wolfSSL · padelsbach · Nov 3, 2025
diff --git a/debian/install-openssl.sh b/debian/install-openssl.sh
@@ -23,6 +23,7 @@
 set -e
 
 REPO_ROOT=${GITHUB_WORKSPACE:-$(git rev-parse --show-toplevel)}
+source ${REPO_ROOT}/scripts/utils-general.sh
 
 openssl_clone() {
     local debian_version=${1:-bookworm}
@@ -47,59 +48,9 @@ openssl_clone() {
     cd $openssl_dir
 }
 
-openssl_patch_version() {
-    local replace_default=${1:-0}
-    printf "\tPatching OpenSSL version"
-    # Patch the OpenSSL version with our BUILD_METADATA
-    if [ "$replace_default" = "1" ]; then
-        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-replace-default/g' VERSION.dat
-    else
-        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/g' VERSION.dat
-    fi
-    # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY
-    sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=$(date '+%d %b %Y')/g" VERSION.dat
-}
-
-openssl_is_patched() {
-    # Return 0 if patched, 1 if not
-    local file="crypto/provider_predefined.c"
-
-    # File must exist to be patched
-    [[ -f "$file" ]] || return 1
-
-    # Any time we see libwolfprov, we're patched
-    if grep -q 'libwolfprov' -- "$file"; then
-        return 0
-    fi
-
-    # Not patched
-    return 1
-}
-
-openssl_patch() {
-    local replace_default=${1:-0}
-
-    if openssl_is_patched; then
-        printf "\tOpenSSL already patched\n"
-    elif [ "$replace_default" = "1" ]; then
-        printf "\tApplying OpenSSL default provider patch ... "
-
-        # Apply the patch
-        patch -p1 < ${REPO_ROOT}/patches/openssl3-replace-default.patch
-        if [ $? != 0 ]; then
-            printf "ERROR.\n"
-            printf "\n\nPatch application failed.\n"
-            exit 1
-        fi
-    fi
-    # Patch the OpenSSL version with our metadata
-    openssl_patch_version $replace_default
-
+openssl_build() {
     DEBFULLNAME="${DEBFULLNAME:-WolfSSL Developer}" DEBEMAIL="${DEBEMAIL:-support@wolfssl.com}" dch -l +wolfprov "Adjust VERSION.dat for custom build"
     DEBIAN_FRONTEND=noninteractive EDITOR=true dpkg-source --commit . adjust-version-dat
-}
-
-openssl_build() {
     DEB_BUILD_OPTIONS="parallel=$(nproc) nocheck" dpkg-buildpackage -us -uc
 }
 
@@ -171,7 +122,7 @@ main() {
         exit 0
     fi
 
-    if [ -n "output_dir" ]; then
+    if [ -n "$output_dir" ]; then
         output_dir=$(realpath $output_dir)
     fi
 

diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh
@@ -27,6 +27,7 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once
     export UTILS_GENERAL_LOADED=yes
 fi
 
