diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 74fa7f46..b08030c2 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml 
@@ -58,37 +58,32 @@ jobs: - name: Install wolfssl debian package run: | - mkdir -p "$RUNNER_TEMP/wolfssl-pkg" - cd "$RUNNER_TEMP/wolfssl-pkg" + mkdir -p "/tmp/wolfssl-pkg" + cd "/tmp/wolfssl-pkg" - echo "Using standard wolfSSL package" - tar -xvf $GITHUB_WORKSPACE/.github/packages/debian-wolfssl.tar.gz - - # Get current architecture - CURRENT_ARCH=$(dpkg --print-architecture) - echo "Current architecture: $CURRENT_ARCH" + # Install wolfssl packages + chmod +x $GITHUB_WORKSPACE/debian/install-wolfssl.sh + $GITHUB_WORKSPACE/debian/install-wolfssl.sh \ + $GITHUB_WORKSPACE/.github/packages/debian-wolfssl.tar.gz \ + "/tmp/wolfssl-pkg" + + # Create wolfprov-packages directory and move wolfssl files there + mkdir -p "/tmp/wolfprov-packages" + echo "Moving wolfssl files to artifacts directory..." - # Look for existing .deb files that match the current architecture - cd debian-packages - MATCHING_DEB_FILES=$(find . -name "*_${CURRENT_ARCH}.deb" -o -name "*_${CURRENT_ARCH}_*.deb" 2>/dev/null || true) + # Copy all wolfssl-related files (source and binary packages) + find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.deb" -exec cp {} /tmp/wolfprov-packages/ \; + find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.dsc" -exec cp {} /tmp/wolfprov-packages/ \; + find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.tar.gz" -exec cp {} /tmp/wolfprov-packages/ \; + find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.orig.tar.gz" -exec cp {} /tmp/wolfprov-packages/ \; - if [ -n "$MATCHING_DEB_FILES" ]; then - echo "Found matching .deb files for architecture $CURRENT_ARCH:" - echo "$MATCHING_DEB_FILES" - echo "Installing existing .deb files..." - dpkg -i $MATCHING_DEB_FILES - else - echo "No matching .deb files found for architecture $CURRENT_ARCH, rebuilding from source..." 
- dpkg-source -x wolfssl*.dsc - cd wolfssl*/ - dpkg-buildpackage -b -us -uc - dpkg -i ../libwolfssl*.deb - fi + echo "WolfSSL files in artifacts directory:" + ls -la /tmp/wolfprov-packages/*wolfssl* || true - name: Build Debian package run: | # Bypass the warning prompt with 'yes Y' - yes Y | ./scripts/build-wolfprovider.sh --debian + yes Y | ./scripts/build-wolfprovider.sh --debian $FIPS_FLAG # List generated packages echo "Generated Packages:" @@ -114,7 +109,7 @@ jobs: - name: Test OpenSSL provider functionality run: | - PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider.conf" + PROVIDER_CONF="/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf" PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup" # Temporarily move wolfprovider config so we can toggle between providers @@ -156,9 +151,9 @@ jobs: fi # Check if the config file is removed - if [ -f /etc/ssl/openssl.cnf.d/wolfprovider.conf ]; then + if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then echo "wolfprovider.conf still exists after package removal" - ls -la /etc/ssl/openssl.cnf.d/ + ls -la /usr/lib/ssl/openssl.cnf.d/ exit 1 else echo "wolfprovider.conf successfully removed" @@ -194,10 +189,12 @@ jobs: - name: Move package artifacts run: | - # Move the generated packages to the temp directory - mv ../*.deb $RUNNER_TEMP/ || true - mv ../*.dsc $RUNNER_TEMP/ || true - mv ../*.tar.gz $RUNNER_TEMP/ || true + # Create a clean artifacts directory + mkdir -p "/tmp/wolfprov-packages" + # Move the generated packages to the artifacts directory + mv ../*.deb /tmp/wolfprov-packages/ || true + mv ../*.dsc /tmp/wolfprov-packages/ || true + mv ../*.tar.gz /tmp/wolfprov-packages/ || true # Save the build outputs which for use in release packages - name: Upload package artifacts 
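Review bot: The job-scoped `$RUNNER_TEMP` is replaced by the fixed, world-writable paths `/tmp/wolfssl-pkg` and `/tmp/wolfprov-packages` (also in the artifact hunks at `@@ -194` and `@@ -206`), so a stale or pre-existing directory from an earlier run on a persistent runner can feed files into `dpkg -i` and into the uploaded artifact, and `mkdir -p` will not notice. Keeping `$RUNNER_TEMP`, or creating the directory with `mktemp -d -p "$RUNNER_TEMP"`, preserves the per-job isolation the old code had. Two smaller points: `chmod +x $GITHUB_WORKSPACE/debian/install-wolfssl.sh` is redundant because the script is committed with mode 100755, and the fourth `find` for `*.orig.tar.gz` is already covered by the `*.tar.gz` one above it. Where `$FIPS_FLAG` is set for this job is not visible in the hunk; if it is unset the build silently runs non-FIPS, so a comment naming its source would help.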
@@ -206,7 +203,7 @@ jobs: with: name: wolfprovider-debian-packages path: | - ${{ runner.temp }}/*.deb - ${{ runner.temp }}/*.dsc - ${{ runner.temp }}/*.tar.gz + /tmp/wolfprov-packages/*.deb + /tmp/wolfprov-packages/*.dsc + /tmp/wolfprov-packages/*.tar.gz retention-days: 7 diff --git a/.gitignore b/.gitignore index 483d9a6c..6ac61580 100644 --- a/.gitignore +++ b/.gitignore @@ -109,8 +109,27 @@ debian/*.deb debian/*.buildinfo debian/files debian/libwolfprov* +debian/libssl-dev* +debian/openssl* +debian/libssl3* +debian/libdefault0* +debian/libdefault-wolf0* !debian/libwolfprov.install !debian/libwolfprov.postinst !debian/libwolfprov.postrm !debian/libwolfprov-dev.docs !debian/libwolfprov-dev.install +!debian/openssl.cnf +!debian/openssl.install +!debian/openssl.postinst +!debian/openssl.postrm +!debian/libssl3.postinst +!debian/libssl3.postrm +!debian/libssl3.install +!debian/libssl3.docs +!debian/libssl3.install +!debian/libssl3.postinst +!debian/libssl3.postrm +!debian/libdefault0.install +!debian/libdefault-wolf0.install + diff --git a/Makefile.am b/Makefile.am index 6d3e43af..62b00b38 100644 --- a/Makefile.am +++ b/Makefile.am @@ -14,15 +14,6 @@ AM_CPPFLAGS = -I$(top_srcdir)/include lib_LTLIBRARIES = libwolfprov.la -# Conditionally build libdefault.so when --replace-default is enabled -if BUILD_REPLACE_DEFAULT -# Install libdefault.la directly to OpenSSL lib directory -openssldir = $(OPENSSL_LIB_DIR) -openssl_LTLIBRARIES = libdefault.la -libdefault_la_SOURCES = src/wp_default_replace.c -libdefault_la_LIBADD = libwolfprov.la -endif - EXTRA_DIST+=ChangeLog.md EXTRA_DIST+=README.md EXTRA_DIST+=IDE diff --git a/README-packaging.md b/README-packaging.md new file mode 100644 index 00000000..41581fe0 --- /dev/null +++ b/README-packaging.md 
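Review bot: `!debian/libssl3.install`, `!debian/libssl3.postinst` and `!debian/libssl3.postrm` are each listed twice in the new block; the second copies can be dropped. `debian/libssl-dev*` is now ignored, but the new `debian/libssl-dev.install` added by this commit has no matching `!` entry, unlike every other install file here; git keeps tracking it once committed, but the list is inconsistent and a future delete-and-re-add would be hidden. Add `!debian/libssl-dev.install` next to the other negations.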
@@ -0,0 +1,88 @@ +# WolfProvider Debian Packaging +This is the flow for building and installing + +## Local build + +From the repo root, run the following command: +``` +./scripts/build-wolfprovider.sh --debian +``` + +For a FIPS build, run the following: +``` +./scripts/build-wolfprovider.sh --debian --enable-fips +``` + +The Debian packages are placed in the parent directory, which should be one level above the repo root. + +## CI build +Instead of doing a local build as outlined above, we can alternatively use packages generated from CI. + +To use a build from CI for local install, download the artifacts from the Debian CI job. Then install the .deb's from the zip file with `apt` as shown below rather than from the build. + +## Install + +If not already done, install the WolfSSL Debian package. The non-FIPS version is available in this repo and is installed by the script below. This step is only needed once, and can be done prior to the `build-wolfprovider.sh` step above. +``` +./debian/install-wolfssl.sh ./.github/packages/debian-wolfssl.tar.gz +``` + +For the script above, some systems may require additional packages: +``` +apt install build-essential devscripts dh-exec +``` + +### Optionally install custom OpenSSL + +**Important**: before proceeding with the wolfProvider install, make sure packages are not present: +``` +apt purge -y libwolfprov ; apt purge -y openssl-config ; apt purge -y openssl ; apt purge -y libssl3 +``` + +Get the system architecture which determines the library paths for the following steps: +``` +export CURRENT_ARCH=$(dpkg --print-architecture) +``` + +Then install the wolfProvider-specific OpenSSL. From the repo root: +``` +apt install ../openssl*${CURRENT_ARCH}*.deb ../libssl3*${CURRENT_ARCH}*.deb +``` + +Check that the provider API is disabled since wolfProvider is not installed: +``` +$ openssl list -providers +Could not load libwolfprov.so. Is the libwolfprov package installed? 
+ libwolfprov.so: cannot open shared object file: No such file or directory +``` + +### Install wolfProvider + +Then install wolfProvider: +``` +apt install ../libwolfprov*${CURRENT_ARCH}*.deb +``` + +Confirm that wolfProvider is installed: +``` +$ openssl list -providers +``` + +Output should look like this: +``` +Providers: + default + name: wolfSSL Provider + version: 1.0.2 + status: active +``` + +## Release process +Always use CI to perform the release build to avoid potential errors from building locally. + +* Tag the wolfProvider repo in the format `vX.Y.Z` + * The changelog is generated by the Debian scripts +* Run the Debian job in CI +* Download the artifacts zip file which contains the .deb's +* Generate release archives as needed + diff --git a/README.md b/README.md index 99f6fe6a..342a1b27 100644 --- a/README.md +++ b/README.md @@ -78,12 +78,6 @@ To remove all source directories, use the following: ./scripts/build-wolfprovider.sh --distclean ``` -To build a Debian package file, use the following command. -Note this will remove all ignored files in the repo, and there must be no staged changes. -``` -./scripts/build-wolfprovider.sh --debian -``` - Alternatively, you can manually compile each component using the following guide. ### OpenSSL diff --git a/configure.ac b/configure.ac index 17e31303..dc3f566a 100644 --- a/configure.ac +++ b/configure.ac @@ -29,6 +29,12 @@ AC_LANG(C) # OpenSSL AC_CHECK_HEADERS([openssl/core.h]) +# Add libdefault-stub-install to LDFLAGS if replace-default will be enabled +# (This needs to happen before OpenSSL check) +if test "x$enable_replace_default" = "xyes"; then + LDFLAGS="$LDFLAGS -L./libdefault-stub-install/lib -ldefault" +fi + AX_CHECK_OPENSSL( [have_openssl=yes], AC_MSG_FAILURE([could not locate OpenSSL]) 
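Review bot: `-ldefault` is appended to `LDFLAGS` before `AX_CHECK_OPENSSL` runs, so every subsequent configure link test — including the OpenSSL detection itself — has to find the stub library, and if `./libdefault-stub-install/lib` is absent the failure surfaces as `could not locate OpenSSL` rather than as a missing stub. Libraries belong in `LIBS` (`LIBS="-ldefault $LIBS"`), and the relative `-L./libdefault-stub-install/lib` only resolves when configure is invoked from the repo root, which is worth a comment. The second hunk at `@@ -130,6` adds the same `-L` path to `LDFLAGS` again, so a replace-default build carries it twice; one of the two assignments can go.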
@@ -130,6 +136,11 @@ AC_ARG_ENABLE([replace-default], [ ENABLED_REPLACE_DEFAULT=no ] ) +# Add libdefault-stub-install to LDFLAGS when replace-default is enabled +if test "x$ENABLED_REPLACE_DEFAULT" = "xyes"; then + LDFLAGS="$LDFLAGS -L./libdefault-stub-install/lib" +fi + AM_CONDITIONAL([BUILD_REPLACE_DEFAULT], [test "x$ENABLED_REPLACE_DEFAULT" = "xyes"]) # Set OpenSSL lib directory for installing libdefault.so diff --git a/debian/clean b/debian/clean new file mode 100644 index 00000000..fb82819e --- /dev/null +++ b/debian/clean @@ -0,0 +1 @@ +wolfProvider/scripts/build-release.log diff --git a/debian/compat b/debian/compat deleted file mode 100644 index 48082f72..00000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -12 diff --git a/debian/control b/debian/control index 1f0a18d8..5301b759 100644 --- a/debian/control +++ b/debian/control 
@@ -3,23 +3,47 @@ Section: libs Priority: optional Maintainer: WolfSSL Standards-Version: 4.6.2 -Build-Depends: debhelper (>= 12), - devscripts, - pkgconf, - openssl, - libwolfssl, - libwolfssl-dev +Rules-Requires-Root: no +Build-Depends: + debhelper-compat (= 13), + devscripts, + dh-exec, + openssl, + git, + pkgconf, + libwolfssl-dev +Package: libdefault0 +Section: libs +Architecture: any +Multi-Arch: same +Depends: ${shlibs:Depends}, ${misc:Depends} +Conflicts: libdefault-wolf0 +Replaces: libdefault-wolf0 +Description: Default provider stub library (libdefault) for OpenSSL + This package provides the default libdefault shared library used by libcrypto. + It is the baseline/stub implementation intended for systems without wolfProvider. + +Package: libdefault-wolf0 +Section: libs +Architecture: any +Multi-Arch: same +Depends: ${shlibs:Depends}, ${misc:Depends} +Conflicts: libdefault0 +Replaces: libdefault0 +Description: WolfSSL-backed libdefault replacement for OpenSSL + This package provides a WolfSSL-backed replacement of libdefault. + Installing it will replace the stub libdefault, giving precedence to the wolf variant. Package: libwolfprov Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl +Multi-Arch: same +Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl, libdefault-wolf0 Provides: ${variant:provides} XB-Variant: ${variant} Description: wolfProvider library for OpenSSL — ${variant:desc} wolfProvider is a library that can be used as a Provider in OpenSSL. It provides cryptographic functionality through wolfSSL including: - . * Hash functions (MD5, SHA-1, SHA-2, SHA-3) * Symmetric encryption (AES, DES) * Asymmetric cryptography (RSA, ECC, DH) 
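Review bot: `git` is added to `Build-Depends`, and the `install_openssl_deb` path in scripts/utils-openssl.sh (later in this diff) runs `clone_openssl`, which performs `git clone -b ${CLONE_TAG}` during the package build; the package contents therefore depend on network access and on a mutable tag rather than on a pinned, verified commit. For a reproducible and auditable build the OpenSSL source should be part of the source package, or at least the resolved commit should be checked against a recorded hash before the build proceeds. Until then, a sentence in README-packaging.md stating that `--debian` fetches OpenSSL from `$OPENSSL_GIT_URL` at build time would make the dependency explicit to anyone consuming the artifacts.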
@@ -31,7 +55,40 @@ Description: wolfProvider library for OpenSSL — ${variant:desc} Package: libwolfprov-dev Architecture: any Section: libdevel +Multi-Arch: same Depends: libwolfprov (= ${binary:Version}), ${misc:Depends} -Description: Development files for wolfProvider - This package contains the header files and development libraries - needed to build applications using wolfProvider. +XB-Variant: ${variant} +Description: Development files for wolfProvider — ${variant:desc} + This package contains the headers and development files + for applications using wolfProvider. + +Package: openssl +Architecture: any +Section: utils +Multi-Arch: foreign +Depends: ${shlibs:Depends}, ${misc:Depends}, libdefault0 | libdefault-wolf0 +Description: Secure Sockets Layer toolkit - command line interface + This package contains the OpenSSL command line utility. + Built for use with wolfProvider. + +Package: libssl3 +Architecture: any +Multi-Arch: same +Depends: ${shlibs:Depends}, ${misc:Depends}, libdefault0 | libdefault-wolf0 +Breaks: libssl3 (<< 3.0.0) +Replaces: libssl3 +Recommends: openssl +Description: OpenSSL shared libraries (wolfProvider build) + This package contains the OpenSSL shared libraries built + for use with wolfProvider. + +Package: libssl-dev +Architecture: any +Section: libdevel +Multi-Arch: same +Depends: libssl3 (= ${binary:Version}), ${misc:Depends} +Breaks: libssl-dev (<< 3.0.0) +Replaces: libssl-dev +Description: OpenSSL development files (wolfProvider build) + This package contains headers, pkg-config files and linker symlinks + for the OpenSSL version built for wolfProvider. diff --git a/debian/install-wolfssl.sh b/debian/install-wolfssl.sh new file mode 100755 index 00000000..440a9c79 --- /dev/null +++ b/debian/install-wolfssl.sh 
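Review bot: `Replaces: libssl3` and `Breaks: libssl3 (<< 3.0.0)` inside `Package: libssl3` refer to the package's own name and are no-ops, as are `Replaces: libssl-dev` / `Breaks: libssl-dev (<< 3.0.0)` in `libssl-dev`. What these stanzas actually do is supersede the distribution's `libssl3` and `openssl` with a locally built version (`-v$(OPENSSL_VERSION)-1` in debian/rules), so a host stops receiving the distribution's OpenSSL security updates for as long as the higher version is installed; that consequence belongs in the `Description` (e.g. `Supersedes the distribution OpenSSL; security updates must come from this packaging.`) and in README-packaging.md. `libwolfprov` still depends on `libssl3 (>= 3.0.3)`, which a distribution libssl3 satisfies even though it presumably lacks the libdefault linkage this build relies on; consider `libssl3 (= ${openssl:Version}-1)` or a similar tighter relation.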
@@ -0,0 +1,126 @@ +#!/bin/bash + +# Script to install wolfSSL packages for Debian +# Checks if packages are already installed and installs appropriate architecture-specific packages + +set -e + +# Function to check if packages are installed +check_packages_installed() { + if dpkg -l | grep -q "^ii.*libwolfssl " && dpkg -l | grep -q "^ii.*libwolfssl-dev "; then + echo "libwolfssl and libwolfssl-dev packages are already installed" + dpkg -l | grep wolfssl + return 0 + else + return 1 + fi +} + +# Function to install wolfSSL packages +install_wolfssl_packages() { + local wolfssl_tar_path="$1" + local dest_dir="$2" + + if [ ! -f "$wolfssl_tar_path" ]; then + echo "Error: wolfSSL package archive not found at $wolfssl_tar_path" + exit 1 + fi + + # If no destination directory specified, create one using mktemp + if [ -z "$dest_dir" ]; then + dest_dir=$(mktemp -d) + echo "No destination directory specified, created temporary directory: $dest_dir" + else + echo "Using specified destination directory: $dest_dir" + # Create the directory if it doesn't exist + mkdir -p "$dest_dir" + fi + + echo "Extracting wolfSSL package to: $dest_dir" + tar -xvf "$wolfssl_tar_path" -C "$dest_dir" + + # Get current architecture + CURRENT_ARCH=$(dpkg --print-architecture) + echo "Current architecture: $CURRENT_ARCH" + + # Look for existing .deb files that match the current architecture + cd "$dest_dir/debian-packages" + MATCHING_DEB_FILES=$(find . -name "*_${CURRENT_ARCH}.deb" -o -name "*_${CURRENT_ARCH}_*.deb" 2>/dev/null || true) + + if [ -n "$MATCHING_DEB_FILES" ]; then + echo "Found matching .deb files for architecture $CURRENT_ARCH:" + echo "$MATCHING_DEB_FILES" + echo "Installing existing .deb files..." 
+ + # Install both libwolfssl and libwolfssl-dev packages for the current architecture + LIBWOLFSSL_DEB=$(echo "$MATCHING_DEB_FILES" | grep "libwolfssl_[^-]" | head -n1) + LIBWOLFSSL_DEV_DEB=$(echo "$MATCHING_DEB_FILES" | grep "libwolfssl-dev_" | head -n1) + + if [ -n "$LIBWOLFSSL_DEB" ]; then + echo "Installing libwolfssl package: $LIBWOLFSSL_DEB" + dpkg -i "$LIBWOLFSSL_DEB" + else + echo "No libwolfssl package found for architecture $CURRENT_ARCH" + exit 1 + fi + + if [ -n "$LIBWOLFSSL_DEV_DEB" ]; then + echo "Installing libwolfssl-dev package: $LIBWOLFSSL_DEV_DEB" + dpkg -i "$LIBWOLFSSL_DEV_DEB" + else + echo "No libwolfssl-dev package found for architecture $CURRENT_ARCH" + exit 1 + fi + else + echo "No matching .deb files found for architecture $CURRENT_ARCH, rebuilding from source..." + dpkg-source -x wolfssl*.dsc + cd wolfssl*/ + dpkg-buildpackage -b -us -uc + + # Install both libwolfssl and libwolfssl-dev packages + LIBWOLFSSL_DEB=$(find .. -name "libwolfssl_*${CURRENT_ARCH}.deb" | grep -v "dev" | head -n1) + LIBWOLFSSL_DEV_DEB=$(find .. -name "libwolfssl-dev*_${CURRENT_ARCH}.deb" | head -n1) + + if [ -n "$LIBWOLFSSL_DEB" ]; then + echo "Installing libwolfssl package: $LIBWOLFSSL_DEB" + dpkg -i "$LIBWOLFSSL_DEB" + else + echo "No libwolfssl package found after building for architecture $CURRENT_ARCH" + exit 1 + fi + + if [ -n "$LIBWOLFSSL_DEV_DEB" ]; then + echo "Installing libwolfssl-dev package: $LIBWOLFSSL_DEV_DEB" + dpkg -i "$LIBWOLFSSL_DEV_DEB" + else + echo "No libwolfssl-dev package found after building for architecture $CURRENT_ARCH" + exit 1 + fi + fi +} + +# Main execution +main() { + local wolfssl_tar_path="$1" + local dest_dir="$2" + + if [ -z "$wolfssl_tar_path" ]; then + echo "Usage: $0 [destination-directory]" + echo " If destination-directory is not specified, a temporary directory will be created using mktemp" + exit 1 + fi + + echo "Checking if wolfSSL packages are already installed..." 
+ if check_packages_installed; then + echo "Packages already installed, exiting successfully" + exit 0 + fi + + echo "Installing wolfSSL packages..." + install_wolfssl_packages "$wolfssl_tar_path" "$dest_dir" + + echo "WolfSSL installation completed successfully" +} + +# Run main function with all arguments +main "$@" diff --git a/debian/libdefault-wolf0.install b/debian/libdefault-wolf0.install new file mode 100644 index 00000000..077894e3 --- /dev/null +++ b/debian/libdefault-wolf0.install @@ -0,0 +1,2 @@ +# dh-exec +./wolfprov-install/lib/libdefault.so* usr/lib/${DEB_HOST_MULTIARCH}/ diff --git a/debian/libdefault0.install b/debian/libdefault0.install new file mode 100644 index 00000000..35099bad --- /dev/null +++ b/debian/libdefault0.install @@ -0,0 +1,2 @@ +# dh-exec +libdefault-stub-install/lib/libdefault.so.* usr/lib/${DEB_HOST_MULTIARCH}/ diff --git a/debian/libssl-dev.install b/debian/libssl-dev.install new file mode 100644 index 00000000..a4d91cf5 --- /dev/null +++ b/debian/libssl-dev.install @@ -0,0 +1,3 @@ +usr/include/openssl/** +usr/lib/*/libcrypto.so +usr/lib/*/libssl.so diff --git a/debian/libssl3.install b/debian/libssl3.install new file mode 100644 index 00000000..fcc40907 --- /dev/null +++ b/debian/libssl3.install @@ -0,0 +1,2 @@ +usr/lib/*/libcrypto.so.3 +usr/lib/*/libssl.so.3 diff --git a/debian/libwolfprov.install b/debian/libwolfprov.install index d2e32928..e0f5fd99 100644 --- a/debian/libwolfprov.install +++ b/debian/libwolfprov.install @@ -1,3 +1,3 @@ usr/lib/*/ossl-modules/libwolfprov.so* -etc/ssl/openssl.cnf.d/ -etc/ssl/openssl.cnf.d/wolfprovider.conf +usr/lib/ssl/openssl.cnf.d +usr/lib/ssl/openssl.cnf.d/wolfprovider.conf diff --git a/debian/libwolfprov.postinst b/debian/libwolfprov.postinst index 4755e4ba..bb8f604f 100755 --- a/debian/libwolfprov.postinst +++ b/debian/libwolfprov.postinst 
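Review bot: The usage message omits the required first argument; it should read `echo "Usage: $0 <wolfssl-tar.gz> [destination-directory]"`. `check_packages_installed` greps `dpkg -l` for `^ii.*libwolfssl `, which depends on column layout and also matches any package whose name merely contains that string; `dpkg-query -W -f='${db:Status-Status}' libwolfssl 2>/dev/null | grep -qx installed` is the robust form. The script runs `dpkg -i` and `dpkg-buildpackage` without checking that it is running as root and installs whatever the archive contains without an integrity check; a header comment on `install_wolfssl_packages` stating that the tarball is trusted because it ships in this repository (`.github/packages/debian-wolfssl.tar.gz`) would at least document that trust boundary. The directory created by `mktemp -d` is never removed.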
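Review bot: The `# dh-exec` line in libdefault-wolf0.install and libdefault0.install is a plain comment — both files are added with mode 100644 and no `#!/usr/bin/dh-exec` shebang, so dh-exec never runs on them; `${DEB_HOST_MULTIARCH}` is presumably expanded by debhelper's own compat-13 substitution, which works but makes the comment misleading. Replace it with `# ${DEB_HOST_MULTIARCH} is expanded by debhelper (compat 13)`. The two files also ship different sets: `libdefault.so*` in libdefault-wolf0 includes the unversioned `libdefault.so` development symlink, while libdefault0 uses `libdefault.so.*`; since the packages `Conflicts`/`Replaces` each other as drop-in alternatives they should install the same file set (`libdefault.so.*` in both), and the `./` prefix is used in only one of them.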
@@ -1,12 +1,28 @@ #!/bin/sh set -e -CONF_FILE="/etc/ssl/openssl.cnf" -INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/" +INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf" +CONF_FILE="/usr/lib/ssl/openssl.cnf" +CONF_DEFAULT="/usr/share/openssl-defaults/openssl.cnf" -if ! grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then - echo "Adding include for wolfprovider..." +# Copy from our template if it doesn't exist +if [ ! -f "$CONF_FILE" ]; then + echo "Config file does not exist: $CONF_FILE" + if [ -f "$CONF_DEFAULT" ]; then + install -Dm644 "$CONF_DEFAULT" "$CONF_FILE" + else + echo "Default config file does not exist: $CONF_DEFAULT" + exit 1 + fi +fi + +# Add include for wolfprovider config file if not already present +if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then + echo "Include line already exists in $CONF_FILE" +else + echo "Adding include for wolfprovider to $CONF_FILE..." sed -i "/^openssl_conf/ a $INCLUDE_LINE" "$CONF_FILE" fi +#DEBHELPER# exit 0 diff --git a/debian/libwolfprov.postrm b/debian/libwolfprov.postrm index 48e6e07b..be819db5 100755 --- a/debian/libwolfprov.postrm +++ b/debian/libwolfprov.postrm @@ -3,7 +3,10 @@ set -e case "$1" in remove|purge) - rm -f /etc/ssl/openssl.cnf.d/wolfprovider.conf - rmdir /etc/ssl/openssl.cnf.d 2>/dev/null || true + rm -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf + rm -rf /usr/share/wolfprovider-defaults ;; esac + +#DEBHELPER# +exit 0 diff --git a/debian/openssl.install b/debian/openssl.install new file mode 100644 index 00000000..dc8bc1fc --- /dev/null +++ b/debian/openssl.install @@ -0,0 +1,2 @@ +usr/bin/openssl +usr/share/openssl-defaults/openssl.cnf diff --git a/debian/openssl.postinst b/debian/openssl.postinst new file mode 100644 index 00000000..6b12047c --- /dev/null +++ b/debian/openssl.postinst 
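Review bot: postinst inserts `.include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf` into `/usr/lib/ssl/openssl.cnf`, but the libwolfprov.postrm hunk below only deletes wolfprovider.conf, so the include line stays behind after remove/purge (OpenSSL 3 appears to ignore a missing include target, so this is a leftover rather than a breakage, but the old directory include never had a dangling target). A matching `sed -i '\|^\.include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf$|d' /usr/lib/ssl/openssl.cnf` in postrm's `remove|purge)` case restores the file. Note also that `/usr/lib/ssl/openssl.cnf` is created from a template by postinst rather than shipped, so dpkg does not own it and no postrm in this diff removes it; and `rm -rf /usr/share/wolfprovider-defaults` in postrm targets a path that nothing in this diff installs — confirm it is still needed.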
@@ -0,0 +1,19 @@ +#!/bin/sh +set -e + +CONF_FILE="/usr/lib/ssl/openssl.cnf" +CONF_DEFAULT="/usr/share/openssl-defaults/openssl.cnf" + +# Copy from our template if it doesn't exist +if [ ! -f "$CONF_FILE" ]; then + echo "Config file does not exist: $CONF_FILE" + if [ -f "$CONF_DEFAULT" ]; then + install -Dm644 "$CONF_DEFAULT" "$CONF_FILE" + else + echo "Default config file does not exist: $CONF_DEFAULT" + exit 1 + fi +fi + +#DEBHELPER# +exit 0 \ No newline at end of file diff --git a/debian/openssl.postrm b/debian/openssl.postrm new file mode 100644 index 00000000..2353760c --- /dev/null +++ b/debian/openssl.postrm @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +case "$1" in + remove|purge) + rm -rf /usr/share/openssl-defaults + rm -f /usr/lib/ssl/libdefault.so* + ;; +esac + +#DEBHELPER# +exit 0 diff --git a/debian/rules b/debian/rules index 763638ee..4b7e4f0d 100755 --- a/debian/rules +++ b/debian/rules @@ -1,7 +1,7 @@ #!/usr/bin/make -f %: - dh $@ --with autoreconf + dh $@ # Multiarch triplet DEB_HOST_MULTIARCH := $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) @@ -11,6 +11,9 @@ DESTDIR=debian/tmp # Grab the base version from debian/changelog BASEVER := $(shell dpkg-parsechangelog -SVersion) +# Get OpenSSL version from the build (this will be set after build) +OPENSSL_VERSION ?= 3.5.0 + # Check if FIPS build is requested WOLFSSL_ISFIPS?=0 # Variant-specific metadata 
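Review bot: The template-copy block (`if [ ! -f "$CONF_FILE" ]` … `install -Dm644`) is duplicated verbatim from libwolfprov.postinst; since libwolfprov `Depends: openssl`, dpkg normally configures openssl first and the copy in libwolfprov.postinst is dead code, so keeping it in one place avoids the two drifting apart. openssl.postrm removes `/usr/share/openssl-defaults` (packaged files dpkg removes anyway) and `/usr/lib/ssl/libdefault.so*` (a path no install file in this diff populates — confirm it is still needed), but not the unowned `/usr/lib/ssl/openssl.cnf` that postinst created, so a purge leaves the config behind; add a `purge)` case with `rm -f /usr/lib/ssl/openssl.cnf`. openssl.postinst also ends without a trailing newline.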
@@ -30,35 +33,117 @@ else FIPS_FLAG := endif -# Override just the control-file generation to inject our values -override_dh_gencontrol: - dh_gencontrol -- \ - -v$(VERSION) \ - -Vvariant=$(VARIANT) \ - -Vvariant:desc="$(VARIANT_DESC)" \ - -Vvariant:provides="$(VARIANT_PROVIDES)" - override_dh_auto_configure: # None, handled below override_dh_auto_build: - ./scripts/build-wolfprovider.sh $(FIPS_FLAG) + # Always build OpenSSL with wolfProvider as the default provider + WOLFPROV_BUILD_DEBIAN=1 ./scripts/build-wolfprovider.sh --replace-default $(FIPS_FLAG) override_dh_auto_install: - # Install library + # Install OpenSSL binary for openssl package + install -d $(DESTDIR)/usr/bin + install -m755 ./openssl-install/bin/openssl \ + $(DESTDIR)/usr/bin/ + + # Install OpenSSL shared libraries for libssl3 package + install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH) + install -m755 ./openssl-install/lib/libssl.so* \ + ./openssl-install/lib/libcrypto.so* \ + $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ + + # Install OpenSSL headers and dev files for libssl-dev package + install -d $(DESTDIR)/usr/include + find ./openssl-install/include/openssl -type d -exec install -d "$(DESTDIR)/usr/include/openssl/{}" \; + find ./openssl-install/include/openssl -type f -exec install -m644 "{}" "$(DESTDIR)/usr/include/openssl/{}" \; + cd ../../ + +# # Install static libraries and pkg-config files +# install -m644 ./openssl-install/lib/libssl.a \ +# $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ +# install -m644 ./openssl-install/lib/libcrypto.a \ +# $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ + +# install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig +# install -m644 ./openssl-install/lib/pkgconfig/libssl.pc \ +# $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/ +# install -m644 ./openssl-install/lib/pkgconfig/libcrypto.pc \ +# $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig/ + + # Install wolfProvider library install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules install -m755 
./.libs/libwolfprov.so* \ $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/ossl-modules/ - # Install headers + # Install wolfProvider headers install -d $(DESTDIR)/usr/include/wolfprovider install -m644 ./include/wolfprovider/*.h \ $(DESTDIR)/usr/include/wolfprovider/ # Install provider config file - install -d $(DESTDIR)/etc/ssl/openssl.cnf.d + install -d $(DESTDIR)/usr/lib/ssl/openssl.cnf.d install -m644 ./$(PROVIDER_CONF) \ - $(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf + $(DESTDIR)/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf + + # Install default openssl.cnf template (do NOT ship it directly in /usr/lib/ssl) + # The postinsall script will handle copying it to the system location + install -d $(DESTDIR)/usr/share/openssl-defaults + install -m 0644 ./openssl-source/apps/openssl.cnf \ + $(DESTDIR)/usr/share/openssl-defaults/openssl.cnf + +override_dh_makeshlibs: + # Create shlibs only for real SONAME’d libs; skip provider modules under ossl-modules/ + dh_makeshlibs -V -p libssl3 + dh_makeshlibs -V -p libdefault0 + dh_makeshlibs -V -p libdefault-wolf0 + # do NOT run on libwolfprov (plugin-only, no SONAME) + +override_dh_shlibdeps: + # First, compute ${shlibs:Depends} for the libdefault* runtime packages + # (resolve their NEEDED: libcrypto.so.3 to our just-built libssl3) + dh_shlibdeps -plibdefault0 \ + -ldebian/libssl3/usr/lib/$(DEB_HOST_MULTIARCH) \ + -- -Sdebian/libssl3 -v + dh_shlibdeps -plibdefault-wolf0 \ + -ldebian/libssl3/usr/lib/$(DEB_HOST_MULTIARCH) \ + -- -Sdebian/libssl3 -v + + # Do not auto-add a dependency on libdefault{0,-wolf0} for these two packages; + # we supply the OR manually in debian/control. 
+ dh_shlibdeps -plibssl3 \ + -ldebian/libdefault0/usr/lib/$(DEB_HOST_MULTIARCH) \ + -ldebian/libdefault-wolf0/usr/lib/$(DEB_HOST_MULTIARCH) \ + -- -xlibdefault0 -xlibdefault-wolf0 -v + dh_shlibdeps -plibssl-dev \ + -ldebian/libdefault0/usr/lib/$(DEB_HOST_MULTIARCH) \ + -ldebian/libdefault-wolf0/usr/lib/$(DEB_HOST_MULTIARCH) \ + -- -xlibdefault0 -xlibdefault-wolf0 -v + + # Everyone else (openssl, libwolfprov, etc.) + dh_shlibdeps --remaining-packages -- -v + + +override_dh_gencontrol: + # Generate control for wolfProvider packages + dh_gencontrol -- \ + -v$(VERSION) \ + -Vvariant=$(VARIANT) \ + -Vvariant:desc="$(VARIANT_DESC)" \ + -Vvariant:provides="$(VARIANT_PROVIDES)" + + # Extract OpenSSL version from the current build + $(eval OPENSSL_VERSION := $(shell LD_LIBRARY_PATH=./openssl-install/lib:./libdefault-stub-install/lib ./openssl-install/bin/openssl version | cut -d' ' -f2)) + + # Generate control for OpenSSL packages with OpenSSL version + dh_gencontrol -popenssl -- \ + -v$(OPENSSL_VERSION)-1 \ + -Vopenssl:Version=$(OPENSSL_VERSION) + dh_gencontrol -plibssl3 -- \ + -v$(OPENSSL_VERSION)-1 \ + -Vopenssl:Version=$(OPENSSL_VERSION) + dh_gencontrol -plibssl-dev -- \ + -v$(OPENSSL_VERSION)-1 \ + -Vopenssl:Version=$(OPENSSL_VERSION) override_dh_auto_clean: dh_auto_clean @@ -67,7 +152,11 @@ override_dh_auto_clean: override_dh_auto_test: @echo "Skipping dh_auto_test (tests already run during build phase)" -# Avoid warnings of the form package-has-unnecessary-activation-of-ldconfig-trigger -override_dh_makeshlibs: - dh_makeshlibs -n +override_dh_install: + dh_install + +# Fail the build if anything in debian/tmp (or elsewhere) wasn’t picked up +override_dh_missing: + dh_missing --fail-missing + diff --git a/default_stub/Makefile.am b/default_stub/Makefile.am index e31303de..1074170a 100644 --- a/default_stub/Makefile.am +++ b/default_stub/Makefile.am 
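Review bot: The header install `find ./openssl-install/include/openssl -type d -exec install -d "$(DESTDIR)/usr/include/openssl/{}" \;` (and its `-type f` twin) expands `{}` to the full found path beginning with `./openssl-install/include/openssl/…`, so the headers land under `$(DESTDIR)/usr/include/openssl/openssl-install/include/openssl/`, and the `usr/include/openssl/**` glob in libssl-dev.install will ship them at that nested path without `dh_missing` noticing. Copying the tree is simpler and correct: `cp -r ./openssl-install/include/openssl $(DESTDIR)/usr/include/` followed by `chmod -R u=rwX,go=rX $(DESTDIR)/usr/include/openssl`. The following `cd ../../` is its own recipe line and so runs in its own shell — a no-op that should be dropped. Two smaller points: the comment above the openssl.cnf install reads "postinsall", and the `$(eval OPENSSL_VERSION := $(shell … openssl version …))` unconditionally overrides the `OPENSSL_VERSION ?= 3.5.0` default from the earlier hunk, so if the command fails the packages are stamped with `-v-1` rather than falling back; failing the build on an empty result would be safer.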
@@ -1,2 +1,7 @@ lib_LTLIBRARIES = libdefault.la + +if BUILD_REPLACE +libdefault_la_SOURCES = wp_default_replace.c +else libdefault_la_SOURCES = wp_default_stub.c +endif diff --git a/default_stub/configure.ac b/default_stub/configure.ac index 5c44872c..2546816a 100644 --- a/default_stub/configure.ac +++ b/default_stub/configure.ac @@ -3,5 +3,40 @@ AM_INIT_AUTOMAKE([-Wall -Werror foreign]) AC_PROG_CC AM_PROG_AR LT_INIT + +# Replace flag to choose between wp_default_replace.c and wp_default_stub.c +AC_ARG_ENABLE([replace], + [AS_HELP_STRING([--enable-replace],[Build wp_default_replace.c instead of wp_default_stub.c (default: disabled).])], + [ ENABLED_REPLACE=yes ], + [ ENABLED_REPLACE=no ] + ) + +# OpenSSL path configuration +AC_ARG_WITH([openssl], + [AS_HELP_STRING([--with-openssl=DIR],[Specify the path to OpenSSL source code (default: system default)])], + [ OPENSSL_DIR=$withval ], + [ OPENSSL_DIR="" ] + ) + +# Check for OpenSSL headers +if test "x$OPENSSL_DIR" != "x"; then + # User specified OpenSSL directory + CPPFLAGS_save=$CPPFLAGS + CPPFLAGS="$CPPFLAGS -I$OPENSSL_DIR/include" + AC_CHECK_HEADER([openssl/ssl.h], + [AC_MSG_RESULT([OpenSSL headers found in $OPENSSL_DIR])], + [AC_MSG_ERROR([OpenSSL headers not found in $OPENSSL_DIR/include])] + ) + CPPFLAGS=$CPPFLAGS_save +else + # Check system default location + AC_CHECK_HEADER([openssl/ssl.h], + [AC_MSG_RESULT([OpenSSL headers found in system location])], + [AC_MSG_ERROR([OpenSSL headers not found. Please install OpenSSL development package or specify path with --with-openssl=DIR])] + ) +fi + +AM_CONDITIONAL([BUILD_REPLACE], [test "x$ENABLED_REPLACE" = "xyes"]) + AC_CONFIG_FILES([Makefile]) AC_OUTPUT diff --git a/src/wp_default_replace.c b/default_stub/wp_default_replace.c similarity index 100% rename from src/wp_default_replace.c rename to default_stub/wp_default_replace.c diff --git a/default_stub/wp_default_stub.c b/default_stub/wp_default_stub.c index 52d9ea28..ac6bd73c 100644 
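Review bot: In the `--with-openssl=DIR` branch `CPPFLAGS` is restored from `CPPFLAGS_save` immediately after `AC_CHECK_HEADER`, so the `-I$OPENSSL_DIR/include` path is used only for the probe and not for compiling the library; `wp_default_replace.c` (selected by `--enable-replace`, not shown here) will then only build if the OpenSSL headers are also in a system location. The simplest fix is to drop the `CPPFLAGS=$CPPFLAGS_save` line so the include path stays in `CPPFLAGS` for the build. `AC_MSG_RESULT` is also emitted without a preceding `AC_MSG_CHECKING`, so the success text prints on a line of its own.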
--- a/default_stub/wp_default_stub.c +++ b/default_stub/wp_default_stub.c @@ -17,24 +17,19 @@ * along with wolfProvider. If not, see . */ -#include - -/* Prototype of public function that initializes the wolfSSL provider. */ -OSSL_provider_init_fn wolfssl_provider_init; +/* Note: to simplify the build process, we are not using the OpenSSL headers. + * Instead, we are using functions that don't specify parameters. This + * allows us to build the stub without having to clone OpenSSL first, + * nor use the system OpenSSL headers. + */ /* Prototype for the wolfprov_provider_init function */ -int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle, - const OSSL_DISPATCH* in, - const OSSL_DISPATCH** out, - void** provCtx); +int wolfprov_provider_init(); /* * Provider implementation stub */ -int wolfprov_provider_init(const OSSL_CORE_HANDLE* handle, - const OSSL_DISPATCH* in, - const OSSL_DISPATCH** out, - void** provCtx) +int wolfprov_provider_init() { return 0; } diff --git a/scripts/build-debian.sh b/scripts/build-debian.sh index 2a73d9a0..6c6bbc1b 100755 --- a/scripts/build-debian.sh +++ b/scripts/build-debian.sh @@ -111,6 +111,6 @@ git archive --format=tar.gz --prefix="${TARBALL_PREFIX}/" \ # Step 10: Build package echo "⚙️ Building package..." WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0} -debuild --set-envvar WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS} -us -uc +debuild -e WOLFSSL_ISFIPS -us -uc echo "✅ Build completed for version $VERSION" diff --git a/scripts/build-wolfprovider.sh b/scripts/build-wolfprovider.sh index 79c8c274..ad25d106 100755 --- a/scripts/build-wolfprovider.sh +++ b/scripts/build-wolfprovider.sh @@ -160,10 +160,6 @@ source ${SCRIPT_DIR}/utils-wolfprovider.sh echo "Using openssl: $OPENSSL_TAG, wolfssl: $WOLFSSL_TAG" -if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then - build_default_stub -fi - init_wolfprov exit $? diff --git a/scripts/env-setup b/scripts/env-setup index c7e84302..7fe7e724 100755 --- a/scripts/env-setup +++ b/scripts/env-setup 
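Review bot: `int wolfprov_provider_init();` is an unprototyped declaration in C17 and earlier, which is what the new comment relies on, but under C23 `()` means `(void)`, so the meaning of this declaration changes with the compiler's default standard and the comment becomes wrong. Declaring the parameters with opaque pointers keeps the real arity without any OpenSSL header: `int wolfprov_provider_init(const void *handle, const void *in, const void **out, void **provCtx);` (and the same in the definition). Since a provider init function returns 0 to signal failure, it is also worth a comment stating that this stub deliberately reports failure and is only meant to satisfy the link of the baseline `libdefault0` build.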
@@ -46,7 +46,7 @@ WOLFPROV_LIB_PATH="$REPO_ROOT/wolfprov-install/lib" # Always reconstruct LD_LIBRARY_PATH with correctly detected OPENSSL_LIB_PATH # ${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} expands to :$LD_LIBRARY_PATH only if LD_LIBRARY_PATH was already set -export LD_LIBRARY_PATH="$WOLFSSL_LIB_PATH:$OPENSSL_LIB_PATH${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" +export LD_LIBRARY_PATH="$WOLFPROV_LIB_PATH:$WOLFSSL_LIB_PATH:$OPENSSL_LIB_PATH${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" # Auto-detect FIPS mode and use appropriate config if [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh index cd3d5780..b0547611 100755 --- a/scripts/utils-openssl.sh +++ b/scripts/utils-openssl.sh @@ -47,6 +47,7 @@ clean_openssl() { make -C "${OPENSSL_SOURCE_DIR}" clean >>$LOG_FILE 2>&1 fi rm -rf "${OPENSSL_INSTALL_DIR}" + rm -rf "${OPENSSL_STUB_INSTALL_DIR}" fi if [ "$WOLFPROV_DISTCLEAN" -eq "1" ]; then printf "Removing OpenSSL source ...\n" @@ -63,8 +64,6 @@ clone_openssl() { if [ ! -d ${OPENSSL_SOURCE_DIR} ]; then printf "\tOpenSSL source directory not found: ${OPENSSL_SOURCE_DIR}\n" - printf "\tParent directory:\n" - tree -L 2 $(dirname ${OPENSSL_SOURCE_DIR}/..) || true CLONE_TAG=${USE_CUR_TAG:+${OPENSSL_TAG_CUR}} CLONE_TAG=${CLONE_TAG:-${OPENSSL_TAG}} @@ -72,7 +71,7 @@ clone_openssl() { DEPTH_ARG=${DEPTH_ARG:---depth=1} printf "\tClone OpenSSL ${CLONE_TAG} from ${OPENSSL_GIT_URL} ... " - git clone ${DEPTH_ARG} -b ${CLONE_TAG} ${OPENSSL_GIT_URL} ${OPENSSL_SOURCE_DIR} + git clone ${DEPTH_ARG} -b ${CLONE_TAG} ${OPENSSL_GIT_URL} ${OPENSSL_SOURCE_DIR} >>$LOG_FILE 2>&1 RET=$? if [ $RET != 0 ]; then 
@@ -160,12 +159,103 @@ patch_openssl() { fi } +install_openssl_deb() { + printf "\nInstalling OpenSSL ${OPENSSL_TAG} for Debian packaging ...\n" + clone_openssl + patch_openssl + check_openssl_replace_default_mismatch + + # Build stub first so we can link OpenSSL against it + if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then + install_default_stub + fi + + pushd ${OPENSSL_SOURCE_DIR} &> /dev/null + + if [ -d ${OPENSSL_INSTALL_DIR} ]; then + printf "\tOpenSSL install directory already exists: ${OPENSSL_INSTALL_DIR}\n" + printf "\tRemoving existing install directory...\n" + rm -rf ${OPENSSL_INSTALL_DIR} + fi + + # Build configure command + CONFIG_CMD="./config shared" + + # Determine the install paths for Debian Bookworm + DEB_HOST_MULTIARCH=$(dpkg-architecture -qDEB_HOST_MULTIARCH) + CONFIG_CMD+=" --prefix=/usr --openssldir=/usr/lib/ssl --libdir=lib/${DEB_HOST_MULTIARCH} " + + if [ "$WOLFPROV_DEBUG" = "1" ]; then + CONFIG_CMD+=" enable-trace --debug" + fi + + if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then + CONFIG_CMD+=" no-external-tests no-tests" + + # Set up library paths to find the stub libdefault + if [ -d "${OPENSSL_STUB_INSTALL_DIR}" ]; then + # Link the stub library directly into libcrypto using LDFLAGS and LDLIBS + CONFIGURE_LDFLAGS="-L${OPENSSL_STUB_INSTALL_DIR}/lib" + CONFIGURE_LDLIBS="-ldefault" + else + printf "ERROR - stub libdefault not found in: ${OPENSSL_STUB_INSTALL_DIR}\n" + do_cleanup + exit 1 + fi + + CONFIG_CMD+=" LDFLAGS=${CONFIGURE_LDFLAGS} LDLIBS=${CONFIGURE_LDLIBS}" + fi + + printf "\tConfigure OpenSSL ${OPENSSL_TAG} ... " + $CONFIG_CMD >>$LOG_FILE 2>&1 + RET=$? + if [ $RET != 0 ]; then + printf "ERROR.\n" + rm -rf ${OPENSSL_INSTALL_DIR} + do_cleanup + exit 1 + fi + printf "Done.\n" + + printf "\tBuild OpenSSL ${OPENSSL_TAG} ... " + make -j$NUMCPU >>$LOG_FILE 2>&1 + if [ $? 
!= 0 ]; then + printf "ERROR.\n" + rm -rf ${OPENSSL_INSTALL_DIR} + do_cleanup + exit 1 + fi + printf "Done.\n" + + # Manually set up the install directory rather than running 'make install' + # so that we don't modify the system OpenSSL installation + printf "\tCopying outputs to ${OPENSSL_INSTALL_DIR} for OpenSSL ${OPENSSL_TAG} ... " + mkdir -p ${OPENSSL_INSTALL_DIR}/bin + mkdir -p ${OPENSSL_INSTALL_DIR}/lib + mkdir -p ${OPENSSL_INSTALL_DIR}/include/openssl + mkdir -p ${OPENSSL_INSTALL_DIR}/lib/pkgconfig + cp -r apps/openssl ${OPENSSL_INSTALL_DIR}/bin/openssl + cp -r libcrypto.so* libcrypto.a ${OPENSSL_INSTALL_DIR}/lib/ + cp -r libssl.so* libssl.a ${OPENSSL_INSTALL_DIR}/lib/ + cp -r include/openssl/* ${OPENSSL_INSTALL_DIR}/include/openssl/ + cp -r *.pc ${OPENSSL_INSTALL_DIR}/lib/pkgconfig/ + printf "Done.\n" + + popd &> /dev/null +} + install_openssl() { printf "\nInstalling OpenSSL ${OPENSSL_TAG} ...\n" clone_openssl patch_openssl check_openssl_replace_default_mismatch - cd ${OPENSSL_SOURCE_DIR} + + # Build stub first so we can link OpenSSL against it + if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then + install_default_stub + fi + + pushd ${OPENSSL_SOURCE_DIR} &> /dev/null if [ ! -d ${OPENSSL_INSTALL_DIR} ]; then printf "\tConfigure OpenSSL ${OPENSSL_TAG} ... " @@ -223,7 +313,7 @@ install_openssl() { printf "Done.\n" fi - cd .. + popd &> /dev/null } init_openssl() { diff --git a/scripts/utils-wolfprovider.sh b/scripts/utils-wolfprovider.sh index e3dc5696..1d5c1aab 100644 --- a/scripts/utils-wolfprovider.sh +++ b/scripts/utils-wolfprovider.sh 
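Review bot: `DEB_HOST_MULTIARCH=$(dpkg-architecture -qDEB_HOST_MULTIARCH)` in install_openssl_deb is not checked, so if dpkg-architecture is missing or fails the variable is empty and OpenSSL is silently configured with `--libdir=lib/`, which puts the libraries in the wrong multiarch directory for the package. Every other step in the function aborts through do_cleanup on failure; this one should too: `DEB_HOST_MULTIARCH=$(dpkg-architecture -qDEB_HOST_MULTIARCH) || { printf "ERROR - dpkg-architecture failed\n"; do_cleanup; exit 1; }`. Note also that `$CONFIG_CMD` is expanded unquoted, so the `LDFLAGS=-L${OPENSSL_STUB_INSTALL_DIR}/lib` token breaks if the checkout path contains whitespace; a comment stating that word splitting is relied on would at least document the limitation. The install_openssl changes at the end of the hunk belong to a function whose body continues outside it.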
@@ -25,13 +25,14 @@ source ${SCRIPT_DIR}/utils-general.sh WOLFPROV_SOURCE_DIR=${SCRIPT_DIR}/.. WOLFPROV_INSTALL_DIR=${SCRIPT_DIR}/../wolfprov-install +LIBDEFAULT_SOURCE_DIR=${SCRIPT_DIR}/../default_stub +LIBDEFAULT_INSTALL_DIR=${WOLFPROV_INSTALL_DIR} LIBDEFAULT_STUB_INSTALL_DIR=${SCRIPT_DIR}/../libdefault-stub-install WOLFPROV_WITH_WOLFSSL=--with-wolfssl=${WOLFSSL_INSTALL_DIR} # Check if using system wolfSSL installation if command -v dpkg >/dev/null 2>&1; then if dpkg -l | grep -q "^ii.*libwolfssl[[:space:]]" && dpkg -l | grep -q "^ii.*libwolfssl-dev[[:space:]]"; then - printf "\nSkipping wolfSSL installation - libwolfssl and libwolfssl-dev packages are already installed.\n" WOLFPROV_WITH_WOLFSSL= fi fi @@ -39,7 +40,6 @@ fi WOLFPROV_CONFIG_OPTS=${WOLFPROV_CONFIG_OPTS:-"--with-openssl=${OPENSSL_INSTALL_DIR} ${WOLFPROV_WITH_WOLFSSL} --prefix=${WOLFPROV_INSTALL_DIR}"} WOLFPROV_CONFIG_CFLAGS=${WOLFPROV_CONFIG_CFLAGS:-''} - if [ "${WOLFPROV_QUICKTEST}" = "1" ]; then WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS} -DWOLFPROV_QUICKTEST" fi 
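Review bot: `LIBDEFAULT_INSTALL_DIR=${WOLFPROV_INSTALL_DIR}` makes the replacement libdefault install into the same tree as wolfProvider, but nothing says that this is intentional rather than a placeholder, and later code in clean_wolfprov removes both variables as if they were distinct directories. A comment above the assignment, e.g. `# The replacement libdefault is installed into the wolfProvider tree on purpose; the two paths are the same directory`, would prevent a future reader from "fixing" one without the other. Presumably the shared location is what lets env-setup's WOLFPROV_LIB_PATH find the replacement library; if so, say that too.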
@@ -58,9 +58,42 @@ WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0} WOLFPROV_CLEAN=${WOLFPROV_CLEAN:-0} WOLFPROV_DISTCLEAN=${WOLFPROV_DISTCLEAN:-0} -build_default_stub() { - printf "\nBuilding default stub library ...\n" - cd ${SCRIPT_DIR}/../default_stub +clean_default_stub() { + # Remove autoconf files in default_stub + rm -f ${LIBDEFAULT_SOURCE_DIR}/aclocal.m4 + rm -f ${LIBDEFAULT_SOURCE_DIR}/config.h + rm -f ${LIBDEFAULT_SOURCE_DIR}/config.log + rm -f ${LIBDEFAULT_SOURCE_DIR}/config.status + rm -f ${LIBDEFAULT_SOURCE_DIR}/configure + rm -f ${LIBDEFAULT_SOURCE_DIR}/depcomp + rm -f ${LIBDEFAULT_SOURCE_DIR}/install-sh + rm -f ${LIBDEFAULT_SOURCE_DIR}/*.o + rm -f ${LIBDEFAULT_SOURCE_DIR}/*.lo +} + +install_default_stub() { + # set flag for stub build based on incoming parameter + if [ "$1" = "replace" ]; then + LIBDEFAULT_CONFIG_OPTS="--prefix=${LIBDEFAULT_INSTALL_DIR}" + LIBDEFAULT_CONFIG_OPTS+=" --enable-replace" + printf "\n\tBuilding default replacement library ...\n" + else + LIBDEFAULT_CONFIG_OPTS="--prefix=${LIBDEFAULT_STUB_INSTALL_DIR}" + printf "\n\tBuilding default stub library ...\n" + fi + + pushd ${LIBDEFAULT_SOURCE_DIR} &> /dev/null + + # Ensure openssl is present for header files + clone_openssl + + # if openssl source dir is present, add the include path + if [ -d "${OPENSSL_SOURCE_DIR}" ]; then + LIBDEFAULT_CONFIG_OPTS+=" --with-openssl=${OPENSSL_INSTALL_DIR}" + fi + + # Always do a clean build + clean_default_stub printf "\tGenerate build system ... " if [ ! -e "configure" ]; then @@ -75,7 +108,7 @@ build_default_stub() { printf "Done.\n" printf "\tConfigure default stub ... " - ./configure --prefix=${LIBDEFAULT_STUB_INSTALL_DIR} >>$LOG_FILE 2>&1 + ./configure ${LIBDEFAULT_CONFIG_OPTS} >>$LOG_FILE 2>&1 if [ $? != 0 ]; then printf "\n\n...\n" tail -n 40 $LOG_FILE @@ -104,7 +137,7 @@ build_default_stub() { fi printf "Done.\n" - cd ${SCRIPT_DIR}/.. + popd &> /dev/null } clean_wolfprov() { 
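Review bot: In install_default_stub the condition `if [ -d "${OPENSSL_SOURCE_DIR}" ]` guards a value built from a different variable, `--with-openssl=${OPENSSL_INSTALL_DIR}`, so the option is added whenever the source checkout exists even when the install directory does not. That case is reachable: install_openssl_deb calls install_default_stub before OpenSSL is configured, so in stub mode OPENSSL_INSTALL_DIR is not yet populated when configure receives it. Test the directory that is actually passed, `if [ -d "${OPENSSL_INSTALL_DIR}" ]; then`, or, if the stub build genuinely only needs the source tree as the preceding comment "Ensure openssl is present for header files" suggests, pass `--with-openssl=${OPENSSL_SOURCE_DIR}` and say so. The function continues past the end of this hunk.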
@@ -116,41 +149,33 @@ clean_wolfprov() { make clean >>$LOG_FILE 2>&1 fi # Clean default_stub build artifacts - if [ -f "default_stub/Makefile" ]; then + if [ -f "${LIBDEFAULT_SOURCE_DIR}/Makefile" ]; then printf "Cleaning default stub ...\n" - make -C default_stub clean >>$LOG_FILE 2>&1 + make -C ${LIBDEFAULT_SOURCE_DIR} clean >>$LOG_FILE 2>&1 fi # Remove root libdefault.la file rm -f libdefault.la + # Clean the stub + clean_default_stub + # Remove entire wolfProvider install directory rm -rf ${WOLFPROV_INSTALL_DIR} + rm -rf ${LOG_FILE} fi if [ "$WOLFPROV_DISTCLEAN" -eq "1" ]; then printf "Removing wolfProvider install ...\n" rm -rf ${WOLFPROV_INSTALL_DIR} + rm -rf ${LIBDEFAULT_INSTALL_DIR} rm -rf ${LIBDEFAULT_STUB_INSTALL_DIR} fi } install_wolfprov() { - cd ${WOLFPROV_SOURCE_DIR} - - # Add stub library path for replace-default functionality after dependencies are installed - if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then - if [ -z "$LD_LIBRARY_PATH" ]; then - export LD_LIBRARY_PATH="${LIBDEFAULT_STUB_INSTALL_DIR}/lib" - else - export LD_LIBRARY_PATH="${LIBDEFAULT_STUB_INSTALL_DIR}/lib:$LD_LIBRARY_PATH" - fi - fi + pushd ${WOLFPROV_SOURCE_DIR} &> /dev/null init_openssl init_wolfssl - printf "\nConsolidating wolfProvider ...\n" - unset OPENSSL_MODULES - unset OPENSSL_CONF - - printf "LD_LIBRARY_PATH: $LD_LIBRARY_PATH\n" + printf "\nInstalling wolfProvider ...\n" printf "\tConfigure wolfProvider ... " if [ ! -e "${WOLFPROV_SOURCE_DIR}/configure" ]; then @@ -171,7 +196,6 @@ install_wolfprov() { ./configure ${WOLFPROV_CONFIG_OPTS} CFLAGS="${WOLFPROV_CONFIG_CFLAGS}" >>$LOG_FILE 2>&1 RET=$? - if [ $RET != 0 ]; then printf "\n\n...\n" tail -n 40 $LOG_FILE 
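Review bot: The rewritten install_wolfprov no longer clears OPENSSL_MODULES and OPENSSL_CONF before `init_openssl`, the configure step and the later tests, so any values inherited from the caller's shell (for example after sourcing env-setup for a previous build) now shape which provider and config the build-time OpenSSL loads; if that is intended, a comment stating that the caller's OpenSSL environment is deliberately honoured would help, otherwise `unset OPENSSL_MODULES OPENSSL_CONF` belongs right after `pushd`. In clean_wolfprov, `rm -rf ${LIBDEFAULT_INSTALL_DIR}` in the distclean branch is the same directory as the `rm -rf ${WOLFPROV_INSTALL_DIR}` line above it given the assignment in utils-wolfprovider.sh, so one of the two can go or a comment should note they coincide. `rm -rf ${LOG_FILE}` also deletes the log that the `make clean` invocations a few lines earlier just appended to, which removes the only trace if one of them failed.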
@@ -190,15 +214,22 @@ install_wolfprov() { fi printf "Done.\n" - printf "\tTest wolfProvider ... " - make test >>$LOG_FILE 2>&1 - if [ $? != 0 ]; then - printf "\n\n...\n" - tail -n 40 $LOG_FILE - do_cleanup - exit 1 + # Build the replacement default library after wolfprov to avoid linker errors + # but before testing so that the library is present if needed + if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then + printf "\tWARNING: Skipping tests in replace mode...\n" + install_default_stub "replace" + else + printf "\tTest wolfProvider ... " + make test >>$LOG_FILE 2>&1 + if [ $? != 0 ]; then + printf "\n\n...\n" + tail -n 40 $LOG_FILE + do_cleanup + exit 1 + fi + printf "Done.\n" fi - printf "Done.\n" printf "\tInstall wolfProvider ... " make install >>$LOG_FILE 2>&1 @@ -209,6 +240,8 @@ install_wolfprov() { exit 1 fi printf "Done.\n" + + popd &> /dev/null } init_wolfprov() { diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh index 481929d9..fab16ec6 100644 --- a/scripts/utils-wolfssl.sh +++ b/scripts/utils-wolfssl.sh @@ -98,10 +98,23 @@ install_wolfssl() { # use the custom OpenSSL built with wolfProvider. if command -v dpkg >/dev/null 2>&1; then if dpkg -l | grep -q "^ii.*libwolfssl[[:space:]]" && dpkg -l | grep -q "^ii.*libwolfssl-dev[[:space:]]"; then + # Check if there is a FIPS mismatch + # If the system wolfSSL is FIPS, we need to be doing a FIPS build + dpkg -l | grep "^ii.*libwolfssl[[:space:]]" | grep -q "fips" + if [ $? -eq 0 ] && [ "$WOLFSSL_ISFIPS" != "1" ]; then + printf "ERROR: System wolfSSL is FIPS, but WOLFSSL_ISFIPS is not set to 1\n" + do_cleanup + exit 1 + elif [ $? -eq 0 ] && [ "$WOLFSSL_ISFIPS" != "0" ]; then + printf "ERROR: System wolfSSL is non-FIPS, but WOLFSSL_ISFIPS is set to 1\n" + do_cleanup + exit 1 + fi + printf "\nSkipping wolfSSL installation - libwolfssl and libwolfssl-dev packages are already installed.\n" # Set WOLFSSL_INSTALL_DIR to system installation directory WOLFSSL_INSTALL_DIR="/usr" - return 0 + return fi fi
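Review bot: The comment introducing the replace branch says the replacement library is built "before testing so that the library is present if needed", but the branch that builds it is the one that skips `make test`, so the replacement build is never exercised by this script and the comment contradicts the code. Either move `install_default_stub "replace"` ahead of an unconditional test block, or reword the comment to match what happens, e.g. `# In replace mode build the replacement libdefault instead of running the test-suite; tests are skipped here because <reason>`. The reason for skipping is not stated anywhere in the hunk and is the part a maintainer will need most.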
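Review bot: The new FIPS mismatch check in install_wolfssl cannot detect the non-FIPS-system/`WOLFSSL_ISFIPS=1` case: by the time `elif [ $? -eq 0 ]` runs, `$?` is the status of the `if` condition's last test, not of the grep, and the branch also tests `-eq 0` (system is FIPS) while printing "System wolfSSL is non-FIPS". The result is that a FIPS-labelled build against a non-FIPS system wolfSSL is silently accepted, which is exactly the configuration error the check was added to refuse. Capture the grep result once and compare it explicitly in both branches, as below; `${WOLFSSL_ISFIPS:-0}` keeps the unset case consistent with the default used elsewhere. install_wolfssl starts outside this hunk.
```shell
            # Check if there is a FIPS mismatch
            # If the system wolfSSL is FIPS, we need to be doing a FIPS build
            if dpkg -l | grep "^ii.*libwolfssl[[:space:]]" | grep -q "fips"; then
                SYSTEM_WOLFSSL_ISFIPS=1
            else
                SYSTEM_WOLFSSL_ISFIPS=0
            fi
            if [ "$SYSTEM_WOLFSSL_ISFIPS" = "1" ] && [ "${WOLFSSL_ISFIPS:-0}" != "1" ]; then
                printf "ERROR: System wolfSSL is FIPS, but WOLFSSL_ISFIPS is not set to 1\n"
                do_cleanup
                exit 1
            elif [ "$SYSTEM_WOLFSSL_ISFIPS" = "0" ] && [ "${WOLFSSL_ISFIPS:-0}" = "1" ]; then
                printf "ERROR: System wolfSSL is non-FIPS, but WOLFSSL_ISFIPS is set to 1\n"
                do_cleanup
                exit 1
            fi
            # … unchanged: skip message, WOLFSSL_INSTALL_DIR="/usr", return …
```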