Add FIPS support for Debian package build

padelsbach · padelsbach · commit 9eb464fc6220 · 2025-08-19T16:25:57.000Z
diff --git a/.github/packages/debian-wolfssl.tar.gz b/.github/packages/debian-wolfssl.tar.gz
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
@@ -5,29 +5,22 @@ on:
     branches: [ master ]
   pull_request:
     branches: [ '*' ]
-  workflow_dispatch:
 
 jobs:
-  test-debian-package:
-    runs-on: ubuntu-latest
-
+  bookworm:
+    runs-on: ubuntu-22.04
+    # Important: use Debian Bookworm for compatibility
+    container:
+      image: debian:bookworm   # or debian:bookworm-slim
+      env:
+        DEBIAN_FRONTEND: noninteractive
     steps:
-    - name: Checkout wolfProvider
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 1
-    - run: |
-        # Fetch tags
-        git fetch --tags
-        # List all tags
-        git tag -l
-
     - name: Set up environment
       run: |
         # Update package lists
-        sudo apt-get update
+        apt-get update
         # Install build dependencies
-        sudo apt-get install -y \
+        apt-get install -y \
           build-essential \
           devscripts \
           debhelper \
@@ -44,27 +37,56 @@ jobs:
           fakeroot \
           equivs
         # Install additional tools for testing
-        sudo apt-get install -y \
+        apt-get install -y \
           expect \
           xxd
 
-    # TODO: this step rebuilds the package for the current architecture
-    #       we may be able to remove it if we can ensure the package supports
-    #       the architecture of the runner (most likely amd64)
-    - name: Install custom wolfssl
+    # Avoid "detected dubious ownership" warning
+    - name: Ensure the working directory safe
+      run: |
+        git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+    - name: Checkout wolfProvider
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+    - run: |
+        # Fetch tags
+        git fetch --tags
+        # List all tags
+        git tag -l
+
+    - name: Install wolfssl debian package
       run: |
         mkdir -p "$RUNNER_TEMP/wolfssl-pkg"
         cd "$RUNNER_TEMP/wolfssl-pkg"
-        unzip $GITHUB_WORKSPACE/.github/packages/debian-packages-20250731T171211Z-1-001.zip
+        
+        echo "Using standard wolfSSL package"
+        tar -xvf $GITHUB_WORKSPACE/.github/packages/debian-wolfssl.tar.gz
+
+        # Get current architecture
+        CURRENT_ARCH=$(dpkg --print-architecture)
+        echo "Current architecture: $CURRENT_ARCH"
+        
+        # Look for existing .deb files that match the current architecture
         cd debian-packages
-        sudo dpkg-source -x wolfssl_5.8.2-1.dsc
-        cd wolfssl-5.8.2
-        sudo dpkg-buildpackage -b -us -uc
-        sudo dpkg -i ../libwolfssl*.deb
+        MATCHING_DEB_FILES=$(find . -name "*_${CURRENT_ARCH}.deb" -o -name "*_${CURRENT_ARCH}_*.deb" 2>/dev/null || true)
+        
+        if [ -n "$MATCHING_DEB_FILES" ]; then
+          echo "Found matching .deb files for architecture $CURRENT_ARCH:"
+          echo "$MATCHING_DEB_FILES"
+          echo "Installing existing .deb files..."
+          dpkg -i $MATCHING_DEB_FILES
+        else
+          echo "No matching .deb files found for architecture $CURRENT_ARCH, rebuilding from source..."
+          dpkg-source -x wolfssl*.dsc
+          cd wolfssl*/
+          dpkg-buildpackage -b -us -uc
+          dpkg -i ../libwolfssl*.deb
+        fi
 
     - name: Build Debian package
       run: |
-        # Run the build script
         # Bypass the warning prompt with 'yes Y' 
         yes Y | ./scripts/build-wolfprovider.sh --debian
 
@@ -83,7 +105,7 @@ jobs:
         fi
 
         echo "Installing package: $PACKAGE_FILE and dependencies"
-        sudo apt install -y ./"$PACKAGE_FILE"
+        apt install -y ./"$PACKAGE_FILE"
 
