Re-enable non-replace-default builds for testing

Author: padelsbach

.github/workflows/debian-package.yml

@@ -27,9 +27,6 @@ jobs:
         replace_default: [ true ]
 
   libwolfprov-standalone:
-    # Standalone mode is disabled until we re-enable support for it in the debian build.
-    if: false
-
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # Run inside Debian Bookworm to match packaging environment
@@ -43,7 +40,7 @@ jobs:
       matrix:
         wolfssl_ref: [ 'v5.8.2-stable' ]
         openssl_ref: [ 'openssl-3.5.2' ]
-        replace_default: [ true ]
+        replace_default: [ false ]
     env:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
@@ -165,7 +162,7 @@ jobs:
           echo "Package uninstallation and cleanup verification successful"
 
 
-  libwolfprov-with-openssl:
+  libwolfprov-replace-default:
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # Run inside Debian Bookworm to match packaging environment

.gitignore

@@ -117,4 +117,5 @@ debian/libssl3*
 !debian/*.postrm
 !debian/*.docs
 !debian/*.links
+!debian/*.triggers
 

debian/control

@@ -14,7 +14,8 @@ Build-Depends:
 Package: libwolfprov
 Architecture: any
 Multi-Arch: same
-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl
+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2)
+Recommends: openssl
 Provides: ${variant:provides}
 XB-Variant: ${variant}
 Description: wolfProvider library for OpenSSL — ${variant:desc}
@@ -43,9 +44,8 @@ Architecture: any
 Section: utils
 Multi-Arch: foreign
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Secure Sockets Layer toolkit - command line interface
+Description: Secure Sockets Layer toolkit - command line interface (wolfProvider build)
  This package contains the OpenSSL command line utility.
- Built for use with wolfProvider.
 
 Package: libssl3
 Architecture: any

debian/libwolfprov.postinst

@@ -1,35 +1,44 @@
 #!/bin/sh
 set -e
 
-# We currently only support "replace default" mode.
-# In this mode, we don't need to modify the system openssl.cnf file 
-# since our modified openssl references libwolfprov.so explicitly.
-# In the future, we should add scripting here to find the system openssl.cnf file
-# and add the include line to it. Note that the code below 
-# references a hardcoded path which may not be correct for all systems.
+# Define the include line to add to the openssl.cnf file
+INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
 
-# INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
-# CONF_FILE="/usr/lib/ssl/openssl.cnf"
-# CONF_DEFAULT="/usr/share/openssl-defaults/openssl.cnf"
+# Search for the openssl.cnf file in /usr, /lib and /etc
+CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
 
-# # Copy from our template if it doesn't exist
-# if [ ! -f "$CONF_FILE" ]; then
-#     echo "Config file does not exist: $CONF_FILE"
-#     if [ -f "$CONF_DEFAULT" ]; then
-#         install -Dm644 "$CONF_DEFAULT" "$CONF_FILE"
-#     else
-#         echo "Default config file does not exist: $CONF_DEFAULT"
-#         exit 1
-#     fi
-# fi
+# Check if we are in replace-default mode by reading the openssl version
+REPLACE_DEFAULT=0
+if command -v openssl >/dev/null 2>&1; then
+    OPENSSL_VERSION=$(openssl version)
+    if echo "$OPENSSL_VERSION" | grep -q "wolfProvider"; then
+        REPLACE_DEFAULT=1
+    fi  
+fi
 
-# # Add include for wolfprovider config file if not already present
-# if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then
-#     echo "Include line already exists in $CONF_FILE"
-# else 
-#     echo "Adding include for wolfprovider to $CONF_FILE..."
-#     sed -i "/^openssl_conf/ a $INCLUDE_LINE" "$CONF_FILE"
-# fi
+if [ $REPLACE_DEFAULT -eq 1 ]; then
+    # Remove INCLUDE_LINE from each CONF_FILE
+    # Replace default mode should automatically find wolfProvider.
+    # Using the config file or OPENSSL_CONF will cause:
+    #   1. the provider name to be 'libwolfprov' instead of 'default'
+    #   2. the provider init call to happen twice
+    # Neither of these is harmful, but it's not ideal.
+    for CONF_FILE in $CONF_FILES; do
+        # Remove any line containing both ".include" and "wolfprovider.conf"
+        sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE"
+        printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE"
+    done
+else
+    # For each CONF_FILE, apply the include line to the openssl.cnf file, if not already applied
+    for CONF_FILE in $CONF_FILES; do
+        if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then
+            echo "Include line already exists in $CONF_FILE"
+        else 
+            echo "Adding include for wolfprovider to $CONF_FILE..."
+            echo "$INCLUDE_LINE" >> "$CONF_FILE"
+        fi
+    done
+fi
 
 #DEBHELPER#
 exit 0

debian/libwolfprov.triggers

@@ -0,0 +1,8 @@
+# Re-run our setup whenever OpenSSL config or module dirs change
+interest-noawait /etc/ssl/openssl.cnf
+interest-noawait /etc/ssl/openssl.cnf.d
+interest-noawait /lib/ssl/openssl.cnf
+interest-noawait /lib/ssl/openssl.cnf.d
+interest-noawait /usr/lib/ssl/openssl.cnf
+interest-noawait /usr/lib/ssl/openssl.cnf.d
+

scripts/verify-install.sh

@@ -152,9 +152,9 @@ verify_openssl_version() {
     if [ $replace_default -eq 0 ]; then
         # Verify that wolfProv (case-insensitive) is in the version output
         if echo "$version_output" | grep -qi "wolfProv"; then
-            log_success "wolfProv is in the version output"
+            handle_error "wolfProv is in the version output"
         else
-            handle_error "wolfProv is not in the version output"
+            log_success "wolfProv is not in the version output"
         fi
     else
         # Verify that wolfProvider (case-insensitive) is in the version output