implement support for hiding symbols in libtls / libssl

2016-11-05 08:44:35 -05:00 · 2016-11-05 08:44:35 -05:00 · 7770e4f2e4
commit 7770e4f2e4
parent 348362416d
6 changed files with 42 additions and 341 deletions
--- a/ssl/Makefile.am
+++ b/ssl/Makefile.am
@ -5,8 +5,9 @@ lib_LTLIBRARIES = libssl.la
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 EXTRA_DIST += ssl.def
+EXTRA_DIST += ssl.sym

-libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined
+libssl_la_LDFLAGS = -version-info @LIBSSL_VERSION@ -no-undefined -export-symbols $(top_srcdir)/ssl/ssl.sym
 libssl_la_LIBADD = $(abs_top_builddir)/crypto/libcrypto.la

 libssl_la_SOURCES = bio_ssl.c
--- a/ssl/ssl.def
+++ b/ssl/ssl.def
@ -5,63 +5,31 @@ BIO_new_ssl
 BIO_new_ssl_connect
 BIO_ssl_copy_session_id
 BIO_ssl_shutdown
-CBB_add_asn1
-CBB_add_asn1_uint64
-CBB_add_bytes
-CBB_add_space
-CBB_add_u16
-CBB_add_u16_length_prefixed
-CBB_add_u24
-CBB_add_u24_length_prefixed
-CBB_add_u8
-CBB_add_u8_length_prefixed
-CBB_cleanup
-CBB_finish
-CBB_flush
-CBB_init
-CBB_init_fixed
-CBS_asn1_indefinite_to_definite
-CBS_contains_zero_byte
-CBS_data
-CBS_dup
-CBS_get_any_asn1_element
-CBS_get_asn1
-CBS_get_asn1_element
-CBS_get_asn1_uint64
-CBS_get_bytes
-CBS_get_optional_asn1
-CBS_get_optional_asn1_bool
-CBS_get_optional_asn1_octet_string
-CBS_get_optional_asn1_uint64
-CBS_get_u16
-CBS_get_u16_length_prefixed
-CBS_get_u24
-CBS_get_u24_length_prefixed
-CBS_get_u32
-CBS_get_u8
-CBS_get_u8_length_prefixed
-CBS_init
-CBS_len
-CBS_mem_equal
-CBS_offset
-CBS_peek_asn1_tag
-CBS_skip
-CBS_stow
-CBS_strdup
-CBS_write_bytes
 DTLSv1_client_method
-DTLSv1_client_method_data
-DTLSv1_enc_data
 DTLSv1_method
-DTLSv1_method_data
 DTLSv1_server_method
-DTLSv1_server_method_data
-ERR_load_SSL_strings
-OBJ_bsearch_ssl_cipher_id
+SSLv23_client_method
+SSLv23_method
+SSLv23_server_method
+TLS_client_method
+TLS_method
+TLS_server_method
+TLSv1_1_client_method
+TLSv1_1_method
+TLSv1_1_server_method
+TLSv1_2_client_method
+TLSv1_2_method
+TLSv1_2_server_method
+TLSv1_client_method
+TLSv1_method
+TLSv1_server_method
 PEM_read_SSL_SESSION
 PEM_read_bio_SSL_SESSION
 PEM_write_SSL_SESSION
 PEM_write_bio_SSL_SESSION
+d2i_SSL_SESSION
+i2d_SSL_SESSION
+ERR_load_SSL_strings
 SSL_CIPHER_description
 SSL_CIPHER_get_bits
 SSL_CIPHER_get_by_id
@ -288,266 +256,3 @@ SSL_version
 SSL_version_str
 SSL_want
 SSL_write
-SSLv23_client_method
-SSLv23_method
-SSLv23_server_method
-TLS_client_method
-TLS_client_method_data
-TLS_method
-TLS_method_data
-TLS_server_method
-TLS_server_method_data
-TLSv1_1_client_method
-TLSv1_1_client_method_data
-TLSv1_1_enc_data
-TLSv1_1_method
-TLSv1_1_method_data
-TLSv1_1_server_method
-TLSv1_1_server_method_data
-TLSv1_2_client_method
-TLSv1_2_client_method_data
