net: don't add padding extension for SSLv3.

net/third_party/nss/ssl/ssl3ext.c

 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TLS extension code moved here from ssl3ecc.c */
 
 #include "nssrenam.h"
@@ skipping 2280 matching lines @@
         PORT_Assert(0);
         return 0;
     }
 
     return extension_length;
 
 loser:
     return -1;
 }
 
-unsigned int
+PRInt32
 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
 {
     unsigned int recordLength = 1 /* handshake message type */ +
                                 3 /* handshake message length */ +
                                 clientHelloLength;
     unsigned int extensionLength;
 
     if (recordLength < 256 || recordLength >= 512) {
         return 0;
     }
@@ skipping 18 matching lines @@
     unsigned char padding[256];
 
     if (extensionLen == 0) {
         return 0;
     }
 
     if (extensionLen < 4 ||
         extensionLen > maxBytes ||
         paddingLen > sizeof(padding)) {
         PORT_Assert(0);
         return 0;

[wtc, 2013/11/11 21:50:33]

It is this return statement that I think should be changed to -1 because we have
detected an internal error. The return statement on line 2333 should still be
"return 0".

[agl, 2013/11/12 16:21:57]

Gah, sorry. I thought you were talking about
ssl3_CalculatePaddingExtensionLength. Yes, this one should be signed because it
returns -1! Thanks.

     }
 
     if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
         return -1;
     if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
         return -1;
     memset(padding, ' ', paddingLen);
     if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
         return -1;
 
     return extensionLen;
 }