Tool to calculate CRC32 for Amlogic environment partition? - Android Stick & Console AMLogic based Computers

The Amlogic environment partition has two copies of the environment. Usually each copy is different than the other. I'd like to be able to quickly calculate the CRC32 for these using only the entire environment partition as input, rather than a text file. This would allow quick flashing of an edited environment during development and testing.
I've tried mkenvimage, but it only works using text files as input. Even when using a text file as input, the CRC32 fails and the default environment is loaded instead. Some of the comments at the link for mkenvimage describe the same sort of problem.
So, I decided to just try to write a python script that would use the raw environment partition as input. But I haven't been able to generate the same CRC32 as the original unedited partition image. Perhaps I have the address range for the checksum calculation wrong, but I copied it from the source for mkenvimage.
Are there any other existing scripts or tools that calculate the amlogic environment checksum quickly?

Related

[BASIC DONE] A simplified 2ndinit (2ndihkvc) for experimenting

>>>> In a post further down, I have released a updated zip file which contains the 2ndihkvc program as well as its source as well as few support scripts to allow experimentation with this mechanism of multiple user spaces <<<<
Hi All
I have been following the below thread, as well as working on my own on some of the concepts. You can get the details till now from my posts in the below thread.
http://forum.xda-developers.com/showthread.php?t=1378886
I was not able to get the SETREGS to succeed in setting PC required for the current/existing 2nd-init logic, nor wait was waiting to lock the process, SO I tried a new and simpler alternate method for triggering/execve the init process a 2nd time using only POKE and it seems to have succeeded. I am guessing this based on my nooktablet having got messed up and it keeps rebooting again and again when it reaches my logic potentially. I have to restore back to factory settings and try afresh in the morning (Well it is almost morning ;-) now here) with few more debug messages to pin point it fully.
The code I am injecting directly into init process is in the attached txt file which is actually a .s (assembly file). (NOTE: Currently I am not handling environment variables, not sure if that is causing my boot to keep looping).
In turn the logic to hijack the init process and inject the code is as simple as
Step1) PTRACE_ATTACH
Step2) PTRACE_GETREGS
Step3) PTRACE_POKETEXT (Regs.ARM_pc, code to inject)
Step4) PTRACE_CONT
Step5) PTRACE_DETACH
I will upload the code in a day or two - however the jist of the logic is above, if anyone wants to experiment on their own.
NOTE: The code is very simple and experimental and expects the pc address to be known before hand to massage the .s file appropriately.
NOTE: The above algo with the corresponding .s file is still EXPERIMENTAL and also requires additional shell scripts to get access to the boot flow to trigger the hijack. And the current code will break the nooktab booting, so don't experiment this logic and the .s file unless you know what you are doing.
NOTE: I am not that much into Custom Roms etc, so don't expect anything much shortly wrt Custom Roms etc, this is just a experimentation for myself and to feel happy inspite of BN removing some useful features like sideloading as well as forcing a signed bootloader on everyone.
can you make a 2-init zip like on the milestone
http://forum.xda-developers.com/showthread.php?t=998425
because then the devs can go on and make a recovery
Bit more exploration with init hijacking - 2ndihkvc src package for EXPERIMENTATION
Hi,
NOTE: Source code package is attached with this message. However this is WIP and provided for anyone wanting to EXPERIMENT on their own parallel to me. Because I think the basic logic is done now. It is more of cleaning up the init rc files and or killing some additional tasks before restarting init or some such things HOPEFULLY (NO harm in hoping and being positive . HOWEVER NOTE that the current version will loop your boot and fail. I have put a timed triggering logic to try and reduce the risk, check out the documents in the package, but it can factory reset or worst case wipe your partitions and render the nooktab dead.
After yesterdays initial init hijacking, I have cleaned up the .s file so that it passes the Args properly as well as added the environment variables set by Android by default. Also the ptrace code I have updated to do relocation (using a simple custom table) of injected code. Also rather than a minimal ptrace code, I have put a bit more full fledged one with my logic as well as skrilax's logic as well as reg dumping and few other stuff to help experimenters.
In turn I have cross verified, that init is actually getting restarted and it is running thro the scripts and setting up the properties as specified by my modified default.prop as well as in the process rerunning all the commands/services/prgs.
However some where beyond rild/vold sequence it seems to be blocking and looping the boot. Also I had modified the init a bit, have to check that also once later.
Enjoy and experiment
NOTE: Not sure how to avoid having to put the same message in two threads. I created this thread only becasue the original thread was in the wrong category (i.e non development), when it should have been in development also.
This is interesting. I have minimal experience with assembly, none of it ARM. I would like to help, if possible. I appreciate the work you have put into this. I'm really hoping to be able to have CM7 on this tablet eventually.
Sent from my BNTV250 using xda premium
Potentially working Alternate Userspace in uSD using 2ndihkvc
Hi All,
I have updated my 2ndihkvc package a bit more and now you can boot into a ALTERNATE Android user space in uSD (NOTE: Userspace only and not kernel - locked bootloader doesn't allow alternate kernel).
For this you require to copy your required android /system and /data partitions into a MicroSD card in its 2nd and 3rd partitions which should be ext4 (specified in the init.omap4430.rc file in 2ndihkvc directory).
NOTE: Best way of getting a working /system and /data partitions is to ==> After rooting your Nook and removing all unwanted Apps/Junk, make a copy of the /system partition from eMMC to uSD. Same for /data/partition. Then you can copy what ever additional applications you want in this uSD based Android /system/app or /data/app partition. Thus you can have different sets of Android user space in different uSD cards.
Follow the instructions in INSTALL file for experimenting this on your rooted NookTab. BUT REMEMBER IT IS STILL EXPERIMENTAL. ALSO as a SAFETY FEATURE, as of now it will boot into this ALTERNATE MODE (in uSD) only when the current HOUR is specified in the start2ndihkvc.sh file appropriately. Otherwise it tries to boot into the your normal Andorid system in eMMC. This should hopefull CATCH any mistake, BUT THIS IS NOT GUARENTEED AND THIS IS A DANGEROUS THING TO EXPERIMENT, UNLESS YOU KNOW WHAT YOU ARE DOING.
NOTE: One time it did reboot from my alternate android system, I haven't debugged this yet, as it has not occured after it (Well I have tried only once more) so cann't say one way or the other yet. But definitely, there are some corner cases.
NOTE: If something gets messed up or if something is different or even if there is some corner case in my code, which I haven't handled yet, it may MESS UP your NOOK TAB so EXPERIMENT WITH THIS only if you know how to recover on your own, provided the NOOKTAB is recoverable (90% should be, but NO GAURENTEE).
Now the BRAVE HEARTS can experiment and Enjoy a alternate Andorid system in uSD card.
NOTE: With this one should be able to boot into any Custom ROM after suitable updation of the scripts in my zip file, as well as by copying their /system and /data/ partitions into uSD 2nd and 3rd partitions. AS long AS that Custome ROM doesn't have any specific kernel requirements.
BYPASS Kernel and Ramdisk check for People with UART ACCESS
Hi,
NOTE: THis is based on a initial look at the source code and then the objdump of u-boot.bin. I haven't cross checked this yet, because for now I haven't opened up the nooktab for uart access yet. Also this assumes by default booti command is used for booting in BN uboot. If some one wants to use bootm, then a different location requires to be patched wrt the image loading security check.
If you are a lucky ;-) person working with opened up NookTab with UART access, then basically replacing the memory contents of these two offsets with NOP will 90% BYPASS the security check successfully and allow you to boot a MODIFIED KERNEL or RAMDISK as required.
All offsets specified Assuming u-boot is loaded at 0 (adjust for the actual address where u-boot.bin is loaded, haven't looked into that yet).
Check for Security check of Kernel image is at
[ORIG] 0x48c0 => bne 0x48d8 (0x1a00.0004)
Make this a NOP by overwriting using uboot memory write command to
[MODI] 0x48c0 => mov r0, r0 (0xe1a0.0000)
Check for Security check of RAMDisk image is at
[ORIG] 0x4928 => bne 0x4958 (1a00.000a)
Make this a NOP by overwriting with
[MODI] 0x4928 => mov r0, r0 (0xe1a0.0000)
Someone (Hi Adamoutler, maybe you) with opened up NookTab can try this and tell me if it worked or not.
NOTE: you have to add up the actual u-boot load address to the offsets specified.
UPDATE1: It appears the load address is either
Possibility 1) 0x80e8.0000 OR
Possibility 2) 0x80e8.0000-0x120 (More likely).
Have to dig thro bit more, but one of these two will potentially work.
So that means to NOP RAMDisk security check the offset is
Possibility 1 ==> 0x80e8.0000+0x4928
Possibility 2 ==> 0x80e8.0000-0x120+0x4928 (More likely)
Best is to cross check if the resultant address contains the BNE instruction bytes specified above.
Same concept applies for the Kernel security check Nopping offset.
NOTE: It appears there is a 0x120 size header before the actual u-boot.bin code starts and in turn, when I did the objdump, it included the 0x120 bytes of header also assumed as code. And inturn the full (including the header) u-boot.bin or for that matter the u-boot from emmc seems to load into 0x80e8.0000-0x120.
UPDATE 2:
Code around the locations to be noped to help identify the same in memory, in case my offset calculations are wrong
48b4: eb0030f1 bl 0x10c80
48b8: e59d3010 ldr r3, [sp, #16]
48bc: e3530000 cmp r3, #0
48c0: 1a000004 bne 0x48d8
48c4: e59f0104 ldr r0, [pc, #260] ; 0x49d0
48c8: e594100c ldr r1, [r4, #12]
48cc: e5942008 ldr r2, [r4, #8]
48d0: eb0015db bl 0xa044
............
491c: eb0030d7 bl 0x10c80
4920: e59d3010 ldr r3, [sp, #16]
4924: e3530000 cmp r3, #0
4928: 1a00000a bne 0x4958
492c: e59f00a4 ldr r0, [pc, #164] ; 0x49d8
4930: e5941014 ldr r1, [r4, #20]
4934: e5942010 ldr r2, [r4, #16]
4938: eb0015c1 bl 0xa044
UPDATE 3: ... for a rainy day in future ;-)
UPDATE 4: For maximum success, first try a changed RAMDisk rather than Changed Kernel. If Changed Ramdisk works then try Changed Kernel (THere is one more thing in Code, which I am not sure if it will impact a modified kernel or not yet, only way is to experiment).
How can I run 2ndihkvc just to load a new default.prop using the existing userspace? What I did so far was to remount / in rw, updated default.prop, pushed 2ndihkvc to /data/local/, changed permissions to 755 and executed. Here is the output
Code:
# ./2ndihkvc -p 1 -w 0 -c 0 -m 2
INFO:2ndihkvc:v30Dec_2020:
INFO:2ndihkvc: Tracing process with pid = 1
INFO:2ndihkvc: NewPrg = /init
WARN: RESPECT_WAIT disabled
WARN: Mode = MODE_INJECT_HKVC2
INFO: ContType = CONTINUE
INFO:2ndihkvc:PTRACE: Attached to (1)
INFO:2ndihkvc: Giving 2 secs to the likely traced process
ERROR:2ndihkvc:WAIT:Failed (No child processes)
INFO:2ndihkvc:hkvc2: InjectAddr (Regs->ARM_pc) = 0xffff0520
INFO:2ndihkvc:hkvc2: /init found at offset 0x100
INFO:2ndihkvc:hkvc2:ProgramToExecute: /init replaced with /init
INFO:2ndihkvc:hkvc2: At offset 0x208 relocating from 0x100 to 0xffff0620
INFO:2ndihkvc:hkvc2: At offset 0x200 relocating from 0x208 to 0xffff0728
INFO:2ndihkvc:hkvc2: At offset 0x280 relocating from 0x288 to 0xffff07a8
INFO:2ndihkvc:hkvc2: At offset 0x288 relocating from 0x300 to 0xffff0820
INFO:2ndihkvc:hkvc2: At offset 0x28c relocating from 0x307 to 0xffff0827
INFO:2ndihkvc:hkvc2: At offset 0x290 relocating from 0x312 to 0xffff0832
ERROR:PTRACE:POKE failed at location ffff0520
INFO:2ndihkvc:PTRACE: Continue/SingleStep ...
INFO:2ndihkvc: Detaching...
ERROR:2ndihkvc:PTRACE: Failed DETACH (No such process)
#
Do I need to push your init to /system/2ndihkvc/init? I am just trying to play around with it and Adam's BHT just to see what I can do them. Thanks.
Hi Brianf21,
As specified in the INSTALL file with in my zip
Copy my 2ndihkvc.zip file to /data/local/tmp
Then mount /system in rw mode.
Next unzip 2ndihkvc.zip into /system. It should create 2ndihkvc folder.
Next run ./install.sh from with in 2ndihkvc folder.
This will setup the boot process to start into 2ndihkvc. And it inturn will restart init with new set of init.*.rc as well as default.prop files.
Have a look at the 2ndihkvc folder, it already contains a default.prop file. If you want to change anything in default.prop then do the changes in this default.prop in /system/2ndihkvc folder.
Also remember to change the time check in start2ndihkvc.sh file in /system/2ndihkvc folder to the current hour, when you will be experimenting. Otherwise, it will not run 2ndihkvc, but continue with the normal Android init flow.
Cross check my INSTALL file once again for the details/steps to setup 2ndihkvc.
Once you have done the above. When you restart your system, it will trigger 2ndihkvc as required and the default.prop will be the new one which you would have edited/updated in /system/2ndihkvc/ folder.
NOTE: Looking at the address, it seems like you had tried 2ndihkvc once before in the same session. Try following the install step specified above/In the 2ndihkvc zip file and see. There is a minimally modified version of init.omap4430.rc and default.prop already in the 2ndihkvc folder, modify those if you want to modify them. This is because start2ndihkvc.sh will copy these files from /system/2ndihkvc/ folder when it is run to restart init.
I will have to read more, to avoid setting up system and data up on an sdcard. Once the setup is done, will it always hijack init for every following boot until it is removed or only one reboot? i am just to get a clearer picture of what's going on, I wanted to just see the hijack of init work independently of the other processes.. I kind of like to break things down into parts so I can get a better understanding of the entire process. Thanks for the work you've out in so far.
hkvc said:
Hi Brian21,
As specified in the INSTALL file with in my zip
Copy my 2ndihkvc.zip file to /data/local/tmp
Then mount /system in rw mode.
Next unzip 2ndihkvc.zip into /system. It should create 2ndihkvc folder.
Next run ./install.sh from with in 2ndihkvc folder.
This will setup the boot process to start into 2ndihkvc. And it inturn will restart init with new set of init.*.rc as well as default.prop files.