+# Check if the current git repository matches the target commit/tag/branch
 # Usage: check_git_match <target_ref> [<repo_dir>]
 check_git_match() {
     local target_ref="$1"
@@ -64,3 +65,69 @@ check_git_match() {
         exit 1
     fi
 }
+
+# Apply patch for OpenSSL version info
+openssl_patch_metadata() {
+    local replace_default=${1:-0}
+    local openssl_source_dir=${2:-.}
+    printf "\tPatching OpenSSL version metadata ... "
+    # Patch the OpenSSL version with our BUILD_METADATA
+    if [ "$replace_default" = "1" ]; then
+        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-replace-default/g' $openssl_source_dir/VERSION.dat
+    else
+        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/g' $openssl_source_dir/VERSION.dat
+    fi
+    # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY
+    sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=\"$(date '+%d %b %Y')\"/g" $openssl_source_dir/VERSION.dat
+
+    printf "Done.\n"
+}
+
+# Check if replace-default patch is applied
+# Return 0 if patched, 1 if not
+openssl_is_patched() {
+    local openssl_source_dir=${1:-.}
+    local file="$openssl_source_dir/crypto/provider_predefined.c"
+    local ret=1
+
+    # File must exist to be patched
+    if [[ ! -f "$file" ]]; then
+        printf "\tOpenSSL source file not found: %s\n" "$file"
+    elif grep -q 'libwolfprov' -- "$file"; then
+        # Any time we see libwolfprov, we're patched
+        ret=0
+    else
+        : # Not patched
+    fi
+
+    return $ret
+}
+
+# Apply replace-default and version patches
+openssl_patch() {
+    local replace_default=${1:-0}
+    local openssl_source_dir=${2:-.}
+    local patch_file="${SCRIPT_DIR}/../patches/openssl3-replace-default.patch"
+
+    if openssl_is_patched $openssl_source_dir; then
+        printf "\tOpenSSL already patched\n"
+    elif [ "$replace_default" = "1" ]; then
+        if [ ! -f "${patch_file}" ]; then
+            printf "ERROR: OpenSSL replace-default patch file not found: ${patch_file}\n"
+            printf "  Looked in directory: $(dirname ${patch_file})\n"
+            exit 1
+        fi
+
+        printf "\tApplying OpenSSL default provider patch ... "
+
+        # Apply the patch
+        patch -d $openssl_source_dir -p1 < ${patch_file}
+        if [ $? != 0 ]; then
+            printf "ERROR.\n"
+            printf "\n\nPatch application failed.\n"
+            exit 1
+        fi
+    fi
+    # Patch the OpenSSL version with our metadata
+    openssl_patch_metadata $replace_default $openssl_source_dir
+}
diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh
@@ -100,97 +100,24 @@ clone_openssl() {
     fi
 }
 
-is_openssl_patched() {
-    # Return 0 if patched, 1 if not
-    local dir="${OPENSSL_SOURCE_DIR:?OPENSSL_SOURCE_DIR not set}"
-    local file="${dir%/}/crypto/provider_predefined.c"
-
-    # File must exist to be patched
-    [[ -f "$file" ]] || return 1
-
-    # Any time we see libwolfprov, we're patched
-    if grep -q 'libwolfprov' -- "$file"; then
-        return 0
-    fi
-
-    # Not patched
-    return 1
-}
-
-patch_openssl_version() {
-    # Patch the OpenSSL version (wolfProvider/openssl-source/VERSION.dat)
-    # with our BUILD_METADATA, depending on the FIPS flag. Either "wolfProvider" or "wolfProvider-fips".
-    if [ ${WOLFSSL_ISFIPS:-0} -eq 1 ]; then
-        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat
-    else
-        sed -i 's/BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-nonfips/g' ${OPENSSL_SOURCE_DIR}/VERSION.dat
-    fi
-
-    # Patch the OpenSSL RELEASE_DATE field with the current date in the format DD MMM YYYY
-    sed -i "s/RELEASE_DATE=.*/RELEASE_DATE=$(date '+%d %b %Y')/g" ${OPENSSL_SOURCE_DIR}/VERSION.dat
-}
-
-patch_openssl() {
-    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
-
-        if [ -d "${OPENSSL_INSTALL_DIR}" ]; then
-            # If openssl is already installed, patching makes no sense as
-            # it will not be rebuilt. It may already be built as patched,
-            # just return and let check_openssl_replace_default_mismatch
-            # check for the mismatch.
-            return 0
-        fi
-
-        printf "\tApplying OpenSSL default provider patch ... "
-        pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
-
-        # Check if patch is already applied
-        if is_openssl_patched; then
-            printf "Already applied.\n"
-            popd &> /dev/null
-            return 0
-        fi
-
-        # Apply the patch
-        patch -p1 < ${SCRIPT_DIR}/../patches/openssl3-replace-default.patch >>$LOG_FILE 2>&1
-        if [ $? != 0 ]; then
-            printf "ERROR.\n"
-            printf "\n\nPatch application failed. Last 40 lines of log:\n"
-            tail -n 40 $LOG_FILE
-            do_cleanup
-            exit 1
-        fi
-        patch_openssl_version
-        printf "Done.\n"
-
-        popd &> /dev/null
-    else
-        printf "\tPatching OpenSSL version only ... "
-        pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
-        patch_openssl_version
-        printf "Done.\n"
-        popd &> /dev/null
-    fi
-}
-
 check_openssl_replace_default_mismatch() {
-    local openssl_is_patched=0
+    local is_patched=0
 
