From patchwork Mon Feb 6 20:01:23 2017
X-Patchwork-Submitter: Jörg Krause
X-Patchwork-Id: 724666
From: Jörg Krause
To: buildroot@buildroot.org
Date: Mon, 6 Feb 2017 21:01:23 +0100
Message-Id: <20170206200123.25375-1-joerg.krause@embedded.rocks>
Subject: [Buildroot] [PATCH] package/mbedtls: make compression support a config option

Enabling TLS compression may make mbedTLS vulnerable to the CRIME attack [1]. It should not be enabled unless it is sure CRIME and similar attacks are not applicable to the particular situation.

As zlib is probably enabled in most systems, the user might end up with a vulnerable system without knowing.

So, instead of enabling compression support if the zlib package is available, we make the compression support a config option. This way, the user has to explicitly enable compression support and is warned by the help text about the risk.

[1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls

Signed-off-by: Jörg Krause
--- package/mbedtls/Config.in | 12 ++++++++++++ package/mbedtls/mbedtls.mk | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/package/mbedtls/Config.in b/package/mbedtls/Config.in index 24f0f489d..42bdcc4d1 100644 --- a/package/mbedtls/Config.in +++ b/package/mbedtls/Config.in
@@ -17,4 +17,16 @@ config BR2_PACKAGE_MBEDTLS_PROGRAMS This option enables the installation and the build of mbed TLS companion programs. +config BR2_PACKAGE_MBEDTLS_COMPRESSION + bool "enable compression support" + select BR2_PACKAGE_ZLIB + help + Enable support for compression of the content data before it + enters the secure channel as described in RFC 3749. + + Warning: TLS compression may make you vulnerable to the CRIME + attack. You shoud not enable it unless you know for sure CRIME + and similar attacks are not applicable to your particular + situation. + endif diff --git a/package/mbedtls/mbedtls.mk b/package/mbedtls/mbedtls.mk index 7171af9f9..198879da4 100644 --- a/package/mbedtls/mbedtls.mk +++ b/package/mbedtls/mbedtls.mk @@ -39,7 +39,7 @@ MBEDTLS_CONF_OPTS += \ -DUSE_SHARED_MBEDTLS_LIBRARY=ON -DUSE_STATIC_MBEDTLS_LIBRARY=OFF endif -ifeq ($(BR2_PACKAGE_ZLIB),y) +ifeq ($(BR2_PACKAGE_MBEDTLS_COMPRESSION),y) MBEDTLS_CONF_OPTS += -DENABLE_ZLIB_SUPPORT=ON MBEDTLS_DEPENDENCIES += zlib define MBEDTLS_ENABLE_ZLIB
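Review bot: typo in the new BR2_PACKAGE_MBEDTLS_COMPRESSION help text in the Config.in hunk, "You shoud not enable it" should read "You should not enable it". While touching the help, it is worth stating what the commit message says but the help does not: the option is off by default, and with it off mbedTLS is now built without zlib even when BR2_PACKAGE_ZLIB is selected by another package, so a user who previously got compression implicitly understands why it has disappeared. The "select BR2_PACKAGE_ZLIB" is the right way to pull in the dependency here.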
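Review bot: in the mbedtls.mk hunk only the enabled branch is visible; since the whole point of the change is that a zlib package present in the build must no longer switch compression on, consider making the disabled case explicit with an else branch that passes "-DENABLE_ZLIB_SUPPORT=OFF" instead of relying on the CMake default of the mbedTLS build system. The rest of the block is fine as it stands: because the new option selects BR2_PACKAGE_ZLIB, the unchanged "MBEDTLS_DEPENDENCIES += zlib" line still only ever runs with zlib available.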
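To make the risk cited in the commit message concrete, here is an added example (written for this page, not part of the patch, of Buildroot or of mbedTLS) of the length oracle that CRIME exploits. When attacker-chosen text and a secret cookie share one DEFLATE-compressed record, a guess that matches one more byte of the cookie compresses a few bits shorter, so the cookie can be recovered byte by byte from nothing but the length of the compressed record. The cookie value, the HTTP request layout and the hex alphabet are constructed for the example, and DEFLATE is pinned to fixed Huffman codes (zlib's Z_FIXED strategy, where the local zlib offers it) so that the bit arithmetic in the comments is exact; the real attack faces more noise per guess but works the same way.

```python
import zlib

# Constructed example values (not from the Buildroot patch): the victim's cookie
# and the part of it the attacker already knows, as in the CRIME setting.
SECRET_COOKIE = "sessionid=7f3a9c1e"
KNOWN_PREFIX = "Cookie: sessionid="
HEX_ALPHABET = "0123456789abcdef"

# Pin DEFLATE to fixed Huffman codes: every ASCII literal then costs exactly
# 8 bits and every byte >= 0x90 costs 9, so the oracle below behaves exactly as
# the comments say. TLS compression uses zlib's default strategy, where the
# attack still works but each guess carries more noise. Older zlib builds
# without Z_FIXED fall back to the default strategy.
_STRATEGY = getattr(zlib, "Z_FIXED", zlib.Z_DEFAULT_STRATEGY)


def deflate_len(data: bytes) -> int:
    """Compressed size in bytes, which is what an on-path attacker sees."""
    comp = zlib.compressobj(level=9, strategy=_STRATEGY)
    return len(comp.compress(data) + comp.flush())


def build_request(attacker_path: bytes, cookie: str) -> bytes:
    """Model of what a browser sends: an attacker-chosen path and the
    browser-added cookie header end up in the same compressed record."""
    return (b"GET /" + attacker_path + b" HTTP/1.1\r\n"
            b"Host: example.org\r\n"
            b"Cookie: " + cookie.encode() + b"\r\n\r\n")


def oracle(guess: str, cookie: str) -> int:
    """Sum of compressed sizes over the 8 possible bit alignments.

    A correct guess turns one 8-bit literal into a one-byte-longer back
    reference, whose length code grows by at most 1 bit, so it saves at least
    7 bits; that saving can vanish when the stream is rounded up to whole
    bytes. Prefixing p distinct bytes >= 0x90 (9-bit literals, no repeats, so
    they never match anything) shifts the alignment by p mod 8, and summing
    over p = 0..7 recovers the exact bit difference, because
    sum(ceil((b + p) / 8) for p in 0..7) == b + 7 for any bit count b.
    """
    total = 0
    for p in range(8):
        pad = bytes(0x90 + i for i in range(p))
        total += deflate_len(build_request(pad + guess.encode(), cookie))
    return total


def recover_secret(known: str, cookie: str, alphabet: str, max_len: int = 64) -> str:
    """Byte-by-byte recovery: extend the known prefix with the candidate whose
    request compresses best. Stops when no candidate is strictly best, which
    is what happens once the whole cookie value has been recovered."""
    for _ in range(max_len):
        scores = {c: oracle(known + c, cookie) for c in alphabet}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    recovered = recover_secret(KNOWN_PREFIX, SECRET_COOKIE, HEX_ALPHABET)
    print("recovered:", recovered)
    print("oracle succeeded:", recovered == "Cookie: " + SECRET_COOKIE)
```

Each recovered byte costs 16 candidates times 8 compressions here; in the real attack every one of those is a request the victim's browser is made to send, and the oracle is the TLS record length on the wire rather than a local len() call. No change on the server side fixes this short of not compressing, which is why the patch leaves the new option off unless the user explicitly turns it on.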