Re-enable non-replace-default builds

.github/workflows/debian-package.yml

@@ -27,9 +27,6 @@ jobs:
         replace_default: [ true ]
 
   libwolfprov-standalone:
-    # Standalone mode is disabled until we re-enable support for it in the debian build.
-    if: false
-
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # Run inside Debian Bookworm to match packaging environment
@@ -43,11 +40,12 @@ jobs:
       matrix:
         wolfssl_ref: [ 'v5.8.2-stable' ]
         openssl_ref: [ 'openssl-3.5.2' ]
-        replace_default: [ true ]
+        replace_default: [ false ]
     env:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
       WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -86,17 +84,16 @@ jobs:
 
       - name: Test OpenSSL provider functionality
         run: |
-          PROVIDER_CONF="/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
-          PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
+          WOLFPROV_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
 
           # Temporarily move wolfprovider config so we can toggle between providers
           echo "Temporarily disabling wolfprovider for default provider tests:"
           mkdir -p /tmp/openssl-test
-          if [ -f $PROVIDER_CONF ]; then
-            mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP
-            echo "   - Moved $PROVIDER_CONF to $PROVIDER_CONF_BACKUP"
+          if [ -f $WOLFPROV_CONF_FILE ]; then
+            mv $WOLFPROV_CONF_FILE $WOLFPROV_CONF_BACKUP
+            echo "   - Moved $WOLFPROV_CONF_FILE to $WOLFPROV_CONF_BACKUP"
           else
-            echo "$PROVIDER_CONF not found!"
+            echo "$WOLFPROV_CONF_FILE not found!"
             exit 1
           fi
 
@@ -106,16 +103,36 @@ jobs:
 
           # Restore wolfprovider configuration
           echo "Restoring wolfprovider configuration:"
-          if [ -f $PROVIDER_CONF_BACKUP ]; then
-            mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF
-            echo "   - Restored $PROVIDER_CONF from $PROVIDER_CONF_BACKUP"
+          if [ -f $WOLFPROV_CONF_BACKUP ]; then
+            mv $WOLFPROV_CONF_BACKUP $WOLFPROV_CONF_FILE
+            echo "   - Restored $WOLFPROV_CONF_FILE from $WOLFPROV_CONF_BACKUP"
           fi
 
           echo "PASS: All provider interoperability tests successful"
 
       - name: Uninstall package and verify cleanup
         run: |
           # Uninstall the package
+          apt-get remove -y libwolfprov
+
+          # Verify default OpenSSL provider is active
+          echo "Verifying Default Provider is Active:"
+          openssl list -providers
+
+          # Verify that the default provider is present and active
+          echo "Checking default provider status:"
+          if openssl list -providers | grep -q "default" && \
+            openssl list -providers | grep -q "OpenSSL Default Provider" && \
+            openssl list -providers | grep -q "status: active"; then
+            echo "Default provider is present and active"
+          else
+            echo "Default provider verification failed"
+            echo "Provider output:"
+            openssl list -providers
+            exit 1
+          fi
+
+          # Purge the package to remove all files
           apt-get remove --purge -y libwolfprov
 
           # Verify the package is removed
@@ -128,27 +145,24 @@ jobs:
           fi
 
           # Check if the config file is removed
-          if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+          if [ -f $WOLFPROV_CONF_FILE ]; then
             echo "wolfprovider.conf still exists after package removal"
-            ls -la /usr/lib/ssl/openssl.cnf.d/
+            ls -la $(dirname $WOLFPROV_CONF_FILE)
             exit 1
           else
             echo "wolfprovider.conf successfully removed"
           fi
 
           # Check if the library files are removed
-          if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
+          if [ -n "$WOLFPROV_OBJS" ]; then
             echo "libwolfprov.so still exists after package removal"
-            find /usr/lib -name "libwolfprov.so*" 2>/dev/null || true
+            echo "$WOLFPROV_OBJS"
             exit 1
           else
             echo "libwolfprov.so successfully removed"
           fi
 
-          # Verify default OpenSSL provider is active
-          echo "Verifying Default Provider is Active:"
-          openssl list -providers
-
           # Verify that the default provider is present and active
           echo "Checking default provider status:"
           if openssl list -providers | grep -q "default" && \
@@ -165,7 +179,7 @@ jobs:
           echo "Package uninstallation and cleanup verification successful"
 
 
-  libwolfprov-with-openssl:
+  libwolfprov-replace-default:
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # Run inside Debian Bookworm to match packaging environment
@@ -184,6 +198,7 @@ jobs:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
       WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -254,17 +269,18 @@ jobs:
           echo "Verifying wolfprov configuration..."
 
