Questions on Building and Testing OpenSSL

* Why does Clang sanitizer give warnings?

You need to build with -DPEDANTIC to run sanitized tests, otherwise
you will get optimized assembler versions of some functions.

* Why does the linker complain about undefined symbols?

Maybe the compilation was interrupted, and make doesn't notice that
something is missing.  Run "make clean; make".

If you used ./Configure instead of ./config, make sure that you
selected the right target.  File formats may differ slightly between
OS versions (for example sparcv8/sparcv9, or a.out/elf).

In case you get errors about the following symbols, use the config
option "no-asm", as described in INSTALL:

<PRE>
    BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
    CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
    RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
    bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
    bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
    des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
    des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
</PRE>

If none of these helps, you may want to try using the current snapshot.
If the problem persists, please submit a bug report.

* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?

On some Alpha installations running Tru64 Unix and Compaq C, the compilation
of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
memory to continue compilation.'  As far as the tests have shown, this may be
a compiler bug.  What happens is that it eats up a lot of resident memory
to build something, probably a table.  The problem is clearly in the
optimization code, because if one eliminates optimization completely (-O0),
the compilation goes through (and the compiler consumes about 2MB of resident
memory instead of 240MB or whatever one's limit is currently).

There are three options to solve this problem:

1. set your current data segment size soft limit higher.  Experience shows
that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
kbytes to set the limit to.

2. If you have a hard limit that is lower than what you need and you can't
get it changed, you can compile all of OpenSSL with -O0 as optimization
level.  This is however not a very nice thing to do for those who expect to
get the best result from OpenSSL.  A bit more complicated solution is the
following:

<PRE>
    make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
        sed -e 's/ -O[0-9] / -O0 /'`"
    rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
    make
</PRE>

This will only compile sha_dgst.c with -O0, the rest with the optimization
level chosen by the configuration process.  When the above is done, do the
test and installation and you're set.

3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
should not be used and is not used in SSL/TLS nor any other recognized
protocol in either case.

* Why does the OpenSSL compilation fail with "ar: command not found"?

Getting this message is quite usual on Solaris 2, because Sun has hidden
away 'ar' and other development commands in directories that aren't in
$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
quickest way to fix this is to do the following (it assumes you use sh
or any sh-compatible shell):

<PRE>
    PATH=${PATH}:/usr/ccs/bin; export PATH
</PRE>

and then redo the compilation.  What you should really do is make sure
'/usr/ccs/bin' is permanently in your $PATH, for example through your
'.profile' (again, assuming you use a sh-compatible shell).

* Why does the OpenSSL compilation fail on Win32 with VC++?

Sometimes, you may get reports from VC++ command line (cl) that it
can't find standard include files like stdio.h and other weirdnesses.
One possible cause is that the environment isn't correctly set up.
To solve that problem for VC++ versions up to 6, one should run
VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
installation directory (somewhere under 'Program Files').  For VC++
version 7 (and up?), which is also called VS.NET, the file is called
VSVARS32.BAT instead.
This needs to be done prior to running NMAKE, and the changes are only
valid for the current DOS session.

* What is special about OpenSSL on Redhat?

Red Hat Linux (release 7.0 and later) include a preinstalled limited
version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and
MDC2 in this version. The same may apply to other Linux distributions.
Users may therefore wish to install more or all of the features left out.

To do this you MUST ensure that you do not overwrite the openssl that is in
/usr/bin on your Red Hat machine. Several packages depend on this file,
including sendmail and ssh. /usr/local/bin is a good alternative choice. The
libraries that come with Red Hat 7.0 onwards have different names and so are
not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
/lib/libcrypto.so.2 respectively).

Please note that we have been advised by Red Hat attempting to recompile the
openssl rpm with all the cryptography enabled will not work. All other
packages depend on the original Red Hat supplied openssl package. It is also
worth noting that due to the way Red Hat supplies its packages, updates to
openssl on each distribution never change the package version, only the
build number. For example, on Red Hat 7.1, the latest openssl package has
version number 0.9.6 and build number 9 even though it contains all the
relevant updates in packages up to and including 0.9.6b.

