openssl: add use_validated_fips option

[gegles]

Summary

Changes to recipe: openss/*

Motivation

The end goal here is for the openssl package to be able to build and provide the validated FIPS module from another version of itself. This takes advantage of this recent change in conan.

This recipe change is following @jcar87's suggestion here.

Details

• Add the use_validated_fips boolean option. False by default
• If use_validated_fips is True then there is no need to build the current version of the FIPS module so set no_fips = True
• If use_validated_fips is True then add a hidden dependency to the latest FIPS validated version of openssl, i.e. openssl/3.0.9
• Depending on whether either not no_fips or use_validated_fips is true, we copy the appropriate fips library into the final pakcage folder.

I did try to also add a programatic check in the test_package (following the digest_legacy.c example, but, for the FIPS provider to load properly at all (in order to test the version), it requires the fipsmodule.cnf to be properly generated via the openssl fipsinstall command ... All this seems maybe more complexity than desired...

FWIW,

I've tested this as part of our software depending on this which does the proper fipsinstall command:

OPENSSL_CONF=/etc/faspio-gateway/openssl.cnf OPENSSL_MODULES=/usr/local/lib/ossl-modules /usr/local/sbin/openssl@faspio-gateway list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active

As you can see, the default provider is 3.2.2 (from the latest version of this package I used as a dependency in my project whereas the FIPS provider is 3.0.9 as per the result of using use_validated_fips option.

---

• Read the contributing guidelines
• Checked that this PR is not a duplicate: list of PRs by recipe
• Tested locally with at least one configuration using a recent version of Conan

[gegles]

FYI @jcar87 @bemehiser @Croydon @memsharded @kulkarniamit @hoyhoy

[kulkarniamit]

Works as expected 👍🏼
Just a minor thing, does it help to add a self.output.info() to print the provdir path ?
It will make it easier to confirm that the certified fips module has been copied from 3.0.9 directory.

[gegles]

Good point @kulkarniamit, I'll see what I can do...

Actually, ideally, I was trying to add some testing logic in the test_package code to be able to properly verify the version of the fips module... For example, that version == 3.0.9 when use_validated_fips == True or version == tested_package_version otherwwise, but both programmatically or simply using the openssl list -providers command require a properly fipsinstalled module before loading it to check the version...

Do you know of any ways to check the version of the fips module without it needing to be fully installed?

[kulkarniamit]

As you mentioned, printing buildinfo related information for fips provider requires loading the provider. Loading FIPS provider requires having a configuration file with module-mac to enable self tests of the module.

If we don't prefer checking the integration with openssl command, we are left with two options:

• Use strings command (or any other equivalent) and search for presence of version number in module. Need to ensure we've a consistent command or python string search thats platform independent

  # Linux
  $ strings <path_to_fips_module> | grep -i -A1 buildinfo
  buildinfo
  3.0.9

• Print the fips module source and destination directory information

Though its extra work, running openssl fipsinstall to generate fipsmodule.cnf and loading the provider programmatically in test_package.c would be the ideal future-proof platform-independent approach to printing version information.

[jcar87]

This looks really good @gegles ! Thanks for this.

Some comments from me:

I would probably keep, in the recipe, a list of "fips validated" versions (as per the OpenSSL documentation), and have a logic such that if use_validated_fips is True, then we either:
- find the closest version, lower than the current one, that is fips-validated
- if the current version is already fips validated, don't depend on it (avoid a recipe depending on itself with the same version) - the current version should be good enough on its own, correct?

