Remove workaround for TLS padding bug from SSLeay days.

OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.

Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.

ok jsing@

13 files changed, 25 insertions, 79 deletions

diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c
index 7eac48785e..c58e109ae5 100644
--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.9 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.10 2015/07/17 07:04:40 doug Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -187,10 +187,6 @@ dtls1_enc(SSL *s, int send)
 
                         /* we need to add 'i' padding bytes of value j */
                         j = i - 1;
-                        if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
-                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                        j++;
-                        }
                         for (k = (int)l; k < (int)(l + i); k++)
                                 rec->input[k] = j;
                         l += i;
diff --git a/src/lib/libssl/doc/SSL_CTX_set_options.3 b/src/lib/libssl/doc/SSL_CTX_set_options.3
index 53a7a6c9c0..922522a33c 100644
--- a/src/lib/libssl/doc/SSL_CTX_set_options.3
+++ b/src/lib/libssl/doc/SSL_CTX_set_options.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
+.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.7 2015/07/17 07:04:40 doug Exp $
 .\"
-.Dd $Mdocdate: June 15 2015 $
+.Dd $Mdocdate: July 17 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -125,7 +125,9 @@ this option has no effect.
 .It Dv SSL_OP_TLS_D5_BUG
 \&...
 .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability
 affecting CBC ciphers, which cannot be handled by some broken SSL
diff --git a/src/lib/libssl/s3_cbc.c b/src/lib/libssl/s3_cbc.c
index fd4781b64c..57485caacf 100644
--- a/src/lib/libssl/s3_cbc.c
+++ b/src/lib/libssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.9 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.10 2015/07/17 07:04:40 doug Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -165,24 +165,6 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
 
         padding_length = rec->data[rec->length - 1];
 
-        /* NB: if compression is in operation the first packet may not be of
-         * even length so the padding bug check cannot be performed. This bug
-         * workaround has been around since SSLeay so hopefully it is either
-         * fixed now or no buggy implementation supports compression [steve]
-         * (We don't support compression either, so it's not in operation.)
-         */
-        if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)) {
-                /* First packet is even in size, so check */
-                if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",
-                    SSL3_SEQUENCE_SIZE) == 0) && !(padding_length & 1)) {
-                        s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-                }
-                if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
-                    padding_length > 0) {
-                        padding_length--;
-                }
-        }
-
         if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
                 /* padding is already verified */
                 rec->length -= padding_length + 1;
diff --git a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3 b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
index 53a7a6c9c0..922522a33c 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
+++ b/src/lib/libssl/src/doc/ssl/SSL_CTX_set_options.3
@@ -1,7 +1,7 @@
 .\"
-.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.6 2015/06/15 05:32:58 doug Exp $
+.\"     $OpenBSD: SSL_CTX_set_options.3,v 1.7 2015/07/17 07:04:40 doug Exp $
 .\"
-.Dd $Mdocdate: June 15 2015 $
+.Dd $Mdocdate: July 17 2015 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -125,7 +125,9 @@ this option has no effect.
 .It Dv SSL_OP_TLS_D5_BUG
 \&...
 .It Dv SSL_OP_TLS_BLOCK_PADDING_BUG
-\&...
+As of
+.Ox 5.8 ,
+this option has no effect.
 .It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol vulnerability
 affecting CBC ciphers, which cannot be handled by some broken SSL
diff --git a/src/lib/libssl/src/ssl/d1_enc.c b/src/lib/libssl/src/ssl/d1_enc.c
index 7eac48785e..c58e109ae5 100644
--- a/src/lib/libssl/src/ssl/d1_enc.c
+++ b/src/lib/libssl/src/ssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.9 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.10 2015/07/17 07:04:40 doug Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -187,10 +187,6 @@ dtls1_enc(SSL *s, int send)
 
                         /* we need to add 'i' padding bytes of value j */
                         j = i - 1;
-                        if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
-                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                        j++;
-                        }
                         for (k = (int)l; k < (int)(l + i); k++)
                                 rec->input[k] = j;
                         l += i;
diff --git a/src/lib/libssl/src/ssl/s3_cbc.c b/src/lib/libssl/src/ssl/s3_cbc.c
index fd4781b64c..57485caacf 100644
--- a/src/lib/libssl/src/ssl/s3_cbc.c
+++ b/src/lib/libssl/src/ssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.9 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.10 2015/07/17 07:04:40 doug Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
  *
@@ -165,24 +165,6 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size,
 
         padding_length = rec->data[rec->length - 1];
 
