From f50c2386163bc01f73a28906c149e03dd3dc3f49 Mon Sep 17 00:00:00 2001
From: Guillaume Egles
Date: Mon, 29 Jul 2024 17:52:19 -0700
Subject: [PATCH] incorporate PR feedback
---
recipes/openssl/3.x.x/conandata.yml | 6 ++-
recipes/openssl/3.x.x/conanfile.py | 70 +++++++++++++++++++++--------
recipes/openssl/config.yml | 5 ++-
3 files changed, 61 insertions(+), 20 deletions(-)
diff --git a/recipes/openssl/3.x.x/conandata.yml b/recipes/openssl/3.x.x/conandata.yml
index b80fae7feac86c..a75db59c4362f2 100644
--- a/recipes/openssl/3.x.x/conandata.yml
+++ b/recipes/openssl/3.x.x/conandata.yml
@@ -17,7 +17,11 @@ sources:
3.0.13:
url: "https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz"
sha256: 88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313
- # Latest validated FIPS version
+ # Validated FIPS versions
3.0.9:
url: "https://github.com/openssl/openssl/releases/download/openssl-3.0.9/openssl-3.0.9.tar.gz"
sha256: eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90
+ 3.0.8:
+ url: "https://github.com/openssl/openssl/releases/download/openssl-3.0.8/openssl-3.0.8.tar.gz"
+ sha256: 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e
+ #
diff --git a/recipes/openssl/3.x.x/conanfile.py b/recipes/openssl/3.x.x/conanfile.py
index d9fa02630ae6d5..3779957261de8d 100644
--- a/recipes/openssl/3.x.x/conanfile.py
+++ b/recipes/openssl/3.x.x/conanfile.py
@@ -6,6 +6,7 @@ from conan.tools.gnu import AutotoolsToolchain
from conan.tools.layout import basic_layout
from conan.tools.microsoft import is_msvc, msvc_runtime_flag, unix_path
+from conan.tools.scm import Version
import fnmatch
import os
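Review bot: The added `+ #` line closing the validated-FIPS block in conandata.yml is an empty comment that reads as a leftover; either drop it or give it content such as `# end of validated FIPS versions` so the next editor knows the block is intentionally delimited. The config.yml hunk at the end of this patch has the same bare `#` after the `"3.0.8"` entry. The sha256 for the 3.0.8 tarball is taken here as the commit gives it; it is worth cross-checking against the digest published upstream before merge, since a wrong digest for a FIPS-validated source would be caught only at fetch time.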
@@ -113,6 +114,34 @@ def _use_nmake(self):
def _settings_build(self):
return getattr(self, "settings_build", self.settings)
+ @property
+ def _fips_validated_version(self):
+ # As of version 3.3.1, the FIPS module is validated for the following versions
+ # see https://openssl-library.org/source/ (excluding ancient 3.0.0)
+ versions = ['3.0.8', '3.0.9']
+ versions = sorted([Version(v) for v in versions], reverse=True)
+
+ # Find the closest version that is less than or equal to the current version
+ fips_validated_version = next((v for v in versions if v <= Version(self.version)), None)
+ return fips_validated_version
+
+ @property
+ def _is_fips_enabled(self):
+ return not self.options.no_fips or self.options.use_validated_fips
+
+ @property
+ def _is_fips_validated(self):
+ return self.version == self._fips_validated_version
+
+ @property
+ def _fips_provider_dir(self):
+ if self.options.use_validated_fips and not self._is_fips_validated:
+ return self.dependencies["openssl"].runenv_info.vars(self)["OPENSSL_MODULES"]
+ elif not self.options.no_fips:
+ return os.path.join(self.source_folder, "providers")
+ else:
+ return None
+
def config_options(self):
if self.settings.os != "Windows":
self.options.rm_safe("capieng_dialog")
@@ -125,9 +154,6 @@ def config_options(self):
self.options.no_threads = True
self.options.no_stdio = True
- if self.options.use_validated_fips == True:
- self.options.no_fips = True
-
def configure(self):
if self.options.shared:
self.options.rm_safe("fPIC")
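Review bot: `_is_fips_validated` compares the `str` `self.version` with the `Version` object that `_fips_validated_version` returns, so the result depends on `str.__eq__` returning NotImplemented and the reflected `Version.__eq__` coercing the string; comparing like with like, `return Version(self.version) == self._fips_validated_version`, states the intent and does not rely on that detail. `_fips_validated_version` rebuilds and sorts the `Version` list on every access and it is read from `requirements`, `validate` and, via `_is_fips_validated`, `_configure_args`; hoisting `versions` to a module-level constant would make the validated set easy to find and update in one place. `_fips_provider_dir` touches `self.dependencies["openssl"]` only when `use_validated_fips` is set and the recipe's own version is not validated, which is the same condition under which `requirements` adds that dependency; a one-line comment saying so, `# only reachable when requirements() added the openssl/<validated> dependency`, would spare the next reader the cross-check.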
@@ -140,8 +166,14 @@ def layout(self):
def requirements(self):
if not self.options.no_zlib:
self.requires("zlib/[>=1.2.11 <2]")
- if self.options.use_validated_fips:
- self.requires("openssl/3.0.9", visible=False, libs=False, headers=False, run=False)
+
+ if self.options.use_validated_fips and self._fips_validated_version:
+ fips_version = self._fips_validated_version
+ self_validated = self._is_fips_validated
+ self.output.info(f"Using validated FIPS module "
+ f"from {"self i.e. " if self_validated else "openssl/"}{fips_version}")
+ if not self_validated:
+ self.requires(f"openssl/{fips_version}", visible=False, libs=False, headers=False, run=False, options={'no_fips': False})
def validate(self):
if self.settings.os == "Emscripten":
@@ -151,6 +183,15 @@ def validate(self):
if self.settings.os == "iOS" and self.options.shared:
raise ConanInvalidConfiguration("OpenSSL 3 does not support building shared libraries for iOS")
+ if self.options.use_validated_fips:
+ fips_version = self._fips_validated_version
+ if fips_version is None:
+ raise ConanInvalidConfiguration(f"OpenSSL {self.version} - no compatible FIPS validated version found")
+ if self.options.no_fips:
+ raise ConanInvalidConfiguration(f"FIPS support is requested, but no_fips is set to True")
+ elif not self._is_fips_validated and self.dependencies["openssl"].options.no_fips:
+ raise ConanInvalidConfiguration(f"In order to use FIPS module from openssl/{fips_version}, it needs to be built with `no_fips` option set to False")
+
def build_requirements(self):
if self._settings_build.os == "Windows":
if not self.options.no_asm:
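Review bot: The continuation line of the `self.output.info(...)` call nests double-quoted literals inside a double-quoted f-string, `{"self i.e. " if self_validated else "openssl/"}`, which is a SyntaxError on every Python before 3.12 (PEP 701); since the whole recipe module fails to parse, this breaks every build of the recipe on an older interpreter, not only the FIPS configurations. Switching the inner literals to single quotes is enough: `f"from {'self i.e. ' if self_validated else 'openssl/'}{fips_version}")`. The `options={'no_fips': False}` on the new `self.requires` call and the `no_fips` check on the dependency in `validate` express the same requirement twice; that is fine as defence in depth, but a short comment on the `requires` line noting that `validate` re-checks it would explain why both exist.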
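Review bot: The message `f"FIPS support is requested, but no_fips is set to True"` is an f-string with no placeholders; dropping the `f` prefix, or naming the option that made the request, `f"use_validated_fips is set, but no_fips is set to True"`, makes the line read as intended and tells the user which two options conflict. The `elif` branch dereferences `self.dependencies["openssl"]`, which exists only when `requirements` added that dependency; both are guarded by the same `not self._is_fips_validated` condition, so the access is safe, and a comment such as `# dependency present only when the FIPS module comes from another openssl version` next to the `elif` would make that coupling visible.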
@@ -384,7 +425,12 @@ def _configure_args(self):
else:
args.append("-fPIC" if self.options.get_safe("fPIC", True) else "no-pic")
- args.append("no-fips" if self.options.get_safe("no_fips", True) else "enable-fips")
+ # pass no-fips to the current build if:
+ # - use_validated_fips is enabled and using the fips module from a different version
+ # - user requested no-fips
+ no_fips = self.options.use_validated_fips and not self._is_fips_validated or self.options.no_fips
+ args.append("no-fips" if no_fips else "enable-fips")
+
args.append("no-md2" if self.options.get_safe("no_md2", True) else "enable-md2")
if str(self.options.tls_security_level) != "None":
args.append(f"-DOPENSSL_TLS_SECURITY_LEVEL={self.options.tls_security_level}")
@@ -542,18 +588,6 @@ def _replace_runtime_in_file(self, filename):
replace_in_file(self, filename, f"/{e} ", f"/{runtime} ", strict=False)
replace_in_file(self, filename, f"/{e}\"", f"/{runtime}\"", strict=False)
- @property
- def _is_fips_enabled(self):
- return not self.options.no_fips or self.options.use_validated_fips
-
- @property
- def _fips_provider_dir(self):
- if self.options.use_validated_fips:
- return self.dependencies["openssl"].runenv_info.vars(self)["OPENSSL_MODULES"]
- elif not self.options.no_fips:
- return os.path.join(self.source_folder, "providers")
- else:
- return None
def package(self):
copy(self, "*LICENSE*", src=self.source_folder, dst=os.path.join(self.package_folder, "licenses"))
self._make_install()
diff --git a/recipes/openssl/config.yml b/recipes/openssl/config.yml
index c3e9b5b9b5da8c..58f2bd45c921d2 100644
--- a/recipes/openssl/config.yml
+++ b/recipes/openssl/config.yml
@@ -11,8 +11,11 @@ versions:
folder: "3.x.x"
"3.0.13":
folder: "3.x.x"
- # Latest validated FIPS version
+ # Validated FIPS versions
"3.0.9":
folder: "3.x.x"
+ "3.0.8":
+ folder: "3.x.x"
+ #
"1.1.1w":
folder: "1.x.x"
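Review bot: `no_fips = self.options.use_validated_fips and not self._is_fips_validated or self.options.no_fips` relies on `and` binding tighter than `or`; the result does match the three-line comment above it, but a reader has to work the precedence out before trusting a flag that decides whether the FIPS provider is built at all. Parenthesising it, `no_fips = self.options.no_fips or (self.options.use_validated_fips and not self._is_fips_validated)`, states the rule directly and also short-circuits before evaluating `_is_fips_validated` when the user simply asked for no FIPS. The replaced line read the option through `self.options.get_safe("no_fips", True)` while the new one uses `self.options.no_fips` directly, consistent with the new properties elsewhere in this commit; that is fine provided the option is never removed per-platform in `config_options`, which is not visible here. `_configure_args` starts and ends outside the hunk.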