Initial option to replace openssl default provider

.github/workflows/replace-default.yml

@@ -0,0 +1,66 @@
+name: Replace Default Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  replace_default_test:
+    name: Replace Default Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    strategy:
+      matrix:
+        # Test both standard and replace-default builds
+        replace_default: ['', '--replace-default']
+        # Test with stable versions
+        wolfssl_ref: ['v5.8.0-stable']
+        openssl_ref: ['openssl-3.5.0']
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Build wolfProvider ${{ matrix.replace_default && 'with replace-default' || 'standard' }}
+        run: |
+          OPENSSL_TAG=${{ matrix.openssl_ref }} \
+            WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
+            ./scripts/build-wolfprovider.sh ${{ matrix.replace_default }}
+
+      - name: Run standalone test suite
+        run: |
+          ./test/standalone/runners/run_standalone_tests.sh
+
+      - name: Print errors on failure
+        if: ${{ failure() }}
+        run: |
+          # Build failure log
+          if [ -f scripts/build-release.log ]; then
+            echo "=== Build log (last 50 lines) ==="
+            tail -n 50 scripts/build-release.log
+          fi
+
+          # Test suite failure log
+          if [ -f test-suite.log ]; then
+            echo "=== Test suite log ==="
+            cat test-suite.log
+          fi
+
+          # Standalone test failures
+          if [ -d test/standalone/runners/test_results ]; then
+            for log in test/standalone/runners/test_results/*.log; do
+              if [ -f "$log" ]; then
+                echo "=== $log ==="
+                cat "$log"
+              fi
+            done
+          fi

.gitignore

@@ -61,6 +61,30 @@
 /wolfprov-install/
 /artifacts
 
+# Default stub autotools files
+default_stub/ar-lib
+default_stub/compile
+default_stub/config.guess
+default_stub/config.sub
+default_stub/depcomp
+default_stub/install-sh
+default_stub/ltmain.sh
+default_stub/missing
+
+# Build install directories
+*-install/
+
+# Libtool archive files
+*.la
+
+# Test artifacts in subdirectories
+test/**/*.log
+test/**/*.test
+test/**/*.trs
+test/**/*.o
+test/**/.deps/
+test/**/.dirstamp
+
 IDE/Android/android-ndk-r26b/
 IDE/Android/openssl-source/
 IDE/Android/openssl-install/

Makefile.am

@@ -1,5 +1,5 @@
 
-SUFFIXES = 
+SUFFIXES =
 TESTS =
 noinst_PROGRAMS =
 noinst_HEADERS =
@@ -14,6 +14,15 @@ AM_CPPFLAGS = -I$(top_srcdir)/include
 
 lib_LTLIBRARIES = libwolfprov.la
 
+# Conditionally build libdefault.so when --replace-default is enabled
+if BUILD_REPLACE_DEFAULT
+# Install libdefault.la directly to OpenSSL lib directory
+openssldir = $(OPENSSL_LIB_DIR)
+openssl_LTLIBRARIES = libdefault.la
+libdefault_la_SOURCES = src/wp_default_replace.c
+libdefault_la_LIBADD = libwolfprov.la
+endif
+
 EXTRA_DIST+=ChangeLog.md
 EXTRA_DIST+=README.md
 EXTRA_DIST+=IDE

configure.ac

@@ -123,8 +123,26 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[
                       ])
       ])
 
+# Replace default provider
+AC_ARG_ENABLE([replace-default],
+    [AS_HELP_STRING([--enable-replace-default],[Build real libdefault.so from wp_default_replace.c (default: disabled).])],
+    [ ENABLED_REPLACE_DEFAULT=$enableval ],
+    [ ENABLED_REPLACE_DEFAULT=no ]
+    )
 
-
+AM_CONDITIONAL([BUILD_REPLACE_DEFAULT], [test "x$ENABLED_REPLACE_DEFAULT" = "xyes"])
+
+# Set OpenSSL lib directory for installing libdefault.so
+if test "x$ENABLED_REPLACE_DEFAULT" = "xyes"; then
+    if test -d "$OPENSSL_INSTALL_DIR/lib64"; then
+        OPENSSL_LIB_DIR="$OPENSSL_INSTALL_DIR/lib64"
+    elif test -d "$OPENSSL_INSTALL_DIR/lib"; then
+        OPENSSL_LIB_DIR="$OPENSSL_INSTALL_DIR/lib"
+    else
+        OPENSSL_LIB_DIR="$OPENSSL_INSTALL_DIR/lib"
+    fi
+fi
+AC_SUBST([OPENSSL_LIB_DIR])
 
