1
Download the Cryptlib manual
Transcript
Configuration Issues 27 X.500 DNs in string form cryptlib supports the ability to specify X.500 Distinguished Names for certificates as free-format strings, allowing the creation of arbitrarily complex and non-standard DNs. This is a somewhat dangerous capability both because it allows the creation of arbitrarily awkward and broken DNs, and because it bypasses cryptlib’s standard safety checks for DN validity, so it’s disabled by default. If you’re certain that you really need X.500 free-format string access then you can enable it by defining USE_CERT_DNSTRING either via the makefile/project file or in misc/config.h. Customised and Cut-down cryptlib Versions In some cases you may want to customise the cryptlib build or create a cut-down version that omits certain capabilities in order to reduce code size for constrained environments. You can do this by editing the configuration build file misc/config.h, which allows almost every part of cryptlib’s functionality to be selectively enabled or disabled (some functionality is used by all of cryptlib and can’t be disabled). Each portion of functionality is controlled by a USE_name define, by undefining the value before you build cryptlib the named functionality will be removed. For example, undefining USE_SSH1 would disable the use of SSHv1 (this is disabled by default, since it’s been superseded by SSHv2); undefining USE_SKIPJACK would disable the use of the Skipjack algorithm (this is also disabled by default, since it’s obsolete and no longer considered secure). In addition you can use the build file to disable the use of the two patented algorithms IDEA and RC5 (see “Algorithms” on page 303 for more information on whether these two patents affect your use of cryptlib) by undefining USE_PATENTED_ALGORITHMS. More details on tuning cryptlib’s size and capabilities (particularly for use in embedded systems) is given in “Embedded Systems” on page 288. If you only want to use cryptlib for one particular purpose and don’t feel like manually enabling all of the necessary configuration options then you can make use of the following predefined profiles to enable only the functionality that you need: Profile Description CONFIG_PROFILE_SMIME Enable only the capabilities needed for S/MIME envelopes. CONFIG_PROFILE_SSH Enable only the capabilities needed for SSH sessions. CONFIG_PROFILE_SSL Enable only the capabilities needed for SSL sessions. Note that these predefined profiles will enable only the functionality that you need for the particular application and no more. For example SSH doesn’t use X.509 certificates so CONFIG_PROFILE_SSH won’t enable the use of certificates, if you’re using a keyset to store an SSH server’s private (and public) key then you need to store the public portion as a raw public key rather than a public-key certificate because the latter can’t be processed by the SSH-only profile. Debug vs. Release Versions of cryptlib cryptlib can be built in one of two forms, a debug version and a release version. The main difference between the two is that the release version is built with the NDEBUG value defined, which disables the large number of internal consistency checks that are present in the debug build of cryptlib. These consistency checks are used to catch conditions such as inappropriate error codes being returned from internal functions, invalid data values being passed to functions inside cryptlib, configuration errors, and general sanity checks that ensure that everything is operating as it should. If one of these internal checks is triggered, cryptlib will throw an exception and display an error message indicating that an assertion in the code has failed. These assertions are useful for tracking down areas of code that may need revision in later releases.