This might look something like:

    @property
    def _fips_validated_version(self):
        # As of version 3.3.1, the FIPS module is validated for the following versions
        # see https://openssl-library.org/source/   
        versions = ['3.0.0', '3.0.8', '3.0.9']
        versions = sorted([Version(v) for v in versions], reverse=True)

        # Find the closest version that is less than or equal to the current version
        fips_validated_version = next((v for v in versions if v <= Version(self.version)), None)
        return fips_validated_version

    def requirements(self):
            # ...
            fips_version = self._fips_validated_version
            if fips_version and fips_version != self.version:
                self.output.info(f"Using validated FIPS module from openssl version:{fips_version}")
                self.requires(f"openssl/{fips_version}", visible=False, libs=False, headers=False, run=False, options={'no_fips': False})

I would probably add some additional checks in the validate() method as there are a few cases that would be invalid:

• there is no earlier version that is fips validated (not the case since eventually 3.0.0 was validated)
• if we are depending on another version for fips validation, but that dependency is being built with no_fips=True

This may look like:

        if self.options.use_validated_fips:
            fips_version = self._fips_validated_version
            if fips_version is None:
                raise ConanInvalidConfiguration(f"OpenSSL {self.version} - no compatible FIPS validated version")
            if self.options.no_fips:
                raise ConanInvalidConfiguration(f"Fips support is requested, but no_fips is set to True")
            elif fips_version != self.version and self.dependencies["openssl"].options.no_fips:
                raise ConanInvalidConfiguration(f"In order to use FIPS module from openssl/{fips_version}, it needs to be built with `no_fips` option set to False")

Note that I've seen in the PR that this is done:

        if self.options.use_validated_fips == True:
            self.options.no_fips = True

however I would err in the side of caution - bear in mind that if externally a user does -o "openssl/*:no_fips=True" -o "openssl/*:use_validated_fips=True" - it will apply to both versions of openssl in the graph.

What I would suggest is just rely on the validation - assume that if users pass these, it's a contradiction. And to avoid building the fips-module when it is being provided by an earlier version, I would do in the configure args method:

        # pass no-fips to the current build if:
        # - use_validated_fips is enabled and using the fips module from a different version
        # - user requested no-fips
        no_fips = self.options.use_validated_fips and self._fips_validated_version != self.version or self.options.no_fips
        args.append("no-fips" if no_fips else "enable-fips")

The above are all very rough - but gives an idea.

I also agree with @Nekto89 - we should re-add 3.0.9 to the list of maintained versions. Perhaps if we do this, we may choose to keep the list in the recipe constrained to just 3.0.9

As for the installation, the openssl documentation does specify that the self-tests should be run - personally, if a use_validated_fips is meant to offer "strong" expectation that we are using a validated fips, I would test this not just in the test package, but in the recipe's build method itself, at the very end of the build. This would have to be guarded with a can_run - but I dont have enough experience with the validation process here - and I'm not sure where the resulting config file should reside

[gegles]

.... experience with the validation process here - and I'm not sure where the resulting config file should reside

Thanks for the review and all the feedback @jcar87!

I agree with almost everything and will see what I can do.

I had already just re-added 3.0.9 based on @Nekto89's feedback.

I am seriously questioning whether it would make any sense for anybody to use anything but the latest validated version (i.e. v3.0.9).... I would think it's probably best to instead encourage folks to only use the latest and thus only specify 3.0.9 ...
Because of that I would rather not offer a list, but instead just offer the latest validated version... LMK.

Thanks!

[gegles]

Some comments from me:

I would probably keep, in the recipe, a list of "fips validated" versions (as per the OpenSSL documentation), and have a logic such that if use_validated_fips is True, then we either: - find the closest version, lower than the current one, that is fips-validated - if the current version is already fips validated, don't depend on it (avoid a recipe depending on itself with the same version) - the current version should be good enough on its own, correct?

