Experimentally rolling back scripts and debian dirs

padelsbach · padelsbach · commit 1b2ab01b62c4 · 2025-11-10T10:34:08.000-08:00
diff --git a/debian/install-openssl.sh b/debian/install-openssl.sh
@@ -23,7 +23,6 @@
 set -e
 
 REPO_ROOT=${GITHUB_WORKSPACE:-$(git rev-parse --show-toplevel)}
-source ${REPO_ROOT}/scripts/utils-general.sh
 
 openssl_clone() {
     local debian_version=${1:-bookworm}
@@ -48,9 +47,59 @@ openssl_clone() {
     cd $openssl_dir
 }
 
-openssl_build() {
+openssl_patch_version() {
+    local replace_default=${1:-0}
+    printf "\tPatching OpenSSL version"
+    # Patch the OpenSSL version with our BUILD_METADATA
+    if [ "$replace_default" = "1" ]; then
+        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-replace-default/g' VERSION.dat
+    else
+        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/g' VERSION.dat
+    fi
+    # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY
+    sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=$(date '+%d %b %Y')/g" VERSION.dat
+}
+
+openssl_is_patched() {
+    # Return 0 if patched, 1 if not
+    local file="crypto/provider_predefined.c"
+
+    # File must exist to be patched
+    [[ -f "$file" ]] || return 1
+
+    # Any time we see libwolfprov, we're patched
+    if grep -q 'libwolfprov' -- "$file"; then
+        return 0
+    fi
+
+    # Not patched
+    return 1
+}
+
+openssl_patch() {
+    local replace_default=${1:-0}
+
+    if openssl_is_patched; then
+        printf "\tOpenSSL already patched\n"
+    elif [ "$replace_default" = "1" ]; then
+        printf "\tApplying OpenSSL default provider patch ... "
+
+        # Apply the patch
+        patch -p1 < ${REPO_ROOT}/patches/openssl3-replace-default.patch
+        if [ $? != 0 ]; then
+            printf "ERROR.\n"
+            printf "\n\nPatch application failed.\n"
+            exit 1
+        fi
+    fi
+    # Patch the OpenSSL version with our metadata
+    openssl_patch_version $replace_default
+
     DEBFULLNAME="${DEBFULLNAME:-WolfSSL Developer}" DEBEMAIL="${DEBEMAIL:-support@wolfssl.com}" dch -l +wolfprov "Adjust VERSION.dat for custom build"
     DEBIAN_FRONTEND=noninteractive EDITOR=true dpkg-source --commit . adjust-version-dat
+}
+
+openssl_build() {
     DEB_BUILD_OPTIONS="parallel=$(nproc) nocheck" dpkg-buildpackage -us -uc
 }
 
@@ -122,7 +171,7 @@ main() {
         exit 0
     fi
 
-    if [ -n "$output_dir" ]; then
+    if [ -n "output_dir" ]; then
         output_dir=$(realpath $output_dir)
     fi
 
diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh
@@ -3,7 +3,6 @@
 # the wolfProvider library
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-REPO_ROOT=${GITHUB_WORKSPACE:-$(git rev-parse --show-toplevel)}
 
 if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once
     kill_servers() {
@@ -28,7 +27,6 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once
     export UTILS_GENERAL_LOADED=yes
 fi
 
-# Check if the current git repository matches the target commit/tag/branch
 # Usage: check_git_match <target_ref> [<repo_dir>]
 check_git_match() {
     local target_ref="$1"
@@ -66,69 +64,3 @@ check_git_match() {
         exit 1
     fi
 }
-
-# Apply patch for OpenSSL version info
-openssl_patch_metadata() {
-    local replace_default=${1:-0}
-    local openssl_source_dir=${2:-.}
-    printf "\tPatching OpenSSL version metadata ... "
-    # Patch the OpenSSL version with our BUILD_METADATA
-    if [ "$replace_default" = "1" ]; then
-        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-replace-default/g' $openssl_source_dir/VERSION.dat
-    else
-        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/g' $openssl_source_dir/VERSION.dat
-    fi
-    # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY
-    sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=\"$(date '+%d %b %Y')\"/g" $openssl_source_dir/VERSION.dat
-
-    printf "Done.\n"
-}
-
-# Check if replace-default patch is applied
-# Return 0 if patched, 1 if not
-openssl_is_patched() {
-    local openssl_source_dir=${1:-.}
-    local file="$openssl_source_dir/crypto/provider_predefined.c"
-    local ret=1
-
-    # File must exist to be patched
-    if [[ ! -f "$file" ]]; then
-        printf "\tOpenSSL source file not found: %s\n" "$file"
-    elif grep -q 'libwolfprov' -- "$file"; then
-        # Any time we see libwolfprov, we're patched
-        ret=0
-    else
-        : # Not patched
-    fi
-
-    return $ret
-}
-
-# Apply replace-default and version patches
-openssl_patch() {
-    local replace_default=${1:-0}
-    local openssl_source_dir=${2:-.}
-    local patch_file="${REPO_ROOT}/patches/openssl3-replace-default.patch"
-
-    if openssl_is_patched $openssl_source_dir; then
-        printf "\tOpenSSL already patched\n"
-    elif [ "$replace_default" = "1" ]; then
-        if [ ! -f "${patch_file}" ]; then
-            printf "ERROR: OpenSSL replace-default patch file not found: ${patch_file}\n"
-            printf "  Looked in directory: $(dirname ${patch_file})\n"
-            exit 1
-        fi
-
-        printf "\tApplying OpenSSL default provider patch ... "
-
-        # Apply the patch
-        patch -d $openssl_source_dir -p1 < ${patch_file}
-        if [ $? != 0 ]; then
-            printf "ERROR.\n"
-            printf "\n\nPatch application failed.\n"
-            exit 1
-        fi
-    fi
-    # Patch the OpenSSL version with our metadata
-    openssl_patch_metadata $replace_default $openssl_source_dir
-}
diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh
@@ -97,24 +97,97 @@ clone_openssl() {
     fi
 }
 
