Makefile revision 2877
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder#
c63ebf815c8a874525cf18670ad74847f7fc7b26Christian Maeder# CDDL HEADER START
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder#
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# The contents of this file are subject to the terms of the
456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder# Common Development and Distribution License (the "License").
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# You may not use this file except in compliance with the License.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder#
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder# or http://www.opensolaris.org/os/licensing.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# See the License for the specific language governing permissions
f4a2a20e49f41b2afa657e5e64d9e349c7faa091Christian Maeder# and limitations under the License.
f2f9df2e17e70674f0bf426ed1763c973ee4cde0Christian Maeder#
c9a7e6af169a2adfb92f42331cd578065ed83a2bChristian Maeder# When distributing Covered Code, include this CDDL HEADER in each
c9a7e6af169a2adfb92f42331cd578065ed83a2bChristian Maeder# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder# If applicable, add the following below this CDDL HEADER, with the
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maeder# fields enclosed by brackets "[]" replaced with your own identifying
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder# information: Portions Copyright [yyyy] [name of copyright owner]
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder#
a1ed34933c266ce85066acb0d7b20c90cb8eb213Christian Maeder# CDDL HEADER END
c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder#
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich# Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
b1f59a4ea7c96f4c03a4d7cfcb9c5e66871cfbbbChristian Maeder#
ad270004874ce1d0697fb30d7309f180553bb315Christian Maeder
4d56f2fa72e4aec20eb827c11ed49c8cbb7014bdChristian Maeder#
4cb215739e9ab13447fa21162482ebe485b47455Christian Maeder# This component is not to be installed. It is used to build FIPS-140
8ef75f1cc0437656bf622cec5ac9e8ea221da8f2Christian Maeder# certified OpenSSL libraries.
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich#
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder
74eed04be26f549d2f7ca35c370e1c03879b28b1Christian Maederinclude ../../../make-rules/shared-macros.mk
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder
# Identity of the upstream source archive for this component. These variables
# are presumably consumed by the included make-rules files, which are not
# visible here.
3e8b136f23ed57d40ee617f49bcac37830b58cabChristian MaederCOMPONENT_NAME = openssl-fips
ef9e8535c168d3f774d9e74368a2317a9eda5826Christian MaederCOMPONENT_VERSION = 2.0.5
bab2d88d650448628730ed3b65c9f99c52500e8cChristian MaederCOMPONENT_SRC = $(COMPONENT_NAME)-ecp-$(COMPONENT_VERSION)
3e8b136f23ed57d40ee617f49bcac37830b58cabChristian MaederCOMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
# Pinned SHA-256 digest of the archive named above.
ef9e8535c168d3f774d9e74368a2317a9eda5826Christian MaederCOMPONENT_ARCHIVE_HASH= \
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder sha256:f1abdd0ca1a9467a3eba15564fc2b3447114d1d63020c33cd3210f2a43a5ff4d
# NOTE(review): the archive is fetched over plain http://, so the transport
# gives no integrity or authenticity guarantee. The pinned
# COMPONENT_ARCHIVE_HASH above and the HMAC check in the .verified rule are
# what detect a modified download. Confirm that the fetch step enforces the
# hash, and prefer an https:// source if the fetch tooling supports it.
e593b89bfd4952698dc37feced21cefe869d87a2Christian MaederCOMPONENT_ARCHIVE_URL = http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCOMPONENT_BUGDB= utility/openssl
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder
c3053d57f642ca507cdf79512e604437c4546cb9Christian Maederinclude $(WS_TOP)/make-rules/prep.mk
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian Maederinclude $(WS_TOP)/make-rules/configure.mk
