Update build system to make use of validated module in FIPS mode.

Configure

@@ -621,6 +621,7 @@ my $prefix="";
 my $openssldir="";
 my $exe_ext="";
 my $install_prefix="";
+my $fipslibdir="/usr/local/ssl/lib";
 my $no_threads=0;
 my $no_shared=1;
 my $zlib=0;
@@ -871,7 +872,7 @@ PROCESS_ARGS:
 				}
 			elsif (/^--with-fipslibdir=(.*)$/)
 				{
-				$withargs{"fipslibdir"}="$1";
+				$fipslibdir="$1";
 				}
 			elsif (/^--with-zlib-include=(.*)$/)
 				{
@@ -976,6 +977,21 @@ chop $prefix if $prefix =~ /\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 
+if ($fips && ! -f "$fipslibdir/fipscanister.o")
+	{
+	my $fipswinerr = "";
+	$fipswinerr = <<EOF if $IsWindows;
+ Ensure that the correct path to the FIPS module directory
+has been given to the --with-fipslibdir option.
+EOF
+	print STDERR <<EOF;
+The file fipscanister.o could not be located. Please build and install the
+FIPS module using the instructions in the user guide before compiling OpenSSL
+in FIPS mode.$fipswinerr
+EOF
+	exit 1;
+	}
+
 
 print "IsWindows=$IsWindows\n";
 
@@ -1322,7 +1338,7 @@ while (<IN>)
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
-	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$withargs{"fipslibdir"}/;
+	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;

Makefile.org

@@ -176,7 +176,14 @@ LIBKRB5=
 ZLIB_INCLUDE=
 LIBZLIB=
 
-FIPSLIBDIR=$(INSTALLTOP)/lib
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/lib
 
 # When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
@@ -236,7 +243,7 @@ sub_all:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \

fips-1.0/Makefile

@@ -55,7 +55,8 @@ all:
 	fi
 
 check:
-	$(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
+#	$(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
+	echo FIPS module not built: no check done
 
 # Idea behind fipscanister.o is to "seize" the sequestered code between
 # known symbols for fingerprinting purposes, which would be commonly
@@ -71,6 +72,7 @@ check:
 # flag and simply assume that all objects are of the same type as first
 # one in command line. So the idea is to identify gcc and deficient
 # vendor compiler drivers...
+
 fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
 	@objs="fips_start.o $(LIBOBJ)"; \
 	for i in $(FIPS_OBJ_LISTS); do \
@@ -87,6 +89,7 @@ fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
 		*) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \
 	esac fi
 	sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+
 # If another exception is immediately required, assign approprite
 # site-specific ld command to FIPS_SITE_LD environment variable.
 
@@ -128,8 +131,8 @@ links:
 	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
 	done;
 
-lib:	fipscanister.o
+lib:	$(FIPSLIBDIR)/fipscanister.o
-	$(AR) $(LIB) fipscanister.o
+	$(AR) $(LIB) $(FIPSLIBDIR)/fipscanister.o
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 

fips-1.0/fipsld

@@ -10,6 +10,8 @@
 # command line syntax and $FIPSLD_CC or $CC environment variable set
 # and can even be used to compile source files.
 
+#set -x
+
 CC=${FIPSLD_CC:-${CC}}
 [ -n "${CC}" ] || { echo '$CC is not defined'; exit 1; }
 
@@ -30,6 +32,14 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`
 
 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..
 
+# Location of installed validated FIPS module
+FIPSLIBDIR=${FIPSLIBDIR:-/usr/local/ssl/lib}
+# If this is a build from a validated tarball use this instead
+# FIPSLIBDIR=${THERE}/fips-1.0
+
+[ -f "${FIPSLIBDIR}/fipscanister.o" ] ||
+	{ echo "fipscanister.o not found"; exit 1; }
+
 HMAC_KEY="etaonrishdlcupfm"
 
 case "`(uname -s) 2>/dev/null`" in
@@ -50,8 +60,10 @@ case "${TARGET}" in
 	# Shared lib creation can be taking place in the source
 	# directory only!!!
 	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
-	CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
+	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
-	PREMAIN_C="${THERE}/fips-1.0/fips_premain.c"
+	PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
+
+echo Canister: $CANISTER_O
 
 	# verify fipscanister.o against its detached signature...
 	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
@@ -96,16 +108,15 @@ case "${TARGET}" in
 	# directory or off the installed binary target destination.
 	if [ -x "${THERE}/fips-1.0/sha/fips_standalone_sha1" ]; then
 		FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
-		CANISTER_O="${THERE}/fips-1.0/fipscanister.o"
-		PREMAIN_C="${THERE}/fips-1.0/fips_premain.c"
 	else	# Installed tree is expected to contain
 		# lib/fipscanister.o, lib/fipscanister.o.sha1 and
 		# lib/fips_premain.c [not to mention bin/openssl].
 		FINGERTYPE="${THERE}/bin/openssl sha1 -hmac ${HMAC_KEY}"
-		CANISTER_O="${THERE}/lib/fipscanister.o"
-		PREMAIN_C="${THERE}/lib/fips_premain.c"
 	fi
 
+	CANISTER_O="${FIPSLIBDIR}/fipscanister.o"
+	PREMAIN_C="${FIPSLIBDIR}/fips_premain.c"
+
 	# verify fipscanister.o against its detached signature...
 	${FINGERTYPE} "${CANISTER_O}" | sed "s/(.*\//(/" | \
 		diff -w "${CANISTER_O}.sha1" - || \