Draft: Add openssl debian package

.github/workflows/debian-package.yml

@@ -58,37 +58,32 @@ jobs:
 
     - name: Install wolfssl debian package
       run: |
-        mkdir -p "$RUNNER_TEMP/wolfssl-pkg"
-        cd "$RUNNER_TEMP/wolfssl-pkg"
+        mkdir -p "/tmp/wolfssl-pkg"
+        cd "/tmp/wolfssl-pkg"
 
-        echo "Using standard wolfSSL package"
-        tar -xvf $GITHUB_WORKSPACE/.github/packages/debian-wolfssl.tar.gz
-
-        # Get current architecture
-        CURRENT_ARCH=$(dpkg --print-architecture)
-        echo "Current architecture: $CURRENT_ARCH"
+        # Install wolfssl packages
+        chmod +x $GITHUB_WORKSPACE/debian/install-wolfssl.sh
+        $GITHUB_WORKSPACE/debian/install-wolfssl.sh \
+          $GITHUB_WORKSPACE/.github/packages/debian-wolfssl.tar.gz \
+          "/tmp/wolfssl-pkg"
+
+        # Create wolfprov-packages directory and move wolfssl files there
+        mkdir -p "/tmp/wolfprov-packages"
+        echo "Moving wolfssl files to artifacts directory..."
 
-        # Look for existing .deb files that match the current architecture
-        cd debian-packages
-        MATCHING_DEB_FILES=$(find . -name "*_${CURRENT_ARCH}.deb" -o -name "*_${CURRENT_ARCH}_*.deb" 2>/dev/null || true)
+        # Copy all wolfssl-related files (source and binary packages)
+        find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.deb" -exec cp {} /tmp/wolfprov-packages/ \;
+        find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.dsc" -exec cp {} /tmp/wolfprov-packages/ \;
+        find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.tar.gz" -exec cp {} /tmp/wolfprov-packages/ \;
+        find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.orig.tar.gz" -exec cp {} /tmp/wolfprov-packages/ \;
 
-        if [ -n "$MATCHING_DEB_FILES" ]; then
-          echo "Found matching .deb files for architecture $CURRENT_ARCH:"
-          echo "$MATCHING_DEB_FILES"
-          echo "Installing existing .deb files..."
-          dpkg -i $MATCHING_DEB_FILES
-        else
-          echo "No matching .deb files found for architecture $CURRENT_ARCH, rebuilding from source..."
-          dpkg-source -x wolfssl*.dsc
-          cd wolfssl*/
-          dpkg-buildpackage -b -us -uc
-          dpkg -i ../libwolfssl*.deb
-        fi
+        echo "WolfSSL files in artifacts directory:"
+        ls -la /tmp/wolfprov-packages/*wolfssl* || true
 
     - name: Build Debian package
       run: |
         # Bypass the warning prompt with 'yes Y' 
-        yes Y | ./scripts/build-wolfprovider.sh --debian
+        yes Y | ./scripts/build-wolfprovider.sh --debian $FIPS_FLAG
 
         # List generated packages
         echo "Generated Packages:"
@@ -114,7 +109,7 @@ jobs:
 
     - name: Test OpenSSL provider functionality
       run: |
-        PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider.conf"
+        PROVIDER_CONF="/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
         PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
 
         # Temporarily move wolfprovider config so we can toggle between providers
@@ -156,9 +151,9 @@ jobs:
         fi
 
         # Check if the config file is removed
-        if [ -f /etc/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+        if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
           echo "wolfprovider.conf still exists after package removal"
-          ls -la /etc/ssl/openssl.cnf.d/
+          ls -la /usr/lib/ssl/openssl.cnf.d/
           exit 1
         else
           echo "wolfprovider.conf successfully removed"
@@ -194,10 +189,12 @@ jobs:
 
     - name: Move package artifacts
       run: |
-        # Move the generated packages to the temp directory
-        mv ../*.deb $RUNNER_TEMP/ || true
-        mv ../*.dsc $RUNNER_TEMP/ || true
-        mv ../*.tar.gz $RUNNER_TEMP/ || true
+        # Create a clean artifacts directory
+        mkdir -p "/tmp/wolfprov-packages"
+        # Move the generated packages to the artifacts directory
+        mv ../*.deb /tmp/wolfprov-packages/ || true
+        mv ../*.dsc /tmp/wolfprov-packages/ || true
+        mv ../*.tar.gz /tmp/wolfprov-packages/ || true
 
     # Save the build outputs which for use in release packages
     - name: Upload package artifacts
@@ -206,7 +203,7 @@ jobs:
       with:
         name: wolfprovider-debian-packages
         path: |
-          ${{ runner.temp }}/*.deb
-          ${{ runner.temp }}/*.dsc
-          ${{ runner.temp }}/*.tar.gz
+          /tmp/wolfprov-packages/*.deb
+          /tmp/wolfprov-packages/*.dsc
+          /tmp/wolfprov-packages/*.tar.gz
         retention-days: 7

