* [Buildroot] [PATCH] package/mbedtls: fix zlib support
@ 2017-01-29 21:15 Jörg Krause
2017-02-06 12:58 ` Thomas Petazzoni
0 siblings, 1 reply; 2+ messages in thread
From: Jörg Krause @ 2017-01-29 21:15 UTC
To: buildroot
To enable compression support using zlib it is necessary to uncomment
the define for MBEDTLS_ZLIB_SUPPORT in config.h [1].

Note that enabling TLS compression may make mbedTLS vulnerable to the
CRIME attack [1]. It should not be enabled unless it is sure CRIME and
similar attacks are not applicable to the particular situation.

As zlib is probably enabled in most systems, maybe it is best to make
the compression support a user choice and add the warning from [1]?

[1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
---
package/mbedtls/mbedtls.mk | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/package/mbedtls/mbedtls.mk b/package/mbedtls/mbedtls.mk
index a8bd61f12..7171af9f9 100644
--- a/package/mbedtls/mbedtls.mk
+++ b/package/mbedtls/mbedtls.mk
@@ -42,6 +42,11 @@ endif
ifeq ($(BR2_PACKAGE_ZLIB),y)
MBEDTLS_CONF_OPTS += -DENABLE_ZLIB_SUPPORT=ON
MBEDTLS_DEPENDENCIES += zlib
+define MBEDTLS_ENABLE_ZLIB
+ $(SED) "s://#define MBEDTLS_ZLIB_SUPPORT:#define MBEDTLS_ZLIB_SUPPORT:" \
+ $(@D)/include/mbedtls/config.h
+endef
+MBEDTLS_POST_PATCH_HOOKS += MBEDTLS_ENABLE_ZLIB
else
MBEDTLS_CONF_OPTS += -DENABLE_ZLIB_SUPPORT=OFF
endif
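Review bot: the MBEDTLS_ENABLE_ZLIB hook sits directly under `ifeq ($(BR2_PACKAGE_ZLIB),y)`, so TLS compression is switched on in every configuration that merely has zlib selected, which is exactly the case the commit message flags as potentially exposing mbedTLS to CRIME. Gate the sed hook and `-DENABLE_ZLIB_SUPPORT=ON` behind a dedicated, default-off user option whose help text carries the warning from [1], and add zlib to MBEDTLS_DEPENDENCIES only when that option is set. Separately, the sed pattern is unanchored and sed exits successfully when nothing matches, so if the commented define in include/mbedtls/config.h is ever spelled differently the hook silently does nothing; anchor the pattern to the start of the line and fail the build if MBEDTLS_ZLIB_SUPPORT is still commented out afterwards.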
--
2.11.0
* [Buildroot] [PATCH] package/mbedtls: fix zlib support
2017-01-29 21:15 [Buildroot] [PATCH] package/mbedtls: fix zlib support Jörg Krause
@ 2017-02-06 12:58 ` Thomas Petazzoni
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Petazzoni @ 2017-02-06 12:58 UTC
To: buildroot
Hello,
On Sun, 29 Jan 2017 22:15:11 +0100, Jörg Krause wrote:
> To enable compression support using zlib it is necessary to uncomment
> the define for MBEDTLS_ZLIB_SUPPORT in config.h [1].
>
> Note that enabling TLS compression may make mbedTLS vulnerable to the
> CRIME attack [1]. It should not be enabled unless it is sure CRIME and
> similar attacks are not applicable to the particular situation.
>
> As zlib is probably enabled in most systems, maybe it is best to make
> the compression support a user choice and add the warning from [1]?
Yes, please do this, it seems to make sense.
> [1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls
>
> Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
> ---
> package/mbedtls/mbedtls.mk | 5 +++++
> 1 file changed, 5 insertions(+)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com