363N/A# The contents of this file are subject to the terms of the
363N/A# Common Development and Distribution License (the "License").
363N/A# You may not use this file except in compliance with the License.
363N/A# See the License for the specific language governing permissions
363N/A# and limitations under the License.
363N/A# When distributing Covered Code, include this CDDL HEADER in each
363N/A# If applicable, add the following below this CDDL HEADER, with the
363N/A# fields enclosed by brackets "[]" replaced with your own identifying
363N/A# information: Portions Copyright [yyyy] [name of copyright owner]
4368N/A# Copyright (c) 2009, 2015, Oracle
and/or its affiliates. All rights reserved.
2221N/AOpenSSL build is run four times. Once for regular dynamic 1.0.1 non-fips, once
2221N/Afor static 1.0.1 bits to link with standalone wanboot binary, once for 1.0.1
2221N/Afips-140, and once for 1.0.1 FIPS-140 canister (in the openssl-fips component)
2221N/Aneeded to build 1.0.1 FIPS-140 certified libraries. All builds apart from
777N/Astatic libraries for wanboot are done for 32 and 64 bits. So, in total, OpenSSL
3387N/Ais built seven times. OpenSSL for wanboot is only built on sparc.
797N/ASee also comments in all the Makefiles for more information.
2377N/AFor non-FIPS build, we currently deliver OpenSSL 1.0.1 with some updates
1610N/Afrom OpenSSL 1.0.2 to make T4 instructions embedded in the OpenSSL
1610N/Aupstream code. As of April 2013, 1.0.2 is not yet released, and therefore,
1610N/Awe have decided to patch the code.
4368N/AThe non-fips build is the 'default' build of OpenSSL and includes the regular
363N/Abinaries, libraries, man pages, and header files.
2377N/AWe are now shipping FIPS-140 certified OpenSSL 1.0.1 with S12 and S11.2.
2377N/AThe admin may choose to activate 'openssl-fips' implementation using 'pkg mediator'.
797N/AThere are some significant differences when building OpenSSL for wanboot.
797N/ASome additional Configuration options are needed:
797N/A-DNO_CHMOD chmod not available in stand-alone environment
797N/A-DBOOT guard for wanboot specific patches
797N/A-DOPENSSL_NO_DTLS1 to avoid dtls1_min_mtu() - DTLS not used anyway
797N/AThis is cumbersome and relatively tedious with respect to upgrading to higher
797N/AIn future, it would be nice, if this could be performed automatically by the
797N/Alinker. The required interface for wanboot is already defined in a mapfile and
797N/Alinker option '-zdiscard-unused=sections,files' is already used to discard
797N/ABut sadly, at this moment when the linker is given all the object files, it
797N/Acorrectly discards some unused files, but references to undefined symbols from
797N/Athe discarded files don't get discarded along. Later, these undefined references
797N/Acause wanboot linking failure.
797N/AIn order to determine which openssl object files are required for wanboot,
797N/Afirst build static standalone openssl bits in Userland. As a site effect,
797N/ANext, collect some information from linking wanboot static libraries in ON.
797N/AThis can be done by the following hack.
797N/A WAN_OPENSSL=" -lwanboot -lssl -lcrypto" dmake all
797N/AThe following sort of information ends up in
ld.dbg (note that the debugging
797N/Aoutput from the link-editor is not considered a 'stable interface' and may
797N/ANow run the following script in Userland:
797N/A # set to workspace paths:
797N/A if grep -q "^debug: file.*\<$f\>" $LD_DBG
797N/A echo $i | sed "s#$BUILD/##"
797N/Ato get the list of required object files.
797N/AAdditionally, you can format the list for including to Makefile by:
797N/A sort | tr '\n' ' ' | fold -s -w74 | sed -e 's/^/ /' -e 's/$/\\/'
797N/AWhen linking with wanboot please pay attention to following pitfalls.
797N/ACorrect openssl header files need to be included. This is done in
797N/AMake sure CPPFLAGS point to the right directories.