Have a look at the 2ndihkvc folder, it already contains a default.prop file. If you want to change anything in default.prop then do the changes in this default.prop in /system/2ndihkvc folder.
Also remember to change the time check in start2ndihkvc.sh file in /system/2ndihkvc folder to the current hour, when you will be experimenting. Otherwise, it will not run 2ndihkvc, but continue with the normal Android init flow.
Cross check my INSTALL file once again for the details/steps to setup 2ndihkvc.
Once you have done the above. When you restart your system, it will trigger 2ndihkvc as required and the default.prop will be the new one which you would have edited/updated in /system/2ndihkvc/ folder.
NOTE: Looking at the address, it seems like you had tried 2ndihkvc once before in the same session. Try following the install step specified above/In the 2ndihkvc zip file and see. There is a minimally modified version of init.omap4430.rc and default.prop already in the 2ndihkvc folder, modify those if you want to modify them. This is because start2ndihkvc.sh will copy these files from /system/2ndihkvc/ folder when it is run to restart init.
Click to expand...
Click to collapse
brianf21 said:
I will have to read more, to avoid setting up system and data up on an sdcard. Once the setup is done, will it always hijack init for every following boot until it is removed or only one reboot? i am just to get a clearer picture of what's going on, I wanted to just see the hijack of init work independently of the other processes.. I kind of like to break things down into parts so I can get a better understanding of the entire process. Thanks for the work you've out in so far.
Click to expand...
Click to collapse
If all you are interested is run 2ndihkvc with a modified default.prop but no other modification (i.e no uSD /system and /data partitions), then
a) overwrite the init.omap4430.rc in /system/2ndihkvc with the one in / . However if you have already booted into a system with 2ndihkvc then in /data/local/tmp.
Or if required you can directly edit the init.omap4430.rc in /system/2ndihkvc and update the mount commands in there to mount from emmc instead of uSD.
b) Remove the 2 lines in restart-userspace.sh corresponding to mount -o move ....
This will allow you to boot into a system with a modified default.prop but no other change from a runtime perspective (unless I have forgotten something).
Also 2ndihkvc will be applied each time boot into NookTab provided the current hour matches the hour set in start2ndihkvc.sh. Once the current hour no longer matches the hour set in the sh file, it will boot into the normal BN Nooktab environment.
NOTE: I purposefully modified the init.omap4430.rc file to replace the /system and /data from emmc to uSD, so that if someone is experimenting something, he doesn't corrupt the emmc easily as long as he doesn't become root user. HOWEVER with root access emmc can still get corrupted if one is not careful, because eMMC is still available and mounted.
tried but rebooted few times until factory reset kicked in
Hi,
ok. maybe a bit too optimistic, but I compiled ICS for pandaboard and put the system to sd card (partition 1 ext4 empty, partion 2 ext4 system with panda stuff, partion 3 data, partition 4 empty).
I hit adb reboot and the device booted a few times until it restored factory. Uff.
Is there a way without serial console to see what happens?
There's also small glitch in install.sh. It doesn't find init.rc in /system/2ndihkvc.
Rgds,
Chris
chrmhoffmann said:
Hi,
The device booted a few times until it restored factory. Uff.
Click to expand...
Click to collapse
If it's counting boots like the Nook Color you can stop it by running this (if the rom partition is mounted at /rom-- it's p2 on nc and I guess p5 on nt).
chrmhoffmann said:
Hi,
ok. maybe a bit too optimistic, but I compiled ICS for pandaboard and put the system to sd card (partition 1 ext4 empty, partion 2 ext4 system with panda stuff, partion 3 data, partition 4 empty).
I hit adb reboot and the device booted a few times until it restored factory. Uff.
Is there a way without serial console to see what happens?
There's also small glitch in install.sh. It doesn't find init.rc in /system/2ndihkvc.
Rgds,
Chris
Click to expand...
Click to collapse
Hi,
The missing init.rc is not a glitch, I purposefully left it out while packaging, so that one doesn't modify it drastically and botch up the boot. init.4430.rc is the only thing required to change the mount partitions.
Also if you are using my default start2ndihkvc.sh script, then it has a time check, so while xperimenting if you have goofed up. Just let the time you have set in this script pass by (i.e don't power on), then it will automatically go back to the stock NT boot, thus avoiding the factory reset.

How to extract kallsyms from u-boot of S6(aarch64)?

Hi, I need help.
Long time ago I was looking for a way to extract kallsyms from boot/zImage (Android) without running the kernel (statically).
I found this:
at github.com look for fi01/kallsymsprint
This worked and served well for ARM32 kernels. It was able to find and extract kallsyms (offset + function name). It was limited to known 6 patterns of kallsyms locations, but still was better than nothing.
Now, new devices are coming (Samsung S6 Series, for example) based on ARM64 (aarch64). It is UBOOT images, with uncompressed kernel. The tool (above) does not work anymore.
I was trying to do some manual work and figured out following:
0xffffffc000206000 is offset of the first 3 kallsyms functions, so I was able to find where kallsyms_addresses table starts.
It was found at aarch64.img (SM-G920 kernel) at offset from 0xc19800 to 0xc96088 (size is 510088 or 0x7C888). There are 0xF911 (63761) symbols (11 F9 00 00), and kallsyms_num_syms is located at 0xc96090 (after 0x78 (120) zero bytes after table ends).
Next data block of something starts at 0xc96190
Looks like all sections inside kernel are 32-byte aligned.
I was able to find some text part at 0x007d5f90.
Something that looks like some table (maybe not related) at 0x08403504.
Another table at 0x00e8eb20 - 0x00eb6a00.
Update:
kallsyms_in_memory_addresses 0xc19790
kallsyms_in_memory_num_syms 0x0000f911 (at 0xc96090)
kallsyms_in_memory_names 0xc96190
kallsyms_type_table ? 0xd56198
kallsyms_in_memory_markers 0xd56990
kallsyms_token_table 0xd56d90
Who can give any idea how to modify the kallsymsprint code or explain how to find and extract the kallsyms?

General Intro to Cryptography By a Noob

Hello Friends~!
I have built information trees, to teach you about these tools. I was originally going to package them all together, but in my efforts of doing so I realize that the process was getting too convoluted, when there is already an excellent "package manager" called Chocolatey that will allow us to Download all These and more, with "wrapped" permissions, meaning you don't have to go into settings, and program environment variables for Every Single Program you want to install. I will make a separate thread on Chocolatey and explain better what it is, and how to use it
READ THE WARNING IN THE THREAD BELOW BEFORE DOWNLOADING OPENSSL
TOOLS FOR ENCRYPTION AND BUILDING APPLICATIONS, SOURCES
Spoiler: OPENSSL
Please read the WARNING on this Thread about CRYPTOGRAPHY before downloading...
Spoiler: THREAD
How to Make and Sign a Driver and Certificate: Intro To Encryption
========================================= HOW TO MAKE AND SIGN, A DRIVER AND CERTIFICATE: INTRO TO ENCRYPTION~! ========================================= Today we are going to get our feet a little wet in Cryptography~! Why would I need this...
forum.xda-developers.com
Spoiler: DOWNLOAD
GitHub - openssl/openssl: TLS/SSL and crypto library
TLS/SSL and crypto library. Contribute to openssl/openssl development by creating an account on GitHub.
github.com
You need to click on Clone, then download zip.
Spoiler: LIKE THIS
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Spoiler: WHAT IS OPEN SSL
Spoiler: README
Welcome to the OpenSSL Project
www.openssl.org
OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit
for the Transport Layer Security (TLS) protocol formerly known as the
Secure Sockets Layer (SSL) protocol. The protocol implementation is based
on a full-strength general purpose cryptographic library, which can also
be used stand-alone.
OpenSSL is descended from the SSLeay library developed by Eric A. Young
and Tim J. Hudson.
The official Home Page of the OpenSSL Project is [www.openssl.org].
Spoiler: OVERVIEW
The OpenSSL toolkit includes:
- **libssl**
an implementation of all TLS protocol versions up to TLSv1.3 ([RFC 8446]).
- **libcrypto**
a full-strength general purpose cryptographic library. It constitutes the
basis of the TLS implementation, but can also be used independently.
- **openssl**
the OpenSSL command line tool, a swiss army knife for cryptographic tasks,
testing and analyzing. It can be used for
- creation of key parameters
- creation of X.509 certificates, CSRs and CRLs
- calculation of message digests
- encryption and decryption
- SSL/TLS client and server tests
- handling of S/MIME signed or encrypted mail
- and more...
Spoiler: FOR PRODUCTION USE
Source code tarballs of the official releases can be downloaded from
[www.openssl.org/source](https://www.openssl.org/source).
The OpenSSL project does not distribute the toolkit in binary form.
However, for a large variety of operating systems precompiled versions
of the OpenSSL toolkit are available. In particular on Linux and other
Unix operating systems it is normally recommended to link against the
precompiled shared libraries provided by the distributor or vendor.
Spoiler: FOR TESTING AND DEVELOPMENT
Although testing and development could in theory also be done using
the source tarballs, having a local copy of the git repository with
the entire project history gives you much more insight into the
code base.
The official OpenSSL Git Repository is located at [git.openssl.org].
There is a GitHub mirror of the repository at [github.com/openssl/openssl],
which is updated automatically from the former on every commit.
A local copy of the Git Repository can be obtained by cloning it from
the original OpenSSL repository using
git clone git://git.openssl.org/openssl.git
or from the GitHub mirror using
git clone https://github.com/openssl/openssl.git
If you intend to contribute to OpenSSL, either to fix bugs or contribute
new features, you need to fork the OpenSSL repository openssl/openssl on
GitHub and clone your public fork instead.
git clone https://github.com/yourname/openssl.git
This is necessary, because all development of OpenSSL nowadays is done via
GitHub pull requests. For more details, see [Contributing](#contributing).
Spoiler: BUILD AND INSTALL
After obtaining the Source, have a look at the [INSTALL](INSTALL.md) file for
detailed instructions about building and installing OpenSSL. For some
platforms, the installation instructions are amended by a platform specific
document.
* [Notes for UNIX-like platforms](NOTES-UNIX.md)
* [Notes for Android platforms](NOTES-ANDROID.md)
* [Notes for Windows platforms](NOTES-WINDOWS.md)
* [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
* [Notes for the OpenVMS platform](NOTES-VMS.md)
* [Notes on Perl](NOTES-PERL.md)
* [Notes on Valgrind](NOTES-VALGRIND.md)
Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as
known issues are available on the [OpenSSL 3.0 Wiki] page.
Spoiler: DOCUMENTATION
Manual Pages
------------
The manual pages for the master branch and all current stable releases are
available online.
- [OpenSSL master](https://www.openssl.org/docs/manmaster)
- [OpenSSL 1.1.1](https://www.openssl.org/docs/man1.1.1)
Wiki
----
There is a Wiki at [wiki.openssl.org] which is currently not very active.
It contains a lot of useful information, not all of which is up to date.
License
=======
OpenSSL is licensed under the Apache License 2.0, which means that
you are free to get and use it for commercial and non-commercial
purposes as long as you fulfill its conditions.
See the [LICENSE.txt](LICENSE.txt) file for more details.
Support
=======
There are various ways to get in touch. The correct channel depends on
your requirement. see the [SUPPORT](SUPPORT.md) file for more details.
Contributing
============
If you are interested and willing to contribute to the OpenSSL project,
please take a look at the [CONTRIBUTING](CONTRIBUTING.md) file.
Legalities
==========
A number of nations restrict the use or export of cryptography. If you are
potentially subject to such restrictions you should seek legal advice before
attempting to develop or distribute cryptographic code.
Copyright
=========
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
<!-- Links -->
[www.openssl.org]:
<https://www.openssl.org>
"OpenSSL Homepage"
[git.openssl.org]:
<https://git.openssl.org>
"OpenSSL Git Repository"
[git.openssl.org]:
<https://git.openssl.org>
"OpenSSL Git Repository"
[github.com/openssl/openssl]:
<https://github.com/openssl/openssl>
"OpenSSL GitHub Mirror"
[wiki.openssl.org]:
<https://wiki.openssl.org>
"OpenSSL Wiki"
[OpenSSL 3.0 Wiki]:
<https://wiki.openssl.org/index.php/OpenSSL_3.0>
"OpenSSL 3.0 Wiki"
[RFC 8446]:
<https://tools.ietf.org/html/rfc8446>
<!-- Logos and Badges -->
[openssl logo]:
doc/images/openssl.svg
"OpenSSL Logo"
[github actions ci badge]:
<https://github.com/openssl/openssl/workflows/GitHub CI/badge.svg>
"GitHub Actions CI Status"
[github actions ci]:
<https://github.com/openssl/openssl/actions?query=workflow:"GitHub+CI">
"GitHub Actions CI"
[appveyor badge]:
<https://ci.appveyor.com/api/projects/status/8e10o7xfrg73v98f/branch/master?svg=true>
"AppVeyor Build Status"
[appveyor jobs]:
<https://ci.appveyor.com/project/openssl/openssl/branch/master>
"AppVeyor Jobs"
Spoiler: INSTALLATION AND EXPLANATION OF SYSTEMS
This document describes installation on all supported operating
systems (the Unix/Linux family, including macOS), OpenVMS,
and Windows).
Spoiler: TABLE OF CONTENTS
Spoiler: PREREQUISITES
To install OpenSSL, you will need:
* A "make" implementation
* Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md))
* The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md))
* an ANSI C compiler
* a development environment in the form of development libraries and C
header files
* a supported operating system
Spoiler: NOTATIONAL CONVENTIONS
Throughout this document, we use the following conventions.
Spoiler: COMMANDS
Any line starting with a dollar sign is a command line.
$ command
The dollar sign indicates the shell prompt and is not to be entered as
part of the command.
Spoiler: CHOICES
Several words in curly braces separated by pipe characters indicate a
**mandatory choice**, to be replaced with one of the given words.
Spoiler: EXAMPLE
For example, the line
$ echo { WORD1 | WORD2 | WORD3 }
represents one of the following three commands
$ echo WORD1
- or -
$ echo WORD2
- or -
$ echo WORD3
One or several words in square brackets separated by pipe characters
denote an **optional choice**. It is similar to the mandatory choice,
but it can also be omitted entirely.
Spoiler: EXAMPLE
So the line
$ echo [ WORD1 | WORD2 | WORD3 ]
represents one of the four commands
$ echo WORD1
- or -
$ echo WORD2
- or -
$ echo WORD3
- or -
$ echo
Spoiler: ARGUMENTS
**Optional Arguments** are enclosed in square brackets.
[option...]
A trailing ellipsis means that more than one could be specified.
Spoiler: QUICK INSTALLATION GUIDE
If you just want to get OpenSSL installed without bothering too much
about the details, here is the short version of how to build and install
OpenSSL. If any of the following steps fails, please consult the
[Installation in Detail](#installation-steps-in-detail) section below.
