Makefile revision 364
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder#
25cc5fbba63f84b47e389af749f55abbbde71c8cChristian Maeder# CDDL HEADER START
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder#
25cc5fbba63f84b47e389af749f55abbbde71c8cChristian Maeder# The contents of this file are subject to the terms of the
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# Common Development and Distribution License (the "License").
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder# You may not use this file except in compliance with the License.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder#
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# or http://www.opensolaris.org/os/licensing.
43b4c41fbb07705c9df321221ab9cb9832460407Christian Maeder# See the License for the specific language governing permissions
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# and limitations under the License.
d8c71aacc9f1c8cd40a8ad8dcdad9be8854b849fChristian Maeder#
f2f9df2e17e70674f0bf426ed1763c973ee4cde0Christian Maeder# When distributing Covered Code, include this CDDL HEADER in each
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# If applicable, add the following below this CDDL HEADER, with the
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# fields enclosed by brackets "[]" replaced with your own identifying
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder# information: Portions Copyright [yyyy] [name of copyright owner]
a53841f6d6e86ac751c12a33dc8aadf53f59d977Klaus Luettich#
a53841f6d6e86ac751c12a33dc8aadf53f59d977Klaus Luettich# CDDL HEADER END
a53841f6d6e86ac751c12a33dc8aadf53f59d977Klaus Luettich#
a53841f6d6e86ac751c12a33dc8aadf53f59d977Klaus Luettich# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
a737caf82de97c1907027c03e4b4509eb492b4b8Christian Maeder#
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich
96646aed2ae087b942ae23f15bbe729a8f7c43d3Christian Maeder#
01e383014b555bbcf639c0ca60c5810b3eff83c0Christian Maeder# This component is not to be installed. It is used from openssl-0.9.8-fips-140
3b06e23643a9f65390cb8c1caabe83fa7e87a708Till Mossakowski# to build FIPS-140 certified OpenSSL libraries.
df29370ae8d8b41587957f6bcdcb43a3f1927e47Christian Maeder#
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maederinclude ../../../make-rules/shared-macros.mk
ce8b15da31cd181b7e90593cbbca98f47eda29d6Till Mossakowski
e7757995211bd395dc79d26fe017d99375f7d2a6Christian MaederCOMPONENT_NAME = openssl-fips
e7757995211bd395dc79d26fe017d99375f7d2a6Christian MaederCOMPONENT_VERSION = 1.2
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCOMPONENT_SRC = $(COMPONENT_NAME)-$(COMPONENT_VERSION)
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCOMPONENT_ARCHIVE = $(COMPONENT_SRC).tar.gz
ac0bbbcb2774629bb87986e69cf53d3402c5f575Christian MaederCOMPONENT_ARCHIVE_HASH= sha1:f09c3040da6cdd8bdd8c9cf01af8f14f89ee84d1
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederCOMPONENT_ARCHIVE_URL = http://www.openssl.org/source/$(COMPONENT_ARCHIVE)
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maeder
2e2094a642e3775b0d76b890556407941d3a53b6Christian Maederinclude $(WS_TOP)/make-rules/prep.mk
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maederinclude $(WS_TOP)/make-rules/configure.mk
e8db9a65830cf71504e33c6f441a67b4d184a3caChristian Maeder
c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder# In order to build a 32bit version on a 64bit system the isalist(1) command
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder# must be substituted for the 32bit build so that amd64|sparcv9 is not part of
6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder# its output. isalist is used internally when configuring the canister before
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder# building it. In order to allow make install to be run as a no-op we have to
8410667510a76409aca9bb24ff0eda0420088274Christian Maeder# fake "make install" since we do not want to install the files anywhere. The
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich# command sets U1 and U2 are defined in the FIPS 1.2 security policy and must be
b1f59a4ea7c96f4c03a4d7cfcb9c5e66871cfbbbChristian Maeder# run as shown there. Nothing from the tarball can be modified. We use the U2
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus Luettich# command set, see below.
3e61f574717499939bd8e0ff538ea9e7b72d4e2dKlaus LuettichFAKE_ISALIST = 32/isalist
4d56f2fa72e4aec20eb827c11ed49c8cbb7014bdChristian MaederFAKE_MAKE = gmake
4cb215739e9ab13447fa21162482ebe485b47455Christian MaederFAKE_CC = cc
8ef75f1cc0437656bf622cec5ac9e8ea221da8f2Christian MaederFAKE_APPS = $(FAKE_ISALIST) $(FAKE_MAKE) $(FAKE_CC)
404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder# Do not use $(PWD), it would not work if run from a different directory with
356fa49fe3e6a8398f92d13e9f920d0f093697ecChristian Maeder# "gmake -C" as we do from openssl-0.9.8-fips-140.