-        /* NB: if compression is in operation the first packet may not be of
-         * even length so the padding bug check cannot be performed. This bug
-         * workaround has been around since SSLeay so hopefully it is either
-         * fixed now or no buggy implementation supports compression [steve]
-         * (We don't support compression either, so it's not in operation.)
-         */
-        if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)) {
-                /* First packet is even in size, so check */
-                if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",
-                    SSL3_SEQUENCE_SIZE) == 0) && !(padding_length & 1)) {
-                        s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-                }
-                if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
-                    padding_length > 0) {
-                        padding_length--;
-                }
-        }
-
         if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
                 /* padding is already verified */
                 rec->length -= padding_length + 1;
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index c47ae4632f..84154a5176 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.87 2015/06/20 12:29:39 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.88 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -522,7 +522,6 @@ struct ssl_session_st {
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040L
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
-#define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
@@ -578,7 +577,6 @@ struct ssl_session_st {
      SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | \
      SSL_OP_SAFARI_ECDHE_ECDSA_BUG | \
      SSL_OP_TLS_D5_BUG | \
-     SSL_OP_TLS_BLOCK_PADDING_BUG | \
      SSL_OP_CRYPTOPRO_TLSEXT_BUG)
 
 /* Obsolete flags kept for compatibility. No sane code should use them. */
@@ -594,6 +592,7 @@ struct ssl_session_st {
 #define SSL_OP_PKCS1_CHECK_2                            0x0
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
+#define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
 
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  * when just a single record has been written): */
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 265d18810e..8bcf9e37e8 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.37 2015/06/18 22:51:05 doug Exp $ */
+/* $OpenBSD: ssl3.h,v 1.38 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -351,7 +351,7 @@ typedef struct ssl3_buffer_st {
 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS       0x0001
 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED        0x0002
 #define SSL3_FLAGS_POP_BUFFER                   0x0004
-#define TLS1_FLAGS_TLS_PADDING_BUG              0x0008
+#define TLS1_FLAGS_TLS_PADDING_BUG              0x0
 #define TLS1_FLAGS_SKIP_CERT_VERIFY             0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE               0x0020
 #define SSL3_FLAGS_CCS_OK                       0x0080
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index b48e248b23..5cd1688a37 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.78 2015/06/17 14:27:56 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.79 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -875,10 +875,6 @@ tls1_enc(SSL *s, int send)
 
                         /* we need to add 'i' padding bytes of value j */
                         j = i - 1;
-                        if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
-                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                        j++;
-                        }
                         for (k = (int)l; k < (int)(l + i); k++)
                                 rec->input[k] = j;
                         l += i;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index c47ae4632f..84154a5176 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.87 2015/06/20 12:29:39 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.88 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -522,7 +522,6 @@ struct ssl_session_st {
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x00000020L
 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x00000040L
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
-#define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
@@ -578,7 +577,6 @@ struct ssl_session_st {
      SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | \
      SSL_OP_SAFARI_ECDHE_ECDSA_BUG | \
      SSL_OP_TLS_D5_BUG | \
-     SSL_OP_TLS_BLOCK_PADDING_BUG | \
      SSL_OP_CRYPTOPRO_TLSEXT_BUG)
 
 /* Obsolete flags kept for compatibility. No sane code should use them. */
@@ -594,6 +592,7 @@ struct ssl_session_st {
 #define SSL_OP_PKCS1_CHECK_2                            0x0
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
+#define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
 
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  * when just a single record has been written): */
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 265d18810e..8bcf9e37e8 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.37 2015/06/18 22:51:05 doug Exp $ */
+/* $OpenBSD: ssl3.h,v 1.38 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -351,7 +351,7 @@ typedef struct ssl3_buffer_st {
 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS       0x0001
 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED        0x0002
 #define SSL3_FLAGS_POP_BUFFER                   0x0004
-#define TLS1_FLAGS_TLS_PADDING_BUG              0x0008
+#define TLS1_FLAGS_TLS_PADDING_BUG              0x0
 #define TLS1_FLAGS_SKIP_CERT_VERIFY             0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE               0x0020
 #define SSL3_FLAGS_CCS_OK                       0x0080
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index b48e248b23..5cd1688a37 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.78 2015/06/17 14:27:56 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.79 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -875,10 +875,6 @@ tls1_enc(SSL *s, int send)
 
                         /* we need to add 'i' padding bytes of value j */
                         j = i - 1;
-                        if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) {
-                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-                                        j++;
-                        }
                         for (k = (int)l; k < (int)(l + i); k++)
                                 rec->input[k] = j;
                         l += i;
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 61b70a5569..066588f01b 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.11 2015/06/15 05:16:56 doug Exp $ */
+/* $OpenBSD: s_server.c,v 1.12 2015/07/17 07:04:41 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1692,10 +1692,6 @@ init_ssl_connection(SSL * con)
 #endif
         if (SSL_cache_hit(con))
                 BIO_printf(bio_s_out, "Reused session-id\n");
-        if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
-            TLS1_FLAGS_TLS_PADDING_BUG)
-                BIO_printf(bio_s_out,
-                    "Peer has incorrect TLSv1 block padding\n");
         BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
             SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
         if (keymatexportlabel != NULL) {