usr/src/lib/openssl/README
author Cyril Plisko <cyril.plisko@grigale.com>
Tue, 06 Apr 2010 16:00:14 +0300
changeset 11 87960ed158f9
parent 4 834920bc5f09
child 44 6135d8b0a676
permissions -rw-r--r--
Import sfw build 137

Bugs Fixed
----------
6926835 Wireshark cannot open files typed into the location bar
6930214 CVE-2010-0624: Heap-based buffer overflow in GNU Tar
6933424 Various sfw manual pages need to be adjusted to use the new OpenSolaris package names.
6937764 upgrade OpenSSL to 0.9.8n (and fix CVE-2010-0740)


Build Layout
---

OpenSSL is built twice: once for "fips" and once for "non-fips". Both
builds share patches and Configure-time options where possible. It is
very important that the two builds are ABI compatible. All the common
patches are contained in the Patches sub-directory and common
configuration is taken from Makefile.com in the top-level openssl
directory. If a particular build requires a modification which is not
common to both builds then the patch is kept in the build-specific
sub-directory.

In addition to the regular Makefile targets both the fips and non-fips
builds have the following targets:

all32
all64
install32
install64

This makes building any subset easy. For example, to build and install
the 64bit non-fips OpenSSL the following command is used:

$ cd openssl/non-fips
$ make install64


The fips Build
---

The "fips" build has the following deliverables (symbolic links and
architecture specific binaries are excluded):

/lib/openssl/fips-140/libcrypto.so.0.9.8
/usr/include/openssl/fips-140/openssl/fips.h
/usr/include/openssl/fips-140/openssl/fips_rand.h
/usr/include/openssl/fips-140/openssl/opensslconf.h

A build-time requirement for the fips build is the FIPS Object Module.
The FIPS Object Module has very stringent build requirements as
specified in its Security Policy:
http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf

In essence the FIPS Object Module may not be patched or modified in any
way; the build must be performed with "./config [no-asm], make,
make install". The only way to influence the build is by modifying the
environment it is run in. isalist is "faked" so that the 32bit build can
be built even when running with a 64bit kernel (see isalist.sh). make is
run by a wrapper script so that "make install" can be run even as a
non-root user (see make.sh). If modifications are to be made to how the
FIPS Object Module is built the security policy must be consulted to
ensure that the build is still compliant.

The non-fips Build
---

The "non-fips" build is the main build of OpenSSL and includes the
regular binaries, libraries and header files. The openssl binary from
this build is patched to work with both the fips build of libcrypto and
the non-fips build of libcrypto.


Patches
---

08-6193522.patch
Give CA.pl better defaults. See 6193522 for more information.

11-6546806.patch
Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
more information.

14-manpage_openssl.patch
Force openssl to install man pages into man[1357]openssl instead of
man[1357].

15-pkcs11_engine-0.9.8a.patch
Patch which adds the pkcs11 engine. See also the pkcs11-engine/
sub-directory. 

18-compiler_opts.patch
Adds four Solaris specific configurations (both 32bit and 64bit for both
sparc and x86) to Configure which are then explicitly used by the
Makefiles.
Care should be taken if modifying this patch as changes to compile-time
options can change the ABI. One example of this is the use of RC4_INT vs
RC4_CHAR.

20-remove_rpath.patch
Prevent built binaries from having an unnecessary runpath (/lib).

23-noexstack.patch
Build with non-executable stacks and non-executable data (x86).

25-fips_rand.patch
fips_rand.h assumes that des.h will be found in the same directory. This
is probably true in most cases; however, we deliver the FIPS specific
header files into a non-standard location (see above), so it is not
true for Solaris. This patch makes sure that des.h is found by changing
fips_rand.h to look in the system header files for openssl/des.h.

26-openssl_fips.patch
Modifies openssl so that it will run with the non-fips libcrypto as well
as the fips libcrypto. If it is run with the fips libcrypto it can be
run in FIPS mode. The FIPS specific symbols are not used directly;
instead they are looked up at runtime. This is necessary as the non-fips
libcrypto won't have those FIPS specific symbols.
The CRYPTO_NUM_LOCKS pre-processor macro varies between the fips and
non-fips build of libcrypto. A run-time mechanism is available which
returns the number of locks - the CRYPTO_num_locks() function. Using
this function is required if the openssl binary is to be run with both
the fips and non-fips versions of libcrypto.

opensslconf.patch
Modifies opensslconf.h so that it is suitable for both 32bit and 64bit
installs. OpenSSL either builds for 32bit or 64bit - it doesn't allow
for combined 32bit and 64bit builds.

sparc-01-ccwrap.patch
A sparc only patch which modifies fipsld for the FIPS Capable OpenSSL
build by replacing calls to CC with CCWRAP. CCWRAP (ccwrap.sh) simply
runs the original CC command without the "-g" option.
From the patch:
# Wrap the calls to cc to remove the "-g" option when compiling
# (SPARC only). If "-g" is used on SPARC to build libcrypto.so
# the fingerprint will be incorrectly generated as "-g" promotes
# static symbols to globals which then interacts with the linker to
# produce a changed text section.
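
Added example (not code from 26-openssl_fips.patch or from this
project): one way a binary can run against either libcrypto, as that
patch entry describes, by resolving FIPS_mode_set and CRYPTO_num_locks
at run time. The use of dlopen/dlsym, the helper names and the
stand-in lock count of 41 are assumptions made for illustration.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*fips_mode_set_fn)(int);  /* FIPS_mode_set(int onoff) */
typedef int (*num_locks_fn)(void);     /* CRYPTO_num_locks(void) */
struct crypto_caps {
    fips_mode_set_fn fips_mode_set;    /* NULL with the non-fips libcrypto */
    num_locks_fn num_locks;            /* NULL if no libcrypto is loaded */
};

/* Constructed stand-in for CRYPTO_num_locks(); 41 is a made-up value. */
static int sample_num_locks(void) { return 41; }

/* Look a symbol up by name in the running process and its loaded libraries. */
static void *lookup(const char *name)
{
    void *self = dlopen(NULL, RTLD_LAZY);
    return self != NULL ? dlsym(self, name) : NULL;
}

/* Resolve the optional entry points by name instead of referencing them
 * directly, so the binary still starts when a symbol is absent. */
static struct crypto_caps probe_libcrypto(void)
{
    struct crypto_caps c;
    *(void **)&c.fips_mode_set = lookup("FIPS_mode_set");
    *(void **)&c.num_locks = lookup("CRYPTO_num_locks");
    return c;
}

/* Size the lock table from the library's run-time answer; a compile-time
 * CRYPTO_NUM_LOCKS would match only one of the two builds. */
static void **alloc_lock_table(num_locks_fn num_locks, int *count)
{
    *count = num_locks != NULL ? num_locks() : 0;
    return *count > 0 ? calloc((size_t)*count, sizeof(void *)) : NULL;
}

/* Returns 1 only if the loaded libcrypto has FIPS support and accepts it. */
static int enter_fips_mode(const struct crypto_caps *c)
{
    return c->fips_mode_set != NULL && c->fips_mode_set(1) == 1;
}

int main(void)
{
    struct crypto_caps c = probe_libcrypto();
    int n = 0;  /* falls back to the stand-in when libcrypto is not loaded */
    void **locks = alloc_lock_table(c.num_locks ? c.num_locks : sample_num_locks, &n);
    printf("fips-capable: %s, locks: %d, FIPS mode: %s\n",
           c.fips_mode_set ? "yes" : "no", n, enter_fips_mode(&c) ? "on" : "off");
    free(locks);
    return 0;
}
```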