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian MaederFIPS_PATH_32 = $(COMPONENT_DIR)/32:$(PATH)
55adfe57a4de1f36adc3e3bfc16f342e44a7d444Christian MaederFIPS_PATH_64 = $(PATH)
d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder
8d97ef4f234681b11bb5924bd4d03adef858d2d2Christian MaederOPENSSL_FIPS_HMAC_KEY = etaonrishdlcupfm
8d97ef4f234681b11bb5924bd4d03adef858d2d2Christian MaederOPENSSL_FIPS_HMAC = 79193087e8115df76d3de1f346f7410df79cf6e0
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder
e593b89bfd4952698dc37feced21cefe869d87a2Christian Maeder# There is a broken link in the tarball which causes cp(1) to fail which would
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder# fail the whole configure process. It's safer to get rid of the link than
5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder# adding "true" at the end of COMPONENT_PRE_CONFIGURE_ACTION since that could
7cc09dd93962a2155c34d209d1d4cd7d7b838264Christian Maeder# hide real issues.
1aee4aaddde105264c1faf394d88e302c05094ffChristian MaederCOMPONENT_PRE_CONFIGURE_ACTION = ( cd $(@D); \
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder $(RM) $(SOURCE_DIR)/test/fips_aes_data; $(CP) -r $(SOURCE_DIR)/* .; )
7cc09dd93962a2155c34d209d1d4cd7d7b838264Christian Maeder
7cc09dd93962a2155c34d209d1d4cd7d7b838264Christian Maeder# There is a specific way that must be followed to build the FIPS-140 canister.
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder# It is "./config fipscanisterbuild; make; make install" and is called a command
1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder# set "U2" in the OpenSSL FIPS-140 User Guide.
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian MaederCONFIGURE_SCRIPT = config
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian MaederCONFIGURE_OPTIONS = fipscanisterbuild
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian MaederCOMPONENT_BUILD_ARGS =
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian MaederCOMPONENT_BUILD_TARGETS =
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian MaederCOMPONENT_INSTALL_ARGS =
dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian MaederCOMPONENT_INSTALL_TARGETS = install
1aee4aaddde105264c1faf394d88e302c05094ffChristian MaederCONFIGURE_ENV += FIPS_SITE_LD=$(LD) PATH=$(FIPS_PATH_$(BITS))
356fa49fe3e6a8398f92d13e9f920d0f093697ecChristian MaederCOMPONENT_BUILD_ENV += FIPS_SITE_LD=$(LD) REALCC=$(CC) MYMAKE=$(MAKE)
356fa49fe3e6a8398f92d13e9f920d0f093697ecChristian Maeder
356fa49fe3e6a8398f92d13e9f920d0f093697ecChristian Maeder$(BUILD_32_and_64): $(FAKE_APPS)
356fa49fe3e6a8398f92d13e9f920d0f093697ecChristian Maeder
356fa49fe3e6a8398f92d13e9f920d0f093697ecChristian Maeder# You should not use this target with this component unless testing or
0206ab93ef846e4e0885996d052b9b73b9dc66b0Christian Maeder# debugging. The OpenSSL FIPS-140 policy is strict and full U2 command set
f13d1e86e58da53680e78043e8df182eed867efbChristian Maeder# should be run. See above for more information.
c2a4d8ae266aa37cc922eba97077520229a19902Christian Maederbuild: $(BUILD_32_and_64)
757e6c79ec40491d45dc72c82b5eb59a386634b0Jian Chun Wang
757e6c79ec40491d45dc72c82b5eb59a386634b0Jian Chun Wang# We must make the "install" target a no-op (but must run it to be compliant).
757e6c79ec40491d45dc72c82b5eb59a386634b0Jian Chun Wang# See above for more information.
e7757995211bd395dc79d26fe017d99375f7d2a6Christian Maederinstall: GMAKE = $(COMPONENT_DIR)/gmake
c6fcd42c6d6d9dae8c7835c24fcb7ce8531a9050Christian Maederinstall: $(BUILD_DIR_32)/.verified $(BUILD_DIR_64)/.verified
31c49f2fa23d4ac089f35145d80a224deb6ea7e4Till Mossakowski
c55a0f77be7e88d3620b419ec8961f4379a586e3Klaus Luettich# This is a recommended set of commands to verify that the FIPS-140 mode can be
36f63902db2b3463faa9f59912ad106e2d5aaa24Klaus Luettich# used and that we used the correct tarball.
36f63902db2b3463faa9f59912ad106e2d5aaa24Klaus Luettich$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder (printf x; \
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder $(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=$(@D) \
8cacad2a09782249243b80985f28e9387019fe40Christian Maeder $(@D)/apps/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder $(COMPONENT_ARCHIVE)) | \
a7c27282e71cf4505026645f96d4f5cb8a284e32Christian Maeder $(NAWK) '{ if ($$2 != "$(OPENSSL_FIPS_HMAC)") exit 1 }'
363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder @echo Basic FIPS-140 mode verification passed.
8a28707e9155465c6f2236a06eac6580a65c7025Christian Maeder $(TOUCH) $@
df35538fec1d9135602308d577255c0d466b6365Christian Maeder
df35538fec1d9135602308d577255c0d466b6365Christian Maedertest: $(NO_TESTS)
431d34c7007a787331c4e5ec997badb0f8190fc7Christian Maeder
63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maederinclude $(WS_TOP)/make-rules/depend.mk
d3ae0072823e2ef0d41d4431fcc768e66489c20eChristian Maeder