Fix is_openssl_patched

Author: padelsbach

.github/workflows/build-wolfprovider.yml

@@ -70,52 +70,13 @@ jobs:
           git remote add upstream https://github.com/wolfSSL/wolfProvider.git || true
           git fetch upstream --tags --no-recurse-submodules
 
-      - name: Restore wolfSSL packages
-        uses: actions/cache@v4
-        id: wolfssl_cache
-        with:
-          path: |
-            ${{ env.WOLFSSL_PACKAGES_PATH }}/*.deb
-            ${{ env.WOLFSSL_PACKAGES_PATH }}/*.dsc
-            ${{ env.WOLFSSL_PACKAGES_PATH }}/*.tar.gz
-          key: wolfssl-debian-packages-${{ inputs.wolfssl_ref }}
-
-      - name: Install wolfSSL packages from cache
-        if: steps.wolfssl_cache.outputs.cache-hit == 'true'
-        run: |
-          printf "Installing wolfSSL packages from cache:\n"
-          ls -la ${{ env.WOLFSSL_PACKAGES_PATH }}
-          apt install --reinstall -y ${{ env.WOLFSSL_PACKAGES_PATH }}/*wolfssl*.deb
-
+      # Build wolfSSL packages and install
+      # Note we do not use the cache currently. This is a future optimization.
       # TODO: roll this step into utils-wolfssl.sh
       - name: Build wolfSSL packages and install
-        # if: steps.wolfssl_cache.outputs.cache-hit != 'true'
         run: | 
           $GITHUB_WORKSPACE/debian/install-wolfssl.sh --tag ${{ inputs.wolfssl_ref }} ${{ env.WOLFSSL_PACKAGES_PATH }}
 
-      # Check for cached OpenSSL packages
-      # WARNING: for Debian, openssl_ref is ignored since we build from Debian baseline
-      - name: Checking OpenSSL packages in cache
-        uses: actions/cache@v4
-        id: openssl_cache
-        continue-on-error: true
-        with:
-          path: |
-            ${{ env.OPENSSL_PACKAGES_PATH }}
-          key: openssl-debian-packages-${{ inputs.openssl_ref }}${{ inputs.replace_default && '-replace-default' || '' }}
-          lookup-only: false
-
-      # Install OpenSSL packages from cache if available
-      - name: Install OpenSSL packages from cache
-        if: ${{ steps.openssl_cache.outputs.cache-hit == 'true' }}
-        run: |
-          printf "Installing OpenSSL packages from cache:\n"
-          ls -la ${{ env.OPENSSL_PACKAGES_PATH }}
-          apt install --reinstall -y \
-            ${{ env.OPENSSL_PACKAGES_PATH }}/openssl_*.deb \
-            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl3_*.deb \
-            ${{ env.OPENSSL_PACKAGES_PATH }}/libssl-dev_*.deb
-
       - name: Build wolfProvider
         run: |
           WOLFSSL_TAG=${{ inputs.wolfssl_ref }} OPENSSL_TAG=${{ inputs.openssl_ref }} \
@@ -138,7 +99,7 @@ jobs:
           ls -la ${{ env.WOLFSSL_PACKAGES_PATH }}
           ls -la ${{ env.OPENSSL_PACKAGES_PATH }}
 
-      - name: Save to cache
+      - name: Save all packages to cache for use by other workflows
         uses: actions/cache/save@v4
         continue-on-error: true
         with:
@@ -166,15 +127,3 @@ jobs:
             ${{ env.WOLFPROV_PACKAGES_PATH }}/*.dsc
             ${{ env.WOLFPROV_PACKAGES_PATH }}/*.tar.gz
           retention-days: 1
-
-      # TODO: upload wolfSSL artifacts, after building
-      # - name: Upload wolfSSL artifacts
-      #   uses: actions/upload-artifact@v4
-      #   with:
-      #     name: wolfssl-debian-packages-${{ inputs.wolfssl_ref }}
-      #     path: |
-      #       ${{ env.WOLFPROV_PACKAGES_PATH }}/*wolfssl*.deb
-      #       ${{ env.WOLFPROV_PACKAGES_PATH }}/*wolfssl*.dsc
-      #       ${{ env.WOLFPROV_PACKAGES_PATH }}/*wolfssl*.tar.gz
-      #     retention-days: 1
-