Spoiler: BUILDING OPENSSL
Use the following commands to configure, build and test OpenSSL.
The testing is optional, but recommended if you intend to install
OpenSSL for production use.
Spoiler: UNIX LINUX MAC
$ ./Configure
$ make
$ make test
Spoiler: OPENVMS
Use the following commands to build OpenSSL:
$ perl Configure
$ mms
$ mms test
Spoiler: WINDOWS
If you are using Visual Studio, open a Developer Command Prompt and
issue the following commands to build OpenSSL.
$ perl Configure
$ nmake
$ nmake test
As mentioned in the [Choices](#choices) section, you need to pick one
of the four Configure targets in the first command.
Most likely you will be using the `VC-WIN64A` target for 64bit Windows
binaries (AMD64) or `VC-WIN32` for 32bit Windows binaries (X86).
The other two options are `VC-WIN64I` (Intel IA64, Itanium) and
`VC-CE` (Windows CE) are rather uncommon nowadays.
Spoiler: INSTALLING OPENSSL
The following commands will install OpenSSL to a default system location.
**Danger Zone:** even if you are impatient, please read the following two
paragraphs carefully before you install OpenSSL.
For security reasons the default system location is by default not writable
for unprivileged users. So for the final installation step administrative
privileges are required. The default system location and the procedure to
obtain administrative privileges depends on the operating system.
It is recommended to compile and test OpenSSL with normal user privileges
and use administrative privileges only for the final installation step.
Spoiler: SYSTEMS WITH OPENSSL PREINSTALLED
On some platforms OpenSSL is preinstalled as part of the Operating System.
In this case it is highly recommended not to overwrite the system versions,
because other applications or libraries might depend on it.
To avoid breaking other applications, install your copy of OpenSSL to a
[different location](#installing-to-a-different-location) which is not in
the global search path for system libraries.
Finally, if you plan on using the FIPS module, you need to read the
[Post-installation Notes](#post-installation-notes) further down.
Spoiler: UNIX LINUX MAC
Depending on your distribution, you need to run the following command as
root user or prepend `sudo` to the command:
$ make install
By default, OpenSSL will be installed to
/usr/local
More precisely, the files will be installed into the subdirectories
/usr/local/bin
/usr/local/lib
/usr/local/include
depending on the file type, as it is custom on Unix-like operating systems.
Spoiler: OPENVMS
Use the following command to install OpenSSL.
$ mms install
By default, OpenSSL will be installed to
SYS$COMMON:[OPENSSL]
Spoiler: WINDOWS
Spoiler: USING VISUAL STUDIO
If you are using Visual Studio, open the Developer Command Prompt _elevated_
and issue the following command.
$ nmake install
The easiest way to elevate the Command Prompt is to press and hold down
the both the `<CTRL>` and `<SHIFT>` key while clicking the menu item in the
task menu.
The default installation location is
C:\Program Files\OpenSSL
for native binaries, or
C:\Program Files (x86)\OpenSSL
for 32bit binaries on 64bit Windows (WOW64).
Spoiler: INSTALLING TO A DIFFERENT LOCATION
To install OpenSSL to a different location (for example into your home
directory for testing purposes) run `Configure` as shown in the following
examples.
The options `--prefix` and `--openssldir` are explained in further detail in
[Directories](#directories) below, and the values used here are mere examples.
Spoiler: UNIX OPENVMS
On Unix:
$ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl
On OpenVMS:
$ perl Configure --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
Note: if you do add options to the configuration command, please make sure
you've read more than just this Quick Start, such as relevant `NOTES-*` files,
the options outline below, as configuration options may change the outcome
in otherwise unexpected ways.
Spoiler: CONFIGURATION OPTIONS
There are several options to `./Configure` to customize the build (note that
for Windows, the defaults for `--prefix` and `--openssldir` depend on what
configuration is used and what Windows implementation OpenSSL is built on.
For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md).
Spoiler: API LEVEL
Spoiler: API=X.Y[.Z]
--api=x.y[.z]
Build the OpenSSL libraries to support the API for the specified version.
If [no-deprecated](#no-deprecated) is also given, don't build with support
for deprecated APIs in or below the specified version number. For example,
adding
Spoiler: API=1.1.0 NO-DEPRECATED
--api=1.1.0 no-deprecated
will remove support for all APIs that were deprecated in OpenSSL version
1.1.0 or below. This is a rather specialized option for developers.
If you just intend to remove all deprecated APIs up to the current version
entirely, just specify [no-deprecated](#no-deprecated).
If `--api` isn't given, it defaults to the current (minor) OpenSSL version.
Spoiler: CROSS COMPILE PREFIX
--cross-compile-prefix=<PREFIX>
The `<PREFIX>` to include in front of commands for your toolchain.
It is likely to have to end with dash, e.g. `a-b-c-` would invoke GNU compiler
as `a-b-c-gcc`, etc. Unfortunately cross-compiling is too case-specific to put
together one-size-fits-all instructions. You might have to pass more flags or
set up environment variables to actually make it work. Android and iOS cases
are discussed in corresponding `Configurations/15-*.conf` files. But there are
cases when this option alone is sufficient. For example to build the mingw64
target on Linux `--cross-compile-prefix=x86_64-w64-mingw32-` works. Naturally
provided that mingw packages are installed. Today Debian and Ubuntu users
have option to install a number of prepackaged cross-compilers along with
corresponding run-time and development packages for "alien" hardware. To give
another example `--cross-compile-prefix=mipsel-linux-gnu-` suffices in such
case.
For cross compilation, you must [configure manually](#manual-configuration).
Also, note that `--openssldir` refers to target's file system, not one you are
building on.
Spoiler: BUILD TYPE
--debug
Build OpenSSL with debugging symbols and zero optimization level.
--release
Build OpenSSL without debugging symbols. This is the default.
Spoiler: DIRECTORIES
Spoiler: LIBDIR
--libdir=DIR
The name of the directory under the top of the installation directory tree
(see the `--prefix` option) where libraries will be installed. By default
this is `lib`. Note that on Windows only static libraries (`*.lib`) will
be stored in this location. Shared libraries (`*.dll`) will always be
installed to the `bin` directory.
Some build targets have a multilib postfix set in the build configuration.
For these targets the default libdir is `lib<multilib-postfix>`. Please use
`--libdir=lib` to override the libdir if adding the postfix is undesirable.
Spoiler: OPENSSLDIR
--openssldir=DIR
Directory for OpenSSL configuration files, and also the default certificate
and key store. Defaults are:
Unix: /usr/local/ssl
Windows: C:\Program Files\Common Files\SSL
OpenVMS: SYS$COMMON:[OPENSSL-COMMON]
For 32bit Windows applications on Windows 64bit (WOW64), always replace
`C:\Program Files` by `C:\Program Files (x86)`.
Spoiler: PREFIX
--prefix=DIR
The top of the installation directory tree. Defaults are:
Unix: /usr/local
Windows: C:\Program Files\OpenSSL
OpenVMS: SYS$COMMON:[OPENSSL]
Spoiler: COMPILER WARNINGS
--strict-warnings
This is a developer flag that switches on various compiler options recommended
for OpenSSL development. It only works when using gcc or clang as the compiler.
If you are developing a patch for OpenSSL then it is recommended that you use
this option where possible.
Spoiler: ZLIB FLAGS
Spoiler: WITH-ZLIB-INCLUDE
--with-zlib-include=DIR
The directory for the location of the zlib include file. This option is only
necessary if [zlib](#zlib) is used and the include file is not
already on the system include path.
Spoiler: WITH-ZLIB-LIB
--with-zlib-lib=LIB
Spoiler: UNIX
**On Unix**: this is the directory containing the zlib library.
If not provided the system library path will be used.
Spoiler: WINDOWS
**On Windows:** this is the filename of the zlib library (with or
without a path). This flag must be provided if the
[zlib-dynamic](#zlib-dynamic) option is not also used. If `zlib-dynamic` is used
then this flag is optional and defaults to `ZLIB1` if not provided.
Spoiler: VMS
**On VMS:** this is the filename of the zlib library (with or without a path).
This flag is optional and if not provided then `GNV$LIBZSHR`, `GNV$LIBZSHR32`
or `GNV$LIBZSHR64` is used by default depending on the pointer size chosen.
Spoiler: SEEDING THE RANDOM NUMBER GENERATOR
--with-rand-seed=seed1[,seed2,...]
A comma separated list of seeding methods which will be tried by OpenSSL
in order to obtain random input (a.k.a "entropy") for seeding its
cryptographically secure random number generator (CSPRNG).
The current seeding methods are:
Spoiler: OS
### os
Use a trusted operating system entropy source.
This is the default method if such an entropy source exists.
Spoiler: GETRANDOM
### getrandom
Use the [getrandom(2)][man-getrandom] or equivalent system call.
[man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html
Spoiler: DEVRANDOM
### devrandom
Use the first device from the `DEVRANDOM` list which can be opened to read
random bytes. The `DEVRANDOM` preprocessor constant expands to
"/dev/urandom","/dev/random","/dev/srandom"
on most unix-ish operating systems.
Spoiler: EGD
### egd
Check for an entropy generating daemon.
This source is ignored by the FIPS provider.
Spoiler: RDCPU
### rdcpu
Use the `RDSEED` or `RDRAND` command on x86 or `RNDRRS` command on aarch64
if provided by the CPU.
Spoiler: LIBRANDOM
### librandom
Use librandom (not implemented yet).
This source is ignored by the FIPS provider.
Spoiler: NONE
### none
Disable automatic seeding. This is the default on some operating systems where
no suitable entropy source exists, or no support for it is implemented yet.
This option is ignored by the FIPS provider.
For more information, see the section [Notes on random number generation][rng]
at the end of this document.
[rng]: #notes-on-random-number-generation
Spoiler: SETTING THE FIPS HMAC KEY
Spoiler: FIPS-KEY=VALUE
--fips-key=value
As part of its self-test validation, the FIPS module must verify itself
by performing a SHA-256 HMAC computation on itself. The default key is
the SHA256 value of "the holy handgrenade of antioch" and is sufficient
for meeting the FIPS requirements.
To change the key to a different value, use this flag. The value should
be a hex string no more than 64 characters.
Spoiler: ENABLE AND DISABLE FEATURES
Feature options always come in pairs, an option to enable feature
`xxxx`, and an option to disable it:
[ enable-xxxx | no-xxxx ]
Whether a feature is enabled or disabled by default, depends on the feature.
In the following list, always the non-default variant is documented: if
feature `xxxx` is disabled by default then `enable-xxxx` is documented and
if feature `xxxx` is enabled by default then `no-xxxx` is documented.
Spoiler: NO-AFALGENG
### no-afalgeng
Don't build the AFALG engine.
This option will be forced on a platform that does not support AFALG.
Spoiler: ENABLE-KTLS
### enable-ktls
Build with Kernel TLS support.
This option will enable the use of the Kernel TLS data-path, which can improve
performance and allow for the use of sendfile and splice system calls on
TLS sockets. The Kernel may use TLS accelerators if any are available on the
system. This option will be forced off on systems that do not support the
Kernel TLS data-path.
Spoiler: ENABLE-ASAN
### enable-asan
Build with the Address sanitiser.
This is a developer option only. It may not work on all platforms and should
never be used in production environments. It will only work when used with
gcc or clang and should be used in conjunction with the [no-shared](#no-shared)
option.
Spoiler: ENABLE-ACVP-TESTS
### enable-acvp-tests
Build support for Automated Cryptographic Validation Protocol (ACVP)
tests.
This is required for FIPS validation purposes. Certain ACVP tests require
access to algorithm internals that are not normally accessible.
Additional information related to ACVP can be found at
<https://github.com/usnistgov/ACVP>.
Spoiler: NO-ASM
### no-asm
Do not use assembler code.
This should be viewed as debugging/troubleshooting option rather than for
production use. On some platforms a small amount of assembler code may still
be used even with this option.
Spoiler: NO-ASYNC
### no-async
Do not build support for async operations.
Spoiler: NO-AUTOALGINIT
### no-autoalginit
Don't automatically load all supported ciphers and digests.
Typically OpenSSL will make available all of its supported ciphers and digests.
For a statically linked application this may be undesirable if small executable
size is an objective. This only affects libcrypto. Ciphers and digests will
have to be loaded manually using `EVP_add_cipher()` and `EVP_add_digest()`
if this option is used. This option will force a non-shared build.
Spoiler: NO-AUTOERRINIT
### no-autoerrinit
Don't automatically load all libcrypto/libssl error strings.
Typically OpenSSL will automatically load human readable error strings. For a
statically linked application this may be undesirable if small executable size
is an objective.
Spoiler: NO-AUTOLOAD-CONFIG
### no-autoload-config
Don't automatically load the default `openssl.cnf` file.
Typically OpenSSL will automatically load a system config file which configures
default SSL options.
Spoiler: ENABLE-BUILDTEST-C++
### enable-buildtest-c++
While testing, generate C++ buildtest files that simply check that the public
OpenSSL header files are usable standalone with C++.
Enabling this option demands extra care. For any compiler flag given directly
as configuration option, you must ensure that it's valid for both the C and
the C++ compiler. If not, the C++ build test will most likely break. As an
alternative, you can use the language specific variables, `CFLAGS` and `CXXFLAGS`.
Spoiler: BANNER=TEXT
### --banner=text
Use the specified text instead of the default banner at the end of
configuration.
Spoiler: W
### --w
On platforms where the choice of 32-bit or 64-bit architecture
is not explicitly specified, `Configure` will print a warning
message and wait for a few seconds to let you interrupt the
configuration. Using this flag skips the wait.
Spoiler: NO-BULK
### no-bulk
Build only some minimal set of features.
This is a developer option used internally for CI build tests of the project.
Spoiler: NO-CACHED-FETCH
### no-cached-fetch
Never cache algorithms when they are fetched from a provider. Normally, a
provider indicates if the algorithms it supplies can be cached or not. Using
this option will reduce run-time memory usage but it also introduces a
significant performance penalty. This option is primarily designed to help
with detecting incorrect reference counting.
Spoiler: NO-CAPIENG
### no-capieng
Don't build the CAPI engine.
This option will be forced if on a platform that does not support CAPI.
Spoiler: NO-CMP
### no-cmp
Don't build support for Certificate Management Protocol (CMP)
and Certificate Request Message Format (CRMF).
Spoiler: NO-CMS
### no-cms
Don't build support for Cryptographic Message Syntax (CMS).
Spoiler: NO-COMP
### no-comp
Don't build support for SSL/TLS compression.
If this option is enabled (the default), then compression will only work if
the zlib or `zlib-dynamic` options are also chosen.
