Build Layout
---

OpenSSL is built twice: once for "fips" and once for "non-fips". Both
the fips and non-fips builds share Patches and Configure-time options
where possible. It is very important that they are ABI compatible. All
the common patches are contained in the Patches sub-directory and common
configuration is taken from Makefile.com in the top-level openssl
directory. If a particular build requires a modification which is not
common to both builds then the patch is kept in the build specific
sub-directory.

In addition to the regular Makefile targets both the fips and non-fips
builds have the following targets:

    all32
    all64
    install32
    install64

This makes building any subset easy.
For example, to build and install the 64bit non-fips OpenSSL the
following commands are used:

    $ cd openssl/non-fips
    $ make install64


The fips Build
---

The "fips" build has the following deliverables (symbolic links and
architecture specific binaries are excluded):

    /lib/openssl/fips-140/libcrypto.so.0.9.8
    /usr/include/openssl/fips-140/openssl/fips.h
    /usr/include/openssl/fips-140/openssl/fips_rand.h
    /usr/include/openssl/fips-140/openssl/opensslconf.h

A build-time requirement for the fips build is the FIPS Object Module.
The FIPS Object Module has very stringent build requirements as
specified in its Security Policy:
http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf

In essence the FIPS Object Module may not be patched or modified in any
way; the build must be performed with "./config [no-asm], make,
make install". The only way to influence the build is by modifying the
environment it is run in. isalist is "faked" so that the 32bit build can
be built even when running with a 64bit kernel (see isalist.sh). make is
run by a wrapper script so that "make install" can be run even as a
non-root user (see make.sh). If modifications are to be made to how the
FIPS Object Module is built the security policy must be consulted to
ensure that the build is still compliant.

The non-fips Build
---

The "non-fips" build is the main build of OpenSSL and includes the
regular binaries, libraries and header files. The openssl binary from
this build is patched to work with both the fips build of libcrypto and
the non-fips build of libcrypto.


Patches
---

08-6193522.patch
Give CA.pl better defaults. See 6193522 for more information.

11-6546806.patch
Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
more information.

14-manpage_openssl.patch
Force openssl to install man pages into man[1357]openssl instead of
man[1357].

15-pkcs11_engine-0.9.8a.patch
Patch which adds the pkcs11 engine. See also the pkcs11-engine/
sub-directory.

18-compiler_opts.patch
Adds four Solaris specific configurations (both 32bit and 64bit for both
sparc and x86) to Configure which are then explicitly used by the
Makefiles.
Care should be taken if modifying this patch as changes to compile-time
options can change the ABI. One example of this is the use of RC4_INT vs
RC4_CHAR.

20-remove_rpath.patch
Prevent built binaries having an unnecessary runpath (/lib).

23-noexstack.patch
Build with non-executable stacks and non-executable data (x86).

25-fips_rand.patch
fips_rand.h assumes that des.h will be found in the same directory. This
is probably normally true; however, we deliver the FIPS specific header
files into a non-standard location (see above), so it is not true for
Solaris. This patch makes sure that des.h is found by changing
fips_rand.h to look in the system header files for openssl/des.h.

26-openssl_fips.patch
Modifies openssl so that it will run with the non-fips libcrypto as well
as the fips libcrypto. If it is run with the fips libcrypto it can be
run in FIPS mode. Instead of directly using the FIPS specific symbols
they are looked up at runtime. This is necessary as the non-fips
libcrypto won't have those FIPS specific symbols.
The CRYPTO_NUM_LOCKS pre-processor macro varies between the fips and
non-fips build of libcrypto. A run-time mechanism is available which
returns the number of locks - the CRYPTO_num_locks() function. Using
this function is required if the openssl binary is to be run with both
the fips and non-fips versions of libcrypto.

opensslconf.patch
Modifies opensslconf.h so that it is suitable for both 32bit and 64bit
installs. OpenSSL either builds for 32bit or 64bit - it doesn't allow
for combined 32bit and 64bit builds.

sparc-01-ccwrap.patch
A sparc only patch which modifies fipsld for the FIPS Capable OpenSSL
build by replacing calls to CC with CCWRAP. CCWRAP (ccwrap.sh) simply
runs the original CC command without the "-g" option.
From the patch:

    # Wrap the calls to cc to remove the "-g" option when compiling
    # (SPARC only). If "-g" is used on SPARC to build libcrypto.so
    # the fingerprint will be incorrectly generated as "-g" promotes
    # static symbols to globals which then interacts with the linker to
    # produce a changed text section.
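
The kind of wrapper described for sparc-01-ccwrap.patch, as an added
sketch; it is not the project's ccwrap.sh, which is not reproduced in
this README. REAL_CC and run_cc_without_g are hypothetical names, and the
command line in the demo is constructed.

```shell
#!/bin/sh
# Added example, not the project's ccwrap.sh.
# Runs the real compiler with every exact "-g" argument removed, so the
# objects that feed the FIPS fingerprint are built without debug info.
# REAL_CC (assumed name) holds the real compiler; it defaults to "cc".

run_cc_without_g() {
    real_cc=${REAL_CC:-cc}
    n=$#
    # Rotate through the positional parameters exactly once: take the
    # first argument off the front and re-append it unless it is "-g".
    # Working on "$@" keeps arguments that contain spaces intact, which
    # a plain string rebuild such as args="$args $arg" would not.
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        # Only the exact "-g" flag is dropped; flags that merely start
        # with "-g" are passed through unchanged.
        [ "$arg" = "-g" ] || set -- "$@" "$arg"
        n=$((n - 1))
    done
    # The compiler's exit status becomes the wrapper's exit status, so
    # make still stops on a failed compile.
    "$real_cc" "$@"
}

# Demo on a constructed command line; "echo" stands in for the compiler
# and prints the arguments it would have received.
REAL_CC=echo
run_cc_without_g -g -KPIC -c "fips demo.c" -o fips_demo.o
```

Because the filter changes only the argument list, the wrapper stays
within the README's constraint that the build may be influenced only
through its environment.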