diff options
Diffstat (limited to 'INSTALL')
| -rw-r--r-- | INSTALL | 1334 |
1 files changed, 1093 insertions, 241 deletions
@@ -1,128 +1,695 @@ + OPENSSL INSTALLATION + -------------------- - INSTALLATION ON THE UNIX PLATFORM - --------------------------------- - - [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X) - and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS, - INSTALL.MacOS and INSTALL.NW. - - This document describes installation on operating systems in the Unix - family.] + This document describes installation on all supported operating + systems (the Unix/Linux family (which includes Mac OS/X), OpenVMS, + and Windows). To install OpenSSL, you will need: - * make - * Perl 5 + * A make implementation + * Perl 5 with core modules (please read NOTES.PERL) + * The perl module Text::Template (please read NOTES.PERL) * an ANSI C compiler - * a development environment in form of development libraries and C + * a development environment in the form of development libraries and C header files - * a supported Unix operating system + * a supported operating system + + For additional platform specific requirements, solutions to specific + issues and other details, please read one of these: + + * NOTES.UNIX (any supported Unix like system) + * NOTES.VMS (OpenVMS) + * NOTES.WIN (any supported Windows) + * NOTES.DJGPP (DOS platform with DJGPP) + * NOTES.ANDROID (obviously Android [NDK]) + + Notational conventions in this document + --------------------------------------- + + Throughout this document, we use the following conventions in command + examples: + + $ command Any line starting with a dollar sign + ($) is a command line. + + { word1 | word2 | word3 } This denotes a mandatory choice, to be + replaced with one of the given words. + A simple example would be this: + + $ echo { FOO | BAR | COOKIE } + + which is to be understood as one of + these: + + $ echo FOO + - or - + $ echo BAR + - or - + $ echo COOKIE + + [ word1 | word2 | word3 ] Similar to { word1 | word2 | word3 } + except it's optional to give any of + those. In addition to the examples + above, this would also be valid: + + $ echo + + {{ target }} This denotes a mandatory word or + sequence of words of some sort. A + simple example would be this: + + $ type {{ filename }} + + which is to be understood to use the + command 'type' on some file name + determined by the user. + + [[ options ]] Similar to {{ target }}, but is + optional. + + Note that the notation assumes spaces around {, }, [, ], {{, }} and + [[, ]]. This is to differentiate from OpenVMS directory + specifications, which also use [ and ], but without spaces. Quick Start ----------- If you want to just get on with it, do: - $ ./config - $ make - $ make test - $ make install + on Unix (again, this includes Mac OS/X): + + $ ./config + $ make + $ make test + $ make install + + on OpenVMS: + + $ @config + $ mms + $ mms test + $ mms install + + on Windows (only pick one of the targets for configuration): + + $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE } + $ nmake + $ nmake test + $ nmake install + + If any of these steps fails, see section Installation in Detail below. + + This will build and install OpenSSL in the default location, which is: - [If any of these steps fails, see section Installation in Detail below.] + Unix: normal installation directories under /usr/local + OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the + OpenSSL version number with underscores instead of periods. + Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL - This will build and install OpenSSL in the default location, which is (for - historical reasons) /usr/local/ssl. If you want to install it anywhere else, - run config like this: + If you want to install it anywhere else, run config like this: - $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl + On Unix: + + $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl + + On OpenVMS: + + $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL] + + (Note: if you do add options to the configuration command, please make sure + you've read more than just this Quick Start, such as relevant NOTES.* files, + the options outline below, as configuration options may change the outcome + in otherwise unexpected ways) Configuration Options --------------------- There are several options to ./config (or ./Configure) to customize - the build: - - --prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl. - Configuration files used by OpenSSL will be in DIR/ssl - or the directory specified by --openssldir. - - --openssldir=DIR Directory for OpenSSL files. If no prefix is specified, - the library files and binaries are also installed there. - - no-threads Don't try to build with support for multi-threaded - applications. - - threads Build with support for multi-threaded applications. - This will usually require additional system-dependent options! - See "Note on multi-threading" below. - - no-zlib Don't try to build with support for zlib compression and - decompression. - - zlib Build with support for zlib compression/decompression. - - zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically - when needed. This is only supported on systems where loading - of shared libraries is supported. This is the default choice. - - no-shared Don't try to create shared libraries. - - shared In addition to the usual static libraries, create shared - libraries on platforms where it's supported. See "Note on - shared libraries" below. - - no-asm Do not use assembler code. - - 386 In 32-bit x86 builds, when generating assembly modules, - use the 80386 instruction set only (the default x86 code - is more efficient, but requires at least a 486). Note: - This doesn't affect code generated by compiler, you're - likely to complement configuration command line with - suitable compiler-specific option. - - no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules. - Normally SSE2 extension is detected at run-time, but the - decision whether or not the machine code will be executed - is taken solely on CPU capability vector. This means that - if you happen to run OS kernel which does not support SSE2 - extension on Intel P4 processor, then your application - might be exposed to "illegal instruction" exception. - There might be a way to enable support in kernel, e.g. - FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and - there is a way to disengage SSE2 code paths upon application - start-up, but if you aim for wider "audience" running - such kernel, consider no-sse2. Both the 386 and - no-asm options imply no-sse2. - - no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa, - hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). - The