f4a2a20e49f41b2afa657e5e64d9e349c7faa091Christian Maeder
# Replace PATH with a fixed list: the compiler root ($(SPRO_VROOT)/bin) first,
# then the system, GNU and perl5 directories. Presumably this keeps tools from
# the invoking user's environment out of the build. FIPS_PATH_32/64 and
# COMPONENT_BUILD_ENV below prepend workspace directories to this value.
f4a2a20e49f41b2afa657e5e64d9e349c7faa091Christian MaederPATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian Maeder
05a62e84edac8c64de04f8349dee418598d216b9Christian Maeder# In order to build a 32bit version on a 64bit system the isalist(1) command
1cd4f6541984962658add5cfaa9f28a93879881bChristian Maeder# must be substituted for the 32bit build so that amd64|sparcv9 is not part of
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder# its output. isalist is used internally when configuring the canister before
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder# building it. In order to allow make install to be run as a no-op we have to
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder# fake "make install" since we do not want to install the files anywhere. The
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder# command sets U1 and U2 are defined in the FIPS 2.0.5 security policy and must be
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder# run as shown there. Nothing from the tarball can be modified. We use the U2
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder# command set, see below.
#
# FAKE_APPS names the three stand-in programs (isalist, make, cc) that this
# component puts ahead of the real tools on PATH; see FIPS_PATH_32/64 and
# COMPONENT_BUILD_ENV. The paths are relative, presumably to the component
# directory. How the stand-ins are produced is not shown in this file.
8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian MaederFAKE_ISALIST = 32/isalist
456238178f89e5a3de2988ee6c8af924297d52d9Christian MaederFAKE_MAKE = fips-gmake
d54cd08a4cfa26256c38d8ed12c343adbfe1a0e3Christian MaederFAKE_CC = cc
23b4e542dca35852f58d1fb3f7d9078c1de5ab06Christian MaederFAKE_APPS = $(FAKE_ISALIST) $(FAKE_MAKE) $(FAKE_CC)
bab2d88d650448628730ed3b65c9f99c52500e8cChristian Maeder
# Register the stand-ins for removal; CLOBBER_PATHS is presumably honoured by
# the clobber target in the shared make-rules.
bab2d88d650448628730ed3b65c9f99c52500e8cChristian MaederCLOBBER_PATHS += $(FAKE_APPS)
8cacad2a09782249243b80985f28e9387019fe40Christian Maeder
6a2dad705deefd1b7a7e09b84fd2d75f2213be47Christian Maeder# Do not use $(PWD), it would not work if run from a different directory with
a7c27282e71cf4505026645f96d4f5cb8a284e32Christian Maeder# "gmake -C" as we do from openssl-1.0.1
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder# we'll also pick up gcc if we find it in the path, so force it to
014dc30f64ec25e4790cca987d4d1e6635430510Christian Maeder# find one that doesn't work like it wants
#
# Search paths used at configure time, selected by $(BITS) in CONFIGURE_ENV.
# Both put workspace directories ahead of $(PATH), so any program found in
# $(COMPONENT_DIR)/32 (32-bit only) or $(COMPONENT_DIR)/gcc shadows the system
# tool of the same name.
# NOTE(review): because these directories take precedence over the system
# tools, they should be writable only by the build owner - confirm for the
# build hosts.
f04e8f3ff56405901be968fd4c6e9769239f1a9bKlaus LuettichFIPS_PATH_32 = $(COMPONENT_DIR)/32:$(COMPONENT_DIR)/gcc:$(PATH)
6aea82c63ba1d2efc0329bc784a14e521469ec20Christian MaederFIPS_PATH_64 = $(COMPONENT_DIR)/gcc:$(PATH)
4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder
# Key and expected digest for the "openssl sha1 -hmac" check of
# $(COMPONENT_ARCHIVE) in the .verified rule below.
# NOTE(review): the key appears to be the fixed value published in the OpenSSL
# FIPS User Guide, not a secret. If so, the check detects a wrong or corrupted
# tarball but adds no more protection against deliberate tampering than a
# pinned hash would - confirm against the User Guide and do not treat the key
# as a credential.
feca1d35123d8c31aee238c9ce79947b0bf65494Christian MaederOPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
431d34c7007a787331c4e5ec997badb0f8190fc7Christian MaederOPENSSL_FIPS_HMAC = 148e4e127ffef1df80c0ed61bae35b07ec7b7b36
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder
db675e8302ddb0d6528088ce68f5e98a00e890e3Christian Maeder# There is a broken link in the tarball which causes cp(1) to fail which would
db675e8302ddb0d6528088ce68f5e98a00e890e3Christian Maeder# fail the whole configure process. It's safer to get rid of the link than
f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder# hide real issues.