 
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -170,6 +188,7 @@ echo
 echo "   Features "
 echo "   * User settings:              $ENABLED_USERSETTINGS"
 echo "   * Dynamic provider:           $ENABLED_DYNAMIC_PROVIDER"
+echo "   * Replace default:            $ENABLED_REPLACE_DEFAULT"
 echo ""
 echo "---"
 

default_stub/.gitignore

@@ -0,0 +1,15 @@
+Makefile
+Makefile.in
+.deps/
+.libs/
+*.la
+*.lo
+*.o
+aclocal.m4
+autom4te.cache/
+config.log
+config.status
+configure
+libtool
+*.so
+*.so.*

default_stub/Makefile.am

@@ -0,0 +1,2 @@
+lib_LTLIBRARIES = libdefault.la
+libdefault_la_SOURCES = wp_default_stub.c

default_stub/README.md

@@ -0,0 +1,21 @@
+# libdefault - Default Provider Stub Library
+
+Minimal autotools build for a stub version of the default provider.
+
+## Building
+
+```bash
+# Generate build system
+./autogen.sh
+
+# Configure and build
+./configure
+make
+
+# Clean build artifacts
+make clean
+```
+
+## Output
+
+The build produces `libdefault.so` in the `.libs/` directory.

default_stub/autogen.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+autoreconf -fiv

default_stub/configure.ac

@@ -0,0 +1,7 @@
+AC_INIT([libdefault], [1.0], [[email protected]])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign])
+AC_PROG_CC
+AM_PROG_AR
+LT_INIT
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT

default_stub/wp_default_stub.c

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfProvider.
+ *
+ * wolfProvider is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfProvider is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <openssl/provider.h>
+
+/* Prototype of public function that initializes the wolfSSL provider. */
+OSSL_provider_init_fn wolfssl_provider_init;
+
+/* Prototype for the wolfprov_provider_init function */
+int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle,
+                          const OSSL_DISPATCH* in,
+                          const OSSL_DISPATCH** out,
+                          void** provCtx);
+
+/*
+ * Provider implementation stub
+ */
+int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle,
+                          const OSSL_DISPATCH* in,
+                          const OSSL_DISPATCH** out,
+                          void** provCtx)
+{
+    return 0;
+}

patches/README.md

@@ -0,0 +1,16 @@
+# OpenSSL Default Provider Replacement Patch
+
+> **Note**: For comprehensive Open Source Project (OSP) patches and integration work, visit the main wolfSSL OSP repository: **https://github.com/wolfSSL/osp/tree/master/wolfProvider**
+
+This directory contains the patch for replacing OpenSSL's default provider with wolfProvider.
+
+## Purpose
+
+The patch modifies OpenSSL's provider registration to substitute wolfProvider as the "default" provider, ensuring that all default provider operations are handled by wolfProvider instead of OpenSSL's built-in implementation.
+
+## Compatibility
+
+- **Supported Versions**: OpenSSL 3.0 and later
+- **Patch Target**: `crypto/provider_predefined.c`
+
+This directory contains only the OpenSSL default provider replacement functionality.

patches/openssl3-replace-default.patch

@@ -0,0 +1,30 @@
+diff --git a/crypto/provider_predefined.c b/crypto/provider_predefined.c
+index 068e0b7..499a9ca 100644
+--- a/crypto/provider_predefined.c
++++ b/crypto/provider_predefined.c
+@@ -10,21 +10,15 @@
+ #include <openssl/core.h>
+ #include "provider_local.h"
+
+-OSSL_provider_init_fn ossl_default_provider_init;
++OSSL_provider_init_fn wolfprov_provider_init;
+ OSSL_provider_init_fn ossl_base_provider_init;
+ OSSL_provider_init_fn ossl_null_provider_init;
+-OSSL_provider_init_fn ossl_fips_intern_provider_init;
+-#ifdef STATIC_LEGACY
+-OSSL_provider_init_fn ossl_legacy_provider_init;
+-#endif
+ const OSSL_PROVIDER_INFO ossl_predefined_providers[] = {
+ #ifdef FIPS_MODULE
+-    { "fips", NULL, ossl_fips_intern_provider_init, NULL, 1 },
++    { "fips", NULL, wolfprov_provider_init, NULL, 1 },
+ #else
+-    { "default", NULL, ossl_default_provider_init, NULL, 1 },
+-# ifdef STATIC_LEGACY
+-    { "legacy", NULL, ossl_legacy_provider_init, NULL, 0 },
+-# endif
++    { "default", NULL, wolfprov_provider_init, NULL, 1 },
++    { "legacy", NULL, wolfprov_provider_init, NULL, 0 },
+     { "base", NULL, ossl_base_provider_init, NULL, 0 },
+     { "null", NULL, ossl_null_provider_init, NULL, 0 },
+ #endif