         # Verify installation
         echo "Package Installation Verification:"
@@ -99,7 +121,7 @@ jobs:
         echo "3. Temporarily disabling wolfprovider for default provider tests:"
         mkdir -p /tmp/openssl-test
         if [ -f $PROVIDER_CONF ]; then
-          sudo mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP
+          mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP
           echo "   - Moved $PROVIDER_CONF to $PROVIDER_CONF_BACKUP"
         else
           echo "$PROVIDER_CONF not found!"
@@ -113,7 +135,7 @@ jobs:
         # Restore wolfprovider configuration
         echo "5. Restoring wolfprovider configuration:"
         if [ -f $PROVIDER_CONF_BACKUP ]; then
-          sudo mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF
+          mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF
           echo "   - Restored $PROVIDER_CONF from $PROVIDER_CONF_BACKUP"
         fi
 
@@ -122,7 +144,7 @@ jobs:
     - name: Uninstall package and verify cleanup
       run: |
         # Uninstall the package
-        sudo apt-get remove --purge -y libwolfprov
+        apt-get remove --purge -y libwolfprov
 
         # Verify the package is removed
         if dpkg -l | grep -q libwolfprov; then
@@ -182,9 +204,9 @@ jobs:
       if: always()
       uses: actions/upload-artifact@v4
       with:
-        name: debian-packages
+        name: wolfprovider-debian-packages
         path: |
           ${{ runner.temp }}/*.deb
           ${{ runner.temp }}/*.dsc
           ${{ runner.temp }}/*.tar.gz
-        retention-days: 7 
+        retention-days: 7
diff --git a/debian/control b/debian/control
@@ -7,14 +7,16 @@ Build-Depends: debhelper (>= 12),
                devscripts,
                pkgconf,
                openssl,
-               libssl-dev,
                libwolfssl,
                libwolfssl-dev
 
+
 Package: libwolfprov
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libwolfssl, openssl
-Description: wolfProvider library for OpenSSL
+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl
+Provides: ${variant:provides}
+XB-Variant: ${variant}
+Description: wolfProvider library for OpenSSL — ${variant:desc}
  wolfProvider is a library that can be used as a Provider in OpenSSL.
  It provides cryptographic functionality through wolfSSL including:
  .
diff --git a/debian/rules b/debian/rules
@@ -8,20 +8,47 @@ DEB_HOST_MULTIARCH := $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 # Destination directory for installation
 DESTDIR=debian/tmp
 
+# Grab the base version from debian/changelog
+BASEVER := $(shell dpkg-parsechangelog -SVersion)
+
+# Check if FIPS build is requested
+WOLFSSL_ISFIPS?=0
+# Variant-specific metadata
+ifeq ($(WOLFSSL_ISFIPS),1)
+  VARIANT           := fips
+  VARIANT_DESC      := FIPS build
+  VARIANT_PROVIDES  := libwolfprov-fips
+  VERSION           := $(BASEVER)+fips
+  FIPS_FLAG         := --enable-fips
+  PROVIDER_CONF     := provider-fips.conf
+else
+  VARIANT           := non-fips
+  VARIANT_DESC      := non-FIPS build
+  VARIANT_PROVIDES  := libwolfprov-nonfips
+  VERSION           := $(BASEVER)
+  PROVIDER_CONF     := provider.conf
+  FIPS_FLAG         :=
+endif
+
+# Override just the control-file generation to inject our values
+override_dh_gencontrol:
+	dh_gencontrol -- \
+	 -v$(VERSION) \
+	 -Vvariant=$(VARIANT) \
+	 -Vvariant:desc="$(VARIANT_DESC)" \
+	 -Vvariant:provides="$(VARIANT_PROVIDES)"
+
 override_dh_auto_configure:
-	./autogen.sh
-	./configure
+	# None, handled below
 
 override_dh_auto_build:
-	make -j$(shell nproc)
+	./scripts/build-wolfprovider.sh $(FIPS_FLAG)
 
 override_dh_auto_install:
 	# Install library
 	install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules
 	install -m755 ./.libs/libwolfprov.so* \
 		$(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules/
-	install -m755 ./.libs/libwolfprov.la* \
-		$(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules/
 
 	# Install headers
 	install -d $(DESTDIR)/usr/include/wolfprovider
@@ -30,7 +57,7 @@ override_dh_auto_install:
 
 	# Install provider config file
 	install -d $(DESTDIR)/etc/ssl/openssl.cnf.d
-	install -m644 ./provider.conf \
+	install -m644 ./$(PROVIDER_CONF) \
 		$(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf
 
 override_dh_auto_clean:
diff --git a/scripts/build-debian.sh b/scripts/build-debian.sh
@@ -110,6 +110,7 @@ git archive --format=tar.gz --prefix="${TARBALL_PREFIX}/" \
 
