Initial option to replace openssl default provider

Makefile.am

@@ -1,5 +1,5 @@
 
-SUFFIXES = 
+SUFFIXES =
 TESTS =
 noinst_PROGRAMS =
 noinst_HEADERS =
@@ -14,6 +14,13 @@ AM_CPPFLAGS = -I$(top_srcdir)/include
 
 lib_LTLIBRARIES = libwolfprov.la
 
+# Conditionally build libdefault.so when --replace-default is enabled
+if BUILD_REPLACE_DEFAULT
+lib_LTLIBRARIES += libdefault.la
+libdefault_la_SOURCES = src/wp_default_replace.c
+libdefault_la_LIBADD = libwolfprov.la
+endif
+
 EXTRA_DIST+=ChangeLog.md
 EXTRA_DIST+=README.md
 EXTRA_DIST+=IDE

configure.ac

@@ -123,8 +123,14 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xno" ],[
                       ])
       ])
 
+# Replace default provider
+AC_ARG_ENABLE([replace-default],
+    [AS_HELP_STRING([--enable-replace-default],[Build real libdefault.so from wp_default_replace.c (default: disabled).])],
+    [ ENABLED_REPLACE_DEFAULT=$enableval ],
+    [ ENABLED_REPLACE_DEFAULT=no ]
+    )
 
-
+AM_CONDITIONAL([BUILD_REPLACE_DEFAULT], [test "x$ENABLED_REPLACE_DEFAULT" = "xyes"])
 
 
 AX_HARDEN_CC_COMPILER_FLAGS
@@ -170,6 +176,7 @@ echo
 echo "   Features "
 echo "   * User settings:              $ENABLED_USERSETTINGS"
 echo "   * Dynamic provider:           $ENABLED_DYNAMIC_PROVIDER"
+echo "   * Replace default:            $ENABLED_REPLACE_DEFAULT"
 echo ""
 echo "---"
 

default_stub/.gitignore

@@ -0,0 +1,15 @@
+Makefile
+Makefile.in
+.deps/
+.libs/
+*.la
+*.lo
+*.o
+aclocal.m4
+autom4te.cache/
+config.log
+config.status
+configure
+libtool
+*.so
+*.so.*

default_stub/Makefile.am

@@ -0,0 +1,2 @@
+lib_LTLIBRARIES = libdefault.la
+libdefault_la_SOURCES = wp_default_stub.c

default_stub/README.md

@@ -0,0 +1,21 @@
+# libdefault - Default Provider Stub Library
+
+Minimal autotools build for a stub version of the default provider.
+
+## Building
+
+```bash
+# Generate build system
+./autogen.sh
+
+# Configure and build
+./configure
+make
+
+# Clean build artifacts
+make clean
+```
+
+## Output
+
+The build produces `libdefault.so` in the `.libs/` directory.

default_stub/autogen.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+autoreconf -fiv

default_stub/configure.ac

@@ -0,0 +1,7 @@
+AC_INIT([libdefault], [1.0], [[email protected]])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign])
+AC_PROG_CC
+AM_PROG_AR
+LT_INIT
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT

default_stub/wp_default_stub.c

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfProvider.
+ *
+ * wolfProvider is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfProvider is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <openssl/provider.h>
+
+/* Prototype of public function that initializes the wolfSSL provider. */
+OSSL_provider_init_fn wolfssl_provider_init;
+
+/* Prototype for the wolfprov_provider_init function */
+int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle,
+                          const OSSL_DISPATCH* in,
+                          const OSSL_DISPATCH** out,
+                          void** provCtx);
+
+/*
+ * Provider implementation stub
+ */
+int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle,
+                          const OSSL_DISPATCH* in,
+                          const OSSL_DISPATCH** out,
+                          void** provCtx)
+{
+    return 0;
+}

patches/ossl-replace-default-3.5.patch

@@ -0,0 +1,30 @@
+diff --git a/crypto/provider_predefined.c b/crypto/provider_predefined.c
+index 068e0b7..499a9ca 100644
+--- a/crypto/provider_predefined.c
++++ b/crypto/provider_predefined.c
+@@ -10,21 +10,15 @@
+ #include <openssl/core.h>
+ #include "provider_local.h"
+
+-OSSL_provider_init_fn ossl_default_provider_init;
++OSSL_provider_init_fn wolfprov_provider_init;
+ OSSL_provider_init_fn ossl_base_provider_init;
+ OSSL_provider_init_fn ossl_null_provider_init;
+-OSSL_provider_init_fn ossl_fips_intern_provider_init;
+-#ifdef STATIC_LEGACY
+-OSSL_provider_init_fn ossl_legacy_provider_init;
+-#endif
+ const OSSL_PROVIDER_INFO ossl_predefined_providers[] = {
+ #ifdef FIPS_MODULE
+-    { "fips", NULL, ossl_fips_intern_provider_init, NULL, 1 },
++    { "fips", NULL, wolfprov_provider_init, NULL, 1 },
+ #else
+-    { "default", NULL, ossl_default_provider_init, NULL, 1 },
+-# ifdef STATIC_LEGACY
+-    { "legacy", NULL, ossl_legacy_provider_init, NULL, 0 },
+-# endif
++    { "default", NULL, wolfprov_provider_init, NULL, 1 },
++    { "legacy", NULL, wolfprov_provider_init, NULL, 0 },
+     { "base", NULL, ossl_base_provider_init, NULL, 0 },
+     { "null", NULL, ossl_null_provider_init, NULL, 0 },
+ #endif