+is_openssl_patched() {
+    # Return 0 if patched, 1 if not
+    local dir="${OPENSSL_SOURCE_DIR:?OPENSSL_SOURCE_DIR not set}"
+    local file="${dir%/}/crypto/provider_predefined.c"
+
+    # File must exist to be patched
+    [[ -f "$file" ]] || return 1
+
+    # Any time we see libwolfprov, we're patched
+    if grep -q 'libwolfprov' -- "$file"; then
+        return 0
+    fi
+
+    # Not patched
+    return 1
+}
+
+patch_openssl_version() {
+    # Patch the OpenSSL version (wolfProvider/openssl-source/VERSION.dat)
+    # with our BUILD_METADATA, depending on the FIPS flag. Either "wolfProvider" or "wolfProvider-fips".
+    if [ ${WOLFSSL_ISFIPS:-0} -eq 1 ]; then
+        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat
+    else
+        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-nonfips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat
+    fi
+
+    # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY
+    sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=$(date '+%d %b %Y')/g" ${OPENSSL_SOURCE_DIR}/VERSION.dat
+}
+
+patch_openssl() {
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
+
+        if [ -d "${OPENSSL_INSTALL_DIR}" ]; then
+            # If openssl is already installed, patching makes no sense as
+            # it will not be rebuilt. It may already be built as patched,
+            # just return and let check_openssl_replace_default_mismatch
+            # check for the mismatch.
+            return 0
+        fi
+
+        printf "\tApplying OpenSSL default provider patch ... "
+        pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
+
+        # Check if patch is already applied
+        if is_openssl_patched; then
+            printf "Already applied.\n"
+            popd &> /dev/null
+            return 0
+        fi
+
+        # Apply the patch
+        patch -p1 < ${SCRIPT_DIR}/../patches/openssl3-replace-default.patch >>$LOG_FILE 2>&1
+        if [ $? != 0 ]; then
+            printf "ERROR.\n"
+            printf "\n\nPatch application failed. Last 40 lines of log:\n"
+            tail -n 40 $LOG_FILE
+            do_cleanup
+            exit 1
+        fi
+        patch_openssl_version
+        printf "Done.\n"
+
+        popd &> /dev/null
+    else
+        printf "\tPatching OpenSSL version only ... "
+        pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
+        patch_openssl_version
+        printf "Done.\n"
+        popd &> /dev/null
+    fi
+}
+
 check_openssl_replace_default_mismatch() {
-    local is_patched=0
+    local openssl_is_patched=0
 
     # Check if the source was patched for --replace-default
-    if openssl_is_patched $OPENSSL_SOURCE_DIR; then
-        is_patched=1
+    if is_openssl_patched; then
+        openssl_is_patched=1
         printf "INFO: OpenSSL source modified - wolfProvider integrated as default provider (non-stock build).\n"
     fi
 
     # Check for mismatch
-    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ "$is_patched" = "0" ]; then
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ "$openssl_is_patched" = "0" ]; then
         printf "ERROR: --replace-default build mode mismatch!\n"
         printf "Existing OpenSSL was built WITHOUT --replace-default patch\n"
         printf "Current request: --replace-default build\n\n"
         printf "Fix: ./scripts/build-wolfprovider.sh --distclean\n"
         printf "Then rebuild with desired configuration.\n"
         exit 1
-    elif [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ] && [ "$is_patched" = "1" ]; then
+    elif [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ] && [ "$openssl_is_patched" = "1" ]; then
         printf "ERROR: Standard build mode mismatch!\n"
         printf "Existing OpenSSL was built WITH --replace-default patch\n"
         printf "Current request: standard build\n\n"
@@ -127,7 +200,7 @@ check_openssl_replace_default_mismatch() {
 install_openssl() {
     printf "\nInstalling OpenSSL ${OPENSSL_TAG} ...\n"
     clone_openssl
-    openssl_patch "$WOLFPROV_REPLACE_DEFAULT" "${OPENSSL_SOURCE_DIR}"
+    patch_openssl
     check_openssl_replace_default_mismatch
 
     pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh
@@ -311,18 +311,18 @@ verify_wolfprovider() {
 #     version: 1.0.2
 #     status: active
 