.gitignore

@@ -109,8 +109,27 @@ debian/*.deb
 debian/*.buildinfo
 debian/files
 debian/libwolfprov*
+debian/libssl-dev*
+debian/openssl*
+debian/libssl3*
+debian/libdefault0*
+debian/libdefault-wolf0*
 !debian/libwolfprov.install
 !debian/libwolfprov.postinst
 !debian/libwolfprov.postrm
 !debian/libwolfprov-dev.docs
 !debian/libwolfprov-dev.install
+!debian/openssl.cnf
+!debian/openssl.install
+!debian/openssl.postinst
+!debian/openssl.postrm
+!debian/libssl3.postinst
+!debian/libssl3.postrm
+!debian/libssl3.install
+!debian/libssl3.docs
+!debian/libssl3.install
+!debian/libssl3.postinst
+!debian/libssl3.postrm
+!debian/libdefault0.install
+!debian/libdefault-wolf0.install
+

Makefile.am

@@ -14,15 +14,6 @@ AM_CPPFLAGS = -I$(top_srcdir)/include
 
 lib_LTLIBRARIES = libwolfprov.la
 
-# Conditionally build libdefault.so when --replace-default is enabled
-if BUILD_REPLACE_DEFAULT
-# Install libdefault.la directly to OpenSSL lib directory
-openssldir = $(OPENSSL_LIB_DIR)
-openssl_LTLIBRARIES = libdefault.la
-libdefault_la_SOURCES = src/wp_default_replace.c
-libdefault_la_LIBADD = libwolfprov.la
-endif
-
 EXTRA_DIST+=ChangeLog.md
 EXTRA_DIST+=README.md
 EXTRA_DIST+=IDE

README-packaging.md

@@ -0,0 +1,88 @@
+# WolfProvider Debian Packaging
+This is the flow for building and installing 
+
+## Local build
+
+From the repo root, run the following command:
+```
+./scripts/build-wolfprovider.sh --debian
+```
+
+For a FIPS build, run the following:
+```
+./scripts/build-wolfprovider.sh --debian --enable-fips
+```
+
+The Debian packages are placed in the parent directory, which should be one level above the repo root.
+
+## CI build
+Instead of doing a local build as outlined above, we can alternatively use packages generated from CI.
+
+To use a build from CI for local install, download the artifacts from the Debian CI job. Then install the .deb's from the zip file with `apt` as shown below rather than from the build.
+
+## Install
+
+If not already done, install the WolfSSL Debian package. The non-FIPS version is available in this repo and is installed by the script below. This step is only needed once, and can be done prior to the `build-wolfprovider.sh` step above.
+```
+./debian/install-wolfssl.sh ./.github/packages/debian-wolfssl.tar.gz
+```
+
+For the script above, some systems may require additional packages:
+```
+apt install build-essential devscripts dh-exec
+```
+
+### Optionally install custom OpenSSL
+
+**Important**: before proceeding with the wolfProvider install, make sure packages are not present:
+```
+apt purge -y libwolfprov ; apt purge -y openssl-config ; apt purge -y openssl ; apt purge -y libssl3
+```
+
+Get the system architecture which determines the library paths for the following steps:
+```
+export CURRENT_ARCH=$(dpkg --print-architecture)
+```
+
+Then install the wolfProvider-specific OpenSSL. From the repo root:
+```
+apt install ../openssl*${CURRENT_ARCH}*.deb ../libssl3*${CURRENT_ARCH}*.deb
+```
+
+Check that the provider API is disabled since wolfProvider is not installed:
+```
+$ openssl list -providers
+Could not load libwolfprov.so. Is the libwolfprov package installed?
+  libwolfprov.so: cannot open shared object file: No such file or directory
+```
+
+### Install wolfProvider
+
+Then install wolfProvider:
+```
+apt install ../libwolfprov*${CURRENT_ARCH}*.deb
+```
+
+Confirm that wolfProvider is installed:
+```
+$ openssl list -providers
+```
+
+Output should look like this:
+```
+Providers:
+  default
+    name: wolfSSL Provider
+    version: 1.0.2
+    status: active
+```
+
+## Release process
+Always use CI to perform the release build to avoid potential errors from building locally.
+
+* Tag the wolfProvider repo in the format `vX.Y.Z`
+  * The changelog is generated by the Debian scripts
+* Run the Debian job in CI
+* Download the artifacts zip file which contains the .deb's
+* Generate release archives as needed
+

