1N/A# The contents of this file are subject to the terms of the
1N/A# Common Development and Distribution License (the "License").
1N/A# You may not use this file except in compliance with the License.
1N/A# See the License for the specific language governing permissions
1N/A# and limitations under the License.
1N/A# When distributing Covered Code, include this CDDL HEADER in each
1N/A# If applicable, add the following below this CDDL HEADER, with the
1N/A# fields enclosed by brackets "[]" replaced with your own identifying
1N/A# information: Portions Copyright [yyyy] [name of copyright owner]
1N/A# Copyright (c) 2009, 2014, Oracle
and/or its affiliates. All rights reserved.
1N/AOpenSSL build is run four times. Once for regular dynamic 1.0.1 non-fips, once
1N/Afor static 1.0.1 bits to link with standalone wanboot binary, once for 1.0.1
1N/Afips-140, and once for 1.0.1 FIPS-140 canister (in the openssl-fips component)
1N/Aneeded to build 1.0.1 FIPS-140 certified libraries. All builds apart from
1N/Astatic libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL
1N/Ais built seven times. OpenSSL for wanboot is only build on sparc.
1N/ASee also comments in all the Makefiles for more information.
1N/AFor non-FIPS build, we currently deliver OpenSSL 1.0.1 with some updates
1N/Afrom OpenSSL 1.0.2 to make T4 instructions embedded in the OpenSSL
1N/Aupstream code. As of April 2013, 1.0.2 is not yet released, and therefore,
1N/Awe have decided to patch the code.
1N/AThe non-fips build is the main build of OpenSSL and includes the regular
1N/Abinaries, libraries, man pages, and header files.
1N/AGive
CA.pl better defaults. See 6193522 for more information.
1N/AMake sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
1N/AForce openssl to install man pages into man[1357]openssl instead of man[1357].
Adds five Solaris specific configurations (both 32bit and 64bit for both sparc
and x86, plus 64bit sparc for wanboot) to Configure which are then explicitly
used by the Makefiles. Wanboot configuration is special in that it doesn't link
with libc and uses -xF=%all to put functions in separate sections, so that
unused code can be discarded.
Care should be taken if modifying this patch as changes to compile-time options
can change the ABI. One example of this is the use of RC4_INT vs RC4_CHAR.
Prevent build binaries having an unnecessary runpath (/lib).
Build with non-executable stacks and non-executable data (x86).
Adds a new "enginesdir" option to the Configure script which allows a user to
specify the engines directory.
Wanboot specific patches.
- modified Makefiles not to build in engines apps test tools
- reading password is implemented in disabled DES library
- using functions from libsock in
e_os.h - results in not using FPU for big numbers multiplication
- should be ok - original detection seems broken, FPU gets never used
- implementation of atoi()
- avoid using ssl_fill_hello_random() in
s3_clnt.cAdd patch to support inline T4 instruction in OpenSSL upstream code until
OpenSSL 1.0.2 is released.
Modifies
opensslconf.h so that it is suitable for both 32bit and 64bit installs.
OpenSSL either builds for 32bit or 64bit - it doesn't allow for combined 32bit
SPARC patch. Solaris-only patch.
For instructions in
sparcv9cap.c, remove if not supported on any platforms.
Otherwise modify them to call getisax() to check for HW capability instead.
We are now shipping FIPS-140 certified OpenSSL 1.0.1 with S12 and S11.2.
The admin may choose to activate 'openssl-fips' implementation using 'pkg mediator'.
The change will come soon.
All the patches from 1.0.1 (non-fips) are used in 1.0.1(fips) as well aside from
pages. Once we make fips version public, we should deliver man page.
There are some significant differences when building OpenSSL for wanboot.
Some additional Configuration options are needed:
-DNO_CHMOD chmod not available in stand-alone environment
-DBOOT guard for wanboot specific patches
-DOPENSSL_NO_DTLS1 to avoid dtls1_min_mtu() - DTLS not used anyway
This is cumbersome and relatively tedious with respect to upgrading to higher
In future, it would be nice, if this could be performed automatically by the
linker. The required interface for wanboot is already defined in a mapfile and
linker option '-zdiscard-unused=sections,files' is already used to discard
But sadly, at this moment when the linker is given all the object files, it
correctly discards some unused files, but references to undefined symbols from
the discarded files don't get discarded along. Later, these undefined references
cause wanboot linking failure.
In order to determine which openssl object files are required for wanboot,
first build static standalone openssl bits in Userland. As a site effect,
Next, collect some information from linking wanboot static libraries in ON.
This can be done by the following hack.
$ LD_OPTIONS="-Dfiles,symbols,output=
ld.dbg \
WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all
The following sort of information ends up in
ld.dbg (note that the debugging
output from the link-editor is not considered a 'stable interface' and may
Now run the following script in Userland:
# set to workspace paths:
if grep -q "^debug: file.*\<$f\>" $LD_DBG
echo $i | sed "s#$BUILD/##"
to get the list of required object files.
Additionally, you can format the list for including to Makefile by:
sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
When linking with wanboot please pay attention to following pitfalls.
Correct openssl header files need to be included. This is done in
Make sure CPPFLAGS point to the right directories.
EXTREME CAUTION needs to be employed, if WANBOOT GREW IN SIZE because of the
Wanboot is a statically linked standalone binary and it is loaded on a fixed
address before execution. This address is defined in
This address (VADDR) NEEDS TO BE GREATER THEN
size of wanboot binary + 0x4000
The reason for this is in how wanboot is loaded by OpenBoot Prom:
1) user initiates boot from network - "boot net"
2) obp loads wanboot binary at address 0x4000
3) obp parses ELF header, reads virtual address where to load wanboot to
4) obp mem-copies .text section to this address
5) obp copies .data section behind .text
6) obp starts executing wanboot at entry address
If the given address is too small, obp overwrites part of .data with
instructions from .text in step 4. resulting in .data being corrupted.
Initialized variables get bogus values and failure is inevitable.
This is very hard to troubleshoot.
Testing wanboot with new openssl
With every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
works well with the new bits.
Provided you have a freshly built ON workspace, you can link wanboot with new
OpenSSL bits by redefining WAN_OPENSSL macro:
# prepare to rebuild wanboot
# hack to force a rebuild
# link new OpenSSL to wanboot
Wanboot should build without warning.
If there is something like this in the output:
Undefined first referenced
ld: fatal: symbol referencing errors. No output written to wanboot
dmake: Fatal error: Command failed for target `wanboot'
some additional work has to be done in OpenSSL to either satisfy the function
references listed in the linker error message, or to remove the calls to these
Finally, resulting wanboot binary shall be deployed on some install server and
wanbooting from this server shall be tested.