This might look something like:

    @property
    def _fips_validated_version(self):
        # As of version 3.3.1, the FIPS module is validated for the following versions
        # see https://openssl-library.org/source/   
        versions = ['3.0.0', '3.0.8', '3.0.9']
        versions = sorted([Version(v) for v in versions], reverse=True)

        # Find the closest version that is less than or equal to the current version
        fips_validated_version = next((v for v in versions if v <= Version(self.version)), None)
        return fips_validated_version

    def requirements(self):
            # ...
            fips_version = self._fips_validated_version
            if fips_version and fips_version != self.version:
                self.output.info(f"Using validated FIPS module from openssl version:{fips_version}")
                self.requires(f"openssl/{fips_version}", visible=False, libs=False, headers=False, run=False, options={'no_fips': False})

I would probably add some additional checks in the validate() method as there are a few cases that would be invalid:

• there is no earlier version that is fips validated (not the case since eventually 3.0.0 was validated)
• if we are depending on another version for fips validation, but that dependency is being built with no_fips=True

This may look like:

        if self.options.use_validated_fips:
            fips_version = self._fips_validated_version
            if fips_version is None:
                raise ConanInvalidConfiguration(f"OpenSSL {self.version} - no compatible FIPS validated version")
            if self.options.no_fips:
                raise ConanInvalidConfiguration(f"Fips support is requested, but no_fips is set to True")
            elif fips_version != self.version and self.dependencies["openssl"].options.no_fips:
                raise ConanInvalidConfiguration(f"In order to use FIPS module from openssl/{fips_version}, it needs to be built with `no_fips` option set to False")

Note that I've seen in the PR that this is done:

        if self.options.use_validated_fips == True:
            self.options.no_fips = True

however I would err in the side of caution - bear in mind that if externally a user does -o "openssl/*:no_fips=True" -o "openssl/*:use_validated_fips=True" - it will apply to both versions of openssl in the graph.

What I would suggest is just rely on the validation - assume that if users pass these, it's a contradiction. And to avoid building the fips-module when it is being provided by an earlier version, I would do in the configure args method:

        # pass no-fips to the current build if:
        # - use_validated_fips is enabled and using the fips module from a different version
        # - user requested no-fips
        no_fips = self.options.use_validated_fips and self._fips_validated_version != self.version or self.options.no_fips
        args.append("no-fips" if no_fips else "enable-fips")

The above are all very rough - but gives an idea.

@jcar87, with 274288c, I've now incorporate most of your suggestions/feedback.
I've restricted to only 3.0.8 and 3.0.9. I've left 3.0.0 behind as it would not even work and it's ancient.

I've manually tested the various error conditions:

conan create -b missing --version 3.2.2 -o "&:use_validated_fips=True" -o "&:no_fips=True" 3.x.x

ERROR: There are invalid packages:
openssl/3.2.2: Invalid: FIPS support is requested, but no_fips is set to True

conan create -b missing --version 3.2.2 -o "&:use_validated_fips=True" -o "openssl/3.0.9:no_fips=True" 3.x.x
ERROR: There are invalid packages:
openssl/3.2.2: Invalid: In order to use FIPS module from openssl/3.0.9, it needs to be built with `no_fips` option set to False

conan create -b missing --version 3.0.7 -o "&:use_validated_fips=True" 3.x.x

ERROR: There are invalid packages:
openssl/3.0.7: Invalid: OpenSSL 3.0.7 - no compatible FIPS validated version found

I will see what I can do for the self validation testing...

[gegles]

As for the installation, the openssl documentation does specify that the self-tests should be run - personally, if a use_validated_fips is meant to offer "strong" expectation that we are using a validated fips, I would test this not just in the test package, but in the recipe's build method itself, at the very end of the build. This would have to be guarded with a can_run - but I dont have enough experience with the validation process here - and I'm not sure where the resulting config file should reside

@jcar87 take a look at my latest changes... I've now added a fipsinstall and fipsinstall -verify steps in the package() phase...

I got caught by a linter issue (re using stderr)... I guess it's not available on the min conan version used on conan center... So I'll need to refactor/revisit.

Anyway let me know what you think and if I am the right track...

Cheers. G.

