Reducing the footprint of a simple application

Reinier Torenbeek reinier.torenbeek at gmail.com
Sun Sep 12 17:34:51 UTC 2021 

Hi,

I have a simple application that uses OpenSSL 3.0.0 for AES-GCM encryption
and decryption only. Looking at the size of the binary on disc, I see it's
a few KBs when linking dynamically with libcrypto, and  4.8 MB when linking
statically. Although I know the large footprint of OpenSSL is considered "a
fact of life", this seems excessive. From experience with other crypto
implementations, I know that the *actual* crypto functionality that I am
using can fit in 10s of KBs and I would like to understand the reasons for
OpenSSL's size better. I am on Linux, 64 bits, using gcc 9.3.0.

Some analysis of the binary reveals (not surprisingly) that it contains
many OpenSSL symbols that have nothing to do with the functionality that I
am using. Those seem to get pulled in because objects get linked in as a
whole and apparently the layout of the object contents are such that the
symbols needed for my functionality are spread out over many different
objects.

It was my hope that I could mitigate this by compiling OpenSSL and my
application with the flags -ffunction-sections, -fdata-sections, -Os and
-flto and using --gc-sections and -flto when linking. (See 3.10 Options
That Control Optimization
<https://gcc.gnu.org/onlinedocs/gcc-9.4.0/gcc/Optimize-Options.html#Optimize-Options>
of
GCC's documentation).  This did reduce the binary size by 2 MB, leaving me
with almost 3 MB. Almost 90% of that was in the text section and a bit over
10% in the data section. I do not have sufficient experience with these
options to assess how well the optimizations worked in this case, I think
the resulting binary is still pretty large.

I have not tried disabling any of the features when building OpenSSL. I
suspect that may help a little bit because it may result in a decrease in
size of (some) objects, but I have seen people reporting
disappointing results of that on the web. Also, it does not seem to be a
workable approach in general to have to figure out which build options to
use and to have to rebuild OpenSSL for every type of application that I
create.

Did any people here try similar things, with better results? Does anybody
have any other suggestions as to what I could try? And what is the
explanation (or justification) for this excessive footprint?

Thanks,
Reinier
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210912/f821689a/attachment-0001.html>

More information about the openssl-users mailing list