Spoiler: ENABLE-CRYPTO-MDEBUG
### enable-crypto-mdebug
This now only enables the `failed-malloc` feature.
Spoiler: ENABLE-CRYPTO-MDEBUG-BACKTRACE
### enable-crypto-mdebug-backtrace
This is a no-op; the project uses the compiler's address/leak sanitizer instead.
Spoiler: NO-CT
### no-ct
Don't build support for Certificate Transparency (CT).
Spoiler: NO-DEPRECATED
### no-deprecated
Don't build with support for deprecated APIs up until and including the version
given with `--api` (or the current version, if `--api` wasn't specified).
Spoiler: NO-DGRAM
### no-dgram
Don't build support for datagram based BIOs.
Selecting this option will also force the disabling of DTLS.
Spoiler: NO-DSO
### no-dso
Don't build support for loading Dynamic Shared Objects (DSO)
Spoiler: ENABLE-DEVCRYPTOENG
### enable-devcryptoeng
Build the `/dev/crypto` engine.
This option is automatically selected on the BSD platform, in which case it can
be disabled with `no-devcryptoeng`.
Spoiler: NO-DYNAMIC-ENGINE
### no-dynamic-engine
Don't build the dynamically loaded engines.
This only has an effect in a shared build.
Spoiler: NO-EC
### no-ec
Don't build support for Elliptic Curves.
Spoiler: NO-EC2M
### no-ec2m
Don't build support for binary Elliptic Curves
Spoiler: ENABLE-EC_NISTP_64_GCC_128
### enable-ec_nistp_64_gcc_128
Enable support for optimised implementations of some commonly used NIST
elliptic curves.
This option is only supported on platforms:
- with little-endian storage of non-byte types
- that tolerate misaligned memory references
- where the compiler:
- supports the non-standard type `__uint128_t`
- defines the built-in macro `__SIZEOF_INT128__`
Spoiler: ENABLE-EGD
### enable-egd
Build support for gathering entropy from the Entropy Gathering Daemon (EGD).
Spoiler: NO-ENGINE
### no-engine
Don't build support for loading engines.
Spoiler: NO-ERR
### no-err
Don't compile in any error strings.
Spoiler: ENABLE-EXTERNAL-TESTS
### enable-external-tests
Enable building of integration with external test suites.
This is a developer option and may not work on all platforms. The following
external test suites are currently supported:
- GOST engine test suite
- Python PYCA/Cryptography test suite
- krb5 test suite
See the file [test/README-external.md](test/README-external.md)
for further details.
Spoiler: NO-FILENAMES
### no-filenames
Don't compile in filename and line number information (e.g. for errors and
memory allocation).
Spoiler: ENABLE-FIPS
### enable-fips
Build (and install) the FIPS provider
Spoiler: NO-FIPS-SECURITYCHECKS
### no-fips-securitychecks
Don't perform FIPS module run-time checks related to enforcement of security
parameters such as minimum security strength of keys.
Spoiler: ENABLE-FUZZ-LIBFUZZER, ENABLE-FUZZ-AFL
### enable-fuzz-libfuzzer, enable-fuzz-afl
Build with support for fuzzing using either libfuzzer or AFL.
These are developer options only. They may not work on all platforms and
should never be used in production environments.
See the file [fuzz/README.md](fuzz/README.md) for further details.
Spoiler: NO-GOST
### no-gost
Don't build support for GOST based ciphersuites.
Note that if this feature is enabled then GOST ciphersuites are only available
if the GOST algorithms are also available through loading an externally supplied
engine.
Spoiler: NO-LEGACY
### no-legacy
Don't build the legacy provider.
Disabling this also disables the legacy algorithms: MD2 (already disabled by default).
Spoiler: NO-MAKEDEPEND
### no-makedepend
Don't generate dependencies.
Spoiler: NO-MODULE
### no-module
Don't build any dynamically loadable engines.
This also implies `no-dynamic-engine`.
Spoiler: NO-MULTIBLOCK
### no-multiblock
Don't build support for writing multiple records in one go in libssl
Note: this is a different capability to the pipelining functionality.
Spoiler: NO-NEXTPROTONEG
### no-nextprotoneg
Don't build support for the Next Protocol Negotiation (NPN) TLS extension.
Spoiler: NO-OCSP
### no-ocsp
Don't build support for Online Certificate Status Protocol (OCSP).
Spoiler: NO-PADLOCKENG
### no-padlockeng
Don't build the padlock engine.
Spoiler: NO-HW-PADLOCK
### no-hw-padlock
As synonym for `no-padlockeng`. Deprecated and should not be used.
Spoiler: NO-PIC
### no-pic
Don't build with support for Position Independent Code.
Spoiler: NO-PINSHARED
### no-pinshared
Don't pin the shared libraries.
By default OpenSSL will attempt to stay in memory until the process exits.
This is so that libcrypto and libssl can be properly cleaned up automatically
via an `atexit()` handler. The handler is registered by libcrypto and cleans
up both libraries. On some platforms the `atexit()` handler will run on unload of
libcrypto (if it has been dynamically loaded) rather than at process exit. This
option can be used to stop OpenSSL from attempting to stay in memory until the
process exits. This could lead to crashes if either libcrypto or libssl have
already been unloaded at the point that the atexit handler is invoked, e.g. on a
platform which calls `atexit()` on unload of the library, and libssl is unloaded
before libcrypto then a crash is likely to happen. Applications can suppress
running of the `atexit()` handler at run time by using the
`OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
See the man page for it for further details.
Spoiler: NO-POSIX-IO
### no-posix-io
Don't use POSIX IO capabilities.
Spoiler: NO-PSK
### no-psk
Don't build support for Pre-Shared Key based ciphersuites.
Spoiler: NO-RDRAND
### no-rdrand
Don't use hardware RDRAND capabilities.
Spoiler: NO-RFC3779
### no-rfc3779
Don't build support for RFC3779, "X.509 Extensions for IP Addresses and
AS Identifiers".
Spoiler: SCTP
### sctp
Build support for Stream Control Transmission Protocol (SCTP).
Spoiler: NO-SHARED
### no-shared
Do not create shared libraries, only static ones.
See [Notes on shared libraries](#notes-on-shared-libraries) below.
Spoiler: NO-SOCK
### no-sock
Don't build support for socket BIOs.
Spoiler: NO-SRP
### no-srp
Don't build support for Secure Remote Password (SRP) protocol or
SRP based ciphersuites.
Spoiler: NO-SRTP
### no-srtp
Don't build Secure Real-Time Transport Protocol (SRTP) support.
Spoiler: NO-SSE2
### no-sse2
Exclude SSE2 code paths from 32-bit x86 assembly modules.
Normally SSE2 extension is detected at run-time, but the decision whether or not
the machine code will be executed is taken solely on CPU capability vector. This
means that if you happen to run OS kernel which does not support SSE2 extension
on Intel P4 processor, then your application might be exposed to "illegal
instruction" exception. There might be a way to enable support in kernel, e.g.
FreeBSD kernel can be compiled with `CPU_ENABLE_SSE`, and there is a way to
disengage SSE2 code paths upon application start-up, but if you aim for wider
"audience" running such kernel, consider `no-sse2`. Both the `386` and `no-asm`
options imply `no-sse2`.
Spoiler: NO-SSL-TRACE
### no-ssl-trace
Don't build with SSL Trace capabilities.
This removes the `-trace` option from `s_client` and `s_server`, and omits the
`SSL_trace()` function from libssl.
Disabling `ssl-trace` may provide a small reduction in libssl binary size.
Spoiler: NO-STATIC-ENGINE
### no-static-engine
Don't build the statically linked engines.
This only has an impact when not built "shared".
Spoiler: NO-STDIO
### no-stdio
Don't use anything from the C header file `stdio.h` that makes use of the `FILE`
type. Only libcrypto and libssl can be built in this way. Using this option will
suppress building the command line applications. Additionally, since the OpenSSL
tests also use the command line applications, the tests will also be skipped.
Spoiler: NO-TESTS
### no-tests
Don't build test programs or run any tests.
Spoiler: NO-THREADS
### no-threads
Don't build with support for multi-threaded applications.
Spoiler: THREADS
### threads
Build with support for multi-threaded applications. Most platforms will enable
this by default. However, if on a platform where this is not the case then this
will usually require additional system-dependent options!
See [Notes on multi-threading](#notes-on-multi-threading) below.
Spoiler: ENABLE-TRACE
### enable-trace
Build with support for the integrated tracing api.
See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details.
Spoiler: NO-TS
### no-ts
Don't build Time Stamping (TS) Authority support.
Spoiler: ENABLE-UBSAN
### enable-ubsan
Build with the Undefined Behaviour sanitiser (UBSAN).
This is a developer option only. It may not work on all platforms and should
never be used in production environments. It will only work when used with
gcc or clang and should be used in conjunction with the `-DPEDANTIC` option
(or the `--strict-warnings` option).
Spoiler: NO-UI-CONSOLE
### no-ui-console
Don't build with the User Interface (UI) console method
The User Interface console method enables text based console prompts.
Spoiler: ENABLE-UNIT-TEST
### enable-unit-test
Enable additional unit test APIs.
This should not typically be used in production deployments.
Spoiler: NO-UPLINK
### no-uplink
Don't build support for UPLINK interface.
Spoiler: ENABLE-WEAK-SSL-CIPHERS
### enable-weak-ssl-ciphers
Build support for SSL/TLS ciphers that are considered "weak"
Enabling this includes for example the RC4 based ciphersuites.
Spoiler: ZLIB
### zlib
Build with support for zlib compression/decompression.
Spoiler: ZLIB-DYNAMIC
### zlib-dynamic
Like the zlib option, but has OpenSSL load the zlib library dynamically
when needed.
This is only supported on systems where loading of shared libraries is supported.
Spoiler: 386
### 386
In 32-bit x86 builds, use the 80386 instruction set only in assembly modules
The default x86 code is more efficient, but requires at least an 486 processor.
Note: This doesn't affect compiler generated code, so this option needs to be
accompanied by a corresponding compiler-specific option.
Spoiler: NO-{PROTOCOL}
### no-{protocol}
no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}
Don't build support for negotiating the specified SSL/TLS protocol.
If `no-tls` is selected then all of `tls1`, `tls1_1`, `tls1_2` and `tls1_3`
are disabled.
Similarly `no-dtls` will disable `dtls1` and `dtls1_2`. The `no-ssl` option is
synonymous with `no-ssl3`. Note this only affects version negotiation.
OpenSSL will still provide the methods for applications to explicitly select
the individual protocol versions.
Spoiler: NO-{PROTOCOL}-METHOD
### no-{protocol}-method
no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}-method
Analogous to `no-{protocol}` but in addition do not build the methods for
applications to explicitly select individual protocol versions. Note that there
is no `no-tls1_3-method` option because there is no application method for
TLSv1.3.
Using individual protocol methods directly is deprecated. Applications should
use `TLS_method()` instead.
Spoiler: ENABLE-{ALGORITHM}
### enable-{algorithm}
enable-{md2|rc5}
Build with support for the specified algorithm.
Spoiler: NO-{ALGORITHM}
### no-{algorithm}
no-{aria|bf|blake2|camellia|cast|chacha|cmac|
des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb|
poly1305|rc2|rc4|rmd160|scrypt|seed|
siphash|siv|sm2|sm3|sm4|whirlpool}
Build without support for the specified algorithm.
The `ripemd` algorithm is deprecated and if used is synonymous with `rmd160`.
Spoiler: COMPILER-SPECIFIC OPTIONS
### Compiler-specific options
-Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
These system specific options will be recognised and passed through to the
compiler to allow you to define preprocessor symbols, specify additional
libraries, library directories or other compiler options. It might be worth
noting that some compilers generate code specifically for processor the
compiler currently executes on. This is not necessarily what you might have
in mind, since it might be unsuitable for execution on other, typically older,
processor. Consult your compiler documentation.
Take note of the [Environment Variables](#environment-variables) documentation
below and how these flags interact with those variables.
-xxx, +xxx, /xxx
Additional options that are not otherwise recognised are passed through as
they are to the compiler as well. Unix-style options beginning with a
`-` or `+` and Windows-style options beginning with a `/` are recognized.
Again, consult your compiler documentation.
If the option contains arguments separated by spaces, then the URL-style
notation `%20` can be used for the space character in order to avoid having
to quote the option. For example, `-opt%20arg` gets expanded to `-opt arg`.
In fact, any ASCII character can be encoded as %xx using its hexadecimal
encoding.
Take note of the [Environment Variables](#environment-variables) documentation
below and how these flags interact with those variables.
Spoiler: ENVIRONMENT VARIABLES
### Environment Variables
VAR=value
Assign the given value to the environment variable `VAR` for `Configure`.
These work just like normal environment variable assignments, but are supported
on all platforms and are confined to the configuration scripts only.
These assignments override the corresponding value in the inherited environment,
if there is one.
Spoiler: MAKE VARIABLES
The following variables are used as "`make` variables" and can be used as an
alternative to giving preprocessor, compiler and linker options directly as
configuration. The following variables are supported:
AR The static library archiver.
ARFLAGS Flags for the static library archiver.
AS The assembler compiler.
ASFLAGS Flags for the assembler compiler.
CC The C compiler.
CFLAGS Flags for the C compiler.
CXX The C++ compiler.
CXXFLAGS Flags for the C++ compiler.
CPP The C/C++ preprocessor.
CPPFLAGS Flags for the C/C++ preprocessor.
CPPDEFINES List of CPP macro definitions, separated
by a platform specific character (':' or
space for Unix, ';' for Windows, ',' for
VMS). This can be used instead of using
-D (or what corresponds to that on your
compiler) in CPPFLAGS.
CPPINCLUDES List of CPP inclusion directories, separated
the same way as for CPPDEFINES. This can
be used instead of -I (or what corresponds
to that on your compiler) in CPPFLAGS.
HASHBANGPERL Perl invocation to be inserted after '#!'
in public perl scripts (only relevant on
Unix).
LD The program linker (not used on Unix, $(CC)
is used there).
LDFLAGS Flags for the shared library, DSO and
program linker.
LDLIBS Extra libraries to use when linking.
Takes the form of a space separated list
of library specifications on Unix and
Windows, and as a comma separated list of
libraries on VMS.
RANLIB The library archive indexer.
RC The Windows resource compiler.
RCFLAGS Flags for the Windows resource compiler.
RM The command to remove files and directories.
These cannot be mixed with compiling/linking flags given on the command line.
In other words, something like this isn't permitted.