[kulkarniamit]

• find the closest version, lower than the current one, that is fips-validated

conan create -b missing --version 3.0.7 -o "&:use_validated_fips=True" 3.x.x
ERROR: There are invalid packages:
openssl/3.0.7: Invalid: OpenSSL 3.0.7 - no compatible FIPS validated version found

According to OpenSSL maintainers: openssl/openssl#25048 (comment)

"The ABI is deliberately set so any 3.x fips module works with any 3.x.y in general."

I ran a few commands to verify that OpenSSL 3.0.7 binary can work with 3.0.9 FIPS provider

$ ./bin/openssl version -v
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

$ OPENSSL_MODULES=../openssl-3.0.9/lib64/ossl-modules ./bin/openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active

$ export OPENSSL_MODULES=../openssl-3.0.9/lib64/ossl-modules 

$ echo "helloworld" | ./bin/openssl dgst -sha1
SHA1(stdin)= e7509a8c032f3bc2a8df1df476f8ef03436185fa

$ echo "helloworld" | ./bin/openssl dgst -sha256
SHA2-256(stdin)= 8cd07f3a5ff98f2a78cfc366c13fb123eb8d29c1ca37c79df190425d5b9e424d

$ echo "helloworld" | ./bin/openssl dgst -md5
Error setting digest
40876E37977F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (MD5 : 102), Properties ()
40876E37977F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:254:

@gegles @jcar87 Any particular reason why we're limiting lower versions of OpenSSL 3.0.x (x < 9) to not work with 3.0.8 or 3.0.9 FIPS provider?

[jcar87]

@gegles @jcar87 Any particular reason why we're limiting lower versions of OpenSSL 3.0.x (x < 9) to not work with 3.0.8 or 3.0.9 FIPS provider?

none really! we didn't have that context.
Although bear in mind that we are unlikely to maintain up-to-date recipes for versions dating that far back - considering that OpenSSL 3.x itself is backwards compatible

[conan-center-bot]

Conan v1 pipeline ❌

Failure in build 14 (f751f8463cdc59e72867b6dd45cccf789ccfa909):

• openssl/3.3.2:
  Didn't run or was cancelled before finishing

• openssl/3.2.2:
  Didn't run or was cancelled before finishing

• openssl/3.3.1:
  Didn't run or was cancelled before finishing

• openssl/3.2.3:
  Didn't run or was cancelled before finishing

• openssl/3.0.13:
  Didn't run or was cancelled before finishing

• openssl/3.2.1:
  Didn't run or was cancelled before finishing

• openssl/3.1.6:
  Didn't run or was cancelled before finishing

• openssl/3.0.15:
  Didn't run or was cancelled before finishing

• openssl/3.0.14:
  Didn't run or was cancelled before finishing

• openssl/3.1.7:
  Didn't run or was cancelled before finishing

• openssl/3.0.9:
  Didn't run or was cancelled before finishing

• openssl/3.0.8:
  CI failed to create some packages (All logs)

  Logs for packageID 288ceea1eccdb5f24f7075ead24b83b854b1d943:

  [settings]
  arch=x86_64
  build_type=Release
  compiler=gcc
  compiler.libcxx=libstdc++11
  compiler.version=5
  os=Linux
  [options]
  openssl:shared=False
  