           # Check if configuration file exists
-          if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+          if [ -f $WOLFPROV_CONF_FILE ]; then
             echo "SUCCESS: wolfprovider.conf exists"
-            cat /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+            cat $WOLFPROV_CONF_FILE
           else
             echo "WARNING: wolfprovider.conf not found"
           fi
 
           # Check if library file exists
-          if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
+          if [ -n "$WOLFPROV_OBJS" ]; then
             echo "SUCCESS: libwolfprov.so exists"
-            find /usr/lib -name "libwolfprov.so*" 2>/dev/null
+            echo "$WOLFPROV_OBJS"
           else
             echo "WARNING: libwolfprov.so not found"
           fi

.gitignore

@@ -84,6 +84,8 @@ test/**/*.trs
 test/**/*.o
 test/**/.deps/
 test/**/.dirstamp
+req_outputs
+scripts/cmd_test/req-test.log
 
 IDE/Android/android-ndk-r26b/
 IDE/Android/openssl-source/
@@ -117,4 +119,6 @@ debian/libssl3*
 !debian/*.postrm
 !debian/*.docs
 !debian/*.links
+!debian/*.triggers
+!debian/shlib.local
 

debian/control

@@ -14,7 +14,8 @@ Build-Depends:
 Package: libwolfprov
 Architecture: any
 Multi-Arch: same
-Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2), openssl
+Depends: ${shlibs:Depends}, ${misc:Depends}, libssl3 (>= 3.0.3), libwolfssl (>= 5.8.2)
+Recommends: openssl
 Provides: ${variant:provides}
 XB-Variant: ${variant}
 Description: wolfProvider library for OpenSSL — ${variant:desc}
@@ -43,9 +44,8 @@ Architecture: any
 Section: utils
 Multi-Arch: foreign
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Secure Sockets Layer toolkit - command line interface
+Description: Secure Sockets Layer toolkit - command line interface (wolfProvider build)
  This package contains the OpenSSL command line utility.
- Built for use with wolfProvider.
 
 Package: libssl3
 Architecture: any

debian/libwolfprov.install

@@ -1,3 +1,3 @@
 usr/lib/*/ossl-modules/libwolfprov.so.0.0.0
-usr/lib/ssl/openssl.cnf.d
-usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+etc/ssl/openssl.cnf.d
+etc/ssl/openssl.cnf.d/wolfprovider.conf

debian/libwolfprov.postinst

@@ -1,35 +1,44 @@
 #!/bin/sh
 set -e
 
-# We currently only support "replace default" mode.
-# In this mode, we don't need to modify the system openssl.cnf file 
-# since our modified openssl references libwolfprov.so explicitly.
-# In the future, we should add scripting here to find the system openssl.cnf file
-# and add the include line to it. Note that the code below 
-# references a hardcoded path which may not be correct for all systems.
+# Define the include line to add to the openssl.cnf file
+INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/wolfprovider.conf"
 
-# INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
-# CONF_FILE="/usr/lib/ssl/openssl.cnf"
-# CONF_DEFAULT="/usr/share/openssl-defaults/openssl.cnf"
+# Search for the openssl.cnf file in /usr, /lib and /etc
+CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
 
-# # Copy from our template if it doesn't exist
-# if [ ! -f "$CONF_FILE" ]; then
-#     echo "Config file does not exist: $CONF_FILE"
-#     if [ -f "$CONF_DEFAULT" ]; then
-#         install -Dm644 "$CONF_DEFAULT" "$CONF_FILE"
-#     else
-#         echo "Default config file does not exist: $CONF_DEFAULT"
-#         exit 1
-#     fi
-# fi
+# Check if we are in replace-default mode by reading the openssl version
+REPLACE_DEFAULT=0
+if command -v openssl >/dev/null 2>&1; then
+    OPENSSL_VERSION=$(openssl version)
+    if echo "$OPENSSL_VERSION" | grep -q "wolfProvider"; then
+        REPLACE_DEFAULT=1
+    fi  
+fi
 