     # Check if the source was patched for --replace-default
-    if is_openssl_patched; then
-        openssl_is_patched=1
+    if openssl_is_patched $OPENSSL_SOURCE_DIR; then
+        is_patched=1
         printf "INFO: OpenSSL source modified - wolfProvider integrated as default provider (non-stock build).\n"
     fi
 
     # Check for mismatch
-    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ "$openssl_is_patched" = "0" ]; then
+    if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ] && [ "$is_patched" = "0" ]; then
         printf "ERROR: --replace-default build mode mismatch!\n"
         printf "Existing OpenSSL was built WITHOUT --replace-default patch\n"
         printf "Current request: --replace-default build\n\n"
         printf "Fix: ./scripts/build-wolfprovider.sh --distclean\n"
         printf "Then rebuild with desired configuration.\n"
         exit 1
-    elif [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ] && [ "$openssl_is_patched" = "1" ]; then
+    elif [ "$WOLFPROV_REPLACE_DEFAULT" != "1" ] && [ "$is_patched" = "1" ]; then
         printf "ERROR: Standard build mode mismatch!\n"
         printf "Existing OpenSSL was built WITH --replace-default patch\n"
         printf "Current request: standard build\n\n"
@@ -203,7 +130,7 @@ check_openssl_replace_default_mismatch() {
 install_openssl() {
     printf "\nInstalling OpenSSL ${OPENSSL_TAG} ...\n"
     clone_openssl
-    patch_openssl
+    openssl_patch "$WOLFPROV_REPLACE_DEFAULT" "${OPENSSL_SOURCE_DIR}"
     check_openssl_replace_default_mismatch
 
     pushd ${OPENSSL_SOURCE_DIR} &> /dev/null
@@ -266,7 +193,7 @@ init_openssl() {
         if [ "$WOLFPROV_REPLACE_DEFAULT" = "1" ]; then
             OPENSSL_OPTS+=" --replace-default"
         fi
-        $SCRIPT_DIR/debian/install-openssl.sh $OPENSSL_OPTS --output-dir ${REPO_DIR}/..
+        $SCRIPT_DIR/debian/install-openssl.sh $OPENSSL_OPTS --output-dir ..
     else
         install_openssl
     fi

diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh
@@ -310,18 +310,18 @@ verify_wolfprovider() {
 #     version: 1.0.2
 #     status: active
 
-# When replace-default is 0, expect:
-# $ openssl version        
+# When using base openssl, expect:
+# $ openssl version
 # OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025
 
+# When using wolfProvider's openssl with replace-default 0, expect:
+# openssl version
+# OpenSSL 3.0.17+wolfProvider 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider 03 Nov 2025)
+
 # When replace-default is 1 and fips is 0, expect:
-# $ openssl version        
+# $ openssl version
 # OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)
 
-# When fips is 1, expect:
-# $ openssl version        
-# OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025 (Library: OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025)
-
 # When fips is 1, expect:
 # $ dpkg -l | grep libwolfssl
 # ii  libwolfssl                              5.8.2+commercial.fips.linuxv5.2.4   amd64        wolfSSL encryption library
@@ -341,8 +341,8 @@ self_test() {
 
     # Mock strings for openssl version
     local ver_base="OpenSSL 3.0.17 1 Jul 2025 (Library: OpenSSL 3.0.17 1 Jul 2025)"
-    local ver_replace_default_nonfips="OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)"
-    local ver_replace_default_fips="OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025 (Library: OpenSSL 3.0.17+wolfProvider-fips 11 Oct 2025)"
+    local ver_wp="OpenSSL 3.0.17+wolfProvider 03 Nov 2025 (Library: OpenSSL 3.0.17+wolfProvider 03 Nov 2025)"
+    local ver_replace_default="OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025 (Library: OpenSSL 3.0.17+wolfProvider-nonfips 30 Sep 2025)"
 
