The attachment includes a diff file which you can apply to the standard openssl-0.9.7b.tar.gz sources. With these modifications you can create smaller libraries libcrypto.so and libssl.so and a smaller openssl executable.
I would greatly appreciate if you considered to make the changes part of the mainstream openssl source. I believe that they can also benefit others as well who are looking for a size-reduced version of OpenSSL. (See attached file: smallOpenSSL-0.9.7b.tar.gz) For your convenience, I include the plain text of the README.small.ossl file for a quick overview what you can expect from the package contents. Regards, Martin Witzel ================================================================================== The diff file is based on openssl-0.9.7b.tar.gz Directories: <you are here> openssl-0.9.7b openssl-e With the diff file you can build a reduced version of the well-known OpenSSL open source implementation of (1) a cryptographic library, (2) a library which implements the SSL/TLS protocols, and (3) the openssl executable which is used (among other things) to maintain keys and certificates. I have named it OpenSSL-e (with "e" for embedded). Linking the libraries with other Linux utilities ------------------------------------------------ The documented APIs of libcrypto and libssl are identical to the full version. This smaller version should therefore still link to the many applications which depend on either one of these libraries. Then how come the libraries are smaller than the full version? --------------------------------------------------------------- I have reduced the library sizes with the use of conditional com- pilation statements and have excluded code which is non-essential to me. In particular, the following algorithms ar left in libcrypto.so: RSA, DES in its variants, RC2, RC4 in its variants, MD5, and SHA-1 These algorithms are sufficient to implement all the major cipher suites for SSL/TLS and should provide enough selections for a client and server to negotiate a cipher suite. Besides excluding non-essential code, I have also suppressed the translation of error codes into textual error messages. This saved the code space for all those message texts. You can find the numeric values and their textual equivalent in openssl header files. The openssl executable, a key and certificate maintanance utility ----------------------------------------------------------------- I have considerably reduced the size of the openssl executable by excluding much of its overwhelming functionality. The openssl executable is a tool which can be used to do almost everything. The reduced version includes the following functions which a client or server may need: genrsa, req, s_client, s_server, version These functions are sufficient to generate a key pair, request a certificate for a public key, run as a client or server for debug purposes, and display the library version numbers. I have linked the openssl executable dynamically to the crypto library; this also saves a considerable amount of code. The engine (hardware support) ----------------------------- The engine support is not compiled into these small versions. Assembler code for cryptographic operations ------------------------------------------- To maintain portability to any platform with a C compiler, I have compiled all openssl binaries with the 'no-asm' option from straight C code. You can reverse this decision and remove the no-asm compile option again. Test cases ---------- Built-in test cases can be executed with the command 'make test' after the package has been compiled. This requires that the code is compiled on a test system with the same processor as on the target system. When you cross-compile, then you cannot execute tests on the build system. A script can execute the same functions as the 'make test' command does. Such a script which executes test cases is in test/test_sh. The full version of OpenSSL generates and tests certificates on the fly and uses them in subsequent tests. This does not work any more in the small version because the 'x509' function is no longer included in the openssl executable. There are now a number of prefabricated keys and certificates in directory 'test' which you have to use instead. Their names are keyCAss, keyUss, certCAss, certUss. I have included them in the tar file for your convenience. Changes: -------- In my first shot at a code reduction I simply modified the Makefiles.org and/or Makefile.ssl in the Linux build tree. This broke the Windows build process as I found out. I have added logic to the "Configure" script to modify the Makefiles in a more compatible way and on the fly when I do a Linux build. At any rate, the original Makefiles are now unchanged. In order to be able to build a full or a small version, I have added three files named Makefile.org in the following directories: apps, test, and crypto/pkcs12. They are identical copies of the open source versions; the "Configure" script either copies them to "Makefile.ssl" files when you want to compile a full version, or modifies the "Makefile.ssl" files on the fly for a small version. So much to how the build process has changed. config Added a section which is activated with the invocation parameter -DOPENSSL_EMBED and does all the work for you to configure the other compile parameters. no-asm is used by default but can be changed. Configure - Added targets for QNX 6.1 which use the qcc compiler for x86 and other processors. The other processors are supported with the respective QNX cross-compilers. - Added logic to derive a Makefile.ssl from Makefile.org in apps/Makefile.org ==> apps/Makefile.ssl, test/Makefile.org ==> test/Makefile.ssl, and crypto/pkcs12/Makefile.org ==> crypto/pkcs12/Makefile.ssl - Do not suppress TLS when Diffie-Hellman is excluded. apps/progs.pl Made many functions in the openssl executable optional. Can now build a full or reduced set of prototype functions in progs.h See the end of the file for a list of functions in openssl which are enabled and disabled. apps/ca.c Moved the X509_NAME *do_subject(char *subject, long chtype) function from this module to apps/req.c. Rationale: I suppress the "ca" function for small devices but not the "req" function and can exclude the whole module ca.c from the compilation this way. apps/Makefile.org A new file. It is used as the template from which to create an identical Makefile.ssl for a full version, or a modified Makefile.ssl for a small version. crypto/pkcs12/Makefile.org A new file. It is used as the template from which to create an identical Makefile.ssl for a full version, or a modified Makefile.ssl for a small version. ssl/kssl.c The code breaks when compiled on a QNX V6.1 system. Added the following #if !defined(__NTO__) && !defined(__QNXNTO__) #define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */ #endif /* __NTO__ || __QNXNTO__ */ test/Makefile.org A new file. It is used as the template from which to create an identical Makefile.ssl for a full version, or a modified Makefile.ssl for a small version. test/testss A modified script file to take into account that openssl functions are missing. test/testssl A modified script file to take into account that openssl functions are missing. test/test_sh A shell script which intends to execute the same tests on a non-native target system as "make test" does. test/certCAss, test/certUss, test/keyCAss, test/keyUss Fixed keys and certs as opposed to dynamically created ones because the x509 function is suppressed in openssl. Error messages do not display the long string version of the messages. Numerous small additions or minor changes like comments to #endif clauses. Occasionally added indentation to these constructs. ===================================================== Commands which are enabled or disabled in openssl: Standard commands: asn1parse disabled ca disabled ciphers disabled crl disabled crl2pkcs7 disabled dgst disabled dh (obsolete) disabled (hangs in RedHat version) dhparam disabled dsa disabled dsaparam disabled enc disabled errstr disabled dhparam disabled gendh (obsolete) disabled gendsa disabled genrsa yes nseq disabled ocsp disabled passwd disabled pkcs7 disabled pkcs8 disabled pkcs12 disabled rand disabled req yes rsa disabled rsautl disabled s_client yes s_server yes s_time disabled sess_id disabled smime disabled speed disabled spkac disabled verify disabled version yes x509 disabled Message Digestcommands md2 disabled md4 disabled (not in doc) md5 disabled mdc2 disabled rmd160 disabled sha disabled sha1 disabled Encoding and cipher commands base64 disabled bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb disabled cast, cast-cbc disabled cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb disabled des, des-cbc, des-cfb, des-ecb, des-ede, des-ofb disabled des-ede-cbc, des-ede-cfb, des-ede-ofb disabled des3, desx des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb disabled idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb disabled rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb disabled rc2-64-cbc, rc2-40-cbc disabled (not in doc) rc4, rc4-40 disabled rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb disabled ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]