23 |
23 |
24 |
24 |
25 Build Layout |
25 Build Layout |
26 --- |
26 --- |
27 |
27 |
28 OpenSSL build is run four times. Once for regular dynamic 1.0.1 non-fips, once |
28 OpenSSL build is run four times. Once for regular dynamic non-fips, once |
29 for static 1.0.1 bits to link with standalone wanboot binary, once for 1.0.1 |
29 for static bits to link with standalone wanboot binary, once for fips-140, |
30 fips-140, and once for 1.0.1 FIPS-140 canister (in the openssl-fips component) |
30 and once for FIPS-140 canister (in the openssl-fips component) |
31 needed to build 1.0.1 FIPS-140 certified libraries. All builds apart from |
31 needed to build FIPS-140 certified libraries. All builds apart from |
32 static libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL |
32 static libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL |
33 is built seven times. OpenSSL for wanboot is only built on sparc. |
33 is built seven times. OpenSSL for wanboot is only built on sparc. |
34 |
34 |
35 See also comments in all the Makefiles for more information. |
35 See also comments in all the Makefiles for more information. |
36 |
36 |
37 OpenSSL Version |
37 OpenSSL Version |
38 --- |
38 -------------- |
39 |
|
40 For non-FIPS build, we currently deliver OpenSSL 1.0.1 with some updates |
|
41 from OpenSSL 1.0.2 to make T4 instructions embedded in the OpenSSL |
|
42 upstream code. As of April 2013, 1.0.2 is not yet released, and therefore, |
|
43 we have decided to patch the code. |
|
44 The following files/code are copied in from 1.0.2. |
|
45 added: |
|
46 components/openssl/openssl-1.0.1/inline-t4/aest4-sparcv9.pl |
|
47 components/openssl/openssl-1.0.1/inline-t4/dest4-sparcv9.pl |
|
48 components/openssl/openssl-1.0.1/inline-t4/md5-sparcv9.pl |
|
49 components/openssl/openssl-1.0.1/inline-t4/sparc_arch.h |
|
50 components/openssl/openssl-1.0.1/inline-t4/sparct4-mont.pl |
|
51 components/openssl/openssl-1.0.1/inline-t4/sparcv9_modes.pl |
|
52 components/openssl/openssl-1.0.1/inline-t4/sparcv9-gf2m.pl |
|
53 components/openssl/openssl-1.0.1/inline-t4/vis3-mont.pl |
|
54 components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch |
|
55 |
|
56 |
39 |
57 The non-fips Build. |
40 The non-fips Build. |
58 --- |
41 --- |
59 |
42 |
60 The non-fips build is the 'default' build of OpenSSL and includes the regular |
43 The non-fips build is the 'default' build of OpenSSL and includes the regular |
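Review bot: the 'OpenSSL Version' heading near the top of this hunk survives the change as an empty section: its underline is widened on the new side while the whole body (the explanation that the non-FIPS build delivers 1.0.1 plus T4 back-ports from 1.0.2, and the list of files copied in under components/openssl/openssl-1.0.1/inline-t4/) is deleted, so the heading now runs straight into 'The non-fips Build.' Either drop the heading too or give the section a one-sentence body naming the version that openssl-default now delivers and, if the inline-t4 files still ship, their path under the renamed directory. Smaller point in the same hunk: the 'Build Layout' sentence now says 'once for fips-140, and once for FIPS-140 canister'; the hunk already edits that sentence, so pick one spelling.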
95 |
78 |
96 In order to determine which openssl object files are required for wanboot, |
79 In order to determine which openssl object files are required for wanboot, |
97 first build static standalone openssl bits in Userland. As a site effect, |
80 first build static standalone openssl bits in Userland. As a site effect, |
98 static libraries libssl.a and libcrypto.a are created in build/sparcv9-wanboot. |
81 static libraries libssl.a and libcrypto.a are created in build/sparcv9-wanboot. |
99 |
82 |
100 $ cd $USERLAND/components/openssl/openssl-1.0.1 ; gmake build |
83 $ cd $USERLAND/components/openssl/openssl-default ; gmake build |
101 |
84 |
102 Next, collect some information from linking wanboot static libraries in ON. |
85 Next, collect some information from linking wanboot static libraries in ON. |
103 This can be done by the following hack. |
86 This can be done by the following hack. |
104 |
87 |
105 $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4 |
88 $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4 |
106 $ touch wanboot.o |
89 $ touch wanboot.o |
107 $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \ |
90 $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \ |
108 -L$USERLAND/components/openssl/openssl-1.0.1/build/sparcv9-wanboot " \ |
91 -L$USERLAND/components/openssl/openssl-default/build/sparcv9-wanboot " \ |
109 WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all |
92 WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all |
110 |
93 |
111 The following sort of information ends up in ld.dbg (note that the debugging |
94 The following sort of information ends up in ld.dbg (note that the debugging |
112 output from the link-editor is not considered a 'stable interface' and may |
95 output from the link-editor is not considered a 'stable interface' and may |
113 change in the future): |
96 change in the future): |
114 |
97 |
115 debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.1/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
98 debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-default/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
116 debug: |
99 debug: |
117 debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.1/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
100 debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-default/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
118 debug: symbol[1]=sparcv9cap.c |
101 debug: symbol[1]=sparcv9cap.c |
119 .... |
102 .... |
120 |
103 |
121 Now run the following script in Userland: |
104 Now run the following script in Userland: |
122 |
105 |
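Review bot: 'As a site effect' in the unchanged first paragraph of this hunk should read 'As a side effect'; the neighbouring lines are already touched for the openssl-1.0.1 to openssl-default rename, so fix the typo in the same change. The sample ld.dbg lines further down were updated only by substituting the directory name inside the /builds/tkuthan/ul-wanboot-rebuilt/ paths; the text itself says the link-editor debug output is not a stable interface, so regenerate the sample from an actual build of the renamed component rather than hand-editing it, and consider a neutral placeholder in place of the personal workspace path.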
239 |
222 |
240 Common patch files are located in the components/openssl/common/patches dir, |
223 Common patch files are located in the components/openssl/common/patches dir, |
241 and they are copied to both FIPS and non-FIPS 'patches' dir as soon as the |
224 and they are copied to both FIPS and non-FIPS 'patches' dir as soon as the |
242 Makefile is parsed. The Common patch filename has prefix '0', |
225 Makefile is parsed. The Common patch filename has prefix '0', |
243 |
226 |
244 ---- |
|
245 |
|
246 008-6193522.patch |
|
247 Give CA.pl better defaults. See 6193522 for more information. |
|
248 |
|
249 011-6546806.patch |
|
250 Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for |
|
251 more information. |
|
252 |
|
253 015-pkcs11_engine-0.9.8a.patch |
|
254 Patch which adds the pkcs11 engine. See also the engine/pkcs11 |
|
255 sub-directory. |
|
256 |
|
257 018-compiler_opts.patch |
|
258 Adds five Solaris specific configurations (both 32bit and 64bit for both sparc |
|
259 and x86, plus 64bit sparc for wanboot) to Configure which are then explicitly |
|
260 used by the Makefiles. Wanboot configuration is special in that it doesn't link |
|
261 with libc and uses -xF=%all to put functions in separate sections, so that |
|
262 unused code can be discarded. |
|
263 |
|
264 Care should be taken if modifying this patch as changes to compile-time options |
|
265 can change the ABI. One example of this is the use of RC4_INT vs RC4_CHAR. |
|
266 |
|
267 020-remove_rpath.patch |
|
268 Prevent build binaries having an unnecessary runpath (/lib). |
|
269 |
|
270 023-noexstack.patch |
|
271 Build with non-executable stacks and non-executable data (x86). |
|
272 |
|
273 027-6978791.patch |
|
274 Modifies Makefile.shared so that libssl is built with -znodelete. |
|
275 |
|
276 028-enginesdir.patch |
|
277 Adds a new "enginesdir" option to the Configure script which allows a user to |
|
278 specify the engines directory. |
|
279 |
|
280 029-fork_safe.patch |
|
281 Adds the code to setup internal mutexes and callback function. |
|
282 See PSARC/2014/077. |
|
283 |
|
284 032-aes_cbc_len_check.patch |
|
285 AES-CBC input length is checked to avoid segmentation fault. |
|
286 |
|
287 033-cert_chain.patch |
|
288 Fixes the certificate chain bug. |
|
289 |
|
290 036-evp_leak.patch |
|
291 Fixes the memory leak bug. |
|
292 |
|
293 038_remove_illegal_instruction_calls.patch |
|
294 SPARC patch. Solaris-only patch. |
|
295 For instructions in sparcv9cap.c, remove if not supported on any platforms. |
|
296 Otherwise modify them to call getisax() to check for HW capability instead. |
|
297 |
|
298 039-internal_tests.patch |
|
299 Remove test 'test_ca' because it depends on directories not present in the |
|
300 build directory. |
|
301 |
|
302 ========================= |
227 ========================= |
303 Non-FIPS specific Patches |
228 Non-FIPS specific Patches |
304 ========================= |
229 ========================= |
305 |
230 |
306 Non-FIPS specific patch files are located in the |
231 Non-FIPS specific patch files are located in the |
307 components/openssl/openssl-1.0.1/patches dir. |
232 components/openssl/openssl-default/patches dir. |
308 The Non-FIPS specific patch filename has prefix '1', |
233 The Non-FIPS specific patch filename has prefix '1', |
309 |
234 |
310 ---- |
|
311 101-manpage_openssl.patch |
|
312 Force openssl to install man pages into man[1357]openssl instead of man[1357]. |
|
313 |
|
314 102-wanboot.patch: |
|
315 Wanboot specific patches. |
|
316 - modified Makefiles not to build in engines apps test tools |
|
317 - not using vfprintf for error print in crypto/cryptlib.c |
|
318 - not using ERR_load_DSO_strings() in crypto/err/err_all.c |
|
319 - not using EVP_read_pw_string() in crypto/evp/evp_key.c |
|
320 - reading password is implemented in disabled DES library |
|
321 - avoid select() in crypto/rand/rand_unix.c |
|
322 - direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c |
|
323 - using functions from libsock in e_os.h |
|
324 - by-passing version of sparc detection in crypto/sparcv9cap.c |
|
325 - results in not using FPU for big numbers multiplication |
|
326 - should be ok - original detection seems broken, FPU gets never used |
|
327 - implementation of atoi() |
|
328 - avoid using ssl_fill_hello_random() in s3_clnt.c |
|
329 |
|
330 103-openssl_t4_inline.patch |
|
331 Add patch to support inline T4 instruction in OpenSSL upstream code until |
|
332 OpenSSL 1.0.2 is released. |
|
333 |
|
334 104-suppress_v8plus_abi_warnings.patch |
|
335 Suppress warnings about sparcv8+ ABI violation when building T4-specific |
|
336 modules as 32-bit. |
|
337 |
|
338 ========================= |
235 ========================= |
339 FIPS specific Patches |
236 FIPS specific Patches |
340 ========================= |
237 ========================= |
341 |
238 |
342 FIPS specific patch files are located in the |
239 FIPS specific patch files are located in the |
343 components/openssl/openssl-1.0.1-fips-140/patches dir. |
240 components/openssl/openssl-fips-140/patches dir. |
344 The FIPS specific patch filename has prefix '2', |
241 The FIPS specific patch filename has prefix '2', |
345 |
|
346 --- |
|
347 201-openssl_fips.patch |
|
348 Change openssl(1) to call the FIPS routines only if the fips mediator is activated. |
|
349 |
|
350 202-17952966.patch |
|
351 FIPS version needs to build with '-lc' explicitly with stuido 12.3 and above. |
|