| Up to higher level directory | |||
| Name | Date | Size | |
|---|---|---|---|
| fips/ | 10-Nov-2009 | ||
| Makefile.com | 10-Nov-2009 | 2.6K | |
| Makefile.sfw | 10-Nov-2009 | 1.3K | |
| METADATA | 10-Nov-2009 | 408 | |
| non-fips/ | 10-Nov-2009 | ||
| openssl-0.9.8k/ | 10-Nov-2009 | ||
| openssl-0.9.8k.tar.gz | 10-Nov-2009 | 3.7M | |
| Patches/ | 10-Nov-2009 | ||
| README | 10-Nov-2009 | 6.3K | |
README
1 2 Build Layout 3 --- 4 5 OpenSSL is built twice. Once for "fips" and once for "non-fips". Both 6 the fips and non-fips builds share Patches and Configure-time options 7 where possible. It is very important that they are ABI compatible. All 8 the common patches are contained in the Patches sub-directory and common 9 configuration is taken from Makefile.com in the top-level openssl 10 directory. If a particular build requires a modification which is not 11 common to both builds then the patch is kept in the build specific 12 sub-directory. 13 14 In addition to the regular Makefile targets both the fips and non-fips 15 builds have the following targets: 16 17 all32 18 all64 19 install32 20 install64 21 22 This makes building any subset easy. 23 i.e. to build and install the 64bit non-fips OpenSSL the following 24 command is used: 25 26 $ cd openssl/non-fips 27 $ make install64 28 29 30 The fips Build 31 --- 32 33 The "fips" build has the following deliverables (symbolic links and 34 architecture specific binaries are excluded): 35 36 /lib/openssl/fips-140/libcrypto.so.0.9.8 37 /usr/include/openssl/fips-140/openssl/fips.h 38 /usr/include/openssl/fips-140/openssl/fips_rand.h 39 /usr/include/openssl/fips-140/openssl/opensslconf.h 40 41 A build-time requirement for the fips build is the FIPS Object Module. 42 The FIPS Object Module has very stringent build requirements as 43 specified in its Security Policy: 44 http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf 45 46 In essence the FIPS Object Module may not be patched or modified in any 47 way, the build must be performed with "./config [no-asm], make, 48 make install". The only way to influence the build is by modifying the 49 environment it is run in. isalist is "faked" so that the 32bit build can 50 be built even when running with a 64bit kernel (see isalist.sh). make is 51 run by a wrapper script so that "make install" can be run even as a 52 non-root user (see make.sh). If modifications are to be make to how the 53 FIPS Object Module is built the security policy must be consulted to 54 ensure that the build is still compliant. 55 56 The non-fips Build. 57 --- 58 59 The "non-fips" build is the main build of OpenSSL and includes the 60 regular binaries, libraries and header files. The openssl binary from 61 this build is patched to work with both the fips build of libcrypto and 62 the non-fips build of libcrypto. 63 64 65 Patches 66 --- 67 68 08-6193522.patch 69 Give CA.pl better defaults. See 6193522 for more information. 70 71 09-6346809.patch 72 Fix for buggy use of S_IFxxx. See 6346809 for more information. 73 74 11-6546806.patch 75 Make sure the HMAC_CTX_init(3) man page gets delivered. See 6546806 for 76 more information. 77 78 12-6607590.patch 79 Missing functions in pem(3). See 6607590 for more information. 80 81 14-manpage_openssl.patch 82 Force openssl to install man pages into man[1357]openssl instead of 83 man[1357]. 84 85 15-pkcs11_engine-0.9.8a.patch 86 Patch which adds the pkcs11 engine. See also the pkcs11-engine/ 87 sub-directory. 88 89 16-pkgconfig.patch 90 Make sure that openssl.pc contains the correct location for the OpenSSL 91 libs (/lib) and doesn't include '-R' for a standard library location. 92 93 18-compiler_opts.patch 94 Adds four Solaris specific configurations (both 32bit and 64bit for both 95 sparc and x86) to Configure which are then explicitly used by the 96 Makefiles. 97 Care should be taken if modifying this patch as changes to compile-time 98 options can change the ABI. One example of this is the use of RC4_INT vs 99 RC4_CHAR. 100 101 19-disable_Bsymbolic.patch 102 The "-B symbolic" option for ld will bind references to global symbols 103 to their definitions. This will ensure that internal symbol references 104 will always be correctly satisfied from within the library however it 105 also prevents interposition and according to the man page is "not 106 recommended for general use". Direct bindings are preferred (see 107 18-compiler_opts.patch). 108 109 20-remove_rpath.patch 110 Prevent build binaries having an unnecessary runpath (/lib). 111 112 22-pic_asm.patch 113 This patch is a direct consequence of wanting to use direct bindings 114 instead of -B symbolic. Direct bindings can only be used when the code 115 is PIC. Unfortunately some of the hand-coded asm is not PIC - this 116 patch rectifies that for amd64. 117 118 23-noexstack.patch 119 Build with non-executable stacks and non-executable data (x86). 120 121 24-6850304.patch 122 Fix for CVE-2009-1377, CVE-2009-1378, CVE-2009-1379. See 6850304 for 123 more information. 124 125 25-fips_rand.patch 126 fips_rand.h assumes that des.h will be found in the same directory. This 127 is probably normally true however we deliver the FIPS specific header 128 files into a non-standard location (see above) and so is not true for 129 Solaris. This patch makes sure that des.h is found by changing 130 fips_rand.h to look in the system header files for openssl/des.h. 131 132 26-openssl_fips.patch 133 Modifies openssl so that it will run with the non-fips libcrypto as well 134 as the fips libcrypto. If it is run with the fips libcrypto it can be 135 run in FIPS mode. Instead of directly using the FIPS specific symbols 136 they are looked up at runtime. This is necessary as the non-fips 137 libcrypto won't have the those FIPS specific symbols. 138 The CRYPTO_NUM_LOCKS pre-processor macro varies between the fips and 139 non-fips build of libcrypto. A run-time mechanism is available which 140 returns the number of locks - the CRYPTO_num_locks() function. Using 141 this function is required if the openssl binary is to be run with both 142 the fips and non-fips versions of libcrypto. 143 144 opensslconf.patch 145 Modifies opensslconf.h so that it is suitable for both 32bit and 64bit 146 installs. OpenSSL either builds for 32bit or 64bit - it doesn't allow 147 for combined 32bit and 64bit builds. 148 149 x86_32-01-mapfile.patch 150 This patch is a direct consequence of wanting to use direct bindings 151 instead of -B symbolic. Direct bindings can only be used when the code 152 is PIC. Unfortunately some of the hand-coded asm is not PIC - this 153 patch allows the x86 build to use a map file to mark the non-PIC symbols 154 as "protected". See also "non-fips/crypto.mapfile". 155 156 x86_64-01-mapfile.patch 157 Same as x86_32-01-mapfile.patch but for the fips amd64 build. See also 158 "fips/crypto-amd64.mapfile". 159 160 sparc-01-ccwrap.patch 161 A sparc only patch which modifies fipsld for the FIPS Capable OpenSSL 162 build by replacing calls to CC with CCWRAP. CCRWAP (ccwrap.sh) simply 163 runs the original CC command without the "-g" option. 164 From the patch: 165 # Wrap the calls to cc to remove the "-g" option when compiling 166 # (SPARC only). If "-g" is used on SPARC to build libcrypto.so 167 # the fingerprint will be incorrectly generated as "-g" promotes 168 # static symbols to globals which then interacts with the linker to 169 # produce a changed text section. 170 171
Indexes created Mon Nov 23 21:45:23 UTC 2009
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.