From 0279fa8f477784facd48527f951ba11725d6735b Mon Sep 17 00:00:00 2001 From: Paul Adelsbach Date: Mon, 29 Sep 2025 15:49:19 -0700 Subject: [PATCH 1/2] Re-enable non-replace-default builds for testing --- .github/workflows/debian-package.yml | 7 +--- .gitignore | 1 + debian/control | 6 +-- debian/libwolfprov.postinst | 61 ++++++++++++++++------------ debian/libwolfprov.triggers | 8 ++++ scripts/verify-install.sh | 4 +- 6 files changed, 51 insertions(+), 36 deletions(-) create mode 100644 debian/libwolfprov.triggers diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 45b1d6c3..3a100091 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -27,9 +27,6 @@ jobs: replace_default: [ true ] libwolfprov-standalone: - # Standalone mode is disabled until we re-enable support for it in the debian build. - if: false - runs-on: ubuntu-22.04 needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment @@ -43,7 +40,7 @@ jobs: matrix: wolfssl_ref: [ 'v5.8.2-stable' ] openssl_ref: [ 'openssl-3.5.2' ] - replace_default: [ true ] + replace_default: [ false ] env: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages @@ -165,7 +162,7 @@ jobs: echo "Package uninstallation and cleanup verification successful" - libwolfprov-with-openssl: + libwolfprov-replace-default: runs-on: ubuntu-22.04 needs: build_wolfprovider # Run inside Debian Bookworm to match packaging environment diff --git a/.gitignore b/.gitignore index 5e86d412..fdd5741c 100644 --- a/.gitignore +++ b/.gitignore @@ -117,4 +117,5 @@ debian/libssl3* !debian/*.postrm !debian/*.docs !debian/*.links +!debian/*.triggers diff --git a/debian/control b/debian/control index d8d9a993..a923f182 100644 --- a/debian/control +++ b/debian/control 
@@ -14,7 +14,8 @@ Build-Depends: Package: libwolfprov Architecture: any Multi-Arch: same -Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl +Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2) +Recommends: openssl Provides: ${variant:provides} XB-Variant: ${variant} Description: wolfProvider library for OpenSSL — ${variant:desc} @@ -43,9 +44,8 @@ Architecture: any Section: utils Multi-Arch: foreign Depends: ${shlibs:Depends}, ${misc:Depends} -Description: Secure Sockets Layer toolkit - command line interface +Description: Secure Sockets Layer toolkit - command line interface (wolfProvider build) This package contains the OpenSSL command line utility. - Built for use with wolfProvider. Package: libssl3 Architecture: any diff --git a/debian/libwolfprov.postinst b/debian/libwolfprov.postinst index a8c3a105..497c0c5c 100755 --- a/debian/libwolfprov.postinst +++ b/debian/libwolfprov.postinst 
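Review bot: Relaxing `openssl` from Depends to Recommends interacts with the mode detection that this same patch puts into libwolfprov.postinst, which keys off `openssl version | grep wolfProvider`: on a replace-default system installed with `--no-install-recommends`, the wolfProvider-built `libssl3` is present but the CLI is not, so the script falls back to standalone behaviour and appends the `.include` line, producing the double provider init the postinst comment says it is trying to avoid. If the CLI is meant to be optional, detection should key off what is actually installed rather than a binary on `$PATH` — for example a `dpkg-query -W libssl3` version/variant check — and the `Recommends: openssl` line deserves a short comment saying the CLI is optional and how mode is detected without it. I cannot see how `${variant:provides}` is populated, so whether a `Provides:` marker could carry the mode instead is unverified from this hunk.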
@@ -1,35 +1,44 @@ #!/bin/sh set -e -# We currently only support "replace default" mode. -# In this mode, we don't need to modify the system openssl.cnf file -# since our modified openssl references libwolfprov.so explicitly. -# In the future, we should add scripting here to find the system openssl.cnf file -# and add the include line to it. Note that the code below -# references a hardcoded path which may not be correct for all systems. +# Define the include line to add to the openssl.cnf file +INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf" -# INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf" -# CONF_FILE="/usr/lib/ssl/openssl.cnf" -# CONF_DEFAULT="/usr/share/openssl-defaults/openssl.cnf" +# Search for the openssl.cnf file in /usr, /lib and /etc +CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null) -# # Copy from our template if it doesn't exist -# if [ ! -f "$CONF_FILE" ]; then -# echo "Config file does not exist: $CONF_FILE" -# if [ -f "$CONF_DEFAULT" ]; then -# install -Dm644 "$CONF_DEFAULT" "$CONF_FILE" -# else -# echo "Default config file does not exist: $CONF_DEFAULT" -# exit 1 -# fi -# fi +# Check if we are in replace-default mode by reading the openssl version +REPLACE_DEFAULT=0 +if command -v openssl >/dev/null 2>&1; then + OPENSSL_VERSION=$(openssl version) + if echo "$OPENSSL_VERSION" | grep -q "wolfProvider"; then + REPLACE_DEFAULT=1 + fi +fi -# # Add include for wolfprovider config file if not already present -# if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then -# echo "Include line already exists in $CONF_FILE" -# else -# echo "Adding include for wolfprovider to $CONF_FILE..." -# sed -i "/^openssl_conf/ a $INCLUDE_LINE" "$CONF_FILE" -# fi +if [ $REPLACE_DEFAULT -eq 1 ]; then + # Remove INCLUDE_LINE from each CONF_FILE + # Replace default mode should automatically find wolfProvider. + # Using the config file or OPENSSL_CONF will cause: + # 1. 
the provider name to be 'libwolfprov' instead of 'default' + # 2. the provider init call to happen twice + # Neither of these is harmful, but it's not ideal. + for CONF_FILE in $CONF_FILES; do + # Remove any line containing both ".include" and "wolfprovider.conf" + sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE" + printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE" + done +else + # For each CONF_FILE, apply the include line to the openssl.cnf file, if not already applied + for CONF_FILE in $CONF_FILES; do + if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then + echo "Include line already exists in $CONF_FILE" + else + echo "Adding include for wolfprovider to $CONF_FILE..." + echo "$INCLUDE_LINE" >> "$CONF_FILE" + fi + done +fi #DEBHELPER# exit 0 diff --git a/debian/libwolfprov.triggers b/debian/libwolfprov.triggers new file mode 100644 index 00000000..421724bc --- /dev/null +++ b/debian/libwolfprov.triggers @@ -0,0 +1,8 @@ +# Re-run our setup whenever OpenSSL config or module dirs change +interest-noawait /etc/ssl/openssl.cnf +interest-noawait /etc/ssl/openssl.cnf.d +interest-noawait /lib/ssl/openssl.cnf +interest-noawait /lib/ssl/openssl.cnf.d +interest-noawait /usr/lib/ssl/openssl.cnf +interest-noawait /usr/lib/ssl/openssl.cnf.d + diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh index afb727fd..b5623d47 100755 --- a/scripts/verify-install.sh +++ b/scripts/verify-install.sh @@ -152,9 +152,9 @@ verify_openssl_version() { if [ $replace_default -eq 0 ]; then # Verify that wolfProv (case-insensitive) is in the version output if echo "$version_output" | grep -qi "wolfProv"; then - log_success "wolfProv is in the version output" + handle_error "wolfProv is in the version output" else - handle_error "wolfProv is not in the version output" + log_success "wolfProv is not in the version output" fi else # Verify that wolfProvider (case-insensitive) is in the version output 
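Review bot: The new `CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)` makes a root-privileged maintainer script edit every file of that name anywhere under three top-level trees — other packages' copies, example configs, and symlinks (`find -name` matches link names) — and the unquoted `for CONF_FILE in $CONF_FILES` word-splits on any path containing whitespace. In the replace-default branch `sed -i` without `--follow-symlinks` will, by default with GNU sed, replace a symlinked `openssl.cnf` with a regular file, which matters once `/usr/lib/ssl/openssl.cnf` becomes a symlink to `/etc/ssl/openssl.cnf` via `debian/openssl.links` later in this series. Scope the search to the same locations the new triggers file watches and to regular files only: `CONF_FILES=$(find /etc/ssl /lib/ssl /usr/lib/ssl -maxdepth 1 -type f -name openssl.cnf 2>/dev/null)`. The mode detection also runs whichever `openssl` is first in `$PATH`; in a maintainer script that should be the absolute `/usr/bin/openssl`, or a comment should say why PATH lookup is acceptable. Appending `.include` at end of file, instead of after the `openssl_conf` key as the old commented code did, only works if `wolfprovider.conf` opens with its own section header — worth a one-line comment stating that assumption.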
From a29736f007c7f03a0f3fe1ea35481645dc2c95d0 Mon Sep 17 00:00:00 2001 From: Paul Adelsbach Date: Thu, 9 Oct 2025 08:51:55 -0700 Subject: [PATCH 2/2] Update location of default openssl.cnf --- .github/workflows/debian-package.yml | 61 ++++++++++++++++++---------- .gitignore | 3 ++ debian/libwolfprov.install | 4 +- debian/libwolfprov.postinst | 2 +- debian/libwolfprov.postrm | 23 +++++++++++ debian/libwolfprov.triggers | 2 - debian/openssl.install | 2 +- debian/openssl.links | 6 +++ debian/openssl.postinst | 19 --------- debian/openssl.postrm | 11 ----- debian/rules | 11 +++-- debian/shlibs.local | 3 ++ 12 files changed, 84 insertions(+), 63 deletions(-) create mode 100644 debian/libwolfprov.postrm create mode 100644 debian/openssl.links delete mode 100644 debian/openssl.postinst delete mode 100644 debian/openssl.postrm create mode 100644 debian/shlibs.local diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml index 3a100091..b32a7959 100644 --- a/.github/workflows/debian-package.yml +++ b/.github/workflows/debian-package.yml @@ -45,6 +45,7 @@ jobs: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages + WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf steps: - name: Checkout wolfProvider uses: actions/checkout@v4 
@@ -83,17 +84,16 @@ jobs: - name: Test OpenSSL provider functionality run: | - PROVIDER_CONF="/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf" - PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup" + WOLFPROV_CONF_BACKUP="/tmp/wolfprovider.conf.backup" # Temporarily move wolfprovider config so we can toggle between providers echo "Temporarily disabling wolfprovider for default provider tests:" mkdir -p /tmp/openssl-test - if [ -f $PROVIDER_CONF ]; then - mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP - echo " - Moved $PROVIDER_CONF to $PROVIDER_CONF_BACKUP" + if [ -f $WOLFPROV_CONF_FILE ]; then + mv $WOLFPROV_CONF_FILE $WOLFPROV_CONF_BACKUP + echo " - Moved $WOLFPROV_CONF_FILE to $WOLFPROV_CONF_BACKUP" else - echo "$PROVIDER_CONF not found!" + echo "$WOLFPROV_CONF_FILE not found!" exit 1 fi @@ -103,9 +103,9 @@ jobs: # Restore wolfprovider configuration echo "Restoring wolfprovider configuration:" - if [ -f $PROVIDER_CONF_BACKUP ]; then - mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF - echo " - Restored $PROVIDER_CONF from $PROVIDER_CONF_BACKUP" + if [ -f $WOLFPROV_CONF_BACKUP ]; then + mv $WOLFPROV_CONF_BACKUP $WOLFPROV_CONF_FILE + echo " - Restored $WOLFPROV_CONF_FILE from $WOLFPROV_CONF_BACKUP" fi echo "PASS: All provider interoperability tests successful" 
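Review bot: The renamed variables are still expanded unquoted in `mv $WOLFPROV_CONF_FILE $WOLFPROV_CONF_BACKUP` and the `[ -f $WOLFPROV_CONF_FILE ]` tests; quote them (`mv "$WOLFPROV_CONF_FILE" "$WOLFPROV_CONF_BACKUP"`) so the step does not silently depend on the path containing no whitespace. The restore block at the bottom only runs if every command between the move and the restore succeeds, since the default `run` shell exits on the first error, so a failing provider test leaves the container without `wolfprovider.conf` and any later step in the job inspects a misleading state; `trap 'mv -f "$WOLFPROV_CONF_BACKUP" "$WOLFPROV_CONF_FILE" 2>/dev/null || true' EXIT` placed right after the move would make the restore unconditional. The provider tests between the move and the restore lie outside this hunk.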
@@ -113,6 +113,26 @@ jobs: - name: Uninstall package and verify cleanup run: | # Uninstall the package + apt-get remove -y libwolfprov + + # Verify default OpenSSL provider is active + echo "Verifying Default Provider is Active:" + openssl list -providers + + # Verify that the default provider is present and active + echo "Checking default provider status:" + if openssl list -providers | grep -q "default" && \ + openssl list -providers | grep -q "OpenSSL Default Provider" && \ + openssl list -providers | grep -q "status: active"; then + echo "Default provider is present and active" + else + echo "Default provider verification failed" + echo "Provider output:" + openssl list -providers + exit 1 + fi + + # Purge the package to remove all files apt-get remove --purge -y libwolfprov # Verify the package is removed @@ -125,27 +145,24 @@ jobs: fi # Check if the config file is removed - if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then + if [ -f $WOLFPROV_CONF_FILE ]; then echo "wolfprovider.conf still exists after package removal" - ls -la /usr/lib/ssl/openssl.cnf.d/ + ls -la $(dirname $WOLFPROV_CONF_FILE) exit 1 else echo "wolfprovider.conf successfully removed" fi # Check if the library files are removed - if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then + WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*") + if [ -n "$WOLFPROV_OBJS" ]; then echo "libwolfprov.so still exists after package removal" - find /usr/lib -name "libwolfprov.so*" 2>/dev/null || true + echo "$WOLFPROV_OBJS" exit 1 else echo "libwolfprov.so successfully removed" fi - # Verify default OpenSSL provider is active - echo "Verifying Default Provider is Active:" - openssl list -providers - # Verify that the default provider is present and active echo "Checking default provider status:" if openssl list -providers | grep -q "default" && \ 
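Review bot: The new post-`remove` check proves the default provider is active but never checks the one thing the new `libwolfprov.postrm` is responsible for — that the `.include ... wolfprovider.conf` line is actually gone from `/etc/ssl/openssl.cnf` — so a postrm that leaves the line in place would only be caught indirectly, if at all, through the provider listing. Add a direct assertion right after `apt-get remove -y libwolfprov`: `if grep -q wolfprovider.conf /etc/ssl/openssl.cnf; then echo "stale .include left in openssl.cnf"; exit 1; fi`. That also distinguishes a cleanup failure from an unrelated provider-loading failure, which the current `grep -q "default"` chain cannot do.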
@@ -181,6 +198,7 @@ jobs: WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages OPENSSL_PACKAGES_PATH: /tmp/openssl-packages WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages + WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf steps: - name: Checkout wolfProvider uses: actions/checkout@v4 @@ -251,17 +269,18 @@ jobs: echo "Verifying wolfprov configuration..." # Check if configuration file exists - if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then + if [ -f $WOLFPROV_CONF_FILE ]; then echo "SUCCESS: wolfprovider.conf exists" - cat /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf + cat $WOLFPROV_CONF_FILE else echo "WARNING: wolfprovider.conf not found" fi # Check if library file exists - if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then + WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*") + if [ -n "$WOLFPROV_OBJS" ]; then echo "SUCCESS: libwolfprov.so exists" - find /usr/lib -name "libwolfprov.so*" 2>/dev/null + echo "$WOLFPROV_OBJS" else echo "WARNING: libwolfprov.so not found" fi diff --git a/.gitignore b/.gitignore index fdd5741c..3e70a287 100644 --- a/.gitignore +++ b/.gitignore @@ -84,6 +84,8 @@ test/**/*.trs test/**/*.o test/**/.deps/ test/**/.dirstamp +req_outputs +scripts/cmd_test/req-test.log IDE/Android/android-ndk-r26b/ IDE/Android/openssl-source/ @@ -118,4 +120,5 @@ debian/libssl3* !debian/*.docs !debian/*.links !debian/*.triggers +!debian/shlib.local diff --git a/debian/libwolfprov.install b/debian/libwolfprov.install index 0a25d1c8..4c5976b0 100644 --- a/debian/libwolfprov.install +++ b/debian/libwolfprov.install @@ -1,3 +1,3 @@ usr/lib/*/ossl-modules/libwolfprov.so.0.0.0 -usr/lib/ssl/openssl.cnf.d -usr/lib/ssl/openssl.cnf.d/wolfprovider.conf +etc/ssl/openssl.cnf.d +etc/ssl/openssl.cnf.d/wolfprovider.conf diff --git a/debian/libwolfprov.postinst b/debian/libwolfprov.postinst index 497c0c5c..c9218fd4 100755 --- a/debian/libwolfprov.postinst +++ b/debian/libwolfprov.postinst 
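Review bot: The new negation `!debian/shlib.local` does not match the file this patch creates, `debian/shlibs.local` (note the `s`); if `debian/` is covered by a broader ignore rule earlier in the file — the surrounding `!debian/*.postrm` and `!debian/*.links` negations suggest it is — the shlibs file will be silently untracked on a fresh clone and `dpkg-shlibdeps` will lose the `libwolfssl 44` mapping that the file exists to provide. Change the line to `!debian/shlibs.local`. The broader ignore rule itself is outside this hunk, so I cannot confirm from here that the file is currently being dropped.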
@@ -2,7 +2,7 @@ set -e # Define the include line to add to the openssl.cnf file -INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf" +INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/wolfprovider.conf" # Search for the openssl.cnf file in /usr, /lib and /etc CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null) diff --git a/debian/libwolfprov.postrm b/debian/libwolfprov.postrm new file mode 100644 index 00000000..b60d90d9 --- /dev/null +++ b/debian/libwolfprov.postrm @@ -0,0 +1,23 @@ +#!/bin/sh +set -e + +# On removal/purge of libwolfprov, ensure any include of wolfprovider.conf +# is removed from system openssl.cnf files to avoid stale includes. + +# Search for the openssl.cnf file in /usr, /lib and /etc +CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null) + +case "$1" in +remove|purge) + for CONF_FILE in $CONF_FILES; do + # Remove any line containing both ".include" and "wolfprovider.conf" + sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE" + printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE" + done + ;; +esac + +#DEBHELPER# +exit 0 + + diff --git a/debian/libwolfprov.triggers b/debian/libwolfprov.triggers index 421724bc..9ed1a3c8 100644 --- a/debian/libwolfprov.triggers +++ b/debian/libwolfprov.triggers @@ -3,6 +3,4 @@ interest-noawait /etc/ssl/openssl.cnf interest-noawait /etc/ssl/openssl.cnf.d interest-noawait /lib/ssl/openssl.cnf interest-noawait /lib/ssl/openssl.cnf.d -interest-noawait /usr/lib/ssl/openssl.cnf -interest-noawait /usr/lib/ssl/openssl.cnf.d diff --git a/debian/openssl.install b/debian/openssl.install index dc8bc1fc..85c6ccba 100644 --- a/debian/openssl.install +++ b/debian/openssl.install @@ -1,2 +1,2 @@ usr/bin/openssl -usr/share/openssl-defaults/openssl.cnf +etc/ssl/openssl.cnf diff --git a/debian/openssl.links b/debian/openssl.links new file mode 100644 index 00000000..c994c275 --- /dev/null +++ b/debian/openssl.links 
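Review bot: The new postrm repeats the unscoped `find /usr /lib /etc -name openssl.cnf` and then runs `sed -i` under `set -e` on each hit, so a single unwritable or symlinked match (a read-only bind mount, a documentation copy, or the `/usr/lib/ssl/openssl.cnf` symlink, which GNU `sed -i` replaces with a regular file by default) aborts package removal and leaves libwolfprov half-removed with the `.include` line still in the real `/etc/ssl/openssl.cnf`. Scope the search to the locations the triggers file watches — `CONF_FILES=$(find /etc/ssl /lib/ssl /usr/lib/ssl -maxdepth 1 -type f -name openssl.cnf 2>/dev/null)` — and make the edit best-effort so one bad file never blocks removal: `sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE" || echo "warning: could not clean $CONF_FILE" >&2`. Since this search is now duplicated from libwolfprov.postinst, a comment such as `# Keep this search in step with libwolfprov.postinst` would help the next maintainer keep the two consistent.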
@@ -0,0 +1,6 @@ +# openssl expects the conf file under /usr/lib/ssl, so ensure the symlink +# is set to match the normal install +/etc/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf +# Other symlinks expected by Debian +/etc/ssl/certs /usr/lib/ssl/certs +/etc/ssl/private /usr/lib/ssl/private diff --git a/debian/openssl.postinst b/debian/openssl.postinst deleted file mode 100644 index 6b12047c..00000000 --- a/debian/openssl.postinst +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -set -e - -CONF_FILE="/usr/lib/ssl/openssl.cnf" -CONF_DEFAULT="/usr/share/openssl-defaults/openssl.cnf" - -# Copy from our template if it doesn't exist -if [ ! -f "$CONF_FILE" ]; then - echo "Config file does not exist: $CONF_FILE" - if [ -f "$CONF_DEFAULT" ]; then - install -Dm644 "$CONF_DEFAULT" "$CONF_FILE" - else - echo "Default config file does not exist: $CONF_DEFAULT" - exit 1 - fi -fi - -#DEBHELPER# -exit 0 \ No newline at end of file diff --git a/debian/openssl.postrm b/debian/openssl.postrm deleted file mode 100644 index ffb449dd..00000000 --- a/debian/openssl.postrm +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -set -e - -case "$1" in - remove|purge) - rm -rf /usr/share/openssl-defaults - ;; -esac - -#DEBHELPER# -exit 0 diff --git a/debian/rules b/debian/rules index 47d05767..2f22f071 100755 --- a/debian/rules +++ b/debian/rules 
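Review bot: The new links make `/usr/lib/ssl/certs` and `/usr/lib/ssl/private` point at `/etc/ssl/certs` and `/etc/ssl/private`, but nothing visible in this series creates those two directories — the `debian/rules` hunk only creates `etc/ssl` and `etc/ssl/openssl.cnf.d` — so in replace-default mode, where this package stands in for Debian's `openssl`, the links may dangle and, more importantly, `/etc/ssl/private` would not be shipped with the restrictive mode Debian's package gives it. If they are not created elsewhere in `debian/rules`, add `install -d -m 0755 $(DESTDIR)/etc/ssl/certs` and `install -d -m 0700 $(DESTDIR)/etc/ssl/private` next to the `etc/ssl` install, and note in this file's header comment that the targets are shipped by this package. The rest of `debian/rules` is outside this view, so this may already be handled.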
@@ -80,15 +80,14 @@ override_dh_auto_install: $(DESTDIR)/usr/include/wolfprovider/ # Install provider config file - install -d $(DESTDIR)/usr/lib/ssl/openssl.cnf.d + install -d $(DESTDIR)/etc/ssl/openssl.cnf.d install -m644 ./$(PROVIDER_CONF) \ - $(DESTDIR)/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf + $(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf - # Install default openssl.cnf template (do NOT ship it directly in /usr/lib/ssl) - # The postinstall script will handle copying it to the system location - install -d $(DESTDIR)/usr/share/openssl-defaults + # Install openssl.cnf directly into /etc/ssl + install -d $(DESTDIR)/etc/ssl install -m 0644 ./openssl-source/apps/openssl.cnf \ - $(DESTDIR)/usr/share/openssl-defaults/openssl.cnf + $(DESTDIR)/etc/ssl/openssl.cnf # Install pkg-config files for libssl-dev install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig diff --git a/debian/shlibs.local b/debian/shlibs.local new file mode 100644 index 00000000..efe9d977 --- /dev/null +++ b/debian/shlibs.local @@ -0,0 +1,3 @@ +# For the case where wolfssl is not installed on the system, +# we must specify that libwolfssl.so.44 comes from the libwolfssl package. +libwolfssl 44 libwolfssl (>= 5.8.2)
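Review bot: Installing `openssl-source/apps/openssl.cnf` straight into `$(DESTDIR)/etc/ssl/openssl.cnf` turns it into a dpkg conffile (debhelper registers files under `/etc` automatically), which changes the behaviour the removed template-plus-postinst approach had: that code only created the file when none existed, whereas a conffile is reconciled by dpkg on every upgrade, and a file that libwolfprov.postinst has appended a `.include` line to counts as locally modified, so upgrades of the `openssl` package will hit the conffile-changed prompt or, under a non-interactive policy, keep the old content. At minimum add a comment above the `install -m 0644 ./openssl-source/apps/openssl.cnf` line: `# Becomes a dpkg conffile; libwolfprov.postinst/postrm edit it in standalone mode, so upgrades may see it as locally modified`. Whether a directory-style `.include` shipped inside this openssl.cnf could remove the need for post-install editing depends on the wolfProvider-build semantics described in the postinst comment, which I cannot judge from this hunk. I am inferring the conffile registration from debhelper's default behaviour; the visible `debian/rules` fragment neither confirms nor overrides it.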