */ +
-		    payload + padding;
-		int r;
-
-		if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-			return 0;
-
-		/* Allocate memory for the response, size is 1 byte
-		 * message type, plus 2 bytes payload length, plus
-		 * payload, plus padding
-		 */
-		buffer = OPENSSL_malloc(write_length);
-		bp = buffer;
-
-		/* Enter response type, length and copy payload */
-		*bp++ = TLS1_HB_RESPONSE;
-		s2n(payload, bp);
-		memcpy(bp, pl, payload);
-		bp += payload;
-		/* Random padding */
-		RAND_pseudo_bytes(bp, padding);
-
-		r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
-
-		if (r >= 0 && s->msg_callback)
-			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-			    buffer, write_length,
-			    s, s->msg_callback_arg);
-
-		OPENSSL_free(buffer);
-
-		if (r < 0)
-			return r;
-	} else if (hbtype == TLS1_HB_RESPONSE) {
-		unsigned int seq;
-
-		/* We only send sequence numbers (2 bytes unsigned int),
-		 * and 16 random bytes, so we just try to read the
-		 * sequence number */
-		n2s(pl, seq);
-
-		if (payload == 18 && seq == s->tlsext_hb_seq) {
-			dtls1_stop_timer(s);
-			s->tlsext_hb_seq++;
-			s->tlsext_hb_pending = 0;
-		}
-	}
-
-	return 0;
-}
-
-int
-dtls1_heartbeat(SSL *s)
-{
-	unsigned char *buf, *p;
-	int ret;
-	unsigned int payload = 18; /* Sequence number + random bytes */
-	unsigned int padding = 16; /* Use minimum padding */
-
-	/* Only send if peer supports and accepts HB requests... */
-	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-		s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
-		SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
-		return -1;
-	}
-
-	/* ...and there is none in flight yet... */
-	if (s->tlsext_hb_pending) {
-		SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
-		return -1;
-	}
-
-	/* ...and no handshake in progress. */
-	if (SSL_in_init(s) || s->in_handshake) {
-		SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
-		return -1;
-	}
-
-	/* Check if padding is too long, payload and padding
-	 * must not exceed 2^14 - 3 = 16381 bytes in total.
-	 */
-	OPENSSL_assert(payload + padding <= 16381);
-
-	/* Create HeartBeat message, we just use a sequence number
-	 * as payload to distuingish different messages and add
-	 * some random stuff.
-	 *  - Message Type, 1 byte
-	 *  - Payload Length, 2 bytes (unsigned int)
-	 *  - Payload, the sequence number (2 bytes uint)
-	 *  - Payload, random bytes (16 bytes uint)
-	 *  - Padding
-	 */
-	buf = OPENSSL_malloc(1 + 2 + payload + padding);
-	p = buf;
-	/* Message Type */
-	*p++ = TLS1_HB_REQUEST;
-	/* Payload length (18 bytes here) */
-	s2n(payload, p);
-	/* Sequence number */
-	s2n(s->tlsext_hb_seq, p);
-	/* 16 random bytes */
-	RAND_pseudo_bytes(p, 16);
-	p += 16;
-	/* Random padding */
-	RAND_pseudo_bytes(p, padding);
-
-	ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-	if (ret >= 0) {
-		if (s->msg_callback)
-			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-		buf, 3 + payload + padding,
-		s, s->msg_callback_arg);
-
-		dtls1_start_timer(s);
-		s->tlsext_hb_pending = 1;
-	}
-
-	OPENSSL_free(buf);
-
-	return ret;
-}
-#endif
diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c
index 4c6aac7536c..1b7cbaec15d 100644
--- a/lib/libssl/src/ssl/d1_clnt.c
+++ b/lib/libssl/src/ssl/d1_clnt.c
@@ -176,18 +176,6 @@ dtls1_connect(SSL *s)
 	    s->in_handshake, NULL);
 #endif
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	/* If we're awaiting a HeartbeatResponse, pretend we
-	 * already got and don't await it anymore, because
-	 * Heartbeats don't make sense during handshakes anyway.
-	 */
-	if (s->tlsext_hb_pending) {
-		dtls1_stop_timer(s);
-		s->tlsext_hb_pending = 0;
-		s->tlsext_hb_seq++;
-	}
-#endif
-
 	for (;;) {
 		state = s->state;
 