$ ./Configure -DFOO CPPFLAGS=-DBAR -DCOOKIE
Spoiler: BACKWARD COMPATABILITY
Backward compatibility note:
To be compatible with older configuration scripts, the environment variables
are ignored if compiling/linking flags are given on the command line, except
for the following:
AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC, and WINDRES
For example, the following command will not see `-DBAR`:
$ CPPFLAGS=-DBAR ./Configure -DCOOKIE
However, the following will see both set variables:
$ CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- ./Configure -DCOOKIE
If `CC` is set, it is advisable to also set `CXX` to ensure both the C and C++
compiler are in the same "family". This becomes relevant with
`enable-external-tests` and `enable-buildtest-c++`.
Spoiler: RECONFIGURE
### Reconfigure
reconf
reconfigure
Reconfigure from earlier data.
This fetches the previous command line options and environment from data
saved in `configdata.pm` and runs the configuration process again, using
these options and environment. Note: NO other option is permitted together
with `reconf`. Note: The original configuration saves away values for ALL
environment variables that were used, and if they weren't defined, they are
still saved away with information that they weren't originally defined.
This information takes precedence over environment variables that are
defined when reconfiguring.
Spoiler: DISPLAYING CONFIGURATION DATA
The configuration script itself will say very little, and finishes by
creating `configdata.pm`. This perl module can be loaded by other scripts
to find all the configuration data, and it can also be used as a script to
display all sorts of configuration data in a human readable form.
For more information, please do:
$ ./configdata.pm --help # Unix
or
$ perl configdata.pm --help # Windows and VMS
Spoiler: INSTALLATION STEPS IN DETAIL
Spoiler: CONFIGURE OPENSSL
Spoiler: AUTOMATIC CONFIGURATION
In previous version, the `config` script determined the platform type and
compiler and then called `Configure`. Starting with this release, they are
the same.
Spoiler: LINUX MAC
$ ./Configure [options...]
Spoiler: OPENVMS
$ perl Configure [options...]
Spoiler: WINDOWS
$ perl Configure [options...]
Spoiler: MANUAL CONFIGURATION
OpenSSL knows about a range of different operating system, hardware and
compiler combinations. To see the ones it knows about, run
$ ./Configure LIST # Unix
or
$ perl Configure LIST # All other platforms
Spoiler: UNIX
For the remainder of this text, the Unix form will be used in all examples.
Please use the appropriate form for your platform.
Pick a suitable name from the list that matches your system. For most
operating systems there is a choice between using cc or gcc.
When you have identified your system (and if necessary compiler) use this
name as the argument to `Configure`. For example, a `linux-elf` user would
run:
$ ./Configure linux-elf [options...]
Spoiler: CREATE YOUR OWN CONFIGURATION
If your system isn't listed, you will have to create a configuration
file named `Configurations/YOURFILENAME.conf` (replace `YOURFILENAME`
with a filename of your choosing) and add the correct
configuration for your system. See the available configs as examples
and read [Configurations/README.md](Configurations/README.md) and
[Configurations/README-design.md](Configurations/README-design.md)
for more information.
The generic configurations `cc` or `gcc` should usually work on 32 bit
Unix-like systems.
`Configure` creates a build file (`Makefile` on Unix, `makefile` on Windows
and `descrip.mms` on OpenVMS) from a suitable template in `Configurations/`,
and defines various macros in `include/openssl/configuration.h` (generated
from `include/openssl/configuration.h.in`.
Spoiler: OUT OF TREE BUILDS
OpenSSL can be configured to build in a build directory separate from the
source code directory. It's done by placing yourself in some other
directory and invoking the configuration commands from there.
Spoiler: UNIX
$ mkdir /var/tmp/openssl-build
$ cd /var/tmp/openssl-build
$ /PATH/TO/OPENSSL/SOURCE/Configure [options...]
Spoiler: OPENVMS
$ set default sys$login:
$ create/dir [.tmp.openssl-build]
$ set default [.tmp.openssl-build]
$ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [options...]
Spoiler: WINDOWS
$ C:
$ mkdir \temp-openssl
$ cd \temp-openssl
$ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [options...]
Paths can be relative just as well as absolute. `Configure` will do its best
to translate them to relative paths whenever possible.
Spoiler: BUILD OPENSSL
Build OpenSSL by running:
$ make # Unix
$ mms ! (or mmk) OpenVMS
$ nmake # Windows
This will build the OpenSSL libraries (`libcrypto.a` and `libssl.a` on
Unix, corresponding on other platforms) and the OpenSSL binary
(`openssl`). The libraries will be built in the top-level directory,
and the binary will be in the `apps/` subdirectory.
If the build fails, take a look at the [Build Failures](#build-failures)
subsection of the [Troubleshooting](#troubleshooting) section.
Spoiler: TEST OPENSSL
After a successful build, and before installing, the libraries should
be tested. Run:
$ make test # Unix
$ mms test ! OpenVMS
$ nmake test # Windows
**Warning:** you MUST run the tests from an unprivileged account (or disable
your privileges temporarily if your platform allows it).
See [test/README.md](test/README.md) for further details how run tests.
See [test/README-dev.md](test/README-dev.md) for guidelines on adding tests.
Spoiler: INSTALL OPENSSL
If everything tests ok, install OpenSSL with
$ make install # Unix
$ mms install ! OpenVMS
$ nmake install # Windows
Note that in order to perform the install step above you need to have
appropriate permissions to write to the installation directory.
The above commands will install all the software components in this
directory tree under `<PREFIX>` (the directory given with `--prefix` or
its default):
Spoiler: UNIX LINUX MAC
bin/ Contains the openssl binary and a few other
utility scripts.
include/openssl
Contains the header files needed if you want
to build your own programs that use libcrypto
or libssl.
lib Contains the OpenSSL library files.
lib/engines Contains the OpenSSL dynamically loadable engines.
share/man/man1 Contains the OpenSSL command line man-pages.
share/man/man3 Contains the OpenSSL library calls man-pages.
share/man/man5 Contains the OpenSSL configuration format man-pages.
share/man/man7 Contains the OpenSSL other misc man-pages.
share/doc/openssl/html/man1
share/doc/openssl/html/man3
share/doc/openssl/html/man5
share/doc/openssl/html/man7
Contains the HTML rendition of the man-pages.
Spoiler: OPENVMS
'arch' is replaced with the architecture name, `ALPHA` or `IA64`,
'sover' is replaced with the shared library version (`0101` for 1.1), and
'pz' is replaced with the pointer size OpenSSL was built with:
[.EXE.'arch'] Contains the openssl binary.
[.EXE] Contains a few utility scripts.
[.include.openssl]
Contains the header files needed if you want
to build your own programs that use libcrypto
or libssl.
[.LIB.'arch'] Contains the OpenSSL library files.
[.ENGINES'sover''pz'.'arch']
Contains the OpenSSL dynamically loadable engines.
[.SYS$STARTUP] Contains startup, login and shutdown scripts.
These define appropriate logical names and
command symbols.
[.SYSTEST] Contains the installation verification procedure.
[.HTML] Contains the HTML rendition of the manual pages.
Spoiler: ADDITIONAL DIRECTORIES
Additionally, install will add the following directories under
OPENSSLDIR (the directory given with `--openssldir` or its default)
for you convenience:
certs Initially empty, this is the default location
for certificate files.
private Initially empty, this is the default location
for private key files.
misc Various scripts.
The installation directory should be appropriately protected to ensure
unprivileged users cannot make changes to OpenSSL binaries or files, or
install engines. If you already have a pre-installed version of OpenSSL as
part of your Operating System it is recommended that you do not overwrite
the system version and instead install to somewhere else.
Package builders who want to configure the library for standard locations,
but have the package installed somewhere else so that it can easily be
packaged, can use
$ make DESTDIR=/tmp/package-root install # Unix
$ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
The specified destination directory will be prepended to all installation
target paths.
Spoiler: COMPATABILITY ISSUES WITH PREVIOUS OPENSSL VERSIONS
Compiling Existing Applications
Starting with version 1.1.0, OpenSSL hides a number of structures that were
previously open. This includes all internal libssl structures and a number
of EVP types. Accessor functions have been added to allow controlled access
to the structures' data.
This means that some software needs to be rewritten to adapt to the new ways
of doing things. This often amounts to allocating an instance of a structure
explicitly where you could previously allocate them on the stack as automatic
variables, and using the provided accessor functions where you would previously
access a structure's field directly.
Some APIs have changed as well. However, older APIs have been preserved when
possible.
Spoiler: POST-INSTALLATION NOTES
With the default OpenSSL installation comes a FIPS provider module, which
needs some post-installation attention, without which it will not be usable.
This involves using the following command:
$ openssl fipsinstall
See the openssl-fipsinstall(1) manual for details and examples.
Spoiler: ADVANCED BUILD OPTIONS
Spoiler: ENVIRONMENT VARIABLES
Environment Variables
---------------------
A number of environment variables can be used to provide additional control
over the build process. Typically these should be defined prior to running
`Configure`. Not all environment variables are relevant to all platforms.
Spoiler: AR
AR
The name of the ar executable to use.
Spoiler: BUILDFILE
BUILDFILE
Use a different build file name than the platform default
("Makefile" on Unix-like platforms, "makefile" on native Windows,
"descrip.mms" on OpenVMS). This requires that there is a
corresponding build file template.
See [Configurations/README.md](Configurations/README.md)
for further information.
Spoiler: CC
CC
The compiler to use. Configure will attempt to pick a default
compiler for your platform but this choice can be overridden
using this variable. Set it to the compiler executable you wish
to use, e.g. gcc or clang.
Spoiler: CROSS_COMPILE
CROSS_COMPILE
This environment variable has the same meaning as for the
"--cross-compile-prefix" Configure flag described above. If both
are set then the Configure flag takes precedence.
Spoiler: HASHBANGPERL
HASHBANGPERL
The command string for the Perl executable to insert in the
#! line of perl scripts that will be publicly installed.
Default: /usr/bin/env perl
Note: the value of this variable is added to the same scripts
on all platforms, but it's only relevant on Unix-like platforms.
Spoiler: KERNEL_BITS
KERNEL_BITS
This can be the value `32` or `64` to specify the architecture
when it is not "obvious" to the configuration. It should generally
not be necessary to specify this environment variable.
Spoiler: NM
NM
The name of the nm executable to use.
Spoiler: OPENSSL_LOCAL_CONFIG_DIR
OPENSSL_LOCAL_CONFIG_DIR
OpenSSL comes with a database of information about how it
should be built on different platforms as well as build file
templates for those platforms. The database is comprised of
".conf" files in the Configurations directory. The build
file templates reside there as well as ".tmpl" files. See the
file [Configurations/README.md](Configurations/README.md)
for further information about the format of ".conf" files
as well as information on the ".tmpl" files.
In addition to the standard ".conf" and ".tmpl" files, it is
possible to create your own ".conf" and ".tmpl" files and
store them locally, outside the OpenSSL source tree.
This environment variable can be set to the directory where
these files are held and will be considered by Configure
before it looks in the standard directories.
Spoiler: PERL
PERL
The name of the Perl executable to use when building OpenSSL.
Only needed if builing should use a different Perl executable
than what is used to run the Configure script.
Spoiler: RANLIB
RANLIB
The name of the ranlib executable to use.
Spoiler: RC
RC
The name of the rc executable to use. The default will be as
defined for the target platform in the ".conf" file. If not
defined then "windres" will be used. The WINDRES environment
variable is synonymous to this. If both are defined then RC
takes precedence.
Spoiler: WINDRES
WINDRES
See RC.
Spoiler: MAKEFILE TARGETS
The `Configure` script generates a Makefile in a format relevant to the specific
platform. The Makefiles provide a number of targets that can be used. Not all
targets may be available on all platforms. Only the most common targets are
described here. Examine the Makefiles themselves for the full list.
Spoiler: ALL
all
The target to build all the software components and
documentation.
Spoiler: BUILD_SW
build_sw
Build all the software components.
THIS IS THE DEFAULT TARGET.
Spoiler: BUILD_DOCS
build_docs
Build all documentation components.
Spoiler: CLEAN
clean
Remove all build artefacts and return the directory to a "clean"
state.
Spoiler: DEPEND
depend
Rebuild the dependencies in the Makefiles. This is a legacy
option that no longer needs to be used since OpenSSL 1.1.0.
Spoiler: INSTALL
install
Install all OpenSSL components.
Spoiler: INSTALL_SW
install_sw
Only install the OpenSSL software components.
Spoiler: INSTALL_DOCS
install_docs
Only install the OpenSSL documentation components.
Spoiler: INSTALL_MAN_DOCS
install_man_docs
Only install the OpenSSL man pages (Unix only).
Spoiler: INSTALL_HTML_DOCS
install_html_docs
Only install the OpenSSL HTML documentation.
Spoiler: INSTALL_FIPS
install_fips
Install the FIPS provider module configuration file.
Spoiler: LIST-TESTS
list-tests
Prints a list of all the self test names.
Spoiler: TEST
test
Build and run the OpenSSL self tests.
Spoiler: UNINSTALL
uninstall
Uninstall all OpenSSL components.
Spoiler: RECONFIGURE
reconf
Re-run the configuration process, as exactly as the last time
as possible.
Spoiler: UPDATE
update
This is a developer option. If you are developing a patch for
OpenSSL you may need to use this if you want to update
automatically generated files; add new error codes or add new
(or change the visibility of) public API functions. (Unix only).
Spoiler: RUNNING SELECTED TESTS
You can specify a set of tests to be performed
using the `make` variable `TESTS`.
See the section [Running Selected Tests of
test/README.md](test/README.md#running-selected-tests).
Spoiler: TROUBLESHOOTING
Spoiler: CONFIGURATION PROBLEMS
### Selecting the correct target
The `./Configure` script tries hard to guess your operating system, but in some
cases it does not succeed. You will see a message like the following:
$ ./Configure
Operating system: x86-whatever-minix
This system (minix) is not supported. See file INSTALL.md for details.
Even if the automatic target selection by the `./Configure` script fails,
chances are that you still might find a suitable target in the `Configurations`
directory, which you can supply to the `./Configure` command,
possibly after some adjustment.
The `Configurations/` directory contains a lot of examples of such targets.
The main configuration file is [10-main.conf], which contains all targets that
are officially supported by the OpenSSL team. Other configuration files contain
targets contributed by other OpenSSL users. The list of targets can be found in
a Perl list `my %targets = ( ... )`.
my %targets = (
...
"target-name" => {
inherit_from => [ "base-target" ],
CC => "...",
cflags => add("..."),
asm_arch => '...',
perlasm_scheme => "...",
},
...
)
If you call `./Configure` without arguments, it will give you a list of all
known targets. Using `grep`, you can lookup the target definition in the
`Configurations/` directory. For example the `android-x86_64` can be found in
[Configurations/15-android.conf](Configurations/15-android.conf).
The directory contains two README files, which explain the general syntax and
design of the configuration files.
