#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
#

include ../../../make-rules/shared-macros.mk

# Replace PATH with a fixed, explicit search list rather than using whatever
# the caller's environment supplied.  When PARFAIT_BUILD is "yes" the directory
# named by PARFAIT_TOOLS is searched first; otherwise the list starts at the
# compiler's bin directory.
# NOTE(review): PATH normally arrives from the environment, in which case make
# hands this value on to recipe shells - confirm for this build setup.
ifeq ($(strip $(PARFAIT_BUILD)),yes)
PATH = $(PARFAIT_TOOLS):$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
else
PATH = $(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
endif

COMPONENT_NAME = openssl-fips-140

# COMPONENT_VERSION is the OpenSSL release that is compiled into the FIPS-140
# certified libraries.  The IPS package, however, carries the version of the
# FIPS canister (IPS_COMPONENT_VERSION), not the OpenSSL version.
# NOTE(review): 1.0.1p is an old release of a branch upstream has since
# retired - confirm how security fixes reach this component.
COMPONENT_VERSION = 1.0.1p
IPS_COMPONENT_VERSION = 2.0.6

COMPONENT_PROJECT_URL = http://www.openssl.org/
COMPONENT_SRC_NAME = openssl
COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz

# The archive URL below is plain http://, so this SHA-256 value is the only
# integrity information for the download that this file carries.
# NOTE(review): presumably the shared fetch/prep rules compare the downloaded
# archive against it - confirm; the check itself is not visible here.
COMPONENT_ARCHIVE_HASH = sha256:bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB = library/openssl

TPNO = 23452

# Gather the shared patches (../common/patches/) and this component's own
# patches/ into one directory, patches-all, which is also removed on clean.
# COPY_COMMON_FILES exists only for its side effect: the := assignment makes
# $(shell ...) run rsync while the Makefile is being parsed, so PATCH_DIR must
# already be set on the line above it.  rsync -c compares files by checksum
# rather than by size and timestamp.
# NOTE(review): $(shell ...) does not report rsync's exit status, so a failed
# or partial copy is not detected here - confirm that a later step notices a
# missing patch.
PATCH_DIR = patches-all
CLEAN_PATHS += $(PATCH_DIR)
COPY_COMMON_FILES := $(shell rsync -ac ../common/patches/ patches/ $(PATCH_DIR))

# Location of the sibling component that builds the FIPS canister.
OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips

include $(WS_MAKE_RULES)/prep.mk
include $(WS_MAKE_RULES)/configure.mk
include $(WS_MAKE_RULES)/ips.mk
include $(WS_MAKE_RULES)/lint-libraries.mk

# OpenSSL ships its own Configure script instead of an autoconf-generated one.
CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure

# Per-bitness locations of the PKCS#11 library and of the engines directory.
# The configure options further down pick the right one through $(BITS).
PKCS11_LIB32  = /usr/lib/libpkcs11.so.1
PKCS11_LIB64  = /usr/lib/64/libpkcs11.so.1
ENGINESDIR_32 = /lib/openssl/engines
ENGINESDIR_64 = /lib/openssl/engines/64

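# The FIPS-140 libraries are built against the output of the already built
# openssl/openssl-fips component, following the OpenSSL FIPS-140 User Guide.
# Its build directories are derived from ours by swapping the component
# directory name inside the path.
#
# The substitution is done with make's own $(subst) instead of piping the path
# through "echo | sed" in $(shell ...): the path is then never word-split or
# otherwise interpreted by a shell, the dots in "1.0.1" are matched literally
# rather than as regex wildcards, and no process is forked each time the
# variable is expanded.  The assignment stays recursive (=) so BUILD_DIR_32/64
# are looked up when the value is used.
FIPS_BUILD_DIR_32 = $(subst openssl-1.0.1-fips-140,openssl-fips,$(BUILD_DIR_32))
FIPS_BUILD_DIR_64 = $(subst openssl-1.0.1-fips-140,openssl-fips,$(BUILD_DIR_64))
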
# Options handed to OpenSSL's Configure.  The order of the words is kept
# exactly as before; only the grouping of the assignments differs.
CONFIGURE_OPTIONS = -DSOLARIS_OPENSSL -DNO_WINDOWS_BRAINDEATH
CONFIGURE_OPTIONS += --openssldir=/etc/openssl --prefix=/usr

# OpenSSL's own install code is used only for the manual pages, and only for
# the 32-bit build.
CONFIGURE_OPTIONS += --install_prefix=$(PROTO_DIR)

# Algorithms that are left out of the build.
CONFIGURE_OPTIONS += no-ec2m no-rc3 no-rc5 no-mdc2 no-idea

# Bundled hardware engines that are left out of the build.
CONFIGURE_OPTIONS += \
    no-hw_4758_cca \
    no-hw_aep \
    no-hw_atalla \
    no-hw_chil \
    no-hw_gmp \
    no-hw_ncipher \
    no-hw_nuron \
    no-hw_padlock \
    no-hw_sureware \
    no-hw_ubsec \
    no-hw_cswift

CONFIGURE_OPTIONS += threads shared

# FIPS mode: the canister is taken from the openssl-fips build directory that
# matches the current bitness.
CONFIGURE_OPTIONS += fips --with-fipslibdir="$(FIPS_BUILD_DIR_$(BITS))/fips/"
CONFIGURE_OPTIONS += --with-fipsdir="$(BUILD_DIR_$(BITS))"

# MD2 is not enabled by default in OpenSSL, but some software in Userland
# needs it (nmap is one example).  It is a legacy digest kept for
# compatibility only.
CONFIGURE_OPTIONS += enable-md2 no-seed

# The SSLv2 and SSLv3 protocols are compiled out.
CONFIGURE_OPTIONS += no-ssl2 no-ssl3

# Solaris-specific compiler and linker option sets, one per bitness and
# architecture.  See Configure for what each name stands for.
CONFIGURE_OPTIONS32_i386  = solaris-x86-cc-sunw
CONFIGURE_OPTIONS32_sparc = solaris-fips-sparcv9-cc-sunw
CONFIGURE_OPTIONS64_i386  = solaris64-x86_64-cc-sunw
CONFIGURE_OPTIONS64_sparc = solaris64-fips-sparcv9-cc-sunw

# Extra options for our engines, followed by the option set chosen above for
# the current $(BITS)/$(MACH) combination.
CONFIGURE_OPTIONS += --pk11-libname=$(PKCS11_LIB$(BITS))
CONFIGURE_OPTIONS += --enginesdir=$(ENGINESDIR_$(BITS))
CONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS$(BITS)_$(MACH))

# OpenSSL's configure system has to run inside a fully populated source tree,
# whereas the Userland configure phase runs in the build directory.  The
# simplest workaround is to clone the whole source tree into the build
# directory for the current bitness before configuring.
COMPONENT_PRE_CONFIGURE_ACTION = ( $(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )

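# Only one opensslconf.h is delivered, and it must suit both 32 and 64 bits.
# Depending on the configuration option, OpenSSL's Configure script creates
# opensslconf.h for either 32 or 64 bits.  A patch makes the resulting header
# usable on both; it was generated against the header from the 32-bit build,
# so it is applied in that build only.  "make depend" then runs in the build
# directory for either bitness.
#
# The patch path is relative to the component directory, which is why the cd
# happens only after patching.  A failed patch now fails the whole action:
# previously the commands were joined with ';', so the exit status came from
# "make depend" alone and a 32-bit-only header could be delivered unnoticed.
# Likewise "make depend" is run only if the cd succeeded.
COMPONENT_POST_CONFIGURE_ACTION = \
	( if [ $(BITS) -eq 32 ]; then \
	    $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \
	        patches-post-config/opensslconf.patch || exit 1; \
	  fi; \
	  cd $(@D) && $(MAKE) depend; )
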
# Request address space layout randomization for the binaries of this
# component.
# NOTE(review): how ASLR_MODE is applied at link time is defined by the shared
# make rules, not in this file.
ASLR_MODE = $(ASLR_ENABLE)

# The openssl-fips component has to be built before this 1.0.1 component,
# because the canister it produces is required to build the FIPS-140 certified
# libraries.  BITS is unset for the sub-make: left in place it would override
# the variable of the same name in openssl-fips' Makefile, and both canisters
# would end up built for 64 (or 32) bits.
# NOTE(review): the two stamp files share one recipe; under parallel make the
# sub-make may be started once per missing stamp - confirm that is harmless.
$(OPENSSL_FIPS_DIR)/build/$(MACH32)/.installed \
$(OPENSSL_FIPS_DIR)/build/$(MACH64)/.installed:
	( unset BITS; $(MAKE) -C $(OPENSSL_FIPS_DIR) install; )

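# download, clean, and clobber should all propagate to the fips bits.
# The sub-make is chained with && rather than ';': if the cd fails, the
# target must not be re-run in this directory, where the same rule would
# invoke itself again.
download clobber clean::
	(cd ../openssl-fips && $(GMAKE) $@)
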
# Our engines are not shipped as patches, since that would make files under
# continuous development harder to update.  They are linked into the engines
# directory instead and built by OpenSSL's own makefiles.
# The FIPS-specific headers and tools needed to build the FIPS version of
# OpenSSL are linked in from the FIPS module as well: fips.h, fipssyms.h and
# fips_rand.h go to include/openssl; fipsld, fips_standalone_sha1 and
# fips_premain_dso go to bin.  All of these are symlinks, so the build uses
# whatever those paths contain at build time.
# NOTE(review): the commands are joined with ';', so only the status of the
# last ln decides whether the action succeeds - confirm that is intended.
FIPS_CANISTER_FIPS_DIR = $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips

COMPONENT_PRE_BUILD_ACTION = \
	( $(LN) -fs $(COMPONENT_DIR)/engines/pkcs11/* $(@D)/engines; \
	  $(MKDIR) $(@D)/bin; \
	  $(LN) -fs $(FIPS_CANISTER_FIPS_DIR)/fips.h $(@D)/include/openssl; \
	  $(LN) -fs $(FIPS_CANISTER_FIPS_DIR)/fipssyms.h $(@D)/include/openssl; \
	  $(LN) -fs $(FIPS_CANISTER_FIPS_DIR)/rand/fips_rand.h $(@D)/include/openssl; \
	  $(LN) -fs $(FIPS_CANISTER_FIPS_DIR)/fipsld $(@D)/bin/; \
	  $(LN) -fs $(OPENSSL_FIPS_DIR)/build/$(MACH$(BITS))/fips/fips_standalone_sha1 $(@D)/bin/; \
	  $(LN) -fs $(COMPONENT_DIR)/build/$(MACH$(BITS))/fips_premain_dso $(@D)/bin/;)

# OpenSSL's 64-bit install does not use <dir>/$(MACH64), so that directory is
# never created and the Userland install code would fail when it installs the
# lint libraries.  Create it up front.
COMPONENT_PRE_INSTALL_ACTION = \
	( $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )

# Source preparation waits until both openssl-fips install stamps exist.
$(SOURCE_DIR)/.prep: $(OPENSSL_FIPS_DIR)/build/$(MACH32)/.installed
$(SOURCE_DIR)/.prep: $(OPENSSL_FIPS_DIR)/build/$(MACH64)/.installed

# Configure and build for both 32 and 64 bits.
configure: $(CONFIGURE_32_and_64)

build: $(BUILD_32_and_64)

# Install follows what the openssl/openssl-1.0.0 component does; the comment
# in that component's Makefile has the details.
install: $(INSTALL_32_and_64)

# lint has to see the patched opensslconf.h from the build directory.
# Otherwise it complains about md2.h, which is not enabled by default but is
# enabled in our opensslconf.h.  The flags are captured with := so that the
# current value of LINT_FLAGS is taken once, before the target-specific
# overrides below point LINT_FLAGS at these variables.
LFLAGS_32 := -I$(BUILD_DIR_32)/include $(LINT_FLAGS)
LFLAGS_64 := -I$(BUILD_DIR_64)/include $(LINT_FLAGS)

# Use the modified flags for our lint library targets only.
$(BUILD_DIR_32)/llib-lcrypto.ln $(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32)
$(BUILD_DIR_64)/llib-lcrypto.ln $(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64)

# The tests run from here are OpenSSL's internal unit tests only.  Regression
# testing is covered by the separate STC test suites 'openssl' and
# 'openssl-engine'.
COMPONENT_TEST_TARGETS = test

test: $(TEST_32_and_64)

system-test: $(SYSTEM_TESTS_NOT_IMPLEMENTED)

# Packages that must be present to build this component.
REQUIRED_PACKAGES += developer/build/makedepend
REQUIRED_PACKAGES += system/library