diff --git a/debian/install-openssl.sh b/debian/install-openssl.sh index b1b463cb..d117add9 100755 --- a/debian/install-openssl.sh +++ b/debian/install-openssl.sh @@ -23,6 +23,7 @@ set -e REPO_ROOT=${GITHUB_WORKSPACE:-$(git rev-parse --show-toplevel)} +source ${REPO_ROOT}/scripts/utils-general.sh openssl_clone() { local debian_version=${1:-bookworm} 
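Review bot: The added `source ${REPO_ROOT}/scripts/utils-general.sh` expands REPO_ROOT unquoted, and its fallback `$(git rev-parse --show-toplevel)` can return a path containing spaces; write it as `source "${REPO_ROOT}/scripts/utils-general.sh"`. The functions this brings in locate the patch through `${SCRIPT_DIR}/../patches/openssl3-replace-default.patch`, whereas the code removed from this script used `${REPO_ROOT}/patches/...`; whether SCRIPT_DIR is defined in install-openssl.sh is outside the hunk, so confirm it is set before this line, otherwise openssl_patch's existence check looks at `/../patches/...` and exits. The two SCRIPT_DIR users visible on this page (`${SCRIPT_DIR}/../patches/` in scripts/utils-general.sh and `$SCRIPT_DIR/debian/install-openssl.sh` in scripts/utils-openssl.sh) also appear to assume different base directories, which is worth checking while this dependency is being introduced.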
@@ -47,59 +48,9 @@ openssl_clone() { cd $openssl_dir } -openssl_patch_version() { - local replace_default=${1:-0} - printf "\tPatching OpenSSL version" - # Patch the OpenSSL version with our BUILD_METADATA - if [ "$replace_default" = "1" ]; then - sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-replace-default/g' VERSION.dat - else - sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/g' VERSION.dat - fi - # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY - sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=$(date '+%d %b %Y')/g" VERSION.dat -} - -openssl_is_patched() { - # Return 0 if patched, 1 if not - local file="crypto/provider_predefined.c" - - # File must exist to be patched - [[ -f "$file" ]] || return 1 - - # Any time we see libwolfprov, we're patched - if grep -q 'libwolfprov' -- "$file"; then - return 0 - fi - - # Not patched - return 1 -} - -openssl_patch() { - local replace_default=${1:-0} - - if openssl_is_patched; then - printf "\tOpenSSL already patched\n" - elif [ "$replace_default" = "1" ]; then - printf "\tApplying OpenSSL default provider patch ... " - - # Apply the patch - patch -p1 < ${REPO_ROOT}/patches/openssl3-replace-default.patch - if [ $? != 0 ]; then - printf "ERROR.\n" - printf "\n\nPatch application failed.\n" - exit 1 - fi - fi - # Patch the OpenSSL version with our metadata - openssl_patch_version $replace_default - +openssl_build() { DEBFULLNAME="${DEBFULLNAME:-WolfSSL Developer}" DEBEMAIL="${DEBEMAIL:-support@wolfssl.com}" dch -l +wolfprov "Adjust VERSION.dat for custom build" DEBIAN_FRONTEND=noninteractive EDITOR=true dpkg-source --commit . adjust-version-dat -} - -openssl_build() { DEB_BUILD_OPTIONS="parallel=$(nproc) nocheck" dpkg-buildpackage -us -uc } @@ -171,7 +122,7 @@ main() { exit 0 fi - if [ -n "output_dir" ]; then + if [ -n "$output_dir" ]; then output_dir=$(realpath $output_dir) fi diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh index 86c14c17..c79242d5 100644 
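Review bot: openssl_build now silently depends on openssl_patch having already run in the current directory, because the `dch -l +wolfprov "Adjust VERSION.dat for custom build"` and `dpkg-source --commit . adjust-version-dat` steps that used to close the in-file openssl_patch were moved here without a comment, and the call site in main is outside the hunk. Add a header above the function such as `# Record the VERSION.dat edit made by openssl_patch as a dpkg-source patch, then build; must run inside the OpenSSL source tree after openssl_patch`. The shared openssl_patch takes an optional source directory and defaults to `.`, so confirm main either changes into the clone first or passes the directory explicitly.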
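Review bot: The corrected `[ -n "$output_dir" ]` test now reaches `realpath $output_dir`, which still expands unquoted and will split or glob a path containing spaces or `*`; change it to `output_dir=$(realpath -- "$output_dir")`. Under the script's `set -e` a realpath failure on a non-existent directory aborts without a message, so `|| { printf 'ERROR: bad --output-dir %s\n' "$output_dir" >&2; exit 1; }` on the same line would make the failure visible. main's body continues outside the hunk.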
--- a/scripts/utils-general.sh +++ b/scripts/utils-general.sh @@ -27,6 +27,7 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once export UTILS_GENERAL_LOADED=yes fi +# Check if the current git repository matches the target commit/tag/branch # Usage: check_git_match [] check_git_match() { local target_ref="$1" 
@@ -64,3 +65,69 @@ check_git_match() { exit 1 fi } + +# Apply patch for OpenSSL version info +openssl_patch_metadata() { + local replace_default=${1:-0} + local openssl_source_dir=${2:-.} + printf "\tPatching OpenSSL version metadata ... " + # Patch the OpenSSL version with our BUILD_METADATA + if [ "$replace_default" = "1" ]; then + sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-replace-default/g' $openssl_source_dir/VERSION.dat + else + sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/g' $openssl_source_dir/VERSION.dat + fi + # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY + sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=\"$(date '+%d %b %Y')\"/g" $openssl_source_dir/VERSION.dat + + printf "Done.\n" +} + +# Check if replace-default patch is applied +# Return 0 if patched, 1 if not +openssl_is_patched() { + local openssl_source_dir=${1:-.} + local file="$openssl_source_dir/crypto/provider_predefined.c" + local ret=1 + + # File must exist to be patched + if [[ ! -f "$file" ]]; then + printf "\tOpenSSL source file not found: %s\n" "$file" + elif grep -q 'libwolfprov' -- "$file"; then + # Any time we see libwolfprov, we're patched + ret=0 + else + : # Not patched + fi + + return $ret +} + +# Apply replace-default and version patches +openssl_patch() { + local replace_default=${1:-0} + local openssl_source_dir=${2:-.} + local patch_file="${SCRIPT_DIR}/../patches/openssl3-replace-default.patch" + + if openssl_is_patched $openssl_source_dir; then + printf "\tOpenSSL already patched\n" + elif [ "$replace_default" = "1" ]; then + if [ ! -f "${patch_file}" ]; then + printf "ERROR: OpenSSL replace-default patch file not found: ${patch_file}\n" + printf " Looked in directory: $(dirname ${patch_file})\n" + exit 1 + fi + + printf "\tApplying OpenSSL default provider patch ... " + + # Apply the patch + patch -d $openssl_source_dir -p1 < ${patch_file} + if [ $? 
!= 0 ]; then + printf "ERROR.\n" + printf "\n\nPatch application failed.\n" + exit 1 + fi + fi + # Patch the OpenSSL version with our metadata + openssl_patch_metadata $replace_default $openssl_source_dir +} diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh index 53907be2..f98302b4 100755 --- a/scripts/utils-openssl.sh +++ b/scripts/utils-openssl.sh 
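Review bot: In openssl_patch the two error lines embed `${patch_file}` and `$(dirname ${patch_file})` in the printf format string, so a `%` in the path is treated as a conversion; use `printf 'ERROR: OpenSSL replace-default patch file not found: %s\n' "$patch_file"` and `printf ' Looked in directory: %s\n' "$(dirname -- "$patch_file")"`. The line `patch -d $openssl_source_dir -p1 < ${patch_file}` leaves both paths unquoted and then inspects `$?`; `if ! patch -d "$openssl_source_dir" -p1 < "$patch_file"; then` covers both, and the same unquoted `$openssl_source_dir/VERSION.dat` appears three times in openssl_patch_metadata. Because this file is a sourced library, each `exit 1` terminates the caller's shell without the `tail -n 40 $LOG_FILE` and `do_cleanup` steps that the removed patch_openssl in scripts/utils-openssl.sh ran on patch failure, so the build-script caller now leaves its temporary state behind; returning a non-zero status and letting callers decide, or invoking a cleanup hook when one is defined, would preserve that behaviour.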
@@ -100,97 +100,24 @@ clone_openssl() { fi } -is_openssl_patched() { - # Return 0 if patched, 1 if not - local dir="${OPENSSL_SOURCE_DIR:?OPENSSL_SOURCE_DIR not set}" - local file="${dir%/}/crypto/provider_predefined.c" - - # File must exist to be patched - [[ -f "$file" ]] || return 1 - - # Any time we see libwolfprov, we're patched - if grep -q 'libwolfprov' -- "$file"; then - return 0 - fi - - # Not patched - return 1 -} - -patch_openssl_version() { - # Patch the OpenSSL version (wolfProvider/openssl-source/VERSION.dat) - # with our BUILD_METADATA, depending on the FIPS flag. Either "wolfProvider" or "wolfProvider-fips". - if [ ${WOLFSSL_ISFIPS:-0} -eq 1 ]; then - sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat - else - sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-nonfips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat - fi - - # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY - sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=$(date '+%d %b %Y')/g" ${OPENSSL_SOURCE_DIR}/VERSION.dat -} - -patch_openssl() { - if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then - - if [ -d "${OPENSSL_INSTALL_DIR}" ]; then - # If openssl is already installed, patching makes no sense as - # it will not be rebuilt. It may already be built as patched, - # just return and let check_openssl_replace_default_mismatch - # check for the mismatch. - return 0 - fi - - printf "\tApplying OpenSSL default provider patch ... " - pushd ${OPENSSL_SOURCE_DIR} &> /dev/null - - # Check if patch is already applied - if is_openssl_patched; then - printf "Already applied.\n" - popd &> /dev/null - return 0 - fi - - # Apply the patch - patch -p1 < ${SCRIPT_DIR}/../patches/openssl3-replace-default.patch >>$LOG_FILE 2>&1 - if [ $? != 0 ]; then - printf "ERROR.\n" - printf "\n\nPatch application failed. 
Last 40 lines of log:\n" - tail -n 40 $LOG_FILE - do_cleanup - exit 1 - fi - patch_openssl_version - printf "Done.\n" - - popd &> /dev/null - else - printf "\tPatching OpenSSL version only ... " - pushd ${OPENSSL_SOURCE_DIR} &> /dev/null - patch_openssl_version - printf "Done.\n" - popd &> /dev/null - fi -} - check_openssl_replace_default_mismatch() { - local openssl_is_patched=0 + local is_patched=0 # Check if the source was patched for --replace-default - if is_openssl_patched; then - openssl_is_patched=1 + if openssl_is_patched $OPENSSL_SOURCE_DIR; then + is_patched=1 printf "INFO: OpenSSL source modified - wolfProvider integrated as default provider (non-stock build).\n" fi # Check for mismatch - if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ "$openssl_is_patched" = "0" ]; then + if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ "$is_patched" = "0" ]; then printf "ERROR: --replace-default build mode mismatch!\n" printf "Existing OpenSSL was built WITHOUT --replace-default patch\n" printf "Current request: --replace-default build\n\n" printf "Fix: ./scripts/build-wolfprovider.sh --distclean\n" printf "Then rebuild with desired configuration.\n" exit 1 - elif [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ] && [ "$openssl_is_patched" = "1" ]; then + elif [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ] && [ "$is_patched" = "1" ]; then printf "ERROR: Standard build mode mismatch!\n" printf "Existing OpenSSL was built WITH --replace-default patch\n" printf "Current request: standard build\n\n" @@ -203,7 +130,7 @@ check_openssl_replace_default_mismatch() { install_openssl() { printf "\nInstalling OpenSSL ${OPENSSL_TAG} ...\n" clone_openssl - patch_openssl + openssl_patch "$WOLFPROV_REPLACE_DEFAULT" "${OPENSSL_SOURCE_DIR}" check_openssl_replace_default_mismatch pushd ${OPENSSL_SOURCE_DIR} &> /dev/null 
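Review bot: The new `openssl_is_patched $OPENSSL_SOURCE_DIR` in check_openssl_replace_default_mismatch drops the `${OPENSSL_SOURCE_DIR:?OPENSSL_SOURCE_DIR not set}` assertion the removed is_openssl_patched had, and since the expansion is unquoted an empty value passes no argument at all, so openssl_is_patched falls back to `.` and reports on whatever the current directory is. Quote it and restore the assertion: `if openssl_is_patched "${OPENSSL_SOURCE_DIR:?OPENSSL_SOURCE_DIR not set}"; then`. The function's closing lines are outside the hunk.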
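Review bot: install_openssl now calls the shared openssl_patch unconditionally, but the removed patch_openssl (in the hunk above) returned early when `${OPENSSL_INSTALL_DIR}` already existed so that check_openssl_replace_default_mismatch could report an unpatched existing build; with that guard gone, a `--replace-default` request against such an install patches the source first, openssl_is_patched then returns 0, the mismatch check stays silent, and the already-built OpenSSL is reused unpatched. Unless dropping the guard was intentional, keep it at the call site and let the mismatch check run as before. The rest of install_openssl is outside the hunk.
```shell
clone_openssl
if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ -d "${OPENSSL_INSTALL_DIR}" ]; then
  # Existing install: leave the source untouched so the mismatch check below can flag it
  :
else
  openssl_patch "$WOLFPROV_REPLACE_DEFAULT" "${OPENSSL_SOURCE_DIR}"
fi
check_openssl_replace_default_mismatch
# … unchanged: pushd into OPENSSL_SOURCE_DIR and build …
```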
@@ -266,7 +193,7 @@ init_openssl() { if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then OPENSSL_OPTS+=" --replace-default" fi - $SCRIPT_DIR/debian/install-openssl.sh $OPENSSL_OPTS --output-dir ${REPO_DIR}/.. + $SCRIPT_DIR/debian/install-openssl.sh $OPENSSL_OPTS --output-dir .. else install_openssl fi diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh index aee5b664..b06d507b 100755 --- a/scripts/verify-install.sh +++ b/scripts/verify-install.sh @@ -310,18 +310,18 @@ verify_wolfprovider() { # version: 1.0.2 # status: active -# When replace-default is 0, expect: -# $ openssl version +# When using base openssl, expect: +# $ openssl version # OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025 +# When using wolfProvider's openssl with replace-default 0, expect: +# openssl version +# OpenSSL 3.0.17+wolfProvider 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider 03 Nov 2025) + # When replace-default is 1 and fips is 0, expect: -# $ openssl version +# $ openssl version # OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025) -# When fips is 1, expect: -# $ openssl version -# OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025 (Library: OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025) - # When fips is 1, expect: # $ dpkg -l | grep libwolfssl # ii libwolfssl 5.8.2+commercial.fips.linuxv5.2.4 amd64 wolfSSL encryption library 
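Review bot: `--output-dir ..` is now relative to whatever directory init_openssl happens to run from, and install-openssl.sh resolves it with `realpath` against its own cwd (see the @@ -171 hunk in debian/install-openssl.sh), so the packages land one level above the caller's cwd rather than above the repository as `${REPO_DIR}/..` did. If REPO_DIR was dropped because it is not defined here, derive the location from a variable that is — the same line already uses SCRIPT_DIR, so `--output-dir "${SCRIPT_DIR}/.."` would work if SCRIPT_DIR is the repository root, which the `$SCRIPT_DIR/debian/install-openssl.sh` invocation suggests but the hunk cannot confirm. Either way a short comment stating what directory the output is meant to be relative to would help the next reader.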
@@ -341,8 +341,8 @@ self_test() { # Mock strings for openssl version local ver_base="OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025)" - local ver_replace_default_nonfips="OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)" - local ver_replace_default_fips="OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025 (Library: OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025)" + local ver_wp="OpenSSL 3.0.17+wolfProvider 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider 03 Nov 2025)" + local ver_replace_default="OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)" # Mock strings for provider listings read -r -d '' providers_libwolfprov_nonfips <<'EOF' 
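Review bot: The mock `ver_replace_default` keeps the `+wolfProvider-nonfips` metadata, but the new openssl_patch_metadata in scripts/utils-general.sh — now the only version-patching path on this page, since patch_openssl_version in scripts/utils-openssl.sh is removed — writes `BUILD_METADATA=wolfProvider-replace-default` for replace-default builds and `wolfProvider` otherwise, so a fresh replace-default build would report `OpenSSL 3.0.17+wolfProvider-replace-default …` and only `ver_wp` matches current output. Unless verify_wolfprovider (outside the hunk) matches only on a `+wolfProvider` prefix, the self-test now passes against a string the build no longer produces; update the mock to `local ver_replace_default="OpenSSL 3.0.17+wolfProvider-replace-default 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider-replace-default 03 Nov 2025)"` and the matching expectation comment in the @@ -310 hunk, or otherwise keep the mock in step with whatever string the verifier actually requires.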
@@ -446,27 +446,26 @@ EOF # Positive cases per comment expectations run_case "pos: replace_default=0,fips=0" 0 0 0 0 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips - run_case "pos: replace_default=1,fips=0" 0 0 1 0 ver_replace_default_nonfips providers_default_wolf_nonfips dpkg_installed_nonfips - run_case "pos: replace_default=1,fips=1" 0 1 1 0 ver_replace_default_fips providers_default_wolf_fips dpkg_installed_fips + run_case "pos: replace_default=1,fips=0" 0 0 1 0 ver_replace_default providers_default_wolf_nonfips dpkg_installed_nonfips run_case "pos: replace_default=0,fips=1" 0 1 0 0 ver_base providers_libwolfprov_fips dpkg_installed_fips # run positive test cases with providers_default_openssl_only run_case "pos: no_wp true with OpenSSL default, default provider" 0 0 0 1 ver_base providers_default_openssl_only dpkg_installed_nonfips - run_case "pos: no_wp true but wolfProvider active" 1 0 0 1 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips + run_case "pos: no_wp true but wolfProvider active" 1 0 0 1 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips # Negative cases - run_case "neg: rd=0 but OpenSSL replace-default" 1 0 0 0 ver_replace_default_nonfips providers_libwolfprov_nonfips dpkg_installed_nonfips + run_case "neg: rd=0 but OpenSSL replace-default" 1 0 0 0 ver_replace_default providers_libwolfprov_nonfips dpkg_installed_nonfips + run_case "neg: rd=0 but OpenSSL wp metadata" 1 0 0 0 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips run_case "neg: rd=0 but provider default" 1 0 0 0 ver_base providers_both_default_and_libwolfprov dpkg_installed_nonfips run_case "neg: rd=0 but no providers listed" 1 0 0 0 ver_base providers_none dpkg_installed_nonfips run_case "neg: rd=0 missing provider" 1 0 0 0 ver_base providers_default_openssl_only dpkg_installed_nonfips - run_case "neg: rd=1,fips=0 but OpenSSL FIPS" 1 0 1 0 ver_replace_default_fips providers_default_wolf_nonfips dpkg_installed_nonfips - run_case "neg: 
rd=1,fips=0 but provider FIPS" 1 0 1 0 ver_replace_default_nonfips providers_default_wolf_fips dpkg_installed_nonfips - run_case "neg: rd=1,fips=0 but no providers listed" 1 0 1 0 ver_replace_default_nonfips providers_none dpkg_installed_nonfips - run_case "neg: rd=1,fips=1 but OpenSSL non-FIPS" 1 1 1 0 ver_replace_default_nonfips providers_default_wolf_fips dpkg_installed_fips + run_case "neg: rd=1,fips=0 but provider FIPS" 1 0 1 0 ver_replace_default providers_default_wolf_fips dpkg_installed_nonfips + run_case "neg: rd=1,fips=0 but no providers listed" 1 0 1 0 ver_replace_default providers_none dpkg_installed_nonfips + run_case "neg: rd=1,fips=1 but OpenSSL non-FIPS" 1 1 1 0 ver_replace_default providers_default_wolf_fips dpkg_installed_fips run_case "neg: fips=1 but wolfSSL non-FIPS" 1 1 0 0 ver_base providers_libwolfprov_fips dpkg_installed_nonfips # no_wp positive and negative cases run_case "neg: no_wp true with OpenSSL default, default provider" 1 0 0 1 ver_base providers_none dpkg_installed_nonfips - run_case "neg: no_wp true but wolfProvider active" 1 0 0 1 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips + run_case "neg: no_wp true but wolfProvider active" 1 0 0 1 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips log_info "self_test results: ${pass_count} passed, ${fail_count} failed" if [ "$fail_count" -gt 0 ]; then
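Review bot: With `pos: replace_default=1,fips=1` and `ver_replace_default_fips` removed, no positive case covers a replace-default FIPS build any more, while `neg: rd=1,fips=1 but OpenSSL non-FIPS` still expects that combination to be rejected when given the only remaining replace-default string; if the version string no longer encodes fips, that negative case's name and its expected status should be revisited, otherwise a positive rd=1,fips=1 case should be reinstated. Separately, `pos: no_wp true but wolfProvider active` passes 1 as its first argument — the slot the other cases use as the expected status — and is now byte-identical to the `neg:` line of the same name further down, so one of the two can be dropped or relabelled. self_test continues outside the hunk.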