diff --git a/lib/libssl/src/ssl/d1_lib.c b/lib/libssl/src/ssl/d1_lib.c
index 3da7c36545e..73c44c807a9 100644
--- a/lib/libssl/src/ssl/d1_lib.c
+++ b/lib/libssl/src/ssl/d1_lib.c
@@ -433,13 +433,6 @@ dtls1_handle_timeout(SSL *s)
 		s->d1->timeout.read_timeouts = 1;
 	}
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	if (s->tlsext_hb_pending) {
-		s->tlsext_hb_pending = 0;
-		return dtls1_heartbeat(s);
-	}
-#endif
-
 	dtls1_start_timer(s);
 	return dtls1_retransmit_buffered_messages(s);
 }
diff --git a/lib/libssl/src/ssl/d1_pkt.c b/lib/libssl/src/ssl/d1_pkt.c
index 30fe8460fb9..830dc2d2d02 100644
--- a/lib/libssl/src/ssl/d1_pkt.c
+++ b/lib/libssl/src/ssl/d1_pkt.c
@@ -937,18 +937,6 @@ start:
 			dest = s->d1->alert_fragment;
 			dest_len = &s->d1->alert_fragment_len;
 		}
-#ifndef OPENSSL_NO_HEARTBEATS
-		else if (rr->type == TLS1_RT_HEARTBEAT) {
-			dtls1_process_heartbeat(s);
-
-			/* Exit and notify application to read again */
-			rr->length = 0;
-			s->rwstate = SSL_READING;
-			BIO_clear_retry_flags(SSL_get_rbio(s));
-			BIO_set_retry_read(SSL_get_rbio(s));
-			return (-1);
-		}
-#endif
 		/* else it's a CCS message, or application data or wrong */
 		else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) {
 			/* Application data while renegotiating
diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c
index 164fcfbf1ff..47a0c0e2a26 100644
--- a/lib/libssl/src/ssl/d1_srvr.c
+++ b/lib/libssl/src/ssl/d1_srvr.c
@@ -185,18 +185,6 @@ dtls1_accept(SSL *s)
 		return (-1);
 	}
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	/* If we're awaiting a HeartbeatResponse, pretend we
-	 * already got and don't await it anymore, because
-	 * Heartbeats don't make sense during handshakes anyway.
-	 */
-	if (s->tlsext_hb_pending) {
-		dtls1_stop_timer(s);
-		s->tlsext_hb_pending = 0;
-		s->tlsext_hb_seq++;
-	}
-#endif
-
 	for (;;) {
 		state = s->state;
 
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index 4ad8d3943ef..c1460266fe4 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -202,17 +202,6 @@ ssl3_connect(SSL *s)
 	if (!SSL_in_init(s) || SSL_in_before(s))
 		SSL_clear(s);
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	/* If we're awaiting a HeartbeatResponse, pretend we
-	 * already got and don't await it anymore, because
-	 * Heartbeats don't make sense during handshakes anyway.
-	 */
-	if (s->tlsext_hb_pending) {
-		s->tlsext_hb_pending = 0;
-		s->tlsext_hb_seq++;
-	}
-#endif
-
 	for (;;) {
 		state = s->state;
 
diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c
index 926071fffaa..68a4b8ca2de 100644
--- a/lib/libssl/src/ssl/s3_lib.c
+++ b/lib/libssl/src/ssl/s3_lib.c
@@ -3319,27 +3319,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 		ret = 1;
 		break;
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
-		if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
-			ret = dtls1_heartbeat(s);
-		else
-			ret = tls1_heartbeat(s);
-		break;
-
-	case SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING:
-		ret = s->tlsext_hb_pending;
-		break;
-
-	case SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS:
-		if (larg)
-			s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
-		else
-			s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
-		ret = 1;
-		break;
-#endif
-
 #endif /* !OPENSSL_NO_TLSEXT */
 	default:
 		break;
diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 6c677d9f6b8..70e6acad4f9 100644
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -1022,19 +1022,6 @@ start:
 			dest = s->s3->alert_fragment;
 			dest_len = &s->s3->alert_fragment_len;
 		}
-#ifndef OPENSSL_NO_HEARTBEATS
-		else if (rr->type == TLS1_RT_HEARTBEAT) {
-			tls1_process_heartbeat(s);
-
-			/* Exit and notify application to read again */
-			rr->length = 0;
-			s->rwstate = SSL_READING;
-			BIO_clear_retry_flags(SSL_get_rbio(s));
-			BIO_set_retry_read(SSL_get_rbio(s));
-			return (-1);
-		}
-#endif
-
 		if (dest_maxlen > 0) {
 			n = dest_maxlen - *dest_len; /* available space in 'dest' */
 			if (rr->length < n)
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 14066031caa..1f0afc23533 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -233,17 +233,6 @@ ssl3_accept(SSL *s)
 		return (-1);
 	}
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	/* If we're awaiting a HeartbeatResponse, pretend we
-	 * already got and don't await it anymore, because
-	 * Heartbeats don't make sense during handshakes anyway.
-	 */
-	if (s->tlsext_hb_pending) {
-		s->tlsext_hb_pending = 0;
-		s->tlsext_hb_seq++;
-	}
-#endif
-
 	for (;;) {
 		state = s->state;
 
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index f524d0d80c5..bf4b2f2cb65 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -684,11 +684,6 @@ struct ssl_session_st
 #define SSL_get_secure_renegotiation_support(ssl) \
 	SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
 
-#ifndef OPENSSL_NO_HEARTBEATS
-#define SSL_heartbeat(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
-#endif
-
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
@@ -1595,11 +1590,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME		79
 #define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH		80
 #define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD		81
-#ifndef OPENSSL_NO_HEARTBEATS
-#define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT				85
-#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING		86
-#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS	87
-#endif
 #endif
 
 #define DTLS_CTRL_GET_TIMEOUT		73
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 42271d634f9..7311d984ae4 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -1108,13 +1108,6 @@ int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_clienthello_tlsext_late(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
 
