Code review feedback

Author: padelsbach

.github/workflows/cjose.yml

@@ -24,6 +24,7 @@ jobs:
         wolfssl_ref: [ 'v5.8.2-stable' ]
         openssl_ref: [ 'openssl-3.5.2' ]
         replace_default: [ true ]
+        fips: [ false ]
 
   test_cjose:
     runs-on: ubuntu-22.04
@@ -43,6 +44,7 @@ jobs:
         openssl_ref: [ 'openssl-3.5.2' ]
         force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ]
         replace_default: [ true ]
+        fips: [ false ]
     env:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
@@ -108,7 +110,7 @@ jobs:
         working-directory: cjose
         run: |
           # Verify wolfProvider is properly installed
-          $GITHUB_WORKSPACE/scripts/verify-debian.sh
+          $GITHUB_WORKSPACE/scripts/verify-install.sh ${{ matrix.replace_default && '-replace-default' || '' }} ${{ matrix.fips && '--fips' || '' }}
           export ${{ matrix.force_fail }}
 
           make test 2>&1 | tee cjose-test.log

scripts/utils-openssl.sh

@@ -167,7 +167,7 @@ check_openssl_replace_default_mismatch() {
 patch_openssl_version() {
     # Patch the OpenSSL version (wolfProvider/openssl-source/VERSION.dat) 
     # with our BUILD_METADATA, depending on the FIPS flag. Either "wolfProvider" or "wolfProvider-fips".
-    if [ "$WOLFSSL_ISFIPS" = "1" ]; then
+    if [ ${WOLFSSL_ISFIPS:-0} -eq 1 ]; then
         sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat
     else
         sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-nonfips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat

scripts/utils-wolfssl.sh

@@ -35,6 +35,7 @@ WOLFSSL_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include
 WOLFSSL_DEBUG_ASN_TEMPLATE=${DWOLFSSL_DEBUG_ASN_TEMPLATE:-0}
 WOLFPROV_DISABLE_ERR_TRACE=${WOLFPROV_DISABLE_ERR_TRACE:-0}
 WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}
+WOLFPROV_BUILD_DEBIAN=${WOLFPROV_BUILD_DEBIAN:-0}
 USE_CUR_TAG=${USE_CUR_TAG:-0}
 
 clean_wolfssl() {
@@ -106,7 +107,7 @@ install_wolfssl() {
                 printf "ERROR: System wolfSSL is FIPS, but WOLFSSL_ISFIPS is not set to 1\n"
                 do_cleanup
                 exit 1
-            elif [ $? -eq 0 ] && [ "$WOLFSSL_ISFIPS" != "0" ]; then
+            elif [ $? -ne 0 ] && [ "$WOLFSSL_ISFIPS" != "0" ]; then
                 printf "ERROR: System wolfSSL is non-FIPS, but WOLFSSL_ISFIPS is set to 1\n"
                 do_cleanup
                 exit 1

