Mailing List Archive

[Bug 665] GnuTLS: Please allow disabling of MAC Padding
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=665

Phil Pennock <exim-dev@spodhuis.org> changed:

What | Removed | Added
-----+---------+------------------------
CC   |         | exim-dev@spodhuis.org

--- Comment #4 from Phil Pennock <exim-dev@spodhuis.org> 2008-08-14 07:15:58 ---
Finally, I remember what I meant to say.

There is no documentation in the man-page of the first version of GnuTLS this
feature appears in, so there's a risk of problems compiling against an older
release.

Commit log for function addition:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=91b8389c34b89eba1e2b3f13c43c7c50ea0d6010

Aargh, gitweb makes it unbelievably hard to track which tags might include a
given commit. Okay, ChangeLog lists it in 2007-10-24 for version 2.1.4.

With 2.2.5, gnutls/gnutls.h gives:
#define LIBGNUTLS_VERSION_MAJOR 2
#define LIBGNUTLS_VERSION_MINOR 2
#define LIBGNUTLS_VERSION_PATCH 5

#define LIBGNUTLS_VERSION_NUMBER 0x020205


Should this check be used to log a different message and proceed as normal or
to remove the functionality, or what?


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 665] GnuTLS: Please allow disabling of MAC Padding [ In reply to ]

--- Comment #3 from Phil Pennock <exim-dev@spodhuis.org> 2008-08-14 06:57:32 ---
Created an attachment (id=263)
--> (http://bugs.exim.org/attachment.cgi?id=263)
gnutls_compat_mode

With some checking, it appears that while GnuTLS has
gnutls_record_disable_padding(), it also has
gnutls_session_enable_compatibility_mode(), which is currently documented as
equivalent, but more generic and perhaps more appropriate for a policy (but
even better would be an interface offering a string list of tags for compat
features).

The patch adds "gnutls_compat_mode"; I have tested that Exim compiles and runs
with this but don't have a way to test the impact.

Note that I haven't written documentation for this, I've had enough of docbook
for one day. (Five minutes, far too much).

The code patch for bug 674 makes changes nearby but I've confirmed that patch
and this patch can be applied together without conflict (just some minor line
fudging).


[Bug 665] GnuTLS: Please allow disabling of MAC Padding [ In reply to ]

Andreas Metzler <eximusers@downhill.at.eu.org> changed:

What | Removed | Added
-----+---------+--------------------------------
CC   |         | eximusers@downhill.at.eu.org

--- Comment #5 from Andreas Metzler <eximusers@downhill.at.eu.org> 2008-08-14 18:54:12 ---
Both gnutls_session_enable_compatibility_mode() and
gnutls_record_disable_padding() were added in 2.1.4 (development version).
2.2.0 (released 2007-12-14) was the first stable release with these functions.


[Bug 665] GnuTLS: Please allow disabling of MAC Padding [ In reply to ]

--- Comment #6 from Phil Pennock <exim-dev@spodhuis.org> 2008-08-14 19:49:04 ---
Oh good, it's an obvious and sane versioning scheme. Always a pleasant
surprise.

So it's safe to just use:
#if LIBGNUTLS_VERSION_NUMBER >= 0x020104

as a guard on the actual application of the function and to debug-log a notice
that GNUTLS is too old to support this otherwise. Seems saner than making the
option's availability conditional upon version numbers, since the impact of
this not being applied is some clients not having their bugginess supported
which doesn't seem so critical that the code should be made messier for that.

I think this is a minor enough change for the committer to apply that they
don't need a new patch from me. :) (Shout if I'm wrong)


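The version guard discussed in comments #4 to #6, written out as an added example; this is not Exim's or GnuTLS's code and not the patch attached to the bug. The only real library identifiers used are gnutls_session_enable_compatibility_mode(), gnutls_session_t and the LIBGNUTLS_VERSION_NUMBER macro from gnutls/gnutls.h; the HAVE_GNUTLS build switch, COMPAT_MODE_MIN_VERSION and every function name below are this example's own. The 2.1.4 minimum (0x020104) is the one the thread settles on from the ChangeLog. Built without HAVE_GNUTLS the guarded call is preprocessed away and only the version-packing and policy logic runs, so the example works stand-alone.

```c
/*
 * Added example (not Exim's or GnuTLS's code): the compile-time guard from
 * the thread, wrapped so it builds with or without GnuTLS present.
 *
 * Build against GnuTLS:   cc -DHAVE_GNUTLS guard.c -lgnutls
 * Build stand-alone:      cc guard.c
 *
 * HAVE_GNUTLS, COMPAT_MODE_MIN_VERSION and the function names here are
 * assumed names for this example, not identifiers from Exim or GnuTLS.
 */
#include <stdio.h>
#include <stdlib.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>   /* defines LIBGNUTLS_VERSION_NUMBER */
#endif

/* First version carrying gnutls_session_enable_compatibility_mode(): 2.1.4 */
#define COMPAT_MODE_MIN_VERSION 0x020104UL

/* Pack major.minor.patch the way gnutls/gnutls.h does:
 * LIBGNUTLS_VERSION_NUMBER for 2.2.5 is 0x020205. */
unsigned long pack_gnutls_version(int major, int minor, int patch)
{
    return ((unsigned long)major << 16) |
           ((unsigned long)minor << 8)  |
            (unsigned long)patch;
}

/* Parse a "2.2.5"-style string into the packed form above.
 * Returns 0 for anything that is not exactly three 0..255 components. */
unsigned long parse_gnutls_version(const char *s)
{
    int major, minor, patch;
    char trailing;

    if (sscanf(s, "%d.%d.%d%c", &major, &minor, &patch, &trailing) != 3)
        return 0;
    if (major < 0 || major > 255 || minor < 0 || minor > 255 ||
        patch < 0 || patch > 255)
        return 0;
    return pack_gnutls_version(major, minor, patch);
}

/* Run-time form of the same guard, for a version number you were handed. */
int compat_mode_available(unsigned long packed_version)
{
    return packed_version >= COMPAT_MODE_MIN_VERSION;
}

/*
 * The policy from comment #6: the option is always accepted; if the library
 * is too old, log and carry on without it rather than failing the session.
 * `session` is a gnutls_session_t when built with HAVE_GNUTLS, else unused.
 * Returns 1 if compatibility mode was applied, 0 if it was skipped.
 */
int apply_gnutls_compat_mode(void *session, int option_enabled)
{
    if (!option_enabled)
        return 0;
#if defined(HAVE_GNUTLS) && LIBGNUTLS_VERSION_NUMBER >= COMPAT_MODE_MIN_VERSION
    gnutls_session_enable_compatibility_mode((gnutls_session_t)session);
    return 1;
#else
    (void)session;
    fprintf(stderr, "gnutls_compat_mode requested but this build lacks "
                    "GnuTLS >= 2.1.4; continuing without it\n");
    return 0;
#endif
}

int main(int argc, char **argv)
{
    /* Constructed input: the version quoted in comment #4 unless one is given. */
    const char *ver = argc > 1 ? argv[1] : "2.2.5";
    unsigned long packed = parse_gnutls_version(ver);

    if (packed == 0) {
        fprintf(stderr, "bad version string: %s\n", ver);
        return 1;
    }
    printf("GnuTLS %s -> 0x%06lx, compat mode %s\n", ver, packed,
           compat_mode_available(packed) ? "available" : "too old");
    return 0;
}
```

Comment #5 notes that 2.2.0 was the first stable release with these functions; a deployment that only wants released versions can raise COMPAT_MODE_MIN_VERSION to 0x020200 without touching anything else.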