-#ifndef OPENSSL_NO_HEARTBEATS
-int tls1_heartbeat(SSL *s);
-int dtls1_heartbeat(SSL *s);
-int tls1_process_heartbeat(SSL *s);
-int dtls1_process_heartbeat(SSL *s);
-#endif
-
 #ifdef OPENSSL_NO_SHA256
 #define tlsext_tick_md	EVP_sha1
 #else
diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c
index 08f7a444ad5..87966518067 100644
--- a/lib/libssl/src/ssl/t1_lib.c
+++ b/lib/libssl/src/ssl/t1_lib.c
@@ -615,20 +615,6 @@ unsigned char
 			i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
 	}
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	/* Add Heartbeat extension */
-	s2n(TLSEXT_TYPE_heartbeat, ret);
-	s2n(1, ret);
-	/* Set mode:
-	 * 1: peer may send requests
-	 * 2: peer not allowed to send requests
-	 */
-	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-		*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-	else
-		*(ret++) = SSL_TLSEXT_HB_ENABLED;
-#endif
-
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
 		/* The client advertises an emtpy extension to indicate its
@@ -838,23 +824,6 @@ unsigned char
 		ret += 36;
 	}
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	/* Add Heartbeat extension if we've received one */
-	if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
-		s2n(TLSEXT_TYPE_heartbeat, ret);
-		s2n(1, ret);
-		/* Set mode:
-		 * 1: peer may send requests
-		 * 2: peer not allowed to send requests
-		 */
-		if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
-			*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-		else
-			*(ret++) = SSL_TLSEXT_HB_ENABLED;
-
-	}
-#endif
-
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	next_proto_neg_seen = s->s3->next_proto_neg_seen;
 	s->s3->next_proto_neg_seen = 0;
@@ -980,11 +949,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 	s->s3->next_proto_neg_seen = 0;
 #endif
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-	SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-#endif
-
 #ifndef OPENSSL_NO_EC
 	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
 		ssl_check_for_safari(s, data, d, n);
@@ -1342,22 +1306,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 			else
 				s->tlsext_status_type = -1;
 		}
-#ifndef OPENSSL_NO_HEARTBEATS
-		else if (type == TLSEXT_TYPE_heartbeat) {
-			switch (data[0]) {
-			case 0x01:	/* Client allows us to send HB requests */
-				s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-				break;
-			case 0x02:	/* Client doesn't accept HB requests */
-				s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-				s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-				break;
-			default:
-				*al = SSL_AD_ILLEGAL_PARAMETER;
-				return 0;
-			}
-		}
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
 		else if (type == TLSEXT_TYPE_next_proto_neg &&
 		    s->s3->tmp.finish_md_len == 0) {
@@ -1443,11 +1391,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 	s->s3->next_proto_neg_seen = 0;
 #endif
 
-#ifndef OPENSSL_NO_HEARTBEATS
-	s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
-	SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
-#endif
-
 	if (data >= (d + n - 2))
 		goto ri_check;
 
@@ -1595,22 +1538,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
 				return 0;
 			renegotiate_seen = 1;
 		}
-#ifndef OPENSSL_NO_HEARTBEATS
-		else if (type == TLSEXT_TYPE_heartbeat) {
-			switch (data[0]) {
-			case 0x01:	/* Server allows us to send HB requests */
-				s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-				break;
-			case 0x02:	/* Server doesn't accept HB requests */
-				s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
-				s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
-				break;
-			default:
-				*al = SSL_AD_ILLEGAL_PARAMETER;
-				return 0;
-			}
-		}
-#endif
 #ifndef OPENSSL_NO_SRTP
 		else if (type == TLSEXT_TYPE_use_srtp) {
 			if (ssl_parse_serverhello_use_srtp_ext(s, data, size,
@@ -2454,144 +2381,3 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 }
 
