Makefile revision 4250
# CDDL HEADER START
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# CDDL HEADER END
# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
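# This component is not to be installed. It is used only to build the
# FIPS-140 certified OpenSSL libraries.
COMPONENT_SRC = $(COMPONENT_NAME)-ecp-$(COMPONENT_VERSION)

# SHA-256 pin for the source archive. This pinned digest, not the transport,
# is what authenticates the download, so it should only ever be updated from
# a value obtained through a trusted channel.
# NOTE(review): the listing showed this digest on a line of its own with no
# variable name in front of it. COMPONENT_ARCHIVE_HASH is the name this
# file's comments use for the SHA256 archive digest -- confirm against the
# original file.
COMPONENT_ARCHIVE_HASH = \
    sha256:861b431c625c27daf440041fd67c0866ebb84b44cc672cf1ea8f23e883518897

# Fetch over HTTPS instead of plain HTTP. The digest above still decides
# whether the archive is accepted; TLS only keeps an on-path party from
# swapping or observing the download before that check runs.
COMPONENT_ARCHIVE_URL = https://www.openssl.org/source/$(COMPONENT_ARCHIVE)

# Fixed tool search path for this component: the compiler root first, then
# system directories. It contains no relative or empty entries, so the
# current directory is never searched for tools.
PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin:/usr/perl5/bin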
# Building the 32-bit variant on a 64-bit system needs a substitute for the
# isalist(1) command whose output does not contain amd64|sparcv9, because
# isalist is used internally when the canister is configured before it is
# built. "make install" is faked as well so that it runs as a no-op: the
# files are not to be installed anywhere. Command sets U1 and U2 are defined
# in the FIPS 2.0.5 security policy and must be run as shown there. Nothing
# from the tarball can be modified. This build uses the U2 command set, see
# below.
FAKE_APPS = \
    $(FAKE_ISALIST) \
    $(FAKE_MAKE) \
    $(FAKE_CC)

# Do not use $(PWD), it would not work if run from a different directory with
# "gmake -C" as we do from openssl-1.0.1
# NOTE(review): the definitions this remark was written for are not visible
# in this listing; the path below follows it by using $(COMPONENT_DIR).

# The canister build will also pick up gcc if it finds one in the path, so a
# directory holding a gcc that does not work the way it wants is placed ahead
# of the inherited PATH. Every directory prepended here shadows system tools
# of the same name while configure runs, so these wrapper directories should
# be writable only by the account that owns the build.
FIPS_PATH_32 = $(COMPONENT_DIR)/32:$(COMPONENT_DIR)/gcc:$(PATH)
# The FIPS-140 validation has an integrity test requirement; the HMAC-SHA-1
# digest of the OpenSSL FIPS tar file recorded below is the expected value
# for that test.
# Note: this is separate from COMPONENT_ARCHIVE_HASH, a SHA256 digest the
# Userland Consolidation uses for its own file integrity check.
# Both expected values are kept in this Makefile, so they detect a corrupted
# or substituted archive only as long as the Makefile itself is trusted.
OPENSSL_FIPS_HMAC = 852f43cd9ae1bd2eba60e4f9f1f266d3c16c0319
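# The tarball contains a broken link that makes cp(1) fail, which would fail
# the whole configure process. Removing the link is safer than adding "true"
# at the end of COMPONENT_PRE_CONFIGURE_ACTION, since that could hide real
# issues.
# The steps are chained with && for the same reason: if the cd fails, the
# remove and the copy must not run from the wrong directory, and the
# subshell's exit status then reports the first failing step.
# NOTE(review): this deletes a path from the unpacked source tree; confirm
# that it is acceptable under the security policy's rule that nothing from
# the tarball is modified.
COMPONENT_PRE_CONFIGURE_ACTION = ( cd $(@D) && \
    $(RM) $(SOURCE_DIR)/test/fips_aes_data && \
    $(CP) -r $(SOURCE_DIR)/* . )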
# The FIPS-140 canister has to be built in one specific way:
# "./config fipscanisterbuild; make; make install". The OpenSSL FIPS-140
# User Guide calls this command set "U2".
# For 64-bit, use './Configure fipscanisterbuild solaris64-sparcv9-cc'.
# configure runs with the search path selected by $(BITS), FIPS_PATH_$(BITS).
CONFIGURE_ENV += FIPS_SITE_LD=$(LD)
CONFIGURE_ENV += PATH=$(FIPS_PATH_$(BITS))

# Add COMPONENT_DIR to PATH so the cc wrapper can be found. REALCC and MYMAKE
# pass $(CC) and $(MAKE) into the build environment (presumably for the
# wrappers to call -- confirm against the wrapper scripts).
COMPONENT_BUILD_ENV += FIPS_SITE_LD=$(LD)
COMPONENT_BUILD_ENV += REALCC=$(CC)
COMPONENT_BUILD_ENV += MYMAKE=$(MAKE)
COMPONENT_BUILD_ENV += PATH=$(COMPONENT_DIR):$(PATH)
# You should not use this target with this component unless testing or
# debugging. The OpenSSL FIPS-140 policy is strict and the full U2 command
# set should be run. See above for more information.
# NOTE(review): the target this warning was written for is not visible in
# this listing; it sits directly above "install" here.

# The "install" target must be a no-op, but it still has to be run to be
# compliant. See above for more information.
# For this target only, GMAKE points at the fips-gmake wrapper in the
# component directory. install depends on the .verified stamp of both the
# 32-bit and the 64-bit build directory, so the tarball HMAC check gates it.
install: GMAKE = $(COMPONENT_DIR)/fips-gmake
install: $(BUILD_DIR_32)/.verified \
         $(BUILD_DIR_64)/.verified
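# Recommended check that FIPS-140 mode can be used and that the correct
# tarball was used: the openssl under /lib/openssl/fips-140 is run with
# OPENSSL_FIPS=1 to compute an HMAC-SHA-1, and nawk compares the second
# field of its output with $(OPENSSL_FIPS_HMAC).
#
# The comparison fails closed. The pipeline's exit status is nawk's alone, so
# nawk exits non-zero on a mismatch and also when it received no output at
# all (for example because openssl could not start); an empty stream would
# otherwise pass as "verified".
#
# NOTE(review): the listing showed neither an input file nor a pipe between
# the openssl command and nawk. "$(COMPONENT_ARCHIVE) |" is reconstructed
# from this file's comments, which describe the digest as being of the
# OpenSSL FIPS tar file -- confirm against the original file.
# NOTE(review): the HMAC key is passed on the command line, so it shows up in
# the process list and in build logs. That is acceptable only if it is a
# published, non-secret integrity key -- confirm.
# NOTE(review): no command that creates $@ is visible here, so this check
# would rerun on every invocation -- confirm whether a line was lost.
$(BUILD_DIR)/%/.verified: $(BUILD_DIR)/%/.installed
	$(ENV) - OPENSSL_FIPS=1 LD_LIBRARY_PATH=$(@D) \
	    /lib/openssl/fips-140/openssl sha1 -hmac $(OPENSSL_FIPS_HMAC_KEY) \
	    $(COMPONENT_ARCHIVE) | \
	    $(NAWK) '{ seen = 1; if ($$2 != "$(OPENSSL_FIPS_HMAC)") bad = 1 } \
	        END { exit (bad || !seen) }'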