Compute the FIPS checksums in $(BLDDIR) and remove it from update target

Add also update-fips-checksums to update the checksums in the
$(SRCDIR) if the $(SRCDIR) and $(BLDDIR) is different.

The fips-checksums and generate_fips_sources targets are always
produced (regardless of enable-fips) as nothing else depends on them
and they are developer targets.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)

diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index c2a0de3a973fb517d2c6e9ec734a7ba221653163..f4805e87136f3de704d097808675737ac0d0f2e4 100644 (file)
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -1055,9 +1055,6 @@ uninstall_html_docs:
 # It's important that generate_buildinfo comes after ordinals, as ordinals
 # is sensitive to build.info changes.
 update: generate errors ordinals generate_buildinfo
-{- output_off() if $disabled{fips}; "" -}
-update: fips-checksums
-{- output_on() if $disabled{fips}; "" -}
 
 generate: generate_apps generate_crypto_bn generate_crypto_objects \
           generate_crypto_conf generate_crypto_asn1 generate_fuzz_oids
@@ -1140,9 +1137,8 @@ generate_doc_buildinfo:
                 mv $(SRCDIR)/doc/build.info.new $(SRCDIR)/doc/build.info; \
           fi )
 
-{- output_off() if $disabled{fips}; "" -}
-generate_fips_sources: $(SRCDIR)/providers/fips.module.sources
-$(SRCDIR)/providers/fips.module.sources: \
+generate_fips_sources: providers/fips.module.sources
+providers/fips.module.sources: \
                 $(SRCDIR)/Configure \
                 {- join(" \\\n" . ' ' x 16,
                         fill_lines(" ", $COLUMNS - 16,
@@ -1171,9 +1167,8 @@ $(SRCDIR)/providers/fips.module.sources: \
                   crypto/sha/asm/*.pl; do \
            echo "$$x"; \
          done \
-       ) | sort | uniq > $(SRCDIR)/providers/fips.module.sources
+       ) | sort | uniq > providers/fips.module.sources
        rm -rf sources-tmp
-{- output_on() if $disabled{fips}; "" -}
 
 # Set to -force to force a rebuild
 ERROR_REBUILD=
@@ -1269,19 +1264,24 @@ tags TAGS: FORCE
        -ctags -R .
        -etags `find . -name '*.[ch]' -o -name '*.pm'`
 
-{- output_off() if $disabled{fips}; "" -}
 fips-checksums: generate_fips_sources
-       if which unifdef > /dev/null; then \
-           ( cd $(SRCDIR) \
-             && cat providers/fips.module.sources \
-                    | xargs ./util/fips-checksums.sh \
-                    > providers/fips-sources.checksums \
-             && sha256sum providers/fips-sources.checksums \
-                    > providers/fips.checksum ); \
-       else \
-           echo >&2 "WARNING: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
-       fi
-{- output_on() if $disabled{fips}; "" -}
+       @which unifdef > /dev/null || \
+       ( echo >&2 "ERROR: unifdef not in your \$$PATH, FIPS checksums not calculated"; \
+         false )
+       ( sources=`pwd`/providers/fips.module.sources; \
+         cd $(SRCDIR) \
+         && cat $$sources \
+                | xargs ./util/fips-checksums.sh ) \
+                > providers/fips-sources.checksums \
+       && sha256sum providers/fips-sources.checksums \
+            > providers/fips.checksum
+
+$(SRCDIR)/providers/fips.checksum: providers/fips.checksum
+       cp -p providers/fips.module.sources \
+           providers/fips-sources.checksums \
+           providers/fips.checksum $(SRCDIR)/providers
+
+update-fips-checksums: $(SRCDIR)/providers/fips.checksum
 
 # Release targets (note: only available on Unix) #####################