363N/A# The contents of this file are subject to the terms of the 363N/A# Common Development and Distribution License (the "License"). 363N/A# You may not use this file except in compliance with the License. 363N/A# See the License for the specific language governing permissions 363N/A# and limitations under the License. 363N/A# When distributing Covered Code, include this CDDL HEADER in each 363N/A# If applicable, add the following below this CDDL HEADER, with the 363N/A# fields enclosed by brackets "[]" replaced with your own identifying 363N/A# information: Portions Copyright [yyyy] [name of copyright owner] 7161N/A# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. 2369N/A# This component is not to be installed. It is used to build FIPS-140 2369N/A# certified OpenSSL libraries. 363N/A# In order to build a 32bit version on a 64bit system the isalist(1) command 363N/A# must be substituted for the 32bit build so that amd64|sparcv9 is not part of 363N/A# its output. isalist is used internally when configuring the canister before 363N/A# building it. In order to allow make install to be run as a no-op we have to 363N/A# fake "make install" since we do not want to install the files anywhere. The 2369N/A# command sets U1 and U2 are defined in the FIPS 2.0.5 security policy and must be 363N/A# run as shown there. Nothing from the tarball can be modified. We use the U2 363N/A# command set, see below. 363N/A# Do not use $(PWD), it would not work if run from a different directory with 7161N/A# "gmake -C" as we do from openssl-default 791N/A# we'll also pick up gcc if we find it in the path, so force it to 791N/A# find one that doesn't work like it wants 3091N/A# HMAC-SHA-1 digest of the OpenSSL FIPS tar file is used for the 3091N/A# integrity test requirement for the FIPS-140 validation. 3091N/A# Note: COMPONENT_ARCHIVE_HASH is a SHA256 digest used by the Userland 3091N/A# Consolidation to check the file integrity. 363N/A# There is a broken link in the tarball which causes cp(1) to fail which would 363N/A# fail the whole configure process. It's safer to get rid of the link than 363N/A# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could 363N/A# There is a specific way that must be followed to build the FIPS-140 canister. 363N/A# It is "./config fipscanisterbuild; make; make install" and is called a command 363N/A# set "U2" in the OpenSSL FIPS-140 User Guide. 2369N/A# For 64-bit, use './Configure fipscanisterbuild solaris64-sparcv9-cc'. 7161N/A# Ignore default CC_FOR_BUILD, CC, and CXX in CONFIGURE_ENV. 695N/A# Add COMPONENT_DIR to PATH so cc wrapper can be found. 363N/A# You should not use this target with this component unless testing or 363N/A# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set 363N/A# should be run. See above for more information. 363N/A# We must make the "install" target a no-op (but must run it to be compliant). 363N/A# See above for more information. 363N/A# This is a recommended set of commands to verify that the FIPS-140 mode can be 363N/A# used and that we used the correct tarball. 363N/A $(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'