 # Step 10: Build package
 echo "⚙️  Building package..."
-debuild -us -uc
+WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0}
+debuild --set-envvar WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS} -us -uc
 
 echo "✅ Build completed for version $VERSION"
diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh
@@ -19,6 +19,7 @@ show_help() {
   echo "  --fips-check=TAG           Choose a FIPS tag to clone. May require a version to be given by --fips-version"
   echo "  --fips-version=VER         Choose the wolfSSL FIPS version"
   echo "  --debian                   Build a Debian package"
+  echo "  --debian --enable-fips     Build a Debian package with FIPS support"
   echo "  --quicktest                Disable some tests for a faster testing suite"
   echo ""
   echo "Environment Variables:"
@@ -128,7 +129,7 @@ fi
 
 if [ -n "$build_debian" ]; then
     echo "Building Debian package..."
-    ./scripts/build-debian.sh
+    WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0} ./scripts/build-debian.sh
     exit $?
 fi
 
diff --git a/scripts/cmd_test/ecc-cmd-test.sh b/scripts/cmd_test/ecc-cmd-test.sh
@@ -157,7 +157,6 @@ test_sign_verify_pkeyutl() {
     fi
     
     # Test 3: Cross-provider verification (default sign, wolf verify)
-    echo "Current FAIL status: $FAIL"
     if [ $FAIL -eq 0 ]; then # only verify if previous tests passed
         use_wolf_provider
         echo "Test 3: Cross-provider verification (default sign, wolf verify)"
diff --git a/scripts/utils-wolfprovider.sh b/scripts/utils-wolfprovider.sh
@@ -25,9 +25,20 @@ source ${SCRIPT_DIR}/utils-general.sh
 
 WOLFPROV_SOURCE_DIR=${SCRIPT_DIR}/..
 WOLFPROV_INSTALL_DIR=${SCRIPT_DIR}/../wolfprov-install
-WOLFPROV_CONFIG_OPTS=${WOLFPROV_CONFIG_OPTS:-"--with-openssl=${OPENSSL_INSTALL_DIR} --with-wolfssl=${WOLFSSL_INSTALL_DIR} --prefix=${WOLFPROV_INSTALL_DIR}"}
+WOLFPROV_WITH_WOLFSSL=--with-wolfssl=${WOLFSSL_INSTALL_DIR}
+
+# Check if using system wolfSSL installation
+if command -v dpkg >/dev/null 2>&1; then
+    if dpkg -l | grep -q "^ii.*libwolfssl[[:space:]]" && dpkg -l | grep -q "^ii.*libwolfssl-dev[[:space:]]"; then
+        printf "\nSkipping wolfSSL installation - libwolfssl and libwolfssl-dev packages are already installed.\n"
+        WOLFPROV_WITH_WOLFSSL=
+    fi
+fi
+
+WOLFPROV_CONFIG_OPTS=${WOLFPROV_CONFIG_OPTS:-"--with-openssl=${OPENSSL_INSTALL_DIR} ${WOLFPROV_WITH_WOLFSSL} --prefix=${WOLFPROV_INSTALL_DIR}"}
 WOLFPROV_CONFIG_CFLAGS=${WOLFPROV_CONFIG_CFLAGS:-''}
 
+
 if [ "${WOLFPROV_QUICKTEST}" = "1" ]; then
     WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS} -DWOLFPROV_QUICKTEST"
 fi
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
@@ -88,6 +88,18 @@ clone_wolfssl() {
 }
 
 install_wolfssl() {
+    # Check if libwolfssl and libwolfssl-dev packages are already installed
+    # This is allowed only for wolfSSL, but not for OpenSSL because we want to
+    # use the custom OpenSSL built with wolfProvider.
+    if command -v dpkg >/dev/null 2>&1; then
+        if dpkg -l | grep -q "^ii.*libwolfssl[[:space:]]" && dpkg -l | grep -q "^ii.*libwolfssl-dev[[:space:]]"; then
+            printf "\nSkipping wolfSSL installation - libwolfssl and libwolfssl-dev packages are already installed.\n"
+            # Set WOLFSSL_INSTALL_DIR to system installation directory
+            WOLFSSL_INSTALL_DIR="/usr"
+            return 0
+        fi
+    fi
+
     printf "\nInstalling wolfSSL ${WOLFSSL_TAG} ...\n"
     clone_wolfssl
     cd ${WOLFSSL_SOURCE_DIR}