  [...]
  install ./include/openssl/tserr.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/tserr.h
  install ./include/openssl/txt_db.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/txt_db.h
  install ./include/openssl/types.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/types.h
  install ./include/openssl/ui.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/ui.h
  install ./include/openssl/uierr.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/uierr.h
  install ./include/openssl/whrlpool.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/whrlpool.h
  install ./include/openssl/x509.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/x509.h
  install ./include/openssl/x509_vfy.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/x509_vfy.h
  install ./include/openssl/x509err.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/x509err.h
  install ./include/openssl/x509v3.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/x509v3.h
  install ./include/openssl/x509v3err.h -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//include/openssl/x509v3err.h
  install libcrypto.a -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/libcrypto.a
  install libssl.a -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/libssl.a
  created directory `/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/pkgconfig'
  install libcrypto.pc -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/pkgconfig/libcrypto.pc
  install libssl.pc -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/pkgconfig/libssl.pc
  install openssl.pc -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/pkgconfig/openssl.pc
  make depend && make _build_modules
  make[1]: Entering directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  make[1]: Leaving directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  make[1]: Entering directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  make[1]: Nothing to be done for '_build_modules'.
  make[1]: Leaving directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  created directory `/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/engines-3'
  *** Installing engines
  created directory `/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/ossl-modules'
  *** Installing modules
  install providers/legacy.so -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//lib/ossl-modules/legacy.so
  make depend && make _build_programs
  make[1]: Entering directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  make[1]: Leaving directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  make[1]: Entering directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  make[1]: Nothing to be done for '_build_programs'.
  make[1]: Leaving directory '/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/build/288ceea1eccdb5f24f7075ead24b83b854b1d943/src'
  created directory `/home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//bin'
  *** Installing runtime programs
  install apps/openssl -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//bin/openssl
  install tools/c_rehash -> /home/conan/workspace/prod-v1/bsr/103191/ebdcf/.conan/data/openssl/3.0.8/_/_/package/288ceea1eccdb5f24f7075ead24b83b854b1d943//bin/c_rehash
  openssl/3.0.8: Copied 1 '.so' file: fips.so
  openssl/3.0.8: Testing FIPS module (via fipsinstall & fipsinstall -verify)
  WARN: **************************************************
  WARN: *** Conan 1 is legacy and on a deprecation path **
  WARN: *********** Please upgrade to Conan 2 ************
  WARN: **************************************************
  openssl/3.0.8: WARN: Using the new toolchains and generators without specifying a build profile (e.g: -pr:b=default) is discouraged and might cause failures and unexpected behavior
  ERROR: openssl/3.0.8: Error in package() method, line 671
  	self._package_and_test_fips()
  while calling '_package_and_test_fips', line 619
  	self.run(" ".join(fipsinstall_command), stderr=stderr, env="conanrun")
  	TypeError: run() got an unexpected keyword argument 'stderr'
  

• openssl/3.1.5:
  Didn't run or was cancelled before finishing

---

^{Note: To save resources, CI tries to finish as soon as an error is found. For this reason you might find that not all the references have been launched or not all the configurations for a given reference. Also, take into account that we cannot guarantee the order of execution as it depends on CI workload and workers availability.}

---

Conan v2 pipeline ❌

Note: Conan v2 builds are now mandatory. Please read our discussion about it.

The v2 pipeline failed. Please, review the errors and note this is required for pull requests to be merged. In case this recipe is still not ported to Conan 2.x, please, ping @conan-io/barbarians on the PR and we will help you.

Failure in build 14 (f751f8463cdc59e72867b6dd45cccf789ccfa909):

• openssl/3.3.2:
  Didn't run or was cancelled before finishing

• openssl/3.3.1:
  Didn't run or was cancelled before finishing

• openssl/3.2.2:
  Didn't run or was cancelled before finishing

• openssl/3.2.1:
  Didn't run or was cancelled before finishing

• openssl/3.2.3:
  Didn't run or was cancelled before finishing

• openssl/3.1.7:
  Didn't run or was cancelled before finishing

• openssl/3.1.5:
  Didn't run or was cancelled before finishing

• openssl/3.0.14:
  Didn't run or was cancelled before finishing

• openssl/3.1.6:
  Didn't run or was cancelled before finishing

• openssl/3.0.15:
  Didn't run or was cancelled before finishing

• openssl/3.0.13:
  Didn't run or was cancelled before finishing

• openssl/3.0.9:
  Didn't run or was cancelled before finishing

• openssl/3.0.8:
  CI failed to create some packages (All logs)

