From 87782b707e8e46b33b323be066b2d220945febe6 Mon Sep 17 00:00:00 2001 
From: Paul Adelsbach Date: Tue, 14 Apr 2026 14:16:32 -0700 Subject: [PATCH] Fix WPFF CI failures --- .github/workflows/bind9.yml | 5 ++ .github/workflows/cjose.yml | 5 ++ .github/workflows/curl.yml | 5 ++ .github/workflows/debian-package.yml | 10 +++ .github/workflows/git-ssh-dr.yml | 5 ++ .github/workflows/grpc.yml | 5 ++ .github/workflows/hostap.yml | 5 ++ .github/workflows/iperf.yml | 5 ++ .github/workflows/krb5.yml | 5 ++ .github/workflows/libcryptsetup.yml | 5 ++ .github/workflows/libeac3.yml | 5 ++ .github/workflows/libfido2.yml | 5 ++ .github/workflows/libhashkit2.yml | 5 ++ .github/workflows/libnice.yml | 5 ++ .github/workflows/liboauth2.yml | 5 ++ .github/workflows/librelp.yml | 5 ++ .github/workflows/libssh2.yml | 5 ++ .github/workflows/libwebsockets.yml | 5 ++ .github/workflows/net-snmp.yml | 5 ++ .github/workflows/nginx.yml | 5 ++ .github/workflows/openldap.yml | 5 ++ .github/workflows/opensc.yml | 5 ++ .github/workflows/openssh.yml | 5 ++ .github/workflows/openvpn.yml | 5 ++ .github/workflows/pam-pkcs11.yml | 5 ++ .github/workflows/ppp.yml | 5 ++ .github/workflows/python3-ntp.yml | 5 ++ .github/workflows/qt5network5.yml | 5 ++ .github/workflows/rsync.yml | 5 ++ .github/workflows/socat.yml | 5 ++ .github/workflows/sscep.yml | 5 ++ .github/workflows/stunnel.yml | 5 ++ .github/workflows/systemd.yml | 5 ++ .github/workflows/tcpdump.yml | 5 ++ .github/workflows/tnftp.yml | 20 ++++- .github/workflows/tpm2-tools.yml | 5 ++ .github/workflows/x11vnc.yml | 5 ++ .github/workflows/xmlsec.yml | 5 ++ debian/install-openssl.sh | 53 ++++++++---- docs/FIPS_INTEGRATION_GUIDE.md | 5 +- patches/openssl3-replace-default.patch | 86 ------------------- patches/provider_predefined.c.replace-default | 73 ++++++++++++++++ scripts/utils-openssl.sh | 17 ++-- scripts/verify-install.sh | 6 +- 44 files changed, 336 insertions(+), 114 deletions(-) delete mode 100644 patches/openssl3-replace-default.patch create mode 100644 patches/provider_predefined.c.replace-default 
diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml
index 1057707c..264bf1f7 100644
--- a/.github/workflows/bind9.yml
+++ b/.github/workflows/bind9.yml
@@ -74,6 +74,11 @@ jobs:
 apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml
index 778a4225..3d593a89 100644
--- a/.github/workflows/cjose.yml
+++ b/.github/workflows/cjose.yml
@@ -81,6 +81,11 @@ jobs:
 apt install --reinstall -y \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
index 6c5ee31b..5f49d55f 100644
--- a/.github/workflows/curl.yml
+++ b/.github/workflows/curl.yml
@@ -73,6 +73,11 @@ jobs:
 apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
index 2b019185..2be668d5 100644
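Review bot: The held set `apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov` is pasted verbatim into every workflow in this commit (bind9 here, and the same hunk in cjose, curl, debian-package and the rest through xmlsec), so the next change to the package list needs 34 coordinated edits; the install script these steps already call, or a composite action, is the place for a single copy. Nothing records that the hold took effect: following it with `apt-mark showhold` puts the pinned set in the job log, which is what you will want when a later `apt-get install` of a test dependency fails with an unmet-dependency error instead of silently swapping libssl3 (that loud failure is presumably the intent, but apt's message will not mention the hold, so the comment should say so). The `run:` step this sits in starts before the hunk.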
--- a/.github/workflows/debian-package.yml
+++ b/.github/workflows/debian-package.yml
@@ -85,6 +85,11 @@ jobs:
 apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 # In standalone mode, use OPENSSL_CONF to enable wolfProvider.
 if [ "${{ matrix.replace_default }}" = "false" ]; then
 echo "Setting OPENSSL_CONF to /etc/ssl/openssl.cnf.d/wolfprovider.conf"
@@ -108,6 +113,11 @@ jobs:
 
 - name: Uninstall package and verify cleanup
 run: |
+ # libwolfprov was held earlier to prevent transitive libssl3
+ # upgrades from clobbering the wolfprov-patched libssl3. Release
+ # the hold here so apt-get is allowed to remove it.
+ apt-mark unhold libwolfprov || true
+
 # Uninstall the package
 apt-get remove -y libwolfprov
 
diff --git a/.github/workflows/git-ssh-dr.yml b/.github/workflows/git-ssh-dr.yml
index c1cf5861..881f5b33 100644
--- a/.github/workflows/git-ssh-dr.yml
+++ b/.github/workflows/git-ssh-dr.yml
@@ -73,6 +73,11 @@ jobs:
 apt install --reinstall -y \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml
index d4033a8f..1761a66c 100644
--- a/.github/workflows/grpc.yml
+++ b/.github/workflows/grpc.yml
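Review bot: Only libwolfprov is released in the uninstall step; libssl3, libssl-dev, openssl and libwolfssl stay held from the install step, so any later cleanup in this job that has to remove or downgrade them (an autoremove, or restoring the stock libssl3) will presumably still be refused by apt. The rest of the step is outside the hunk, so that may be intended, but the comment should name the holds that are deliberately left in place. `apt-mark unhold libwolfprov || true` also hides a failed unhold until `apt-get remove -y libwolfprov` on the next line fails with a message that never mentions the hold; if best-effort is the intent, note it: `# best-effort: an absent hold is not an error here`.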
@@ -81,6 +81,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/hostap.yml b/.github/workflows/hostap.yml index 28907da2..370709f7 100644 --- a/.github/workflows/hostap.yml +++ b/.github/workflows/hostap.yml @@ -77,6 +77,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Show OpenSSL version run: | echo "OpenSSL version:" diff --git a/.github/workflows/iperf.yml b/.github/workflows/iperf.yml index 73873421..5f9c3c3d 100644 --- a/.github/workflows/iperf.yml +++ b/.github/workflows/iperf.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index a2fb97b8..05f0d7be 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml 
@@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libcryptsetup.yml b/.github/workflows/libcryptsetup.yml index f2d90a06..6727bf5e 100644 --- a/.github/workflows/libcryptsetup.yml +++ b/.github/workflows/libcryptsetup.yml @@ -75,6 +75,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libeac3.yml b/.github/workflows/libeac3.yml index 74e5067f..3c53ff21 100644 --- a/.github/workflows/libeac3.yml +++ b/.github/workflows/libeac3.yml @@ -75,6 +75,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libfido2.yml b/.github/workflows/libfido2.yml index ac5e8fb7..cf375313 100644 --- a/.github/workflows/libfido2.yml +++ b/.github/workflows/libfido2.yml 
@@ -68,6 +68,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libhashkit2.yml b/.github/workflows/libhashkit2.yml index f8ae74e3..db5844c9 100644 --- a/.github/workflows/libhashkit2.yml +++ b/.github/workflows/libhashkit2.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libnice.yml b/.github/workflows/libnice.yml index e1240c1a..e82a4ee0 100644 --- a/.github/workflows/libnice.yml +++ b/.github/workflows/libnice.yml @@ -72,6 +72,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/liboauth2.yml b/.github/workflows/liboauth2.yml index aa625668..6a294be5 100644 --- a/.github/workflows/liboauth2.yml +++ b/.github/workflows/liboauth2.yml 
@@ -72,6 +72,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/librelp.yml b/.github/workflows/librelp.yml index ab182edd..002c4fd8 100644 --- a/.github/workflows/librelp.yml +++ b/.github/workflows/librelp.yml @@ -82,6 +82,11 @@ jobs: apt install --reinstall -y \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index be878832..f5c59177 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -72,6 +72,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/libwebsockets.yml b/.github/workflows/libwebsockets.yml index 4a722274..c471fce2 100644 --- a/.github/workflows/libwebsockets.yml +++ b/.github/workflows/libwebsockets.yml 
@@ -79,6 +79,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Download libwebsockets uses: actions/checkout@v4 with: diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 4e844cec..dcb806b3 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -74,6 +74,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index da2b06c4..1159b765 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index c83206e2..5b85854a 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml 
@@ -74,6 +74,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/opensc.yml b/.github/workflows/opensc.yml index f20e585c..f8b44d12 100644 --- a/.github/workflows/opensc.yml +++ b/.github/workflows/opensc.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 35580657..b4b2e835 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -83,6 +83,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index e8e46781..de421158 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml 
@@ -76,6 +76,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml index e5a974a2..a3666bba 100644 --- a/.github/workflows/pam-pkcs11.yml +++ b/.github/workflows/pam-pkcs11.yml @@ -83,6 +83,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/ppp.yml b/.github/workflows/ppp.yml index 6319a01c..457f81c5 100644 --- a/.github/workflows/ppp.yml +++ b/.github/workflows/ppp.yml @@ -75,6 +75,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/python3-ntp.yml b/.github/workflows/python3-ntp.yml index a21e52e3..21881f32 100644 --- a/.github/workflows/python3-ntp.yml +++ b/.github/workflows/python3-ntp.yml 
@@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/qt5network5.yml b/.github/workflows/qt5network5.yml index 5213a887..f12581d0 100644 --- a/.github/workflows/qt5network5.yml +++ b/.github/workflows/qt5network5.yml @@ -69,6 +69,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/rsync.yml b/.github/workflows/rsync.yml index 56c7411e..57f64e20 100644 --- a/.github/workflows/rsync.yml +++ b/.github/workflows/rsync.yml @@ -69,6 +69,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index e623f932..1abeadfe 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml 
@@ -75,6 +75,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/sscep.yml b/.github/workflows/sscep.yml index ef8cb447..4ea28a9b 100644 --- a/.github/workflows/sscep.yml +++ b/.github/workflows/sscep.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index d5e50089..cae41223 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/systemd.yml b/.github/workflows/systemd.yml index 60bd92b2..4ae223fd 100644 --- a/.github/workflows/systemd.yml +++ b/.github/workflows/systemd.yml 
@@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/tcpdump.yml b/.github/workflows/tcpdump.yml index 04fa9fa8..295a4b09 100644 --- a/.github/workflows/tcpdump.yml +++ b/.github/workflows/tcpdump.yml @@ -70,6 +70,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ diff --git a/.github/workflows/tnftp.yml b/.github/workflows/tnftp.yml index 64146cb3..6beaf3e8 100644 --- a/.github/workflows/tnftp.yml +++ b/.github/workflows/tnftp.yml @@ -73,6 +73,11 @@ jobs: apt install --reinstall -y --allow-downgrades --allow-change-held-packages \ ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb + # Prevent later 'apt-get install' of test dependencies from + # replacing the wolfprov-patched libssl3, which breaks + # replace-default mode. + apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov + - name: Verify wolfProvider is properly installed run: | $GITHUB_WORKSPACE/scripts/verify-install.sh \ 
@@ -87,9 +92,18 @@ jobs:
 
 - name: Download and extract tnftp
 run: |
- wget http://ftp.netbsd.org/pub/NetBSD/misc/tnftp/${{ matrix.tnftp_ref }}.tar.gz
- tar xvf ${{ matrix.tnftp_ref }}.tar.gz
- cd ${{ matrix.tnftp_ref }}
+ # Fetch from the Debian source archive rather than ftp.netbsd.org
+ # or its CDN; both of those rate-limit or time-out requests from
+ # GitHub Actions egress. Debian mirrors the identical upstream
+ # tarball under a slightly different filename, and deb.debian.org
+ # is already the reliable source used by other workflows here.
+ # Translate 'tnftp-' ref to Debian's 'tnftp_.orig'.
+ ref="${{ matrix.tnftp_ref }}"
+ version="${ref#tnftp-}"
+ wget -4 "https://deb.debian.org/debian/pool/main/t/tnftp/tnftp_${version}.orig.tar.gz" \
+ -O "${ref}.tar.gz"
+ tar xvf ${ref}.tar.gz
+ cd ${ref}
 
 - name: Build and test tnftp
 working-directory: ${{ matrix.tnftp_ref }}
diff --git a/.github/workflows/tpm2-tools.yml b/.github/workflows/tpm2-tools.yml
index a041b7e0..76e71b00 100644
--- a/.github/workflows/tpm2-tools.yml
+++ b/.github/workflows/tpm2-tools.yml
@@ -74,6 +74,11 @@ jobs:
 apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/.github/workflows/x11vnc.yml b/.github/workflows/x11vnc.yml
index a1853a29..40c3cb44 100644
--- a/.github/workflows/x11vnc.yml
+++ b/.github/workflows/x11vnc.yml
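Review bot: The tarball fetched by `wget -4` is extracted and built with no integrity check, and this hunk is where its source changes, so it is the right place to pin it: after the download, `echo "<EXPECTED_SHA256>  ${ref}.tar.gz" | sha256sum -c -` with the digest recorded in the workflow (taken from Debian's Sources index for tnftp and checked once by hand), so a mirror or path change surfaces as a failed step rather than a silently different build. `version="${ref#tnftp-}"` leaves `version` equal to the whole ref when the matrix value lacks the `tnftp-` prefix, and the resulting URL only fails at download time; a guard such as `[[ "$ref" == tnftp-* ]] || { echo "unexpected tnftp_ref: $ref" >&2; exit 1; }` makes the assumption explicit (the step's shell is set outside the hunk, so confirm it is bash). Style: the wget line quotes its expansions but `tar xvf ${ref}.tar.gz` and `cd ${ref}` do not; `tar xvf "${ref}.tar.gz"` and `cd "${ref}"` keep the step consistent.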
@@ -73,6 +73,11 @@ jobs:
 apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/.github/workflows/xmlsec.yml b/.github/workflows/xmlsec.yml
index 814b37c1..decb647e 100644
--- a/.github/workflows/xmlsec.yml
+++ b/.github/workflows/xmlsec.yml
@@ -74,6 +74,11 @@ jobs:
 apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
 ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+ # Prevent later 'apt-get install' of test dependencies from
+ # replacing the wolfprov-patched libssl3, which breaks
+ # replace-default mode.
+ apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
 - name: Verify wolfProvider is properly installed
 run: |
 $GITHUB_WORKSPACE/scripts/verify-install.sh \
diff --git a/debian/install-openssl.sh b/debian/install-openssl.sh
index b1b463cb..324be593 100755
--- a/debian/install-openssl.sh
+++ b/debian/install-openssl.sh
@@ -28,19 +28,32 @@ openssl_clone() {
 local debian_version=${1:-bookworm}
 printf "\tDownloading OpenSSL from Debian for $debian_version\n"
 
- # Check if "deb-src" is in the sources.list, which allows us to
- # grab the source from Debian.
- if [ -f /etc/apt/sources.list ] && grep -q "deb-src" /etc/apt/sources.list; then
- printf "\tDebian sources.list already contains deb-src\n"
- else
- printf "\tAdding deb-src to sources.list\n"
- echo "deb-src http://deb.debian.org/debian ${debian_version} main" >> /etc/apt/sources.list
- echo "deb-src http://deb.debian.org/debian-security ${debian_version}-security main" >> /etc/apt/sources.list
- echo "deb-src http://deb.debian.org/debian ${debian_version}-updates main" >> /etc/apt/sources.list
- fi
+ # Ensure deb-src is enabled for each of main, security, and updates.
+ # A single "deb-src" entry for main is not sufficient: without the
+ # security and updates pockets, 'apt-get source' resolves to the
+ # original release version (e.g. 3.0.18) instead of the latest
+ # security-patched source (e.g. 3.5.5), which quietly produces stale
+ # .debs whose runtime libssl gets clobbered by test-time apt upgrades.
+ touch /etc/apt/sources.list
+ add_deb_src() {
+ local line="$1"
+ if ! grep -Fqx "$line" /etc/apt/sources.list; then
+ printf "\tAdding: %s\n" "$line"
+ echo "$line" >> /etc/apt/sources.list
+ fi
+ }
+ add_deb_src "deb-src http://deb.debian.org/debian ${debian_version} main"
+ add_deb_src "deb-src http://deb.debian.org/debian-security ${debian_version}-security main"
+ add_deb_src "deb-src http://deb.debian.org/debian ${debian_version}-updates main"
 
 apt update
- apt-get source -t ${debian_version} openssl
+ # No -t release pin: apt treats bookworm-security / bookworm-updates as
+ # distinct suites, so '-t bookworm' would exclude them even with their
+ # deb-src lines configured and always resolve to the original release
+ # version. Letting apt pick the highest available version across the
+ # configured suites selects the security-patched source (e.g. 3.0.19)
+ # when one exists.
+ apt-get source openssl
 
 openssl_dir=$(ls -td openssl-* | head -n 1)
 printf "OpenSSL source directory: $openssl_dir\n"
@@ -82,15 +95,23 @@ openssl_patch() {
 if openssl_is_patched; then
 printf "\tOpenSSL already patched\n"
 elif [ "$replace_default" = "1" ]; then
- printf "\tApplying OpenSSL default provider patch ... "
-
- # Apply the patch
- patch -p1 < ${REPO_ROOT}/patches/openssl3-replace-default.patch
+ printf "\tInstalling wolfProvider replace-default provider_predefined.c ... "
+
+ # Drop-in replacement of crypto/provider_predefined.c. We used to
+ # apply a unified-diff patch here, but its context lines tracked
+ # trivial upstream whitespace reshuffles (e.g. '#ifdef' vs
+ # '# ifdef' around STATIC_LEGACY), making it break on every other
+ # openssl point release. The replacement file below is output-
+ # identical to what the old patch produced and is independent of
+ # which upstream version we started from.
+ cp ${REPO_ROOT}/patches/provider_predefined.c.replace-default \
+ crypto/provider_predefined.c
 if [ $? != 0 ]; then
 printf "ERROR.\n"
- printf "\n\nPatch application failed.\n"
+ printf "\n\nReplacement copy failed.\n"
 exit 1
 fi
+ printf "Done.\n"
 fi
 # Patch the OpenSSL version with our metadata
 openssl_patch_version $replace_default
diff --git a/docs/FIPS_INTEGRATION_GUIDE.md b/docs/FIPS_INTEGRATION_GUIDE.md
index 3567c3b5..cb2c3586 100644
--- a/docs/FIPS_INTEGRATION_GUIDE.md
+++ b/docs/FIPS_INTEGRATION_GUIDE.md
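Review bot: Dropping `-t ${debian_version}` from `apt-get source openssl` means the version chosen is now the highest across every deb-src line present in /etc/apt/sources.list, not only the three this function appends; on a builder whose sources.list already carries deb-src entries for another suite, the function will quietly build a different OpenSSL than `debian_version` asks for, the same stale-.deb failure class the new comment describes, just in the other direction. Logging the resolved choice before the fetch with `apt-get source --print-uris openssl`, or checking that the resulting `openssl_dir` name carries the expected major.minor, would surface that. The comment examples are also inconsistent within one function: the first block cites 3.5.5 as the security-patched version while the second cites 3.0.19 for the same bookworm case; pick one. openssl_clone continues past the end of the hunk.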
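Review bot: Replacing `crypto/provider_predefined.c` wholesale removes the one signal the old `patch -p1` gave: a context mismatch told you upstream had changed that file. With `cp`, a future OpenSSL release that adds or renames a predefined provider in that file is overwritten and the build still succeeds, so the replacement can drift from upstream without anyone noticing, and since this file is what redirects the `fips` and `default` lookups to libwolfprov (visible in the deleted patch below), that drift is security-relevant. A cheap guard before the copy is to record what is being replaced, `sha256sum crypto/provider_predefined.c`, in the log, or to compare it against the short list of upstream digests this replacement has been validated against and warn on an unknown one. Style: `if ! cp "${REPO_ROOT}/patches/provider_predefined.c.replace-default" crypto/provider_predefined.c; then` checks the status directly and quotes the path instead of the separate `if [ $? != 0 ]`. openssl_patch starts before the hunk.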
@@ -157,8 +157,9 @@ For more control, build each component directly using autotools—the core build
 git clone --depth=1 -b openssl-3.5.0 https://github.com/openssl/openssl.git
 cd openssl
 
-# Apply replace-default patch (recommended for FIPS)
-patch -p1 < /path/to/wolfProvider/patches/openssl3-replace-default.patch
+# Install the replace-default provider_predefined.c (recommended for FIPS)
+cp /path/to/wolfProvider/patches/provider_predefined.c.replace-default \
+ crypto/provider_predefined.c
 
 ./config shared --prefix=/usr/local/openssl no-external-tests no-tests
 make -j$(nproc)
diff --git a/patches/openssl3-replace-default.patch b/patches/openssl3-replace-default.patch
deleted file mode 100644
index 127d51c9..00000000
--- a/patches/openssl3-replace-default.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff --git a/crypto/provider_predefined.c b/crypto/provider_predefined.c
-index 068e0b7..e9ae469 100644
---- a/crypto/provider_predefined.c
-+++ b/crypto/provider_predefined.c
-@@ -5,28 +5,69 @@
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
-- */
-+*/
-
- #include
-+#include
-+#include
-+#include "internal/dso.h"
- #include "provider_local.h"
-
--OSSL_provider_init_fn ossl_default_provider_init;
-+/* For the replace default model we actually do not want OpenSSL built with FIPS.
-+ * It pushes FIPS related logic into OpenSSL itself, when that should really be
-+ * handled by wolfCrypt. */
-+#ifdef FIPS_MODULE
-+#error "For wolfProvider replace default mode, do not build OpenSSL with FIPS"
-+#endif
-+
-+static DSO *d = NULL;
-+
-+/* Common function to dynamically load libwolfprov and call wolfssl_provider_init */
-+static int load_wolfprov_and_init(const OSSL_CORE_HANDLE *handle,
-+ const OSSL_DISPATCH *in, const OSSL_DISPATCH **out,
-+ void **provctx) {
-+ int ret = 0;
-+ OSSL_provider_init_fn *wolfssl_provider_init_fn = NULL;
-+
-+ if (!d) {
-+ d = DSO_new();
-+ if (!d) {
-+ fprintf(stderr, "DSO_new() failed\n");
-+ return 0;
-+ }
-+
-+ if (!DSO_load(d, "wolfprov", NULL, 0)) {
-+ fprintf(stderr, "Could not load libwolfprov.so. 
Is the libwolfprov package installed?\n");
-+ DSO_free(d);
-+ d = NULL;
-+ return 0;
-+ }
-+ }
-+
-+ wolfssl_provider_init_fn = (OSSL_provider_init_fn*)DSO_bind_func(d, "wolfssl_provider_init");
-+ if (!wolfssl_provider_init_fn) {
-+ fprintf(stderr, "Failed to find wolfssl_provider_init symbol\n");
-+ return 0;
-+ }
-+
-+ // Intentionally preserve the DSO 'd' here, since it needs to stay loaded
-+ ret = wolfssl_provider_init_fn(handle, in, out, provctx);
-+
-+ return ret;
-+}
-+
- OSSL_provider_init_fn ossl_base_provider_init;
- OSSL_provider_init_fn ossl_null_provider_init;
--OSSL_provider_init_fn ossl_fips_intern_provider_init;
--#ifdef STATIC_LEGACY
--OSSL_provider_init_fn ossl_legacy_provider_init;
--#endif
-+
-+/* For replace default mode, we will always be the selected provider for attempts
-+ * to load either the "fips" or "default" providers by name.*/
- const OSSL_PROVIDER_INFO ossl_predefined_providers[] = {
--#ifdef FIPS_MODULE
-- { "fips", NULL, ossl_fips_intern_provider_init, NULL, 1 },
--#else
-- { "default", NULL, ossl_default_provider_init, NULL, 1 },
-+ { "fips", NULL, load_wolfprov_and_init, NULL, 0 },
-+ { "default", NULL, load_wolfprov_and_init, NULL, 1 },
- # ifdef STATIC_LEGACY
-- { "legacy", NULL, ossl_legacy_provider_init, NULL, 0 },
-+ { "legacy", NULL, load_wolfprov_and_init, NULL, 0 },
- # endif
- { "base", NULL, ossl_base_provider_init, NULL, 0 },
- { "null", NULL, ossl_null_provider_init, NULL, 0 },
--#endif
- { NULL, NULL, NULL, NULL, 0 }
- };
diff --git a/patches/provider_predefined.c.replace-default b/patches/provider_predefined.c.replace-default
new file mode 100644
index 00000000..910ba166
--- /dev/null
+++ b/patches/provider_predefined.c.replace-default
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+*/
+
+#include
+#include
+#include
+#include "internal/dso.h"
+#include "provider_local.h"
+
+/* For the replace default model we actually do not want OpenSSL built with FIPS.
+ * It pushes FIPS related logic into OpenSSL itself, when that should really be
+ * handled by wolfCrypt. */
+#ifdef FIPS_MODULE
+#error "For wolfProvider replace default mode, do not build OpenSSL with FIPS"
+#endif
+
+static DSO *d = NULL;
+
+/* Common function to dynamically load libwolfprov and call wolfssl_provider_init */
+static int load_wolfprov_and_init(const OSSL_CORE_HANDLE *handle,
+ const OSSL_DISPATCH *in, const OSSL_DISPATCH **out,
+ void **provctx) {
+ int ret = 0;
+ OSSL_provider_init_fn *wolfssl_provider_init_fn = NULL;
+
+ if (!d) {
+ d = DSO_new();
+ if (!d) {
+ fprintf(stderr, "DSO_new() failed\n");
+ return 0;
+ }
+
+ if (!DSO_load(d, "wolfprov", NULL, 0)) {
+ fprintf(stderr, "Could not load libwolfprov.so. 
Is the libwolfprov package installed?\n");
+ DSO_free(d);
+ d = NULL;
+ return 0;
+ }
+ }
+
+ wolfssl_provider_init_fn = (OSSL_provider_init_fn*)DSO_bind_func(d, "wolfssl_provider_init");
+ if (!wolfssl_provider_init_fn) {
+ fprintf(stderr, "Failed to find wolfssl_provider_init symbol\n");
+ return 0;
+ }
+
+ /* Intentionally preserve the DSO 'd' here, since it needs to stay loaded */
+ ret = wolfssl_provider_init_fn(handle, in, out, provctx);
+
+ return ret;
+}
+
+OSSL_provider_init_fn ossl_base_provider_init;
+OSSL_provider_init_fn ossl_null_provider_init;
+
+/* For replace default mode, we will always be the selected provider for attempts
+ * to load either the "fips" or "default" providers by name.*/
+const OSSL_PROVIDER_INFO ossl_predefined_providers[] = {
+ { "fips", NULL, load_wolfprov_and_init, NULL, 0 },
+ { "default", NULL, load_wolfprov_and_init, NULL, 1 },
+# ifdef STATIC_LEGACY
+ { "legacy", NULL, load_wolfprov_and_init, NULL, 0 },
+# endif
+ { "base", NULL, ossl_base_provider_init, NULL, 0 },
+ { "null", NULL, ossl_null_provider_init, NULL, 0 },
+ { NULL, NULL, NULL, NULL, 0 }
+};
diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh
index 84a9c9f4..5285aa7a 100755
--- a/scripts/utils-openssl.sh
+++ b/scripts/utils-openssl.sh
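Review bot: `load_wolfprov_and_init` mutates the file-scope `d` with an unsynchronised check-then-assign (`if (!d) { d = DSO_new(); ... DSO_free(d); d = NULL; }`) and the same function is registered for "fips", "default" and "legacy"; if two of those can be activated concurrently from different threads — I have not confirmed whether the provider store serialises predefined-provider init — two threads can each create a DSO (one leaks) or one can free a `d` the other is about to pass to `DSO_bind_func`. Loading through `CRYPTO_THREAD_run_once` (openssl/crypto.h) makes the load happen exactly once and leaves only the symbol lookup per call, as sketched below. A bind failure also leaves `d` loaded, so later calls skip the reload and only repeat the lookup — acceptable, but worth a one-line comment. Two facts the header comment should state for whoever deploys this: `DSO_load(d, "wolfprov", NULL, 0)` resolves libwolfprov by bare name through the dynamic loader's search order rather than an absolute path, and the `"fips"` table entry makes `OSSL_PROVIDER_load(NULL, "fips")` succeed for any libwolfprov build, so a FIPS claim rests entirely on the installed wolfSSL library, not on this table.
```c
static DSO *d = NULL;
static CRYPTO_ONCE d_once = CRYPTO_ONCE_STATIC_INIT;

/* Runs once per process; on failure d stays NULL and every init attempt fails. */
static void load_wolfprov_once(void)
{
    d = DSO_new();
    if (d == NULL) {
        fprintf(stderr, "DSO_new() failed\n");
        return;
    }
    /* Bare name: resolved by the dynamic loader's search order, not an absolute path. */
    if (!DSO_load(d, "wolfprov", NULL, 0)) {
        fprintf(stderr, "Could not load libwolfprov.so. Is the libwolfprov package installed?\n");
        DSO_free(d);
        d = NULL;
    }
}

static int load_wolfprov_and_init(const OSSL_CORE_HANDLE *handle,
                                  const OSSL_DISPATCH *in, const OSSL_DISPATCH **out,
                                  void **provctx) {
    int ret = 0;
    OSSL_provider_init_fn *wolfssl_provider_init_fn = NULL;

    if (!CRYPTO_THREAD_run_once(&d_once, load_wolfprov_once) || d == NULL)
        return 0;
    /* … unchanged: DSO_bind_func lookup, call of wolfssl_provider_init_fn, return ret … */
}
```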
@@ -193,21 +193,28 @@ patch_openssl() { return 0 fi - printf "\tApplying OpenSSL default provider patch ... " + printf "\tInstalling wolfProvider replace-default provider_predefined.c ... " pushd ${OPENSSL_SOURCE_DIR} &> /dev/null - # Check if patch is already applied + # Check if already in place if is_openssl_patched; then printf "Already applied.\n" popd &> /dev/null return 0 fi - # Apply the patch - patch -p1 < ${SCRIPT_DIR}/../patches/openssl3-replace-default.patch >>$LOG_FILE 2>&1 + # Drop-in replacement of crypto/provider_predefined.c. We used to + # apply a unified-diff patch here, but its context lines tracked + # trivial upstream whitespace reshuffles (e.g. '#ifdef' vs + # '# ifdef' around STATIC_LEGACY), making it break on every other + # openssl point release. The replacement file below is output- + # identical to what the old patch produced and is independent of + # which upstream version we started from. + cp ${SCRIPT_DIR}/../patches/provider_predefined.c.replace-default \ + crypto/provider_predefined.c >>$LOG_FILE 2>&1 if [ $? != 0 ]; then printf "ERROR.\n" - printf "\n\nPatch application failed. Last 40 lines of log:\n" + printf "\n\nReplacement copy failed. Last 40 lines of log:\n" tail -n 40 $LOG_FILE do_cleanup exit 1 diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh index 23d37fb9..5c8ad4ea 100755 --- a/scripts/verify-install.sh +++ b/scripts/verify-install.sh 
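Review bot: With the copy being idempotent, the `is_openssl_patched` early return before the `cp` now only prevents refreshing a stale `crypto/provider_predefined.c`: if patches/provider_predefined.c.replace-default is updated in the repo, a source tree that already carries an older copy is reported as "Already applied." and keeps the old file. Comparing the two files serves as both the idempotence check and the staleness check: `if cmp -s -- "${SCRIPT_DIR}/../patches/provider_predefined.c.replace-default" crypto/provider_predefined.c; then` in place of `if is_openssl_patched; then` (I cannot see `is_openssl_patched`; if it already compares contents, disregard this). The same early return exists in the debian/install-openssl.sh hunk. The `cp` also leaves `${SCRIPT_DIR}` unquoted. patch_openssl's body starts and ends outside the hunk.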
@@ -201,8 +201,10 @@ verify_wolfprovider() { detect_wolfprovider_mode dpkg_output=$(dpkg -l 2> /dev/null | grep wolf) - is_wolfssl_installed=$(echo "$dpkg_output" | grep -Eq '^ii\s+libwolfssl\s' && echo 1 || echo 0) - is_wolfssl_fips=$(echo "$dpkg_output" | grep -E '^ii\s+libwolfssl\s' | grep -qi "fips" && echo 1 || echo 0) + # Match any dpkg status whose second char is 'i' (installed state), so a + # package marked on hold ('hi') is still recognized as installed. + is_wolfssl_installed=$(echo "$dpkg_output" | grep -Eq '^[ih]i\s+libwolfssl\s' && echo 1 || echo 0) + is_wolfssl_fips=$(echo "$dpkg_output" | grep -E '^[ih]i\s+libwolfssl\s' | grep -qi "fips" && echo 1 || echo 0) if [ $VERBOSE -eq 1 ]; then echo "fips: $fips"
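Review bot: The widened `^[ih]i` status match still parses `dpkg -l`, whose output is formatted for a terminal: older dpkg versions truncate the Name column to the terminal width (and `COLUMNS` is typically unset under CI or cron), so a long package name can fail the `\s+libwolfssl\s` match and be reported as not installed. `dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n'` yields the same status letters untruncated, plus whichever field the later `grep -qi "fips"` relies on (version or description — I cannot tell from the hunk), and the existing greps keep working on it. The added comment should spell out what the two letters mean, e.g. `# dpkg status is two letters: desired (i/h/...) then actual (i = installed); accept held packages too.` verify_wolfprovider's body continues outside the hunk.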