16 # fields enclosed by brackets "[]" replaced with your own identifying |
16 # fields enclosed by brackets "[]" replaced with your own identifying |
17 # information: Portions Copyright [yyyy] [name of copyright owner] |
17 # information: Portions Copyright [yyyy] [name of copyright owner] |
18 # |
18 # |
19 # CDDL HEADER END |
19 # CDDL HEADER END |
20 # |
20 # |
21 # Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. |
21 # Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. |
22 # |
22 # |
23 |
23 |
24 |
24 |
25 Build Layout |
25 Build Layout |
26 --- |
26 --- |
27 |
27 |
28 OpenSSL build is run four times. Once for regular dynamic 1.0.1 non-fips, once |
28 OpenSSL build is run four times. Once for regular dynamic non-fips, once |
29 for static 1.0.1 bits to link with standalone wanboot binary, once for 1.0.1 |
29 for static bits to link with standalone wanboot binary, once for fips-140, |
30 fips-140, and once for 1.0.1 FIPS-140 canister (in the openssl-fips component) |
30 and once for FIPS-140 canister (in the openssl-fips component) |
31 needed to build 1.0.1 FIPS-140 certified libraries. All builds apart from |
31 needed to build FIPS-140 certified libraries. All builds apart from |
32 static libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL |
32 static libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL |
33 is built seven times. OpenSSL for wanboot is only built on sparc. |
33 is built seven times. OpenSSL for wanboot is only built on sparc. |
34 |
34 |
35 See also comments in all the Makefiles for more information. |
35 See also comments in all the Makefiles for more information. |
36 |
36 |
37 OpenSSL Version |
37 OpenSSL Version |
38 --- |
38 -------------- |
39 |
|
40 For non-FIPS build, we currently deliver OpenSSL 1.0.1 with some updates |
|
41 from OpenSSL 1.0.2 to make T4 instructions embedded in the OpenSSL |
|
42 upstream code. As of April 2013, 1.0.2 is not yet released, and therefore, |
|
43 we have decided to patch the code. |
|
44 The following files/code are copied in from 1.0.2. |
|
45 added: |
|
46 components/openssl/openssl-1.0.1/inline-t4/aest4-sparcv9.pl |
|
47 components/openssl/openssl-1.0.1/inline-t4/dest4-sparcv9.pl |
|
48 components/openssl/openssl-1.0.1/inline-t4/md5-sparcv9.pl |
|
49 components/openssl/openssl-1.0.1/inline-t4/sparc_arch.h |
|
50 components/openssl/openssl-1.0.1/inline-t4/sparct4-mont.pl |
|
51 components/openssl/openssl-1.0.1/inline-t4/sparcv9_modes.pl |
|
52 components/openssl/openssl-1.0.1/inline-t4/sparcv9-gf2m.pl |
|
53 components/openssl/openssl-1.0.1/inline-t4/vis3-mont.pl |
|
54 components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch |
|
55 |
|
56 |
39 |
57 The non-fips Build. |
40 The non-fips Build. |
58 --- |
41 --- |
59 |
42 |
60 The non-fips build is the main build of OpenSSL and includes the regular |
43 The non-fips build is the 'default' build of OpenSSL and includes the regular |
61 binaries, libraries, man pages, and header files. |
44 binaries, libraries, man pages, and header files. |
62 |
45 |
63 Patches |
|
64 --- |
|
65 |
|
66 08-6193522.patch |
|
67 Give CA.pl better defaults. See 6193522 for more information. |
|
68 |
|
69 11-6546806.patch |
|
70 Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for |
|
71 more information. |
|
72 |
|
73 14-manpage_openssl.patch |
|
74 Force openssl to install man pages into man[1357]openssl instead of man[1357]. |
|
75 |
|
76 15-pkcs11_engine-0.9.8a.patch |
|
77 Patch which adds the pkcs11 engine. See also the engines/pkcs11 |
|
78 sub-directory. |
|
79 |
|
80 18-compiler_opts.patch |
|
81 Adds five Solaris specific configurations (both 32bit and 64bit for both sparc |
|
82 and x86, plus 64bit sparc for wanboot) to Configure which are then explicitly |
|
83 used by the Makefiles. Wanboot configuration is special in that it doesn't link |
|
84 with libc and uses -xF=%all to put functions in separate sections, so that |
|
85 unused code can be discarded. |
|
86 |
|
87 Care should be taken if modifying this patch as changes to compile-time options |
|
88 can change the ABI. One example of this is the use of RC4_INT vs RC4_CHAR. |
|
89 |
|
90 20-remove_rpath.patch |
|
91 Prevent build binaries having an unnecessary runpath (/lib). |
|
92 |
|
93 23-noexstack.patch |
|
94 Build with non-executable stacks and non-executable data (x86). |
|
95 |
|
96 27-6978791.patch |
|
97 Modifies Makefile.shared so that libssl is built with -znodelete. |
|
98 |
|
99 28-enginesdir.patch |
|
100 Adds a new "enginesdir" option to the Configure script which allows a user to |
|
101 specify the engines directory. |
|
102 |
|
103 30_wanboot.patch: |
|
104 Wanboot specific patches. |
|
105 - modified Makefiles not to build in engines apps test tools |
|
106 - not using vfprintf for error print in crypto/cryptlib.c |
|
107 - not using ERR_load_DSO_strings() in crypto/err/err_all.c |
|
108 - not using EVP_read_pw_string() in crypto/evp/evp_key.c |
|
109 - reading password is implemented in disabled DES library |
|
110 - avoid select() in crypto/rand/rand_unix.c |
|
111 - direct reading of IP to avoid sscanf() in crypto/x509v3/v3_utl.c |
|
112 - using functions from libsock in e_os.h |
|
113 - by-passing version of sparc detection in crypto/sparcv9cap.c |
|
114 - results in not using FPU for big numbers multiplication |
|
115 - should be ok - original detection seems broken, FPU gets never used |
|
116 - implementation of atoi() |
|
117 - avoid using ssl_fill_hello_random() in s3_clnt.c |
|
118 |
|
119 36_evp_leak.patch: |
|
120 Solaris-specific fix for mem leak caused by EVP_EncryptFinal_ex() |
|
121 and EVP_DecryptFinal_ex() not cleaning up properly. |
|
122 |
|
123 37_openssl_t4_inline.patch |
|
124 SPARC-only patch. |
|
125 Add patch to support inline T4 instruction in OpenSSL upstream code until |
|
126 OpenSSL 1.0.2 is released. |
|
127 |
|
128 38_remove_illegal_instruction_calls.patch |
|
129 SPARC patch. Solaris-only patch. |
|
130 Remove _sparcv9_random instruction from sparcv9cap.c. |
|
131 It is not supported on any sparc platforms. |
|
132 |
|
133 opensslconf.patch |
|
134 Modifies opensslconf.h so that it is suitable for both 32bit and 64bit installs. |
|
135 OpenSSL either builds for 32bit or 64bit - it doesn't allow for combined 32bit |
|
136 and 64bit builds. |
|
137 |
46 |
138 The fips Build |
47 The fips Build |
139 --- |
48 --- |
140 |
49 |
141 We are now shipping FIPS-140 certified OpenSSL 1.0.1 with S12 and S11.2. |
50 We are now shipping FIPS-140 certified OpenSSL with S11.2 and later. |
142 The admin may choose to activate 'openssl-fips' implementation using 'pkg mediator'. |
51 The admin may choose to activate 'openssl-fips' implementation using 'pkg mediator'. |
143 The change will come soon. |
|
144 |
|
145 |
|
146 Patches |
|
147 --- |
|
148 |
|
149 All the patches from 1.0.1 (non-fips) are used in 1.0.1(fips) as well aside from |
|
150 14-manpage_openssl.patch which is not needed since we do not deliver 1.0.1(fips) man |
|
151 pages. Once we make fips version public, we should deliver man page. |
|
152 (coming soon) |
|
153 |
52 |
154 The wanboot Build |
53 The wanboot Build |
155 ---- |
54 ---- |
156 |
55 |
157 There are some significant differences when building OpenSSL for wanboot. |
56 There are some significant differences when building OpenSSL for wanboot. |
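Review bot: the "OpenSSL Version" heading (new lines 37-38) is left standing with no body once old lines 39-56 are dropped, so the new README never states which OpenSSL version is delivered; either remove the heading or keep a one-line statement of the delivered version. Dropping the whole per-patch list (old lines 63-136) also loses the only record of why several security-relevant build changes exist, in particular the ABI warning in 18-compiler_opts.patch ("changes to compile-time options can change the ABI ... RC4_INT vs RC4_CHAR"), the non-executable stack/data rationale of 23-noexstack.patch and the -znodelete reason for 27-6978791.patch; since the new text only documents filename prefixes, consider carrying those descriptions over into the patch sections added at the end of the file. Minor: new line 40 keeps the stray trailing period in "The non-fips Build." while the other headings have none.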
179 |
78 |
180 In order to determine which openssl object files are required for wanboot, |
79 In order to determine which openssl object files are required for wanboot, |
181 first build static standalone openssl bits in Userland. As a site effect, |
80 first build static standalone openssl bits in Userland. As a site effect, |
182 static libraries libssl.a and libcrypto.a are created in build/sparcv9-wanboot. |
81 static libraries libssl.a and libcrypto.a are created in build/sparcv9-wanboot. |
183 |
82 |
184 $ cd $USERLAND/components/openssl/openssl-1.0.1 ; gmake build |
83 $ cd $USERLAND/components/openssl/openssl-default ; gmake build |
185 |
84 |
186 Next, collect some information from linking wanboot static libraries in ON. |
85 Next, collect some information from linking wanboot static libraries in ON. |
187 This can be done by the following hack. |
86 This can be done by the following hack. |
188 |
87 |
189 $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4 |
88 $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4 |
190 $ touch wanboot.o |
89 $ touch wanboot.o |
191 $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \ |
90 $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \ |
192 -L$USERLAND/components/openssl/openssl-1.0.1/build/sparcv9-wanboot " \ |
91 -L$USERLAND/components/openssl/openssl-default/build/sparcv9-wanboot " \ |
193 WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all |
92 WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all |
194 |
93 |
195 The following sort of information ends up in ld.dbg (note that the debugging |
94 The following sort of information ends up in ld.dbg (note that the debugging |
196 output from the link-editor is not considered a 'stable interface' and may |
95 output from the link-editor is not considered a 'stable interface' and may |
197 change in the future): |
96 change in the future): |
198 |
97 |
199 debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.1/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
98 debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-default/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
200 debug: |
99 debug: |
201 debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.1/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
100 debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-default/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ] |
202 debug: symbol[1]=sparcv9cap.c |
101 debug: symbol[1]=sparcv9cap.c |
203 .... |
102 .... |
204 |
103 |
205 Now run the following script in Userland: |
104 Now run the following script in Userland: |
206 |
105 |
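Review bot: unchanged context at new line 80 still reads "As a site effect"; it should be "side effect", and this hunk already touches the neighbouring lines to rename openssl-1.0.1 to openssl-default, so it is a cheap fix here. The sample ld.dbg output on new lines 98-100 still embeds a personal workspace path (/builds/tkuthan/ul-wanboot-rebuilt/...); a neutral placeholder such as $USERLAND/... would match the paths used in the commands above it.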
270 |
169 |
271 Testing wanboot with new openssl |
170 Testing wanboot with new openssl |
272 ---- |
171 ---- |
273 |
172 |
274 With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and |
173 With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and |
275 works well with the new bits. |
174 works well with the new bits (post lullaby). |
276 |
175 |
277 Provided you have a freshly built ON workspace, you can link wanboot with new |
176 Provided you have a freshly built ON workspace, you can link wanboot with new |
278 OpenSSL bits by redefining WAN_OPENSSL macro: |
177 OpenSSL bits as follows: |
279 |
178 |
280 # copy wanboot-openssl.o to ON build machine |
179 # copy wanboot-openssl.o to ON build machine |
281 cp wanboot-openssl.o /var/tmp/ |
180 cp wanboot-openssl.o /var/tmp/ |
282 |
181 |
283 # prepare to rebuild wanboot |
182 # prepare to rebuild wanboot |
284 cd $ON |
183 cd $ON |
285 bldenv developer.sh |
|
286 cd usr/src/psm/stand/boot/sparcv9/sun4 |
184 cd usr/src/psm/stand/boot/sparcv9/sun4 |
287 |
185 |
288 # hack to force a rebuild |
186 # hack to force a rebuild |
289 touch wanboot.o |
187 touch wanboot.o |
290 |
188 |
291 # link new OpenSSL to wanboot |
189 # link new OpenSSL to wanboot # modify Makefile and assign the WAN_OPENSSL macro to your binary |
292 WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all |
190 WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all |
293 |
191 |
294 Wanboot should build without warning. |
192 Wanboot should build without warning. |
295 |
193 |
296 If there is something like this in the output: |
194 If there is something like this in the output: |
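Review bot: removing "bldenv developer.sh" (old line 285) leaves the procedure running dmake outside the ON build environment with nothing said about how the environment is now set up, and the new comment on line 189 ("modify Makefile and assign the WAN_OPENSSL macro to your binary") contradicts the very next line, which still overrides WAN_OPENSSL on the dmake command line; keep one mechanism and describe it, e.g. keep "WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all" and drop the Makefile remark, or document the Makefile edit and drop the environment override. The parenthetical "(post lullaby)" on new line 174 is internal jargon that a reader of this README cannot resolve; spell out what it refers to or remove it.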
311 references listed in the linker error message, or to remove the calls to these |
209 references listed in the linker error message, or to remove the calls to these |
312 functions. |
210 functions. |
313 |
211 |
314 Finally, resulting wanboot binary shall be deployed on some install server and |
212 Finally, resulting wanboot binary shall be deployed on some install server and |
315 wanbooting from this server shall be tested. |
213 wanbooting from this server shall be tested. |
|
214 |
|
215 =============== |
|
216 Common Patches |
|
217 =============== |
|
218 |
|
219 Common patch files are located in the components/openssl/common/patches dir, |
|
220 and they are copied to both FIPS and non-FIPS 'patches' dir as soon as the |
|
221 Makefile is parsed. The Common patch filename has prefix '0', |
|
222 |
|
223 ========================= |
|
224 Non-FIPS specific Patches |
|
225 ========================= |
|
226 |
|
227 Non-FIPS specific patch files are located in the |
|
228 components/openssl/openssl-default/patches dir. |
|
229 The Non-FIPS specific patch filename has prefix '1', |
|
230 |
|
231 ========================= |
|
232 FIPS specific Patches |
|
233 ========================= |
|
234 |
|
235 FIPS specific patch files are located in the |
|
236 components/openssl/openssl-fips-140/patches dir. |
|
237 The FIPS specific patch filename has prefix '2', |
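Review bot: each of the three new patch sections ends in a sentence fragment with a trailing comma ("The Common patch filename has prefix '0',", and likewise for '1' and '2'); finish the sentence, e.g. state that patches are applied in filename order so common patches always precede component-specific ones, if that is the intent. The FIPS directory is named components/openssl/openssl-fips-140/patches here, while the Build Layout section above calls it "the openssl-fips component" and the mediator section calls it 'openssl-fips'; use one name consistently or say which is the package and which the directory. Copying common patches into both patches dirs "as soon as the Makefile is parsed" is a side effect of running any make target, including clean or listing targets; worth a sentence on whether those copies are tracked or ignored by the SCM, since a stale copy would silently diverge from components/openssl/common/patches.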