- [Configurations/README.md](Configurations/README.md)
- [Configurations/README-design.md](Configurations/README-design.md)
If you need further help, try to search the [openssl-users] mailing list
or the [GitHub Issues] for existing solutions. If you don't find anything,
you can [raise an issue] to ask a question yourself.
More about our support resources can be found in the [SUPPORT] file.
Spoiler: CONFIGURATION ERRORS
If the `./Configure` or `./Configure` command fails with an error message,
read the error message carefully and try to figure out whether you made
a mistake (e.g., by providing a wrong option), or whether the script is
working incorrectly. If you think you encountered a bug, please
[raise an issue] on GitHub to file a bug report.
Along with a short description of the bug, please provide the complete
configure command line and the relevant output including the error message.
Note: To make the output readable, please add a 'code fence' (three backquotes
` ``` ` on a separate line) before and after your output:
```
./Configure [your arguments...]
[output...]
```
Spoiler: BUILD FAILURES
If the build fails, look carefully at the output. Try to locate and understand
the error message. It might be that the compiler is already telling you
exactly what you need to do to fix your problem.
There may be reasons for the failure that aren't problems in OpenSSL itself,
for example if the compiler reports missing standard or third party headers.
If the build succeeded previously, but fails after a source or configuration
change, it might be helpful to clean the build tree before attempting another
build. Use this command:
$ make clean # Unix
$ mms clean ! (or mmk) OpenVMS
$ nmake clean # Windows
Assembler error messages can sometimes be sidestepped by using the `no-asm`
configuration option. See also [notes](#notes-on-assembler-modules-compilation).
Compiling parts of OpenSSL with gcc and others with the system compiler will
result in unresolved symbols on some systems.
If you are still having problems, try to search the [openssl-users] mailing
list or the [GitHub Issues] for existing solutions. If you think you
encountered an OpenSSL bug, please [raise an issue] to file a bug report.
Please take the time to review the existing issues first; maybe the bug was
already reported or has already been fixed.
Spoiler: TEST FAILURES
If some tests fail, look at the output. There may be reasons for the failure
that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue).
You may want increased verbosity, that can be accomplished as described in
section [Test Failures of test/README.md](test/README.md#test-failures).
You may also want to selectively specify which test(s) to perform. This can be
done using the `make` variable `TESTS` as described in section [Running
Selected Tests of test/README.md](test/README.md#running-selected-tests).
If you find a problem with OpenSSL itself, try removing any
compiler optimization flags from the `CFLAGS` line in the Makefile and
run `make clean; make` or corresponding.
To report a bug please open an issue on GitHub, at
<https://github.com/openssl/openssl/issues>.
Spoiler: NOTES
Spoiler: MULTITHREADING
For some systems, the OpenSSL `Configure` script knows what compiler options
are needed to generate a library that is suitable for multi-threaded
applications. On these systems, support for multi-threading is enabled
by default; use the `no-threads` option to disable (this should never be
necessary).
On other systems, to enable support for multi-threading, you will have
to specify at least two options: `threads`, and a system-dependent option.
(The latter is `-D_REENTRANT` on various systems.) The default in this
case, obviously, is not to include support for multi-threading (but
you can still use `no-threads` to suppress an annoying warning message
from the `Configure` script.)
OpenSSL provides built-in support for two threading models: pthreads (found on
most UNIX/Linux systems), and Windows threads. No other threading models are
supported. If your platform does not provide pthreads or Windows threads then
you should use `Configure` with the `no-threads` option.
For pthreads, all locks are non-recursive. In addition, in a debug build,
the mutex attribute `PTHREAD_MUTEX_ERRORCHECK` is used. If this is not
available on your platform, you might have to add
`-DOPENSSL_NO_MUTEX_ERRORCHECK` to your `Configure` invocation.
(On Linux `PTHREAD_MUTEX_ERRORCHECK` is an enum value, so a built-in
ifdef test cannot be used.)
Spoiler: SHARED LIBRARIES
For most systems the OpenSSL `Configure` script knows what is needed to
build shared libraries for libcrypto and libssl. On these systems
the shared libraries will be created by default. This can be suppressed and
only static libraries created by using the `no-shared` option. On systems
where OpenSSL does not know how to build shared libraries the `no-shared`
option will be forced and only static libraries will be created.
Shared libraries are named a little differently on different platforms.
One way or another, they all have the major OpenSSL version number as
part of the file name, i.e. for OpenSSL 1.1.x, `1.1` is somehow part of
the name.
On most POSIX platforms, shared libraries are named `libcrypto.so.1.1`
and `libssl.so.1.1`.
on Cygwin, shared libraries are named `cygcrypto-1.1.dll` and `cygssl-1.1.dll`
with import libraries `libcrypto.dll.a` and `libssl.dll.a`.
On Windows build with MSVC or using MingW, shared libraries are named
`libcrypto-1_1.dll` and `libssl-1_1.dll` for 32-bit Windows,
`libcrypto-1_1-x64.dll` and `libssl-1_1-x64.dll` for 64-bit x86_64 Windows,
and `libcrypto-1_1-ia64.dll` and `libssl-1_1-ia64.dll` for IA64 Windows.
With MSVC, the import libraries are named `libcrypto.lib` and `libssl.lib`,
while with MingW, they are named `libcrypto.dll.a` and `libssl.dll.a`.
On VMS, shareable images (VMS speak for shared libraries) are named
`ossl$libcrypto0101_shr.exe` and `ossl$libssl0101_shr.exe`. However, when
OpenSSL is specifically built for 32-bit pointers, the shareable images
are named `ossl$libcrypto0101_shr32.exe` and `ossl$libssl0101_shr32.exe`
instead, and when built for 64-bit pointers, they are named
`ossl$libcrypto0101_shr64.exe` and `ossl$libssl0101_shr64.exe`.
Spoiler: RANDOM NUMBER GENERATION
Availability of cryptographically secure random numbers is required for
secret key generation. OpenSSL provides several options to seed the
internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse
to deliver random bytes and a "PRNG not seeded error" will occur.
The seeding method can be configured using the `--with-rand-seed` option,
which can be used to specify a comma separated list of seed methods.
However, in most cases OpenSSL will choose a suitable default method,
so it is not necessary to explicitly provide this option. Note also
that not all methods are available on all platforms. The FIPS provider will
silently ignore seed sources that were not validated.
I) On operating systems which provide a suitable randomness source (in
form of a system call or system device), OpenSSL will use the optimal
available method to seed the CSPRNG from the operating system's
randomness sources. This corresponds to the option `--with-rand-seed=os`.
II) On systems without such a suitable randomness source, automatic seeding
and reseeding is disabled (`--with-rand-seed=none`) and it may be necessary
to install additional support software to obtain a random seed and reseed
the CSPRNG manually. Please check out the manual pages for `RAND_add()`,
`RAND_bytes()`, `RAND_egd()`, and the FAQ for more information.
Spoiler: ASSEMBLER MODULES COMPILATION
Compilation of some code paths in assembler modules might depend on whether the
current assembler version supports certain ISA extensions or not. Code paths
that use the AES-NI, PCLMULQDQ, SSSE3, and SHA extensions are always assembled.
Apart from that, the minimum requirements for the assembler versions are shown
in the table below:
| ISA extension | GNU as | nasm | llvm |
|---------------|--------|--------|---------|
| AVX | 2.19 | 2.09 | 3.0 |
| AVX2 | 2.22 | 2.10 | 3.1 |
| ADCX/ADOX | 2.23 | 2.10 | 3.3 |
| AVX512 | 2.25 | 2.11.8 | 3.6 (*) |
| AVX512IFMA | 2.26 | 2.11.8 | 6.0 (*) |
| VAES | 2.30 | 2.13.3 | 6.0 (*) |
---
(*) Even though AVX512 support was implemented in llvm 3.6, prior to version 7.0
an explicit -march flag was apparently required to compile assembly modules. But
then the compiler generates processor-specific code, which in turn contradicts
the idea of performing dispatch at run-time, which is facilitated by the special
variable `OPENSSL_ia32cap`. For versions older than 7.0, it is possible to work
around the problem by forcing the build procedure to use the following script:
#!/bin/sh
exec clang -no-integrated-as "[email protected]"
instead of the real clang. In which case it doesn't matter what clang version
is used, as it is the version of the GNU assembler that will be checked.
Spoiler: LINKS
[openssl-users]:
<https://mta.openssl.org/mailman/listinfo/openssl-users>
[SUPPORT]:
./SUPPORT.md
[GitHub Issues]:
<https://github.com/openssl/openssl/issues>
[raise an issue]:
<https://github.com/openssl/openssl/issues/new/choose>
[10-main.conf]:
Configurations/10-main.conf
Spoiler: STRAWBERRY PERL
Spoiler: DOWNLOAD
Strawberry Perl for Windows - Releases
strawberryperl.com
Spoiler: STRAWBERRY PERL README
=== Strawberry Perl (64-bit) 5.32.1.1-64bit README ===
Spoiler: WHAT IS STRAWBERRY PERL
* 'Perl' is a programming language suitable for writing simple scripts as well
as complex applications. See http://perldoc.perl.org/perlintro.html
* 'Strawberry Perl' is a perl environment for Microsoft Windows containing all
you need to run and develop perl applications. It is designed to be as close
as possible to perl environment on UNIX systems. See http://strawberryperl.com/
* If you are completely new to perl consider visiting http://learn.perl.org/
Spoiler: INSTALLATION INSTRUCTIONS
* If installing this version from a .zip file, you MUST extract it to a
directory that does not have spaces in it - e.g. c:\myperl\
and then run some commands and manually set some environment variables:
c:\myperl\relocation.pl.bat ... this is REQUIRED!
c:\myperl\update_env.pl.bat ... this is OPTIONAL
You can specify " --nosystem" after update_env.pl.bat to install Strawberry
Perl's environment variables for the current user only.
* If having a fixed installation path does not suit you, try "Strawberry Perl
Portable Edition" from http://strawberryperl.com/releases.html
Spoiler: HOW TO USE STRAWBERRY PERL
* In the command prompt window you can:
1. run any perl script by launching
c:\> perl c:\path\to\script.pl
2. install additional perl modules (libraries) from http://www.cpan.org/ by
c:\> cpan Module::Name
3. run other tools included in Strawberry Perl like: perldoc, gcc, gmake ...
* You'll need a text editor to create perl scripts. One is NOT included with
Strawberry Perl. A few options are Padre (which can be installed by running
"cpan Padre" from the command prompt) and Notepad++ (which is downloadable at
http://notepad-plus-plus.org/ ) which both include syntax highlighting
for perl scripts. You can even use Notepad, if you wish.
Spoiler: TEXT TEMPLATE PERL MODULE
Text::Template - Expand template text with embedded Perl - metacpan.org
Expand template text with embedded Perl
metacpan.org
Spoiler: NASM
Spoiler: DOWNLOAD
https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/win64/nasm-2.15.05-win64.zip
Spoiler: WHAT IS NASM
NASM
Spoiler: GNU MAKE
Spoiler: DOWNLOAD
https://sourceforge.net/projects/gnuwin32/files/make/3.81/make-3.81.exe/download?use_mirror=phoenixnap&download=
Spoiler: WHAT IS GNUMAKE
GNU make
GNU make
www.gnu.org
Spoiler: MINGGW
Spoiler: DOWNLOAD
https://sourceforge.net/projects/mi...ngw-w64-release/mingw-w64-v9.0.0.zip/download
Spoiler: WHAT IS MINGGW
MinGW-w64
GCC for Windows 64 & 32 bits
www.mingw-w64.org
OTHER TOOLS FOR REFERENCE
Spoiler: NOTEPAD++
Spoiler: DOWNLOAD
https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.3.1/npp.8.3.1.portable.x64.zip
Spoiler: WHAT AM I
This is the tool I use to help me write scripts better than just using a plain text editor.
FOR MORE OPENSSL DOCUMENTATION~! XDA HAS 80,000 WORD LIMIT XD
/docs/man3.0/man1/index.html
www.openssl.org
Make All Of This Easier~!
How To Use Chocolatey
========================= ============================================ HOW TO USE CHOCOLATEY ============== ============= Hi Friends~! This amazing package manager changed my Windoz life
forum.xda-developers.com
Happy studies!
Spoiler: USER ERROR INDUCED FORUM BUGZ
I DON'T UNDERSTAND HOW TWO SPOILERS KEEP ADDING THEMSELVES AT THE END OF MY THREAD ARBITRARILY AFTER EDITTING~! WHAT A NEAT LITTLE BUG THAT IS PRODUCING ITSELF, AS THIS TREE GROWS, LARGER, AND, LARGER <3
NOW IT ADDED 5 HAHAHA!
EDIT----NOW I KNOW WHAT IS CAUSING IT, IS WHEN I AM HAND TYPING THE SPOILERS AND I MISS /SPOILER, IT ADDS AS MANY MISSED SPOILERS TO THE END AS WAS MISSED IN THE ORIGINAL SPOILER TREE CODE. COOL~!
Spoiler: FURTHER LEARNING
I am watching this video now to learn about generating private and public key pairs, like we do with cryto currency~! How fun and neat to finally start to understand the backbones of this Tech
GitHub - pyca/cryptography: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. - GitHub - pyca/cryptography: cryptography is a package designed to expose cryptographic prim...
github.com
What are OpenSSL BIOs? How do they work? How are BIOs used in OpenSSL?
I need some general information about OpenSSL BIO. Some kind of introduction to it. What is OpenSSL BIO? What is its general idea? I know that it is some kind of API for input/output. But how is it
stackoverflow.com
I finally did it~! Took me forever to figure out such simple things but my openssl toolset I'm sharing with y'all is portable and works out the gate :> all open source but mingw requires you keep their sources if you are interested in redistributing~!
Spoiler: SUCESSIO
And now through all this reinventing of the wheel~! I know what Chocolatey Is and Is used for~! I will figure this out better now haha.
Installing Chocolatey
Chocolatey is software management automation for Windows that wraps installers, executables, zips, and scripts into compiled packages. Chocolatey integrates w/SCCM, Puppet, Chef, etc. Chocolatey is trusted by businesses to manage software deployments.
chocolatey.org
Chocolatey Software Docs | Getting Started
Introduction to Chocolatey
docs.chocolatey.org
Packages
Chocolatey is software management automation for Windows that wraps installers, executables, zips, and scripts into compiled packages. Chocolatey integrates w/SCCM, Puppet, Chef, etc. Chocolatey is trusted by businesses to manage software deployments.
community.chocolatey.org
This package has been Blocked By Content Filtering On Some Browsers Or Even ISPs~!
I would say it's because The Shadow Corporations want to keep the code slaves on their IDE's but I digress...~~!