  Logs for packageID aeeecfda9816e9910c8fcc2f12cd72f4d60f7e17:

  [settings]
  arch=x86_64
  build_type=Release
  compiler=gcc
  compiler.cppstd=17
  compiler.libcxx=libstdc++11
  compiler.version=11
  os=Linux
  [options]
  */*:shared=True
  

  [...]
  install ./include/openssl/uierr.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/uierr.h
  install ./include/openssl/whrlpool.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/whrlpool.h
  install ./include/openssl/x509.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/x509.h
  install ./include/openssl/x509_vfy.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/x509_vfy.h
  install ./include/openssl/x509err.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/x509err.h
  install ./include/openssl/x509v3.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/x509v3.h
  install ./include/openssl/x509v3err.h -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//include/openssl/x509v3err.h
  install libcrypto.a -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/libcrypto.a
  install libssl.a -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/libssl.a
  link /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/libcrypto.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/libcrypto.so.3
  link /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/libssl.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/libssl.so.3
  created directory `/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/pkgconfig'
  install libcrypto.pc -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/pkgconfig/libcrypto.pc
  install libssl.pc -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/pkgconfig/libssl.pc
  install openssl.pc -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/pkgconfig/openssl.pc
  make depend && make _build_modules
  make[1]: Entering directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  make[1]: Leaving directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  make[1]: Entering directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  make[1]: Nothing to be done for '_build_modules'.
  make[1]: Leaving directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  created directory `/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/engines-3'
  *** Installing engines
  install engines/afalg.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/engines-3/afalg.so
  install engines/capi.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/engines-3/capi.so
  install engines/loader_attic.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/engines-3/loader_attic.so
  install engines/padlock.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/engines-3/padlock.so
  created directory `/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/ossl-modules'
  *** Installing modules
  install providers/legacy.so -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//lib/ossl-modules/legacy.so
  make depend && make _build_programs
  make[1]: Entering directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  make[1]: Leaving directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  make[1]: Entering directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  make[1]: Nothing to be done for '_build_programs'.
  make[1]: Leaving directory '/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/src'
  created directory `/home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//bin'
  *** Installing runtime programs
  install apps/openssl -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//bin/openssl
  install tools/c_rehash -> /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p//bin/c_rehash
  
  openssl/3.0.8: Testing FIPS module (via fipsinstall & fipsinstall -verify)
  openssl/3.0.8: RUN: /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p/bin/openssl fipsinstall -module /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p/lib/ossl-modules/fips.so -out /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/b/build-release/fips.cnf
  
  ERROR: openssl/3.0.8: Error in package() method, line 671
  	self._package_and_test_fips()
  while calling '_package_and_test_fips', line 622
  	raise ConanException(f"{str(e)}\n{stderr_text}") from e
  	ConanException: Error 127 while executing
  /home/conan/workspace/prod-v2/bsr/91930/bdaeb/p/b/opensd05555e14cb9b/p/bin/openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
  

---

^{Note: To save resources, CI tries to finish as soon as an error is found. For this reason you might find that not all the references have been launched or not all the configurations for a given reference. Also, take into account that we cannot guarantee the order of execution as it depends on CI workload and workers availability.}

[szigetics]

@gegles : Great update! Thank you for this! 🙏

I see that for this updated recipe to work, the changes from conan-io/conan#16132 are required.
So a conan version update is necessary for this updated recipe to work.

I also see that the there is an official conan release which has the necessary update : https://github.com/conan-io/conan/releases/tag/2.4.0 .
So it's definitely available for conan2.

However : I cannot find a conan1 release with this change.

So my question : could the above recipe update work with conan1 as well? Which conan1 version have to be used?

[gegles]

So my question : could the above recipe update work with conan1 as well? Which conan1 version have to be used?

@szigetics, I may be wrong, but my understanding is that this feature would only work with Conan v2 and especially with the conan-io/conan#16132 changeset as you pointed out.