-TLSv1_2_enc_data
-TLSv1_2_method
-TLSv1_2_method_data
-TLSv1_2_server_method
-TLSv1_2_server_method_data
-TLSv1_client_method
-TLSv1_client_method_data
-TLSv1_enc_data
-TLSv1_method
-TLSv1_method_data
-TLSv1_server_method
-TLSv1_server_method_data
-cbs_get_any_asn1_element_internal
-d2i_SSL_SESSION
-do_dtls1_write
-dtls1_accept
-dtls1_buffer_message
-dtls1_build_sequence_number
-dtls1_check_timeout_num
-dtls1_clear
-dtls1_clear_record_buffer
-dtls1_connect
-dtls1_ctrl
-dtls1_default_timeout
-dtls1_dispatch_alert
-dtls1_do_write
-dtls1_double_timeout
-dtls1_enc
-dtls1_free
-dtls1_get_ccs_header
-dtls1_get_cipher
-dtls1_get_message
-dtls1_get_message_header
-dtls1_get_queue_priority
-dtls1_get_record
-dtls1_get_timeout
-dtls1_handle_timeout
-dtls1_is_timer_expired
-dtls1_listen
-dtls1_min_mtu
-dtls1_new
-dtls1_output_cert_chain
-dtls1_read_bytes
-dtls1_read_failed
-dtls1_reset_seq_numbers
-dtls1_retransmit_buffered_messages
-dtls1_retransmit_message
-dtls1_send_change_cipher_spec
-dtls1_send_client_certificate
-dtls1_send_server_certificate
-dtls1_set_message_header
-dtls1_shutdown
-dtls1_start_timer
-dtls1_stop_timer
-dtls1_write_app_data_bytes
-dtls1_write_bytes
-i2d_SSL_SESSION
-pitem_free
-pitem_new
-pqueue_find
-pqueue_free
-pqueue_insert
-pqueue_iterator
-pqueue_new
-pqueue_next
-pqueue_peek
-pqueue_pop
-pqueue_size
-ssl23_accept
-ssl23_connect
-ssl23_default_timeout
-ssl23_get_client_hello
-ssl23_peek
-ssl23_read
-ssl23_read_bytes
-ssl23_write
-ssl23_write_bytes
-ssl3_accept
-ssl3_callback_ctrl
-ssl3_cbc_copy_mac
-ssl3_cbc_digest_record
-ssl3_cbc_record_digest_supported
-ssl3_check_cert_and_algorithm
-ssl3_check_finished
-ssl3_choose_cipher
-ssl3_cipher_get_value
-ssl3_ciphers
-ssl3_clear
-ssl3_client_hello
-ssl3_connect
-ssl3_ctrl
-ssl3_ctx_callback_ctrl
-ssl3_ctx_ctrl
-ssl3_dispatch_alert
-ssl3_do_change_cipher_spec
-ssl3_do_write
-ssl3_free
-ssl3_get_cert_status
-ssl3_get_cert_verify
-ssl3_get_certificate_request
-ssl3_get_cipher
-ssl3_get_cipher_by_char
-ssl3_get_cipher_by_id
-ssl3_get_cipher_by_value
-ssl3_get_client_certificate
-ssl3_get_client_hello
-ssl3_get_client_key_exchange
-ssl3_get_finished
-ssl3_get_key_exchange
-ssl3_get_message
-ssl3_get_new_session_ticket
-ssl3_get_next_proto
-ssl3_get_req_cert_type
-ssl3_get_server_certificate
-ssl3_get_server_done
-ssl3_get_server_hello
-ssl3_handshake_msg_finish
-ssl3_handshake_msg_hdr_len
-ssl3_handshake_msg_start
-ssl3_handshake_write
-ssl3_new
-ssl3_num_ciphers
-ssl3_output_cert_chain
-ssl3_peek
-ssl3_pending
-ssl3_put_cipher_by_char
-ssl3_read
-ssl3_read_bytes
-ssl3_read_n
-ssl3_release_read_buffer
-ssl3_release_write_buffer
-ssl3_renegotiate
-ssl3_renegotiate_check
-ssl3_send_alert
-ssl3_send_cert_status
-ssl3_send_certificate_request
