* NOTES.WIN (any supported Windows)
* NOTES.DJGPP (DOS platform with DJGPP)
* NOTES.ANDROID (obviously Android [NDK])
+ * NOTES.VALGRIND (testing with Valgrind)
Notational conventions in this document
---------------------------------------
$ nmake test
$ nmake install
+ Note that in order to perform the install step above you need to have
+ appropriate permissions to write to the installation directory.
+
If any of these steps fails, see section Installation in Detail below.
This will build and install OpenSSL in the default location, which is:
OpenSSL version number with underscores instead of periods.
Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
+ The installation directory should be appropriately protected to ensure
+ unprivileged users cannot make changes to OpenSSL binaries or files, or install
+ engines. If you already have a pre-installed version of OpenSSL as part of
+ your Operating System it is recommended that you do not overwrite the system
+ version and instead install to somewhere else.
+
If you want to install it anywhere else, run config like this:
On Unix:
--openssldir depend in what configuration is used and what Windows
implementation OpenSSL is built on. More notes on this in NOTES.WIN):
- --api=x.y.z
- Don't build with support for deprecated APIs below the
- specified version number. For example "--api=1.1.0" will
- remove support for all APIS that were deprecated in OpenSSL
- version 1.1.0 or below.
+ --api=x.y[.z]
+ Build the OpenSSL libraries to support the API for
+ the specified version. If "no-deprecated" is also
+ given, don't build with support for deprecated APIs
+ in or below the specified version number. For example
+ "--api=1.1.0" with "no-deprecated" will remove
+ support for all APIS that were deprecated in
+ OpenSSL version 1.1.0 or below.
+ This is a rather specialized option for developers.
+ If you just intend to remove all deprecated APIs
+ entirely (up to the current version), only specify
+ "-no-deprecated" (see below).
+ If "--api" isn't given, it defaults to the current
+ OpenSSL minor version.
--cross-compile-prefix=PREFIX
The PREFIX to include in front of commands for your
source exists.
getrandom: Use the L<getrandom(2)> or equivalent system
call.
- devrandom: Use the the first device from the DEVRANDOM list
+ devrandom: Use the first device from the DEVRANDOM list
which can be opened to read random bytes. The
DEVRANDOM preprocessor constant expands to
"/dev/urandom","/dev/random","/dev/srandom" on
Don't build the CAPI engine. This option will be forced if
on a platform that does not support CAPI.
+ no-cmp
+ Don't build support for CMP features
+
no-cms
Don't build support for CMS features
work if the zlib or zlib-dynamic options are also chosen.
enable-crypto-mdebug
- Build support for debugging memory allocated via
- OPENSSL_malloc() or OPENSSL_zalloc().
+ This now only enables the failed-malloc feature.
enable-crypto-mdebug-backtrace
- As for crypto-mdebug, but additionally provide backtrace
- information for allocated memory.
- TO BE USED WITH CARE: this uses GNU C functionality, and
- is therefore not usable for non-GNU config targets. If
- your build complains about the use of '-rdynamic' or the
- lack of header file execinfo.h, this option is not for you.
- ALSO NOTE that even though execinfo.h is available on your
- system (through Gnulib), the functions might just be stubs
- that do nothing.
+ This is a no-op; the project uses the compiler's
+ address/leak sanitizer instead.
no-ct
Don't build support for Certificate Transparency.
no-deprecated
- Don't build with support for any deprecated APIs. This is the
- same as using "--api" and supplying the latest version
- number.
+ Don't build with support for deprecated APIs up
+ until and including the version given with
+ "--api" (or the current version of "--api" wasn't
+ given).
no-dgram
Don't build support for datagram based BIOs. Selecting this
option will also force the disabling of DTLS.
+ no-dso
+ Don't build support for loading Dynamic Shared Objects.
+
enable-devcryptoeng
Build the /dev/crypto engine. It is automatically selected
on BSD implementations, in which case it can be disabled with
no-devcryptoeng.
- no-dso
- Don't build support for loading Dynamic Shared Objects.
-
no-dynamic-engine
Don't build the dynamically loaded engines. This only has an
effect in a "shared" build
Don't compile in filename and line number information (e.g.
for errors and memory allocation).
+ no-fips
+ Don't compile the FIPS module
+
enable-fuzz-libfuzzer, enable-fuzz-afl
Build with support for fuzzing using either libfuzzer or AFL.
These are developer options only. They may not work on all
available if the GOST algorithms are also available through
loading an externally supplied engine.
+ no-legacy
+ Don't build the legacy provider. Disabling this also disables
+ the legacy algorithms: MD2 (already disabled by default).
