#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
#
# PARFAIT_BUILD is set to "no" and exported, so recipes and sub-makes see it.
export PARFAIT_BUILD=no

include ../../../make-rules/shared-macros.mk

# Pin the tool search path instead of using the inherited one: compiler root
# first, then the system, GNU and Perl tool directories.
PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin

COMPONENT_NAME = openssl-fips-140
# COMPONENT_VERSION is the OpenSSL release the FIPS-140 certified libraries
# are built from; the IPS package is versioned after the FIPS canister
# (IPS_COMPONENT_VERSION) instead.
# NOTE(review): the 0.9.8 series no longer receives upstream security fixes;
# keep consumers of this component limited to the FIPS-140 use case.
COMPONENT_VERSION = 0.9.8y
IPS_COMPONENT_VERSION = 1.2
COMPONENT_PROJECT_URL = http://www.openssl.org/
COMPONENT_SRC_NAME = openssl
COMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
# The archive URL is plain http and no signature URL is set in this file, so
# this SHA-256 digest is what ties the download to a known tarball.
# NOTE(review): presumably enforced by the fetch rules in the included
# make-rules -- confirm that a mismatch aborts the build.
COMPONENT_ARCHIVE_HASH = sha256:bbecf13495e612936e3a9860c29c0701413564b7a964bf771a3575eaa867cee3
COMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB = utility/openssl

# SPARC-only patch.  These variables must be set before prep.mk is included
# (see the note in prep.mk).  The SPARC patch file name deliberately does not
# match PATCH_PATTERN, so it is picked up only through EXTRA_PATCHES, which
# expands to PATCH_$(MACH) and is therefore empty on other architectures.
PATCH_sparc = patches/sparc-01-ccwrap.patch
PATCH_PATTERN = [0-9][0-9]*.patch
EXTRA_PATCHES = $(PATCH_$(MACH))

include $(WS_TOP)/make-rules/prep.mk
include $(WS_TOP)/make-rules/configure.mk
include $(WS_TOP)/make-rules/ips.mk
include $(WS_TOP)/make-rules/lint-libraries.mk

# OpenSSL ships its own Configure script rather than an autoconf one.
CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure

# Per-bitness paths consumed by the configure options further down: the
# PKCS#11 library passed to --pk11-libname and the directory passed to
# --enginesdir.  The suffix (32/64, _32/_64) is selected with $(BITS).
PKCS11_LIB32 = /usr/lib/libpkcs11.so.1
PKCS11_LIB64 = /usr/lib/64/libpkcs11.so.1
ENGINESDIR_32 = /lib/openssl/engines
ENGINESDIR_64 = /lib/openssl/engines/64

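# The built openssl/openssl-fips component is used when building the FIPS-140
# libraries; what is done here follows the OpenSSL FIPS-140 User Guide.
# Its build directories are derived from ours by swapping the component
# directory name.  $(subst) performs the rewrite inside make, so the workspace
# path is never expanded unquoted into a shell command line and no process is
# forked each time the variable is referenced.
FIPS_BUILD_DIR_32 = $(subst openssl-0.9.8-fips-140,openssl-fips,$(BUILD_DIR_32))
FIPS_BUILD_DIR_64 = $(subst openssl-0.9.8-fips-140,openssl-fips,$(BUILD_DIR_64))
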
# Options handed to OpenSSL's Configure.  The order of the words is kept
# exactly as they are passed on the command line.
CONFIGURE_OPTIONS  = -DSOLARIS_OPENSSL -DNO_WINDOWS_BRAINDEATH
CONFIGURE_OPTIONS += --openssldir=/etc/openssl
CONFIGURE_OPTIONS += --prefix=/usr
# OpenSSL's own install code is used only for the manual pages, and only for
# the 32-bit version.
CONFIGURE_OPTIONS += --install_prefix=$(PROTO_DIR)
# Algorithms left out of this build.
CONFIGURE_OPTIONS += no-ec no-ecdh no-ecdsa no-rc3 no-rc5 no-mdc2 no-idea
# Bundled hardware engines left out of this build.
CONFIGURE_OPTIONS += \
	no-hw_4758_cca no-hw_aep no-hw_atalla no-hw_chil no-hw_gmp \
	no-hw_ncipher no-hw_nuron no-hw_padlock no-hw_sureware no-hw_ubsec \
	no-hw_cswift
CONFIGURE_OPTIONS += threads shared
# FIPS build: the canister directory is the openssl-fips build directory that
# matches the current $(BITS).
CONFIGURE_OPTIONS += fips --with-fipslibdir="$(FIPS_BUILD_DIR_$(BITS))/fips"

# Solaris-specific compiler and linker option sets, one per word size and
# architecture.  See Configure for more information.
CONFIGURE_OPTIONS32_i386 = solaris-x86-cc-sunw
CONFIGURE_OPTIONS32_sparc = solaris-sparcv8-cc-sunw
CONFIGURE_OPTIONS64_i386 = solaris64-x86_64-cc-sunw
CONFIGURE_OPTIONS64_sparc = solaris64-sparcv9-cc-sunw

# Additional options needed for our engines, followed by the option set
# selected by $(BITS) and $(MACH).
CONFIGURE_OPTIONS += --pk11-libname=$(PKCS11_LIB$(BITS))
CONFIGURE_OPTIONS += --enginesdir=$(ENGINESDIR_$(BITS))
CONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS$(BITS)_$(MACH))

# OpenSSL's configure system has to run inside a fully populated source tree,
# while the Userland configure phase runs from the build directory.  The
# easiest workaround is to clone the whole source tree into the build
# directory for the current architecture before configuring.
COMPONENT_PRE_CONFIGURE_ACTION = ( \
	$(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )

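# We deliver only one opensslconf.h file which must be suitable for both 32 and
# 64 bits.  Depending on the configuration option, OpenSSL's Configure script
# creates opensslconf.h for either 32 or 64 bits.  A patch makes the resulting
# header file usable on both architectures.  The patch was generated against
# the opensslconf.h version from the 32 bit build, so it is applied for
# BITS=32 only.
#
# A patch that does not apply stops the build here: continuing would deliver
# an opensslconf.h that is only valid for one word size.  Likewise
# "$(MAKE) depend" runs only if the change into the build directory worked,
# so it can never be executed in the wrong directory.
COMPONENT_POST_CONFIGURE_ACTION = \
	( if [ $(BITS) -eq 32 ]; then \
	    $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \
	        patches-post-config/opensslconf.patch || exit 1; \
	  fi; \
	  cd $(@D) && $(MAKE) depend; )
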
# ASLR tagging is declared not applicable for what this component builds.
# NOTE(review): ASLR_NOT_APPLICABLE is defined in the shared make-rules;
# confirm this is still right if an executable is ever delivered from here.
ASLR_MODE = $(ASLR_NOT_APPLICABLE)

# The openssl-fips component has to be built and installed before this 0.9.8
# component, because the canister is needed to build the FIPS-140 certified
# libraries.  BITS is unset for the sub-make so that it does not override the
# variable of the same name used in openssl-fips' Makefile; otherwise we would
# end up with both canisters built in 64 (or 32) bits.
# NOTE(review): both stamp files share this recipe, which make treats as two
# independent rules, so a parallel build could start the same install twice --
# confirm this level is never run with -j.
$(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
$(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed:
	( unset BITS; $(MAKE) -C $(COMPONENT_DIR)/../openssl-fips install; )

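# download, clean, and clobber should all propagate to the fips bits.
# The sub-make is chained with && so it runs only after the directory change
# succeeded; with a plain ";" a failed cd would re-run the same goal in this
# directory instead of in ../openssl-fips.
download clobber clean::
	(cd ../openssl-fips && $(GMAKE) $@)
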
# Our engines are not shipped as patches: the files are under continuous
# development and patches would be harder to keep up to date.  Instead the
# engine sources are symlinked into crypto/engine and built by the OpenSSL
# makefiles.  Because these are symlinks, the build compiles whatever is in
# engines/pkcs11 at build time.
COMPONENT_PRE_BUILD_ACTION = ( \
	$(LN) -fs $(COMPONENT_DIR)/engines/pkcs11/* $(@D)/crypto/engine; )

# The OpenSSL 64-bit install does not use <dir>/$(MACH64), so that directory
# is never created and the Userland install code would fail when it installs
# the lint libraries.  Create it up front.
COMPONENT_PRE_INSTALL_ACTION = ( $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )

# ccwrap works around a problem with the cc compiler on SPARC.  The wrapper
# has to be found when it is run from fips/fipsld, so the component directory
# is put at the front of PATH for both the build and the install step.
# NOTE(review): any executable in $(COMPONENT_DIR) now takes precedence over
# the system tool of the same name during build and install; keep that
# directory limited to files this component owns.
COMPONENT_BUILD_ENV += PATH=$(COMPONENT_DIR):$(PATH)
COMPONENT_INSTALL_ENV += PATH=$(COMPONENT_DIR):$(PATH)

# Source preparation waits for both openssl-fips install stamps.
$(SOURCE_DIR)/.prep: \
    $(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
    $(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed

# ccwrap is needed for building the libraries, so it is a prerequisite of
# both the 32-bit and the 64-bit build.
$(BUILD_32_and_64): ccwrap
build: $(BUILD_32_and_64)

# ccwrap is removed again on clobber.
CLOBBER_PATHS += ccwrap

# Install follows what the openssl/openssl-1.0.0 component does; see the
# comment in that component's Makefile for more information.
install: $(INSTALL_32_and_64)

# The default lint flags have to be extended with the include directory of
# the build tree so that lint sees the patched opensslconf.h.  Without that,
# lint complains about md2.h, which is not enabled by default but is enabled
# in our opensslconf.h.
# ":=" captures the default $(LINT_FLAGS) once, here, which lets the
# target-specific assignments below refer to it without becoming
# self-referential.
LFLAGS_32 := -I$(BUILD_DIR_32)/include $(LINT_FLAGS)
LFLAGS_64 := -I$(BUILD_DIR_64)/include $(LINT_FLAGS)

# Use the modified lint flags for our lint library targets only.
$(BUILD_DIR_32)/llib-lcrypto.ln $(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS = $(LFLAGS_32)
$(BUILD_DIR_64)/llib-lcrypto.ln $(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS = $(LFLAGS_64)

# The test goal depends only on whatever $(NO_TESTS) names; that variable is
# defined in the shared make-rules, not in this file.
test: $(NO_TESTS)

# Packages required at build time.
BUILD_PKG_DEPENDENCIES = $(BUILD_TOOLS)

include $(WS_TOP)/make-rules/depend.mk