#
# In a subshell: change to the target's directory ($(@D)), remove
# test/fips_aes_data from $(SOURCE_DIR), then copy the whole source tree into
# the current directory.
# NOTE(review): the steps are joined with ';', so unless the shell runs with
# -e the subshell's status is that of the final $(CP). A failed cd would then
# not stop the copy, which would land in whatever directory the shell started
# in.
# NOTE(review): the $(RM) deletes a path inside the unpacked source tree, while
# the comment earlier in this file says nothing from the tarball can be
# modified - confirm the removal is acceptable under the Security Policy.
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian MaederCOMPONENT_PRE_CONFIGURE_ACTION = ( cd $(@D); \
6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder $(RM) $(SOURCE_DIR)/test/fips_aes_data; $(CP) -r $(SOURCE_DIR)/* .; )
23ffcc44ca8612feccbd8fda63fa5be7ab5f9dc3Christian Maeder
61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder# There is a specific way that must be followed to build the FIPS-140 canister.
c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder# It is "./config fipscanisterbuild; make; make install" and is called a command
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder# set "U2" in the OpenSSL FIPS-140 User Guide.
#
# On sparc the configure script depends on $(BITS): "config" for 32-bit, and
# "./Configure" with an explicit target name for 64-bit. On every other $(MACH)
# value "config" is used for both widths.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maederifeq ($(MACH), sparc)
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCONFIGURE_SCRIPT_32 = config
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder# For 64-bit, use './Configure fipscanisterbuild solaris64-sparcv9-cc'.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCONFIGURE_SCRIPT_64 = ./Configure
9e748851c150e1022fb952bab3315e869aaf0214Christian MaederCONFIGURE_OPTIONS.64 = solaris64-sparcv9-cc
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian MaederCONFIGURE_SCRIPT = $(CONFIGURE_SCRIPT_$(BITS))
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maederelse
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian MaederCONFIGURE_SCRIPT = config
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maederendif
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder
# "=" (not "+=") discards any configure options set earlier, so only
# fipscanisterbuild plus the per-width option is passed. CONFIGURE_OPTIONS.32
# is not set in the visible part of this file, so nothing is appended for
# 32-bit unless it is defined elsewhere.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCONFIGURE_OPTIONS = fipscanisterbuild
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian MaederCONFIGURE_OPTIONS += $(CONFIGURE_OPTIONS.$(BITS))
# Build runs with no extra arguments or targets and install runs only the
# "install" target, matching the "make; make install" steps quoted above.
a5e5b8c3e5c11177e5034ef2423813a5d28979edChristian MaederCOMPONENT_BUILD_ARGS =
bc8cbf12aa172bf5673b92a9e7a0151d4aa4c315Christian MaederCOMPONENT_BUILD_TARGETS =
2d130d212db7208777ca896a7ecad619a8944971Christian MaederCOMPONENT_INSTALL_ARGS =
2d130d212db7208777ca896a7ecad619a8944971Christian MaederCOMPONENT_INSTALL_TARGETS = install
# Configure sees the linker as FIPS_SITE_LD and the width-specific search path
# defined in FIPS_PATH_32/64.
51d769d55d88dfa88bdf54bee78d8fa85a2deba8Christian MaederCONFIGURE_ENV += FIPS_SITE_LD=$(LD) PATH=$(FIPS_PATH_$(BITS))
a5e5b8c3e5c11177e5034ef2423813a5d28979edChristian Maeder# Add COMPONENT_DIR to PATH so cc wrapper can be found.