scripts/build-wolfprovider.sh

@@ -8,7 +8,7 @@ show_help() {
   echo "Script Arguments:"
   echo "  --help, -help, -h          Display this help menu and exit"
   echo "  --clean                    Run make clean in OpenSSL, wolfSSL, and wolfProvider"
-  echo "  --distclean                Remove source directories of OpenSSL and wolfSSL"
+  echo "  --distclean                Remove source and install directories of OpenSSL, wolfSSL, and wolfProvider"
   echo "  --debug                    Builds OpenSSL, wolfSSL, and WolfProvider with debugging enabled. This is the same as setting WOLFPROV_DEBUG=1"
   echo "  --debug-asn-template       Enable debug information for asn within wolfSSL"
   echo "  --disable-err-trace        No debug trace messages from library errors in wolfSSL"
@@ -21,6 +21,7 @@ show_help() {
   echo "  --debian                   Build a Debian package"
   echo "  --debian --enable-fips     Build a Debian package with FIPS support"
   echo "  --quicktest                Disable some tests for a faster testing suite"
+  echo "  --replace-default          Patch OpenSSL and build it so that wolfProvider is the default provider"
   echo ""
   echo "Environment Variables:"
   echo "  OPENSSL_TAG                OpenSSL tag to use (e.g., openssl-3.5.0)"
@@ -30,7 +31,7 @@ show_help() {
   echo "  WOLFSSL_FIPS_VERSION       Version of wolfSSL FIPS bundle (v5, v6, ready), used as an argument for --enable-fips when configuring wolfSSL"
   echo "  WOLFSSL_FIPS_CHECK_TAG     Tag for wolfSSL FIPS bundle (linuxv5.2.1, v6.0.0, etc), used as an argument for fips-check.sh when cloning a wolfSSL FIPS version"
   echo "  WOLFPROV_CLEAN             If set to 1, run make clean in OpenSSL, wolfSSL, and wolfProvider"
-  echo "  WOLFPROV_DISTCLEAN         If set to 1, remove the source directories of OpenSSL and wolfSSL"
+  echo "  WOLFPROV_DISTCLEAN         If set to 1, remove the source and install directories of OpenSSL, wolfSSL, and wolfProvider"
   echo "  WOLFPROV_DEBUG             If set to 1, builds OpenSSL, wolfSSL, and wolfProvider with debug options enabled"
   echo "  WOLFPROV_QUICKTEST         If set to 1, disables some tests in the test suite to increase test speed"
   echo "  WOLFPROV_DISABLE_ERR_TRACE If set to 1, wolfSSL will not be configured with --enable-debug-trace-errcodes=backtrace"
@@ -82,7 +83,6 @@ for arg in "$@"; do
             WOLFSSL_ISFIPS=1
             ;;
         --fips-bundle=*)
-            unset WOLFSSL_ISFIPS
             unset WOLFSSL_FIPS_CHECK_TAG
             IFS='=' read -r trash fips_bun <<< "$arg"
             if [ -z "$fips_bun" ]; then
@@ -114,6 +114,9 @@ for arg in "$@"; do
         --quicktest)
             WOLFPROV_QUICKTEST=1
             ;;
+        --replace-default)
+            WOLFPROV_REPLACE_DEFAULT=1
+            ;;
         *)
             args_wrong+="$arg, "
             ;;
@@ -145,6 +148,10 @@ source ${SCRIPT_DIR}/utils-wolfprovider.sh
 
 echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG"
 
+if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+    build_default_stub
+fi
+
 init_wolfprov
 
 exit $?

scripts/env-setup

@@ -33,9 +33,9 @@ echo "PWD: $PWD"
 
 # Detect the openssl library path
 if [ -d $REPO_ROOT/openssl-install/lib ]; then
-    OPENSSL_LIB_PATH=$REPO_ROOT/openssl-install/lib
+    export OPENSSL_LIB_PATH=$REPO_ROOT/openssl-install/lib
 elif [ -d $REPO_ROOT/openssl-install/lib64 ]; then
-    OPENSSL_LIB_PATH=$REPO_ROOT/openssl-install/lib64
+    export OPENSSL_LIB_PATH=$REPO_ROOT/openssl-install/lib64
 else
     echo "Error: Could not find OpenSSL lib directory in $REPO_ROOT/openssl-install"
     exit 1
@@ -44,8 +44,9 @@ fi
 WOLFSSL_LIB_PATH="$REPO_ROOT/wolfssl-install/lib"
 WOLFPROV_LIB_PATH="$REPO_ROOT/wolfprov-install/lib"
 
-# Set variables with default values if not already set
-export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:=$WOLFSSL_LIB_PATH:$OPENSSL_LIB_PATH}"
+# Always reconstruct LD_LIBRARY_PATH with correctly detected OPENSSL_LIB_PATH
+# ${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} expands to :$LD_LIBRARY_PATH only if LD_LIBRARY_PATH was already set
+export LD_LIBRARY_PATH="$WOLFSSL_LIB_PATH:$OPENSSL_LIB_PATH${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
 
 # Auto-detect FIPS mode and use appropriate config
 if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then