components/openssl/openssl-fips/Makefile
changeset 1596 59869c4257d0
parent 1587 314c74b881bc
child 1940 9b35341f1085
--- a/components/openssl/openssl-fips/Makefile	Thu Dec 12 18:48:34 2013 -0800
+++ b/components/openssl/openssl-fips/Makefile	Fri Dec 13 07:45:20 2013 -0800
@@ -18,22 +18,22 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
 #
 
 #
-# This component is not to be installed. It is used from openssl-0.9.8-fips-140
-# to build FIPS-140 certified OpenSSL libraries.
+# This component is not to be installed. It is used to build FIPS-140
+# certified OpenSSL libraries.
 #
 
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME =	openssl-fips
-COMPONENT_VERSION =	1.2
-COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
+COMPONENT_VERSION =	2.0.5
+COMPONENT_SRC =		$(COMPONENT_NAME)-ecp-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:645cc77775a3e2e50d766ae0e0631327ceec6ab7793fe582da51cb04c007a5e1
+    sha256:f1abdd0ca1a9467a3eba15564fc2b3447114d1d63020c33cd3210f2a43a5ff4d
 COMPONENT_ARCHIVE_URL =	http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/openssl
 
@@ -47,7 +47,7 @@
 # its output. isalist is used internally when configuring the canister before
 # building it. In order to allow make install to be run as a no-op we have to
 # fake "make install" since we do not want to install the files anywhere. The
-# command sets U1 and U2 are defined in the FIPS 1.2 security policy and must be
+# command sets U1 and U2 are defined in the FIPS 2.0.5 security policy and must be
 # run as shown there. Nothing from the tarball can be modified. We use the U2
 # command set, see below.
 FAKE_ISALIST = 32/isalist
@@ -58,14 +58,14 @@
 CLOBBER_PATHS += $(FAKE_APPS)
 
 # Do not use $(PWD), it would not work if run from a different directory with
-# "gmake -C" as we do from openssl-0.9.8-fips-140.
+# "gmake -C" as we do from openssl-1.0.1
 # we'll also pick up gcc if we find it in the path, so force it to
 # find one that doesn't work like it wants
 FIPS_PATH_32 = $(COMPONENT_DIR)/32:$(COMPONENT_DIR)/gcc:$(PATH)
 FIPS_PATH_64 = $(COMPONENT_DIR)/gcc:$(PATH)
 
 OPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
-OPENSSL_FIPS_HMAC = 79193087e8115df76d3de1f346f7410df79cf6e0
+OPENSSL_FIPS_HMAC = 148e4e127ffef1df80c0ed61bae35b07ec7b7b36
 
 # There is a broken link in the tarball which causes cp(1) to fail which would
 # fail the whole configure process. It's safer to get rid of the link than
@@ -77,8 +77,18 @@
 # There is a specific way that must be followed to build the FIPS-140 canister.
 # It is "./config fipscanisterbuild; make; make install" and is called a command
 # set "U2" in the OpenSSL FIPS-140 User Guide.
+ifeq ($(MACH), sparc)
+CONFIGURE_SCRIPT_32 = config
+# For 64-bit, use './Configure fipscanisterbuild solaris64-sparcv9-cc'.
+CONFIGURE_SCRIPT_64 = ./Configure
+CONFIGURE_OPTIONS.64 = solaris64-sparcv9-cc
+CONFIGURE_SCRIPT = $(CONFIGURE_SCRIPT_$(BITS))
+else
 CONFIGURE_SCRIPT = config
+endif
+
 CONFIGURE_OPTIONS = fipscanisterbuild
+CONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS.$(BITS))
 COMPONENT_BUILD_ARGS =
 COMPONENT_BUILD_TARGETS =
 COMPONENT_INSTALL_ARGS =
@@ -103,8 +113,8 @@
 # used and that we used the correct tarball.
 $(BUILD_DIR)/%/.verified:	$(BUILD_DIR)/%/.installed
 	(printf x; \
-	$(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=$(@D) \
-	$(@D)/apps/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
+	$(ENV) - LD_LIBRARY_PATH=$(@D) \
+	openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
 	    $(COMPONENT_ARCHIVE)) | \
 	    $(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'
 	@echo Basic FIPS-140 mode verification passed.