crypto/<cipher> directory can be removed after running - "make depend". - - -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will - be passed through to the compiler to allow you to - define preprocessor symbols, specify additional libraries, - library directories or other compiler options. It might be - worth noting that some compilers generate code specifically - for processor the compiler currently executes on. This is - not necessarily what you might have in mind, since it might - be unsuitable for execution on other, typically older, - processor. Consult your compiler documentation. - - -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using - BSD. Useful if you are running ocf-linux or something - similar. Once enabled you can also enable the use of - cryptodev digests, which is usually slower unless you have - large amounts data. Use -DUSE_CRYPTODEV_DIGESTS to force - it. + the build (note that for Windows, the defaults for --prefix and + --openssldir depend in what configuration is used and what Windows + implementation OpenSSL is built on. More notes on this in NOTES.WIN): + + --api=x.y.z + Don't build with support for deprecated APIs below the + specified version number. For example "--api=1.1.0" will + remove support for all APIS that were deprecated in OpenSSL + version 1.1.0 or below. + + --cross-compile-prefix=PREFIX + The PREFIX to include in front of commands for your + toolchain. It's likely to have to end with dash, e.g. + a-b-c- would invoke GNU compiler as a-b-c-gcc, etc. + Unfortunately cross-compiling is too case-specific to + put together one-size-fits-all instructions. You might + have to pass more flags or set up environment variables + to actually make it work. Android and iOS cases are + discussed in corresponding Configurations/15-*.conf + files. But there are cases when this option alone is + sufficient. For example to build the mingw64 target on + Linux "--cross-compile-prefix=x86_64-w64-mingw32-" + works. Naturally provided that mingw packages are + installed. Today Debian and Ubuntu users have option to + install a number of prepackaged cross-compilers along + with corresponding run-time and development packages for + "alien" hardware. To give another example + "--cross-compile-prefix=mipsel-linux-gnu-" suffices + in such case. Needless to mention that you have to + invoke ./Configure, not ./config, and pass your target + name explicitly. Also, note that --openssldir refers + to target's file system, not one you are building on. + + --debug + Build OpenSSL with debugging symbols and zero optimization + level. + + --libdir=DIR + The name of the directory under the top of the installation + directory tree (see the --prefix option) where libraries will + be installed. By default this is "lib". Note that on Windows + only ".lib" files will be stored in this location. dll files + will always be installed to the "bin" directory. + + --openssldir=DIR + Directory for OpenSSL configuration files, and also the + default certificate and key store. Defaults are: + + Unix: /usr/local/ssl + Windows: C:\Program Files\Common Files\SSL + or C:\Program Files (x86)\Common Files\SSL + OpenVMS: SYS$COMMON:[OPENSSL-COMMON] + + --prefix=DIR + The top of the installation directory tree. Defaults are: + + Unix: /usr/local + Windows: C:\Program Files\OpenSSL + or C:\Program Files (x86)\OpenSSL + OpenVMS: SYS$COMMON:[OPENSSL-'version'] + + --release + Build OpenSSL without debugging symbols. This is the default. + + --strict-warnings + This is a developer flag that switches on various compiler + options recommended for OpenSSL development. It only works + when using gcc or clang as the compiler. If you are + developing a patch for OpenSSL then it is recommended that + you use this option where possible. + + --with-zlib-include=DIR + The directory for the location of the zlib include file. This + option is only necessary if enable-zlib (see below) is used + and the include file is not already on the system include + path. + + --with-zlib-lib=LIB + On Unix: this is the directory containing the zlib library. + If not provided the system library path will be used. + On Windows: this is the filename of the zlib library (with or + without a path). This flag must be provided if the + zlib-dynamic option is not also used. If zlib-dynamic is used + then this flag is optional and a default value ("ZLIB1") is + used if not provided. + On VMS: this is the filename of the zlib library (with or + without a path). This flag is optional and if not provided + then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is + used by default depending on the pointer size chosen. + + + --with-rand-seed=seed1[,seed2,...] + A comma separated list of seeding methods which will be tried + by OpenSSL in order to obtain random input (a.k.a "entropy") + for seeding its cryptographically secure random number + generator (CSPRNG). The current seeding methods are: + + os: Use a trusted operating system entropy source. + This is the default method if such an entropy + source exists. + getrandom: Use the L<getrandom(2)> or equivalent system + call. + devrandom: Use the the first device from the DEVRANDOM list + which can be opened to read random bytes. The + DEVRANDOM preprocessor constant expands to + "/dev/urandom","/dev/random","/dev/srandom" on + most unix-ish operating systems. + egd: Check for an entropy generating daemon. + rdcpu: Use the RDSEED or RDRAND command if provided by + the CPU. + librandom: Use librandom (not implemented yet). + none: Disable automatic seeding. This is the default + on some operating systems where no suitable + entropy source exists, or no support for it is + implemented yet. + + For more information, see the section 'Note on random number + generation' at the end of this document. + + no-afalgeng + Don't build the AFALG engine. This option will be forced if + on a platform that does not support AFALG. + + enable-asan + Build with the Address sanitiser. This is a developer option + only. It may not work on all platforms and should never be + used in production environments. It will only work when used + with gcc or clang and should be used in conjunction with the + no-shared option. + + no-asm + Do not use assembler code. This should be viewed as + debugging/trouble-shooting option rather than production. + On some platforms a small amount of assembler code may + still be used even with this option. + + no-async + Do not build support for async operations. + + no-autoalginit + Don't automatically load all supported ciphers and digests. + Typically OpenSSL will make available all of its supported + ciphers and digests. For a statically