#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
#

Build Layout
---

The OpenSSL build is run four times: once for the regular dynamic 1.0.1
non-FIPS libraries (currently 1.0.1e, see "OpenSSL Version" below), once for
the static 1.0.1 bits that are linked into the standalone wanboot binary, once
for the 0.9.8 FIPS-140 libraries, and once for the 0.9.8 FIPS-140 canister (in
the openssl-fips component) that is needed to build the 0.9.8 FIPS-140
certified libraries. All builds except the static wanboot libraries are done
for both 32 and 64 bits, so in total OpenSSL is built seven times (3 x 2 + 1).
OpenSSL for wanboot is only built on SPARC.

See also the comments in the Makefiles for more information.

OpenSSL Version
---

For the non-FIPS build we currently deliver OpenSSL 1.0.1e with some updates
from OpenSSL 1.0.2, so that the SPARC T4 crypto instructions are used inline in
the upstream OpenSSL code (see openssl-t4-inline.sparc-patch below). As of
April 2013, 1.0.2 is not yet released, and therefore we have decided to patch
the code.
The following files/code are copied in from 1.0.2:
added:
 components/openssl/openssl-1.0.1/inline-t4/md5-sparcv9.pl
 components/openssl/openssl-1.0.1/inline-t4/sparc_arch.h
 components/openssl/openssl-1.0.1/patches/openssl-t4-inline.sparc-patch
TPNO for OpenSSL 1.0.1e is 13003.

For the FIPS build we currently deliver OpenSSL 0.9.8y with OpenSSL FIPS
module 2.1.
TPNO for OpenSSL 0.9.8y is 13019.


The non-FIPS Build
---

The non-FIPS build is the main build of OpenSSL and includes the regular
binaries, libraries, man pages, and header files.

Patches
---

08-6193522.patch
Give CA.pl better defaults. See 6193522 for more information.

11-6546806.patch
Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
more information.

14-manpage_openssl.patch
Force openssl to install man pages into man[1357]openssl instead of man[1357].

15-pkcs11_engine-0.9.8a.patch
Patch which adds the pkcs11 engine. See also the pkcs11-engine/
sub-directory.

18-compiler_opts.patch
Adds five Solaris-specific configurations (both 32-bit and 64-bit for both
SPARC and x86, plus 64-bit SPARC for wanboot) to Configure, which are then
explicitly used by the Makefiles. The wanboot configuration is special in that
it doesn't link with libc and uses -xF=%all to put each function in its own
section, so that unused code can be discarded by the linker.

Care should be taken if modifying this patch, as changes to compile-time
options can change the ABI. One example of this is the use of RC4_INT vs
RC4_CHAR: RC4_INT is the element type of the public RC4_KEY structure in
rc4.h, so switching it changes the size and layout of every key schedule that
callers allocate.

20-remove_rpath.patch
Prevent built binaries from having an unnecessary runpath (/lib).

23-noexstack.patch
Build with non-executable stacks and non-executable data (x86).

27-6978791.patch
Modifies Makefile.shared so that libssl is built with -znodelete.

28-enginesdir.patch
Adds a new "enginesdir" option to the Configure script which allows a user to
specify the engines directory.

29-devcrypto_engine.patch
Modifies engines/Makefile so that the devcrypto engine will be built in the
"engines" directory.

30_wanboot.patch
Wanboot-specific patches, guarded by -DBOOT (see "The wanboot Build"):
- modified Makefiles not to build in the engines, apps, test and tools
  directories
- not using vfprintf for error printing in crypto/cryptlib.c
- not using ERR_load_DSO_strings() in crypto/err/err_all.c
- not using EVP_read_pw_string() in crypto/evp/evp_key.c
  - password reading is implemented in the (disabled) DES library
- avoiding select() in crypto/rand/rand_unix.c
- direct parsing of IP addresses to avoid sscanf() in crypto/x509v3/v3_utl.c
- using functions from libsock in e_os.h
- bypassing the SPARC version detection in crypto/sparcv9cap.c
  - results in not using the FPU for big-number multiplication
  - should be OK: the original detection seems broken, the FPU never gets used
- an implementation of atoi()

31_dtls_version.patch
Fix the DTLS_BAD_VER bug reported after OpenSSL 1.0.1e was released.

openssl-1.0.0d-t4-engine.sparc-patch
SPARC-only patch.
Add a built-in engine, t4, to support the SPARC T4 crypto instructions,
along with the files in directory engines/t4.

openssl-t4-inline.sparc-patch
SPARC-only patch.
Add support for inline T4 instructions in the upstream OpenSSL code until
OpenSSL 1.0.2 is released.

opensslconf.patch
Modifies opensslconf.h so that it is suitable for both 32-bit and 64-bit
installs. OpenSSL either builds for 32-bit or for 64-bit; it doesn't allow for
combined 32-bit and 64-bit builds, so the single delivered header has to
select the right definitions for whichever ABI is being compiled.

The FIPS Build
---

FIPS-140 certified libraries for Solaris private use. We are waiting for
OpenSSL 1.0.x to be FIPS-140 certified, at which time we can ship only 1.0.x
with S11 and make it a public interface.

Patches
---

All the patches from 1.0.x are used in 0.9.8 as well, aside from
14-manpage_openssl.patch, which is not needed since we do not deliver 0.9.8 man
pages. Additional patches:

01-7009105.patch
Fixes a bug introduced in 0.9.8q and fixed in 0.9.8r.

sparc-01-ccwrap.patch
Workaround so that fingerprinting the canister at runtime and comparing it
with the saved fingerprint (the FIPS module's integrity self-check) works
correctly.

The wanboot Build
----

There are some significant differences when building OpenSSL for wanboot.

Some additional configuration options are needed:
-DNO_CHMOD          chmod is not available in the stand-alone environment
-DBOOT              guard for the wanboot-specific patches
-DOPENSSL_NO_DTLS1  to avoid dtls1_min_mtu(); DTLS is not used anyway

List of object files for wanboot-openssl.o
----

At the moment, the object files for wanboot-openssl.o need to be listed
explicitly. This is cumbersome and relatively tedious when upgrading to a
higher version of OpenSSL.

In future, it would be nice if this could be performed automatically by the
linker. The required interface for wanboot is already defined in a mapfile and
the linker option '-zdiscard-unused=sections,files' is already used to discard
unused code.
But sadly, at the moment, when the linker is given all the object files it
correctly discards some unused files, but the undefined references made from
the discarded files don't get discarded along with them. Later, these
undefined references cause the wanboot link to fail.

In order to determine which OpenSSL object files are required for wanboot,
first build the static standalone OpenSSL bits in Userland. As a side effect,
the static libraries libssl.a and libcrypto.a are created in
build/sparcv9-wanboot.

 $ cd $USERLAND/components/openssl/openssl-1.0.0 ; gmake build

Next, collect some information from linking the wanboot static libraries in
ON. This can be done by the following hack (the -D option turns on the
link-editor's debugging output, which is written to ld.dbg):

 $ cd $ON/usr/src/psm/stand/boot/sparcv9/sun4
 $ touch wanboot.o
 $ LD_OPTIONS="-Dfiles,symbols,output=ld.dbg \
   -L$USERLAND/components/openssl/openssl-1.0.0/build/sparcv9-wanboot " \
   WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all

The following sort of information ends up in ld.dbg (note that the debugging
output from the link-editor is not considered a 'stable interface' and may
change in the future):

 debug: file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.0/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ]
 debug:
 debug: symbol table processing; file=/builds/tkuthan/ul-wanboot-rebuilt/components/openssl/openssl-1.0.0/build/sparcv9-wanboot/libcrypto.a(sparcv9cap.o) [ ET_REL ]
 debug: symbol[1]=sparcv9cap.c
 ....

Now run the following script in Userland:

 #!/bin/bash

 # set to workspace paths:
 USERLAND=/builds/tkuthan/ul-wanboot-rebuilt
 ON=/builds/tkuthan/on11u1-wanboot-rti

 BUILD=$USERLAND/components/openssl/openssl-1.0.0/build/sparcv9-wanboot
 LD_DBG=$ON/usr/src/psm/stand/boot/sparcv9/sun4/ld.dbg

 # Every archive member the link-editor actually pulled in shows up in
 # ld.dbg as "debug: file=.../libcrypto.a(member.o)". Keep the objects
 # in the build tree whose basename matches one of those members and
 # print them relative to $BUILD, which is how the Makefile lists them.
 for i in $(find "$BUILD/crypto" "$BUILD/ssl" -name '*.o')
 do
     f=$(basename "$i")
     if grep -q "^debug: file=.*($f)" "$LD_DBG"
     then
         echo "${i#$BUILD/}"
     fi
 done

to get the list of required object files.

Additionally, you can format the list for inclusion in the Makefile by piping
it through:
 sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'

Linking with wanboot
----

When linking with wanboot, please pay attention to the following pitfalls.

The correct OpenSSL header files need to be included. This is done in
$ON/usr/src/stand/lib/wanboot/Makefile.
Make sure CPPFLAGS points to the right directories.

EXTREME CAUTION needs to be employed if WANBOOT GREW IN SIZE because of the
changes!
Wanboot is a statically linked standalone binary and it is loaded at a fixed
address before execution. This address is defined in
$ON/usr/src/psm/stand/boot/sparc/common/mapfile:

 LOAD_SEGMENT text {
     FLAGS = READ EXECUTE;
     VADDR = 0x130000;
     ASSIGN_SECTION {
         TYPE = PROGBITS;
         FLAGS = ALLOC !WRITE;
     };
 };

This address (VADDR) NEEDS TO BE GREATER THAN
 size of wanboot binary + 0x4000

The reason for this is in how wanboot is loaded by the OpenBoot PROM (OBP):
1) the user initiates boot from the network - "boot net"
2) OBP loads the whole wanboot binary file at address 0x4000
3) OBP parses the ELF header and reads the virtual address to load wanboot to
4) OBP copies the .text section to this address
5) OBP copies the .data section behind .text
6) OBP starts executing wanboot at the entry address

If the given address is too small, the destination of the copy in step 4
overlaps the file image read in step 2, so OBP overwrites part of .data with
instructions from .text before .data has been copied in step 5, and .data
ends up corrupted. Initialized variables get bogus values and failure is
inevitable. This is very hard to troubleshoot, because nothing fails at link
time; the bad values only show up at boot.

A quick check after every relink: compare the size of the wanboot binary
(ls -l wanboot) with the lowest PT_LOAD p_vaddr shown by elfdump -p wanboot;
the address must exceed the file size by more than 0x4000.
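To make that check mechanical, here is an added example (editor's code, not
part of the Userland or ON build and not from this README): a Python script
that parses the ELF program headers of a boot image and applies the rule
above. It generalises slightly by checking every PT_LOAD segment rather than
only the text segment, and it handles ELF32/ELF64 in either byte order so it
also runs on non-SPARC hosts. The staging address 0x4000 is taken from the
description above; the sample images it builds are constructed inputs, not a
real wanboot.

```python
"""Load-address check for a standalone boot image such as wanboot.

OBP reads the whole file to a staging address, then copies the text segment to
its ELF p_vaddr and .data behind it.  If p_vaddr is below staging + file size,
the copy overwrites the not-yet-copied .data.  Rule applied here, as stated in
the README: every PT_LOAD p_vaddr must be greater than 0x4000 + size of file.
"""
import struct
import sys

OBP_STAGING_ADDR = 0x4000  # where OBP reads the whole wanboot file (step 2)
PT_LOAD = 1
EM_SPARCV9 = 43


def parse_load_segments(data):
    """Return [(p_vaddr, p_offset, p_filesz, p_memsz), ...] for the PT_LOAD
    program headers of an ELF32 or ELF64 image in either byte order
    (sparcv9 wanboot is ELF64 big-endian)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]
    if ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt = end + "IIQQQQQQ"  # type flags offset vaddr paddr filesz memsz align
    elif ei_class == 1:  # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt = end + "IIIIIIII"  # type offset vaddr paddr filesz memsz flags align
    else:
        raise ValueError("bad EI_CLASS")
    segs = []
    for i in range(e_phnum):
        f = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ei_class == 2:
            p_type, _, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = f
        else:
            p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, _, _ = f
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz, p_memsz))
    return segs


def check_load_address(data, staging=OBP_STAGING_ADDR):
    """Apply the README rule.  Returns (ok, lowest_vaddr, required_minimum):
    ok is True when the lowest PT_LOAD p_vaddr is greater than
    staging + len(data), i.e. the copy destination lies past the staged image."""
    segs = parse_load_segments(data)
    if not segs:
        raise ValueError("no PT_LOAD segment")
    lowest = min(vaddr for vaddr, _, _, _ in segs)
    required = staging + len(data)
    return lowest > required, lowest, required


def build_sample_elf64(vaddr, text, data, big_endian=True):
    """Construct a minimal ELF64 image (constructed sample, not a real
    wanboot): a read/execute PT_LOAD for `text` at `vaddr` followed by a
    read/write PT_LOAD for `data` right behind it, mirroring how OBP lays
    .data out behind .text.  The machine field is cosmetic; the byte-order
    switch only exists to exercise both parser paths."""
    end = ">" if big_endian else "<"
    ehdr_size, phdr_size, phnum = 64, 56, 2
    text_off = ehdr_size + phnum * phdr_size
    data_off = text_off + len(text)
    data_vaddr = vaddr + len(text)
    ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(end + "HHIQQQIHHHHHH",
                               2, EM_SPARCV9, 1, vaddr,      # ET_EXEC, machine, version, e_entry
                               ehdr_size, 0, 0,              # e_phoff, e_shoff, e_flags
                               ehdr_size, phdr_size, phnum,  # e_ehsize, e_phentsize, e_phnum
                               0, 0, 0)                      # no section headers
    ph_text = struct.pack(end + "IIQQQQQQ", PT_LOAD, 5, text_off, vaddr, vaddr,
                          len(text), len(text), 0x2000)
    ph_data = struct.pack(end + "IIQQQQQQ", PT_LOAD, 6, data_off, data_vaddr,
                          data_vaddr, len(data), len(data), 0x2000)
    return ehdr + ph_text + ph_data + text + data


def describe(name, image):
    """One-line verdict for an image, suitable for a build log."""
    ok, lowest, required = check_load_address(image)
    verdict = "OK" if ok else "TOO LOW: step 4 clobbers .data"
    return "%s: size=0x%x lowest p_vaddr=0x%x must exceed 0x%x -> %s" % (
        name, len(image), lowest, required, verdict)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # a real image, e.g. the freshly linked wanboot
        with open(sys.argv[1], "rb") as fh:
            print(describe(sys.argv[1], fh.read()))
    else:  # constructed samples: 128 KiB of text and 32 KiB of data
        text, data = bytes(0x20000), bytes(0x8000)
        print(describe("good", build_sample_elf64(0x130000, text, data)))  # mapfile VADDR
        print(describe("bad", build_sample_elf64(0x20000, text, data)))
```

Run it with the path of the linked wanboot as its only argument (the script
name is up to you); with no argument it checks the two constructed images,
one at the mapfile's 0x130000 and one deliberately too low.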
Testing wanboot with new OpenSSL
----

With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
works well with the new bits.

Provided you have a freshly built ON workspace, you can link wanboot with the
new OpenSSL bits by redefining the WAN_OPENSSL macro:

 # copy wanboot-openssl.o to the ON build machine
 cp wanboot-openssl.o /var/tmp/

 # prepare to rebuild wanboot
 cd $ON
 bldenv developer.sh
 cd usr/src/psm/stand/boot/sparcv9/sun4

 # hack to force a rebuild
 touch wanboot.o

 # link the new OpenSSL into wanboot
 WAN_OPENSSL=/var/tmp/wanboot-openssl.o dmake all

Wanboot should build without warnings.

If there is something like this in the output:

 Undefined                       first referenced
  symbol                             in file
 CRYPTO_ccm128_setiv                 /var/tmp/wanboot-openssl.o
 SSL_get_srtp_profiles               /var/tmp/wanboot-openssl.o
 ssl_parse_clienthello_use_srtp_ext  /var/tmp/wanboot-openssl.o
 CRYPTO_gcm128_setiv                 /var/tmp/wanboot-openssl.o
 ...
 cmac_pkey_meth                      /var/tmp/wanboot-openssl.o
 ld: fatal: symbol referencing errors. No output written to wanboot
 *** Error code 1
 dmake: Fatal error: Command failed for target `wanboot'

some additional work has to be done in OpenSSL: either satisfy the function
references listed in the linker error message (by adding the object files that
define them to the wanboot-openssl.o list), or remove the calls to these
functions under the -DBOOT guard, as 30_wanboot.patch does for the existing
cases. Either way, re-check the size of the resulting binary against the
mapfile VADDR as described in "Linking with wanboot".

Finally, the resulting wanboot binary shall be deployed on an install server
and wanbooting from this server shall be tested.