Build Layout

---

OpenSSL is built twice. Once for "fips" and once for "non-fips". Both

the fips and non-fips builds share Patches and Configure-time options

where possible. It is very important that they are ABI compatible. All

the common patches are contained in the Patches sub-directory and common

configuration is taken from Makefile.com in the top-level openssl

directory. If a particular build requires a modification which is not

common to both builds then the patch is kept in the build specific

sub-directory.

In addition to the regular Makefile targets both the fips and non-fips

builds have the following targets:

all32

all64

install32

install64

This makes building any subset easy.

i.e. to build and install the 64bit non-fips OpenSSL the following

command is used:

$ cd openssl/non-fips

$ make install64

The fips Build

---

The "fips" build has the following deliverables (symbolic links and

architecture specific binaries are excluded):

/lib/openssl/fips-140/libcrypto.so.0.9.8

/usr/include/openssl/fips-140/openssl/fips.h

/usr/include/openssl/fips-140/openssl/fips_rand.h

/usr/include/openssl/fips-140/openssl/opensslconf.h

A build-time requirement for the fips build is the FIPS Object Module.

The FIPS Object Module has very stringent build requirements as

specified in its Security Policy:

http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf

In essence the FIPS Object Module may not be patched or modified in any

way, the build must be performed with "./config [no-asm], make, 

make install". The only way to influence the build is by modifying the

environment it is run in. isalist is "faked" so that the 32bit build can

be built even when running with a 64bit kernel (see isalist.sh). make is

run by a wrapper script so that "make install" can be run even as a

non-root user (see make.sh).  If modifications are to be make to how the

FIPS Object Module is built the security policy must be consulted to

ensure that the build is still compliant.

The non-fips Build.

---

The "non-fips" build is the main build of OpenSSL and includes the

regular binaries, libraries and header files. The openssl binary from

this build is patched to work with both the fips build of libcrypto and

the non-fips build of libcrypto.

Patches

---

08-6193522.patch

Give CA.pl better defaults. See 6193522 for more information.

11-6546806.patch

Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for

more information.

14-manpage_openssl.patch

Force openssl to install man pages into man[1357]openssl instead of

man[1357].

15-pkcs11_engine-0.9.8a.patch

Patch which adds the pkcs11 engine. See also the pkcs11-engine/

sub-directory. 

18-compiler_opts.patch

Adds four Solaris specific configurations (both 32bit and 64bit for both

sparc and x86) to Configure which are then explicitly used by the

Makefiles.

Care should be taken if modifying this patch as changes to compile-time

options can change the ABI. One example of this is the use of RC4_INT vs

RC4_CHAR.

20-remove_rpath.patch

Prevent build binaries having an unnecessary runpath (/lib).

23-noexstack.patch

Build with non-executable stacks and non-executable data (x86).

25-fips_rand.patch

fips_rand.h assumes that des.h will be found in the same directory. This

is probably normally true however we deliver the FIPS specific header

files into a non-standard location (see above) and so is not true for

Solaris. This patch makes sure that des.h is found by changing

fips_rand.h to look in the system header files for openssl/des.h.

26-openssl_fips.patch

Modifies openssl so that it will run with the non-fips libcrypto as well

as the fips libcrypto. If it is run with the fips libcrypto it can be

run in FIPS mode. Instead of directly using the FIPS specific symbols

they are looked up at runtime. This is necessary as the non-fips

libcrypto won't have the those FIPS specific symbols.

The CRYPTO_NUM_LOCKS pre-processor macro varies between the fips and

non-fips build of libcrypto. A run-time mechanism is available which

returns the number of locks - the CRYPTO_num_locks() function. Using

this function is required if the openssl binary is to be run with both

the fips and non-fips versions of libcrypto. 

opensslconf.patch

Modifies opensslconf.h so that it is suitable for both 32bit and 64bit

installs. OpenSSL either builds for 32bit or 64bit - it doesn't allow

for combined 32bit and 64bit builds.

sparc-01-ccwrap.patch

A sparc only patch which modifies fipsld for the FIPS Capable OpenSSL

build by replacing calls to CC with CCWRAP. CCRWAP (ccwrap.sh) simply

runs the original CC command without the "-g" option.

From the patch:

# Wrap the calls to cc to remove the "-g" option when compiling

# (SPARC only). If "-g" is used on SPARC to build libcrypto.so

# the fingerprint will be incorrectly generated as "-g" promotes

# static symbols to globals which then interacts with the linker to

# produce a changed text section.