Initial draft of option to replace openssl default provider

Author: ColtonWilley

Makefile.am

@@ -1,5 +1,5 @@
 
-SUFFIXES = 
+SUFFIXES =
 TESTS =
 noinst_PROGRAMS =
 noinst_HEADERS =
@@ -14,6 +14,13 @@ AM_CPPFLAGS = -I$(top_srcdir)/include
 
 lib_LTLIBRARIES = libwolfprov.la
 
+# Conditionally build libdefault.so when --replace-default is enabled
+if BUILD_REPLACE_DEFAULT
+lib_LTLIBRARIES += libdefault.la
+libdefault_la_SOURCES = src/wp_default_replace.c
+libdefault_la_LIBADD = libwolfprov.la
+endif
+
 EXTRA_DIST+=ChangeLog.md
 EXTRA_DIST+=README.md
 EXTRA_DIST+=IDE

configure.ac

@@ -123,8 +123,14 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[
                       ])
       ])
 
+# Replace default provider
+AC_ARG_ENABLE([replace-default],
+    [AS_HELP_STRING([--enable-replace-default],[Build real libdefault.so from wp_default_replace.c (default: disabled).])],
+    [ ENABLED_REPLACE_DEFAULT=$enableval ],
+    [ ENABLED_REPLACE_DEFAULT=no ]
+    )
 
-
+AM_CONDITIONAL([BUILD_REPLACE_DEFAULT], [test "x$ENABLED_REPLACE_DEFAULT" = "xyes"])
 
 
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -170,6 +176,7 @@ echo
 echo "   Features "
 echo "   * User settings:              $ENABLED_USERSETTINGS"
 echo "   * Dynamic provider:           $ENABLED_DYNAMIC_PROVIDER"
+echo "   * Replace default:            $ENABLED_REPLACE_DEFAULT"
 echo ""
 echo "---"
 

default_stub/.gitignore

@@ -0,0 +1,15 @@
+Makefile
+Makefile.in
+.deps/
+.libs/
+*.la
+*.lo
+*.o
+aclocal.m4
+autom4te.cache/
+config.log
+config.status
+configure
+libtool
+*.so
+*.so.*

default_stub/Makefile.am

@@ -0,0 +1,2 @@
+lib_LTLIBRARIES = libdefault.la
+libdefault_la_SOURCES = wp_default_stub.c

default_stub/README.md

@@ -0,0 +1,21 @@
+# libdefault - Default Provider Stub Library
+
+Minimal autotools build for a stub version of the default provider.
+
+## Building
+
+```bash
+# Generate build system
+./autogen.sh
+
+# Configure and build
+./configure
+make
+
+# Clean build artifacts
+make clean
+```
+
+## Output
+
+The build produces `libdefault.so` in the `.libs/` directory.

default_stub/autogen.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+autoreconf -fiv

default_stub/configure.ac

@@ -0,0 +1,7 @@
+AC_INIT([libdefault], [1.0], [support@wolfssl.com])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign])
+AC_PROG_CC
+AM_PROG_AR
+LT_INIT
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT

default_stub/wp_default_stub.c

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfProvider.
+ *
+ * wolfProvider is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfProvider is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <openssl/provider.h>
+
+/* Prototype of public function that initializes the wolfSSL provider. */
+OSSL_provider_init_fn wolfssl_provider_init;
+
+/* Prototype for the wolfprov_provider_init function */
+int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle,
+                          const OSSL_DISPATCH* in,
+                          const OSSL_DISPATCH** out,
+                          void** provCtx);
+
+/*
+ * Provider implementation stub
+ */
+int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle,
+                          const OSSL_DISPATCH* in,
+                          const OSSL_DISPATCH** out,
+                          void** provCtx)
+{
+    return 0;
+}

patches/ossl-replace-default-3.5.patch

@@ -0,0 +1,30 @@
+diff --git a/crypto/provider_predefined.c b/crypto/provider_predefined.c
+index 068e0b7..499a9ca 100644
+--- a/crypto/provider_predefined.c
++++ b/crypto/provider_predefined.c
+@@ -10,21 +10,15 @@
+ #include <openssl/core.h>
+ #include "provider_local.h"
+ 
+-OSSL_provider_init_fn ossl_default_provider_init;
++OSSL_provider_init_fn wolfprov_provider_init;
+ OSSL_provider_init_fn ossl_base_provider_init;
+ OSSL_provider_init_fn ossl_null_provider_init;
+-OSSL_provider_init_fn ossl_fips_intern_provider_init;
+-#ifdef STATIC_LEGACY
+-OSSL_provider_init_fn ossl_legacy_provider_init;
+-#endif
+ const OSSL_PROVIDER_INFO ossl_predefined_providers[] = {
+ #ifdef FIPS_MODULE
+-    { "fips", NULL, ossl_fips_intern_provider_init, NULL, 1 },
++    { "fips", NULL, wolfprov_provider_init, NULL, 1 },
+ #else
+-    { "default", NULL, ossl_default_provider_init, NULL, 1 },
+-# ifdef STATIC_LEGACY
+-    { "legacy", NULL, ossl_legacy_provider_init, NULL, 0 },
+-# endif
++    { "default", NULL, wolfprov_provider_init, NULL, 1 },
++    { "legacy", NULL, wolfprov_provider_init, NULL, 0 },
+     { "base", NULL, ossl_base_provider_init, NULL, 0 },
+     { "null", NULL, ossl_null_provider_init, NULL, 0 },
+ #endif

scripts/build-wolfprovider.sh

@@ -20,6 +20,7 @@ show_help() {
   echo "  --fips-version=VER         Choose the wolfSSL FIPS version"
   echo "  --debian                   Build a Debian package"
   echo "  --quicktest                Disable some tests for a faster testing suite"
+  echo "  --replace-default          Patch OpenSSL and build it so that wolfProvider is the default provider"
   echo ""
   echo "Environment Variables:"
   echo "  OPENSSL_TAG                OpenSSL tag to use (e.g., openssl-3.5.0)"
@@ -81,7 +82,6 @@ for arg in "$@"; do
             WOLFSSL_ISFIPS=1
             ;;
         --fips-bundle=*)
-            unset WOLFSSL_ISFIPS
             unset WOLFSSL_FIPS_CHECK_TAG
             IFS='=' read -r trash fips_bun <<< "$arg"
             if [ -z "$fips_bun" ]; then
@@ -113,6 +113,9 @@ for arg in "$@"; do
         --quicktest)
             WOLFPROV_QUICKTEST=1
             ;;
+        --replace-default)
+            WOLFPROV_REPLACE_DEFAULT=1
+            ;;
         *)
             args_wrong+="$arg, "
             ;;
@@ -144,6 +147,10 @@ source ${SCRIPT_DIR}/utils-wolfprovider.sh
 
 echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG"
 
+if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+    build_default_stub
+fi
+
 init_wolfprov
 
 exit $?