diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh index 59ac9c19..4169877d 100644 --- a/scripts/cmd_test/cmd-test-common.sh +++ b/scripts/cmd_test/cmd-test-common.sh @@ -95,15 +95,30 @@ use_default_provider() { unset OPENSSL_CONF unset OPENSSL_MODULES fi - + # Re-detect after disabling detect_wolfprovider_mode # Verify that we are using the OpenSSL default provider (not wolfProvider) if [ "$is_openssl_default_provider" != "1" ]; then - echo "FAIL: unable to switch to default provider, wolfProvider is still active" - echo "is_openssl_default_provider: $is_openssl_default_provider" - exit 1 + # If we can't switch, this indicates replace-default mode + # Check if wolfProvider is still active - if so, we're in replace-default mode + if [ "$is_wp_active" = "1" ]; then + echo "INFO: Cannot switch to OpenSSL default provider - detected replace-default mode" + echo "INFO: Setting is_openssl_replace_default=1 for remaining tests" + is_openssl_replace_default=1 + is_wp_default=1 + export is_openssl_replace_default + export is_wp_default + # Also set the environment variable for child processes + export WOLFPROV_REPLACE_DEFAULT=1 + return 0 # Return success - this is expected in replace-default mode + else + echo "FAIL: unable to switch to default provider, and wolfProvider is not active" + echo "is_openssl_default_provider: $is_openssl_default_provider" + echo "is_wp_active: $is_wp_active" + exit 1 + fi fi echo "INFO: Switched to OpenSSL default provider" return 0 @@ -240,3 +255,12 @@ use_provider_by_name() { use_default_provider fi } + +# Check if we can perform provider comparison tests +# Returns 0 if comparison possible (normal mode), 1 if replace-default mode (no comparison) +can_compare_providers() { + if [ "$is_openssl_replace_default" = "1" ] || [ "${WOLFPROV_REPLACE_DEFAULT:-0}" = "1" ]; then + return 1 # Cannot compare - replace-default mode + fi + return 0 # Can compare - normal mode +} diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh index 3ab64dda..c79a4170 100755 --- a/scripts/cmd_test/do-cmd-tests.sh +++ b/scripts/cmd_test/do-cmd-tests.sh @@ -129,14 +129,39 @@ if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then echo "Force-fail mode: ENABLED" fi +# Detect mode first +detect_wolfprovider_mode + +# Display mode information +echo "" +echo "Detected configuration:" +echo " is_openssl_replace_default: $is_openssl_replace_default" +echo " is_wp_active: $is_wp_active" +echo " is_wp_default: $is_wp_default" +echo " is_openssl_default_provider: $is_openssl_default_provider" +echo "" + +if [ "$is_openssl_replace_default" = "1" ] || [ "${WOLFPROV_REPLACE_DEFAULT:-0}" = "1" ]; then + echo "INFO: Running in replace-default mode" + echo "INFO: Tests will run with wolfProvider only (no provider switching)" + # Just verify wolfProvider is active + use_wolf_provider +else + echo "INFO: Running in normal mode" + echo "INFO: Tests will compare OpenSSL default vs wolfProvider" + # Ensure we can switch providers before proceeding + use_default_provider + use_wolf_provider +fi + # Export detection variables for child scripts +export is_openssl_replace_default +export is_wp_active +export is_wp_default +export is_openssl_default_provider export WOLFPROV_REPLACE_DEFAULT export WOLFPROV_FIPS -# Ensure we can switch providers before proceeding -use_default_provider -use_wolf_provider - # Initialize result variables HASH_RESULT=0 AES_RESULT=0 diff --git a/scripts/cmd_test/hash-cmd-test.sh b/scripts/cmd_test/hash-cmd-test.sh index 0d4818a7..d77e1d68 100755 --- a/scripts/cmd_test/hash-cmd-test.sh +++ b/scripts/cmd_test/hash-cmd-test.sh @@ -90,15 +90,15 @@ compare_hashes() { # Run tests for each hash algorithm for algo in "${HASH_ALGOS[@]}"; do echo -e "\n=== Testing ${algo^^} ===" - + # Test with OpenSSL default provider use_default_provider run_hash_test $algo "hash_outputs/openssl_${algo}.txt" - + # Test with wolfProvider use_wolf_provider run_hash_test $algo "hash_outputs/wolf_${algo}.txt" - + # Compare results compare_hashes $algo done diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh index bec1c3a0..4796bcda 100644 --- a/scripts/utils-general.sh +++ b/scripts/utils-general.sh @@ -75,13 +75,15 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once local openssl_version=$(${OPENSSL_BIN} version 2>/dev/null) local openssl_providers=$(${OPENSSL_BIN} list -providers 2>/dev/null) - # Check for "replace-default" in version string OR environment variable + # Method 1: Check for "replace-default" in version string is_openssl_replace_default=$(echo "$openssl_version" | grep -qi "replace-default" && echo 1 || echo 0) + + # Method 2: Check environment variable if [ "$is_openssl_replace_default" = "0" ] && [ "${WOLFPROV_REPLACE_DEFAULT:-0}" = "1" ]; then is_openssl_replace_default=1 fi - - # In replace-default mode, "default" provider has "wolfSSL Provider" name + + # Method 3: Check if provider list shows "default" with "wolfSSL Provider" name if [ "$is_openssl_replace_default" = "0" ]; then # Check if provider list shows "default" with "wolfSSL Provider" name but NOT "OpenSSL Default Provider" # This indicates replace-default mode @@ -91,6 +93,18 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once is_openssl_replace_default=1 fi fi + + # Note: We intentionally do NOT check for absence of "OpenSSL Default Provider" + # as an indicator of replace-default mode. In standalone mode, wolfProvider + # loads as "libwolfprov" and OpenSSL Default Provider may simply not be + # configured to load - this doesn't mean OpenSSL was patched. + # + # The key distinction: + # - Replace-default mode: Provider shows as "default" with name "wolfSSL Provider" + # - Standalone mode: Provider shows as "libwolfprov" with name "wolfSSL Provider" + # + # Method 3 above correctly detects replace-default by checking for "default" + # provider with "wolfSSL Provider" name. # In replace-default mode, there's no "OpenSSL Default Provider" - wolfProvider IS the default is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)