[openssl-dev] [openssl.org #3992] [PATCH] Allow RFC6962 Signed Certificate Timestamps to be disabled

David Woodhouse via RT rt at openssl.org
Thu Aug 6 13:14:30 UTC 2015


This code does open-coded division on 64-bit quantities and thus when
building with GCC on 32-bit platforms will require functions such as
__umoddi3 and __udivdi3 from libgcc.

In constrained environments such as firmware, those functions may not
be available. So make it possible to compile out SCT support, which in
fact (in the case of UEFI) we don't need anyway.
---
 crypto/x509v3/ext_dat.h | 2 ++
 crypto/x509v3/v3_scts.c | 2 ++
 makevms.com             | 1 +
 util/mkdef.pl           | 6 +++++-
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 9c3529b..76be621 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -127,8 +127,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &v3_idp,
     &v3_alt[2],
     &v3_freshest_crl,
+#ifndef OPENSSL_NO_SCT
     &v3_ct_scts[0],
     &v3_ct_scts[1],
+#endif
 };
 
 /* Number of standard extensions */
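Review bot: Under OPENSSL_NO_SCT the `standard_exts[]` initializer now has two fewer entries, and the `/* Number of standard extensions */` comment at the end of the hunk suggests a count follows that must agree with it. If that count is derived as `sizeof(standard_exts) / sizeof(standard_exts[0])` it adapts automatically; if it is a literal it has to be reduced by two inside the same `#ifndef`, otherwise lookups would read past the array. The `extern` declaration of `v3_ct_scts` is outside this hunk and is left unguarded, which is harmless as long as it is only referenced here; a `#endif /* OPENSSL_NO_SCT */` comment would make the guard easier to spot in the table.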
diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
index 61e5a83..0ffdfb8 100644
--- a/crypto/x509v3/v3_scts.c
+++ b/crypto/x509v3/v3_scts.c
@@ -61,6 +61,7 @@
 #include <openssl/asn1.h>
 #include <openssl/x509v3.h>
 
+#ifndef OPENSSL_NO_SCT
 /* Signature and hash algorithms from RFC 5246 */
 #define TLSEXT_hash_sha256                              4
 
@@ -321,3 +322,4 @@ static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
 
     return 1;
 }
+#endif
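Review bot: The closing `#endif` at the end of the file is roughly 260 lines away from the `#ifndef OPENSSL_NO_SCT` opened after the includes in the previous hunk, so it should carry the matching condition, `#endif /* OPENSSL_NO_SCT */`, as the other long-range guards in this tree do. The guarded region appears to end with `i2r_SCT_LIST`, i.e. the printing path for the extension; if that is indeed all this file contains, disabling SCT changes only how the extension is displayed and not how certificates carrying it are parsed or verified, which is worth saying explicitly in the commit message so nobody reads `no-sct` as a verification-policy switch. With the guard placed after the includes, a build with OPENSSL_NO_SCT still compiles the header set, which keeps the translation unit non-empty for pedantic compilers.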
diff --git a/makevms.com b/makevms.com
index 35c44ec..500b191 100755
--- a/makevms.com
+++ b/makevms.com
@@ -295,6 +295,7 @@ $ CONFIG_LOGICALS := AES,-
 		     RFC3779,-
 		     RMD160,-
 		     RSA,-
+		     SCT,-
 		     SCTP,-
 		     SEED,-
 		     SOCK,-
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 26fa209..c5aa99d 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -80,6 +80,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
 			 "FP_API", "STDIO", "SOCK", "DGRAM",
 			 # Engines
 			 "STATIC_ENGINE", "ENGINE", "HW", "GMP",
+			 # X.509v3 Signed Certificate Timestamps
+			 "SCT",
 			 # RFC3779
 			 "RFC3779",
 			 # TLS
@@ -126,7 +128,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
 my $no_rsa; my $no_dsa; my $no_dh; my $no_aes;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
 my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
-my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng;
+my $no_sct; $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
 my $no_unit_test; my $no_ssl3_method; my $no_ocb;
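Review bot: The new line drops the `my` from `$no_rfc3779`, leaving a bare `$no_rfc3779;` statement: if mkdef.pl runs under `use strict` that is a compile error, and otherwise `-w` reports a useless use of a variable in void context while `$no_rfc3779` silently turns into a package global that the `no-rfc3779` option handler and `is_valid` happen to share. The line should read `my $no_sct; my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng;`.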
@@ -215,6 +217,7 @@ foreach (@ARGV, split(/ /, $options))
 	elsif (/^no-engine$/)	{ $no_engine=1; }
 	elsif (/^no-hw$/)	{ $no_hw=1; }
 	elsif (/^no-gmp$/)	{ $no_gmp=1; }
+	elsif (/^no-sct$/)	{ $no_sct=1; }
 	elsif (/^no-rfc3779$/)	{ $no_rfc3779=1; }
 	elsif (/^no-cms$/)	{ $no_cms=1; }
 	elsif (/^no-ec2m$/)	{ $no_ec2m=1; }
@@ -1200,6 +1203,7 @@ sub is_valid
 			if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
 			if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
 			if ($keyword eq "GMP" && $no_gmp) { return 0; }
+			if ($keyword eq "SCT" && $no_sct) { return 0; }
 			if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; }
 			if ($keyword eq "PSK" && $no_psk) { return 0; }
 			if ($keyword eq "CMS" && $no_cms) { return 0; }
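Review bot: The `SCT` keyword added to `@known_algorithms` and to `is_valid` only takes effect for symbols that mkdef.pl sees inside an `#ifndef OPENSSL_NO_SCT` block in a public header, if I read the script's keyword derivation correctly, and no header in this patch's diffstat gains such a block. The only SCT functions visible in the diff are `static` (`i2r_SCT_LIST`), so the mkdef.pl entries currently appear to match nothing; that is fine as future-proofing, but a one-line comment such as `# no public symbols yet; reserved for when SCT API is exported` next to the `"SCT"` entry would save the next reader the search. `is_valid` starts before this hunk.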
-- 
2.4.3

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