linked application this + may be undesirable if small executable size is an objective. + This only affects libcrypto. Ciphers and digests will have to + be loaded manually using EVP_add_cipher() and + EVP_add_digest() if this option is used. This option will + force a non-shared build. + + no-autoerrinit + Don't automatically load all libcrypto/libssl error strings. + Typically OpenSSL will automatically load human readable + error strings. For a statically linked application this may + be undesirable if small executable size is an objective. + + no-autoload-config + Don't automatically load the default openssl.cnf file. + Typically OpenSSL will automatically load a system config + file which configures default ssl options. + + no-capieng + Don't build the CAPI engine. This option will be forced if + on a platform that does not support CAPI. + + no-cms + Don't build support for CMS features + + no-comp + Don't build support for SSL/TLS compression. If this option + is left enabled (the default), then compression will only + work if the zlib or zlib-dynamic options are also chosen. + + enable-crypto-mdebug + Build support for debugging memory allocated via + OPENSSL_malloc() or OPENSSL_zalloc(). + + enable-crypto-mdebug-backtrace + As for crypto-mdebug, but additionally provide backtrace + information for allocated memory. + TO BE USED WITH CARE: this uses GNU C functionality, and + is therefore not usable for non-GNU config targets. If + your build complains about the use of '-rdynamic' or the + lack of header file execinfo.h, this option is not for you. + ALSO NOTE that even though execinfo.h is available on your + system (through Gnulib), the functions might just be stubs + that do nothing. + + no-ct + Don't build support for Certificate Transparency. + + no-deprecated + Don't build with support for any deprecated APIs. This is the + same as using "--api" and supplying the latest version + number. + + no-dgram + Don't build support for datagram based BIOs. Selecting this + option will also force the disabling of DTLS. + + no-dso + Don't build support for loading Dynamic Shared Objects. + + no-dynamic-engine + Don't build the dynamically loaded engines. This only has an + effect in a "shared" build + + no-ec + Don't build support for Elliptic Curves. + + no-ec2m + Don't build support for binary Elliptic Curves + + enable-ec_nistp_64_gcc_128 + Enable support for optimised implementations of some commonly + used NIST elliptic curves. + This is only supported on platforms: + - with little-endian storage of non-byte types + - that tolerate misaligned memory references + - where the compiler: + - supports the non-standard type __uint128_t + - defines the built-in macro __SIZEOF_INT128__ + + enable-egd + Build support for gathering entropy from EGD (Entropy + Gathering Daemon). + + no-engine + Don't build support for loading engines. + + no-err + Don't compile in any error strings. + + enable-external-tests + Enable building of integration with external test suites. + This is a developer option and may not work on all platforms. + The only supported external test suite at the current time is + the BoringSSL test suite. See the file test/README.external + for further details. + + no-filenames + Don't compile in filename and line number information (e.g. + for errors and memory allocation). + + enable-fuzz-libfuzzer, enable-fuzz-afl + Build with support for fuzzing using either libfuzzer or AFL. + These are developer options only. They may not work on all + platforms and should never be used in production environments. + See the file fuzz/README.md for further details. + + no-gost + Don't build support for GOST based ciphersuites. Note that + if this feature is enabled then GOST ciphersuites are only + available if the GOST algorithms are also available through + loading an externally supplied engine. + + no-hw-padlock + Don't build the padlock engine. + + no-makedepend + Don't generate dependencies. + + no-multiblock + Don't build support for writing multiple records in one + go in libssl (Note: this is a different capability to the + pipelining functionality). + + no-nextprotoneg + Don't build support for the NPN TLS extension. + + no-ocsp + Don't build support for OCSP. + + no-pic + Don't build with support for Position Independent Code. + + no-posix-io + Don't use POSIX IO capabilities. + + no-psk + Don't build support for Pre-Shared Key based ciphersuites. + + no-rdrand + Don't use hardware RDRAND capabilities. + + no-rfc3779 + Don't build support for RFC3779 ("X.509 Extensions for IP + Addresses and AS Identifiers") + + sctp + Build support for SCTP + + no-shared + Do not create shared libraries, only static ones. See "Note + on shared libraries" below. + + no-sock + Don't build support for socket BIOs + + no-srp + Don't build support for SRP or SRP based ciphersuites. + + no-srtp + Don't build SRTP support + + no-sse2 + Exclude SSE2 code paths from 32-bit x86 assembly modules. + Normally SSE2 extension is detected at run-time, but the + decision whether or not the machine code will be executed + is taken solely on CPU capability vector. This means that + if you happen to run OS kernel which does not support SSE2 + extension on Intel P4 processor, then your application + might be exposed to "illegal instruction" exception. + There might be a way to enable support in kernel, e.g. + FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and + there is a way to disengage SSE2 code paths upon application + start-up, but if you aim for wider "audience" running + such kernel, consider no-sse2. Both the 386 and + no-asm options imply no-sse2. + + enable-ssl-trace + Build with the SSL Trace capabilities (adds the "-trace" + option to s_client and s_server). + + no-static-engine + Don't build the statically linked engines. This only + has an impact when not built "shared". + + no-stdio + Don't use anything from the C header file "stdio.h" that + makes use of the "FILE" type. Only libcrypto and libssl can + be built in this way. Using this option will suppress + building the command line applications. Additionally since + the OpenSSL tests also use the command line applications the + tests will also be skipped. + + no-tests + Don't build test programs or run any test. + + no-threads + Don't try to build with support for multi-threaded + applications. + + threads + Build with support for multi-threaded applications. Most + platforms will enable this by default. However if on a + platform where this is not the case then this will usually + require additional system-dependent options! See "Note on + multi-threading" below. + + no-ts + Don't build Time Stamping Authority support. + + enable-ubsan + Build with the Undefined Behaviour sanitiser. This is a + developer option only. It may not work on all platforms and + should never be used in production environments. It will only + work when used with gcc or clang and should be used in + conjunction with the "-DPEDANTIC" option (or the + --strict-warnings option). + + no-ui + Don't build with the "UI" capability (i.e. the set of + features enabling text based prompts). + + enable-unit-test + Enable additional unit test APIs. This should not typically + be used in production deployments. + + enable-weak-ssl-ciphers + Build support for SSL/TLS ciphers that are considered "weak" + (e.g. RC4 based ciphersuites). + + zlib + Build with support for zlib compression/decompression. + + zlib-dynamic + Like "zlib", but has OpenSSL load the zlib library + dynamically when needed. This is only supported on systems + where loading of shared libraries is supported. + + 386 + In 32-bit x86 builds, when generating assembly modules, + use the 80386 instruction set only (the default x86 code + is more efficient, but requires at least a 486). Note: + This doesn't affect code generated by compiler, you're + likely to complement configuration command line with + suitable compiler-specific option. + + no-<prot> + Don't build support for negotiating the specified SSL/TLS + protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, + tls1_3, dtls, dtls1 or dtls1_2). If "no-tls" is selected then + all of tls1, tls1_1, tls1_2 and tls1_3 are disabled. + Similarly "no-dtls" will disable dtls1 and dtls1_2. The + "no-ssl" option is synonymous with "no-ssl3". Note this only + affects version negotiation. OpenSSL will still provide the + methods for applications to explicitly select the individual + protocol versions. + + no-<prot>-method + As for no-<prot> but in addition do not build the methods for + applications to explicitly select individual protocol + versions. Note that there is no "no-tls1_3-method" option + because there is no application method for TLSv1.3. Using + individual protocol methods directly is deprecated. + Applications should use TLS_method() instead. + + enable-<alg> + Build with support for the specified algorithm, where <alg> + is one of: md2 or rc5. + + no-<alg> + Build without support for the specified algorithm, where + <alg> is one of: aria, bf, blake2, camellia, cast, chacha, + cmac, des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, + poly1305, rc2, rc4, rmd160, scrypt, seed, siphash, sm2, sm3, + sm4 or whirlpool. The "ripemd" algorithm is deprecated and + if used is synonymous with rmd160. + + -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static + These system specific options will be recognised and + passed through to the compiler to allow you to define + preprocessor symbols, specify additional libraries, library + directories or other compiler options. It might be worth + noting that some compilers generate code specifically for + processor the compiler currently executes on. This is not + necessarily what you might have in mind, since it might be + unsuitable for execution on other, typically older, + processor. Consult your compiler documentation. + + Take note of the VAR=value documentation below and how + these flags interact with those variables. + + -xxx, +xxx + Additional options that are not otherwise recognised are + passed through as they are to the compiler as well. Again, + consult your compiler documentation. + + Take note of the VAR=value documentation below and how + these flags interact with those variables. + + VAR=value + Assignment of environment variable for Configure. These + work just like normal environment variable assignments, + but are supported on all platforms and are confined to + the configuration scripts only. These assignments override + the corresponding value in the inherited environment, if + there is one. + + The following variables are used as "make variables" and + can be used as an alternative to giving preprocessor, + compiler and linker options directly as configuration. + The following variables are supported: + + AR The static library archiver. + ARFLAGS Flags for the static library archiver. + AS The assembler compiler. + ASFLAGS Flags for the assembler compiler. + CC The C compiler. + CFLAGS Flags for the C compiler. + CXX The C++ compiler. + CXXFLAGS Flags for the C++ compiler. + CPP The C/C++ preprocessor. + CPPFLAGS Flags for the C/C++ preprocessor. + CPPDEFINES List of CPP macro definitions, separated + by a platform specific character (':' or + space for Unix, ';' for Windows, ',' for + VMS). This can be used instead of using + -D (or what corresponds to that on your + compiler) in CPPFLAGS. + CPPINCLUDES List of CPP inclusion directories, separated + the same way as for CPPDEFINES. This can + be used instead of -I (or what corresponds + to that on your compiler) in CPPFLAGS. + HASHBANGPERL Perl invocation to be inserted after '#!' + in public perl scripts (only relevant on + Unix). + LD The program linker (not used on Unix, $(CC) + is used there). + LDFLAGS Flags for the shared library, DSO and + program linker. + LDLIBS Extra libraries to use when linking. + Takes the form of a space separated list + of library specifications on Unix and + Windows, and as a comma separated list of + libraries on VMS. + RANLIB The library archive indexer. + RC The Windows resources manipulator. + RCFLAGS Flags for the Windows reources manipulator. + RM The command to remove files and directories. + + These cannot be mixed with compiling / linking flags given + on the command line. In other words, something like this + isn't permitted. + + ./config -DFOO CPPFLAGS=-DBAR -DCOOKIE + + Backward compatibility note: + + To be compatible with older configuration scripts, the + environment variables are ignored if compiling / linking + flags are given on the command line, except for these: + + AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC + and WINDRES + + For example, the following command will not see -DBAR: + + CPPFLAGS=-DBAR ./config -DCOOKIE + + However, the following will see both set variables: + + CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- \ + ./config -DCOOKIE + + reconf + reconfigure + Reconfigure from earlier data. This fetches the previous + command line options and environment from data saved in + "configdata.pm", and runs the configuration process again, + using these options and environment. + Note: NO other option is permitted together with "reconf". + This means that you also MUST use "./Configure" (or + what corresponds to that on non-Unix platforms) directly + to invoke this option. + Note: The original configuration saves away