797N/AEXTREME CAUTION needs to be employed, if WANBOOT GREW IN SIZE because of the
797N/AWanboot is a statically linked standalone binary and it is loaded on a fixed
797N/Aaddress before execution. This address is defined in
797N/AThis address (VADDR) NEEDS TO BE GREATER THEN
797N/A size of wanboot binary + 0x4000
797N/AThe reason for this is in how wanboot is loaded by OpenBoot Prom:
797N/A1) user initiates boot from network - "boot net"
797N/A2) obp loads wanboot binary at address 0x4000
797N/A3) obp parses ELF header, reads virtual address where to load wanboot to
797N/A4) obp mem-copies .text section to this address
797N/A5) obp copies .data section behind .text
797N/A6) obp starts executing wanboot at entry address
797N/AIf the given address is too small, obp overwrites part of .data with
797N/Ainstructions from .text in step 4. resulting in .data being corrupted.
797N/AInitialized variables get bogus values and failure is inevitable.
797N/AThis is very hard to troubleshoot.
797N/ATesting wanboot with new openssl
797N/AWith every upgrade of OpenSSL, it is necessary to make sure wanboot builds and
2828N/Aworks well with the new bits (post lullaby).
797N/AProvided you have a freshly built ON workspace, you can link wanboot with new
797N/A # prepare to rebuild wanboot
797N/A # hack to force a rebuild
2828N/A # modify Makefile and assign the WAN_OPENSSL macro to your binary
797N/AWanboot should build without warning.
797N/AIf there is something like this in the output:
797N/A Undefined first referenced
797N/A ld: fatal: symbol referencing errors. No output written to wanboot
797N/A dmake: Fatal error: Command failed for target `wanboot'
797N/Asome additional work has to be done in OpenSSL to either satisfy the function
797N/Areferences listed in the linker error message, or to remove the calls to these
797N/AFinally, resulting wanboot binary shall be deployed on some install server and
797N/Awanbooting from this server shall be tested.
4368N/Aand they are copied to both FIPS and non-FIPS 'patches' dir as soon as the
4368N/AMakefile is parsed. The Common patch filename has prefix '0',
4368N/AGive
CA.pl better defaults. See 6193522 for more information.
4368N/AMake sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for
4368N/AAdds five Solaris specific configurations (both 32bit and 64bit for both sparc
4368N/Aand x86, plus 64bit sparc for wanboot) to Configure which are then explicitly
4368N/Aused by the Makefiles. Wanboot configuration is special in that it doesn't link
4368N/Awith libc and uses -xF=%all to put functions in separate sections, so that
4368N/Aunused code can be discarded.
4368N/ACare should be taken if modifying this patch as changes to compile-time options
4368N/Acan change the ABI. One example of this is the use of RC4_INT vs RC4_CHAR.
4368N/APrevent build binaries having an unnecessary runpath (/lib).
4368N/ABuild with non-executable stacks and non-executable data (x86).
4368N/AAdds a new "enginesdir" option to the Configure script which allows a user to
4368N/Aspecify the engines directory.
4368N/AAdds the code to setup internal mutexes and callback function.
4368N/AAES-CBC input length is checked to avoid segmentation fault.
4368N/AFixes the certificate chain bug.
4368N/ASPARC patch. Solaris-only patch.
4368N/AOtherwise modify them to call getisax() to check for HW capability instead.
4368N/ARemove test 'test_ca' because it depends on directories not present in the
4368N/ANon-FIPS specific patch files are located in the
4368N/AThe Non-FIPS specific patch filename has prefix '1',
4368N/AForce openssl to install man pages into man[1357]openssl instead of man[1357].
4368N/A- modified Makefiles not to build in engines apps test tools
4368N/A - reading password is implemented in disabled DES library
4368N/A - results in not using FPU for big numbers multiplication
4368N/A - should be ok - original detection seems broken, FPU gets never used
4368N/AAdd patch to support inline T4 instruction in OpenSSL upstream code until
4368N/ASuppress warnings about sparcv8+ ABI violation when building T4-specific
4368N/AFIPS specific patch files are located in the
4368N/AThe FIPS specific patch filename has prefix '2',
4368N/AChange openssl(1) to call the FIPS routines only if the fips mediator is activated.
4368N/AFIPS version needs to build with '-lc' explicitly with stuido 12.3 and above.