| Age | Commit message (Collapse) | Author |
|---|
|
Enabling TLS compression may make mbedTLS vulnerable to the
CRIME attack [1]. It should not be enabled unless is is sure CRIME and
similar attacks are not applicable to the particulare situation.
As zlib is probably enabled in most systems, the user might end up with
a vulnerable system without knowing. So, instead of enabling compression
support if the zlib package is available, we make the compression support
a config option. This way, the user has to explicitly enable compression
support and is warned by the help text about the risk.
[1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
To enable compression support using zlib it is necessary to uncomment
the define for MBEDTLS_ZLIB_SUPPORT in config.h [1].
Note, that enabling TLS compression may make mbedTLS vulnerable to the
CRIME attack [1]. It should not be enabled unless is is sure CRIME and
similar attacks are not applicable to the particulare situation.
As zlib is probably enabled in most systems, maybe it is best to make
the compression support a user choice and add the warning from [1]?
[1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
This change also fixes
http://autobuild.buildroot.net/results/27b/27b35d03b576392955e21498ac1e62590ef5f5db/build-end.log
Signed-off-by: Rahul Jain <Rahul.Jain@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Set LINK_WITH_PTHREAD to explicitly add pthread to the list of libraries.
Fixes:
http://autobuild.buildroot.net/results/e08/e087dfa2a6057b18209cd6adff2760026a9ca1db/
http://autobuild.buildroot.net/results/615/61565f1a88b7d6eea03a355ccf8dd3fe6585c4ab/
http://autobuild.buildroot.net/results/6b2/6b267b9cba37655e7d8e6d78821f96d9a8dd7d2e/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes:
CVE-2015-7575 - Security Losses from Obsolete and Truncated Transcript
Hashes (SLOTH) vulnerability.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
It's affected in the same way as polarssl, but use an enhanced trick
compared to 130ca81b since it's required by the codebase. Fixes:
http://autobuild.buildroot.net/results/584/584d1d12be9f2bbf45ccbdf93b6b442524059dcc/
http://autobuild.buildroot.net/results/d13/d13a06ba3fc0d7f08a03c04fcb484761da7af3f7/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Add the mbed TLS library, formerly known as PolarSSL.
The 2.0+ version can live side-by-side with polarssl since it was
renamed, hence can be added with no conflict.
Use the Apache-2.0 license variant since it's somewhat more flexible,
the codebase is the same as the GPLv2 variant, just copyright
headers/license file changed.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
