Gentlemen -
I am a developer attempting to use OpenSSL in a rather unusual project, and I'm having some problems with getting the binary file size down to a reasonable value. I'm targeting "Cygwin -mno-cygwin" (mingw). There appear to be some bugs in the Configure script and usage of OPENSSL_NO_* macros, as I'm not able to disable a lot of algorithms.

- Project Background -

NTUtils (http://ntutils.sourceforge.net/) are command-line programs for (remote) administration of NT/2K/XP machines. The OpenSSL part comes in with the "remote" capabilities. Essentially, an NTUtils program will inject a server onto the target machine, remotely invoke it, and then communicate over named pipes to do what it needs (see the web page if you're interested in how this is done). This enables NTUtils programs to remotely administer other computers *without* any previous installation of anything on the remote machine.

Right now, the information transmitted is not so critical to protect, but the next major addition is a general remote execution (i.e., remote command prompt), which the user may type critical information into. What I want to do is add some simple encryption over the connection. I'm pushing the responsibility for authentication onto the OS/network (there's really no other choice, since there's no existing installation on the remote machine). Even in the case of an insecure network, simple encryption would at least prevent passive eavesdropping.

- Desired Use of OpenSSL -

The code interfacing with OpenSSL will exist in a separate DLL, injected to the server only if the user specifies encryption. The server and client are therefore both always kept in sync. So, a single supported cipher suite is sufficient. I would like to use TLS 1.0 with ADH-DES-CBC3-SHA, though this may change in the future. It's possible, since the protocol and cipher suite are hard-coded, to simplify (replace) the TLS protocol with a custom alternative, but I really don't want to go there.
- The Problem in More Detail -

The size of a DLL that just initializes SSL (SSL_load_error_strings + SSL_library_init) is 337,456. Ouch, I'm not even doing anything yet. (The size of a DLL that does nothing is 4,096.)

I tried replacing SSL_library_init with:

    SSL_add_cipher(EVP_des_ede3_cbc());
    SSL_add_digest(EVP_sha1());

and got a DLL size of 279,040. Still not too good. Removing all the SSL initialization except the error strings nets a size of 95,232.

I'm not even sure what all is being compiled into the DLL. I know that RAND_* is referencing some stuff from gdi (window message stuff), which I'm not going to use. I also am not planning to use certificates, most BIO_* capabilities (just memory buffers), etc. Really, I just want simple symmetric encryption following an anonymous DH key exchange.

How do I trim this size down? Any ideas?

The command I used to build libcrypto.a and libssl.a is:

    ./Configure mingw 386 no-threads no-zlib no-shared no-hw no-ssl

I also noted that I could not disable MD5, IDEA, or the ENGINE. In fact, a lot (most?) of the "no-" prefixes just don't work; I get compile errors when building the libraries.

Just as a test, I have tried configuring with the above line and "no-idea" against the released 0.9.7g tarball, the developer 0.9.7g snapshot (openssl-r-0.9.7-stable-SNAP-20050701.tar.gz), and the developer 0.9.8 "stable" (?) snapshot (openssl-0.9.8-stable-SNAP-20050701.tar.gz). But the "no-idea" causes a failure every time (except with the 0.9.8, which complains about MDC2 being disabled), leaving me with a partial libcrypto and no libssl at all. I just have "no idea"...

So, the question is: where do I go from here? Are the no-* options going to be supported in the future (they're not that well documented), or is OpenSSL going the way of supporting the "big" projects (i.e., all major ciphers for compatibility reasons)? Or should I just throw out TLS and just use the low-level DH/3DES functions?
Thanks,
-Steve

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [hidden email]
Automated List Manager [hidden email]
Stephen Cleary wrote:
...
> The command I used to build libcrypto.a and libssl.a is:
> ./Configure mingw 386 no-threads no-zlib no-shared no-hw no-ssl
> I also noted that I could not disable MD5, IDEA, or the ENGINE. In fact,
> a lot (most?) of the "no-" prefixes just don't work; I get compile
> errors when building the libraries.
>
> Just as a test, I have tried configuring with the above line and
> "no-idea" against the released 0.9.7g tarball, the developer 0.9.7g
> snapshot (openssl-r-0.9.7-stable-SNAP-20050701.tar.gz), and the
> developer 0.9.8 "stable" (?) snapshot
> (openssl-0.9.8-stable-SNAP-20050701.tar.gz). But the "no-idea" causes a
> failure every time (except with the 0.9.8, which complains about MDC2

Where does it fail (error message)? I just did a quick test with "./config no-threads no-zlib no-shared no-hw no-ssl no-idea" in 0.9.8 and "make depend all test" seems to work (on my linux box).

> being disabled), leaving me with a partial libcrypto and no libssl at
> all. I just have "no idea"...
>
> So, the question is: where do I go from here? Are the no-* options going
> to be supported in the future (they're not that well documented),

I would consider it a bug (note: something like "no-md5" or "no-idea" is more problematic as they are used internally, but afaik the above should work).

Nils
> Where does it fail (error message)? I just did a quick test with
> "./config no-threads no-zlib no-shared no-hw no-ssl no-idea" in
> 0.9.8 and "make depend all test" seems to work (on my linux box).

I'm attaching logs for the results of the following commands, compiling with the just-released 0.9.8:

    ./Configure mingw 386 no-threads no-shared no-hw no-ssl no-idea > ../configure.log
    make depend > ../make.depend.log 2>&1
    make > ../make.log 2>&1

Make fails compiling mdc2dgst.c with a #error of "MDC2 is disabled."

-Steve
OK, I found out what the problem was: line endings.
I run my Cygwin mounts in binmode, and I used WinZip to extract the .tar.gz, so Makefile.org had \r\n line endings. Apparently, perl (as of v5.8.7, built for cygwin-thread-multi-64int) was seeing the \r\n line endings. This is normal for people like me who have our Cygwin mounts in binmode.

In this situation, the Configure script will not remove any entries from the SDIRS variable because the Configure script is searching for a backslash followed by an end-of-line (and it would be seeing a backslash followed by carriage-return followed by end-of-line).

I just did a d2u on Makefile.org, and now Configure (and make) work fine. Also, if I had unpacked using gzip/tar instead of WinZip, there wouldn't have been \r\n line endings to begin with.

To prevent this problem from happening to other people, I recommend one of the following options (in order of my personal preference):

1) Put a statement in the readme for Windows/Cygwin users that they should unpack with gzip/tar instead of WinZip if they mount in binmode.
2) Have the Configure script open its file explicitly as a text file. I believe this can be done by passing O_TEXT to an open function.
3) Have the Configure script expect an optional \r whenever it's searching for \n (or $).

Happy coding!
-Steve
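As an added illustration of the line-ending failure described in the message above (model code written for this page, not OpenSSL's own Configure script): a small Python model of a Configure-style pass that prunes disabled algorithm directories from SDIRS, run over a constructed Makefile.org fragment in LF and CRLF form. The `prune_sdirs` and `sdirs_entries` names and the fragment are assumptions of the example; the `tolerate_cr` switch corresponds to option 3 (accept an optional \r before \n).

```python
import re

# Constructed Makefile.org-style fragment (made up for this example, not
# copied from OpenSSL): SDIRS continues across lines via a trailing backslash.
MAKEFILE_LF = (
    "SDIRS=  objects \\\n"
    "\tmd2 md4 md5 sha mdc2 hmac ripemd \\\n"
    "\tdes rc2 rc4 rc5 idea bf cast \\\n"
    "\tbn ec rsa dsa ecdsa dh ecdh dso engine\n"
    "\n"
    "LIBS= libcrypto.a libssl.a\n"
)
# The same file as WinZip leaves it on a binmode Cygwin mount: CRLF endings.
MAKEFILE_CRLF = MAKEFILE_LF.replace("\n", "\r\n")


def prune_sdirs(makefile, skip, tolerate_cr):
    """Model of a Configure-style pass dropping disabled directories from
    SDIRS. A line continues SDIRS only if it ends in backslash + end-of-line:
    with tolerate_cr=False that is backslash+LF exactly (the failing case),
    with tolerate_cr=True an optional CR may sit in between (option 3)."""
    eol = r"\r?\n" if tolerate_cr else r"\n"
    continued = re.compile(r"\\" + eol + r"$")
    out, in_sdirs = [], False
    for line in makefile.splitlines(keepends=True):
        if line.startswith("SDIRS="):
            in_sdirs = True
        if in_sdirs:
            for d in skip:
                # Remove the entry only when bounded by whitespace on both sides.
                line = re.sub(r"(\s)" + re.escape(d) + r"(?=\s)", r"\1", line)
            # Strict check never matches "\\\r\n", so pruning stops after line 1.
            in_sdirs = bool(continued.search(line))
        out.append(line)
    return "".join(out)


def sdirs_entries(makefile):
    """Directories make(1) would see for SDIRS after joining continuation
    lines (CR-tolerant here so it reads both flavours of the file)."""
    joined = re.sub(r"\\\r?\n", " ", makefile)
    for line in joined.splitlines():
        if line.startswith("SDIRS="):
            return line[len("SDIRS="):].split()
    return []


if __name__ == "__main__":
    skip = ["idea", "mdc2"]
    for label, text, cr in [("LF, strict", MAKEFILE_LF, False),
                            ("CRLF, strict", MAKEFILE_CRLF, False),
                            ("CRLF, CR-tolerant", MAKEFILE_CRLF, True)]:
        print(label, "->", sdirs_entries(prune_sdirs(text, skip, cr)))
```

With the CRLF file and the strict check, `idea` and `mdc2` survive in SDIRS, which is exactly why `no-idea` still compiled the IDEA and MDC2 directories and hit the `#error`.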