 #endif
-
-#ifndef OPENSSL_NO_HEARTBEATS
-int
-tls1_process_heartbeat(SSL *s)
-{
-	unsigned char *p = &s->s3->rrec.data[0], *pl;
-	unsigned short hbtype;
-	unsigned int payload;
-	unsigned int padding = 16; /* Use minimum padding */
-
-	if (s->msg_callback)
-		s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
-	&s->s3->rrec.data[0], s->s3->rrec.length,
-	s, s->msg_callback_arg);
-
-	/* Read type and payload length first */
-	if (1 + 2 + 16 > s->s3->rrec.length)
-		return 0; /* silently discard */
-	hbtype = *p++;
-	n2s(p, payload);
-	if (1 + 2 + payload + 16 > s->s3->rrec.length)
-		return 0; /* silently discard per RFC 6520 sec. 4 */
-	pl = p;
-
-	if (hbtype == TLS1_HB_REQUEST) {
-		unsigned char *buffer, *bp;
-		int r;
-
-		/* Allocate memory for the response, size is 1 bytes
-		 * message type, plus 2 bytes payload length, plus
-		 * payload, plus padding
-		 */
-		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-		bp = buffer;
-
-		/* Enter response type, length and copy payload */
-		*bp++ = TLS1_HB_RESPONSE;
-		s2n(payload, bp);
-		memcpy(bp, pl, payload);
-		bp += payload;
-		/* Random padding */
-		RAND_pseudo_bytes(bp, padding);
-
-		r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-
-		if (r >= 0 && s->msg_callback)
-			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-		buffer, 3 + payload + padding,
-		s, s->msg_callback_arg);
-
-		OPENSSL_free(buffer);
-
-		if (r < 0)
-			return r;
-	} else if (hbtype == TLS1_HB_RESPONSE) {
-		unsigned int seq;
-
-		/* We only send sequence numbers (2 bytes unsigned int),
-		 * and 16 random bytes, so we just try to read the
-		 * sequence number */
-		n2s(pl, seq);
-
-		if (payload == 18 && seq == s->tlsext_hb_seq) {
-			s->tlsext_hb_seq++;
-			s->tlsext_hb_pending = 0;
-		}
-	}
-
-	return 0;
-}
-
-int
-tls1_heartbeat(SSL *s)
-{
-	unsigned char *buf, *p;
-	int ret;
-	unsigned int payload = 18; /* Sequence number + random bytes */
-	unsigned int padding = 16; /* Use minimum padding */
-
-	/* Only send if peer supports and accepts HB requests... */
-	if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
-		s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
-		SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
-		return -1;
-	}
-
-	/* ...and there is none in flight yet... */
-	if (s->tlsext_hb_pending) {
-		SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
-		return -1;
-	}
-
-	/* ...and no handshake in progress. */
-	if (SSL_in_init(s) || s->in_handshake) {
-		SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
-		return -1;
-	}
-
-	/* Check if padding is too long, payload and padding
-	 * must not exceed 2^14 - 3 = 16381 bytes in total.
-	 */
-	OPENSSL_assert(payload + padding <= 16381);
-
-	/* Create HeartBeat message, we just use a sequence number
-	 * as payload to distuingish different messages and add
-	 * some random stuff.
-	 *  - Message Type, 1 byte
-	 *  - Payload Length, 2 bytes (unsigned int)
-	 *  - Payload, the sequence number (2 bytes uint)
-	 *  - Payload, random bytes (16 bytes uint)
-	 *  - Padding
-	 */
-	buf = OPENSSL_malloc(1 + 2 + payload + padding);
-	p = buf;
-	/* Message Type */
-	*p++ = TLS1_HB_REQUEST;
-	/* Payload length (18 bytes here) */
-	s2n(payload, p);
-	/* Sequence number */
-	s2n(s->tlsext_hb_seq, p);
-	/* 16 random bytes */
-	RAND_pseudo_bytes(p, 16);
-	p += 16;
-	/* Random padding */
-	RAND_pseudo_bytes(p, padding);
-
-	ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
-	if (ret >= 0) {
-		if (s->msg_callback)
-			s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-		buf, 3 + payload + padding,
-		s, s->msg_callback_arg);
-
-		s->tlsext_hb_pending = 1;
-	}
-
-	OPENSSL_free(buf);
-
-	return ret;
-}
-#endif
diff --git a/lib/libssl/src/ssl/tls1.h b/lib/libssl/src/ssl/tls1.h
index c992091e305..7e35f13849d 100644
--- a/lib/libssl/src/ssl/tls1.h
+++ b/lib/libssl/src/ssl/tls1.h
@@ -360,16 +360,6 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG, 0, arg)
 #define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
 SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 
-#ifndef OPENSSL_NO_HEARTBEATS
-#define SSL_TLSEXT_HB_ENABLED				0x01
-#define SSL_TLSEXT_HB_DONT_SEND_REQUESTS	0x02
-#define SSL_TLSEXT_HB_DONT_RECV_REQUESTS	0x04
-
-#define SSL_get_tlsext_heartbeat_pending(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING,0,NULL)
-#define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
-        SSL_ctrl((ssl),SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
-#endif
 #endif
 
 /* PSK ciphersuites from 4279 */