Makefile revision 363
28c4fe67d75f8f26504d75b7aa8dc5d868032888wrowe# CDDL HEADER START
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj# The contents of this file are subject to the terms of the
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj# Common Development and Distribution License (the "License").
8163c8f6e2a9a8e4aba318d874c54a3155d57e21jerenkrantz# You may not use this file except in compliance with the License.
d8028365066fca602bf35d014530a1802114378crbb# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c25203fdca093d4504c51b4cd974ff60d5aa4fb1wrowe# See the License for the specific language governing permissions
c25203fdca093d4504c51b4cd974ff60d5aa4fb1wrowe# and limitations under the License.
4214e98fc9045e5010e66f9a967bd6d68f40d342aaron# When distributing Covered Code, include this CDDL HEADER in each
8721697e2aece27b0e738519329f7976c72b27bfjerenkrantz# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c25203fdca093d4504c51b4cd974ff60d5aa4fb1wrowe# If applicable, add the following below this CDDL HEADER, with the
91cacb801f6c0215b38322f6d2fc58cbfedfecfbjerenkrantz# fields enclosed by brackets "[]" replaced with your own identifying
91cacb801f6c0215b38322f6d2fc58cbfedfecfbjerenkrantz# information: Portions Copyright [yyyy] [name of copyright owner]
df14f0d3a5191cdd7c4bb5b03acd135d43a6f51brbb# CDDL HEADER END
571760de5e60c0b459cb11be45507b923cd023eejwoolley# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
9bd71e35f5d26d26d23fe3a677401828e842ed72wrowe# This component is not to be installed. It is used from openssl-0.9.8-fips-140
2900ab946a2d76b73a14cebfe2985d253f01c967stoddard# to build FIPS-140 certified OpenSSL libraries.
6f6f4a4bca281779d196acbdd5c017bb90858305trawickCOMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
09bd86d0db1114ee23eda0a6eb76ca055877a1cftrawickCOMPONENT_ARCHIVE_HASH= sha1:f09c3040da6cdd8bdd8c9cf01af8f14f89ee84d1
2deb319e6b3de239f45c16a3e9e836d44f1f7108rbbCOMPONENT_ARCHIVE_URL = http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
af4c982a7cf4515f124935f99a329744035fc699slive# In order to build a 32bit version on a 64bit system the isalist(1) command
af4c982a7cf4515f124935f99a329744035fc699slive# must be substituted for the 32bit build so that amd64|sparcv9 is not part of
af4c982a7cf4515f124935f99a329744035fc699slive# its output. isalist is used internally when configuring the canister before
af4c982a7cf4515f124935f99a329744035fc699slive# building it. In order to allow make install to be run as a no-op we have to
af4c982a7cf4515f124935f99a329744035fc699slive# fake "make install" since we do not want to install the files anywhere. The
af4c982a7cf4515f124935f99a329744035fc699slive# command sets U1 and U2 are defined in the FIPS 1.2 security policy and must be
10270f6f94b2069d0d357805c140a9897449b9ccianh# run as shown there. Nothing from the tarball can be modified. We use the U2
4b62424416882687387923b3130b96241503cbe0jerenkrantz# command set, see below.
45b0e1c775c1cfed6473c9e5304179ccb9609f53stoddard# Do not use $(PWD), it would not work if run from a different directory with
dbec4658981e4f9127e8676457c28d42932be7cdtrawick# "gmake -C" as we do from openssl-0.9.8-fips-140.
d85144f90d2fb3cc27f12640011ef77ca7946dbdjwoolleyOPENSSL_FIPS_HMAC = 79193087e8115df76d3de1f346f7410df79cf6e0
d415c14da6d37345738e160f785dbe8458095068jwoolley# There is a broken link in the tarball which causes cp(1) to fail which would
d85144f90d2fb3cc27f12640011ef77ca7946dbdjwoolley# fail the whole configure process. It's safer to get rid of the link than
d85144f90d2fb3cc27f12640011ef77ca7946dbdjwoolley# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could
d85144f90d2fb3cc27f12640011ef77ca7946dbdjwoolley# hide real issues.
d415c14da6d37345738e160f785dbe8458095068jwoolley $(RM) $(SOURCE_DIR)/test/fips_aes_data; $(CP) -r $(SOURCE_DIR)/* .; )
d415c14da6d37345738e160f785dbe8458095068jwoolley# There is a specific way that must be followed to build the FIPS-140 canister.
d415c14da6d37345738e160f785dbe8458095068jwoolley# It is "./config fipscanisterbuild; make; make install" and is called a command
d415c14da6d37345738e160f785dbe8458095068jwoolley# set "U2" in the OpenSSL FIPS-140 User Guide.
d415c14da6d37345738e160f785dbe8458095068jwoolleyCONFIGURE_ENV += FIPS_SITE_LD=$(LD) PATH=$(FIPS_PATH_$(BITS))
d415c14da6d37345738e160f785dbe8458095068jwoolleyCOMPONENT_BUILD_ENV += FIPS_SITE_LD=$(LD) REALCC=$(CC) MYMAKE=$(MAKE)
f17588e04d2412bf1345783ed1d173322d728d6ftrawick# You should not use this target with this component unless testing or
f17588e04d2412bf1345783ed1d173322d728d6ftrawick# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set
f17588e04d2412bf1345783ed1d173322d728d6ftrawick# should be run. See above for more information.
f17588e04d2412bf1345783ed1d173322d728d6ftrawick# We must make the "install" target a no-op (but must run it to be compliant).
2fb49a1d25f38421a68d31b4cbb5d9293fdeafbewrowe# See above for more information.
f4cb04eb78da02a38fcdd87489dc7b660107d55fjerenkrantzinstall: $(BUILD_DIR_32)/.verified $(BUILD_DIR_64)/.verified
2fb49a1d25f38421a68d31b4cbb5d9293fdeafbewrowe# This is a recommended set of commands to verify that the FIPS-140 mode can be
f4cb04eb78da02a38fcdd87489dc7b660107d55fjerenkrantz# used and that we used the correct tarball.
f4cb04eb78da02a38fcdd87489dc7b660107d55fjerenkrantz$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
f4cb04eb78da02a38fcdd87489dc7b660107d55fjerenkrantz $(@D)/apps/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
f4cb04eb78da02a38fcdd87489dc7b660107d55fjerenkrantz $(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'