-ssl3_send_change_cipher_spec
-ssl3_send_client_certificate
-ssl3_send_client_key_exchange
-ssl3_send_client_verify
-ssl3_send_finished
-ssl3_send_hello_request
-ssl3_send_newsession_ticket
-ssl3_send_next_proto
-ssl3_send_server_certificate
-ssl3_send_server_done
-ssl3_send_server_hello
-ssl3_send_server_key_exchange
-ssl3_setup_buffers
-ssl3_setup_init_buffer
-ssl3_setup_read_buffer
-ssl3_setup_write_buffer
-ssl3_shutdown
-ssl3_undef_enc_method
-ssl3_write
-ssl3_write_bytes
-ssl3_write_pending
-ssl_add_clienthello_renegotiate_ext
-ssl_add_clienthello_tlsext
-ssl_add_clienthello_use_srtp_ext
-ssl_add_serverhello_renegotiate_ext
-ssl_add_serverhello_tlsext
-ssl_add_serverhello_use_srtp_ext
-ssl_bytes_to_cipher_list
-ssl_cert_dup
-ssl_cert_free
-ssl_cert_inst
-ssl_cert_new
-ssl_cert_type
-ssl_check_clienthello_tlsext_early
-ssl_check_clienthello_tlsext_late
-ssl_check_serverhello_tlsext
-ssl_check_srvr_ecc_cert_and_alg
-ssl_cipher_get_evp
-ssl_cipher_get_evp_aead
-ssl_cipher_id_cmp
-ssl_cipher_list_to_bytes
-ssl_cipher_ptr_id_cmp
-ssl_clear_bad_session
-ssl_clear_cipher_ctx
-ssl_clear_hash_ctx
-ssl_create_cipher_list
-ssl_do_client_cert_cb
-ssl_free_wbio_buffer
-ssl_get_algorithm2
-ssl_get_auto_dh
-ssl_get_ciphers_by_id
-ssl_get_handshake_digest
-ssl_get_new_session
-ssl_get_prev_session
-ssl_get_server_send_cert
-ssl_get_server_send_pkey
-ssl_get_sign_pkey
-ssl_init_wbio_buffer
-ssl_load_ciphers
-ssl_max_server_version
-ssl_ok
-ssl_parse_clienthello_renegotiate_ext
-ssl_parse_clienthello_tlsext
-ssl_parse_clienthello_use_srtp_ext
-ssl_parse_serverhello_renegotiate_ext
-ssl_parse_serverhello_tlsext
-ssl_parse_serverhello_use_srtp_ext
-ssl_sess_cert_free
-ssl_sess_cert_new
-ssl_set_cert_masks
-ssl_undefined_const_function
-ssl_undefined_function
-ssl_undefined_void_function
-ssl_update_cache
-ssl_verify_alarm_type
-ssl_verify_cert_chain
-ssl_version_string
-tls12_get_hash
-tls12_get_req_sig_algs
-tls12_get_sigandhash
-tls12_get_sigid
-tls1_alert_code
-tls1_cbc_remove_padding
-tls1_cert_verify_mac
-tls1_change_cipher_state
-tls1_check_curve
-tls1_check_ec_server_key
-tls1_check_ec_tmp_key
-tls1_cleanup_key_block
-tls1_clear
-tls1_default_timeout
-tls1_digest_cached_records
-tls1_ec_curve_id2nid
-tls1_ec_nid2curve_id
-tls1_enc
-tls1_export_keying_material
-tls1_final_finish_mac
-tls1_finish_mac
-tls1_free
-tls1_free_digest_list
-tls1_generate_master_secret
-tls1_get_shared_curve
-tls1_init_finished_mac
-tls1_mac
-tls1_new
-tls1_process_sigalgs
-tls1_process_ticket
-tls1_record_sequence_increment
-tls1_setup_key_block
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@ -8,9 +8,9 @@ AM_CPPFLAGS += -I $(top_srcdir)/apps/openssl/compat
 AM_CPPFLAGS += -D_PATH_SSL_CA_FILE=\"$(top_srcdir)/apps/openssl/cert.pem\"

 LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
-LDADD += $(abs_top_builddir)/ssl/libssl.la
+LDADD += $(abs_top_builddir)/tls/.libs/libtls.a
+LDADD += $(abs_top_builddir)/ssl/.libs/libssl.a
 LDADD += $(abs_top_builddir)/crypto/libcrypto.la
-LDADD += $(abs_top_builddir)/tls/libtls.la

 TEST_LOG_DRIVER = env AM_TAP_AWK='$(AWK)' $(SHELL) $(top_srcdir)/tap-driver.sh

--- a/tls/Makefile.am
+++ b/tls/Makefile.am
@ -5,8 +5,9 @@ lib_LTLIBRARIES = libtls.la
 EXTRA_DIST = VERSION
 EXTRA_DIST += CMakeLists.txt
 EXTRA_DIST += tls.def
+EXTRA_DIST += tls.sym

-libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined
+libtls_la_LDFLAGS = -version-info @LIBTLS_VERSION@ -no-undefined -export-symbols $(top_srcdir)/tls/tls.sym
 libtls_la_LIBADD = $(abs_top_builddir)/ssl/libssl.la
 libtls_la_LIBADD += $(abs_top_builddir)/crypto/libcrypto.la
 libtls_la_LIBADD += $(PLATFORM_LDADD)
--- a/tls/tls.def
+++ b/tls/tls.def
@ -1,9 +1,7 @@
 EXPORTS
-strsep
 tls_accept_cbs
 tls_accept_fds
 tls_accept_socket
-tls_check_name
 tls_client
 tls_close
 tls_config_add_keypair_file
@ -14,8 +12,8 @@ tls_config_free
 tls_config_insecure_noverifycert
 tls_config_insecure_noverifyname
 tls_config_insecure_noverifytime
-tls_config_load_file
 tls_config_new
+tls_config_ocsp_require_stapling
 tls_config_parse_protocols
 tls_config_prefer_ciphers_client
 tls_config_prefer_ciphers_server
@ -28,8 +26,6 @@ tls_config_set_cert_mem
 tls_config_set_ciphers
 tls_config_set_dheparams
 tls_config_set_ecdhecurve
-tls_config_set_error
-tls_config_set_errorx
 tls_config_set_key_file
 tls_config_set_key_mem
 tls_config_set_keypair_file
@ -40,10 +36,6 @@ tls_config_verify
 tls_config_verify_client
 tls_config_verify_client_optional
 tls_configure
-tls_configure_server
-tls_configure_ssl
-tls_configure_ssl_keypair
-tls_configure_ssl_verify
 tls_conn_alpn_selected
 tls_conn_cipher
 tls_conn_servername
@ -53,19 +45,12 @@ tls_connect_cbs
 tls_connect_fds
 tls_connect_servername
 tls_connect_socket
-tls_conninfo_free
-tls_conninfo_populate
 tls_error
-tls_error_set
-tls_error_setx
 tls_free
 tls_handshake
-tls_handshake_client
-tls_handshake_server
-tls_host_port
 tls_init
 tls_load_file
-tls_new
+tls_ocsp_process_response
 tls_peer_cert_contains_name
 tls_peer_cert_hash
 tls_peer_cert_issuer
@ -73,14 +58,15 @@ tls_peer_cert_notafter
 tls_peer_cert_notbefore
 tls_peer_cert_provided
 tls_peer_cert_subject
+tls_peer_ocsp_cert_status
+tls_peer_ocsp_crl_reason
+tls_peer_ocsp_next_update
+tls_peer_ocsp_response_status
+tls_peer_ocsp_result
+tls_peer_ocsp_revocation_time
+tls_peer_ocsp_this_update
+tls_peer_ocsp_url
 tls_read
 tls_reset
 tls_server
-tls_server_conn
-tls_set_cbs
-tls_set_error
-tls_set_errorx
-tls_sni_ctx_free
-tls_sni_ctx_new
-tls_ssl_error
 tls_write
--- a/update.sh
+++ b/update.sh
@ -199,6 +199,10 @@ for i in `awk '/SOURCES|HEADERS/ { print $3 }' tls/Makefile.am` ; do
 		$CP $libtls_src/$i libtls-standalone/src
 	fi
 done
+# add the libtls symbol export list
+grep '^[[:alpha:]]' < $libtls_src/Symbols.list > tls/tls.sym
+echo EXPORTS > tls/tls.def
+cat tls/tls.sym >> tls/tls.def

 $CP_LIBC $libc_src/string/strsep.c tls
 $CP_LIBC $libc_src/string/strsep.c libtls-standalone/compat
@ -240,6 +244,10 @@ rm -f ssl/*.c ssl/*.h
 for i in `awk '/SOURCES|HEADERS/ { print $3 }' ssl/Makefile.am` ; do
 	$CP $libssl_src/$i ssl
 done
+# add the libssl symbol export list
+grep '^[[:alpha:]]' < $libssl_src/Symbols.list > ssl/ssl.sym
+echo EXPORTS > ssl/ssl.def
+cat ssl/ssl.sym >> ssl/ssl.def

 # copy libcrypto tests
 echo "copying tests"