-# When using base openssl, expect:
-# $ openssl version
+# When replace-default is 0, expect:
+# $ openssl version        
 # OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025
 
-# When using wolfProvider's openssl with replace-default 0, expect:
-# openssl version
-# OpenSSL 3.0.17+wolfProvider 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider 03 Nov 2025)
-
 # When replace-default is 1 and fips is 0, expect:
-# $ openssl version
+# $ openssl version        
 # OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)
 
+# When fips is 1, expect:
+# $ openssl version        
+# OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025 (Library: OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025)
+
 # When fips is 1, expect:
 # $ dpkg -l | grep libwolfssl
 # ii  libwolfssl                              5.8.2+commercial.fips.linuxv5.2.4   amd64        wolfSSL encryption library
@@ -342,8 +342,8 @@ self_test() {
 
     # Mock strings for openssl version
     local ver_base="OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025)"
-    local ver_wp="OpenSSL 3.0.17+wolfProvider 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider 03 Nov 2025)"
-    local ver_replace_default="OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)"
+    local ver_replace_default_nonfips="OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)"
+    local ver_replace_default_fips="OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025 (Library: OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025)"
 
     # Mock strings for provider listings
     read -r -d '' providers_libwolfprov_nonfips <<'EOF'
@@ -447,26 +447,27 @@ EOF
 
     # Positive cases per comment expectations
     run_case "pos: replace_default=0,fips=0" 0 0 0 0 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips
-    run_case "pos: replace_default=1,fips=0" 0 0 1 0 ver_replace_default providers_default_wolf_nonfips dpkg_installed_nonfips
+    run_case "pos: replace_default=1,fips=0" 0 0 1 0 ver_replace_default_nonfips providers_default_wolf_nonfips dpkg_installed_nonfips
+    run_case "pos: replace_default=1,fips=1" 0 1 1 0 ver_replace_default_fips providers_default_wolf_fips dpkg_installed_fips
     run_case "pos: replace_default=0,fips=1" 0 1 0 0 ver_base providers_libwolfprov_fips dpkg_installed_fips
     # run positive test cases with providers_default_openssl_only
     run_case "pos: no_wp true with OpenSSL default, default provider" 0 0 0 1 ver_base providers_default_openssl_only dpkg_installed_nonfips
-    run_case "pos: no_wp true but wolfProvider active" 1 0 0 1 ver_wp providers_libwolfprov_nonfips  dpkg_installed_nonfips
+    run_case "pos: no_wp true but wolfProvider active" 1 0 0 1 ver_base providers_libwolfprov_nonfips  dpkg_installed_nonfips
 
     # Negative cases
-    run_case "neg: rd=0 but OpenSSL replace-default" 1 0 0 0 ver_replace_default providers_libwolfprov_nonfips dpkg_installed_nonfips
-    run_case "neg: rd=0 but OpenSSL wp metadata" 1 0 0 0 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips
+    run_case "neg: rd=0 but OpenSSL replace-default" 1 0 0 0 ver_replace_default_nonfips providers_libwolfprov_nonfips dpkg_installed_nonfips
     run_case "neg: rd=0 but provider default" 1 0 0 0 ver_base providers_both_default_and_libwolfprov dpkg_installed_nonfips
     run_case "neg: rd=0 but no providers listed" 1 0 0 0 ver_base providers_none dpkg_installed_nonfips
     run_case "neg: rd=0 missing provider" 1 0 0 0 ver_base providers_default_openssl_only dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=0 but provider FIPS" 1 0 1 0 ver_replace_default providers_default_wolf_fips dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=0 but no providers listed" 1 0 1 0 ver_replace_default providers_none dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=1 but OpenSSL non-FIPS" 1 1 1 0 ver_replace_default providers_default_wolf_fips dpkg_installed_fips
+    run_case "neg: rd=1,fips=0 but OpenSSL FIPS" 1 0 1 0 ver_replace_default_fips providers_default_wolf_nonfips dpkg_installed_nonfips
+    run_case "neg: rd=1,fips=0 but provider FIPS" 1 0 1 0 ver_replace_default_nonfips providers_default_wolf_fips dpkg_installed_nonfips
+    run_case "neg: rd=1,fips=0 but no providers listed" 1 0 1 0 ver_replace_default_nonfips providers_none dpkg_installed_nonfips
+    run_case "neg: rd=1,fips=1 but OpenSSL non-FIPS" 1 1 1 0 ver_replace_default_nonfips providers_default_wolf_fips dpkg_installed_fips
     run_case "neg: fips=1 but wolfSSL non-FIPS" 1 1 0 0 ver_base providers_libwolfprov_fips dpkg_installed_nonfips
 
     # no_wp positive and negative cases
     run_case "neg: no_wp true with OpenSSL default, default provider" 1 0 0 1 ver_base providers_none dpkg_installed_nonfips
-    run_case "neg: no_wp true but wolfProvider active" 1 0 0 1 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips
+    run_case "neg: no_wp true but wolfProvider active" 1 0 0 1 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips
 
     log_info "self_test results: ${pass_count} passed, ${fail_count} failed"
     if [ "$fail_count" -gt 0 ]; then
