[Buildroot] [PATCH v2, 1/1] package/uacme: select openssl or gnutls with ualpn
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Apr 26 09:53:50 UTC 2020
Fabrice, All,
On 2020-04-24 16:00 +0200, Fabrice Fontaine spake thusly:
> ualpn with mbedtls requires the activation of
> MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION on mbedtls which can
> be a security risk. So if the user selects ualpn, make sure that openssl
> or gnutls are selected and used as the crypto library instead of mbedtls
>
> Fixes:
> - http://autobuild.buildroot.org/results/5d42189299549cd655218e9e7cfcfa63e79f74ec
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> Changes v1 -> v2 (after review of Thomas Petazzoni and Yann E. Morin):
> - Do not use ualpn with mbedtls
>
> package/uacme/Config.in | 1 +
> package/uacme/uacme.mk | 4 +++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/package/uacme/Config.in b/package/uacme/Config.in
> index 58b7c534e7..5840ccd5f9 100644
> --- a/package/uacme/Config.in
> +++ b/package/uacme/Config.in
> @@ -20,6 +20,7 @@ config BR2_PACKAGE_UACME_UALPN
> bool "enable ualpn"
> depends on BR2_TOOLCHAIN_HAS_THREADS
> select BR2_PACKAGE_LIBEV
> + select BR2_PACKAGE_OPENSSL if !BR2_PACKAGE_GNUTLS
> help
> Build and install ualpn, the transparent proxying tls-alpn-01
> challenge responder.
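Review bot: the conditional `select BR2_PACKAGE_OPENSSL if !BR2_PACKAGE_GNUTLS` has no comment explaining why ualpn forces openssl or gnutls, unlike the matching uacme.mk change; add a short `# ualpn cannot use mbedtls (needs MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)` line above the select, and say in the help text that enabling ualpn moves the backend away from mbedtls, since a user with only mbedtls enabled will otherwise see openssl appear in the build with no explanation.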
> diff --git a/package/uacme/uacme.mk b/package/uacme/uacme.mk
> index 6df13eced6..b6488afebc 100644
> --- a/package/uacme/uacme.mk
> +++ b/package/uacme/uacme.mk
> @@ -15,10 +15,12 @@ UACME_DEPENDENCIES = libcurl
>
> UACME_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
>
> +# ualpn requires MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION in mbedtls
> +# which can be a security risk so don't use mbedtls if ualpn is requested
> ifeq ($(BR2_PACKAGE_GNUTLS),y)
> UACME_CONF_OPTS += --with-gnutls
> UACME_DEPENDENCIES += gnutls
> -else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
> +else ifeq ($(BR2_PACKAGE_MBEDTLS):$(BR2_PACKAGE_UACME_UALPN),y:)
This condition is a bit too confusing, I'm afraid.
Since you will want to add a choice of the backend, I think it is better
to do so and disable the mbedtls backend when ualpn is enabled,
something like:
    choice
    	bool "crypto backend"

    config BR2_PACKAGE_UACME_CRYPTO_GNUTLS
    	bool "gnutls"

    config BR2_PACKAGE_UACME_CRYPTO_MBEDTLS
    	bool "mbedtls"
    	depends on !BR2_PACKAGE_UACME_UALPN

    comment "mbedtls backend unavailable for ualpn"
    	depends on BR2_PACKAGE_UACME_UALPN

    config BR2_PACKAGE_UACME_CRYPTO_OPENSSL
    	bool "openssl"

    endchoice
(note the other dependencies, if any would be needed, are missing in
each entry of the choice, like wchar and !static for gnutls)
Regards,
Yann E. MORIN.
> UACME_CONF_OPTS += --with-mbedtls
> UACME_DEPENDENCIES += mbedtls
> else ifeq ($(BR2_PACKAGE_OPENSSL),y)
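Review bot: the `else ifeq ($(BR2_PACKAGE_MBEDTLS):$(BR2_PACKAGE_UACME_UALPN),y:)` test is only correct because the Config.in change guarantees openssl or gnutls whenever ualpn is on, so falling through past the mbedtls branch can never leave uacme without a backend; the comment above it should state that coupling, and a plain nested `ifeq ($(BR2_PACKAGE_UACME_UALPN),)` inside the mbedtls branch would be easier to read than the string-concatenation idiom.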
> --
> 2.25.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
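The choice Yann sketches above, written out in full as an added example (not part of the patch or of this thread). The symbol names BR2_PACKAGE_UACME_CRYPTO_* are assumptions, the gnutls dependencies are the wchar and !static ones Yann mentions, and the reason for hiding mbedtls is the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION requirement stated in the commit message:

```kconfig
# Added example for package/uacme/Config.in; symbol names are assumptions.
# A choice makes the backend explicit instead of inferring it from whatever
# TLS libraries happen to be enabled, and lets the mbedtls entry vanish
# from the menu when ualpn is on.

choice
	prompt "crypto backend"
	# prefer a library the configuration already has, never mbedtls with ualpn
	default BR2_PACKAGE_UACME_CRYPTO_GNUTLS if BR2_PACKAGE_GNUTLS
	default BR2_PACKAGE_UACME_CRYPTO_MBEDTLS if BR2_PACKAGE_MBEDTLS && !BR2_PACKAGE_UACME_UALPN
	default BR2_PACKAGE_UACME_CRYPTO_OPENSSL
	help
	  TLS/crypto library uacme is linked against.

config BR2_PACKAGE_UACME_CRYPTO_GNUTLS
	bool "gnutls"
	depends on BR2_USE_WCHAR # gnutls
	depends on !BR2_STATIC_LIBS # gnutls
	select BR2_PACKAGE_GNUTLS

config BR2_PACKAGE_UACME_CRYPTO_MBEDTLS
	bool "mbedtls"
	# ualpn with mbedtls needs MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION,
	# which weakens certificate checking, so the entry is hidden for ualpn
	depends on !BR2_PACKAGE_UACME_UALPN
	select BR2_PACKAGE_MBEDTLS

config BR2_PACKAGE_UACME_CRYPTO_OPENSSL
	bool "openssl"
	select BR2_PACKAGE_OPENSSL

endchoice

comment "mbedtls backend unavailable for ualpn"
	depends on BR2_PACKAGE_UACME_UALPN
```

With this in place, uacme.mk no longer needs the combined mbedtls/ualpn test: each branch checks its own BR2_PACKAGE_UACME_CRYPTO_* symbol and passes the matching --with-gnutls, --with-mbedtls or --with-openssl option, and the gnutls and openssl dependencies Yann flags as missing live on the choice entries rather than being guessed in the makefile.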