|
1 # |
|
2 # CDDL HEADER START |
|
3 # |
|
4 # The contents of this file are subject to the terms of the |
|
5 # Common Development and Distribution License (the "License"). |
|
6 # You may not use this file except in compliance with the License. |
|
7 # |
|
8 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
9 # or http://www.opensolaris.org/os/licensing. |
|
10 # See the License for the specific language governing permissions |
|
11 # and limitations under the License. |
|
12 # |
|
13 # When distributing Covered Code, include this CDDL HEADER in each |
|
14 # file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
15 # If applicable, add the following below this CDDL HEADER, with the |
|
16 # fields enclosed by brackets "[]" replaced with your own identifying |
|
17 # information: Portions Copyright [yyyy] [name of copyright owner] |
|
18 # |
|
19 # CDDL HEADER END |
|
20 # |
|
21 # Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. |
|
22 # |
|
23 |
|
24 # |
|
25 # This component is not to be installed. It is used from openssl-0.9.8-fips-140 |
|
26 # to build FIPS-140 certified OpenSSL libraries. |
|
27 # |
|
28 |
|
29 include $(WS_TOP)/make-rules/shared-macros.mk |
|
30 |
|
# Identity of the upstream source tarball.  COMPONENT_SRC and
# COMPONENT_ARCHIVE are derived from the name and version above them.
COMPONENT_NAME =	openssl-fips
COMPONENT_VERSION =	1.2
COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
# NOTE(review): the URL below is plain http, so the transport gives neither
# integrity nor authenticity.  What protects the download is this pinned
# digest (presumably enforced by the fetch rules pulled in from prep.mk --
# confirm) plus the HMAC comparison in the .verified rule.  The digest is
# SHA-1; a stronger digest has to be recomputed from a tarball obtained over
# a trusted path, it cannot be derived from this file.
COMPONENT_ARCHIVE_HASH=	sha1:f09c3040da6cdd8bdd8c9cf01af8f14f89ee84d1
COMPONENT_ARCHIVE_URL =	http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
|
37 |
|
38 include $(WS_TOP)/make-rules/prep.mk |
|
39 include $(WS_TOP)/make-rules/configure.mk |
|
40 |
|
# In order to build a 32bit version on a 64bit system the isalist(1) command
# must be substituted for the 32bit build so that amd64|sparcv9 is not part of
# its output. isalist is used internally when configuring the canister before
# building it. In order to allow make install to be run as a no-op we have to
# fake "make install" since we do not want to install the files anywhere. The
# command sets U1 and U2 are defined in the FIPS 1.2 security policy and must be
# run as shown there. Nothing from the tarball can be modified. We use the U2
# command set, see below.
#
# The three paths are relative to the component directory.  FAKE_APPS is
# listed as a prerequisite of $(BUILD_32_and_64) further down, so the
# stand-ins must exist before any build starts.  No rule in this file
# creates them; presumably they are checked in next to this Makefile --
# confirm.
FAKE_ISALIST =	32/isalist
FAKE_MAKE =	gmake
FAKE_CC =	cc
FAKE_APPS =	$(FAKE_ISALIST) $(FAKE_MAKE) $(FAKE_CC)
|
53 |
|
# Do not use $(PWD), it would not work if run from a different directory with
# "gmake -C" as we do from openssl-0.9.8-fips-140.
#
# One PATH per word size; CONFIGURE_ENV picks one via FIPS_PATH_$(BITS).
# The 32-bit variant puts $(COMPONENT_DIR)/32 in front of the inherited PATH
# so that the isalist stand-in in that directory is found first.  Any other
# executable placed in that directory would shadow the system command of the
# same name during the 32-bit configure, so the directory should hold the
# stand-in only.
FIPS_PATH_32 =	$(COMPONENT_DIR)/32:$(PATH)
FIPS_PATH_64 =	$(PATH)
|
58 |
|
# Key and expected digest for the HMAC-SHA1 comparison done in the
# $(BUILD_DIR)/%/.verified rule.  The key is committed here in clear text,
# so it is not a secret: the comparison is a pinned-digest check on the
# archive, not an authentication of who produced it.
# NOTE(review): both values look like the ones published for this tarball in
# the OpenSSL FIPS documentation -- confirm against that document.
OPENSSL_FIPS_HMAC_KEY =	etaonrishdlcupfm
OPENSSL_FIPS_HMAC =	79193087e8115df76d3de1f346f7410df79cf6e0
|
61 |
|
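# There is a broken link in the tarball which causes cp(1) to fail which would
# fail the whole configure process. It's safer to get rid of the link than
# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could
# hide real issues.
#
# The action runs in a subshell: change into the directory of the current
# target, delete the broken link from the unpacked source tree, then copy the
# whole source tree into that directory.  The subshell exits at once when cd
# fails, so the copy can never land in some other directory; otherwise the
# status of the final cp is the status of the whole action.
# NOTE(review): this deletes a file from the unpacked source tree; confirm
# that it is compatible with the "nothing from the tarball can be modified"
# constraint stated earlier in this file.
COMPONENT_PRE_CONFIGURE_ACTION = ( cd $(@D) || exit 1; \
    $(RM) $(SOURCE_DIR)/test/fips_aes_data; $(CP) -r $(SOURCE_DIR)/* .; )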
|
68 |
|
# There is a specific way that must be followed to build the FIPS-140 canister.
# It is "./config fipscanisterbuild; make; make install" and is called a command
# set "U2" in the OpenSSL FIPS-140 User Guide.
CONFIGURE_SCRIPT =		config
CONFIGURE_OPTIONS =		fipscanisterbuild
# Build arguments, build targets and install arguments are set to empty and
# the only install target is "install", which matches the bare "make" and
# "make install" of the command set quoted above.
COMPONENT_BUILD_ARGS =
COMPONENT_BUILD_TARGETS =
COMPONENT_INSTALL_ARGS =
COMPONENT_INSTALL_TARGETS =	install
# configure runs with the PATH variant selected by $(BITS), i.e. FIPS_PATH_32
# or FIPS_PATH_64 defined above.
CONFIGURE_ENV +=		FIPS_SITE_LD=$(LD) PATH=$(FIPS_PATH_$(BITS))
# NOTE(review): REALCC and MYMAKE are presumably read by the cc and gmake
# stand-ins listed in FAKE_APPS to reach the real tools -- confirm in those
# scripts.
COMPONENT_BUILD_ENV +=		FIPS_SITE_LD=$(LD) REALCC=$(CC) MYMAKE=$(MAKE)
|
80 |
|
# Every target in $(BUILD_32_and_64) depends on the stand-in tools.  The rule
# has no recipe; it only adds prerequisites to targets whose recipes are
# defined elsewhere (presumably in the included make-rules -- confirm).
$(BUILD_32_and_64):	$(FAKE_APPS)

# You should not use this target with this component unless testing or
# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set
# should be run. See above for more information.
build:		$(BUILD_32_and_64)
|
87 |
|
# We must make the "install" target a no-op (but must run it to be compliant).
# See above for more information.
#
# GMAKE is a target-specific variable here: it is overridden for "install"
# and, by make's rules, for the prerequisites built on behalf of "install".
# It points at the gmake stand-in in the component directory; presumably
# that stand-in is what turns "make install" into a no-op -- confirm in the
# script.
install:	GMAKE = $(COMPONENT_DIR)/gmake
# install is complete only when both word sizes have passed the check in
# the .verified rule.
install:	$(BUILD_DIR_32)/.verified $(BUILD_DIR_64)/.verified
|
92 |
|
# This is a recommended set of commands to verify that the FIPS-140 mode can be
# used and that we used the correct tarball.
#
# The freshly built apps/openssl is run with OPENSSL_FIPS=1 and with
# LD_LIBRARY_PATH pointing at its own build directory, and computes
# "sha1 -hmac" over $(COMPONENT_ARCHIVE) with OPENSSL_FIPS_HMAC_KEY.  The
# "$(ENV) -" prefix presumably runs it through env(1) with an otherwise empty
# environment -- confirm the definition of ENV.  awk then compares the second
# field of each output line with OPENSSL_FIPS_HMAC and exits 1 on a mismatch.
#
# Why "printf x": the status of the pipeline is the status of awk alone, and
# awk runs its check once per input line, so with no input at all it would
# exit 0.  The leading "x" guarantees one input record even when openssl
# prints nothing (crash, missing binary); the second field of that record is
# empty and the comparison fails.  When openssl does print its result, the
# "x" is only glued to the front of the first field.
#
# The stamp file is touched on a separate recipe line, so it is created only
# after the comparison has succeeded.
# NOTE(review): the digest is computed by the binary that was built from the
# archive being checked, so this is a self-check; the comparison that does
# not depend on the built code is the COMPONENT_ARCHIVE_HASH one.
$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
	(printf x; \
	    $(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=$(@D) \
	    $(@D)/apps/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
	    $(COMPONENT_ARCHIVE)) | \
	    $(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'
	@echo Basic FIPS-140 mode verification passed.
	$(TOUCH) $@
|
103 |
|
# "test" has no recipe in this file; it only depends on $(NO_TESTS), which is
# defined outside this file (presumably a marker meaning that the component
# has no test suite -- confirm).
test:		$(NO_TESTS)
|
105 |
|
106 include $(WS_TOP)/make-rules/depend.mk |