1 #

     2 # CDDL HEADER START

     3 #

     4 # The contents of this file are subject to the terms of the

     5 # Common Development and Distribution License (the "License").

     6 # You may not use this file except in compliance with the License.

     7 #

     8 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

     9 # or http://www.opensolaris.org/os/licensing.

    10 # See the License for the specific language governing permissions

    11 # and limitations under the License.

    12 #

    13 # When distributing Covered Code, include this CDDL HEADER in each

    14 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.

    15 # If applicable, add the following below this CDDL HEADER, with the

    16 # fields enclosed by brackets "[]" replaced with your own identifying

    17 # information: Portions Copyright [yyyy] [name of copyright owner]

    18 #

    19 # CDDL HEADER END

    20 #

    21 # Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.

    22 #

    23 export PARFAIT_BUILD=no

    24 

    25 include ../../../make-rules/shared-macros.mk

    26 

    27 PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin

    28 

    29 COMPONENT_NAME =	openssl-fips-140

    30 # Note that this is the OpenSSL version that is used to build FIPS-140 certified

    31 # libraries. However, we use the FIPS canister version for the IPS package.

    32 COMPONENT_VERSION =	0.9.8y

    33 IPS_COMPONENT_VERSION = 1.2

    34 COMPONENT_PROJECT_URL=	http://www.openssl.org/

    35 COMPONENT_SRC_NAME =	openssl

    36 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)

    37 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz

    38 COMPONENT_ARCHIVE_HASH=	\

    39     sha256:bbecf13495e612936e3a9860c29c0701413564b7a964bf771a3575eaa867cee3

    40 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)

    41 COMPONENT_BUGDB=	utility/openssl

    42 

    43 # Apply the patch on SPARC only. Must put this before including prep.mk as

    44 # mentioned in there.

    45 PATCH_sparc = patches/sparc-01-ccwrap.patch

    46 EXTRA_PATCHES = $(PATCH_$(MACH))

    47 # Note that the SPARC patch above does not fit this pattern. That is intentional

    48 # and a reason why we can add it to the EXTRA_PATCHES variable so that we use it

    49 # only on SPARC.

    50 PATCH_PATTERN = [0-9][0-9]*.patch

    51 

    52 include $(WS_TOP)/make-rules/prep.mk

    53 include $(WS_TOP)/make-rules/configure.mk

    54 include $(WS_TOP)/make-rules/ips.mk

    55 include $(WS_TOP)/make-rules/lint-libraries.mk

    56 

    57 # OpenSSL does not use autoconf but its own configure system.

    58 CONFIGURE_SCRIPT = $(SOURCE_DIR)/Configure

    59 

    60 # Used in the configure options below.

    61 PKCS11_LIB32 = /usr/lib/libpkcs11.so.1

    62 PKCS11_LIB64 = /usr/lib/64/libpkcs11.so.1

    63 ENGINESDIR_32 = /lib/openssl/engines

    64 ENGINESDIR_64 = /lib/openssl/engines/64

    65 

    66 # Built openssl/openssl-fips component is used when building FIPS-140 libraries.

    67 # What we do here follows the OpenSSL FIPS-140 User Guide instructions.

    68 FIPS_BUILD_DIR_32 = $(shell echo $(BUILD_DIR_32) | \

    69     sed -e 's/openssl-0.9.8-fips-140/openssl-fips/g' )

    70 FIPS_BUILD_DIR_64 = $(shell echo $(BUILD_DIR_64) | \

    71     sed -e 's/openssl-0.9.8-fips-140/openssl-fips/g' )

    72 

    73 CONFIGURE_OPTIONS =  -DSOLARIS_OPENSSL -DNO_WINDOWS_BRAINDEATH

    74 CONFIGURE_OPTIONS += --openssldir=/etc/openssl

    75 CONFIGURE_OPTIONS += --prefix=/usr

    76 # We use OpenSSL install code for installing only manual pages and we do that

    77 # for 32-bit version only.

    78 CONFIGURE_OPTIONS += --install_prefix=$(PROTO_DIR)

    79 CONFIGURE_OPTIONS += no-ec

    80 CONFIGURE_OPTIONS += no-ecdh

    81 CONFIGURE_OPTIONS += no-ecdsa

    82 CONFIGURE_OPTIONS += no-rc3

    83 CONFIGURE_OPTIONS += no-rc5

    84 CONFIGURE_OPTIONS += no-mdc2

    85 CONFIGURE_OPTIONS += no-idea

    86 CONFIGURE_OPTIONS += no-hw_4758_cca

    87 CONFIGURE_OPTIONS += no-hw_aep

    88 CONFIGURE_OPTIONS += no-hw_atalla

    89 CONFIGURE_OPTIONS += no-hw_chil

    90 CONFIGURE_OPTIONS += no-hw_gmp

    91 CONFIGURE_OPTIONS += no-hw_ncipher

    92 CONFIGURE_OPTIONS += no-hw_nuron

    93 CONFIGURE_OPTIONS += no-hw_padlock

    94 CONFIGURE_OPTIONS += no-hw_sureware

    95 CONFIGURE_OPTIONS += no-hw_ubsec

    96 CONFIGURE_OPTIONS += no-hw_cswift

    97 CONFIGURE_OPTIONS += threads

    98 CONFIGURE_OPTIONS += shared

    99 CONFIGURE_OPTIONS += fips --with-fipslibdir="$(FIPS_BUILD_DIR_$(BITS))/fips"

   100 

   101 # We define our own compiler and linker option sets for Solaris. See Configure

   102 # for more information.