     # Mock strings for provider listings
     read -r -d '' providers_libwolfprov_nonfips <<'EOF'
@@ -446,27 +446,26 @@ EOF
 
     # Positive cases per comment expectations
     run_case "pos: replace_default=0,fips=0" 0 0 0 0 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips
-    run_case "pos: replace_default=1,fips=0" 0 0 1 0 ver_replace_default_nonfips providers_default_wolf_nonfips dpkg_installed_nonfips
-    run_case "pos: replace_default=1,fips=1" 0 1 1 0 ver_replace_default_fips providers_default_wolf_fips dpkg_installed_fips
+    run_case "pos: replace_default=1,fips=0" 0 0 1 0 ver_replace_default providers_default_wolf_nonfips dpkg_installed_nonfips
     run_case "pos: replace_default=0,fips=1" 0 1 0 0 ver_base providers_libwolfprov_fips dpkg_installed_fips
     # run positive test cases with providers_default_openssl_only
     run_case "pos: no_wp true with OpenSSL default, default provider" 0 0 0 1 ver_base providers_default_openssl_only dpkg_installed_nonfips
-    run_case "pos: no_wp true but wolfProvider active" 1 0 0 1 ver_base providers_libwolfprov_nonfips  dpkg_installed_nonfips
+    run_case "pos: no_wp true but wolfProvider active" 1 0 0 1 ver_wp providers_libwolfprov_nonfips  dpkg_installed_nonfips
 
     # Negative cases
-    run_case "neg: rd=0 but OpenSSL replace-default" 1 0 0 0 ver_replace_default_nonfips providers_libwolfprov_nonfips dpkg_installed_nonfips
+    run_case "neg: rd=0 but OpenSSL replace-default" 1 0 0 0 ver_replace_default providers_libwolfprov_nonfips dpkg_installed_nonfips
+    run_case "neg: rd=0 but OpenSSL wp metadata" 1 0 0 0 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips
     run_case "neg: rd=0 but provider default" 1 0 0 0 ver_base providers_both_default_and_libwolfprov dpkg_installed_nonfips
     run_case "neg: rd=0 but no providers listed" 1 0 0 0 ver_base providers_none dpkg_installed_nonfips
     run_case "neg: rd=0 missing provider" 1 0 0 0 ver_base providers_default_openssl_only dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=0 but OpenSSL FIPS" 1 0 1 0 ver_replace_default_fips providers_default_wolf_nonfips dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=0 but provider FIPS" 1 0 1 0 ver_replace_default_nonfips providers_default_wolf_fips dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=0 but no providers listed" 1 0 1 0 ver_replace_default_nonfips providers_none dpkg_installed_nonfips
-    run_case "neg: rd=1,fips=1 but OpenSSL non-FIPS" 1 1 1 0 ver_replace_default_nonfips providers_default_wolf_fips dpkg_installed_fips
+    run_case "neg: rd=1,fips=0 but provider FIPS" 1 0 1 0 ver_replace_default providers_default_wolf_fips dpkg_installed_nonfips
+    run_case "neg: rd=1,fips=0 but no providers listed" 1 0 1 0 ver_replace_default providers_none dpkg_installed_nonfips
+    run_case "neg: rd=1,fips=1 but OpenSSL non-FIPS" 1 1 1 0 ver_replace_default providers_default_wolf_fips dpkg_installed_fips
     run_case "neg: fips=1 but wolfSSL non-FIPS" 1 1 0 0 ver_base providers_libwolfprov_fips dpkg_installed_nonfips
 
     # no_wp positive and negative cases
     run_case "neg: no_wp true with OpenSSL default, default provider" 1 0 0 1 ver_base providers_none dpkg_installed_nonfips
-    run_case "neg: no_wp true but wolfProvider active" 1 0 0 1 ver_base providers_libwolfprov_nonfips dpkg_installed_nonfips
+    run_case "neg: no_wp true but wolfProvider active" 1 0 0 1 ver_wp providers_libwolfprov_nonfips dpkg_installed_nonfips
 
     log_info "self_test results: ${pass_count} passed, ${fail_count} failed"
     if [ "$fail_count" -gt 0 ]; then