Re: PKCS12 with multiple key pairs
On Fri, Jul 19, 2013, Leon Brits wrote:

Hi all,

I want/need to create a PKCS12 file which contains more than one key pair and some CA certs. As far as I understand from the spec this is possible, but the OpenSSL API does not seem to support this, since only the CAs can be passed as a list:

    PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, ...)

It's not possible with that API but it can be done with the more complex PKCS#12 APIs. A reasonable example of their use is the function PKCS12_create itself in crypto/pkcs12/p12_crt.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: [PATCH] libssl: Hide library private symbols
I've submitted a patch in 2007 to make as much as possible static, but it never got applied, so I never bothered writing a patch to make the rest hidden. I think making things static is even better than hiding them, and should work on all platforms. It's just that you can't make everything that isn't public static.

But I do have a patch that only tells the linker which symbols to export that's used in Debian, and so only those that are public are exported. It would of course be better to hide the rest like your patch so that more things can be optimised.

Kurt

On Wed, Jul 24, 2013 at 11:33:33PM -0400, Cristian Rodríguez wrote:
This patch only contains the libssl part (the easy one); patch to libcrypto will follow after it is complete and good enough. It hides all the library symbols that are not part of the public API/ABI when GCC 4 or later is used.
--- ssl/kssl_lcl.h | 9 + ssl/ssl_locl.h | 8 2 files changed, 17 insertions(+) diff --git a/ssl/kssl_lcl.h b/ssl/kssl_lcl.h index c039c91..69972b1 100644 --- a/ssl/kssl_lcl.h +++ b/ssl/kssl_lcl.h @@ -61,6 +61,10 @@ #include openssl/kssl.h +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility push(hidden) +#endif + #ifndef OPENSSL_NO_KRB5 #ifdef __cplusplus @@ -84,4 +88,9 @@ int kssl_tgt_is_available(KSSL_CTX *kssl_ctx); } #endif #endif /* OPENSSL_NO_KRB5 */ + +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility pop +#endif + #endif /* KSSL_LCL_H */ diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 56f9b4b..dde4e3e 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -165,6 +165,10 @@ #include openssl/ssl.h #include openssl/symhacks.h +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility push(hidden) +#endif + #ifdef OPENSSL_BUILD_SHLIBSSL # undef OPENSSL_EXTERN # define OPENSSL_EXTERN OPENSSL_EXPORT 
@@ -1357,4 +1361,8 @@ void tls_fips_digest_extra( const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, const unsigned char *data, size_t data_len, size_t orig_len); +#if defined(__GNUC__) __GNUC__ = 4 +#pragma GCC visibility pop +#endif + #endif -- 1.8.3.1
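Review bot: in the first kssl_lcl.h hunk (@@ -61,6 +61,10 @@) the guard reads `#if defined(__GNUC__) __GNUC__ = 4`, which is not a valid preprocessor expression as shown; the `&&` and the `>=` of the intended `defined(__GNUC__) && __GNUC__ >= 4` are missing, whether in the mail or in transit, so please confirm the text of the submitted file. The same four-line test is then pasted verbatim at every push and pop site; defining it once as a macro (next to the existing OPENSSL_EXTERN handling, say) and using that at each site would keep the compiler test in one place.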
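Review bot: in the ssl_locl.h hunk at @@ -165,6 +165,10 @@, `#pragma GCC visibility push(hidden)` makes hidden the default for every declaration that follows in this private header. Before this goes in, cross-check the names declared in that range against ssleay.num: anything declared only here but still listed there as an exported symbol would silently drop out of libssl's dynamic symbol table, which is an ABI break rather than a cleanup. The `OPENSSL_EXTERN`/`OPENSSL_EXPORT` lines in the context do not by themselves undo that; a declaration inside the region keeps hidden visibility unless it carries an explicit visibility("default") attribute, so what OPENSSL_EXPORT expands to on ELF targets needs checking too.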
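Review bot: the final hunk (@@ -1357,4 +1361,8 @@) pops inside the include guard, balancing the push at line 165, which is right. Since the region covers the whole body of the header, any `#include` between the two pragmas would also hand hidden visibility to the included file's declarations (the pragma applies to included headers unless they carry their own push/pop), so a grep for `#include` within the region belongs in the review. A build-time guard worth adding alongside: diff `nm -D --defined-only libssl.so` against the names in ssleay.num so a lost public symbol is caught in the build rather than by a downstream link failure.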
Re: [PATCH] libssl: Hide library private symbols
Doing this at link time is far easier and can cover all the OS's. Static doesn't work for symbols that are called inter-module but which shouldn't be in the public API, and GCC specific constructs only work for - well, GCC.

libeay.num and ssleay.num already list all the public symbols. Parse those with Perl and generate the necessary linker files - there are only minor formatting differences between OS's to deal with and some minor differences in how the files are specified.

Windows -def:
    ;
    ; Definition file for the DLL version of the LIBEAY library from OpenSSL
    ;
    LIBRARY LIBEAY32
    EXPORTS
    SSLeay @1
    ...

AIX -bexport:
    #! *DESCRIPTION 'LIBSSL EXPORT FILE'
    SSLeay
    ...

HP/UX -c
    #DESCRIPTION 'LIBSSL EXPORT FILE'
    +e SSLeay
    ...

Linux -Wl,--version-script,
    #DESCRIPTION 'LIBSSL EXPORT FILE'
    LIBSSL {
    global:
    SSLeay;
    ...
    local: *;
    };

OSX -exported_symbols_list
    SSLeay

Solaris -Wl,-M
    #DESCRIPTION 'LIBSSL EXPORT FILE'
    LIBSSL {
    global:
    SSLeay;
    ...
    local: *;
    };

Peter
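An added example, not Peter's script or any OpenSSL tooling: the .num-to-linker-file step he describes, in portable shell and awk, emitting the Linux version-script and Windows .def forms from his list. The .num column layout and the sample rows are my assumptions, constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: generate per-platform export files from a .num
# symbol table the way Peter describes, with awk standing in for Perl. Assumed .num
# layout, one symbol per line:  NAME  ORDINAL  EXIST|NOEXIST:PLATFORMS:KIND:ALGORITHMS
# A "!" prefix on a platform means "everywhere except"; ALGORITHMS lists build options
# whose OPENSSL_NO_<alg> removes the symbol.
# public_symbols NUMFILE [DISABLED_ALG ...] -> one "NAME ORDINAL" line per export.
# Platform rule simplified for a Unix target: keep entries with no platform or a negated
# one, drop entries restricted to a named platform (VMS, WIN16, ...).
public_symbols() {
  numfile=$1; shift
  awk -v disabled=" $* " '
    NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
    {
      split($3, f, ":")                  # f[1]=EXIST f[2]=platforms f[3]=kind f[4]=algorithms
      if (f[1] != "EXIST") next
      if (f[2] != "" && substr(f[2], 1, 1) != "!") next
      n = split(f[4], algs, ",")
      for (i = 1; i <= n; i++)
        if (algs[i] != "" && index(disabled, " " algs[i] " ")) next
      print $1, $2
    }' "$numfile"
}
# GNU ld version script (the Solaris mapfile has the same shape): unlisted names go local.
num_to_version_script() {
  numfile=$1; libname=$2; shift 2
  printf '%s {\nglobal:\n' "$libname"
  public_symbols "$numfile" "$@" | awk '{ print "    " $1 ";" }'
  printf 'local:\n    *;\n};\n'
}
# Windows .def: the same list with the ordinal carried through.
num_to_def() {
  numfile=$1; libname=$2; shift 2
  printf 'LIBRARY %s\nEXPORTS\n' "$libname"
  public_symbols "$numfile" "$@" | awk '{ print "    " $1 " @" $2 }'
}
# Constructed sample table (not the real ssleay.num); the comment line is deliberate.
SAMPLE_NUM=$(mktemp)
cat > "$SAMPLE_NUM" <<'EOF'
# name                          ordinal  flags
SSLeay                          1        EXIST::FUNCTION:
SSL_CTX_new                     2        EXIST::FUNCTION:
ssl3_cbc_digest_record          3        EXIST:!VMS:FUNCTION:
SSL_CTX_set_client_cert_engine  4        EXIST::FUNCTION:ENGINE
SSL_old_removed                 5        NOEXIST::FUNCTION:
SSL_vms_only_thing              6        EXIST:VMS:FUNCTION:
EOF
num_to_version_script "$SAMPLE_NUM" LIBSSL ENGINE   # as built with OPENSSL_NO_ENGINE
```

Running it prints the version script for an ENGINE-less build; calling num_to_def with the same table gives the .def with ordinals.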
From: Kurt Roeckx k...@roeckx.be
To: openssl-dev@openssl.org
Cc: Cristian Rodríguez crrodrig...@opensuse.org
Date: 26/07/2013 03:57
Subject: Re: [PATCH] libssl: Hide library private symbols
Sent by: owner-openssl-...@openssl.org
Re: [PATCH] libssl: Hide library private symbols
On 25/07/13 21:46, Peter Waltenberg wrote:
Doing this at link time is far easier and can cover all the OS's.

Yes, but this is the worst possible way, as the compiler cannot perform optimizations as it does not know that the symbols are hidden.
Re: [PATCH] libssl: Hide library private symbols
The compiler can't optimize if the symbols are called inter-module either. And seriously, do you REALLY think that any changes the compiler makes at that level will have measurable performance impacts? There are good reasons to hide parts of the API that you don't want used by external code - hiding symbols to improve performance is a big stretch. And there have been linkers which did do a final optimization pass. (OS/2 for example).

Peter

From: Cristian Rodríguez crrodrig...@opensuse.org
To: openssl-dev@openssl.org
Date: 26/07/2013 11:55
Subject: Re: [PATCH] libssl: Hide library private symbols
Sent by: owner-openssl-...@openssl.org

On 25/07/13 21:46, Peter Waltenberg wrote:
Doing this at link time is far easier and can cover all the OS's.

Yes, but this is the worst possible way, as the compiler cannot perform optimizations as it does not know that the symbols are hidden.