   103 CONFIGURE_OPTIONS32_i386 =	solaris-x86-cc-sunw

   104 CONFIGURE_OPTIONS32_sparc =	solaris-sparcv8-cc-sunw

   105 CONFIGURE_OPTIONS64_i386 =	solaris64-x86_64-cc-sunw

   106 CONFIGURE_OPTIONS64_sparc =	solaris64-sparcv9-cc-sunw

   107 

   108 # Some additional options needed for our engines.

   109 CONFIGURE_OPTIONS += --pk11-libname=$(PKCS11_LIB$(BITS))

   110 CONFIGURE_OPTIONS += --enginesdir=$(ENGINESDIR_$(BITS))

   111 CONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS$(BITS)_$(MACH))

   112 

   113 # OpenSSL has its own configure system which must be run from the fully

   114 # populated source code directory. However, the Userland configuration phase is

   115 # run from the build directory. The easiest way to workaround it is to copy all

   116 # the source files there.

   117 COMPONENT_PRE_CONFIGURE_ACTION = \

   118     ( $(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )

   119 

   120 # We deliver only one opensslconf.h file which must be suitable for both 32 and

   121 # 64 bits. Depending on the configuration option, OpenSSL's Configure script

   122 # creates opensslconf.h for either 32 or 64 bits. A patch makes the resulting

   123 # header file usable on both architectures. The patch was generated against the

   124 # opensslconf.h version from the 32 bit build.

   125 COMPONENT_POST_CONFIGURE_ACTION = \

   126     ( [ $(BITS) -eq 32 ] && $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \

   127       patches-post-config/opensslconf.patch; cd $(@D); $(MAKE) depend; )

   128 

   129 # We must make sure that openssl-fips component is built before this 0.9.8

   130 # component since in order to build FIPS-140 certified libraries, the canister

   131 # is needed. Note that we must unset BITS that would override the same variable

   132 # used in openssl-fips' Makefile, and we would end up up with both canisters

   133 # built in 64 (or 32) bits.

   134 $(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \

   135 $(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed:

   136 	( unset BITS; \

   137 	$(MAKE) -C $(COMPONENT_DIR)/../openssl-fips install; )

   138 

   139 # download, clean, and clobber should all propogate to the fips bits

   140 download clobber clean::

   141 	(cd ../openssl-fips ; $(GMAKE) $@)

   142 

   143 # We do not ship our engines as patches since it would be more difficult to

   144 # update the files which have been under continuous development. We rather copy

   145 # the files to the right directories and let OpenSSL makefiles build it.

   146 COMPONENT_PRE_BUILD_ACTION = \

   147     ( $(LN) -fs $(COMPONENT_DIR)/engines/pkcs11/*     $(@D)/engines; ) 

   148 

   149 # OpenSSL does not install into <dir>/$(MACH64) for 64-bit install so no such

   150 # directory is created and Userland install code would fail when installing lint

   151 # libraries.

   152 COMPONENT_PRE_INSTALL_ACTION = ( $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )

   153 

   154 # For ccwrap on SPARC. This is to workaround a problem with the cc compiler on

   155 # SPARC. We must modify PATH so that the wrapper can be found when run from

   156 # fips/fipsld.

   157 COMPONENT_BUILD_ENV += PATH=$(COMPONENT_DIR):$(PATH)

   158 COMPONENT_INSTALL_ENV += PATH=$(COMPONENT_DIR):$(PATH)

   159 

   160 $(SOURCE_DIR)/.prep: $(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \

   161 		     $(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed

   162 

   163 # We need ccwrap for building the libraries.

   164 $(BUILD_32_and_64):	ccwrap

   165 build:			$(BUILD_32_and_64)

   166 

   167 CLOBBER_PATHS += ccwrap

   168 

   169 # We follow what we do for install in openssl/openssl-1.0.0 component. Please

   170 # see the comment in Makefile in there for more information.

   171 install:	$(INSTALL_32_and_64)

   172 

   173 # We need to modify the default lint flags to include patched opensslconf.h from

   174 # the build directory. If we do not do that, lint will complain about md2.h

   175 # which is not enabled by default but it is in our opensslconf.h.

   176 LFLAGS_32 := -I$(BUILD_DIR_32)/include $(LINT_FLAGS)

   177 LFLAGS_64 := -I$(BUILD_DIR_64)/include $(LINT_FLAGS)

   178 

   179 # Set modified lint flags for our lint library targets.

   180 $(BUILD_DIR_32)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_32)

   181 $(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32)

   182 $(BUILD_DIR_64)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_64)

   183 $(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64)

   184 

   185 test:		$(NO_TESTS)

   186 

   187 BUILD_PKG_DEPENDENCIES =	$(BUILD_TOOLS)

   188 

   189 include $(WS_TOP)/make-rules/depend.mk