# REALCC and MYMAKE carry the real compiler and make; presumably the wrappers
# in $(COMPONENT_DIR) read them in order to delegate - their contents are not
# shown here.
a42fbfe7becf0eae2d624123eb0db73a794593f0Christian MaederCOMPONENT_BUILD_ENV += FIPS_SITE_LD=$(LD) REALCC=$(CC) MYMAKE=$(MAKE) PATH=$(COMPONENT_DIR):$(PATH)
a42fbfe7becf0eae2d624123eb0db73a794593f0Christian Maeder
# Make the stand-in programs prerequisites of the build targets, so that they
# exist before any build step runs. This line adds dependencies only; it has no
# recipe. BUILD_32_and_64 is defined outside this file.
b363eb04791e7f735633b9b4088502c2bc50ebfcChristian Maeder$(BUILD_32_and_64): $(FAKE_APPS)
a42fbfe7becf0eae2d624123eb0db73a794593f0Christian Maeder
1cd4f6541984962658add5cfaa9f28a93879881bChristian Maeder# You should not use this target with this component unless testing or
1cd4f6541984962658add5cfaa9f28a93879881bChristian Maeder# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set
2d130d212db7208777ca896a7ecad619a8944971Christian Maeder# should be run. See above for more information.
#
# "build" stops after the build step. It does not reach the .verified rule,
# which only "install" depends on, so the archive HMAC check is not run by this
# target.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maederbuild: $(BUILD_32_and_64)
6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder
6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder# We must make the "install" target a no-op (but must run it to be compliant).
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder# See above for more information.
#
# The target-specific GMAKE applies to "install" and to its prerequisites, so
# recipes that run for them and invoke $(GMAKE) call the fips-gmake stand-in
# rather than the real make.
# "install" completes only when the .verified stamp has been produced for both
# the 32-bit and the 64-bit build directory.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maederinstall: GMAKE = $(COMPONENT_DIR)/fips-gmake
4017ebc0f692820736d796af3110c3b3018c108aChristian Maederinstall: $(BUILD_DIR_32)/.verified $(BUILD_DIR_64)/.verified
a9b59eb2ce961014974276cdae0e9df4419bd212Christian Maeder
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder# This is a recommended set of commands to verify that the FIPS-140 mode can be
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder# used and that we used the correct tarball.
#
# How the check works:
#  - openssl computes the HMAC-SHA1 of $(COMPONENT_ARCHIVE) with
#    $(OPENSSL_FIPS_HMAC_KEY). It is started through "$(ENV) -" (presumably
#    env(1) with an emptied environment) with only OPENSSL_FIPS=1 and
#    LD_LIBRARY_PATH set.
#  - nawk compares the second field of the output with $(OPENSSL_FIPS_HMAC)
#    and exits 1 on a mismatch, which fails the recipe before the stamp file
#    is touched.
#  - "printf x" ensures nawk always receives at least one record. If openssl
#    prints nothing, the record is just "x", its second field is empty, and
#    the comparison fails instead of passing on empty input.
# NOTE(review): the pipeline's status is nawk's, so openssl's own exit status
# is checked only through its output, unless the recipe shell uses pipefail.
# NOTE(review): the openssl binary is a fixed system path, not one built by
# this component. LD_LIBRARY_PATH=$(@D) presumably makes it load the libraries
# from the build directory - confirm which libraries are actually exercised.
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder (printf x; \
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder $(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=$(@D) \
a3c6d8e0670bf2aa71bc8e2a3b1f45d56dd65e4cChristian Maeder /lib/openssl/fips-140/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
dc679edd4ca027663212afdf00926ae2ce19b555Christian Maeder $(COMPONENT_ARCHIVE)) | \
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder $(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder @echo Basic FIPS-140 mode verification passed.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder $(TOUCH) $@
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder
# "test" depends only on $(NO_TESTS), which is defined outside this file and is
# presumably the shared placeholder for components without a test suite. The
# only verification this Makefile runs itself is the HMAC check in the
# .verified rule.
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maedertest: $(NO_TESTS)
ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder
4017ebc0f692820736d796af3110c3b3018c108aChristian Maederinclude $(WS_TOP)/make-rules/depend.mk
b568982efd0997d877286faa592d81b03c8c67b8Christian Maeder