From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/3] package/mbedtls: add BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION
Date: Thu, 23 Apr 2020 22:09:05 +0200
Message-ID: <20200423220905.06d9dc59@windsurf.home>
In-Reply-To: <20200422192059.790299-1-fontaine.fabrice@gmail.com>
On Wed, 22 Apr 2020 21:20:57 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> Add an option to enable
> MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/mbedtls/Config.in | 10 ++++++++++
> package/mbedtls/mbedtls.mk | 8 ++++++++
> 2 files changed, 18 insertions(+)
>
> diff --git a/package/mbedtls/Config.in b/package/mbedtls/Config.in
> index a39ba65d98..e48f0473b0 100644
> --- a/package/mbedtls/Config.in
> +++ b/package/mbedtls/Config.in
> @@ -29,4 +29,14 @@ config BR2_PACKAGE_MBEDTLS_COMPRESSION
> sure CRIME and similar attacks are not applicable to your
> particular situation.
>
> +config BR2_PACKAGE_MBEDTLS_X509_UNSUPPORTED_CRITICAL_EXTENSION
> + bool "allow X509 unsupported critical extension"
> + help
> + If set, the X509 parser will not break-off when parsing an
> + X509 certificate and encountering an unknown critical
> + extension.
> +
> + Warning: Depending on your PKI use, enabling this can be a
> + security risk!
> +
> endif
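Review bot: the help text under `+ help` should say which Buildroot consumer needs this option (the rest of the series wires it up for uacme, as the reply below discusses) and what it concretely disables: RFC 5280 requires a relying party to reject a certificate that carries a critical extension it does not recognize, so with this symbol set mbedtls accepts such certificates instead of rejecting them. Since `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is a global mbedtls build option, the help should also state that enabling it for one package relaxes certificate validation for every mbedtls user on the target, not just uacme; "will not break-off when parsing" reads better as "will not reject the certificate when it encounters".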
This whole series is pretty awkward. Shouldn't we instead simply not
allow the use of the uacme mbedtls crypto backend?
What is this X509_UNSUPPORTED_CRITICAL_EXTENSION functionality that is
so weird that it requires patching the mbedtls config.h file? Why does
uacme absolutely require this functionality that no other user of
mbedtls requires?
Until these questions are answered, I'd prefer to drop support for
mbedtls as a crypto backend for uacme.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
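To make concrete what the option under discussion toggles, here is an added stand-alone Python illustration; it is not mbedtls code and not part of this thread. A toy DER walker over an X.509 Extensions SEQUENCE applies the RFC 5280 rule that a relying party must reject a certificate carrying a critical extension it does not recognize, and a flag modelled on MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION shows what relaxing that rule means. The sample extensions are constructed; the 2.999 arc is the ASN.1 example arc, used as a stand-in for an extension the parser does not know, and KNOWN_EXTENSIONS and all function names are this example's own.

```python
"""Toy X.509 Extensions parser showing the RFC 5280 critical-extension rule.
Added illustration only; not mbedtls code. Uses only the standard library."""

# Extension OIDs this toy parser "understands" (a subset of RFC 5280 section 4.2.1).
KNOWN_EXTENSIONS = {
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
}


def _der_len(n):
    """DER definite-length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(content)) + content


def _base128(n):
    chunk = [n & 0x7F]
    n >>= 7
    while n:
        chunk.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(chunk))


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs are combined into one base-128 value."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    return der(0x06, b"".join(_base128(v) for v in values))


def der_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits the BOOLEAN when it equals the default."""
    body = der_oid(oid)
    if critical:
        body += der(0x01, b"\xff")
    body += der(0x04, value)
    return der(0x30, body)


def _read_tlv(buf, off):
    """Return (tag, content, offset after this TLV)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def _decode_oid(content):
    values, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(val)
            val = 0
    first = values[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs + values[1:]))


def parse_extensions(ext_seq):
    """Return a list of (oid, critical, extnValue) from a DER Extensions SEQUENCE."""
    tag, content, _ = _read_tlv(ext_seq, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, off = [], 0
    while off < len(content):
        tag, ext, off = _read_tlv(content, off)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        t, oid_bytes, p = _read_tlv(ext, 0)
        assert t == 0x06, "extnID must be an OID"
        critical = False
        t, nxt, p = _read_tlv(ext, p)
        if t == 0x01:                      # optional BOOLEAN, present only when TRUE
            critical = nxt != b"\x00"
            t, nxt, p = _read_tlv(ext, p)
        assert t == 0x04, "extnValue must be an OCTET STRING"
        result.append((_decode_oid(oid_bytes), critical, nxt))
    return result


def check_extensions(ext_seq, allow_unsupported_critical=False):
    """Decide whether the parser accepts the certificate's extensions.
    Returns (accepted, list of unknown critical OIDs). The flag mirrors the
    effect of MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION: strict mode
    rejects on any unknown critical extension, relaxed mode ignores it."""
    unknown_critical = [oid for oid, crit, _ in parse_extensions(ext_seq)
                        if crit and oid not in KNOWN_EXTENSIONS]
    if unknown_critical and not allow_unsupported_critical:
        return False, unknown_critical
    return True, unknown_critical


# Constructed sample Extensions SEQUENCE (not taken from any real certificate).
SAMPLE_EXTENSIONS = der(0x30,
    der_extension("2.5.29.19", True, der(0x30, der(0x01, b"\xff")))   # basicConstraints cA=TRUE
    + der_extension("2.5.29.15", True, der(0x03, b"\x01\x86"))         # keyUsage bit string
    + der_extension("2.999.1", True, der(0x04, b"opaque")))            # unknown, marked critical

if __name__ == "__main__":
    print("strict :", check_extensions(SAMPLE_EXTENSIONS))
    print("relaxed:", check_extensions(SAMPLE_EXTENSIONS, allow_unsupported_critical=True))
```

In strict mode the sample is rejected because of the unknown critical extension; in relaxed mode the same bytes are accepted and the unknown extension is simply reported as ignored, which is the behaviour change the Kconfig symbol would make global for every mbedtls user on the target.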