values for ALL + environment variables that were used, and if they weren't + defined, they are still saved away with information that + they weren't originally defined. This information takes + precedence over environment variables that are defined + when reconfiguring. + + Displaying configuration data + ----------------------------- + + The configuration script itself will say very little, and finishes by + creating "configdata.pm". This perl module can be loaded by other scripts + to find all the configuration data, and it can also be used as a script to + display all sorts of configuration data in a human readable form. + + For more information, please do: + + $ ./configdata.pm --help # Unix + + or + + $ perl configdata.pm --help # Windows and VMS Installation in Detail ---------------------- 1a. Configure OpenSSL for your operation system automatically: - $ ./config [options] + NOTE: This is not available on Windows. + + $ ./config [[ options ]] # Unix + + or + + $ @config [[ options ]] ! OpenVMS + + For the remainder of this text, the Unix form will be used in all + examples, please use the appropriate form for your platform. This guesses at your operating system (and compiler, if necessary) and configures OpenSSL based on this guess. Run ./config -t to see @@ -132,170 +699,441 @@ On some systems, you can include debugging information as follows: - $ ./config -d [options] + $ ./config -d [[ options ]] 1b. Configure OpenSSL for your operating system manually OpenSSL knows about a range of different operating system, hardware and compiler combinations. To see the ones it knows about, run - $ ./Configure + $ ./Configure # Unix + + or + + $ perl Configure # All other platforms + + For the remainder of this text, the Unix form will be used in all + examples, please use the appropriate form for your platform. Pick a suitable name from the list that matches your system. For most operating systems there is a choice between using "cc" or "gcc". When you have identified your system (and if necessary compiler) use this name - as the argument to ./Configure. For example, a "linux-elf" user would + as the argument to Configure. For example, a "linux-elf" user would run: - $ ./Configure linux-elf [options] + $ ./Configure linux-elf [[ options ]] + + If your system isn't listed, you will have to create a configuration + file named Configurations/{{ something }}.conf and add the correct + configuration for your system. See the available configs as examples + and read Configurations/README and Configurations/README.design for + more information. + + The generic configurations "cc" or "gcc" should usually work on 32 bit + Unix-like systems. + + Configure creates a build file ("Makefile" on Unix, "makefile" on Windows + and "descrip.mms" on OpenVMS) from a suitable template in Configurations, + and defines various macros in include/openssl/opensslconf.h (generated from + include/openssl/opensslconf.h.in). + + 1c. Configure OpenSSL for building outside of the source tree. + + OpenSSL can be configured to build in a build directory separate from + the directory with the source code. It's done by placing yourself in + some other directory and invoking the configuration commands from + there. + + Unix example: + + $ mkdir /var/tmp/openssl-build + $ cd /var/tmp/openssl-build + $ /PATH/TO/OPENSSL/SOURCE/config [[ options ]] + + or + + $ /PATH/TO/OPENSSL/SOURCE/Configure {{ target }} [[ options ]] + + OpenVMS example: + + $ set default sys$login: + $ create/dir [.tmp.openssl-build] + $ set default [.tmp.openssl-build] + $ @[PATH.TO.OPENSSL.SOURCE]config [[ options ]] + + or - If your system is not available, you will have to edit the Configure - program and add the correct configuration for your system. The - generic configurations "cc" or "gcc" should usually work on 32 bit - systems. + $ @[PATH.TO.OPENSSL.SOURCE]Configure {{ target }} [[ options ]] - Configure creates the file Makefile.ssl from Makefile.org and - defines various macros in crypto/opensslconf.h (generated from - crypto/opensslconf.h.in). + Windows example: + + $ C: + $ mkdir \temp-openssl + $ cd \temp-openssl + $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {{ target }} [[ options ]] + + Paths can be relative just as well as absolute. Configure will + do its best to translate them to relative paths whenever possible. 2. Build OpenSSL by running: - $ make + $ make # Unix + $ mms ! (or mmk) OpenVMS + $ nmake # Windows + + This will build the OpenSSL libraries (libcrypto.a and libssl.a on + Unix, corresponding on other platforms) and the OpenSSL binary + ("openssl"). The libraries will be built in the top-level directory, + and the binary will be in the "apps" subdirectory. - This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the - OpenSSL binary ("openssl"). The libraries will be built in the top-level - directory, and the binary will be in the "apps" directory. + Troubleshooting: If the build fails, look at the output. There may be reasons for the failure that aren't problems in OpenSSL itself (like - missing standard headers). If you are having problems you can - get help by sending an email to the openssl-users email list (see + missing standard headers). + + If the build succeeded previously, but fails after a source or + configuration change, it might be helpful to clean the build tree + before attempting another build. Use this command: + + $ make clean # Unix + $ mms clean ! (or mmk) OpenVMS + $ nmake clean # Windows + + Assembler error messages can sometimes be sidestepped by using the + "no-asm" configuration option. + + Compiling parts of OpenSSL with gcc and others with the system + compiler will result in unresolved symbols on some systems. + + If you are still having problems you can get help by sending an email + to the openssl-users email list (see https://www.openssl.org/community/mailinglists.html for details). If it is a bug with OpenSSL itself, please open an issue on GitHub, at https://github.com/openssl/openssl/issues. Please review the existing ones first; maybe the bug was already reported or has already been fixed. - (If you encounter assembler error messages, try the "no-asm" - configuration option as an immediate fix.) + 3. After a successful build, the libraries should be tested. Run: - Compiling parts of OpenSSL with gcc and others with the system - compiler will result in unresolved symbols on some systems. + $ make test # Unix + $ mms test ! OpenVMS + $ nmake test # Windows - 3. After a successful build, the libraries should be tested. Run: + NOTE: you MUST run the tests from an unprivileged account (or + disable your privileges temporarily if your platform allows it). - $ make test + If