Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index c25f10bfab..87a65e3db2 100644
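--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -635,18 +635,24 @@ skip_ext:
  }
 #endif
 
-#ifdef TLSEXT_TYPE_padding
- /* Add padding to workaround bugs in F5 terminators.
+ /*
+ * Add padding to workaround bugs in F5 terminators.
  * See https://tools.ietf.org/html/draft-agl-tls-padding-03
  *
+ * Note that this seems to trigger issues with IronPort SMTP
+ * appliances.
+ *
  * NB: because this code works out the length of all existing
  * extensions it MUST always appear last.
  */
- {
+ if (s->options & SSL_OP_TLSEXT_PADDING) {
  int hlen = ret - (unsigned char *)s->init_buf->data;
- /* The code in s23_clnt.c to build ClientHello messages includes the
- * 5-byte record header in the buffer, while the code in s3_clnt.c does
- * not. */
+
+ /*
+ * The code in s23_clnt.c to build ClientHello messages
+ * includes the 5-byte record header in the buffer, while the
+ * code in s3_clnt.c does not.
+ */
  if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
  hlen -= 5;
  if (hlen > 0xff && hlen < 0x200) {
@@ -662,7 +668,6 @@ skip_ext:
  ret += hlen;
  }
  }
-#endif
 
  if ((extdatalen = ret - p - 2) == 0)
  return p;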