scripts/build-wolfprovider.sh

@@ -20,6 +20,7 @@ show_help() {
   echo "  --fips-version=VER         Choose the wolfSSL FIPS version"
   echo "  --debian                   Build a Debian package"
   echo "  --quicktest                Disable some tests for a faster testing suite"
+  echo "  --replace-default          Patch OpenSSL and build it so that wolfProvider is the default provider"
   echo ""
   echo "Environment Variables:"
   echo "  OPENSSL_TAG                OpenSSL tag to use (e.g., openssl-3.5.0)"
@@ -81,7 +82,6 @@ for arg in "$@"; do
             WOLFSSL_ISFIPS=1
             ;;
         --fips-bundle=*)
-            unset WOLFSSL_ISFIPS
             unset WOLFSSL_FIPS_CHECK_TAG
             IFS='=' read -r trash fips_bun <<< "$arg"
             if [ -z "$fips_bun" ]; then
@@ -113,6 +113,9 @@ for arg in "$@"; do
         --quicktest)
             WOLFPROV_QUICKTEST=1
             ;;
+        --replace-default)
+            WOLFPROV_REPLACE_DEFAULT=1
+            ;;
         *)
             args_wrong+="$arg, "
             ;;
@@ -144,6 +147,10 @@ source ${SCRIPT_DIR}/utils-wolfprovider.sh
 
 echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG"
 
+if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+    build_default_stub
+fi
+
 init_wolfprov
 
 exit $?

scripts/utils-openssl.sh

@@ -93,19 +93,74 @@ clone_openssl() {
     fi
 }
 
+patch_openssl() {
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+        printf "\tApplying OpenSSL default provider patch ... "
+        cd ${OPENSSL_SOURCE_DIR}
+
+        # Check if patch is already applied
+        if grep -q "wolfprov_provider_init" crypto/provider_predefined.c 2>/dev/null; then
+    printf "Already applied.\n"
+            return 0
+        fi
+
+        # Apply the patch
+        patch -p1 < ${SCRIPT_DIR}/../patches/ossl-replace-default-3.5.patch >>$LOG_FILE 2>&1
+        if [ $? != 0 ]; then
+            printf "ERROR.\n"
+            printf "\n\nPatch application failed. Last 40 lines of log:\n"
+            tail -n 40 $LOG_FILE
+            do_cleanup
+            exit 1
+        fi
+        printf "Done.\n"
+
+        cd ${SCRIPT_DIR}/..
+    fi
+}
+
 install_openssl() {
     printf "\nInstalling OpenSSL ${OPENSSL_TAG} ...\n"
     clone_openssl
+    patch_openssl
     cd ${OPENSSL_SOURCE_DIR}
 
     if [ ! -d ${OPENSSL_INSTALL_DIR} ]; then
         printf "\tConfigure OpenSSL ${OPENSSL_TAG} ... "
+
+        # Build configure command
+        CONFIG_CMD="./config shared --prefix=${OPENSSL_INSTALL_DIR}"
         if [ "$WOLFPROV_DEBUG" = "1" ]; then
-            ./config shared enable-trace --prefix=${OPENSSL_INSTALL_DIR} --debug >>$LOG_FILE 2>&1
-            RET=$?
+            CONFIG_CMD+=" enable-trace --debug"
+        fi
+        if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+            CONFIG_CMD+=" no-external-tests no-tests"
+
+            # Set up library paths to find the stub libdefault
+            STUB_LIB_DIR=${SCRIPT_DIR}/../libdefault-stub-install/lib
+            if [ -d "${STUB_LIB_DIR}" ]; then
+                export PKG_CONFIG_PATH="${STUB_LIB_DIR}/pkgconfig:${PKG_CONFIG_PATH}"
+                # Link the stub library directly into libcrypto using LDFLAGS and LDLIBS
+                CONFIGURE_LDFLAGS="-L${STUB_LIB_DIR}"
+                CONFIGURE_LDLIBS="-ldefault"
+            else
+                printf "ERROR - stub libdefault not found in: ${STUB_LIB_DIR}\n"
+                do_cleanup
+                exit 1
+            fi
+        fi
+
+        # Execute configure
+        if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+            $CONFIG_CMD LDFLAGS="${CONFIGURE_LDFLAGS}" LDLIBS="${CONFIGURE_LDLIBS}" >>$LOG_FILE 2>&1
         else
-            ./config shared --prefix=${OPENSSL_INSTALL_DIR} >>$LOG_FILE 2>&1
-            RET=$?
+            $CONFIG_CMD >>$LOG_FILE 2>&1
+        fi
+        RET=$?
+
+        # Clean up environment
+        if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+            unset LDFLAGS
         fi
         if [ $RET != 0 ]; then
             printf "ERROR.\n"
@@ -143,15 +198,18 @@ init_openssl() {
     install_openssl
     printf "\tOpenSSL ${OPENSSL_TAG} installed in: ${OPENSSL_INSTALL_DIR}\n"
 
