Makefile revision 5537
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# CDDL HEADER START
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# The contents of this file are subject to the terms of the
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Common Development and Distribution License (the "License").
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# You may not use this file except in compliance with the License.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# See the License for the specific language governing permissions
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# and limitations under the License.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# When distributing Covered Code, include this CDDL HEADER in each
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# If applicable, add the following below this CDDL HEADER, with the
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# fields enclosed by brackets "[]" replaced with your own identifying
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# information: Portions Copyright [yyyy] [name of copyright owner]
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# CDDL HEADER END
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncPATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncPATH=$(PARFAIT_TOOLS):$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Note: COMPONENT_VERSION is the core OpenSSL version, and IPS_COMPONENT_VERSION
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# is the FIPS module version. The COMPONENT_VERSION changes with the core
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# OpenSSL version, but the IPS_COMPONENT_VERSION is purposely only to change if
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# the FIPS module version changes.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCOMPONENT_SRC = $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync sha256:b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCOMPONENT_ARCHIVE_URL = $(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Clone the patch files to the patches-all dir.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# COPY_COMMON_FILES is there so that rsync is called as soon as
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# the Makefile is parsed.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCOPY_COMMON_FILES:= $(shell rsync -ac ../common/patches/ patches/ $(PATCH_DIR))
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# OpenSSL FIPS directory
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# OpenSSL does not use autoconf but its own configure system.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Used in the configure options below.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Built openssl/openssl-fips component is used when building FIPS-140 libraries.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# What we do here follows the OpenSSL FIPS-140 User Guide instructions.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncFIPS_BUILD_DIR_32 = $(shell echo $(BUILD_DIR_32) | \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncFIPS_BUILD_DIR_64 = $(shell echo $(BUILD_DIR_64) | \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Ignore default CC_FOR_BUILD, CC, and CXX in CONFIGURE_ENV.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS = -DSOLARIS_OPENSSL -DNO_WINDOWS_BRAINDEATH
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We use OpenSSL install code for installing only manual pages and we do that
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# for 32-bit version only.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS += fips --with-fipslibdir="$(FIPS_BUILD_DIR_$(BITS))/fips/"
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS += --with-fipsdir="$(BUILD_DIR_$(BITS))"
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# MD2 is not enabled by default in OpensSSL but some software we have in
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Userland needs it. One example is nmap.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Disable SSLv2 and SSLv3 protocols
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We define our own compiler and linker option sets for Solaris. See Configure
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# for more information.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS32_sparc = solaris-fips-sparcv9-cc-sunw
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS64_sparc = solaris64-fips-sparcv9-cc-sunw
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Some additional options needed for our engines.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS += --pk11-libname=$(PKCS11_LIB$(BITS))
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS += --enginesdir=$(ENGINESDIR_$(BITS))
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS$(BITS)_$(MACH))
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# OpenSSL has its own configure system which must be run from the fully
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# populated source code directory. However, the Userland configuration phase is
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# run from the build directory. The easiest way to workaround it is to copy all
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# the source files there.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync ( $(CLONEY) $(SOURCE_DIR) $(BUILD_DIR)/$(MACH$(BITS)); )
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We deliver only one opensslconf.h file which must be suitable for both 32 and
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# 64 bits. Depending on the configuration option, OpenSSL's Configure script
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# creates opensslconf.h for either 32 or 64 bits. A patch makes the resulting
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# header file usable on both architectures. The patch was generated against the
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# opensslconf.h version from the 32 bit build.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync ( [ $(BITS) -eq 32 ] && $(GPATCH) -p1 $(@D)/crypto/opensslconf.h \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync patches-post-config/opensslconf.patch; cd $(@D); $(MAKE) depend; )
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Enable ASLR for this component
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We must make sure that openssl-fips component is built before this openssl-fips-140
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# component since in order to build FIPS-140 certified libraries, the canister
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# is needed. Note that we must unset BITS that would override the same variable
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# used in openssl-fips' Makefile, and we would end up up with both canisters
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# built in 64 (or 32) bits.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed:
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(MAKE) -C $(COMPONENT_DIR)/../openssl-fips install; )
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# download, clean, and clobber should all propogate to the fips bits
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We do not ship our engines as patches since it would be more difficult to
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# update the files which have been under continuous development. We rather copy
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# the files to the right directories and let OpenSSL makefiles build it.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We also copy some FIPS specific header files needed to build FIPS version
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# of OpenSSL from FIPS module.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync ( $(LN) -fs $(COMPONENT_DIR)/engines/pkcs11/* $(@D)/engines; \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fips.h $(@D)/include/openssl; \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fipssyms.h $(@D)/include/openssl; \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/rand/fips_rand.h $(@D)/include/openssl; \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(LN) -fs $(OPENSSL_FIPS_DIR)/openssl-fips-ecp-$(IPS_COMPONENT_VERSION)/fips/fipsld $(@D)/bin/; \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(LN) -fs $(OPENSSL_FIPS_DIR)/build/$(MACH$(BITS))/fips/fips_standalone_sha1 $(@D)/bin/; \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(LN) -fs $(COMPONENT_DIR)/build/$(MACH$(BITS))/fips_premain_dso $(@D)/bin/;)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# OpenSSL does not install into <dir>/$(MACH64) for 64-bit install so no such
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# directory is created and Userland install code would fail when installing lint
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# libraries.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncCOMPONENT_PRE_INSTALL_ACTION = ( $(MKDIR) $(PROTO_DIR)/usr/lib/$(MACH64); )
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(SOURCE_DIR)/.prep: $(COMPONENT_DIR)/../openssl-fips/build/$(MACH32)/.installed \
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync $(COMPONENT_DIR)/../openssl-fips/build/$(MACH64)/.installed
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We follow what we do for install in openssl/openssl-1.0.0 component. Please
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# see the comment in Makefile in there for more information.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# We need to modify the default lint flags to include patched opensslconf.h from
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# the build directory. If we do not do that, lint will complain about md2.h
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# which is not enabled by default but it is in our opensslconf.h.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncLFLAGS_32 := -I$(BUILD_DIR_32)/include $(LINT_FLAGS)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsyncLFLAGS_64 := -I$(BUILD_DIR_64)/include $(LINT_FLAGS)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# Set modified lint flags for our lint library targets.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(BUILD_DIR_32)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_32)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(BUILD_DIR_32)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_32)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(BUILD_DIR_64)/llib-lcrypto.ln: LINT_FLAGS=$(LFLAGS_64)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync$(BUILD_DIR_64)/llib-lssl.ln: LINT_FLAGS=$(LFLAGS_64)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# There are also separate STC test suites 'openssl' and 'openssl-engine'
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync# for regression testing. These internal tests are unit tests only.