Trying to build a reduced OpenSSL library on Cygwin/mingw

Gentlemen -

I am a developer attempting to use OpenSSL in a rather unusual project, and
I'm having some problems with getting the binary file size down to a
reasonable value. I'm targeting "Cygwin -mno-cygwin" (mingw).

There appear to be some bugs in the Configure script and usage of
OPENSSL_NO_* macros, as I'm not able to disable a lot of algorithms.

- Project Background -

NTUtils (http://ntutils.sourceforge.net/) are command-line programs for
(remote) administration of NT/2K/XP machines. The OpenSSL part comes in with
the "remote" capabilities. Essentially, an NTUtils program will inject a
server onto the target machine, remotely invoke it, and then communicate
over named pipes to do what it needs (see the web page if you're interested
in how this is done). This enables NTUtils programs to remotely administer
other computers *without* any previous installation of anything on the
remote machine.

Right now, the information transmitted is not so critical to protect, but
the next major addition is a general remote execution (i.e., remote command
prompt), which the user may type critical information into.

What I want to do is add some simple encryption over the connection. I'm
pushing the responsibility for authentication onto the OS/network (there's
really no other choice, since there's no existing installation on the remote
machine). Even in the case of an insecure network, simple encryption would
at least prevent passive eavesdropping.

- Desired Use of OpenSSL -

The code interfacing with OpenSSL will exist in a separate DLL, injected to
the server only if the user specifies encryption. The server and client are
therefore both always kept in sync. So, a single supported cipher suite is
sufficient.

I would like to use TLS 1.0 with ADH-DES-CBC3-SHA, though this may change in
the future. It's possible, since the protocol and cipher suite are
hard-coded, to simplify (replace) the TLS protocol with a custom
alternative, but I really don't want to go there.

- The Problem in More Detail -

The size of a DLL that just initializes SSL (SSL_load_error_strings +
SSL_library_init) is 337,456. Ouch, I'm not even doing anything yet. (The
size of a DLL that does nothing is 4,096).

I tried replacing SSL_library_init with:
  SSL_add_cipher(EVP_des_ede3_cbc());
  SSL_add_digest(EVP_sha1());
and got a DLL size of 279,040. Still not too good.

Removing all the SLL initialization except the error strings nets a size of
95,232.

I'm not even sure what all is being compiled into the DLL. I know that
RAND_* is referencing some stuff from gdi (window message stuff), which I'm
not going to use. I also am not planning to use certificates, most BIO_*
capabilities (just memory buffers), etc. Really, I just want simple
symmetric encryption following an anonymous DH key exchange.

How do I trim this size down? Any ideas?

The command I used to build libcrypto.a and libssl.a is:
  ./Configure mingw 386 no-threads no-zlib no-shared no-hw no-ssl
I also noted that I could not disable MD5, IDEA, or the ENGINE. In fact, a
lot (most?) of the "no-" prefixes just don't work; I get compile errors when
building the libraries.

Just as a test, I have tried configuring with the above line and "no-idea"
against the released 0.9.7g tarball, the developer 0.9.7g snapshot
(openssl-r-0.9.7-stable-SNAP-20050701.tar.gz), and the developer 0.9.8
"stable" (?) snapshot (openssl-0.9.8-stable-SNAP-20050701.tar.gz). But the
"no-idea" causes a failure every time (except with the 0.9.8, which
complains about MDC2 being disabled), leaving me with a partial libcrypto
and no libssl at all. I just have "no idea"...

So, the question is: where do I go from here? Are the no-* options going to
be supported in the future (they're not that well documented), or is OpenSSL
going the way of supporting the "big" projects (i.e., all major ciphers for
compatibility reasons)? Or should I just throw out TLS and just use the
low-level DH/3DES functions?

Thanks,
        -Steve

_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Stephen Cleary wrote:
...
where does it fail (error message) ? I just did a quick test with
"./config no-threads no-zlib no-shared no-hw no-ssl no-idea" in
0.9.8 and "make depend all test" seems to work (on my linux box).

> being disabled), leaving me with a partial libcrypto and no libssl at
> all. I just have "no idea"...
>
> So, the question is: where do I go from here? Are the no-* options going
> to be supported in the future (they're not that well documented),

I would consider it a bug (note: something like "no-md5" or "no-idea"
is more problematic as they are used internally but afaik should the
above work).

Nils
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

>where does it fail (error message) ? I just did a quick test with
>"./config no-threads no-zlib no-shared no-hw no-ssl no-idea" in
>0.9.8 and "make depend all test" seems to work (on my linux box).

I'm attaching logs for the results of the following commands, compiling with
the just-released 0.9.8:
  ./Configure mingw 386 no-threads no-shared no-hw no-ssl no-idea >
../configure.log
  make depend > ../make.depend.log 2>&1
  make > ../make.log 2>&1

Make fails compiling mdc2dgst.c with a #error of "MDC2 is disabled."

       -Steve

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

OK, I found out what the problem was: line endings.

I run my Cygwin mounts in binmode, and I used WinZip to extract the .tar.gz,
so Makefile.org had \r\n line endings.

Apparently, perl (as of v5.8.7, built for cygwin-thread-multi-64int) was
seeing the \r\n line endings. This is normal for people like me who have our
Cygwin mounts in binmode.

In this situation, the Configure script will not remove any entries from the
SDIRS variable because the Configure script is searching for a backslash
followed by an end-of-line (and it would be seeing a backslash followed by
carriage-return followed by end-of-line).

I just did a d2u on Makefile.org, and now Configure (and make) work fine.
Also, if I had unpacked using gzip/tar instead of WinZip, there wouldn't
have been \r\n line endings to begin with.

To prevent this problem from happening to other people, I recommend one of
the following options (in order of my personal preference):
1) Put a statement in the readme for Windows/Cygwin users that they should
unpack with gzip/tar instead of WinZip if they mount in binmode.
2) Have the Configure script open its file explicitly as a text file. I
believe this can be done by passing O_TEXT to an open function.
3) Have the Configure script expect an optional \r whenever it's searching
for \n (or $).

Happy coding!
       -Steve

_________________________________________________________________
On the road to retirement? Check out MSN Life Events for advice on how to
get there! http://lifeevents.msn.com/category.aspx?cid=Retirement

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]