projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3bf545d)
package/uacme: don't allow ualpn with mbedTLS
authorNicola Di Lieto <nicola.dilieto@gmail.com>
Sat, 9 May 2020 09:08:08 +0000 (11:08 +0200)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Sat, 9 May 2020 11:54:46 +0000 (13:54 +0200)
ualpn requires mbedTLS to be configured and built with
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
which is not the default and can be a security risk.

Therefore make BR2_PACKAGE_UACME_UALPN depend on
BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS.

Fixes http://autobuild.buildroot.net/results/d241121f8155bad9b6b25c16234576abb7fc940b

See also

https://github.com/ndilieto/uacme/issues/23
https://github.com/ARMmbed/mbedtls/issues/3241
https://github.com/ARMmbed/mbedtls/pull/3243
http://lists.busybox.net/pipermail/buildroot/2020-April/281059.html
http://lists.busybox.net/pipermail/buildroot/2020-April/281108.html

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
package/uacme/Config.in patch | blob | history
package/uacme/uacme.mk patch | blob | history

diff --git a/package/uacme/Config.in b/package/uacme/Config.in
index 58b7c534e73d147d89b1cc82f8a7141247c8ed62..d69343611557d2e56a82627cbdfae0c35ebce4be 100644 (file)
--- a/package/uacme/Config.in
+++ b/package/uacme/Config.in
@@ -19,6 +19,7 @@ if BR2_PACKAGE_UACME
 config BR2_PACKAGE_UACME_UALPN
        bool "enable ualpn"
        depends on BR2_TOOLCHAIN_HAS_THREADS
+       depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS
        select BR2_PACKAGE_LIBEV
        help
          Build and install ualpn, the transparent proxying tls-alpn-01
@@ -27,4 +28,7 @@ config BR2_PACKAGE_UACME_UALPN
 comment "ualpn needs a toolchain w/ threads"
        depends on !BR2_TOOLCHAIN_HAS_THREADS
 
+comment "ualpn needs either OpenSSL or GnuTLS"
+       depends on !(BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS)
+
 endif
diff --git a/package/uacme/uacme.mk b/package/uacme/uacme.mk
index 7e544fce7901fd074d53902938d2e4790495b42a..be2aa608118b01af49d0d40973a506ebf98e6f45 100644 (file)
--- a/package/uacme/uacme.mk
+++ b/package/uacme/uacme.mk
@@ -18,12 +18,12 @@ UACME_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 UACME_CONF_OPTS += --with-gnutls
 UACME_DEPENDENCIES += gnutls
-else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
-UACME_CONF_OPTS += --with-mbedtls
-UACME_DEPENDENCIES += mbedtls
 else ifeq ($(BR2_PACKAGE_OPENSSL),y)
 UACME_CONF_OPTS += --with-openssl
 UACME_DEPENDENCIES += openssl
+else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
+UACME_CONF_OPTS += --with-mbedtls
+UACME_DEPENDENCIES += mbedtls
 endif
 
 ifeq ($(BR2_PACKAGE_UACME_UALPN),y)