A possible way around this is to persuade Red Hat to produce a non-US
version of Red Hat Linux.

* Why does the OpenSSL compilation fail on MacOS X?

If the failure happens when trying to build the "openssl" binary, with
a large number of undefined symbols, it's very probable that you have
OpenSSL 0.9.6b delivered with the operating system (you can find out by
running '/usr/bin/openssl version') and that you were trying to build
OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
MacOS X has a misfeature that's quite difficult to go around.
Look in the file PROBLEMS for a more detailed explanation and for possible
solutions.

* Why does the OpenSSL test suite fail on MacOS X?

If the failure happens when running 'make test' and the RC4 test fails,
it's very probable that you have OpenSSL 0.9.6b delivered with the
operating system (you can find out by running '/usr/bin/openssl version')
and that you were trying to build OpenSSL 0.9.6d.  The problem is that
the loader ('ld') in MacOS X has a misfeature that's quite difficult to
go around and has linked the programs "openssl" and the test programs
with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
libraries you just built.
Look in the file PROBLEMS for a more detailed explanation and for possible
solutions.

* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?

Failure in BN_sqr test is most likely caused by a failure to configure the
toolkit for current platform or lack of support for the platform in question.
Run './config -t' and './apps/openssl version -p'. Do these platform
identifiers match? If they don't, then you most likely failed to run
./config and you're hereby advised to do so before filing a bug report.
If ./config itself fails to run, then it's most likely problem with your
local environment and you should turn to your system administrator (or
similar). If identifiers match (and/or no alternative identifier is
suggested by ./config script), then the platform is unsupported. There might
or might not be a workaround. Most notably on SPARC64 platforms with GNU
C compiler you should be able to produce a working build by running
'./config -m32'. I understand that -m32 might not be what you want/need,
but the build should be operational. For further details turn to
@@@mailto:openssl-dev@openssl.org@@@

* Why does the OpenSSL test suite fail in sha512t on x86 CPU?

If the test program in question fails withs SIGILL, Illegal Instruction
exception, then you more than likely to run SSE2-capable CPU, such as
Intel P4, under control of kernel which does not support SSE2
instruction extensions. See accompanying INSTALL file and
OPENSSL_ia32cap(3) documentation page for further information.

* Why does compiler fail to compile sha512.c?

OpenSSL SHA-512 implementation depends on compiler support for 64-bit
integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
couple] lack support for this and therefore are incapable of compiling
the module in question. The recommendation is to disable SHA-512 by
adding no-sha512 to ./config [or ./Configure] command line. Another
possible alternative might be to switch to GCC.

* Test suite still fails, what to do?

Another common reason for test failures is bugs in the toolchain
or run-time environment.  Known cases of this are documented in the
PROBLEMS file, please review it before you beat the drum. Even if you
don't find anything in that file, please do consider the possibility
of a compiler bug. Compiler bugs often appear in rather bizarre ways,
they never make sense, and tend to emerge when you least expect
them. One thing to try is to reduce the level of optimization (such
as by editing the CFLAG variable line in the top-level Makefile),
and then recompile and re-run the test.

* I think I've found a bug, what should I do?

If you are a new user then it is quite likely you haven't found a bug and
something is happening you aren't familiar with. Check this FAQ, the associated
documentation and the mailing lists for similar queries. If you are still
unsure whether it is a bug or not submit a query to the openssl-users mailing
list.

If you think you have found a bug based on the output of static analysis tools
then please manually check the issue is genuine. Such tools can produce a
LOT of false positives.

* I'm SURE I've found a bug, how do I report it?

Please see @@@https://www.openssl.org/community@@@.

* I've found a security issue, how do I report it?

If you think your bug has security implications then please send it to
openssl-security@openssl.org if you don't get a prompt reply at least
acknowledging receipt then resend or mail it directly to one of the
more active team members (e.g. Steve). If you wish to use PGP to send
in a report please use one or more of the keys of the OMC listed
at @@@https://www.openssl.org/community/omc.html@@@.

Note that bugs only present in the openssl utility are not in general
considered to be security issues.