some tests fail, look at the output. There may be reasons for + the failure that isn't a problem in OpenSSL itself (like a + malfunction with Perl). You may want increased verbosity, that + can be accomplished like this: - If a test fails, look at the output. There may be reasons for - the failure that isn't a problem in OpenSSL itself (like a missing - or malfunctioning bc). If it is a problem with OpenSSL itself, - try removing any compiler optimization flags from the CFLAG line - in Makefile.ssl and run "make clean; make". To report a bug please open an - issue on GitHub, at https://github.com/openssl/openssl/issues. + $ make VERBOSE=1 test # Unix - 4. If everything tests ok, install OpenSSL with + $ mms /macro=(VERBOSE=1) test ! OpenVMS + + $ nmake VERBOSE=1 test # Windows + + If you want to run just one or a few specific tests, you can use + the make variable TESTS to specify them, like this: + + $ make TESTS='test_rsa test_dsa' test # Unix + $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS + $ nmake TESTS='test_rsa test_dsa' test # Windows - $ make install + And of course, you can combine (Unix example shown): - This will create the installation directory (if it does not exist) and - then the following subdirectories: + $ make VERBOSE=1 TESTS='test_rsa test_dsa' test - certs Initially empty, this is the default location - for certificate files. - man/man1 Manual pages for the 'openssl' command line tool - man/man3 Manual pages for the libraries (very incomplete) - misc Various scripts. - private Initially empty, this is the default location - for private key files. + You can find the list of available tests like this: - If you didn't choose a different installation prefix, the - following additional subdirectories will be created: + $ make list-tests # Unix + $ mms list-tests ! OpenVMS + $ nmake list-tests # Windows - bin Contains the openssl binary and a few other - utility programs. - include/openssl Contains the header files needed if you want to - compile programs with libcrypto or libssl. - lib Contains the OpenSSL library files themselves. + Have a look at the manual for the perl module Test::Harness to + see what other HARNESS_* variables there are. - Use "make install_sw" to install the software without documentation, - and "install_docs_html" to install HTML renditions of the manual - pages. + If you find a problem with OpenSSL itself, try removing any + compiler optimization flags from the CFLAGS line in Makefile and + run "make clean; make" or corresponding. + + To report a bug please open an issue on GitHub, at + https://github.com/openssl/openssl/issues. + + For more details on how the make variables TESTS can be used, + see section TESTS in Detail below. + + 4. If everything tests ok, install OpenSSL with + + $ make install # Unix + $ mms install ! OpenVMS + $ nmake install # Windows + + This will install all the software components in this directory + tree under PREFIX (the directory given with --prefix or its + default): + + Unix: + + bin/ Contains the openssl binary and a few other + utility scripts. + include/openssl + Contains the header files needed if you want + to build your own programs that use libcrypto + or libssl. + lib Contains the OpenSSL library files. + lib/engines Contains the OpenSSL dynamically loadable engines. + + share/man/man1 Contains the OpenSSL command line man-pages. + share/man/man3 Contains the OpenSSL library calls man-pages. + share/man/man5 Contains the OpenSSL configuration format man-pages. + share/man/man7 Contains the OpenSSL other misc man-pages. + + share/doc/openssl/html/man1 + share/doc/openssl/html/man3 + share/doc/openssl/html/man5 + share/doc/openssl/html/man7 + Contains the HTML rendition of the man-pages. + + OpenVMS ('arch' is replaced with the architecture name, "Alpha" + or "ia64", 'sover' is replaced with the shared library version + (0101 for 1.1), and 'pz' is replaced with the pointer size + OpenSSL was built with): + + [.EXE.'arch'] Contains the openssl binary. + [.EXE] Contains a few utility scripts. + [.include.openssl] + Contains the header files needed if you want + to build your own programs that use libcrypto + or libssl. + [.LIB.'arch'] Contains the OpenSSL library files. + [.ENGINES'sover''pz'.'arch'] + Contains the OpenSSL dynamically loadable engines. + [.SYS$STARTUP] Contains startup, login and shutdown scripts. + These define appropriate logical names and + command symbols. + [.SYSTEST] Contains the installation verification procedure. + [.HTML] Contains the HTML rendition of the manual pages. + + + Additionally, install will add the following directories under + OPENSSLDIR (the directory given with --openssldir or its default) + for you convenience: + + certs Initially empty, this is the default location + for certificate files. + private Initially empty, this is the default location + for private key files. + misc Various scripts. Package builders who want to configure the library for standard locations, but have the package installed somewhere else so that it can easily be packaged, can use - $ make INSTALL_PREFIX=/tmp/package-root install + $ make DESTDIR=/tmp/package-root install # Unix + $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS - (or specify "--install_prefix=/tmp/package-root" as a configure - option). The specified prefix will be prepended to all - installation target filenames. + The specified destination directory will be prepended to all + installation target paths. + Compatibility issues with previous OpenSSL versions: - NOTE: The header files used to reside directly in the include - directory, but have now been moved to include/openssl so that - OpenSSL can co-exist with other libraries which use some of the - same filenames. This means that applications that use OpenSSL - should now use C preprocessor directives of the form + * COMPILING existing applications - #include <openssl/ssl.h> + OpenSSL 1.1.0 hides a number of structures that were previously + open. This includes all internal libssl structures and a number + of EVP types. Accessor functions have been added to allow + controlled access to the structures' data. - instead of "#include <ssl.h>", which was used with library versions - up to OpenSSL 0.9.2b. + This means that some software needs to be rewritten to adapt to + the new ways of doing things. This often amounts to allocating + an instance of a structure explicitly where you could previously + allocate them on the stack as automatic variables, and using the + provided accessor functions where you would previously access a + structure's field directly. - If you install a new version of OpenSSL over an old library version, - you should delete