# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
The OpenSSL build is run four times: once for the regular dynamic 1.0.1
non-FIPS bits, once for the static 1.0.1 bits that are linked into the
standalone wanboot binary, once for 1.0.1 FIPS-140, and once for the 1.0.1
FIPS-140 canister (in the openssl-fips component) that is needed to build the
1.0.1 FIPS-140 certified libraries. All builds apart from the static libraries
for wanboot are done for both 32 and 64 bits, so in total OpenSSL is built
seven times. OpenSSL for wanboot is only built on SPARC.

See also the comments in all the Makefiles for more information.
For the non-FIPS build we currently deliver OpenSSL 1.0.1 with some updates
from OpenSSL 1.0.2, so that the SPARC T4 instruction support is embedded the
way it is in the upstream OpenSSL code. As of April 2013, 1.0.2 is not yet
released, and therefore we have decided to patch the code.

The non-FIPS build is the main build of OpenSSL and includes the regular
binaries, libraries, man pages, and header files.
Give CA.pl better defaults. See 6193522 for more information.

Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for

Force openssl to install man pages into man[1357]openssl instead of
man[1357].
Adds five Solaris-specific configurations (32-bit and 64-bit for both SPARC
and x86, plus 64-bit SPARC for wanboot) to Configure, which are then used
explicitly by the Makefiles. The wanboot configuration is special in that it
doesn't link with libc and uses -xF=%all to put functions in separate
sections, so that unused code can be discarded.

Care should be taken when modifying this patch, as changes to compile-time
options can change the ABI. One example of this is the use of RC4_INT vs
RC4_CHAR.

Prevent built binaries from having an unnecessary runpath (/lib).

Build with non-executable stacks and non-executable data (x86).

Adds a new "enginesdir" option to the Configure script which allows a user to
specify the engines directory.
Wanboot-specific patches:
- modified Makefiles not to build in engines, apps, test, tools
  - reading the password is implemented in the disabled DES library
  - results in the FPU not being used for big-number multiplication
  - should be OK: the original detection seems broken, the FPU never gets used
- implementation of atoi()
Add a patch to support inline T4 instructions in the OpenSSL upstream code until

OpenSSL builds either for 32-bit or for 64-bit; it doesn't allow for a combined 32-bit

SPARC patch. Solaris-only patch.

Otherwise modify them to call getisax() to check for HW capability instead.
We are now shipping FIPS-140 certified OpenSSL 1.0.1 with S12 and S11.2.
The admin may choose to activate the 'openssl-fips' implementation using
'pkg mediator'.

All the patches from 1.0.1 (non-FIPS) are used in 1.0.1 (FIPS) as well, aside from
pages. Once we make the FIPS version public, we should deliver the man pages.
There are some significant differences when building OpenSSL for wanboot.

Some additional Configure options are needed:
-DNO_CHMOD            chmod is not available in the stand-alone environment
-DBOOT                guard for wanboot-specific patches
-DOPENSSL_NO_DTLS1    to avoid dtls1_min_mtu(); DTLS is not used anyway
This is cumbersome and relatively tedious with respect to upgrading to higher

In future, it would be nice if this could be performed automatically by the
linker. The required interface for wanboot is already defined in a mapfile and
the linker option '-zdiscard-unused=sections,files' is already used to discard

But sadly, at the moment, when the linker is given all the object files it
correctly discards some unused files, but references to undefined symbols from
the discarded files don't get discarded along with them. Later, these undefined
references cause the wanboot link to fail.
In order to determine which OpenSSL object files are required for wanboot,
first build the static standalone OpenSSL bits in Userland. As a side effect,

Next, collect some information from linking the wanboot static libraries in
ON. This can be done by the following hack:

 WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all

The following sort of information ends up in ld.dbg (note that the debugging
output from the link-editor is not considered a 'stable interface' and may

Now run the following script in Userland:

 # set to workspace paths: BUILD (Userland OpenSSL build dir), LD_DBG (ON ld.dbg)
 for i in `find $BUILD -name '*.o'`; do f=`basename $i`
   if grep -q "^debug: file.*\<$f\>" $LD_DBG; then
     echo $i | sed "s#$BUILD/##"
   fi
 done

to get the list of required object files.

Additionally, you can format the list for inclusion in the Makefile by:

 sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
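The object-file filter and the Makefile formatting step above, reassembled
into a script that runs offline against a constructed build tree and a
constructed ld.dbg. This is an added example, not the script from this README
nor anything from ON or Userland: the temporary workspace, the four sample
object names and the shape of the "debug: file" lines are made up here, and
the real ld(1) -D output may look different, so check the pattern against a
real ld.dbg before relying on it.

```sh
#!/bin/sh
# Added example, not the README's script: the "which objects did the
# link-editor keep" filter plus the Makefile formatting step, run against
# a constructed build tree and a constructed ld.dbg.  The shape of the
# "debug: file" lines below is an assumption; ld(1) debug output is not a
# stable interface.

# Print every .o under build dir $1 (path relative to $1) whose basename is
# named on a "debug: file" line in the link-editor debug log $2.
required_objects() {
    build=$1
    ld_dbg=$2
    find "$build" -name '*.o' | while read -r i; do
        f=$(basename "$i")
        # Same grep as in the README: the object name must appear as a
        # whole word on a "debug: file" line.
        if grep -q "^debug: file.*\<$f\>" "$ld_dbg"; then
            echo "$i" | sed "s#$build/##"
        fi
    done
}

# Turn a list of paths on stdin into Makefile continuation lines:
# sorted, space-separated, wrapped at 74 columns, each line ending in "\".
format_for_makefile() {
    sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
}

# Build a throwaway tree with four objects and a constructed ld.dbg that
# mentions only three of them, then print those three (sorted).  All of it
# is made up; it stands in for the Userland build dir and the ON ld.dbg.
demo_required_objects() {
    tmp=$(mktemp -d) || return 1
    build=$tmp/build
    mkdir -p "$build/crypto/aes" "$build/crypto/bn" "$build/ssl"
    for o in crypto/aes/aes_cbc.o crypto/bn/bn_mul.o ssl/s3_lib.o ssl/d1_lib.o; do
        : > "$build/$o"
    done
    # Constructed link-editor log: d1_lib.o is never referenced, so the
    # filter must leave it out; the last line is not a "file" line at all.
    cat > "$tmp/ld.dbg" <<'EOF'
debug: file=libcrypto.a(aes_cbc.o)  [ ET_REL ]
debug: file=libcrypto.a(bn_mul.o)  [ ET_REL ]
debug: file=libssl.a(s3_lib.o)  [ ET_REL ]
debug: section=.text; discarded from file=libssl.a(s3_lib.o)
EOF
    required_objects "$build" "$tmp/ld.dbg" | sort
    rm -rf "$tmp"
}

# Stand-alone run: the three kept objects, formatted for a Makefile.
demo_required_objects | format_for_makefile
```

Pipe the real list through format_for_makefile the same way; the leading
space and trailing backslash are what the Makefile continuation lines need.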
When linking with wanboot, please pay attention to the following pitfalls.

The correct OpenSSL header files need to be included. This is done in
Make sure CPPFLAGS point to the right directories.

EXTREME CAUTION needs to be employed if WANBOOT GREW IN SIZE because of the

Wanboot is a statically linked standalone binary and it is loaded at a fixed
address before execution. This address is defined in

 FLAGS = READ EXECUTE;
 FLAGS = ALLOC !WRITE;

This address (VADDR) NEEDS TO BE GREATER THAN

 size of wanboot binary + 0x4000
The reason for this is in how wanboot is loaded by the OpenBoot PROM (OBP):
1) the user initiates a boot from the network: "boot net"
2) OBP loads the wanboot binary at address 0x4000
3) OBP parses the ELF header and reads the virtual address to load wanboot to
4) OBP mem-copies the .text section to this address
5) OBP copies the .data section behind .text
6) OBP starts executing wanboot at the entry address

If the given address is too small, OBP overwrites part of .data with
instructions from .text in step 4, resulting in .data being corrupted: the
.data bytes are still sitting in the staged image above 0x4000 when the .text
copy lands on them, so step 5 then copies garbage. Initialized variables get
bogus values and failure is inevitable. This is very hard to troubleshoot.
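A pre-flight check for the rule above, as an added example rather than
anything from ON or this README: it reads VADDR out of the mapfile, takes the
size of the wanboot binary and fails when VADDR is not greater than
size + 0x4000. The mapfile syntax it parses (mapfile version 2, "VADDR = 0x...;"
inside the text LOAD_SEGMENT), the 0x30000-byte stand-in binary and the demo
mapfiles are assumptions; using the whole file size rather than .text + .data
errs on the safe side.

```sh
#!/bin/sh
# Added example, not part of ON or of this README: check that the fixed
# load address of wanboot leaves room for the binary that OBP first stages
# at 0x4000.  Assumes a version 2 mapfile with "VADDR = 0x...;" in the
# text LOAD_SEGMENT.

OBP_STAGE_ADDR=16384   # 0x4000: where OBP loads the whole binary first

# Print the first VADDR value found in mapfile $1 (hex string, e.g. 0x40000).
mapfile_vaddr() {
    sed -n 's/.*VADDR[[:space:]]*=[[:space:]]*\(0[xX][0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if VADDR > size($1) + 0x4000, 1 if not (OBP's .text copy in
# step 4 would land on the not yet copied .data), 2 if no VADDR is found.
check_wanboot_vaddr() {
    bin=$1
    mapfile=$2
    size=$(wc -c < "$bin" | tr -d ' ')
    vaddr_hex=$(mapfile_vaddr "$mapfile")
    if [ -z "$vaddr_hex" ]; then
        echo "no VADDR in $mapfile" >&2
        return 2
    fi
    vaddr=$(( $vaddr_hex ))
    limit=$(( size + OBP_STAGE_ADDR ))
    if [ "$vaddr" -gt "$limit" ]; then
        printf 'OK: VADDR 0x%x > size 0x%x + 0x4000\n' "$vaddr" "$size"
        return 0
    fi
    printf 'FAIL: VADDR 0x%x <= size 0x%x + 0x4000 = 0x%x; .data would be clobbered\n' \
        "$vaddr" "$size" "$limit"
    return 1
}

# Constructed demo: a 0x30000-byte stand-in for wanboot and a mapfile whose
# text segment has VADDR = $1.  Returns check_wanboot_vaddr's status.
demo_check() {
    tmp=$(mktemp -d) || return 2
    dd if=/dev/zero of="$tmp/wanboot" bs=4096 count=48 2>/dev/null   # 48 * 4096 = 0x30000
    printf '$mapfile_version 2\nLOAD_SEGMENT text {\n\tVADDR = %s;\n\tFLAGS = READ EXECUTE;\n};\n' \
        "$1" > "$tmp/mapfile"
    check_wanboot_vaddr "$tmp/wanboot" "$tmp/mapfile"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: 0x30000 is below 0x30000 + 0x4000 and fails, 0x40000 is fine.
demo_check 0x30000
demo_check 0x40000
```

Run check_wanboot_vaddr against the freshly linked wanboot and the real
mapfile after every OpenSSL upgrade; a FAIL here is far cheaper to find than
the silently corrupted .data it predicts.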
Testing wanboot with new OpenSSL

With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
works well with the new bits.

Provided you have a freshly built ON workspace, you can link wanboot with the
new OpenSSL bits by redefining the WAN_OPENSSL macro:

 # prepare to rebuild wanboot
 # hack to force a rebuild
 # link new OpenSSL to wanboot

Wanboot should build without warnings.

If there is something like this in the output:

 Undefined                       first referenced
 ld: fatal: symbol referencing errors. No output written to wanboot
 dmake: Fatal error: Command failed for target `wanboot'

some additional work has to be done in OpenSSL to either satisfy the function
references listed in the linker error message, or to remove the calls to these

Finally, the resulting wanboot binary shall be deployed on an install server
and wanbooting from this server shall be tested.