.github/workflows/xmlsec.yml

@@ -3,7 +3,7 @@ name: xmlsec Tests
 # START OF COMMON SECTION
 on:
   push:
-    branches: [ '**' ] # 'master', 'main', 'release/**' ]
+    branches: [ 'master', 'main', 'release/**' ]
   pull_request:
     branches: [ '*' ]
 

debian/install-wolfssl.sh

@@ -132,6 +132,7 @@ AC_CONFIG_FILES([debian/rules],[chmod +x debian/rules])' configure.ac
     # Configure with the specified options
     echo "Configuring wolfSSL with specified options..."
     configure_opts="--enable-opensslcoexist \
+        --enable-opensslextra \
         --enable-cmac \
         --with-eccminsz=192 \
         --enable-ed25519 \
@@ -145,9 +146,16 @@ AC_CONFIG_FILES([debian/rules],[chmod +x debian/rules])' configure.ac
         --enable-keygen \
         --enable-shake128 \
         --enable-shake256 \
-        --enable-wolfprovider \
         --enable-rsapss \
-        --enable-scrypt"
+        --enable-scrypt \
+        --enable-base16 \
+        --enable-aesctr \
+        --enable-des3 \
+        --enable-enckeys \
+        --enable-hkdf \
+        --enable-supportedcurves \
+        --enable-base64encode \
+        --enable-wolfprovider"
 
     if [ "$debug_mode" = "true" ]; then
         configure_opts="$configure_opts --enable-debug"
@@ -173,7 +181,10 @@ AC_CONFIG_FILES([debian/rules],[chmod +x debian/rules])' configure.ac
             -DWC_RSA_DIRECT \
             -DWC_RSA_NO_PADDING \
             -DACVP_VECTOR_TESTING \
-            -DWOLFSSL_ECDSA_SET_K" \
+            -DWOLFSSL_ECDSA_SET_K \
+            -DWOLFSSL_ASN_ALL \
+            -DWOLFSSL_ALT_NAMES \
+            -DWOLFSSL_HAVE_ISSUER_NAMES" \
             LIBS="-lm"
 
     # Build Debian packages

scripts/utils-openssl.sh

@@ -121,20 +121,20 @@ clone_openssl() {
 }
 
 is_openssl_patched() {
-    if [ ! -f "${OPENSSL_SOURCE_DIR}/crypto/provider_predefined.c" ]; then
+    # Return 0 if patched, 1 if not
+    local dir="${OPENSSL_SOURCE_DIR:?OPENSSL_SOURCE_DIR not set}"
+    local file="${dir%/}/crypto/provider_predefined.c"
+
+    # File must exist to be patched
+    [[ -f "$file" ]] || return 1
+
+    # Any time we see libwolfprov, we're patched
+    if grep -q 'libwolfprov' -- "$file"; then
         return 0
     fi
 
-    # Check if $OPENSSL_SOURCE_DIR is a git repository
-    if [ -d ${OPENSSL_SOURCE_DIR}/.git ]; then
-        pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
-        patch_applied=$(git diff --quiet "crypto/provider_predefined.c" 2>/dev/null && echo 1 || echo 0)
-        popd &> /dev/null
-    else
-        # Not a git repo, may have been downloaded separately (from Debian sources)
-        patch_applied=$(grep -q "libwolfprov" "${OPENSSL_SOURCE_DIR}/crypto/provider_predefined.c" && echo 1 || echo 0)
-    fi
-    return $patch_applied
+    # Not patched
+    return 1
 }
 
 check_openssl_replace_default_mismatch() {

src/wp_wolfprov.c

@@ -1242,8 +1242,9 @@ int wolfssl_provider_init(const OSSL_CORE_HANDLE* handle,
     if (ok) {
         if (wolfSSL_Debugging_ON() != 0) {
             WOLFPROV_MSG(WP_LOG_PROVIDER,
-              "WARNING: wolfProvider built with debug but underlying wolfSSL is not!"
-              "Building wolfSSl with debug is highly recommended, proceeding...");
+              "WARNING: wolfProvider built with debug but underlying wolfSSL is not!");
+            WOLFPROV_MSG(WP_LOG_PROVIDER,
+              "\tBuilding wolfSSl with debug is highly recommended, proceeding...");
         }
         else {
             wolfSSL_SetLoggingPrefix("wolfSSL");