the old header files in the include directory. + Some APIs have changed as well. However, older APIs have been + preserved when possible. - Compatibility issues: + Environment Variables + --------------------- - * COMPILING existing applications + A number of environment variables can be used to provide additional control + over the build process. Typically these should be defined prior to running + config or Configure. Not all environment variables are relevant to all + platforms. + + AR + The name of the ar executable to use. + + BUILDFILE + Use a different build file name than the platform default + ("Makefile" on Unixly platforms, "makefile" on native Windows, + "descrip.mms" on OpenVMS). This requires that there is a + corresponding build file template. See Configurations/README + for further information. + + CC + The compiler to use. Configure will attempt to pick a default + compiler for your platform but this choice can be overridden + using this variable. Set it to the compiler executable you wish + to use, e.g. "gcc" or "clang". + + CROSS_COMPILE + This environment variable has the same meaning as for the + "--cross-compile-prefix" Configure flag described above. If both + are set then the Configure flag takes precedence. + + NM + The name of the nm executable to use. + + OPENSSL_LOCAL_CONFIG_DIR + OpenSSL comes with a database of information about how it + should be built on different platforms as well as build file + templates for those platforms. The database is comprised of + ".conf" files in the Configurations directory. The build + file templates reside there as well as ".tmpl" files. See the + file Configurations/README for further information about the + format of ".conf" files as well as information on the ".tmpl" + files. + In addition to the standard ".conf" and ".tmpl" files, it is + possible to create your own ".conf" and ".tmpl" files and store + them locally, outside the OpenSSL source tree. This environment + variable can be set to the directory where these files are held + and will be considered by Configure before it looks in the + standard directories. + + PERL + The name of the Perl executable to use when building OpenSSL. + This variable is used in config script only. Configure on the + other hand imposes the interpreter by which it itself was + executed on the whole build procedure. + + HASHBANGPERL + The command string for the Perl executable to insert in the + #! line of perl scripts that will be publically installed. + Default: /usr/bin/env perl + Note: the value of this variable is added to the same scripts + on all platforms, but it's only relevant on Unix-like platforms. + + RC + The name of the rc executable to use. The default will be as + defined for the target platform in the ".conf" file. If not + defined then "windres" will be used. The WINDRES environment + variable is synonymous to this. If both are defined then RC + takes precedence. + + RANLIB + The name of the ranlib executable to use. + + WINDRES + See RC. + + Makefile targets + ---------------- + + The Configure script generates a Makefile in a format relevant to the specific + platform. The Makefiles provide a number of targets that can be used. Not all + targets may be available on all platforms. Only the most common targets are + described here. Examine the Makefiles themselves for the full list. + + all + The default target to build all the software components. + + clean + Remove all build artefacts and return the directory to a "clean" + state. + + depend + Rebuild the dependencies in the Makefiles. This is a legacy + option that no longer needs to be used in OpenSSL 1.1.0. + + install + Install all OpenSSL components. + + install_sw + Only install the OpenSSL software components. + + install_docs + Only install the OpenSSL documentation components. + + install_man_docs + Only install the OpenSSL man pages (Unix only). + + install_html_docs + Only install the OpenSSL html documentation. + + list-tests + Prints a list of all the self test names. - To compile an application that uses old filenames -- e.g. - "#include <ssl.h>" --, it will usually be enough to find - the CFLAGS definition in the application's Makefile and - add a C option such as + test + Build and run the OpenSSL self tests. - -I/usr/local/ssl/include/openssl + uninstall + Uninstall all OpenSSL components. - to it. + reconfigure + reconf + Re-run the configuration process, as exactly as the last time + as possible. - But don't delete the existing -I option that points to - the ..../include directory! Otherwise, OpenSSL header files - could not #include each other. + update + This is a developer option. If you are developing a patch for + OpenSSL you may need to use this if you want to update + automatically generated files; add new error codes or add new + (or change the visibility of) public API functions. (Unix only). - * WRITING applications + TESTS in Detail + --------------- - To write an application that is able to handle both the new - and the old directory layout, so that it can still be compiled - with library versions up to OpenSSL 0.9.2b without bothering - the user, you can proceed as follows: + The make variable TESTS supports a versatile set of space separated tokens + with which you can specify a set of tests to be performed. With a "current + set of tests" in mind, initially being empty, here are the possible tokens: - - Always use the new filename of OpenSSL header files, - e.g. #include <openssl/ssl.h>. + alltests The current set of tests becomes the whole set of available + tests (as listed when you do 'make list-tests' or similar). + xxx Adds the test 'xxx' to the current set of tests. + -xxx Removes 'xxx' from the current set of tests. If this is the + first token in the list, the current set of tests is first + assigned the whole set of available tests, effectively making + this token equivalent to TESTS="alltests -xxx". + nn Adds the test group 'nn' (which is a number) to the current + set of tests. + -nn Removes the test group 'nn' from the current set of tests. + If this is the first token in the list, the current set of + tests is first assigned the whole set of available tests, + effectively making this token equivalent to + TESTS="alltests -xxx". - - Create a directory "incl" that contains only a symbolic - link named "openssl", which points to the "include" directory - of OpenSSL. - For example, your application's Makefile might contain the - following rule, if OPENSSLDIR is a pathname (absolute or - relative) of the directory where OpenSSL resides: + Also, all tokens except for "alltests" may have wildcards, such as *. + (on Unix and Windows, BSD style wildcards are supported, while