X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=INSTALL;h=9ea1f115138fd0f1ee6ba70c88c297e190e948af;hb=bf9d6bb83d009923ceb65753c6dd9fa880e8ba92;hp=5185033a797e5177dcaada0de66980155dc12b34;hpb=706b6333a6dd29a8d11561dee8013a2fddbc2742;p=openssl.git

diff --git a/INSTALL b/INSTALL
index 5185033a79..9ea1f11513 100644
--- a/INSTALL
+++ b/INSTALL
@@ -23,6 +23,7 @@
   * NOTES.WIN (any supported Windows)
   * NOTES.DJGPP (DOS platform with DJGPP)
   * NOTES.ANDROID (obviously Android [NDK])
+  * NOTES.VALGRIND (testing with Valgrind)
 
  Notational conventions in this document
  ---------------------------------------
@@ -98,6 +99,9 @@
     $ nmake test
     $ nmake install
 
+ Note that in order to perform the install step above you need to have
+ appropriate permissions to write to the installation directory.
+
  If any of these steps fails, see section Installation in Detail below.
 
  This will build and install OpenSSL in the default location, which is:
@@ -107,6 +111,12 @@
            OpenSSL version number with underscores instead of periods.
   Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
 
+ The installation directory should be appropriately protected to ensure
+ unprivileged users cannot make changes to OpenSSL binaries or files, or install
+ engines. If you already have a pre-installed version of OpenSSL as part of
+ your Operating System it is recommended that you do not overwrite the system
+ version and instead install to somewhere else.
+
  If you want to install it anywhere else, run config like this:
 
   On Unix:
@@ -135,7 +145,10 @@
                    Don't build with support for deprecated APIs below the
                    specified version number. For example "--api=1.1.0" will
                    remove support for all APIS that were deprecated in OpenSSL
-                   version 1.1.0 or below.
+                   version 1.1.0 or below. This is a rather specialized option
+                   for developers. If you just intend to remove all deprecated
+                   APIs entirely (up to the current version), it is easier
+                   to add the 'no-deprecated' option instead (see below).
 
   --cross-compile-prefix=PREFIX
                    The PREFIX to include in front of commands for your
@@ -229,7 +242,7 @@
                                source exists.
                    getrandom:  Use the L<getrandom(2)> or equivalent system
                                call.
-                   devrandom:  Use the the first device from the DEVRANDOM list
+                   devrandom:  Use the first device from the DEVRANDOM list
                                which can be opened to read random bytes. The
                                DEVRANDOM preprocessor constant expands to
                                "/dev/urandom","/dev/random","/dev/srandom" on
@@ -313,6 +326,9 @@
                    Don't build the CAPI engine. This option will be forced if
                    on a platform that does not support CAPI.
 
+  no-cmp
+                   Don't build support for CMP features
+
   no-cms
                    Don't build support for CMS features
 
@@ -394,6 +410,9 @@
                    Don't compile in filename and line number information (e.g.
                    for errors and memory allocation).
 
+  no-fips
+                   Don't compile the FIPS module
+
   enable-fuzz-libfuzzer, enable-fuzz-afl
                    Build with support for fuzzing using either libfuzzer or AFL.
                    These are developer options only. They may not work on all
@@ -406,6 +425,10 @@
                    available if the GOST algorithms are also available through
                    loading an externally supplied engine.
 
+  no-legacy
+                   Don't build the legacy provider. Disabling this also disables
+                   the legacy algorithms: MD2 (already disabled by default).
+
   no-makedepend
                    Don't generate dependencies.
 
@@ -547,6 +570,9 @@
                    Enable additional unit test APIs. This should not typically
                    be used in production deployments.
 
+  no-uplink
+                   Don't build support for UPLINK interface.
+
   enable-weak-ssl-ciphers
                    Build support for SSL/TLS ciphers that are considered "weak"
                    (e.g. RC4 based ciphersuites).
@@ -927,8 +953,11 @@
        $ mms install                                    ! OpenVMS
        $ nmake install                                  # Windows
 
-     This will install all the software components in this directory
-     tree under PREFIX (the directory given with --prefix or its
+     Note that in order to perform the install step above you need to have
+     appropriate permissions to write to the installation directory.
+
+     The above commands will install all the software components in this
+     directory tree under PREFIX (the directory given with --prefix or its
      default):
 
        Unix:
@@ -984,6 +1013,12 @@
                         for private key files.
          misc           Various scripts.
 
+     The installation directory should be appropriately protected to ensure
+     unprivileged users cannot make changes to OpenSSL binaries or files, or
+     install engines. If you already have a pre-installed version of OpenSSL as
+     part of your Operating System it is recommended that you do not overwrite
+     the system version and instead install to somewhere else.
+
      Package builders who want to configure the library for standard
      locations, but have the package installed somewhere else so that
      it can easily be packaged, can use
@@ -1192,6 +1227,11 @@
 
  $ make TESTS='[89]? -90'
 
+To stochastically verify that the algorithm that produces uniformly distributed
+random numbers is operating correctly (with a false positive rate of 0.01%):
+
+ $ ./util/shlib_wrap.sh test/bntest -stochastic
+
  Note on multi-threading
  -----------------------