The attachment includes a diff file which you can apply to the standard
openssl-0.9.7b.tar.gz sources. With these modifications you can create
smaller libraries libcrypto.so and libssl.so and a smaller openssl
executable.

I would greatly appreciate it if you considered making the changes part of
the mainstream openssl source. I believe that they can also benefit others
who are looking for a size-reduced version of OpenSSL.

(See attached file: smallOpenSSL-0.9.7b.tar.gz)

For your convenience, I include the plain text of the README.small.ossl
file for a quick overview of what you can expect from the package contents.

Regards, Martin Witzel

==================================================================================

The diff file is based on openssl-0.9.7b.tar.gz
Directories:

<you are here>
   openssl-0.9.7b
   openssl-e

With the diff file you can build a reduced version of the well-known
OpenSSL open source implementation of (1) a cryptographic library,
(2) a library which implements the SSL/TLS protocols, and (3) the
openssl executable which is used (among other things) to maintain keys
and certificates. I have named it OpenSSL-e (with "e" for embedded).

Linking the libraries with other Linux utilities
------------------------------------------------
The documented APIs of libcrypto and libssl are identical to the
full version. This smaller version should therefore still link to
the many applications which depend on either one of these libraries.


Then how come the libraries are smaller than the full version?
---------------------------------------------------------------
I have reduced the library sizes with the use of conditional
compilation statements and have excluded code which is non-essential to
me. In particular, the following algorithms are left in libcrypto.so:
  RSA, DES in its variants, RC2, RC4 in its variants, MD5, and SHA-1
These algorithms are sufficient to implement all the major cipher
suites for SSL/TLS and should provide enough selections for a client
and server to negotiate a cipher suite.

Besides excluding non-essential code, I have also suppressed the
translation of error codes into textual error messages. This saved
the code space for all those message texts. You can find the numeric
values and their textual equivalent in openssl header files.
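As an added example (not part of the package or of the OpenSSL sources), a small Python decoder for the numeric error codes such a reduced build prints, resolving them against the `#define` lines found in the headers. It assumes the 0.9.7-era error packing (library number in the top 8 bits, function in the next 12, reason in the low 12) and uses constructed sample header lines; check the numbers against the headers of your own build.

```python
import re

# Constructed sample of header lines in the style of OpenSSL's err.h, rsa.h
# and ssl.h; the values are for illustration only.
SAMPLE_HEADERS = """
#define ERR_LIB_RSA 4
#define ERR_LIB_SSL 20
#define RSA_F_RSA_EAY_PUBLIC_DECRYPT 103
#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
#define SSL_F_SSL3_GET_CLIENT_HELLO 138
#define SSL_R_NO_SHARED_CIPHER 193
"""

DEFINE_RE = re.compile(r'^\s*#define\s+([A-Z0-9_]+)\s+(\d+)\s*$', re.M)

def parse_defines(text):
    """Return {symbol: value} for every '#define NAME <number>' line."""
    return {name: int(val) for name, val in DEFINE_RE.findall(text)}

def unpack_error(code):
    """Split a packed error code into (lib, func, reason).
    Assumed layout: lib = bits 24-31, func = bits 12-23, reason = bits 0-11,
    matching the ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros of 0.9.x."""
    return (code >> 24) & 0xff, (code >> 12) & 0xfff, code & 0xfff

def describe_error(code, defines):
    """Map a packed code to symbol names; unknown parts stay numeric."""
    lib, func, reason = unpack_error(code)
    # The ERR_LIB_<X> number tells us which <X>_F_ / <X>_R_ symbols apply.
    prefix = next((n[len("ERR_LIB_"):] for n, v in defines.items()
                   if n.startswith("ERR_LIB_") and v == lib), None)
    if prefix is None:
        return {"lib": lib, "func": func, "reason": reason}
    def lookup(kind, number):
        for name, value in defines.items():
            if name.startswith(f"{prefix}_{kind}_") and value == number:
                return name
        return None
    return {"lib": prefix, "func": lookup("F", func) or func,
            "reason": lookup("R", reason) or reason}

def decode_error_line(line, defines):
    """Decode the 'error:XXXXXXXX' token from a line of openssl output."""
    m = re.search(r'error:([0-9A-Fa-f]{8})', line)
    if not m:
        return None
    return describe_error(int(m.group(1), 16), defines)
```

Feed `parse_defines` the concatenated text of the real `*.h` files of your build instead of the sample to resolve codes from your own binaries.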

The openssl executable, a key and certificate maintenance utility
-----------------------------------------------------------------
I have considerably reduced the size of the openssl executable
by excluding much of its overwhelming functionality. The openssl
executable is a tool which can be used to do almost everything.
The reduced version includes the following functions which a
client or server may need:
   genrsa, req, s_client, s_server, version
These functions are sufficient to generate a key pair, request a
certificate for a public key, run as a client or server for debug
purposes, and display the library version numbers.

I have linked the openssl executable dynamically to the crypto
library; this also saves a considerable amount of code.

The engine (hardware support)
-----------------------------
The engine support is not compiled into these small versions.

Assembler code for cryptographic operations
-------------------------------------------
To maintain portability to any platform with a C compiler, I
have compiled all openssl binaries with the 'no-asm' option
from straight C code. You can reverse this decision and remove
the no-asm compile option again.

Test cases
----------
Built-in test cases can be executed with the command 'make test'
after the package has been compiled. This requires that the code
is compiled on a test system with the same processor as on the
target system. When you cross-compile, then you cannot execute
tests on the build system. A script can execute the same functions
as the 'make test' command does. Such a script which executes
test cases is in test/test_sh.

The full version of OpenSSL generates and tests certificates on
the fly and uses them in subsequent tests. This does not work
any more in the small version because the 'x509' function is no
longer included in the openssl executable. There are now a number
of prefabricated keys and certificates in directory 'test' which
you have to use instead. Their names are keyCAss, keyUss, certCAss,
certUss. I have included them in the tar file for your convenience.

Changes:
--------
In my first shot at a code reduction I simply modified the Makefiles.org
and/or Makefile.ssl in the Linux build tree. This broke the Windows build
process, as I found out. I have added logic to the "Configure" script to
modify the Makefiles in a more compatible way and on the fly when I do
a Linux build. At any rate, the original Makefiles are now unchanged. In
order to be able to build a full or a small version, I have added three
files named Makefile.org in the following directories: apps, test, and
crypto/pkcs12. They are identical copies of the open source versions; the
"Configure" script either copies them to "Makefile.ssl" files when you want
to compile a full version, or modifies the "Makefile.ssl" files on the
fly for a small version. So much for how the build process has changed.


config
      Added a section which is activated with the invocation parameter
      -DOPENSSL_EMBED and does all the work for you to configure the
      other compile parameters. no-asm is used by default but can be
      changed.

Configure
  - Added targets for QNX 6.1 which use the qcc compiler for x86 and
      other processors. The other processors are supported with the
      respective QNX cross-compilers.

  - Added logic to derive a Makefile.ssl from Makefile.org in
      apps/Makefile.org ==> apps/Makefile.ssl,
      test/Makefile.org ==> test/Makefile.ssl, and
      crypto/pkcs12/Makefile.org ==> crypto/pkcs12/Makefile.ssl

  - Do not suppress TLS when Diffie-Hellman is excluded.

apps/progs.pl
      Made many functions in the openssl executable optional. Can now
      build a full or reduced set of prototype functions in progs.h
      See the end of the file for a list of functions in openssl which
      are enabled and disabled.

apps/ca.c
      Moved the X509_NAME *do_subject(char *subject, long chtype) function
      from this module to apps/req.c. Rationale: I suppress the "ca" function
      for small devices but not the "req" function and can exclude the whole
      module ca.c from the compilation this way.

apps/Makefile.org
      A new file. It is used as the template from which to create an identical
      Makefile.ssl for a full version, or a modified Makefile.ssl for a small
      version.

crypto/pkcs12/Makefile.org
      A new file. It is used as the template from which to create an identical
      Makefile.ssl for a full version, or a modified Makefile.ssl for a small
      version.

ssl/kssl.c
      The code breaks when compiled on a QNX V6.1 system. Added the following:
      #if !defined(__NTO__) && !defined(__QNXNTO__)
        #define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
      #endif /* __NTO__ || __QNXNTO__ */

test/Makefile.org
      A new file. It is used as the template from which to create an identical
      Makefile.ssl for a full version, or a modified Makefile.ssl for a small
      version.

test/testss
      A modified script file to take into account that openssl functions are
      missing.

test/testssl
      A modified script file to take into account that openssl functions are
      missing.

test/test_sh
      A shell script which intends to execute the same tests on a non-native
      target system as "make test" does.

test/certCAss, test/certUss, test/keyCAss, test/keyUss
      Fixed keys and certs as opposed to dynamically created ones because the
      x509 function is suppressed in openssl.

Error messages do not display the long string version of the messages.

Numerous small additions or minor changes like comments to #endif clauses.
Occasionally added indentation to these constructs.


=====================================================

Commands which are enabled or disabled in openssl:

Standard commands:

asn1parse               disabled
ca                      disabled
ciphers                 disabled
crl                     disabled
crl2pkcs7               disabled
dgst                    disabled
dh (obsolete)           disabled (hangs in RedHat version)
dhparam                 disabled
dsa                     disabled
dsaparam                disabled
enc                     disabled
errstr                  disabled
gendh (obsolete)        disabled
gendsa                  disabled
genrsa                  yes
nseq                    disabled
ocsp                    disabled
passwd                  disabled
pkcs7                   disabled
pkcs8                   disabled
pkcs12                  disabled
rand                    disabled
req                     yes
rsa                     disabled
rsautl                  disabled
s_client                yes
s_server                yes
s_time                  disabled
sess_id                 disabled
smime                   disabled
speed                   disabled
spkac                   disabled
verify                  disabled
version                 yes
x509                    disabled

Message Digest commands

md2                     disabled
md4                     disabled (not in doc)
md5                     disabled
mdc2                    disabled
rmd160                  disabled
sha                     disabled
sha1                    disabled

Encoding and cipher commands

base64                        disabled
bf, bf-cbc, bf-cfb,
bf-ecb, bf-ofb                disabled
cast, cast-cbc                disabled
cast5-cbc, cast5-cfb,
cast5-ecb, cast5-ofb          disabled
des, des-cbc, des-cfb,
des-ecb, des-ede, des-ofb     disabled
des-ede-cbc, des-ede-cfb,
des-ede-ofb                   disabled
des3, desx,
des-ede3, des-ede3-cbc,
des-ede3-cfb,
des-ede3-ofb                  disabled
idea, idea-cbc, idea-cfb,
idea-ecb, idea-ofb            disabled
rc2, rc2-cbc, rc2-cfb,
rc2-ecb, rc2-ofb              disabled
rc2-64-cbc, rc2-40-cbc        disabled (not in doc)
rc4, rc4-40                   disabled
rc5, rc5-cbc, rc5-cfb,
rc5-ecb, rc5-ofb              disabled
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
