Add an explict list of exported symbols with just the functions

declared in the public headers, and use __{BEGIN,END}_HIDDEN_DECLS
in the internal headers to optimize internal functions

ok jsing@

5 files changed, 289 insertions, 11 deletions

diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 6421aabe34..64b3b5060b 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.23 2016/09/19 03:25:22 bcook Exp $
+# $OpenBSD: Makefile,v 1.24 2016/11/04 18:28:58 guenther Exp $
 
 SUBDIR= man
 PC_FILES=openssl.pc libssl.pc
@@ -17,6 +17,9 @@ CFLAGS+= -I${.CURDIR}
 
 LDADD+= -L${BSDOBJDIR}/lib/libcrypto -lcrypto
 
+VERSION_SCRIPT= Symbols.map
+SYMBOL_LIST=    ${.CURDIR}/Symbols.list
+
 SRCS=\
         s3_srvr.c s3_clnt.c s3_lib.c s3_pkt.c s3_both.c \
         s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
@@ -46,6 +49,11 @@ includes:
             eval "$$j"; \
         done;
 
+${VERSION_SCRIPT}: ${SYMBOL_LIST}
+        { printf '{\n\tglobal:\n'; \
+          sed '/^[._a-zA-Z]/s/$$/;/; s/^/               /' ${SYMBOL_LIST}; \
+          printf '\n\tlocal:\n\t\t*;\n};\n'; } >$@.tmp && mv $@.tmp $@
+
 .include <bsd.lib.mk>
 