README.md

@@ -78,12 +78,6 @@ To remove all source directories, use the following:
 ./scripts/build-wolfprovider.sh --distclean
 ```
 
-To build a Debian package file, use the following command. 
-Note this will remove all ignored files in the repo, and there must be no staged changes.
-```
-./scripts/build-wolfprovider.sh --debian
-```
-
 Alternatively, you can manually compile each component using the following guide.
 
 ### OpenSSL

configure.ac

@@ -29,6 +29,12 @@ AC_LANG(C)
 # OpenSSL
 AC_CHECK_HEADERS([openssl/core.h])
 
+# Add libdefault-stub-install to LDFLAGS if replace-default will be enabled
+# (This needs to happen before OpenSSL check)
+if test "x$enable_replace_default" = "xyes"; then
+    LDFLAGS="$LDFLAGS -L./libdefault-stub-install/lib -ldefault"
+fi
+
 AX_CHECK_OPENSSL(
     [have_openssl=yes],
     AC_MSG_FAILURE([could not locate OpenSSL])
@@ -130,6 +136,11 @@ AC_ARG_ENABLE([replace-default],
     [ ENABLED_REPLACE_DEFAULT=no ]
     )
 
+# Add libdefault-stub-install to LDFLAGS when replace-default is enabled
+if test "x$ENABLED_REPLACE_DEFAULT" = "xyes"; then
+    LDFLAGS="$LDFLAGS -L./libdefault-stub-install/lib"
+fi
+
 AM_CONDITIONAL([BUILD_REPLACE_DEFAULT], [test "x$ENABLED_REPLACE_DEFAULT" = "xyes"])
 
 # Set OpenSSL lib directory for installing libdefault.so

debian/clean

@@ -0,0 +1 @@
+wolfProvider/scripts/build-release.log

debian/control

@@ -3,23 +3,47 @@ Section: libs
 Priority: optional
 Maintainer: WolfSSL <[email protected]>
 Standards-Version: 4.6.2
-Build-Depends: debhelper (>= 12),
-               devscripts,
-               pkgconf,
-               openssl,
-               libwolfssl,
-               libwolfssl-dev
+Rules-Requires-Root: no
+Build-Depends:
+ debhelper-compat (= 13),
+ devscripts,
+ dh-exec,
+ openssl,
+ git,
+ pkgconf,
+ libwolfssl-dev
 
+Package: libdefault0
+Section: libs
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: libdefault-wolf0
+Replaces: libdefault-wolf0
+Description: Default provider stub library (libdefault) for OpenSSL
+ This package provides the default libdefault shared library used by libcrypto.
+ It is the baseline/stub implementation intended for systems without wolfProvider.
+
+Package: libdefault-wolf0
+Section: libs
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: libdefault0
+Replaces: libdefault0
+Description: WolfSSL-backed libdefault replacement for OpenSSL
+ This package provides a WolfSSL-backed replacement of libdefault.
+ Installing it will replace the stub libdefault, giving precedence to the wolf variant.
 
 Package: libwolfprov
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl, libdefault-wolf0
 Provides: ${variant:provides}
 XB-Variant: ${variant}
 Description: wolfProvider library for OpenSSL — ${variant:desc}
  wolfProvider is a library that can be used as a Provider in OpenSSL.
  It provides cryptographic functionality through wolfSSL including:
- .
   * Hash functions (MD5, SHA-1, SHA-2, SHA-3)
   * Symmetric encryption (AES, DES)
   * Asymmetric cryptography (RSA, ECC, DH)
@@ -31,7 +55,40 @@ Description: wolfProvider library for OpenSSL — ${variant:desc}
 Package: libwolfprov-dev
 Architecture: any
 Section: libdevel
+Multi-Arch: same
 Depends: libwolfprov (= ${binary:Version}), ${misc:Depends}
-Description: Development files for wolfProvider
- This package contains the header files and development libraries
- needed to build applications using wolfProvider.
+XB-Variant: ${variant}
+Description: Development files for wolfProvider — ${variant:desc}
+ This package contains the headers and development files
+ for applications using wolfProvider.
+
+Package: openssl
+Architecture: any
+Section: utils
+Multi-Arch: foreign
+Depends: ${shlibs:Depends}, ${misc:Depends}, libdefault0 | libdefault-wolf0
+Description: Secure Sockets Layer toolkit - command line interface
+ This package contains the OpenSSL command line utility.
+ Built for use with wolfProvider.
+
+Package: libssl3
+Architecture: any
+Multi-Arch: same
+Depends: ${shlibs:Depends}, ${misc:Depends}, libdefault0 | libdefault-wolf0
+Breaks: libssl3 (<< 3.0.0)
+Replaces: libssl3
+Recommends: openssl
+Description: OpenSSL shared libraries (wolfProvider build)
+ This package contains the OpenSSL shared libraries built
+ for use with wolfProvider.
+
+Package: libssl-dev
+Architecture: any
+Section: libdevel
+Multi-Arch: same
+Depends: libssl3 (= ${binary:Version}), ${misc:Depends}
+Breaks: libssl-dev (<< 3.0.0)
+Replaces: libssl-dev
+Description: OpenSSL development files (wolfProvider build)
+ This package contains headers, pkg-config files and linker symlinks
+ for the OpenSSL version built for wolfProvider.