github.com/mono/boringssl.git
author David Benjamin <davidben@chromium.org> 2014-08-31 06:14:20 +0400
committer Adam Langley <agl@google.com> 2014-09-04 00:17:45 +0400
commit c92c2d7a076ca61d61f3c96b837b18bfdfb56cb5
tree 969045bfab4028495085e04ccb7f287820840b0d /ssl/s3_cbc.c
parent 859ec3cc09f244348f3c919693817acb01064535
Prune some dead quirks and document the SSL_OP_ALL ones.

Update SSL_OP_ALL to account for SSL_OP_CRYPTOPRO_TLSEXT_BUG being gone, and update ssl3_setup_write_buffer to account for SSL_MODE_CBC_RECORD_SPLITTING rather than the now defunct SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

Also remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is to allow for a buggy peer which pads CBC with N bytes of value N rather than N+1 bytes of value N. This quirk has been broken since CBC padding checks became constant-time, as demonstrated by this attempt at a test. (Instead of just decrementing padding_length, it needs to also keep track of a separate padding_value and not decrement that one.)

https://boringssl-review.googlesource.com/#/c/1690/

(The quirk would also fall over anyway if the buggy client ever did a session resumption; then the server speaks first rather than the client, and the quirk triggered on reading the first encrypted record from the peer.)

Change-Id: I19942dc629a47832aead77a46bb50e0b0a9780b3
Reviewed-on: https://boringssl-review.googlesource.com/1694
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/s3_cbc.c')
-rw-r--r-- ssl/s3_cbc.c 15
1 files changed, 0 insertions, 15 deletions
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e1b18afc..6a0de9c1 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -165,21 +165,6 @@ int tls1_cbc_remove_padding(const SSL* s,
padding_length = rec->data[rec->length-1];
- if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
- {
- /* First packet is even in size, so check */
- if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&
- !(padding_length & 1))
- {
- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
- }
- if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
- padding_length > 0)
- {
- padding_length--;
- }
- }
-
good = constant_time_ge(rec->length, overhead+padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
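Review bot: the deleted block at the top of this hunk was the only visible user of SSL_OP_TLS_BLOCK_PADDING_BUG and TLS1_FLAGS_TLS_PADDING_BUG, but this view is limited to ssl/s3_cbc.c, so it does not show whether their definitions and any other references are removed as well. Please confirm both are gone from the headers, so that code still setting the option stops compiling instead of silently getting no effect. The removed lines also branched on `padding_length & 1` and `padding_length > 0`, both derived from `rec->data[rec->length-1]`, ahead of the `constant_time_ge` check. Dropping them means `padding_length` now reaches that check with no data-dependent branch in between, which is worth a sentence in the commit message. A regression test asserting that a record padded with N bytes of value N is rejected would pin the behaviour the message describes.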