 all: ${PC_FILES}
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
new file mode 100644
index 0000000000..1938c21509
--- /dev/null
+++ b/src/lib/libssl/Symbols.list
@@ -0,0 +1,266 @@
+/* BIO glue */
+BIO_f_ssl
+BIO_new_buffer_ssl_connect
+BIO_new_ssl
+BIO_new_ssl_connect
+BIO_ssl_copy_session_id
+BIO_ssl_shutdown
+
+/* methods */
+DTLSv1_client_method
+DTLSv1_method
+DTLSv1_server_method
+SSLv23_client_method
+SSLv23_method
+SSLv23_server_method
+TLS_client_method
+TLS_method
+TLS_server_method
+TLSv1_1_client_method
+TLSv1_1_method
+TLSv1_1_server_method
+TLSv1_2_client_method
+TLSv1_2_method
+TLSv1_2_server_method
+TLSv1_client_method
+TLSv1_method
+TLSv1_server_method
+
+/* session import/export */
+PEM_read_SSL_SESSION
+PEM_read_bio_SSL_SESSION
+PEM_write_SSL_SESSION
+PEM_write_bio_SSL_SESSION
+d2i_SSL_SESSION
+i2d_SSL_SESSION
+
+/* setup */
+ERR_load_SSL_strings
+
+/* general API */
+SSL_CIPHER_description
+SSL_CIPHER_get_bits
+SSL_CIPHER_get_by_id
+SSL_CIPHER_get_by_value
+SSL_CIPHER_get_id
+SSL_CIPHER_get_name
+SSL_CIPHER_get_value
+SSL_CIPHER_get_version
+SSL_COMP_add_compression_method
+SSL_COMP_get_compression_methods
+SSL_COMP_get_name
+SSL_CTX_add_client_CA
+SSL_CTX_add_session
+SSL_CTX_callback_ctrl
+SSL_CTX_check_private_key
+SSL_CTX_ctrl
+SSL_CTX_flush_sessions
+SSL_CTX_free
+SSL_CTX_get_cert_store
+SSL_CTX_get_client_CA_list
+SSL_CTX_get_client_cert_cb
+SSL_CTX_get_ex_data
+SSL_CTX_get_ex_new_index
+SSL_CTX_get_info_callback
+SSL_CTX_get_quiet_shutdown
+SSL_CTX_get_timeout
+SSL_CTX_get_verify_callback
+SSL_CTX_get_verify_depth
+SSL_CTX_get_verify_mode
+SSL_CTX_load_verify_locations
+SSL_CTX_load_verify_mem
+SSL_CTX_new
+SSL_CTX_remove_session
+SSL_CTX_sess_get_get_cb
+SSL_CTX_sess_get_new_cb
+SSL_CTX_sess_get_remove_cb
+SSL_CTX_sess_set_get_cb
+SSL_CTX_sess_set_new_cb
+SSL_CTX_sess_set_remove_cb
+SSL_CTX_sessions
+SSL_CTX_set1_param
+SSL_CTX_set_alpn_protos
+SSL_CTX_set_alpn_select_cb
+SSL_CTX_set_cert_store
+SSL_CTX_set_cert_verify_callback
+SSL_CTX_set_cipher_list
+SSL_CTX_set_client_CA_list
+SSL_CTX_set_client_cert_cb
+SSL_CTX_set_client_cert_engine
+SSL_CTX_set_cookie_generate_cb
+SSL_CTX_set_cookie_verify_cb
+SSL_CTX_set_default_passwd_cb
+SSL_CTX_set_default_passwd_cb_userdata
+SSL_CTX_set_default_verify_paths
+SSL_CTX_set_ex_data
+SSL_CTX_set_generate_session_id
+SSL_CTX_set_info_callback
+SSL_CTX_set_msg_callback
+SSL_CTX_set_next_proto_select_cb
+SSL_CTX_set_next_protos_advertised_cb
+SSL_CTX_set_purpose
+SSL_CTX_set_quiet_shutdown
+SSL_CTX_set_session_id_context
+SSL_CTX_set_ssl_version
+SSL_CTX_set_timeout
+SSL_CTX_set_tlsext_use_srtp
+SSL_CTX_set_tmp_dh_callback
+SSL_CTX_set_tmp_ecdh_callback
+SSL_CTX_set_tmp_rsa_callback
+SSL_CTX_set_trust
+SSL_CTX_set_verify
+SSL_CTX_set_verify_depth
+SSL_CTX_use_PrivateKey
+SSL_CTX_use_PrivateKey_ASN1
+SSL_CTX_use_PrivateKey_file
+SSL_CTX_use_RSAPrivateKey
+SSL_CTX_use_RSAPrivateKey_ASN1
+SSL_CTX_use_RSAPrivateKey_file
+SSL_CTX_use_certificate
+SSL_CTX_use_certificate_ASN1
+SSL_CTX_use_certificate_chain_file
+SSL_CTX_use_certificate_chain_mem
+SSL_CTX_use_certificate_file
+SSL_SESSION_free
+SSL_SESSION_get0_peer
+SSL_SESSION_get_compress_id
+SSL_SESSION_get_ex_data
+SSL_SESSION_get_ex_new_index
+SSL_SESSION_get_id
+SSL_SESSION_get_time
+SSL_SESSION_get_timeout
+SSL_SESSION_new
+SSL_SESSION_print
+SSL_SESSION_print_fp
+SSL_SESSION_set1_id_context
+SSL_SESSION_set_ex_data
+SSL_SESSION_set_time
+SSL_SESSION_set_timeout
+SSL_accept
+SSL_add_client_CA
+SSL_add_dir_cert_subjects_to_stack
+SSL_add_file_cert_subjects_to_stack
+SSL_alert_desc_string
+SSL_alert_desc_string_long
+SSL_alert_type_string
+SSL_alert_type_string_long
+SSL_cache_hit
+SSL_callback_ctrl
+SSL_check_private_key
+SSL_clear
+SSL_connect
+SSL_copy_session_id
+SSL_ctrl
+SSL_do_handshake
+SSL_dup
+SSL_dup_CA_list
+SSL_export_keying_material
+SSL_free
+SSL_get0_alpn_selected
+SSL_get0_next_proto_negotiated
+SSL_get1_session
+SSL_get_SSL_CTX
+SSL_get_certificate
+SSL_get_cipher_list
+SSL_get_ciphers
+SSL_get_client_CA_list
+SSL_get_current_cipher
+SSL_get_current_compression
+SSL_get_current_expansion
+SSL_get_default_timeout
+SSL_get_error
+SSL_get_ex_data
+SSL_get_ex_data_X509_STORE_CTX_idx
+SSL_get_ex_new_index
+SSL_get_fd
+SSL_get_finished
+SSL_get_info_callback
+SSL_get_peer_cert_chain
+SSL_get_peer_certificate
+SSL_get_peer_finished
+SSL_get_privatekey
+SSL_get_quiet_shutdown
+SSL_get_rbio
+SSL_get_read_ahead
+SSL_get_rfd
+SSL_get_selected_srtp_profile
+SSL_get_servername
+SSL_get_servername_type
+SSL_get_session
+SSL_get_shared_ciphers
+SSL_get_shutdown
+SSL_get_srtp_profiles
+SSL_get_ssl_method
+SSL_get_verify_callback
+SSL_get_verify_depth
+SSL_get_verify_mode
+SSL_get_verify_result
+SSL_get_version
+SSL_get_wbio
+SSL_get_wfd
+SSL_has_matching_session_id
+SSL_library_init
+SSL_load_client_CA_file
+SSL_load_error_strings
+SSL_new
+SSL_peek
+SSL_pending
+SSL_read
+SSL_renegotiate
+SSL_renegotiate_abbreviated
+SSL_renegotiate_pending
+SSL_rstate_string
+SSL_rstate_string_long
+SSL_select_next_proto
+SSL_set1_param
+SSL_set_SSL_CTX
+SSL_set_accept_state
+SSL_set_alpn_protos
+SSL_set_bio
+SSL_set_cipher_list
+SSL_set_client_CA_list
+SSL_set_connect_state
+SSL_set_debug
+SSL_set_ex_data
+SSL_set_fd
+SSL_set_generate_session_id
+SSL_set_info_callback
+SSL_set_msg_callback
+SSL_set_purpose
+SSL_set_quiet_shutdown
+SSL_set_read_ahead
+SSL_set_rfd
+SSL_set_session
+SSL_set_session_id_context
+SSL_set_session_secret_cb
+SSL_set_session_ticket_ext
+SSL_set_session_ticket_ext_cb
+SSL_set_shutdown
+SSL_set_ssl_method
+SSL_set_state
+SSL_set_tlsext_use_srtp
+SSL_set_tmp_dh_callback
+SSL_set_tmp_ecdh_callback
+SSL_set_tmp_rsa_callback
+SSL_set_trust
+SSL_set_verify
+SSL_set_verify_depth
+SSL_set_verify_result
+SSL_set_wfd
+SSL_shutdown
+SSL_state
+SSL_state_string
+SSL_state_string_long
+SSL_use_PrivateKey
+SSL_use_PrivateKey_ASN1
+SSL_use_PrivateKey_file
+SSL_use_RSAPrivateKey
+SSL_use_RSAPrivateKey_ASN1
+SSL_use_RSAPrivateKey_file
+SSL_use_certificate
+SSL_use_certificate_ASN1
+SSL_use_certificate_file
+SSL_version
+SSL_version_str
+SSL_want
+SSL_write
diff --git a/src/lib/libssl/bytestring.h b/src/lib/libssl/bytestring.h
index 8ea84005b4..d8c8e6ada6 100644
--- a/src/lib/libssl/bytestring.h
+++ b/src/lib/libssl/bytestring.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bytestring.h,v 1.14 2015/06/19 00:23:36 doug Exp $    */
+/*      $OpenBSD: bytestring.h,v 1.15 2016/11/04 18:28:58 guenther Exp $        */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -17,15 +17,13 @@
 #ifndef OPENSSL_HEADER_BYTESTRING_H
 #define OPENSSL_HEADER_BYTESTRING_H
 