This is Mostly a Joke~! Mostly... ;-]
oMG Chocolatey was SO MUCH EASIER. I finally created my certificate; I'm going to sign my driver~! And whether or not it fixes the problem we will see. Regardless this has been a fun exercise and I will post a video with a visual example on my future chocolatey thread, about what I learned about IDEs, "Programming Languages", package installation on windows, system environment variables, etc~! Hopefully I will explain it in a way that makes sense
Something you should be aware of when using open source software, is that, even though it's free and states that you can use it in your own, Developed, Software, you absolutely must read the licences, readmes, and documentation, for sharing the work!
A GNU case, evidenced, that asks of, software developers, on freeware, can be enforced in court~!
Do your due diligence and read what the software providers add in text form for us because they did a lot of work for us to bring us what they do
13:13 mark
is Notepad++ superior to sublime??
Kross13 said:
is Notepad++ superior to sublime??
Click to expand...
Click to collapse
I will always be honest, I am Learning, So I do Not know~! What I advise is to try them both,, and learn the differences or "nuances" between the systems, so we can tell each other why we feel a certain way toward a certain program~! I will try out sublime now as I remember hearing about it years and years ago, but I wasn't at a basic enough level to understand what all of this is for.
Thank you for sharing this program with us~!
Thanks for this information. I will try it soon.
I think Notepad++ is the best free tool to help coding.
This is my opinion.
This video explains in super detail more about certificates, in ways I didn't even think of, in relation to man in the middle attacks on everyday websites we use.
Spoiler: Video
.
Since I'm thinking about it, and the idea of decentralization comes up, this video is interesting in explaining our present day internets' root
Spoiler: vid
Hello there. I wanted to share a link to a thread that "chains together" with this Thread. It is relating to Android Verified Boot which is a means of cryptographically protecting images. I am still learning so I will add links on that thread with interesting things. Notably the repository is available, there is a literal college thesis investigative study 33 pages, some good talks to listen to in the background and other things. Anyway it's here if anyone is interested
Learning About AVB Android Verified Boot (Boot.img dtb.img, vbmeta.img, and the "staging blob")
Edit-- after studying a couple days I understand why no modification to the images would work, which is due to AVB. I have a lot more studying to do and I will explain better. This thread is currently a mess of notes from a noob picking a kind...
forum.xda-developers.com
Oh and this is a subtle callout if anyone knows anything about avb please share on that thread. I am absolutely fascinated with this now and whelp... rabbit holes.

How To Guide How to Make and Sign a Driver and Certificate: Intro To Encryption

=========================================
HOW TO MAKE AND SIGN, A DRIVER AND CERTIFICATE: INTRO TO ENCRYPTION~!
=========================================​
Today we are going to get our feet a little wet in Cryptography~!
Why would I need this?
For this Use Case, we will be discussing the NVIDIA SHIELD~!
PLEASE NOTE, THE TOPICS BEING DISCUSSED TODAY MAY BE ILLEGAL IN YOUR COUNTRY. PLEASE USE DISCRETION AND KNOW YOUR COUNTRY'S LAWS REGARDING CRYPTOGRAPHY BEFORE GOING FURTHER.... PEACE AND LOVE
Spoiler: OPENSSL WARNING
OPENSSL WARNING:
"Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks,
or even just communicating technical details about cryptography software is illegal in some parts of the world. So
when you import this package to your country, re-distribute it from there or even just email technical suggestions
or even source patches to the authors or other people you are strongly advised to pay close attention to any laws
or regulations which apply to you. The authors of OpenSSL are not liable for any violations you make here. So be
careful, it is your responsibility."
Many Users on Windows 11 are reporting issues with Android Bootloader not installing and giving an Error Code 10.
Spoiler: LIKE THIS
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Error Code 10 is due to Nvidia's driver's digital certificate expiring. Crypto~!
Spoiler: SHOWN HERE
Spoiler: SOFTWARE DEVELOPMENT TOOLS
This is exclusively for beginners~! I don't care about your fancy IDE's Thank You~!
Intro to Cryptography By a Noob
Hello Friends~! I have built information trees, to teach you about these tools. I was originally going to package them all together, but in my efforts of doing so I realize that the process was getting too convoluted, when there is already an...
forum.xda-developers.com
The Bad Drivers From Nvidia:
Gameworks Download Center
Get the latest Gameworks software for your game development work.
developer.nvidia.com
Spoiler: MAKE A CERTIFICATE IN OPENSSL
GENERATING A PRIVATE AND PUBLIC KEY, AND A CSR
openssl genrsa -out shield.key 2048
openssl rsa -in shield.key -pubout -out shield_public.key
openssl req -new -key shield.key -out shield.csr
openssl x509 -in shield.csr -out shield.crt -req -signkey shield.key -days 365
Spoiler: BUILDING THE DRIVER
To be Continued~!
Spoiler: REFS
This article turned me on to the make cert tool
UWP - SignTool Error: No certificates were found that met all the given criteria
I'm getting this error after our company changed its AD domain. UWP app development with VS 2019 and Windows 10 (1903) C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Micr...
stackoverflow.com
MakeCert - Windows drivers
MakeCert (Makecert.exe) is a command-line CryptoAPI tool that creates an X.509 certificate that is signed by a system test root key or by another specified key.
docs.microsoft.com
Cryptographic Keylength Recomendation
Keylength - Cryptographic Key Length Recommendation
Certificate Stores - Windows drivers
Certificate Stores
docs.microsoft.com
System Store Locations - Win32 apps
A system store is a collection that consists of one or more physical sibling stores.
docs.microsoft.com
SignTool.exe (Sign Tool) - .NET Framework
Learn about SignTool.exe, the Sign Tool. This command-line tool digitally signs files, verifies signatures in files, and applies timestamps to files.
docs.microsoft.com
Using SignTool to Sign a File - Win32 apps
Explains how to use SignTool to sign a file.
docs.microsoft.com
COMMANDS FROM WINSDK LEARNED BUT NOT USED
Spoiler: MAKECERT COMMANDS
-sk <keyName> Subject's key container name; To be created if not present
-pe Mark generated private key as exportable
-ss <store> Subject's certificate store name that stores the output
certificate
-sr <location> Subject's certificate store location.
<CurrentUser|LocalMachine>. Default to 'CurrentUser'
-# <number> Serial Number from 1 to 2^31-1. Default to be unique
-$ <authority> The signing authority of the certificate
<individual|commercial>
-n <X509name> Certificate subject X500 name (eg: CN=Fred Dews)
-? Return a list of basic options
-! Return a list of extended options
Extended Options
-tbs <file> Certificate or CRL file to be signed
-sc <file> Subject's certificate file
-sv <pvkFile> Subject's PVK file; To be created if not present
-ic <file> Issuer's certificate file
-ik <keyName> Issuer's key container name
-iv <pvkFile> Issuer's PVK file
-is <store> Issuer's certificate store name.
-ir <location> Issuer's certificate store location
<CurrentUser|LocalMachine>. Default to 'CurrentUser'
-in <name> Issuer's certificate common name.(eg: Fred Dews)
-a <algorithm> The signature's digest algorithm.
<md5|sha1|sha256|sha384|sha512>. Default to 'sha1'
-ip <provider> Issuer's CryptoAPI provider's name
-iy <type> Issuer's CryptoAPI provider's type
-sp <provider> Subject's CryptoAPI provider's name
-sy <type> Subject's CryptoAPI provider's type
-iky <keytype> Issuer key type
<signature|exchange|<integer>>.
-sky <keytype> Subject key type
<signature|exchange|<integer>>.
-l <link> Link to the policy information (such as a URL)
-cy <certType> Certificate types
<end|authority>
-b <mm/dd/yyyy> Start of the validity period; default to now.
-m <number> The number of months for the cert validity period
-e <mm/dd/yyyy> End of validity period; defaults to 2039
-h <number> Max height of the tree below this cert
-len <number> Generated Key Length (Bits)
Default to '2048' for 'RSA' and '512' for 'DSS'
-r Create a self signed certificate
-nscp Include Netscape client auth extension
-crl Generate a CRL instead of a certificate
-eku <oid[<,oid>]> Comma separated enhanced key usage OIDs
-? Return a list of basic options
-! Return a list of extended options
Spoiler: SIGNTOOL COMMANDS
Typing Signtool brings up this
sign -- Sign files using an embedded signature.
timestamp -- Timestamp previously-signed files.
verify -- Verify embedded or catalog signatures.
catdb -- Modify a catalog database.
remove -- Remove embedded signature(s) or reduce the size of an
embedded signed file.
Spoiler: SIGN
Usage: signtool sign [options] <filename(s)>
Use the "sign" command to sign files using embedded signatures. Signing
protects a file from tampering, and allows users to verify the signer (you)
based on a signing certificate. The options below allow you to specify signing
parameters and to select the signing certificate you wish to use.
Certificate selection options:
/a Select the best signing cert automatically. SignTool will find all
valid certs that satisfy all specified conditions and select the
one that is valid for the longest. If this option is not present,
SignTool will expect to find only one valid signing cert.
/ac <file> Add an additional certificate, from <file>, to the signature block.
/c <name> Specify the Certificate Template Name (Microsoft extension) of the
signing cert.
/f <file> Specify the signing cert in a file. If this file is a PFX with
a password, the password may be supplied with the "/p" option.
If the file does not contain private keys, use the "/csp" and "/kc"
options to specify the CSP and container name of the private key.
/i <name> Specify the Issuer of the signing cert, or a substring.
/n <name> Specify the Subject Name of the signing cert, or a substring.
/p <pass.> Specify a password to use when opening the PFX file.
/r <name> Specify the Subject Name of a Root cert that the signing cert must
chain to.
/s <name> Specify the Store to open when searching for the cert. The default
is the "MY" Store.
/sm Open a Machine store instead of a User store.
/sha1 <h> Specify the SHA1 thumbprint of the signing cert.
/fd Specifies the file digest algorithm to use for creating file
signatures. If this parameter is not specified, an error will be
generated.
/u <usage> Specify the Enhanced Key Usage that must be present in the cert.
The parameter may be specified by OID or by string. The default
usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
/uw Specify usage of "Windows System Component Verification"
(1.3.6.1.4.1.311.10.3.6).
/fdchw Generate a warning if the file digest algorithm and the hash algorithm
used in the signing certificate's signature are different.
Private Key selection options:
/csp <name> Specify the CSP containing the Private Key Container.
/kc <name> Specify the Key Container Name of the Private Key.
Signing parameter options:
/as Append this signature. If no primary signature is present, this
signature will be made the primary signature instead.
/d <desc.> Provide a description of the signed content.
/du <URL> Provide a URL with more information about the signed content.
/t <URL> Specify the timestamp server's URL. If this option is not present,
the signed file will not be timestamped. A warning is generated if
timestamping fails.
/tr <URL> Specifies the RFC 3161 timestamp server's URL. If this option
(or /t) is not specified, the signed file will not be timestamped.
A warning is generated if timestamping fails. This switch cannot
be used with the /t switch.
/tseal <URL> Specifies the RFC 3161 timestamp server's URL for timestamping a
sealed file.
/td <alg> Used with the /tr or /tseal switch to request a digest algorithm
used by the RFC 3161 timestamp server. This parameter
is required if the /tr or /tseal is specified.
/sa <OID> <value> Specify an OID and value to be included as an authenticated
attribute in the signature. The value will be encoded as an
ASN1 UTF8 string. This option may be given multiple times.
/seal Add a sealing signature if the file format supports it.
/itos Create a primary signature with the intent-to-seal attribute.
/force Continue to seal or sign in situations where the existing signature
or sealing signature needs to be removed to support sealing.
/nosealwarn Sealing-related warnings do not affect SignTool's return code.
/tdchw Generate a warning if the digest algorithm used by the RFC 3161
timestamp server and the hash algorithm used in the signing certificate's
signature are different.
Digest options:
/dg <path> Generates the to be signed digest and the unsigned PKCS7 files.
The output digest and PKCS7 files will be: <path>\<file>.dig and
<path>\<file>.p7u. To output an additional XML file, see /dxml.
/ds Signs the digest only. The input file should be the digest
generated by the /dg option. The output file will be:
<file>.signed.
/di <path> Creates the signature by ingesting the signed digest to the
unsigned PKCS7 file. The input signed digest and unsigned
PKCS7 files should be: <path>\<file>.dig.signed and
<path>\<file>.p7u.
/dxml When used with the /dg option, produces an XML file. The output
file will be: <path>\<file>.dig.xml.
/dlib <dll> Specifies the DLL implementing the AuthenticodeDigestSign or
AuthenticodeDigestSignEx function to sign the digest with. This
option is equivalent to using SignTool separately with the
/dg, /ds, and /di switches, except this option invokes all three
as one atomic operation.
/dmdf <file> When used with the /dlib option, passes the file's contents to
the AuthenticodeDigestSign or AuthenticodeDigestSignEx function
without modification.
PKCS7 options:
/p7 <path> Specifies that for each specified content file a PKCS7 file is
produced. The PKCS7 file will be named: <path>\<file>.p7
/p7co <OID> Specifies the <OID> that identifies the signed content.
/p7ce <Value> Defined values:
Embedded - Embeds the signed content in the PKCS7.
DetachedSignedData - Produces the signed data part of
a detached PKCS7.
Pkcs7DetachedSignedData - Produces a full detached PKCS7.
The default is 'Embedded'
Other options:
/ph Generate page hashes for executable files if supported.
/nph Suppress page hashes for executable files if supported.
The default is determined by the SIGNTOOL_PAGE_HASHES
environment variable and by the wintrust.dll version.
/rmc Specifies signing a PE file with the relaxed marker check semantic.
The flag is ignored for non-PE files. During verification, certain
authenticated sections of the signature will bypass invalid PE
markers check. This option should only be used after careful
consideration and reviewing the details of MSRC case MS12-024 to
ensure that no vulnerabilities are introduced.
/q No output on success and minimal output on failure. As always,
SignTool returns 0 on success, 1 on failure, and 2 on warning.
/v Print verbose success and status messages. This may also provide
slightly more information on error.
/debug Display additional debug information.
Spoiler: TIMESTAMP
Use the "timestamp" command to add a timestamp to a previously-signed file.
The "/t" option is required.
/q No output on success and minimal output on failure. As always,
SignTool returns 0 on success and 1 on failure.
/t <URL> Specify the timestamp server's URL.
/tr <URL> Specifies the RFC 3161 timestamp server's URL.
/tseal <URL> Specifies the RFC 3161 timestamp server's URL for timestamping a
sealed file. One of /t, /tr or /tseal is required.
/td <alg> Used with the /tr or /tseal switch to request a digest algorithm
used by the RFC 3161 timestamp server. If this parameter is not
specified, a warning will be generated. In future releases,
this parameter will be required if /tr or /tseal is specified
/tp <index> Timestamps the signature at <index>.
