Tuesday, September 8, 2015

Compiling openssl with emscripten

a.k.a. the days of 10kB JavaScript are gone.

We are doing some crypto app prototypes and figured that having demos on the web, without having to download or install anything are quite valuable. And despite the issues on the SSL side of OpenSSL, the crypto library is still quite useful. Let's see how to build it into JavaScript using the amazing emscripten.

I'm using openssl v1.0.2a which is commit 3df69d3aefde7671053d4e3c242b228e5d79c83f in the git repository. First I have emscripten prepare my environment for compilation to make sure I'm using the correct compiler, archiver and linker (emcc, ar, ld). I do

emmake bash

or any other shell such as fish. I wasn't able to run emmake ./Configure or emconfigure directly so I just run a new shell. From the shell I can configure openssl as usual:

./Configure -no-asm -no-apps no-ssl2 no-ssl3 no-comp no-hw no-engine no-deprecated shared no-dso --openssldir=built linux-generic32

note that 64b architecture cannot be used. I also did have to modify the generated Makefile a bit.


  1. on line 63, delete the path after $(CROSS_COMPILE) so that it looks like this:
    CC= $(CROSS_COMPILE)cc
  2. on line 64, remove the -O3 flag just to be sure because not all enscriptem optimizations may be compatible with openssl
after this you're able to build the library using

make

To test, I did build one of the demos:

emcc  demos/sign/sign.c -lcrypto  -o demos/sign/sign.html -Iinclude -L. --preload-file demos/sign@/

The resulting library is almost 4 MB, it may be useful to try and remove some more features. Now it's not really clear if crypto software running in this way is still secure. I know that browser Crypto API + enscriptem ensure that randomness in /dev/urandom is correct but I may need to dig into the debugger to be sure it's really used correctly.





2 comments:

  1. Hello, you can share the result of this post? aka openssl.js file for testing? thanks

    ReplyDelete
  2. Hi, I don't have it any more, it wouldn't be good to use anyway because

    1) it would be outdated and probably insecure
    2) you're better off using a library such as TweetNaCl or other library based on NaCl
    3) WASM is the hot new stuff rather than asm.js
    4) note that in-browser crypto is inherently insecure

    ReplyDelete