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
 #include <sys/types.h>
 #include <stdint.h>
 
 #include <openssl/opensslconf.h>
 
+__BEGIN_HIDDEN_DECLS
+
 /*
  * Bytestrings are used for parsing and building TLS and ASN.1 messages.
  *
@@ -504,8 +502,6 @@ int cbs_get_any_asn1_element_internal(CBS *cbs, CBS *out, unsigned int *out_tag,
 int CBS_asn1_indefinite_to_definite(CBS *in, uint8_t **out, size_t *out_len);
 #endif /* LIBRESSL_INTERNAL */
 
-#if defined(__cplusplus)
-}  /* extern C */
-#endif
+__END_HIDDEN_DECLS 
 
 #endif  /* OPENSSL_HEADER_BYTESTRING_H */
diff --git a/src/lib/libssl/pqueue.h b/src/lib/libssl/pqueue.h
index 0d7ddc04e2..cdda4a3961 100644
--- a/src/lib/libssl/pqueue.h
+++ b/src/lib/libssl/pqueue.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.h,v 1.3 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: pqueue.h,v 1.4 2016/11/04 18:28:58 guenther Exp $ */
 
 /*
  * DTLS implementation written by Nagendra Modadugu
@@ -61,6 +61,8 @@
 #ifndef HEADER_PQUEUE_H
 #define HEADER_PQUEUE_H
 
+__BEGIN_HIDDEN_DECLS 
+
 typedef struct _pqueue *pqueue;
 
 typedef struct _pitem {
@@ -86,4 +88,6 @@ pitem *pqueue_next(piterator *iter);
 
 int    pqueue_size(pqueue pq);
 
+__END_HIDDEN_DECLS 
+
 #endif /* ! HEADER_PQUEUE_H */
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index c3107745c9..5a146ce0b4 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.132 2016/11/04 18:00:12 guenther Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.133 2016/11/04 18:28:58 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -160,6 +160,8 @@
 #include <openssl/ssl.h>
 #include <openssl/stack.h>
 
+__BEGIN_HIDDEN_DECLS
+
 #define c2l(c,l)        (l = ((unsigned long)(*((c)++)))     , \
                          l|=(((unsigned long)(*((c)++)))<< 8), \
                          l|=(((unsigned long)(*((c)++)))<<16), \
@@ -834,4 +836,6 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
     size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
     unsigned mac_secret_length, char is_sslv3);
 
+__END_HIDDEN_DECLS
+
 #endif