Cross Reference: /solaris-userland/components/openssl/openssl-fips/Makefile
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
#
#
# This component is not to be installed. It is used to build FIPS-140
# certified OpenSSL libraries.
#
include ../../../make-rules/shared-macros.mk
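# Identity of the upstream release this component builds.  COMPONENT_VERSION,
# COMPONENT_ARCHIVE_HASH and OPENSSL_FIPS_HMAC (further down) describe one
# specific tarball and must be changed together; a version bump with a stale
# digest is meant to fail rather than build.
COMPONENT_NAME = openssl-fips
COMPONENT_VERSION = 2.0.13
COMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
# SHA-256 pin for the archive.  This is the digest the Userland Consolidation
# uses to check the file's integrity; it is separate from the HMAC-SHA-1
# value that the FIPS procedure requires.
COMPONENT_ARCHIVE_HASH= \
    sha256:3ff723f93901f750779a2e67ff15985c357f1a15c892c9504446fbc85c6f77da
# Fetched over HTTPS rather than plain HTTP.  The SHA-256 pin above still
# decides whether a downloaded file is accepted; TLS adds protection of the
# transfer itself so a tampered response is not even delivered to that check.
COMPONENT_ARCHIVE_URL = https://www.openssl.org/source/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= library/openssl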
include $(WS_MAKE_RULES)/prep.mk
include $(WS_MAKE_RULES)/configure.mk
# Tool search path for this component: the compiler root followed by fixed
# system directories.  The assignment does not carry over the caller's PATH.
PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
# Helper programs that stand in for real tools during the build:
#
#  - isalist: in order to build a 32bit version on a 64bit system the
#    isalist(1) command must be substituted for the 32bit build so that
#    amd64|sparcv9 is not part of its output.  isalist is used internally
#    when configuring the canister before building it.
#  - make: in order to allow make install to be run as a no-op we have to
#    fake "make install" since we do not want to install the files anywhere.
#  - cc: a compiler wrapper (see COMPONENT_BUILD_ENV).
#
# The command sets U1 and U2 are defined in the FIPS 2.0.5 security policy
# and must be run as shown there.  Nothing from the tarball can be modified.
# We use the U2 command set, see below.
#
# The directories holding these helpers are searched before the system
# directories (FIPS_PATH_32/FIPS_PATH_64 and COMPONENT_BUILD_ENV), so whatever
# file sits at those paths is what configure and the build execute in place
# of the real tool.  The component directory should be writable only by the
# account that runs the build.
FAKE_ISALIST = 32/isalist 64/isalist
FAKE_MAKE = fips-gmake
FAKE_CC = cc
FAKE_APPS = $(FAKE_ISALIST) $(FAKE_MAKE) $(FAKE_CC)
# Presumably removed again by the shared clean rules -- confirm in make-rules.
CLEAN_PATHS += $(FAKE_APPS)
# Do not use $(PWD), it would not work if run from a different directory with
# "gmake -C" as we do from openssl-default
# The upstream configuration will also pick up gcc if it finds one in the
# path, so $(COMPONENT_DIR)/gcc is searched ahead of $(PATH) to force it to
# find one that doesn't work like it wants.
FIPS_PATH_32 = $(COMPONENT_DIR)/32:$(COMPONENT_DIR)/gcc:$(PATH)
FIPS_PATH_64 = $(COMPONENT_DIR)/64:$(COMPONENT_DIR)/gcc:$(PATH)
# HMAC-SHA-1 digest of the OpenSSL FIPS tar file is used for the
# integrity test requirement for the FIPS-140 validation.
# Note: COMPONENT_ARCHIVE_HASH is a SHA256 digest used by the Userland
# Consolidation to check the file integrity.
#
# The key below is not a secret.  It is the fixed, publicly documented string
# that the upstream FIPS procedure uses for this check, so anyone can
# recompute the digest.  The HMAC therefore detects a wrong or corrupted
# tarball and satisfies the procedural requirement; it does not authenticate
# where the archive came from.
#
# Both values are consumed by the .verified rule.  OPENSSL_FIPS_HMAC belongs
# to one specific archive and has to be replaced whenever COMPONENT_VERSION
# changes.
OPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
OPENSSL_FIPS_HMAC = 26f923491458df77a1f4c6ce39fef2f5bea88cd5
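# There is a broken link in the tarball which causes cp(1) to fail which would
# fail the whole configure process. It's safer to get rid of the link than
# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could
# hide real issues.
#
# The three steps are chained with && so that a failed cd stops the action.
# With plain ';' a failed cd would let the copy run in whatever directory the
# recipe started in, and only the status of the last command would be
# reported.  Note that the link is removed from $(SOURCE_DIR) itself, i.e.
# from the unpacked tree, before that tree is copied into the build
# directory.
COMPONENT_PRE_CONFIGURE_ACTION = ( cd $(@D) && \
    $(RM) $(SOURCE_DIR)/test/fips_aes_data && \
    $(CP) -r $(SOURCE_DIR)/* . )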
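# After unpacking, link the local inline-t4 sources into the unpacked tree.
# Assuming $(LN) is ln(1), -f replaces an existing entry of the same name, so
# a file shipped in the tarball at one of these paths is superseded by the
# local copy.
#
# The links are chained with && so that a link that cannot be created fails
# the unpack step.  With ';' only the status of the last ln was reported and
# a missing overlay would go unnoticed until (or unless) the build broke.
#
# NOTE(review): the comments in this file state that nothing from the tarball
# can be modified, yet this step places local files (for example dh_check.c,
# e_aes.c and e_des3.c) inside the source tree that is then built.  Whether
# the resulting module is covered by the validation being relied on has to
# be confirmed outside this file.  The HMAC comparison in the .verified rule
# is computed over the tarball only and does not cover these overlays.
COMPONENT_POST_UNPACK_ACTION = \
    ( echo "Cloning engines..." && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/sparc_arch.h $(@D)/crypto/ && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/aest4-sparcv9.pl $(@D)/crypto/aes/asm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/dest4-sparcv9.pl $(@D)/crypto/des/asm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/dh_check.c $(@D)/crypto/dh && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/sparcv9_modes.pl $(@D)/crypto/perlasm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/vis3-mont.pl $(@D)/crypto/bn/asm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/sparcv9-gf2m.pl $(@D)/crypto/bn/asm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/sparct4-mont.pl $(@D)/crypto/bn/asm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/e_des3.c $(@D)/crypto/evp && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/e_aes.c $(@D)/crypto/evp && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/sha1-sparcv9.pl $(@D)/crypto/sha/asm && \
    $(LN) -fs $(COMPONENT_DIR)/inline-t4/sha512-sparcv9.pl $(@D)/crypto/sha/asm )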
# There is a specific way that must be followed to build the FIPS-140 canister.
# It is "./config fipscanisterbuild; make; make install" and is called a command
# set "U2" in the OpenSSL FIPS-140 User Guide.
#
# The variables below choose the script and arguments for the first of those
# three steps.  Anything added here changes the command that is actually run,
# so additions need to be checked against the command set.
ifeq ($(MACH), sparc)
CONFIGURE_SCRIPT_32 = config
# For 64-bit, use './Configure fipscanisterbuild solaris64-sparcv9-cc'.
# NOTE(review): this is Configure with an explicit target rather than the
# literal "./config" quoted above -- confirm it is an accepted form.
CONFIGURE_SCRIPT_64 = ./Configure
CONFIGURE_OPTIONS.64 = solaris64-sparcv9-cc
# Expands to CONFIGURE_SCRIPT_32 or CONFIGURE_SCRIPT_64 depending on $(BITS).
CONFIGURE_SCRIPT = $(CONFIGURE_SCRIPT_$(BITS))
else
CONFIGURE_SCRIPT = config
endif
# fipscanisterbuild is always the first option.  The per-bitness variable is
# appended after it; within this file only CONFIGURE_OPTIONS.64 on sparc is
# given a value.
CONFIGURE_OPTIONS = fipscanisterbuild
CONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS.$(BITS))
# Reset the argument and target lists so that the build step gets no extra
# arguments or targets from this file and the install step gets only
# "install".
COMPONENT_BUILD_ARGS =
COMPONENT_BUILD_TARGETS =
COMPONENT_INSTALL_ARGS =
COMPONENT_INSTALL_TARGETS = install
# Ignore default CC_FOR_BUILD, CC, and CXX in CONFIGURE_ENV.
# Each is appended with an empty value, which follows any earlier setting of
# the same name in CONFIGURE_ENV.
CONFIGURE_ENV += CC_FOR_BUILD=
CONFIGURE_ENV += CC=
CONFIGURE_ENV += CXX=
# configure runs with the per-bitness search path, whose first entries are
# directories inside the component (see FIPS_PATH_32/FIPS_PATH_64).
# NOTE(review): the values are unquoted; a path or tool setting containing
# whitespace would be split into separate words -- confirm how the shared
# rules pass CONFIGURE_ENV to env(1).
CONFIGURE_ENV += FIPS_SITE_LD=$(LD) PATH=$(FIPS_PATH_$(BITS))
# Add COMPONENT_DIR to PATH so cc wrapper can be found.
# COMPONENT_DIR comes first, so a file named like a build tool in that
# directory is run in preference to the one in the system directories.
# REALCC and MYMAKE are presumably read by the cc and fips-gmake wrappers to
# locate the real compiler and make -- confirm against the wrapper scripts.
COMPONENT_BUILD_ENV += FIPS_SITE_LD=$(LD) REALCC=$(CC) MYMAKE=$(MAKE) PATH=$(COMPONENT_DIR):$(PATH)
# The fake isalist, make and cc programs are prerequisites of both builds, so
# they have to be in place before either build starts.
$(BUILD_32_and_64): $(FAKE_APPS)
# You should not use this target with this component unless testing or
# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set
# should be run. See above for more information.
configure: $(CONFIGURE_32_and_64)
build: $(BUILD_32_and_64)
# We must make the "install" target a no-op (but must run it to be compliant).
# See above for more information.
# GMAKE is a target-specific variable here: it takes this value for install
# and for the prerequisites built on its behalf, and nowhere else.
install: GMAKE = $(COMPONENT_DIR)/fips-gmake
# install depends on the .verified stamps, not on .installed directly, so it
# completes only after the HMAC comparison has passed for both bitnesses
# (.verified in turn depends on .installed).
install: $(BUILD_DIR_32)/.verified $(BUILD_DIR_64)/.verified
# This is a recommended set of commands to verify that the FIPS-140 mode can be
# used and that we used the correct tarball.
#
# What the recipe does:
#  - Runs the openssl binary and libraries found under /lib/openssl/fips-140
#    on the build host, with OPENSSL_FIPS=1.  Nothing produced by this build
#    is executed here.  Assuming $(ENV) is env(1), the "-" argument starts
#    that command with an otherwise empty environment.
#  - Computes the HMAC-SHA-1 of $(COMPONENT_ARCHIVE) with the fixed key and
#    has awk compare the second field of the output with OPENSSL_FIPS_HMAC.
#    A mismatch makes awk exit 1, the recipe fails and the .verified stamp is
#    not created.
#  - printf x writes one character ahead of the openssl output.  awk
#    therefore always receives a record: if openssl prints nothing, the
#    second field is empty and the comparison fails.  Presumably that is the
#    reason for it; without it an empty stream would give awk no record to
#    test and the pipeline would succeed.
#  - $(COMPONENT_ARCHIVE) is a relative path, resolved against the directory
#    the recipe runs in.
#
# The rule depends on .installed, so the comparison happens after the source
# has already been configured, built and "installed".  It gates the stamp
# that install waits for; the check applied to the download itself is
# COMPONENT_ARCHIVE_HASH.
$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
	(printf x; \
	$(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=/lib/openssl/fips-140/64 \
	/lib/openssl/fips-140/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
	$(COMPONENT_ARCHIVE)) | \
	$(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'
	@echo Basic FIPS-140 mode verification passed.
	$(TOUCH) $@
# Both test targets depend only on $(NO_TESTS), which is not defined in this
# file (presumably it comes from the shared make rules and marks the
# component as having no test suite -- confirm there).  The only automated
# check this Makefile performs itself is the HMAC comparison in the .verified
# rule.
test: $(NO_TESTS)
system-test: $(NO_TESTS)