on VMS, + it's VMS style wildcards) - incl/openssl: - -mkdir incl - cd $(OPENSSLDIR) # Check whether the directory really exists - -ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl + Example: All tests except for the fuzz tests: - You will have to add "incl/openssl" to the dependencies - of those C files that include some OpenSSL header file. + $ make TESTS=-test_fuzz test - - Add "-Iincl" to your CFLAGS. + or (if you want to be explicit) - With these additions, the OpenSSL header files will be available - under both name variants if an old library version is used: - Your application can reach them under names like <openssl/foo.h>, - while the header files still are able to #include each other - with names of the form <foo.h>. + $ make TESTS='alltests -test_fuzz' test + Example: All tests that have a name starting with "test_ssl" but not those + starting with "test_ssl_": + + $ make TESTS='test_ssl* -test_ssl_*' test + + Example: Only test group 10: + + $ make TESTS='10' + + Example: All tests except the slow group (group 99): + + $ make TESTS='-99' + + Example: All tests in test groups 80 to 99 except for tests in group 90: + + $ make TESTS='[89]? -90' Note on multi-threading ----------------------- @@ -313,53 +1151,67 @@ you can still use "no-threads" to suppress an annoying warning message from the Configure script.) - - Note on shared libraries - ------------------------ - - Shared libraries have certain caveats. Binary backward compatibility - can't be guaranteed before OpenSSL version 1.0. The only reason to - use them would be to conserve memory on systems where several programs - are using OpenSSL. - - For some systems, the OpenSSL Configure script knows what is needed to - build shared libraries for libcrypto and libssl. On these systems, - the shared libraries are currently not created by default, but giving - the option "shared" will get them created. This method supports Makefile - targets for shared library creation, like linux-shared. Those targets - can currently be used on their own just as well, but this is expected - to change in future versions of OpenSSL. + OpenSSL provides built-in support for two threading models: pthreads (found on + most UNIX/Linux systems), and Windows threads. No other threading models are + supported. If your platform does not provide pthreads or Windows threads then + you should Configure with the "no-threads" option. + + Notes on shared libraries + ------------------------- + + For most systems the OpenSSL Configure script knows what is needed to + build shared libraries for libcrypto and libssl. On these systems + the shared libraries will be created by default. This can be suppressed and + only static libraries created by using the "no-shared" option. On systems + where OpenSSL does not know how to build shared libraries the "no-shared" + option will be forced and only static libraries will be created. + + Shared libraries are named a little differently on different platforms. + One way or another, they all have the major OpenSSL version number as + part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of + the name. + + On most POSIXly platforms, shared libraries are named libcrypto.so.1.1 + and libssl.so.1.1. + + on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll + with import libraries libcrypto.dll.a and libssl.dll.a. + + On Windows build with MSVC or using MingW, shared libraries are named + libcrypto-1_1.dll and libssl-1_1.dll for 32-bit Windows, libcrypto-1_1-x64.dll + and libssl-1_1-x64.dll for 64-bit x86_64 Windows, and libcrypto-1_1-ia64.dll + and libssl-1_1-ia64.dll for IA64 Windows. With MSVC, the import libraries + are named libcrypto.lib and libssl.lib, while with MingW, they are named + libcrypto.dll.a and libssl.dll.a. + + On VMS, shareable images (VMS speak for shared libraries) are named + ossl$libcrypto0101_shr.exe and ossl$libssl0101_shr.exe. However, when + OpenSSL is specifically built for 32-bit pointers, the shareable images + are named ossl$libcrypto0101_shr32.exe and ossl$libssl0101_shr32.exe + instead, and when built for 64-bit pointers, they are named + ossl$libcrypto0101_shr64.exe and ossl$libssl0101_shr64.exe. Note on random number generation -------------------------------- Availability of cryptographically secure random numbers is required for secret key generation. OpenSSL provides several options to seed the - internal PRNG. If not properly seeded, the internal PRNG will refuse + internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse to deliver random bytes and a "PRNG not seeded error" will occur. - On systems without /dev/urandom (or similar) device, it may be necessary - to install additional support software to obtain random seed. - Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(), - and the FAQ for more information. - - Note on support for multiple builds - ----------------------------------- - - OpenSSL is usually built in its source tree. Unfortunately, this doesn't - support building for multiple platforms from the same source tree very well. - It is however possible to build in a separate tree through the use of lots - of symbolic links, which should be prepared like this: - - mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" - cd objtree/"`uname -s`-`uname -r`-`uname -m`" - (cd $OPENSSL_SOURCE; find . -type f) | while read F; do - mkdir -p `dirname $F` - rm -f $F; ln -s $OPENSSL_SOURCE/$F $F - echo $F '->' $OPENSSL_SOURCE/$F - done - make -f Makefile.org clean - - OPENSSL_SOURCE is an environment variable that contains the absolute (this - is important!) path to the OpenSSL source tree. - - Also, operations like 'make update' should still be made in the source tree. + + The seeding method can be configured using the --with-rand-seed option, + which can be used to specify a comma separated list of seed methods. + However in most cases OpenSSL will choose a suitable default method, + so it is not necessary to explicitely provide this option. Note also + that not all methods are available on all platforms. + + I) On operating systems which provide a suitable randomness source (in + form of a system call or system device), OpenSSL will use the optimal + available method to seed the CSPRNG from the operating system's + randomness sources. This corresponds to the option --with-rand-seed=os. + + II) On systems without such a suitable randomness source, automatic seeding + and reseeding is disabled (--with-rand-seed=none) and it may be necessary + to install additional support software to obtain a random seed and reseed + the CSPRNG manually. Please check out the manual pages for RAND_add(), + RAND_bytes(), RAND_egd(), and the FAQ for more information. |