openssl/openssl

Statically linked openssl and/or OpenSSL libraries: Enable simple use of static third party provider(s)

Open

#24,944 opened on Jul 19, 2024

View on GitHub
 (10 comments) (0 reactions) (1 assignee)C (11,262 forks)batch import
help wantedtriaged: feature

Repository metrics

Stars
 (30,157 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

There are situations where fully static linking of the openssl application or applications making use of the OpenSSL libraries is a must. This implies that any third-party provider (and its dependencies) used in such applications should also be statically linked.

What is requested is therefore that statically linked providers can easily be added to the openssl application itself and to it's libs for ease of use in other statically linked applications.

I hope I didn't overlook a discussion or issue around this topic, but here's how that can be achieved:

0) Overview:

  • In the build configuration options, use build defines to specify name and init function of the provider and options to facilitate static linking,
  • Inject the information from the build defines during build in file provider_predefined.c to treat the static provider as "built-in" provider in analogy to the default provider.
  • Specify and activate the provider in openssl.cnf

The following assumes that the provider init function is myprovider_static_provider_init and that we (arbitrarily) specified the name of the provider to be myprovider_static.

1) Changes in the file provider_predefined.c: Add here:

/* Check whether a statically linked external provider should be added*/
#if(defined _STATIC_EXTERNAL_PROVIDER_NAME && defined _STATIC_EXTERNAL_PROVIDER_INITFUNC)
/* Declaration of the external init function*/
extern OSSL_provider_init_fn _STATIC_EXTERNAL_PROVIDER_INITFUNC;
/* Prep to add the provider to the "built-in" provider array 'ossl_predefined_providers' below*/
# define ADD_STATIC_EXTERNAL_PROVIDER_(name, initfunc) { #name, NULL, initfunc, NULL, 1 }
# define ADD_STATIC_EXTERNAL_PROVIDER(name, initfunc) ADD_STATIC_EXTERNAL_PROVIDER_(name, initfunc)
#endif

and insert after this line:

    /* Add an external static provider if needed */
# if(defined _STATIC_EXTERNAL_PROVIDER_NAME && defined _STATIC_EXTERNAL_PROVIDER_INITFUNC)
    ADD_STATIC_EXTERNAL_PROVIDER(_STATIC_EXTERNAL_PROVIDER_NAME, _STATIC_EXTERNAL_PROVIDER_INITFUNC),
# endif

2) Add section in openssl.cnf:

[ openssl_init ]
providers = provider_sect
[ provider_sect ]
default = default_sect
myprovider_static = myprovider_static_sect
[ default_sect ]
activate = 1
[ myprovider_static_sect ]
activate=1

3) Use/add ./Configure options during build:

        no-shared \
        -D_STATIC_EXTERNAL_PROVIDER_NAME=myprovider_static \
        -D_STATIC_EXTERNAL_PROVIDER_INITFUNC=myprovider_static_provider_init \
        --static -L/usr/lib64/ossl-modules -l:myprovider_static.a -L/usr/lib64/ -l:myprovider_static_dependency.a -l:libssl.a -l:libcrypto.a -static  \

The above approach was successfully tested by 'integrating' a statically linked QOS provider into a statically linked openssl and then generating Q-safe certificates using it, and by building cURL with static linking of oqsprovider.a, liboqs.a, libssl.a and libcrypto.a and testing it against the OQS Interop Server without changing a line of code on cURL.

Somebody skilled in the art of C pre-processor macro expansion might be able to extend the above to multiple providers.

If there's interest in the above approach, we could start working on a PR.

Contributor guide