-# # Add include for wolfprovider config file if not already present
-# if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then
-#     echo "Include line already exists in $CONF_FILE"
-# else 
-#     echo "Adding include for wolfprovider to $CONF_FILE..."
-#     sed -i "/^openssl_conf/ a $INCLUDE_LINE" "$CONF_FILE"
-# fi
+if [ $REPLACE_DEFAULT -eq 1 ]; then
+    # Remove INCLUDE_LINE from each CONF_FILE
+    # Replace default mode should automatically find wolfProvider.
+    # Using the config file or OPENSSL_CONF will cause:
+    #   1. the provider name to be 'libwolfprov' instead of 'default'
+    #   2. the provider init call to happen twice
+    # Neither of these is harmful, but it's not ideal.
+    for CONF_FILE in $CONF_FILES; do
+        # Remove any line containing both ".include" and "wolfprovider.conf"
+        sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE"
+        printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE"
+    done
+else
+    # For each CONF_FILE, apply the include line to the openssl.cnf file, if not already applied
+    for CONF_FILE in $CONF_FILES; do
+        if grep -qF "$INCLUDE_LINE" "$CONF_FILE"; then
+            echo "Include line already exists in $CONF_FILE"
+        else 
+            echo "Adding include for wolfprovider to $CONF_FILE..."
+            echo "$INCLUDE_LINE" >> "$CONF_FILE"
+        fi
+    done
+fi
 
 #DEBHELPER#
 exit 0

debian/libwolfprov.postrm

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+# On removal/purge of libwolfprov, ensure any include of wolfprovider.conf
+# is removed from system openssl.cnf files to avoid stale includes.
+
+# Search for the openssl.cnf file in /usr, /lib and /etc
+CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
+
+case "$1" in
+remove|purge)
+    for CONF_FILE in $CONF_FILES; do
+        # Remove any line containing both ".include" and "wolfprovider.conf"
+        sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE"
+        printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE"
+    done
+    ;;
+esac
+
+#DEBHELPER#
+exit 0
+
+

debian/libwolfprov.triggers

@@ -0,0 +1,6 @@
+# Re-run our setup whenever OpenSSL config or module dirs change
+interest-noawait /etc/ssl/openssl.cnf
+interest-noawait /etc/ssl/openssl.cnf.d
+interest-noawait /lib/ssl/openssl.cnf
+interest-noawait /lib/ssl/openssl.cnf.d
+

debian/openssl.install

@@ -1,2 +1,2 @@
 usr/bin/openssl
-usr/share/openssl-defaults/openssl.cnf
+etc/ssl/openssl.cnf

debian/openssl.links

@@ -0,0 +1,6 @@
+# openssl expects the conf file under /usr/lib/ssl, so ensure the symlink
+# is set to match the normal install
+/etc/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf
+# Other symlinks expected by Debian
+/etc/ssl/certs       /usr/lib/ssl/certs
+/etc/ssl/private     /usr/lib/ssl/private

debian/rules

@@ -80,15 +80,14 @@ override_dh_auto_install:
 		$(DESTDIR)/usr/include/wolfprovider/
 
 	# Install provider config file
-	install -d $(DESTDIR)/usr/lib/ssl/openssl.cnf.d
+	install -d $(DESTDIR)/etc/ssl/openssl.cnf.d
 	install -m644 ./$(PROVIDER_CONF) \
-		$(DESTDIR)/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+		$(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf
 
-	# Install default openssl.cnf template (do NOT ship it directly in /usr/lib/ssl)
-	# The postinstall script will handle copying it to the system location
-	install -d $(DESTDIR)/usr/share/openssl-defaults
+	# Install openssl.cnf directly into /etc/ssl
+	install -d $(DESTDIR)/etc/ssl
 	install -m 0644 ./openssl-source/apps/openssl.cnf \
-		$(DESTDIR)/usr/share/openssl-defaults/openssl.cnf
+		$(DESTDIR)/etc/ssl/openssl.cnf
 
 	# Install pkg-config files for libssl-dev
 	install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig

debian/shlibs.local

@@ -0,0 +1,3 @@
+# For the case where wolfssl is not installed on the system, 
+# we must specify that libwolfssl.so.44 comes from the libwolfssl package.
+libwolfssl 44 libwolfssl (>= 5.8.2)

scripts/verify-install.sh

@@ -152,9 +152,9 @@ verify_openssl_version() {
     if [ $replace_default -eq 0 ]; then
         # Verify that wolfProv (case-insensitive) is in the version output
         if echo "$version_output" | grep -qi "wolfProv"; then
-            log_success "wolfProv is in the version output"
+            handle_error "wolfProv is in the version output"
         else
-            handle_error "wolfProv is not in the version output"
+            log_success "wolfProv is not in the version output"
         fi
     else
         # Verify that wolfProvider (case-insensitive) is in the version output