Add an explict list of exported symbols with just the functions declared

in <tls.h>, and use __{BEGIN,END}_HIDDEN_DECLS in tls_internal.h to
optimize internal functions

ok jsing@

3 files changed, 85 insertions, 2 deletions

diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index f90c57d53f..bc46332da3 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.26 2016/11/02 15:18:42 beck Exp $
+#       $OpenBSD: Makefile,v 1.27 2016/11/04 18:23:32 guenther Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -10,6 +10,9 @@ DPADD=	${LIBCRYPTO} ${LIBSSL}
 LDADD+= -L${BSDOBJDIR}/lib/libcrypto -lcrypto
 LDADD+= -L${BSDOBJDIR}/lib/libssl -lssl
 
+VERSION_SCRIPT= Symbols.map
+SYMBOL_LIST=    ${.CURDIR}/Symbols.list
+
 HDRS=   tls.h
 
 SRCS=   tls.c \
@@ -34,4 +37,9 @@ includes:
             eval "$$j"; \
         done;
 
+${VERSION_SCRIPT}: ${SYMBOL_LIST}
+        { printf '{\n\tglobal:\n'; \
+          sed '/^[._a-zA-Z]/s/$$/;/; s/^/               /' ${SYMBOL_LIST}; \
+          printf '\n\tlocal:\n\t\t*;\n};\n'; } >$@.tmp && mv $@.tmp $@
+
 .include <bsd.lib.mk>
diff --git a/src/lib/libtls/Symbols.list b/src/lib/libtls/Symbols.list
new file mode 100644
index 0000000000..9074d5e011
--- /dev/null
+++ b/src/lib/libtls/Symbols.list
@@ -0,0 +1,71 @@
+tls_accept_cbs
+tls_accept_fds
+tls_accept_socket
+tls_client
+tls_close
+tls_config_add_keypair_file
+tls_config_add_keypair_mem
+tls_config_clear_keys
+tls_config_error
+tls_config_free
+tls_config_insecure_noverifycert
+tls_config_insecure_noverifyname
+tls_config_insecure_noverifytime
+tls_config_new
+tls_config_ocsp_require_stapling
+tls_config_parse_protocols
+tls_config_prefer_ciphers_client
+tls_config_prefer_ciphers_server
+tls_config_set_alpn
+tls_config_set_ca_file
+tls_config_set_ca_mem
+tls_config_set_ca_path
+tls_config_set_cert_file
+tls_config_set_cert_mem
+tls_config_set_ciphers
+tls_config_set_dheparams
+tls_config_set_ecdhecurve
+tls_config_set_key_file
+tls_config_set_key_mem
+tls_config_set_keypair_file
+tls_config_set_keypair_mem
+tls_config_set_protocols
+tls_config_set_verify_depth
+tls_config_verify
+tls_config_verify_client
+tls_config_verify_client_optional
+tls_configure
+tls_conn_alpn_selected
+tls_conn_cipher
+tls_conn_servername
+tls_conn_version
+tls_connect
+tls_connect_cbs
+tls_connect_fds
+tls_connect_servername
+tls_connect_socket
+tls_error
+tls_free
+tls_handshake
+tls_init
+tls_load_file
+tls_ocsp_process_response
+tls_peer_cert_contains_name
+tls_peer_cert_hash
+tls_peer_cert_issuer
+tls_peer_cert_notafter
+tls_peer_cert_notbefore
+tls_peer_cert_provided
+tls_peer_cert_subject
+tls_peer_ocsp_cert_status
+tls_peer_ocsp_crl_reason
+tls_peer_ocsp_next_update
+tls_peer_ocsp_response_status
+tls_peer_ocsp_result
+tls_peer_ocsp_revocation_time
+tls_peer_ocsp_this_update
+tls_peer_ocsp_url
+tls_read
+tls_reset
+tls_server
+tls_write
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 7b07c96c86..4fe4ee7811 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.47 2016/11/04 18:07:24 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.48 2016/11/04 18:23:32 guenther Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -24,6 +24,8 @@
 
 #include <openssl/ssl.h>
 
+__BEGIN_HIDDEN_DECLS
+
 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
 
 #define TLS_CIPHERS_DEFAULT     "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE"
@@ -209,4 +211,6 @@ int tls_ocsp_verify_cb(SSL *ssl, void *arg);
 void tls_ocsp_ctx_free(struct tls_ocsp_ctx *ctx);
 struct tls_ocsp_ctx *tls_ocsp_setup_from_peer(struct tls *ctx);
 
+__END_HIDDEN_DECLS
+
 #endif /* HEADER_TLS_INTERNAL_H */