+
no-makedepend
Don't generate dependencies.
+ no-module
+ Don't build any dynamically loadable engines. This also
+ implies 'no-dynamic-engine'.
+
no-multiblock
Don't build support for writing multiple records in one
go in libssl (Note: this is a different capability to the
Enable additional unit test APIs. This should not typically
be used in production deployments.
+ no-uplink
+ Don't build support for UPLINK interface.
+
enable-weak-ssl-ciphers
Build support for SSL/TLS ciphers that are considered "weak"
(e.g. RC4 based ciphersuites).
Take note of the VAR=value documentation below and how
these flags interact with those variables.
- -xxx, +xxx
+ -xxx, +xxx, /xxx
Additional options that are not otherwise recognised are
- passed through as they are to the compiler as well. Again,
- consult your compiler documentation.
+ passed through as they are to the compiler as well.
+ Unix-style options beginning with a '-' or '+' and
+ Windows-style options beginning with a '/' are recognized.
+ Again, consult your compiler documentation.
+
+ If the option contains arguments separated by spaces,
+ then the URL-style notation %20 can be used for the space
+ character in order to avoid having to quote the option.
+ For example, -opt%20arg gets expanded to -opt arg.
+ In fact, any ASCII character can be encoded as %xx using its
+ hexadecimal encoding.
Take note of the VAR=value documentation below and how
these flags interact with those variables.
Configure creates a build file ("Makefile" on Unix, "makefile" on Windows
and "descrip.mms" on OpenVMS) from a suitable template in Configurations,
- and defines various macros in include/openssl/opensslconf.h (generated from
- include/openssl/opensslconf.h.in).
+ and defines various macros in include/openssl/configuration.h (generated
+ from include/openssl/configuration.h.in).
1c. Configure OpenSSL for building outside of the source tree.
malfunction with Perl). You may want increased verbosity, that
can be accomplished like this:
- $ make VERBOSE=1 test # Unix
+ Verbosity on failure only (make macro VERBOSE_FAILURE or VF):
- $ mms /macro=(VERBOSE=1) test ! OpenVMS
+ $ make VF=1 test # Unix
+ $ mms /macro=(VF=1) test ! OpenVMS
+ $ nmake VF=1 test # Windows
- $ nmake VERBOSE=1 test # Windows
+ Full verbosity (make macro VERBOSE or V):
+
+ $ make V=1 test # Unix
+ $ mms /macro=(V=1) test ! OpenVMS
+ $ nmake V=1 test # Windows
If you want to run just one or a few specific tests, you can use
the make variable TESTS to specify them, like this:
And of course, you can combine (Unix example shown):
- $ make VERBOSE=1 TESTS='test_rsa test_dsa' test
+ $ make VF=1 TESTS='test_rsa test_dsa' test
You can find the list of available tests like this:
$ mms install ! OpenVMS
$ nmake install # Windows
- This will install all the software components in this directory
- tree under PREFIX (the directory given with --prefix or its
+ Note that in order to perform the install step above you need to have
+ appropriate permissions to write to the installation directory.
+
+ The above commands will install all the software components in this
+ directory tree under PREFIX (the directory given with --prefix or its
default):
Unix:
for private key files.
misc Various scripts.
+ The installation directory should be appropriately protected to ensure
+ unprivileged users cannot make changes to OpenSSL binaries or files, or
+ install engines. If you already have a pre-installed version of OpenSSL as
+ part of your Operating System it is recommended that you do not overwrite
+ the system version and instead install to somewhere else.
+
Package builders who want to configure the library for standard
locations, but have the package installed somewhere else so that
it can easily be packaged, can use
HASHBANGPERL
The command string for the Perl executable to insert in the
- #! line of perl scripts that will be publically installed.
+ #! line of perl scripts that will be publicly installed.
Default: /usr/bin/env perl
Note: the value of this variable is added to the same scripts
on all platforms, but it's only relevant on Unix-like platforms.
described here. Examine the Makefiles themselves for the full list.
all
- The default target to build all the software components.
+ The target to build all the software components and
+ documentation.
+
+ build_sw
+ Build all the software components.
+ THIS IS THE DEFAULT TARGET.
+
+ build_docs
+ Build all documentation components.
clean
Remove all build artefacts and return the directory to a "clean"
$ make TESTS='[89]? -90'
+To stochastically verify that the algorithm that produces uniformly distributed
+random numbers is operating correctly (with a false positive rate of 0.01%):
+
+ $ ./util/shlib_wrap.sh test/bntest -stochastic
+
Note on multi-threading
-----------------------
projects / openssl.git / blobdiff