Re: [openssl.org #676] Small OpenSSL
Richard,

I have just put another version of my patches on the OpenSSL request tracker. This new version corrects the issue you have addressed below. It also includes a shell script which helps a user to patch an original source tree from www.openssl.org with my changes.

Could you tell me what the status of my request item "small OpenSSL" is? I would greatly appreciate it if the patches made it into the mainstream code not far from now, so I do not have to catch up with changes in the mainstream code and reinsert my own each time OpenSSL releases a new version.

Users in the forum have expressed a desire to have such a small version on various occasions already. I have supplied my version offline and - except for a user who had some difficulties with applying the patches - always heard "this is exactly what we were looking for".

I would appreciate a short feedback from you or the core team about the status of this line item. Don't hesitate to ask if you have any questions.

Regards,
Martin

Richard Levitte via RT <[EMAIL PROTECTED]>, 2003-09-27 22:46
To: Martin Witzel/Germany/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED] (cottbus.de), please respond to rt
Subject: [openssl.org #676] Small OpenSSL

> I've a small comment to contribute first, then I'll go through the rest of your contribution.
>
> [EMAIL PROTECTED] - Thu Aug 14 17:33:20 2003]:
> > - Do not suppress TLS when Diffie-Hellman is excluded.
>
> RFC2246 says the following:
>
>     9. Mandatory Cipher Suites
>
>     In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
>
> That implies that OpenSSL MUST support DH, DSA, 3DES and SHA.
>
> --
> Richard Levitte [EMAIL PROTECTED]

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: [openssl.org #676] Small OpenSSL
Richard,

Thank you, I stand corrected. I will be on vacation till 2003-10-15 and will gladly discuss any open items which may still exist at this time.

At any rate, you can imagine that we would greatly welcome it if the changes which I have made were accepted into the mainstream code. They do not introduce any functional changes to the normal operation of OpenSSL but allow building a version with greatly reduced code size. I can picture that the two build methods could easily coexist and hope that you agree. Other OpenSSL developers have contacted me directly, have expressed interest in exactly the same thing as what I have done, and requested the modified version.

Regards,
Martin

Richard Levitte via RT <[EMAIL PROTECTED]>, 2003-09-27 22:46
To: Martin Witzel/Germany/[EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED] (cottbus.de), please respond to rt
Subject: [openssl.org #676] Small OpenSSL

> I've a small comment to contribute first, then I'll go through the rest of your contribution.
>
> [EMAIL PROTECTED] - Thu Aug 14 17:33:20 2003]:
> > - Do not suppress TLS when Diffie-Hellman is excluded.
>
> RFC2246 says the following:
>
>     9. Mandatory Cipher Suites
>
>     In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
>
> That implies that OpenSSL MUST support DH, DSA, 3DES and SHA.
>
> --
> Richard Levitte [EMAIL PROTECTED]
[openssl.org #676] Small OpenSSL
I've a small comment to contribute first, then I'll go through the rest of your contribution.

[EMAIL PROTECTED] - Thu Aug 14 17:33:20 2003]:
> - Do not suppress TLS when Diffie-Hellman is excluded.

RFC2246 says the following:

    9. Mandatory Cipher Suites

    In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

That implies that OpenSSL MUST support DH, DSA, 3DES and SHA.

--
Richard Levitte [EMAIL PROTECTED]
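Richard's RFC 2246 point, checked mechanically. The following is an added example; it is not code from the patch or from anyone in this thread. It parses TLS cipher-suite names of the RFC 2246 form into key exchange, bulk cipher and MAC, works out which libcrypto primitives each suite needs, and checks that against the algorithm set a build keeps. REDUCED is the set Martin's README lists further down the page (RSA, DES, RC2, RC4, MD5, SHA-1); the suite catalogue and the component-to-algorithm tables are constructed for the example and cover only SSLv3/TLS 1.0 suites.

```python
"""Which SSL/TLS cipher suites survive a reduced libcrypto?

Added example, not part of the OpenSSL patch or of this thread. Suite
names are parsed into kex / bulk cipher / MAC and mapped to the
libcrypto algorithms they need; a suite is negotiable only if every
algorithm it needs is still compiled in.
"""
import re

MANDATORY = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"   # RFC 2246 section 9

# Constructed sample of SSLv3/TLS 1.0 suite names, not a complete list.
SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
    MANDATORY,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_RC4_128_MD5",
]

# The algorithm set the README keeps in libcrypto.so.
REDUCED = {"RSA", "DES", "RC2", "RC4", "MD5", "SHA1"}

# Primitives each name component needs. 3DES is provided by the DES
# code in libcrypto; "SHA" in these suite names means SHA-1.
KEX_NEEDS = {
    "RSA": {"RSA"}, "DH_anon": {"DH"},
    "DHE_DSS": {"DH", "DSA"}, "DHE_RSA": {"DH", "RSA"},
    "DH_DSS": {"DH", "DSA"}, "DH_RSA": {"DH", "RSA"},
}
ENC_NEEDS = {
    "NULL": set(),
    "RC4_40": {"RC4"}, "RC4_128": {"RC4"}, "RC2_CBC_40": {"RC2"},
    "DES40_CBC": {"DES"}, "DES_CBC": {"DES"}, "3DES_EDE_CBC": {"DES"},
    "IDEA_CBC": {"IDEA"},
}
MAC_NEEDS = {"MD5": {"MD5"}, "SHA": {"SHA1"}}

# <proto>_<kex>[_EXPORT]_WITH_<enc>_<mac>; the lazy kex group stops at
# the first "_WITH_" so multi-token kex names like DHE_DSS survive.
_SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kex>.+?)(?:_EXPORT)?_WITH_(?P<enc>.+)_(?P<mac>MD5|SHA)$")


def required_algorithms(suite):
    """Return the set of libcrypto algorithms `suite` cannot work without."""
    m = _SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"not a recognised suite name: {suite}")
    try:
        return KEX_NEEDS[m["kex"]] | ENC_NEEDS[m["enc"]] | MAC_NEEDS[m["mac"]]
    except KeyError as missing:
        raise ValueError(f"unknown component {missing} in {suite}") from None


def missing_for(suite, available):
    """Algorithms `suite` needs that the build does not provide."""
    return required_algorithms(suite) - set(available)


def negotiable(suites, available):
    """Suites a peer can still negotiate with this build, in input order."""
    return [s for s in suites if not missing_for(s, available)]


def rfc2246_compliant(available):
    """True when the build can still offer the one suite RFC 2246 requires."""
    return not missing_for(MANDATORY, available)


if __name__ == "__main__":
    for s in SUITES:
        gap = missing_for(s, REDUCED)
        status = "ok" if not gap else "dropped, needs " + ", ".join(sorted(gap))
        print(f"{s:40s} {status}")
    print("RFC 2246 mandatory suite available:", rfc2246_compliant(REDUCED))
```

Run against REDUCED, only the five RSA-keyed suites survive and `missing_for(MANDATORY, REDUCED)` reports DH and DSA, which is exactly the gap Richard points at; adding DH and DSA back to the set makes `rfc2246_compliant` true. The same check applied to any other trimmed build answers the practical question before shipping: which peers will get a handshake failure because no common suite is left.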
Re: [openssl.org #676] Small OpenSSL
>>>>> "David" == Ahrens, David (David) <[EMAIL PROTECTED]> writes:

David> Can you resend the attachment. I didn't receive it. I'm very
David> interested in a smaller openssl library. Do you have any
David> memory profiles, statistics on the amount of size reduction
David> you were able to achieve?

The identical thing happened last time. Username=guest, password=guest.

http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=533
http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/3941/2567/smallOpenSSL.tar.gz

The attachments aren't sent to the OpenSSL mailing list. This is probably good as we don't get large binaries in the email. It would be good if the header had some links to RT and if the body provided a link to the specific file.

fwiw,
Bill Pringlemeir.
RE: [openssl.org #676] Small OpenSSL
Thanks! Got it.

Regards,
David Ahrens

-----Original Message-----
From: Bill Pringlemeir [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2003 11:37 AM
To: [EMAIL PROTECTED]; Ahrens, David (David)
Subject: Re: [openssl.org #676] Small OpenSSL

>>>>> "David" == Ahrens, David (David) <[EMAIL PROTECTED]> writes:

David> Can you resend the attachment. I didn't receive it. I'm very
David> interested in a smaller openssl library. Do you have any
David> memory profiles, statistics on the amount of size reduction
David> you were able to achieve?

The identical thing happened last time. Username=guest, password=guest.

http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=533
http://www.aet.tu-cottbus.de/rt2/Ticket/Attachment/3941/2567/smallOpenSSL.tar.gz

The attachments aren't sent to the OpenSSL mailing list. This is probably good as we don't get large binaries in the email. It would be good if the header had some links to RT and if the body provided a link to the specific file.

fwiw,
Bill Pringlemeir.
Re: [openssl.org #676] Small OpenSSL
On Thu, Aug 14, 2003 at 11:31:46AM -0600, Ahrens, David (David) wrote:
> Martin,
>
> Can you resend the attachment. I didn't receive it. I'm very interested in a smaller openssl library. Do you have any memory profiles, statistics on the amount of size reduction you were able to achieve?

For the convenience of the mailing list readers, attachments are not forwarded but are only stored in the request tracker. You can download it from the ticket information for ticket #676 (right hand side at the bottom of Martin's message).

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
[openssl.org #676] Small OpenSSL
The attachment includes a diff file which you can apply to the standard openssl-0.9.7b.tar.gz sources. With these modifications you can create smaller libraries libcrypto.so and libssl.so and a smaller openssl executable.

I would greatly appreciate it if you considered making the changes part of the mainstream openssl source. I believe that they can also benefit others who are looking for a size-reduced version of OpenSSL.

(See attached file: smallOpenSSL-0.9.7b.tar.gz)

For your convenience, I include the plain text of the README.small.ossl file for a quick overview of what you can expect from the package contents.

Regards,
Martin Witzel

==

The diff file is based on openssl-0.9.7b.tar.gz

Directories:

    you are here
        openssl-0.9.7b
        openssl-e

With the diff file you can build a reduced version of the well-known OpenSSL open source implementation of (1) a cryptographic library, (2) a library which implements the SSL/TLS protocols, and (3) the openssl executable which is used (among other things) to maintain keys and certificates. I have named it OpenSSL-e (with e for embedded).

Linking the libraries with other Linux utilities
------------------------------------------------

The documented APIs of libcrypto and libssl are identical to the full version. This smaller version should therefore still link to the many applications which depend on either one of these libraries.

Then how come the libraries are smaller than the full version?
--------------------------------------------------------------

I have reduced the library sizes with the use of conditional compilation statements and have excluded code which is non-essential to me. In particular, the following algorithms are left in libcrypto.so:

    RSA, DES in its variants, RC2, RC4 in its variants, MD5, and SHA-1

These algorithms are sufficient to implement all the major cipher suites for SSL/TLS and should provide enough selections for a client and server to negotiate a cipher suite.

Besides excluding non-essential code, I have also suppressed the translation of error codes into textual error messages. This saved the code space for all those message texts. You can find the numeric values and their textual equivalent in openssl header files.

The openssl executable, a key and certificate maintenance utility
-----------------------------------------------------------------

I have considerably reduced the size of the openssl executable by excluding much of its overwhelming functionality. The openssl executable is a tool which can be used to do almost everything. The reduced version includes the following functions which a client or server may need:

    genrsa, req, s_client, s_server, version

These functions are sufficient to generate a key pair, request a certificate for a public key, run as a client or server for debug purposes, and display the library version numbers.

I have linked the openssl executable dynamically to the crypto library; this also saves a considerable amount of code.

The engine (hardware support)
-----------------------------

The engine support is not compiled into these small versions.

Assembler code for cryptographic operations
-------------------------------------------

To maintain portability to any platform with a C compiler, I have compiled all openssl binaries with the 'no-asm' option from straight C code. You can reverse this decision and remove the no-asm compile option again.

Test cases
----------

Built-in test cases can be executed with the command 'make test' after the package has been compiled. This requires that the code is compiled on a test system with the same processor as on the target system. When you cross-compile, then you cannot execute tests on the build system. A script can execute the same functions as the 'make test' command does. Such a script which executes test cases is in test/test_sh.

The full version of OpenSSL generates and tests certificates on the fly and uses them in subsequent tests. This does not work any more in the small version because the 'x509' function is no longer included in the openssl executable. There are now a number of prefabricated keys and certificates in directory 'test' which you have to use instead. Their names are keyCAss, keyUss, certCAss, certUss. I have included them in the tar file for your convenience.

Changes:

In my first shot at a code reduction I simply modified the Makefiles.org and/or Makefile.ssl in the Linux build tree. This broke the Windows build process, as I found out. I have added logic to the Configure script to modify the Makefiles in a more compatible way and on the fly when I do a Linux build. At any rate, the original Makefiles are now unchanged.

In order to be able to build a full or a small version, I have added three files named Makefile.org in the following directories: apps, test, and crypto/pkcs12. They are identical copies of the open source
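The README's note that the small build drops the error-string tables has a practical consequence: whoever debugs a handshake or PEM problem on the target sees only the packed numeric code and has to translate it with the header files. The following is an added example, not code from the patch or from anyone in this thread, that does that translation by hand. The bit layout is ERR_PACK from OpenSSL's err.h (library in bits 31..24, function in bits 23..12, reason in bits 11..0); the lookup tables are a deliberately small excerpt of the ERR_LIB_*, SSL_F_*/PEM_F_* and SSL_R_*/PEM_R_* constants from err.h, ssl.h and pem.h, and anything outside the excerpt is reported by number so it can be looked up in those headers. The sample lines at the bottom are constructed.

```python
"""Decode a packed OpenSSL error code without the error-string tables.

Added example, not part of the OpenSSL patch or of this thread. Field
layout follows ERR_PACK / ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON
in err.h; the name tables below are a small excerpt of the constants
in err.h, ssl.h and pem.h, so unknown numbers are printed as numbers.
"""
import re

# ERR_LIB_* excerpt from err.h
ERR_LIB = {2: "SYS", 3: "BN", 4: "RSA", 5: "DH", 6: "EVP", 9: "PEM",
           10: "DSA", 11: "X509", 13: "ASN1", 20: "SSL", 32: "BIO",
           35: "PKCS12", 36: "RAND"}

# (library, function number) -> function name, from ssl.h / pem.h
FUNC = {
    (20, 138): "SSL3_GET_CLIENT_HELLO",
    (20, 144): "SSL3_GET_SERVER_CERTIFICATE",
    (9, 109): "PEM_read_bio",
}

# (library, reason number) -> reason text, from ssl.h / pem.h
REASON = {
    (20, 193): "no shared cipher",
    (20, 134): "certificate verify failed",
    (9, 108): "no start line",
}


def err_get_lib(code):
    return (code >> 24) & 0xFF


def err_get_func(code):
    return (code >> 12) & 0xFFF


def err_get_reason(code):
    return code & 0xFFF


_CODE_RE = re.compile(r"\b([0-9A-Fa-f]{8})\b")


def parse_code(text):
    """Pull the 8-hex-digit code out of 'error:1408A0C1:...' or a bare hex string."""
    m = _CODE_RE.search(text)
    if not m:
        raise ValueError(f"no 8-digit hex error code in {text!r}")
    return int(m.group(1), 16)


def decode(code):
    """Split a packed code into its three fields, naming what the excerpt knows."""
    lib, func, reason = err_get_lib(code), err_get_func(code), err_get_reason(code)
    return {
        "lib": lib, "lib_name": ERR_LIB.get(lib),
        "func": func, "func_name": FUNC.get((lib, func)),
        "reason": reason, "reason_text": REASON.get((lib, reason)),
    }


def describe(text):
    """One readable line per code; fields outside the excerpt fall back to numbers."""
    code = parse_code(text)
    d = decode(code)
    return "error:{:08X}:{}:{}:{}".format(
        code,
        d["lib_name"] or f"lib({d['lib']})",
        d["func_name"] or f"func({d['func']})",
        d["reason_text"] or f"reason({d['reason']})",
    )


if __name__ == "__main__":
    # Constructed sample input: numeric-only lines and bare codes.
    for line in ("error:1408A0C1:lib(20):func(138):reason(193)",
                 "error:0906D06C:lib(9):func(109):reason(108)",
                 "14090086",
                 "04000001"):
        print(describe(line))
```

Function and reason numbers are only meaningful together with the library number (SSL_R_* and PEM_R_* values overlap), which is why both tables are keyed on the pair. To cover a whole build, the tables would be generated from the *_F_* and *_R_* defines of every header compiled in, rather than typed in as here.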
RE: [openssl.org #676] Small OpenSSL
Martin,

Can you resend the attachment. I didn't receive it. I'm very interested in a smaller openssl library. Do you have any memory profiles, statistics on the amount of size reduction you were able to achieve?

Thanks and Regards,
David Ahrens
[EMAIL PROTECTED]

-----Original Message-----
From: Martin Witzel via RT [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2003 8:33 AM
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #676] Small OpenSSL