-    OSSL_VER=`LD_LIBRARY_PATH=${OPENSSL_LIB_DIRS} $OPENSSL_BIN version | tail -n1`
-    case $OSSL_VER in
-        OpenSSL\ 3.*) ;;
-        *)
-            echo "OpenSSL ($OPENSSL_BIN) has wrong version: $OSSL_VER"
-            echo "Set: OPENSSL_DIR"
-            exit 1
-            ;;
-    esac
+    # Skip version check for replace-default mode since we only build libraries
+    if [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ]; then
+        OSSL_VER=`LD_LIBRARY_PATH=${OPENSSL_LIB_DIRS} $OPENSSL_BIN version | tail -n1`
+        case $OSSL_VER in
+            OpenSSL\ 3.*) ;;
+            *)
+                echo "OpenSSL ($OPENSSL_BIN) has wrong version: $OSSL_VER"
+                echo "Set: OPENSSL_DIR"
+                exit 1
+                ;;
+        esac
+    fi
 
     if [ -z $LD_LIBRARY_PATH ]; then
       export LD_LIBRARY_PATH=${OPENSSL_LIB_DIRS}

scripts/utils-wolfprovider.sh

@@ -25,6 +25,7 @@ source ${SCRIPT_DIR}/utils-general.sh
 
 WOLFPROV_SOURCE_DIR=${SCRIPT_DIR}/..
 WOLFPROV_INSTALL_DIR=${SCRIPT_DIR}/../wolfprov-install
+LIBDEFAULT_STUB_INSTALL_DIR=${SCRIPT_DIR}/../libdefault-stub-install
 WOLFPROV_CONFIG_OPTS=${WOLFPROV_CONFIG_OPTS:-"--with-openssl=${OPENSSL_INSTALL_DIR} --with-wolfssl=${WOLFSSL_INSTALL_DIR} --prefix=${WOLFPROV_INSTALL_DIR}"}
 WOLFPROV_CONFIG_CFLAGS=${WOLFPROV_CONFIG_CFLAGS:-''}
 
@@ -46,6 +47,55 @@ WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}
 WOLFPROV_CLEAN=${WOLFPROV_CLEAN:-0}
 WOLFPROV_DISTCLEAN=${WOLFPROV_DISTCLEAN:-0}
 
+build_default_stub() {
+    printf "\nBuilding default stub library ...\n"
+    cd ${SCRIPT_DIR}/../default_stub
+
+    printf "\tGenerate build system ... "
+    if [ ! -e "configure" ]; then
+        ./autogen.sh >>$LOG_FILE 2>&1
+        if [ $? != 0 ]; then
+            printf "\n\n...\n"
+            tail -n 40 $LOG_FILE
+            do_cleanup
+            exit 1
+        fi
+    fi
+    printf "Done.\n"
+
+    printf "\tConfigure default stub ... "
+    ./configure --prefix=${LIBDEFAULT_STUB_INSTALL_DIR} >>$LOG_FILE 2>&1
+    if [ $? != 0 ]; then
+        printf "\n\n...\n"
+        tail -n 40 $LOG_FILE
+        do_cleanup
+        exit 1
+    fi
+    printf "Done.\n"
+
+    printf "\tBuild default stub ... "
+    make >>$LOG_FILE 2>&1
+    if [ $? != 0 ]; then
+        printf "\n\n...\n"
+        tail -n 40 $LOG_FILE
+        do_cleanup
+        exit 1
+    fi
+    printf "Done.\n"
+
+    printf "\tInstall default stub ... "
+    make install >>$LOG_FILE 2>&1
+    if [ $? != 0 ]; then
+        printf "\n\n...\n"
+        tail -n 40 $LOG_FILE
+        do_cleanup
+        exit 1
+    fi
+    printf "Done.\n"
+
+    cd ${SCRIPT_DIR}/..
+}
+
 clean_wolfprov() {
     printf "\n"
 
@@ -78,6 +128,16 @@ install_wolfprov() {
         WOLFPROV_CONFIG_OPTS+=" --enable-debug"
     fi
 
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+        WOLFPROV_CONFIG_OPTS+=" --enable-replace-default"
+        # Add stub library path for replace-default functionality
+        if [ -z "$LD_LIBRARY_PATH" ]; then
+            export LD_LIBRARY_PATH="${LIBDEFAULT_STUB_INSTALL_DIR}/lib"
+        else
+            export LD_LIBRARY_PATH="${LIBDEFAULT_STUB_INSTALL_DIR}/lib:$LD_LIBRARY_PATH"
+        fi
+    fi
+
     ./configure ${WOLFPROV_CONFIG_OPTS} CFLAGS="${WOLFPROV_CONFIG_CFLAGS}" >>$LOG_FILE 2>&1
     RET=$?