#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
#
# Set and export PARFAIT_BUILD=no before the shared macros are read, so both
# the included make-rules and every child process see it.
# NOTE(review): presumably this opts the component out of the Parfait
# static-analysis build -- confirm the opt-out is still wanted for a crypto
# library.
PARFAIT_BUILD = no
export PARFAIT_BUILD

include ../../../make-rules/shared-macros.mk

# Replace the inherited PATH with a fixed list, so tools are looked up in the
# same directories no matter what the invoking environment contained.
# SPRO_VROOT is not set in this file; it is expected from the include above.
PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin

COMPONENT_NAME =		openssl-fips-140
# COMPONENT_VERSION is the OpenSSL release used to build the FIPS-140 certified
# libraries; the IPS package is versioned after the FIPS canister instead
# (IPS_COMPONENT_VERSION).
COMPONENT_VERSION =		1.0.1e
IPS_COMPONENT_VERSION =		2.0.5
COMPONENT_PROJECT_URL=		http://www.openssl.org/
COMPONENT_SRC_NAME =		openssl
COMPONENT_SRC =			$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE =		$(COMPONENT_SRC).tar.gz
# The archive URL below is built on a plain http:// project URL, so the pinned
# sha256 is the only integrity check on the tarball that is visible in this
# file.  Take any replacement hash from a trusted channel, never from the
# download it is meant to verify.
# NOTE(review): presumably the download rules in make-rules enforce this hash
# -- confirm.
COMPONENT_ARCHIVE_HASH=		sha256:f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3
COMPONENT_ARCHIVE_URL =		$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB=		utility/openssl

# Directory of the sibling component that carries OpenSSL FIPS 2.0.5.
OPENSSL_FIPS_DIR =		$(COMPONENT_DIR)/../openssl-fips

# Only patch files whose names start with two digits match this pattern.  A
# SPARC-only patch deliberately does not match it, so that it can be listed in
# EXTRA_PATCHES and applied on SPARC alone.
# NOTE(review): the original wording refers to "the SPARC patch above", but no
# such patch or EXTRA_PATCHES assignment is visible in this Makefile -- confirm
# whether the remark is stale.
PATCH_PATTERN =	[0-9][0-9]*.patch

# Shared Userland rule sets: source preparation, configure, IPS packaging and
# lint libraries.
include $(WS_TOP)/make-rules/prep.mk
include $(WS_TOP)/make-rules/configure.mk
include $(WS_TOP)/make-rules/ips.mk
include $(WS_TOP)/make-rules/lint-libraries.mk

# OpenSSL ships its own Configure script rather than an autoconf-generated one.
CONFIGURE_SCRIPT =	$(SOURCE_DIR)/Configure

# Per-bitness values; the configure options below pick one of each pair by
# appending $(BITS) to the variable name.
PKCS11_LIB32 =		/usr/lib/libpkcs11.so.1
PKCS11_LIB64 =		/usr/lib/64/libpkcs11.so.1
ENGINESDIR_32 =		/lib/openssl/engines
ENGINESDIR_64 =		/lib/openssl/engines/64

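# The FIPS-140 libraries are built against the already built
# openssl/openssl-fips component, following the OpenSSL FIPS-140 User Guide.
# Its build directories are derived from ours by swapping the component
# directory name in the path.
#
# $(subst) does the replacement inside make: no shell and sed are forked each
# time these recursively expanded variables are referenced, the path is never
# word-split or interpreted by a shell, and the dots in the directory name are
# matched literally instead of as regex wildcards.
#
# NOTE(review): if the path does not contain "openssl-1.0.1-fips-140" the
# substitution silently changes nothing, and --with-fipslibdir would then
# point into this component's own build tree.  Re-check the name whenever the
# component directory is moved or renamed.
FIPS_BUILD_DIR_32 = $(subst openssl-1.0.1-fips-140,openssl-fips,$(BUILD_DIR_32))
FIPS_BUILD_DIR_64 = $(subst openssl-1.0.1-fips-140,openssl-fips,$(BUILD_DIR_64))
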
# Base option set handed to OpenSSL's Configure.  The order of the words is
# the same as in the one-option-per-line form this replaces.
CONFIGURE_OPTIONS  =	-DSOLARIS_OPENSSL -DNO_WINDOWS_BRAINDEATH
CONFIGURE_OPTIONS +=	--openssldir=/etc/openssl --prefix=/usr
# OpenSSL's own install code is used for the manual pages only, and only for
# the 32-bit build.
CONFIGURE_OPTIONS +=	--install_prefix=$(PROTO_DIR)
# Algorithms left out of this build.
CONFIGURE_OPTIONS +=	no-ec2m no-rc3 no-rc5 no-mdc2 no-idea
# Hardware engines left out of this build.
CONFIGURE_OPTIONS +=	no-hw_4758_cca no-hw_aep no-hw_atalla no-hw_chil \
			no-hw_gmp no-hw_ncipher no-hw_nuron no-hw_padlock \
			no-hw_sureware no-hw_ubsec no-hw_cswift
CONFIGURE_OPTIONS +=	threads shared
# FIPS build: --with-fipslibdir is the fips/ directory under the openssl-fips
# build tree for the current $(BITS); --with-fipsdir is this component's own
# build directory for the same $(BITS).
CONFIGURE_OPTIONS +=	fips --with-fipslibdir="$(FIPS_BUILD_DIR_$(BITS))/fips/"
CONFIGURE_OPTIONS +=	--with-fipsdir="$(BUILD_DIR_$(BITS))"

# MD2 is not enabled by default in OpenSSL, but some software in Userland
# still needs it; nmap is one example.
# NOTE(review): MD2 is a broken legacy digest and not a FIPS-approved
# algorithm.  Presumably it is only reachable when the library is not running
# in FIPS mode -- confirm, and re-check periodically whether any consumer
# still requires it.
CONFIGURE_OPTIONS +=	enable-md2
# SEED is left out of this build.
CONFIGURE_OPTIONS +=	no-seed

# Solaris-specific compiler and linker option sets, one per bitness and
# machine type.  The names are targets defined in Configure; see that script
# for what each one contains.
CONFIGURE_OPTIONS32_i386 =	solaris-x86-cc-sunw
CONFIGURE_OPTIONS32_sparc =	solaris-sparcv8-cc-sunw
CONFIGURE_OPTIONS64_i386 =	solaris64-x86_64-cc-sunw
CONFIGURE_OPTIONS64_sparc =	solaris64-sparcv9-cc-sunw

# Additional options needed for our engines: the PKCS#11 library and engines
# directory matching $(BITS), then the Configure target chosen from the table
# above by $(BITS) and $(MACH).
CONFIGURE_OPTIONS +=	--pk11-libname=$(PKCS11_LIB$(BITS))
CONFIGURE_OPTIONS +=	--enginesdir=$(ENGINESDIR_$(BITS))
CONFIGURE_OPTIONS +=	$(CONFIGURE_OPTIONS$(BITS)_$(MACH))

# OpenSSL's configure system has to run from a fully populated source
# directory, whereas Userland runs the configure phase from the build
# directory.  The simplest workaround is to replicate the source tree into the
# per-architecture build directory with $(CLONEY) before configuring.
COMPONENT_PRE_CONFIGURE_ACTION = \
    ( $(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )

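# Only one opensslconf.h is delivered, and it must suit both 32 and 64 bits.
# Configure writes a header for whichever bitness it was invoked for, so a
# patch (generated against the header from the 32-bit build) is applied to the
# 32-bit copy to make it usable on both architectures.  "make depend" is then
# run in the build directory for either bitness.
#
# Failures stop the action instead of being skipped over:
#   - a rejected patch exits non-zero, so an unpatched (32-bit only) header is
#     never carried forward into the delivered package unnoticed;
#   - "cd ... &&" keeps "$(MAKE) depend" from running in the wrong directory
#     when the build directory cannot be entered.
# The explicit "if" leaves the 64-bit case unchanged: the patch step is simply
# not run.
COMPONENT_POST_CONFIGURE_ACTION = \
    ( if [ $(BITS) -eq 32 ]; then \
          $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \
              patches-post-config/opensslconf.patch || exit 1; \
      fi; \
      cd $(@D) && $(MAKE) depend; )
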
# ASLR tagging is declared as not applicable for this component.
# NOTE(review): ASLR_NOT_APPLICABLE is not defined in this file.  Confirm that
# the package delivers no executables, since this setting would presumably
# leave them untagged.
ASLR_MODE =	$(ASLR_NOT_APPLICABLE)

# The openssl-fips component has to be built before this 1.0.1 component,
# because the canister it produces is needed to build the FIPS-140 certified
# libraries.  BITS is unset for the sub-make: left in the environment it would
# override the variable of the same name in openssl-fips' Makefile, and both
# canisters would end up built in 64 (or 32) bits.
# NOTE(review): both stamp files share this one recipe, which make treats as
# two independent rules.  Under a parallel build the recursive install could
# therefore be started twice at the same time -- confirm that this is
# serialized elsewhere.
$(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
$(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed:
	( unset BITS; $(MAKE) -C $(COMPONENT_DIR)/../openssl-fips install; )

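# download, clean, and clobber should all propagate to the fips bits.
# "&&" rather than ";" after cd: if ../openssl-fips cannot be entered, the
# sub-make must not run at all.  Started from this directory it would re-enter
# this very rule and recurse.
download clobber clean::
	(cd ../openssl-fips && $(GMAKE) $@)
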
# Our engines are not shipped as patches: the files are under continuous
# development and patches would be harder to keep current.  They are linked
# into crypto/engine instead and built by the OpenSSL makefiles.  The FIPS
# specific headers and helper tools needed to build the FIPS version of
# OpenSSL are linked in from the FIPS module (openssl-fips-ecp-2.0.5) and
# from the openssl-fips build tree.
# NOTE(review): the steps are joined with ";", so only the exit status of the
# last $(LN) reaches make.  A failed link of fips.h, fipssyms.h, fips_rand.h
# or fipsld is not reported here; confirm the build cannot then pick up other
# copies of those files from the default include or tool paths.
COMPONENT_PRE_BUILD_ACTION = \
    ( $(LN) -fs $(COMPONENT_DIR)/engines/pkcs11/* $(@D)/crypto/engine; \
      $(MKDIR) $(@D)/bin; \
      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/fips.h \
          $(@D)/include/openssl; \
      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/fipssyms.h \
          $(@D)/include/openssl; \
      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/rand/fips_rand.h \
          $(@D)/include/openssl; \
      $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-2.0.5/fips/fipsld \
          $(@D)/bin/; \
      $(LN) -fs $(OPENSSL_FIPS_DIR)/build/$(MACH$(BITS))/fips/fips_standalone_sha1 \
          $(@D)/bin/; \
      $(LN) -fs $(COMPONENT_DIR)/build/$(MACH$(BITS))/fips_premain_dso \
          $(@D)/bin/;)

# OpenSSL does not install into <dir>/$(MACH64) for the 64-bit install, so
# that directory never gets created and the Userland install code would fail
# when it installs the lint libraries.  Create it up front.
COMPONENT_PRE_INSTALL_ACTION = \
    ( $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )

# Source preparation depends on the .installed stamps of both openssl-fips
# builds (32 and 64 bit), so the canisters exist before this component is
# configured or built.
$(SOURCE_DIR)/.prep: \
    $(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
    $(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed

# Build both bitnesses.
build:		$(BUILD_32_and_64)

# Install follows what the openssl/openssl-1.0.0 component does; see the
# comment in that component's Makefile for more information.
install:	$(INSTALL_32_and_64)

# The default lint flags are extended so that lint reads the patched
# opensslconf.h from the build directory.  Otherwise lint complains about
# md2.h, which is not enabled by default but is enabled in our opensslconf.h.
# ":=" snapshots the current LINT_FLAGS here; the target-specific assignments
# below set LINT_FLAGS from these variables, so a recursive "=" would make
# LINT_FLAGS refer to itself.
LFLAGS_32 := -I$(BUILD_DIR_32)/include $(LINT_FLAGS)
LFLAGS_64 := -I$(BUILD_DIR_64)/include $(LINT_FLAGS)

# Use the modified lint flags for our lint library targets only.
$(BUILD_DIR_32)/llib-lcrypto.ln $(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32)
$(BUILD_DIR_64)/llib-lcrypto.ln $(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64)

# The test target only depends on $(NO_TESTS), which is not defined in this
# file.
# NOTE(review): presumably no test suite is run for this component; confirm
# that the FIPS build is validated elsewhere.
test:		$(NO_TESTS)

BUILD_PKG_DEPENDENCIES =	$(BUILD_TOOLS)

include $(WS_TOP)/make-rules/depend.mk