diff --git a/.github/packages/debian-packages-20250731T171211Z-1-001.zip b/.github/packages/debian-packages-20250731T171211Z-1-001.zip
new file mode 100644
index 00000000..00938636
Binary files /dev/null and b/.github/packages/debian-packages-20250731T171211Z-1-001.zip differ
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
new file mode 100644
index 00000000..0535d7c7
--- /dev/null
+++ b/.github/workflows/debian-package.yml
@@ -0,0 +1,190 @@
+name: Debian Package Test
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ '*' ]
+ workflow_dispatch:
+
+jobs:
+ test-debian-package:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout wolfProvider
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - run: |
+ # Fetch tags
+ git fetch --tags
+ # List all tags
+ git tag -l
+
+ - name: Set up environment
+ run: |
+ # Update package lists
+ sudo apt-get update
+ # Install build dependencies
+ sudo apt-get install -y \
+ build-essential \
+ devscripts \
+ debhelper \
+ dh-autoreconf \
+ libtool \
+ pkg-config \
+ git \
+ wget \
+ curl \
+ ca-certificates \
+ openssl \
+ dpkg-dev \
+ lintian \
+ fakeroot \
+ equivs
+ # Install additional tools for testing
+ sudo apt-get install -y \
+ expect \
+ xxd
+
+ # TODO: this step rebuilds the package for the current architecture
+ # we may be able to remove it if we can ensure the package supports
+ # the architecture of the runner (most likely amd64)
+ - name: Install custom wolfssl
+ run: |
+ mkdir -p "$RUNNER_TEMP/wolfssl-pkg"
+ cd "$RUNNER_TEMP/wolfssl-pkg"
+ unzip $GITHUB_WORKSPACE/.github/packages/debian-packages-20250731T171211Z-1-001.zip
+ cd debian-packages
+ sudo dpkg-source -x wolfssl_5.8.2-1.dsc
+ cd wolfssl-5.8.2
+ sudo dpkg-buildpackage -b -us -uc
+ sudo dpkg -i ../libwolfssl*.deb
+
+ - name: Build Debian package
+ run: |
+ # Run the build script
+ # Bypass the warning prompt with 'yes Y'
+ yes Y | ./scripts/build-wolfprovider.sh --debian
+
+ # List generated packages
+ echo "Generated Packages:"
+ ls -la ../*.deb ../*.dsc ../*.tar.gz || true
+
+ - name: Install package
+ run: |
+ # Find the package file
+ PACKAGE_FILE=$(find ../ -name "libwolfprov_*.deb" | head -n1)
+ if [ -z "$PACKAGE_FILE" ]; then
+ echo "No package file found!"
+ ls -la ../
+ exit 1
+ fi
+
+ echo "Installing package: $PACKAGE_FILE and dependencies"
+ sudo apt install -y ./"$PACKAGE_FILE"
+
+ # Verify installation
+ echo "Package Installation Verification:"
+ dpkg -l | grep libwolfprov
+ dpkg -L libwolfprov
+
+ - name: Test OpenSSL provider functionality
+ run: |
+ PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider.conf"
+ PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
+
+ # Temporarily move wolfprovider config so we can toggle between providers
+ echo "3. Temporarily disabling wolfprovider for default provider tests:"
+ mkdir -p /tmp/openssl-test
+ if [ -f $PROVIDER_CONF ]; then
+ sudo mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP
+ echo " - Moved $PROVIDER_CONF to $PROVIDER_CONF_BACKUP"
+ else
+ echo "$PROVIDER_CONF not found!"
+ exit 1
+ fi
+
+ # Run the do-cmd-test.sh script to execute interoperability tests
+ echo "Running OpenSSL provider interoperability tests..."
+ OPENSSL_BIN=$(eval which openssl) ./scripts/cmd_test/do-cmd-tests.sh
+
+ # Restore wolfprovider configuration
+ echo "5. Restoring wolfprovider configuration:"
+ if [ -f $PROVIDER_CONF_BACKUP ]; then
+ sudo mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF
+ echo " - Restored $PROVIDER_CONF from $PROVIDER_CONF_BACKUP"
+ fi
+
+ echo "PASS: All provider interoperability tests successful"
+
+ - name: Uninstall package and verify cleanup
+ run: |
+ # Uninstall the package
+ sudo apt-get remove --purge -y libwolfprov
+
+ # Verify the package is removed
+ if dpkg -l | grep -q libwolfprov; then
+ echo "Package still installed after removal"
+ dpkg -l | grep libwolfprov
+ exit 1
+ else
+ echo "Package successfully removed"
+ fi
+
+ # Check if the config file is removed
+ if [ -f /etc/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+ echo "wolfprovider.conf still exists after package removal"
+ ls -la /etc/ssl/openssl.cnf.d/
+ exit 1
+ else
+ echo "wolfprovider.conf successfully removed"
+ fi
+
+ # Check if the library files are removed
+ if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+ echo "libwolfprov.so still exists after package removal"
+ find /usr/lib -name "libwolfprov.so*" 2>/dev/null || true
+ exit 1
+ else
+ echo "libwolfprov.so successfully removed"
+ fi
+
+ # Verify default OpenSSL provider is active
+ echo "Verifying Default Provider is Active:"
+ openssl list -providers
+
+ # Verify that the default provider is present and active
+ echo "Checking default provider status:"
+ if openssl list -providers | grep -q "default" && \
+ openssl list -providers | grep -q "OpenSSL Default Provider" && \
+ openssl list -providers | grep -q "status: active"; then
+ echo "Default provider is present and active"
+ else
+ echo "Default provider verification failed"
+ echo "Provider output:"
+ openssl list -providers
+ exit 1
+ fi
+
+ echo "Package uninstallation and cleanup verification successful"
+
+ - name: Move package artifacts
+ run: |
+ # Move the generated packages to the temp directory
+ mv ../*.deb $RUNNER_TEMP/ || true
+ mv ../*.dsc $RUNNER_TEMP/ || true
+ mv ../*.tar.gz $RUNNER_TEMP/ ||
true + + # Save the build outputs which for use in release packages + - name: Upload package artifacts + if: always() + uses: actions/upload-artifact@v4 + with: + name: debian-packages + path: | + ${{ runner.temp }}/*.deb + ${{ runner.temp }}/*.dsc + ${{ runner.temp }}/*.tar.gz + retention-days: 7 diff --git a/.gitignore b/.gitignore index 11a18bcb..6c79bf33 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,20 @@ examples/openssl_example cscope.out tags + +# Debian build files +libwolfprov*.tar.gz +debian/tmp +debian/*.dch +debian/autoreconf* +debian/tmp +debian/*debhelper* +debian/*.deb +debian/*.buildinfo +debian/files +debian/libwolfprov* +!debian/libwolfprov.install +!debian/libwolfprov.postinst +!debian/libwolfprov.postrm +!debian/libwolfprov-dev.docs +!debian/libwolfprov-dev.install diff --git a/README.md b/README.md index b6ce21ce..c1dc04f0 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,22 @@ It will retrieve the dependencies and compile them as necessary. To use other th OPENSSL_TAG=openssl-3.5.0 WOLFSSL_TAG=v5.8.0-stable WOLFPROV_DEBUG=1 scripts/build-wolfprovider.sh ``` +To clean the build, use the following: +``` +./scripts/build-wolfprovider.sh --clean +``` + +To remove all source directories, use the following: +``` +./scripts/build-wolfprovider.sh --distclean +``` + +To build a Debian package file, use the following command. +Note this will remove all ignored files in the repo, and there must be no staged changes. +``` +./scripts/build-wolfprovider.sh --debian +``` + Alternatively, you can manually compile each component using the following guide. ### OpenSSL diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000..8af10a4d --- /dev/null +++ b/debian/changelog @@ -0,0 +1,7 @@ +libwolfprov (1.0.2-1) unstable; urgency=medium + + * Initial release. + This is the first packaging of libwolfprov. + No Debian bugs are being closed in this upload. + + -- WolfSSL Developer Mon, 28 Jul 2025 13:52:20 -0700 
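Review bot: In `.github/workflows/debian-package.yml`, the "Install custom wolfssl" step unpacks the committed `debian-packages-20250731T171211Z-1-001.zip` and then builds and installs its contents under `sudo`, with nothing checking that the archive is the one that was reviewed; a binary blob in the tree cannot be diffed, so a later change to it would be easy to miss. Pin its digest before `unzip`, for example `echo "<expected-sha256>  $GITHUB_WORKSPACE/.github/packages/debian-packages-20250731T171211Z-1-001.zip" | sha256sum -c -`, and quote the path passed to `unzip`. The workflow also declares no `permissions:` block, so the job token keeps the repository default; a top-level `permissions:` with `contents: read` looks sufficient for the steps shown. In the provider test step, `OPENSSL_BIN=$(eval which openssl)` can be written `OPENSSL_BIN=$(command -v openssl)`, which drops the `eval`.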
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 00000000..48082f72
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+12
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000..58c894c9
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,35 @@
+Source: libwolfprov
+Section: libs
+Priority: optional
+Maintainer: WolfSSL
+Standards-Version: 4.6.2
+Build-Depends: debhelper (>= 12),
+ devscripts,
+ pkgconf,
+ openssl,
+ libssl-dev,
+ libwolfssl,
+ libwolfssl-dev
+
+Package: libwolfprov
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libwolfssl, openssl
+Description: wolfProvider library for OpenSSL
+ wolfProvider is a library that can be used as a Provider in OpenSSL.
+ It provides cryptographic functionality through wolfSSL including:
+ .
+ * Hash functions (MD5, SHA-1, SHA-2, SHA-3)
+ * Symmetric encryption (AES, DES)
+ * Asymmetric cryptography (RSA, ECC, DH)
+ * Key derivation functions (HKDF, PBKDF2)
+ * Message authentication codes (HMAC, CMAC, GMAC)
+ .
+ This package contains the runtime library.
+
+Package: libwolfprov-dev
+Architecture: any
+Section: libdevel
+Depends: libwolfprov (= ${binary:Version}), ${misc:Depends}
+Description: Development files for wolfProvider
+ This package contains the header files and development libraries
+ needed to build applications using wolfProvider.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 00000000..2a6be217
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,28 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: wolfProvider
+Source: https://github.com/wolfssl/wolfProvider
+
+Files: *
+Copyright: 2006-2025 wolfSSL Inc.
+License: GPL-3.0+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 3 can be found in `/usr/share/common-licenses/GPL-3'.
+
+Files: debian/*
+Copyright: 2025 WolfSSL
+License: GPL-3.0+
+ On Debian systems, the complete text of the GNU General Public
+ License version 3 can be found in `/usr/share/common-licenses/GPL-3'.
diff --git a/debian/libwolfprov-dev.docs b/debian/libwolfprov-dev.docs
new file mode 100644
index 00000000..37ea9e92
--- /dev/null
+++ b/debian/libwolfprov-dev.docs
@@ -0,0 +1,3 @@
+README.md
+ChangeLog.md
+examples/openssl_example.c
diff --git a/debian/libwolfprov-dev.install b/debian/libwolfprov-dev.install
new file mode 100644
index 00000000..761de37a
--- /dev/null
+++ b/debian/libwolfprov-dev.install
@@ -0,0 +1 @@
+usr/include/wolfprovider/*
diff --git a/debian/libwolfprov.install b/debian/libwolfprov.install
new file mode 100644
index 00000000..d2e32928
--- /dev/null
+++ b/debian/libwolfprov.install
@@ -0,0 +1,3 @@
+usr/lib/*/ossl-modules/libwolfprov.so*
+etc/ssl/openssl.cnf.d/
+etc/ssl/openssl.cnf.d/wolfprovider.conf
diff --git a/debian/libwolfprov.postinst b/debian/libwolfprov.postinst
new file mode 100755
index 00000000..4755e4ba
--- /dev/null
+++ b/debian/libwolfprov.postinst
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+CONF_FILE="/etc/ssl/openssl.cnf"
+INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/"
+
+if ! grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then
+ echo "Adding include for wolfprovider..."
+ sed -i "/^openssl_conf/ a $INCLUDE_LINE" "$CONF_FILE"
+fi
+
+exit 0
diff --git a/debian/libwolfprov.postrm b/debian/libwolfprov.postrm
new file mode 100755
index 00000000..48e6e07b
--- /dev/null
+++ b/debian/libwolfprov.postrm
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove|purge)
+ rm -f /etc/ssl/openssl.cnf.d/wolfprovider.conf
+ rmdir /etc/ssl/openssl.cnf.d 2>/dev/null || true
+ ;;
+esac
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 00000000..8d1ec460
--- /dev/null
+++ b/debian/rules
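Review bot: The `sed -i "/^openssl_conf/ a $INCLUDE_LINE"` call in `debian/libwolfprov.postinst` edits `/etc/ssl/openssl.cnf`, a system-wide file this package does not ship, and never checks the result: if no line starts with `openssl_conf` nothing is inserted and the script still exits 0, and if several lines match the include is appended after each of them. The edit also runs for every maintainer-script action because `$1` is never inspected. I would wrap it in `case "$1" in configure) … ;; esac` and verify afterwards with `grep -qF "$INCLUDE_LINE" "$CONF_FILE" || { echo "could not add include to $CONF_FILE" >&2; exit 1; }`. A header comment saying why the system-wide OpenSSL configuration is modified, and which script is expected to undo it, would help anyone auditing the package.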
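Review bot: `debian/libwolfprov.postrm` deletes `wolfprovider.conf` and the `openssl.cnf.d` directory but leaves the `.include /etc/ssl/openssl.cnf.d/` line that the postinst added to `/etc/ssl/openssl.cnf`, so after a purge the system configuration still pulls in whatever is later placed in that directory. The line should go when the directory does, for example `if rmdir /etc/ssl/openssl.cnf.d 2>/dev/null; then sed -i '\|^\.include /etc/ssl/openssl.cnf.d/$|d' /etc/ssl/openssl.cnf; fi` in place of the current `rmdir … || true`. The uninstall step of the workflow in this commit checks for the config file and the library but not for this line, so the leftover currently goes unnoticed.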
@@ -0,0 +1,46 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@ --with autoreconf
+
+# Multiarch triplet
+DEB_HOST_MULTIARCH := $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+# Destination directory for installation
+DESTDIR=debian/tmp
+
+override_dh_auto_configure:
+ ./autogen.sh
+ ./configure
+
+override_dh_auto_build:
+ make -j$(shell nproc)
+
+override_dh_auto_install:
+ # Install library
+ install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules
+ install -m755 ./.libs/libwolfprov.so* \
+ $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules/
+ install -m755 ./.libs/libwolfprov.la* \
+ $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules/
+
+ # Install headers
+ install -d $(DESTDIR)/usr/include/wolfprovider
+ install -m644 ./include/wolfprovider/*.h \
+ $(DESTDIR)/usr/include/wolfprovider/
+
+ # Install provider config file
+ install -d $(DESTDIR)/etc/ssl/openssl.cnf.d
+ install -m644 ./provider.conf \
+ $(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf
+
+override_dh_auto_clean:
+ dh_auto_clean
+ ./scripts/build-wolfprovider.sh --clean --distclean
+
+override_dh_auto_test:
+ @echo "Skipping dh_auto_test (tests already run during build phase)"
+
+# Avoid warnings of the form package-has-unnecessary-activation-of-ldconfig-trigger
+override_dh_makeshlibs:
+ dh_makeshlibs -n
+
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 00000000..163aaf8d
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/scripts/build-debian.sh b/scripts/build-debian.sh
new file mode 100755
index 00000000..5814e5cc
--- /dev/null
+++ b/scripts/build-debian.sh
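Review bot: `override_dh_auto_test` in `debian/rules` prints "tests already run during build phase", but the only build command in this file is `make -j$(shell nproc)` in `override_dh_auto_build`, so as far as this diff shows the packaged provider is never run against its own test suite. For a cryptographic module that is wired into the system OpenSSL configuration I would either run the suite here (in an autotools tree that is usually `$(MAKE) check`; confirm the target exists) or reword the message so it does not claim a test run. Separately, `libwolfprov.la*` is installed into `ossl-modules` although `debian/libwolfprov.install` only ships `libwolfprov.so*`, so that `install` line looks removable.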
@@ -0,0 +1,115 @@ +#!/bin/bash +# +# Copyright (C) 2006-2024 wolfSSL Inc. +# +# This file is part of wolfProvider. +# +# wolfProvider is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# wolfProvider is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with wolfProvider. If not, see . +set -euo pipefail + +PKG_NAME="libwolfprov" + +# Step 1: Determine the repo root +REPO_ROOT=$(git rev-parse --show-toplevel) +cd "$REPO_ROOT" + +# Step 2: Determine latest upstream tag +latest_tag=$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' | sort -V | tail -n1) +if [[ -z "$latest_tag" ]]; then + echo "โŒ Error: No tag found in format vX.Y.Z" + exit 1 +fi +latest_tag_commit=$(git rev-list -n 1 "$latest_tag") +current_commit=$(git rev-parse HEAD) + +UPSTREAM_VERSION="${latest_tag#v}" # e.g. 
1.0.2 + +# Step 3: Determine Debian revision automatically +if [[ -f debian/changelog ]]; then + last_version=$(dpkg-parsechangelog --show-field Version) + last_upstream="${last_version%%-*}" # strip Debian revision + last_revision="${last_version##*-}" # get Debian revision number + + if [[ "$last_upstream" == "$UPSTREAM_VERSION" ]]; then + # Same upstream version โ†’ increment Debian revision + DEB_REVISION=$((last_revision + 1)) + else + # New upstream version โ†’ reset Debian revision to 1 + DEB_REVISION=1 + fi +else + DEB_REVISION=1 +fi + +# Step 4: Compose full version string +if [[ "$current_commit" == "$latest_tag_commit" ]]; then + VERSION="${UPSTREAM_VERSION}-${DEB_REVISION}" + echo "๐Ÿ“Œ On tag $latest_tag โ€” using version: $VERSION" +else + echo "โš ๏ธ Not on latest tagged commit ($latest_tag)" + read -rp "โ“ Continue building snapshot version? Type Y to confirm: " CONFIRM + if [[ "$CONFIRM" != "Y" ]]; then + echo "๐Ÿšซ Aborting." + exit 1 + fi + VERSION="${UPSTREAM_VERSION}-${DEB_REVISION}" + echo "๐Ÿ“Œ Snapshot build โ€” using version: $VERSION" +fi + +TARBALL="${PKG_NAME}_${UPSTREAM_VERSION}.orig.tar.gz" +TARBALL_PREFIX="${PKG_NAME}-${UPSTREAM_VERSION}" + +# Step 5: Warn if not on master +current_branch=$(git rev-parse --abbrev-ref HEAD) +if [[ "$current_branch" != "master" ]]; then + echo "โš ๏ธ Warning: On branch '$current_branch', not 'master'" +fi + +# Step 6: Check for uncommitted changes +if ! git diff --quiet || ! git diff --cached --quiet; then + echo "โš ๏ธ Error: Uncommitted changes in working tree:" + git status --short + exit 1 +fi + +# Step 7: Clean untracked files +echo "๐Ÿงน Cleaning untracked files..." +git clean -fdx + +# Step 8: Update debian/changelog +echo "๐Ÿ“ Updating debian/changelog..." 
+mkdir -p debian +export DEBFULLNAME="${DEBFULLNAME:-WolfSSL Developer}" +export DEBEMAIL="${DEBEMAIL:-support@wolfssl.com}" + +if [[ -f debian/changelog ]]; then + dch -v "$VERSION" --distribution unstable --urgency=medium "Release version $VERSION" +else + dch --create -v "$VERSION" --package "$PKG_NAME" --distribution unstable --urgency=medium "Initial release." +fi + +# Step 9: Create tarball +if [[ -f "../$TARBALL" ]]; then + echo "๐Ÿ—‘๏ธ Removing existing tarball: $TARBALL" + rm -f "../$TARBALL" +fi +echo "๐Ÿ“ฆ Creating tarball $TARBALL from commit $current_commit..." +git archive --format=tar.gz --prefix="${TARBALL_PREFIX}/" \ + -o "../$TARBALL" "$current_commit" + +# Step 10: Build package +echo "โš™๏ธ Building package..." +debuild -us -uc + +echo "โœ… Build completed for version $VERSION" diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh index ed06b77a..a499eb2a 100755 --- a/scripts/build-wolfprovider.sh +++ b/scripts/build-wolfprovider.sh @@ -18,6 +18,7 @@ show_help() { echo " --fips-bundle=DIR Build wolfProvider with a directory containing a wolfSSL FIPS bundle instead of cloning from GitHub. Requires a FIPS version to be given by --fips-version" echo " --fips-check=TAG Choose a FIPS tag to clone. May require a version to be given by --fips-version" echo " --fips-version=VER Choose the wolfSSL FIPS version" + echo " --debian Build a Debian package" echo " --quicktest Disable some tests for a faster testing suite" echo "" echo "Environment Variables:" @@ -106,6 +107,9 @@ for arg in "$@"; do fi WOLFSSL_FIPS_VERSION="$fips_ver" ;; + --debian) + build_debian=1 + ;; --quicktest) WOLFPROV_QUICKTEST=1 ;; @@ -122,6 +126,12 @@ if [ -n "$args_wrong" ]; then exit 1 fi +if [ -n "$build_debian" ]; then + echo "Building Debian package..." + ./scripts/build-debian.sh + exit $? +fi + if [ -n "$args" ]; then args="`echo $args | head -c -2 -`" echo "Building wolfProvider with: $args"
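Review bot: In Step 4 of `scripts/build-debian.sh` both branches set `VERSION="${UPSTREAM_VERSION}-${DEB_REVISION}"`, so a package built from an arbitrary commit after the confirmation prompt carries the same version string as one built from the release tag and cannot be told apart once it is installed. In the snapshot branch I would mark the upstream part before `VERSION` and `TARBALL` are derived, for example `UPSTREAM_VERSION="${UPSTREAM_VERSION}+git${current_commit:0:8}"`. Step 6 only runs `git diff`, which does not see untracked files, and Step 7 then deletes them together with everything ignored via `git clean -fdx`; showing the list first with `git clean -ndx` and asking for confirmation would avoid silent data loss on a developer machine. `last_revision` goes straight from `dpkg-parsechangelog` into `$(( … ))` and should be matched against `^[0-9]+$` before the arithmetic.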
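Review bot: The new `if [ -n "$build_debian" ]` block in `scripts/build-wolfprovider.sh` hands off to `./scripts/build-debian.sh` and exits before any other parsed option is used, and `debian/rules` in this commit runs a plain `./configure`, so a call such as `--debian --fips-check=TAG` appears to produce a non-FIPS package without any warning. I would reject that combination, or at least warn, when `--debian` is given together with other build options. `build_debian` is also never initialised in the lines shown (the `--debian)` arm in the second hunk only sets it), so a value inherited from the environment would take this path; `build_debian=` before the option loop fixes that, assuming the part of the script outside these hunks does not already do it. The script path is relative, so the branch only works when invoked from the repository root.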