scripts/verify-debian.sh

@@ -0,0 +1,211 @@
+#!/bin/bash
+#
+# Copyright (C) 2006-2024 wolfSSL Inc.
+#
+# This file is part of wolfProvider.
+#
+# wolfProvider is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfProvider is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+#
+# This script verifies that wolfProvider is correctly installed and configured.
+
+# Default values
+REPLACE_DEFAULT=0
+FIPS=0
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --replace-default)
+            REPLACE_DEFAULT=1
+            shift
+            ;;
+        --fips)
+            FIPS=1
+            shift
+            ;;
+        --help|-h)
+            echo "Usage: $0 [--replace-default] [--fips]"
+            echo "  --replace-default       Set replace default to 1 (default: 0)"
+            echo "  --fips                  Set FIPS to 1 (default: 0)"
+            echo "  --help, -h              Show this help message"
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            echo "Use --help for usage information"
+            exit 1
+            ;;
+    esac
+done
+
+handle_error() {
+    local message="$1"
+    local exit_code="${2:-1}"
+
+    echo "ERROR: $message" >&2
+    exit $exit_code
+}
+
+log_success() {
+    echo "SUCCESS: $1"
+}
+log_info() {
+    echo "INFO: $1"
+}
+
+verify_provider_loaded() {
+    local replace_default="$1"
+    local fips="$2"
+
+    # When replace-default is 0, expect something like this:
+    # $ openssl list -providers
+    # Providers:
+    #   libwolfprov
+    #     name: wolfSSL Provider
+    #     version: 1.0.2
+    #     status: active
+
+    # When replace-default is 1, expect something like this:
+    # $ openssl list -providers
+    # Providers: 
+    #   default 
+    #     name: wolfSSL Provider 
+    #     version: 1.0.2 
+    #     status: active
+
+    log_info "Verifying wolfProvider is active..."
+
+    local provider_output
+    provider_output=$(openssl list -providers 2>&1)
+
+    echo "Provider list:"
+    echo "$provider_output"
+
+    # Check for the presence of "wolfSSL Provider" and "status: active"
+    if echo "$provider_output" | grep -qi "wolfSSL Provider" && echo "$provider_output" | grep -qi "status: active"; then
+        log_success "wolfProvider is loaded"
+    else
+        handle_error "wolfProvider not found in provider list"
+    fi
+
+    if [ $replace_default -eq 0 ]; then
+        if echo "$provider_output" | grep -qi "libwolfprov"; then
+            log_success "wolfProvider is non-default"
+        else
+            handle_error "wolfProvider is default"
+        fi
+    else
+        if echo "$provider_output" | grep -qi "default"; then
+            log_success "wolfProvider is default"
+        else
+            handle_error "wolfProvider is non-default"
+        fi
+    fi
+
+    # Expect "wolfSSL Provider" for non-FIPS, "wolfSSL Provider FIPS" for FIPS
+    if [ $fips -eq 0 ]; then
+        if echo "$provider_output" | grep -q "wolfSSL Provider FIPS"; then
+            handle_error "wolfSSL Provider is FIPS"
+        else
+            log_success "wolfSSL Provider is non-FIPS"
+        fi
+    else
+        if echo "$provider_output" | grep -q "wolfSSL Provider FIPS"; then
+            log_success "wolfSSL Provider is FIPS"
+        else
+            handle_error "wolfSSL Provider is non-FIPS"
+        fi
+    fi
+}
+
+verify_openssl_version() {
+    local replace_default="$1"
+    local fips="$2"
+
+    # When replace-default is 0, expect something like this:
+    # $openssl version
+    # OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025
+
+    # When replace-default is 1 and fips is 0, expect something like this:
+    # $ openssl version
+    # OpenSSL 3.5.2+wolfProvider-nonfips 03 Oct 2025 (Library: OpenSSL 3.5.2+wolfProvider-nonfips 03 Oct 2025)
+
+    log_info "Verifying OpenSSL version..."
+
+    local version_output
+    version_output=$(openssl version -a 2>&1)
+
+    echo "OpenSSL version information:"
+    echo "$version_output"
+
+    if [ $replace_default -eq 0 ]; then
+        # Verify that wolfProv (case-insensitive) is in the version output
+        if echo "$version_output" | grep -qi "wolfProv"; then
+            log_success "wolfProv is in the version output"
+        else
+            handle_error "wolfProv is not in the version output"
+        fi
+    else
+        # Verify that wolfProvider (case-insensitive) is in the version output
+        # for both the OpenSSL version and the Library version
+        # Check for both "# OpenSSL 3.x.y+wolfProvider" and "Library: OpenSSL 3.x.y+wolfProvider" separately
+        if echo "$version_output" | grep -qiE "OpenSSL 3\.[0-9]+\.[0-9]+\+wolfProvider"; then
+            log_success "OpenSSL version is correct"
+        else
+            handle_error "OpenSSL version is incorrect for replace default"
+        fi
+
+        if echo "$version_output" | grep -qiE "Library: OpenSSL 3\.[0-9]+\.[0-9]+\+wolfProvider"; then
+            log_success "libssl3 version is correct"
+        else
+            handle_error "libssl3 version is incorrect for replace default"
+        fi
+
+        if [ $fips -eq 0 ]; then
+            # For non-FIPS, expect "wolfProvider-nonfips" in the version output
+            # For FIPS, expect "wolfProvider-fips" in the version output
+            if echo "$version_output" | grep -qi "wolfProvider-nonfips"; then
+                log_success "wolfProvider-nonfips is in the version output"
+            else
+                handle_error "wolfProvider-nonfips is not in the version output"
+            fi
+        else
+            if echo "$version_output" | grep -qi "wolfProvider-fips"; then
+                log_success "wolfProvider-fips is in the version output"
+            else
+                handle_error "wolfProvider-fips is not in the version output"
+            fi
+        fi
+    fi
+}
+
+# Main verification function
+verify_wolfprovider() {
+    local replace_default="$1"
+    local fips="$2"
+
+    # echo "Replace default value: $replace_default"
+    # echo "FIPS value: $fips"
+
+    echo "--------------------------------"
+    verify_provider_loaded $replace_default $fips
+    echo "--------------------------------"
+    verify_openssl_version $replace_default $fips
+    echo "--------------------------------"
+    echo "wolfProvider installed correctly"
+
+    return 0
+}
+
+verify_wolfprovider "$REPLACE_DEFAULT" "$FIPS"

scripts/verify-install.sh

@@ -310,14 +310,20 @@ static int wolfprov_get_params(void* provCtx, OSSL_PARAM params[])
     int ok = 1;
     OSSL_PARAM* p;
 
+#ifdef HAVE_FIPS
+    static const char* provider_name = "wolfSSL Provider FIPS";
+#else
+    static const char* provider_name = "wolfSSL Provider";
+#endif
+
     WOLFPROV_ENTER(WP_LOG_PROVIDER, "wolfprov_get_params");
 
     (void)provCtx;
 
     /* Look for provider name as a parameter to return. */
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
     /* Set the string if name requested. */
-    if ((p != NULL) && (!OSSL_PARAM_set_utf8_ptr(p, "wolfSSL Provider"))) {
+    if ((p != NULL) && (!OSSL_PARAM_set_utf8_ptr(p, provider_name))) {
         ok = 0;
     }
     if (ok) {