Makefile revision 364
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsync#
9f30b2a88d1c4a96e076a38bdebb87029e91cde7vboxsync# CDDL HEADER START
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsync#
4684442a126edc2c340731e8fee74714f195bc77vboxsync# The contents of this file are subject to the terms of the
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsync# Common Development and Distribution License (the "License").
2bee0b79c44fdd60aa91125cee31467b4300234avboxsync# You may not use this file except in compliance with the License.
b918a7b5e159df188e876b8aef5f971222485c64vboxsync#
54259e443abcd8197f7c3158bb7f69457ca1d1davboxsync# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
b918a7b5e159df188e876b8aef5f971222485c64vboxsync# or http://www.opensolaris.org/os/licensing.
b918a7b5e159df188e876b8aef5f971222485c64vboxsync# See the License for the specific language governing permissions
2581ea3f1f32d09a6e2d443661ed4b01e40bfefavboxsync# and limitations under the License.
b918a7b5e159df188e876b8aef5f971222485c64vboxsync#
d0ce2837ba92386abdaaa79d6176853ccf959a2fvboxsync# When distributing Covered Code, include this CDDL HEADER in each
c7267e77a1f8b99136cc3dd57f7c381103edc4e5vboxsync# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsync# If applicable, add the following below this CDDL HEADER, with the
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsync# fields enclosed by brackets "[]" replaced with your own identifying
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync# information: Portions Copyright [yyyy] [name of copyright owner]
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync#
7e958a4329e4f9d83f597e26c72121969091e87bvboxsync# CDDL HEADER END
6b13ec38bf7e2771e85570c32ec64c3f9c9105a9vboxsync#
20c1fe9af8352873e4766f3136b25312c8595877vboxsync# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
0887a65d2e1f7d938381bed11e859caed56cb47evboxsync#
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync#
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync# This component is not to be installed. It is used from openssl-0.9.8-fips-140
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync# to build FIPS-140 certified OpenSSL libraries.
9d473abea9a9b6597b2b20bedc950ba33a2e73a5vboxsync#
c7267e77a1f8b99136cc3dd57f7c381103edc4e5vboxsync
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncinclude ../../../make-rules/shared-macros.mk
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsync
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncCOMPONENT_NAME = openssl-fips
104ee9b130538e40654d7732282799493cdd5e7dvboxsyncCOMPONENT_VERSION = 1.2
0887a65d2e1f7d938381bed11e859caed56cb47evboxsyncCOMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncCOMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncCOMPONENT_ARCHIVE_HASH= sha1:f09c3040da6cdd8bdd8c9cf01af8f14f89ee84d1
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncCOMPONENT_ARCHIVE_URL = http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsync
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncinclude $(WS_TOP)/make-rules/prep.mk
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsyncinclude $(WS_TOP)/make-rules/configure.mk
bbfc28b1a00ce00001b2ead074d47254bec3e5cfvboxsync
# In order to build a 32bit version on a 64bit system the isalist(1) command
# must be substituted for the 32bit build so that amd64|sparcv9 is not part of
# its output. isalist is used internally when configuring the canister before
# building it. In order to allow make install to be run as a no-op we have to
# fake "make install" since we do not want to install the files anywhere. The
# command sets U1 and U2 are defined in the FIPS 1.2 security policy and must be
# run as shown there. Nothing from the tarball can be modified. We use the U2
# command set, see below.
FAKE_ISALIST = 32/isalist
FAKE_MAKE = gmake
FAKE_CC = cc
FAKE_APPS = $(FAKE_ISALIST) $(FAKE_MAKE) $(FAKE_CC)
# Do not use $(PWD), it would not work if run from a different directory with
# "gmake -C" as we do from openssl-0.9.8-fips-140.
FIPS_PATH_32 = $(COMPONENT_DIR)/32:$(PATH)
FIPS_PATH_64 = $(PATH)
OPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
OPENSSL_FIPS_HMAC = 79193087e8115df76d3de1f346f7410df79cf6e0
# There is a broken link in the tarball which causes cp(1) to fail which would
# fail the whole configure process. It's safer to get rid of the link than
# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could
# hide real issues.
COMPONENT_PRE_CONFIGURE_ACTION = ( cd $(@D); \
$(RM) $(SOURCE_DIR)/test/fips_aes_data; $(CP) -r $(SOURCE_DIR)/* .; )
# There is a specific way that must be followed to build the FIPS-140 canister.
# It is "./config fipscanisterbuild; make; make install" and is called a command
# set "U2" in the OpenSSL FIPS-140 User Guide.
CONFIGURE_SCRIPT = config
CONFIGURE_OPTIONS = fipscanisterbuild
COMPONENT_BUILD_ARGS =
COMPONENT_BUILD_TARGETS =
COMPONENT_INSTALL_ARGS =
COMPONENT_INSTALL_TARGETS = install
CONFIGURE_ENV += FIPS_SITE_LD=$(LD) PATH=$(FIPS_PATH_$(BITS))
COMPONENT_BUILD_ENV += FIPS_SITE_LD=$(LD) REALCC=$(CC) MYMAKE=$(MAKE)
$(BUILD_32_and_64): $(FAKE_APPS)
# You should not use this target with this component unless testing or
# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set
# should be run. See above for more information.
build: $(BUILD_32_and_64)
# We must make the "install" target a no-op (but must run it to be compliant).
# See above for more information.
install: GMAKE = $(COMPONENT_DIR)/gmake
install: $(BUILD_DIR_32)/.verified $(BUILD_DIR_64)/.verified
# This is a recommended set of commands to verify that the FIPS-140 mode can be
# used and that we used the correct tarball.
$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
(printf x; \
$(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=$(@D) \
$(@D)/apps/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
$(COMPONENT_ARCHIVE)) | \
$(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'
@echo Basic FIPS-140 mode verification passed.
$(TOUCH) $@
test: $(NO_TESTS)
include $(WS_TOP)/make-rules/depend.mk