/p7 Timestamps PKCS7 files.
/force Remove any sealing signature that is present in order to timestamp.
/nosealwarn Warnings for removing a sealing signature do not affect SignTool's
return code.
/v Print verbose success and status messages. This may also provide
slightly more information on error.
/debug Display additional debug information.
Spoiler: VERIFY
Usage: signtool verify [options] <filename(s)>
Use the "verify" command to verify embedded or catalog signatures.
Verification determines if the signing certificate was issued by a trusted
party, whether that certificate has been revoked, and whether the certificate
is valid under a specific policy. Options allow you to specify requirements
that must be met and to specify how to find the catalog, if appropriate.
Catalogs are used by Microsoft and others to sign many files very efficiently.
Catalog options:
/a Automatically attempt to verify the file using all methods. First
search for a catalog using all catalog databases. If the file is
not signed in any catalog, attempt to verify the embedded
signature. When verifying files that may or may not be signed in a
catalog, such as Windows files and drivers, this option is the
easiest way to ensure that the signature is found.
/ad Find the catalog automatically using the default catalog database.
/as Find the catalog automatically using the system component (driver)
catalog database.
/ag <GUID> Find the catalog automatically in the specified catalog database.
Catalog databases are identified by GUID.
Example GUID: {F750E6C3-38EE-11D1-85E5-00C04FC295EE}
/c <file> Specify the catalog file.
/o <ver> When verifying a file that is in a signed catalog, verify that the
file is valid for the specified platform.
Parameter format is: PlatformID:VerMajor.VerMinor.BuildNumber
/hash <SHA1 | SHA256> Optional hash algorithm to use when searching for
a file in a catalog.
SignTool uses the "Windows Driver" Verification Policy by default. The options
below allow you to use alternate Policies.
Verification Policy options:
/pa Use the "Default Authenticode" Verification Policy.
/pg <GUID> Specify the verification policy by GUID (also called ActionID).
Signature requirement options:
/ca <h> Verify that the file is signed with an intermediate CA cert with
the specified hash. This option may be specified multiple times;
one of the specified hashes must match.
/r <name> Specify the Subject Name of a Root cert that the signing cert must
chain to.
/sha1 <h> Verify that the signer certificate has the specified hash. This
option may be specified multiple times; one of the specified hashes
must match.
/tw Generate a Warning if the signature is not timestamped.
/u <usage> Generate a Warning if the specified Enhanced Key Usage is not
present in the cert. This option may be given multiple times.
Other options:
/all Verify all signatures in a file with multiple signatures.
/ds <index> Verify the signature at <index>.
/ms Use multiple verification semantics. This is the default behavior
of a Win8 WinVerifyTrust call.
/sl Verify sealing signatures for supported file types.
/p7 Verify PKCS7 files. No existing policies are used for p7 validation.
The signature is checked and a chain is built for the signing
certificate.
/bp Perform the verification with the Biometric mode signing policy.
/enclave Perform the verification with the enclave signing policy. This also
prints the Unique ID and Author ID information.
/kp Perform the verification with the kernel-mode driver signing policy.
/q No output on success and minimal output on failure. As always,
SignTool returns 0 on success, 1 on failure, and 2 on warning.
/ph Print and verify page hash values.
/d Print Description and Description URL.
/v Print verbose success and status messages. This may also provide
slightly more information on error. If you want to see information
about the signer, you should use this option.
/debug Display additional debug information.
/p7content <file> Provide p7 content file incase of detached signatures (signed using PKCS7DetachedSignedData).
Spoiler: CATDB
Usage: signtool catdb [options] <filename(s)>
Use the "catdb" command to add or remove catalog files to or from a catalog
database. Catalog databases are used for automatic lookup of catalog files,
and are identified by GUID.
Catalog Database options allow you to select which catalog database to operate
on. If you do not specify a catalog database, SignTool operates on the system
component (driver) database.
Catalog Database options:
/d Operate on the default catalog database instead of the system
component (driver) catalog database.
/g <GUID> Operate on the specified catalog database.
Other options specify what to do with the selected catalog database, and other
behavior. If you do not specify any other options, SignTool will add the
specified catalogs to the catalog database, replacing any existing catalog
which has the same name.
Other options:
/q No output on success and minimal output on failure. As always,
SignTool returns 0 on success and 1 on failure.
/r Remove the specified catalogs from the catalog database.
/u Automatically generate a unique name for the added catalogs. The
catalog files will be renamed if necessary to prevent name
conflicts with existing catalog files.
/v Print verbose success and status messages. This may also provide
slightly more information on error.
/debug Display additional debug information.
Spoiler: REMOVE
Usage: signtool remove [options] <filename(s)>
Use the "remove" command to remove the embedded signature(s) or sections of
the embedded signature on a PE/COFF file.
WARNING: This command will modify the file on the disk. Please create a backup
copy if you want to preserve the original file.
The option "/c" and/or "/u", or "/s" is required.
/c Remove all certificates, except for the signer certificate
from the signature.
/q No output on success and minimal output on failure. As always,
SignTool returns 0 on success and 1 on failure.
/s Remove the signature(s) entirely.
/u Remove the unauthenticated attributes from the signature
e.g. Dual signatures and timestamps.
/v Print verbose success and status messages. This may also provide
slightly more information on error.
This thread may explain why this is happening, AMD CPU and USB 3.0 unsupported on these old dang drivers
Fastboot problem on USB 3.0 ports
Hi guys, today I set up my notebook, to use in the future, MIUI flashing tool (No bootloader unlock in this machine, cause: ryzen CPU). After installing the drivers I restarted in fastboot mode and all ok..recognized device (Android bootloader...
forum.xda-developers.com
This is not complete and the code shown is placeholder. I am getting so deep in note taking I had to put up what I have so I can see it better and clearer~! I'll update when I am done and will post a video walkthrough. For Now... I need Sleep. Bah~! I hate having to sleep all the time.
jenneh said:
This is not complete and the code shown is placeholder. I am getting so deep in note taking I had to put up what I have so I can see it better and clearer~! I'll update when I am done and will post a video walkthrough. For Now... I need Sleep. Bah~! I hate having to sleep all the time.
Click to expand...
Click to collapse
What do you need to know?
persona78 said:
What do you need to know?
Click to expand...
Click to collapse
I'm trying to learn how to take a fresh USB driver ini file and build a cert for it with sha 256 hash just to learn how to run the algorithm while fixing the problem of the original ini file being expired. It's funny to think about some of this software we use, as having "shelf dates" almost. Haha. Like a food product or something organic. Interesting! Crypto~!
jenneh said:
I'm trying to learn how to take a fresh USB driver ini file and build a cert for it with sha 256 hash just to learn how to run the algorithm while fixing the problem of the original ini file being expired. It's funny to think about some of this software we use, as having "shelf dates" almost. Haha. Like a food product or something organic. Interesting! Crypto~!
Click to expand...
Click to collapse
I know how to create a certificate and sign a exe.
This helps?
persona78 said:
I know how to create a certificate and sign a exe.
This helps?
Click to expand...
Click to collapse
Yes!!
Hi!
@jenneh this are the batch tools i create: Tools
1-Extract to Desktop
2-Create your cert.pfx and paste inside Sign_Batch folder
3-paste the app you want in to sign inside Sign_Batch folder to
4-Pick and drop the app over the appsign_soft.bat
5-Right click over app and check Digital signature
6-Select the signature and go to details
7-Check your certificate
8-Install your certificate, like this system will know that is safe
9-Done!
Your app is now signed with your certificate!
Spoiler: Print Screens
persona78 said:
Hi!
@jenneh this are the batch tools i create: Tools
1-Extract to Desktop
2-Create your cert.pfx and paste inside Sign_Batch folder
3-paste the app you want in to sign inside Sign_Batch folder to
4-Pick and drop the app over the appsign_soft.bat
5-Right click over app and check Digital signature
6-Select the signature and go to details
7-Check your certificate
8-Install your certificate, like this system will know that is safe
9-Done!
Your app is now signed with your certificate!
Spoiler: Print Screens
View attachment 5544459
View attachment 5544463
Click to expand...
Click to collapse
You are like An Angel from Binary Heaven. I just Woke Up and was refreshing my memory on this~! I will check out your tools now and update my thread when I fully understand and properly credit you for your hard work. I really thank you So So much :> Your efforts will help Many~!
I only started this train of thought yesterday so bare with me, this is all new to me~!
jenneh said:
You are like An Angel from Binary Heaven. I just Woke Up and was refreshing my memory on this~! I will check out your tools now and update my thread when I fully understand and properly credit you for your hard work. I really thank you So So much :> Your efforts will help Many~!
I only started this train of thought yesterday so bare with me, this is all new to me~!
Click to expand...
Click to collapse
I hope it helps you!
persona78 said:
I hope it helps you!
Click to expand...
Click to collapse
OMG. I'm going through your work now... I got goosebumps. THANK YOU. I just need to get my coffee and some music going and Ima figure out how to explain all this in a video when I chain it together. haha
Oh and I want to tell the other WSA enthusiasts out there~! I see now how to chain this information over to WSA, specifically the MSIX bundle, decompiling it and adding rooted system images. I have seen where others on this forum have done the same thing, or come to the same conclusion but want to be secretive about their methods.
But WHy?~~! Haha~! That Tis Only the Soft Root as I am coining it. Explaining the modding of the msix file in order to gain root will be my next project on windows when this is complete. I would like to think... the stock root... would be a valuable resource that could be reported somewhere... But who knows?~! HMM
The letter of the day today is O, for OPEN SSL
/docs/man3.0/man7/crypto.html
www.openssl.org
Could not repeat the error. Tested using Virtual win11available here. Previous version though.
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Faked my LG to show as Nvidia...
CXZa said:
Could not repeat the error. Tested using Virtual win11available here. Previous version though.
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Faked my LG to show as Nvidia...
View attachment 5544673
Click to expand...
Click to collapse
The purpose of this article is to learn something about this obstacle, since Nvidia has not updated the drivers since 2018.
Which we are learning LOTS.
Not whether or not it is broke for all Users.
It's about engineering a fix for said problem.
Since I cannot easily edit the .inf Due to it's encryption.
jenneh said:
Nvidia Drivers, not an issue with Windows 11.
Click to expand...
Click to collapse
I was interested as it has been said that in future there are
more strick rules for drivers and such.
But this driver is ok. Installed properly and worked ok.
Or maybe the rules have changed in the later win versions.??
Try to restart your device. Maybe both of them...
CXZa said:
I was interested as it has been said that in future there are
more strick rules for drivers and such.
But this driver is ok. Installed properly and worked ok.
Try to restart your device. Maybe both of them...
Click to expand...
Click to collapse
Sorry that came off robotic, I THANK YOU For testing. Out of curiosity are you using amd or intel processor?
jenneh said:
Sorry that came off robotic, I THANK YOU For testing. Out of curiosity are you using amd or intel processor?
Click to expand...
Click to collapse
Intel...
Which win11 version you are using? Maybe the rules have changed like I said in previous post (added it after you quoted)
CXZa said:
Intel...
Which win11 version you are using? Maybe the rules have changed like I said in previous post (added it after you quoted)
Click to expand...
Click to collapse
I am on the latest version. Running AMD. I have uninstalled and reinstalled Many Times. I have used both Microsofts Factory isos, tried every iteration since preview, built my own modded ISOs ETC.
I have case Evidenced This problem for months and many of my viewers Have reported the Same Issue.
So what you are not understanding is, there are some of us who see a problem, regardless of the Root Cause,
We want a fix~! Your solutions have already been tried. So thank you, but this is an article regarding KNOWLEDGE
The shield is only a metaphor~! It is as said in the beginning just the Use Case. For the Lesson. This is a Live lesson.
Thank you.
Okay, have fun...
CXZa said:
Okay, have fun...
Click to expand...
Click to collapse
Oh I Am <3
So an Update~! I had theorized that I could just copy the contents of the .inf file, paste them into a new text document, rename it to android_usb.inf, then paste the rest of nvidia's original dlls etc, but Nope~! Apparently you have to modify the cat files and well every thing~! So another day of research it is!! Here's a nifty signing tool ;-)
ksign (Install) 2016.07.20.20170105
Free GUI and command line tool for software and installer signing
community.chocolatey.org

Question how to use perfetto (or any equivalent known to mankind) offline ON ANDROID to READ a system trace

so I have been searching everything I could think of on the internet trying to figure out how to read a system trace natively made by Android 13 on my Pixel 6 on the phone itself because I'm not with my computer and can't use it and it doesn't seem to be possible. now there's a web page application but it requires that you be connected to the internet and requires that your system traces be minuscule tiny or that you learn how to use an Android phone without a graphic user interface because I'm sorry My bad I'm not a programmer I don't really want to be and they want me to code something into my browser on my phone I don't even know how to do that just so that I can open a file as large as the trace I made I just want to figure out why my phone is doing something that it shouldn't be doing(several somethings actually randomly failing to allow internet connection to my Xbox beta app randomly shutting down screen recordings in the middle and booting my screen black and kicking me out of Android so that I have to log back in randomly running a work profile I didn't install the list goes on) so I can stop it from doing that please if anyone out there knows anyway at all on this Earth to open and read a file who's extension is perfetto-Trace without plugging into a computer just like you know on my phone I swear to God I'll do anything I'm begging you please help a ***** out cuz this girl is on her last ragged edged nerve over all this it's too much for one girl to figure out
perfetto is an open source tool provided by google. you can download the binaries they already provided for android. you can download your device specific binaries
Release Perfetto v35.0 · google/perfetto
v35.0 - 2023-06-07: Tracing service and probes: * Compression has been moved from perfetto_cmd to traced. Now compression is supported even with write_into_file. The `compress_from_cli`...
github.com
you need to install a terminal emulator , I suggest the Termux from fdroid.
then setup and initialize everything in Termux (I can't explain now, you can google it)
the from the extracted zip file of perfetto binaries, copy them to termux
``cp -r [directory path of the extracted] .``
``cd [directory name of the extracted] ``
The supported output formats are:
text - protobuf text format: a text based representation of protos
json - Chrome JSON format: the format used by chrome://tracing systrace: the ftrace text format used by Android systrace
Converting to systrace text format
./traceconv systrace [input proto file] [output systrace file]
example, systrace format are more human readable and easier
./traceconv systrace sample-trace.perfetto-trace sample-trace.systrace
Same way,
Converting to Chrome Tracing JSON format which is so familiar
./traceconv json [input proto file] [output json file]
is this way it will give a human readable output. now you can view output with a text editor
although reading a big file of 50-100MB May not be possible because of chunk issue. but Mostly it will show otherwise no hope. there's very limited tools out there
You can inbox me if you need assistance.
[Its my first answer on XDA]

Categories

Resources