Martin,
Can you resend the attachment. I didn't receive it. I'm very interested in a smaller
openssl library. Do you have any memory profiles, statistics on the amount of size
reduction you were able to achieve?
Thanks and Regards,
David Ahrens
[EMAIL PROTECTED]
-Original Message-
From: Martin Witzel via RT [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 8:33 AM
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #676] Small OpenSSL
The attachment includes a diff file which you can apply to the standard
openssl-0.9.7b.tar.gz sources.
With these modifications you can create smaller libraries libcrypto.so and
libssl.so and a smaller
openssl executable.
I would greatly appreciate if you considered to make the changes part of
the mainstream openssl
source. I believe that they can also benefit others as well who are looking
for a size-reduced version
of OpenSSL.
(See attached file: smallOpenSSL-0.9.7b.tar.gz)
For your convenience, I include the plain text of the README.small.ossl
file for a quick overview
what you can expect from the package contents.
Regards, Martin Witzel
==
The diff file is based on openssl-0.9.7b.tar.gz
Directories:
you are here
openssl-0.9.7b
openssl-e
With the diff file you can build a reduced version of the well-known
OpenSSL open source implementation of (1) a cryptographic library,
(2) a library which implements the SSL/TLS protocols, and (3) the
openssl executable which is used (among other things) to maintain keys
and certificates. I have named it OpenSSL-e (with e for embedded).
Linking the libraries with other Linux utilities
The documented APIs of libcrypto and libssl are identical to the
full version. This smaller version should therefore still link to
the many applications which depend on either one of these libraries.
Then how come the libraries are smaller than the full version?
---
I have reduced the library sizes with the use of conditional com-
pilation statements and have excluded code which is non-essential to
me. In particular, the following algorithms ar left in libcrypto.so:
RSA, DES in its variants, RC2, RC4 in its variants, MD5, and SHA-1
These algorithms are sufficient to implement all the major cipher
suites for SSL/TLS and should provide enough selections for a client
and server to negotiate a cipher suite.
Besides excluding non-essential code, I have also suppressed the
translation of error codes into textual error messages. This saved
the code space for all those message texts. You can find the numeric
values and their textual equivalent in openssl header files.
The openssl executable, a key and certificate maintanance utility
-
I have considerably reduced the size of the openssl executable
by excluding much of its overwhelming functionality. The openssl
executable is a tool which can be used to do almost everything.
The reduced version includes the following functions which a
client or server may need:
genrsa, req, s_client, s_server, version
These functions are sufficient to generate a key pair, request a
certificate for a public key, run as a client or server for debug
purposes, and display the library version numbers.
I have linked the openssl executable dynamically to the crypto
library; this also saves a considerable amount of code.
The engine (hardware support)
-
The engine support is not compiled into these small versions.
Assembler code for cryptographic operations
---
To maintain portability to any platform with a C compiler, I
have compiled all openssl binaries with the 'no-asm' option
from straight C code. You can reverse this decision and remove
the no-asm compile option again.
Test cases
--
Built-in test cases can be executed with the command 'make test'
after the package has been compiled. This requires that the code
is compiled on a test system with the same processor as on the
target system. When you cross-compile, then you cannot execute
tests on the build system. A script can execute the same functions
as the 'make test' command does. Such a script which executes
test cases is in test/test_sh.
The full version of OpenSSL generates and tests certificates on
the fly and uses them in subsequent tests. This does not work
any more in the small version because the 'x509' function is no
longer included in the openssl executable. There are now a number
of prefabricated keys and certificates in directory 'test' which
you have to use instead. Their names are keyCAss, keyUss, certCAss,
certUss. I have included them in the tar file for your convenience.
Changes:
In my first shot at a code reduction I simply modified the Makefiles.org
and/or Makefile.ssl in the Linux build
