incorporate PR feedback
gegles committed Jul 30, 2024
1 parent 3c52995 commit 274288c
Showing 3 changed files with 62 additions and 20 deletions.
6 changes: 5 additions & 1 deletion recipes/openssl/3.x.x/conandata.yml
Expand Up @@ -17,7 +17,11 @@ sources:
3.0.13:
url: "https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz"
sha256: 88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313
# Latest validated FIPS version
# Validated FIPS versions
3.0.9:
url: "https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz"
sha256: eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90
3.0.8:
url: "https://github.com/openssl/openssl/releases/download/openssl-3.0.8/openssl-3.0.8.tar.gz"
sha256: 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
#
71 changes: 53 additions & 18 deletions recipes/openssl/3.x.x/conanfile.py
Expand Up @@ -6,6 +6,7 @@
from conan.tools.gnu import AutotoolsToolchain
from conan.tools.layout import basic_layout
from conan.tools.microsoft import is_msvc, msvc_runtime_flag, unix_path
from conan.tools.scm import Version

import fnmatch
import os
Expand Down Expand Up @@ -113,6 +114,34 @@ def _use_nmake(self):
def _settings_build(self):
return getattr(self, "settings_build", self.settings)

@property
def _fips_validated_version(self):
# As of version 3.3.1, the FIPS module is validated for the following versions
# see https://openssl-library.org/source/ (excluding ancient 3.0.0)
versions = ['3.0.8', '3.0.9']
versions = sorted([Version(v) for v in versions], reverse=True)

# Find the closest version that is less than or equal to the current version
fips_validated_version = next((v for v in versions if v <= Version(self.version)), None)
return fips_validated_version

@property
def _is_fips_enabled(self):
return not self.options.no_fips or self.options.use_validated_fips

@property
def _is_fips_validated(self):
return self.version == self._fips_validated_version

@property
def _fips_provider_dir(self):
if self.options.use_validated_fips and not self._is_fips_validated:
return self.dependencies["openssl"].runenv_info.vars(self)["OPENSSL_MODULES"]
elif not self.options.no_fips:
return os.path.join(self.source_folder, "providers")
else:
return None

def config_options(self):
if self.settings.os != "Windows":
self.options.rm_safe("capieng_dialog")
Expand All @@ -125,9 +154,6 @@ def config_options(self):
self.options.no_threads = True
self.options.no_stdio = True

if self.options.use_validated_fips == True:
self.options.no_fips = True

def configure(self):
if self.options.shared:
self.options.rm_safe("fPIC")
Expand All @@ -140,8 +166,15 @@ def layout(self):
def requirements(self):
if not self.options.no_zlib:
self.requires("zlib/[>=1.2.11 <2]")
if self.options.use_validated_fips:
self.requires("openssl/3.0.9", visible=False, libs=False, headers=False, run=False)

if self.options.use_validated_fips and self._fips_validated_version:
fips_version = self._fips_validated_version
self_validated = self._is_fips_validated
if not self_validated:
self.output.info(f"Using validated FIPS module from openssl/{fips_version}")
self.requires(f"openssl/{fips_version}", visible=False, libs=False, headers=False, run=False, options={'no_fips': False})
else:
self.output.info(f"Using validated FIPS module from self (i.e. {fips_version})")

def validate(self):
if self.settings.os == "Emscripten":
Expand All @@ -151,6 +184,15 @@ def validate(self):
if self.settings.os == "iOS" and self.options.shared:
raise ConanInvalidConfiguration("OpenSSL 3 does not support building shared libraries for iOS")

if self.options.use_validated_fips:
fips_version = self._fips_validated_version
if fips_version is None:
raise ConanInvalidConfiguration(f"OpenSSL {self.version} - no compatible FIPS validated version found")
if self.options.no_fips:
raise ConanInvalidConfiguration(f"FIPS support is requested, but no_fips is set to True")

Check warning on line 192 in recipes/openssl/3.x.x/conanfile.py

GitHub Actions / Lint changed conanfile.py (v2 migration)

Using an f-string that does not have any interpolated variables
elif not self._is_fips_validated and self.dependencies["openssl"].options.no_fips:
raise ConanInvalidConfiguration(f"In order to use FIPS module from openssl/{fips_version}, it needs to be built with `no_fips` option set to False")

def build_requirements(self):
if self._settings_build.os == "Windows":
if not self.options.no_asm:
Expand Down Expand Up @@ -384,7 +426,12 @@ def _configure_args(self):
else:
args.append("-fPIC" if self.options.get_safe("fPIC", True) else "no-pic")

args.append("no-fips" if self.options.get_safe("no_fips", True) else "enable-fips")
# pass no-fips to the current build if:
# - use_validated_fips is enabled and using the fips module from a different version
# - user requested no-fips
no_fips = self.options.use_validated_fips and not self._is_fips_validated or self.options.no_fips
args.append("no-fips" if no_fips else "enable-fips")

args.append("no-md2" if self.options.get_safe("no_md2", True) else "enable-md2")
if str(self.options.tls_security_level) != "None":
args.append(f"-DOPENSSL_TLS_SECURITY_LEVEL={self.options.tls_security_level}")
Expand Down Expand Up @@ -542,18 +589,6 @@ def _replace_runtime_in_file(self, filename):
replace_in_file(self, filename, f"/{e} ", f"/{runtime} ", strict=False)
replace_in_file(self, filename, f"/{e}\"", f"/{runtime}\"", strict=False)

@property
def _is_fips_enabled(self):
return not self.options.no_fips or self.options.use_validated_fips

@property
def _fips_provider_dir(self):
if self.options.use_validated_fips:
return self.dependencies["openssl"].runenv_info.vars(self)["OPENSSL_MODULES"]
elif not self.options.no_fips:
return os.path.join(self.source_folder, "providers")
else:
return None
def package(self):
copy(self, "*LICENSE*", src=self.source_folder, dst=os.path.join(self.package_folder, "licenses"))
self._make_install()
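Review bot: In `validate()`, the new `use_validated_fips` branch checks only that the `openssl` dependency was built with `no_fips` set to False; nothing confirms that the resolved dependency is the release `_fips_validated_version` selected. `_fips_provider_dir` then reads `OPENSSL_MODULES` from whatever `self.dependencies["openssl"]` resolves to, so if that requirement is replaced or overridden during graph resolution (which the lines shown do not rule out), a provider from a non-validated release would be packaged while the log still says "Using validated FIPS module". I would add a version check beside the `no_fips` one, for example `if str(self.dependencies["openssl"].ref.version) != str(fips_version): raise ConanInvalidConfiguration(...)`. `validate()` begins above this hunk, so the check has to stay inside the `not self._is_fips_validated` case, where the dependency is actually required.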
5 changes: 4 additions & 1 deletion recipes/openssl/config.yml
Expand Up @@ -11,8 +11,11 @@ versions:
folder: "3.x.x"
"3.0.13":
folder: "3.x.x"
# Latest validated FIPS version
# Validated FIPS versions
"3.0.9":
folder: "3.x.x"
"3.0.8":
folder: "3.x.x"
#
"1.1.1w":
folder: "1.x.x"
