From 3f119b761d20a24c2300c2e5ffbcce9dfa1afc2e Mon Sep 17 00:00:00 2001 From: Aidan Garske Date: Mon, 26 Jan 2026 11:11:49 -0800 Subject: [PATCH 1/2] Add fixed RD detection --- scripts/cmd_test/cmd-test-common.sh | 32 +++++++++++++++++++++---- scripts/cmd_test/do-cmd-tests.sh | 33 ++++++++++++++++++++++---- scripts/cmd_test/hash-cmd-test.sh | 6 ++--- scripts/utils-general.sh | 36 ++++++++++++++++++++++++++--- 4 files changed, 93 insertions(+), 14 deletions(-) diff --git a/scripts/cmd_test/cmd-test-common.sh b/scripts/cmd_test/cmd-test-common.sh index 59ac9c19..4169877d 100644 --- a/scripts/cmd_test/cmd-test-common.sh +++ b/scripts/cmd_test/cmd-test-common.sh @@ -95,15 +95,30 @@ use_default_provider() { unset OPENSSL_CONF unset OPENSSL_MODULES fi - + # Re-detect after disabling detect_wolfprovider_mode # Verify that we are using the OpenSSL default provider (not wolfProvider) if [ "$is_openssl_default_provider" != "1" ]; then - echo "FAIL: unable to switch to default provider, wolfProvider is still active" - echo "is_openssl_default_provider: $is_openssl_default_provider" - exit 1 + # If we can't switch, this indicates replace-default mode + # Check if wolfProvider is still active - if so, we're in replace-default mode + if [ "$is_wp_active" = "1" ]; then + echo "INFO: Cannot switch to OpenSSL default provider - detected replace-default mode" + echo "INFO: Setting is_openssl_replace_default=1 for remaining tests" + is_openssl_replace_default=1 + is_wp_default=1 + export is_openssl_replace_default + export is_wp_default + # Also set the environment variable for child processes + export WOLFPROV_REPLACE_DEFAULT=1 + return 0 # Return success - this is expected in replace-default mode + else + echo "FAIL: unable to switch to default provider, and wolfProvider is not active" + echo "is_openssl_default_provider: $is_openssl_default_provider" + echo "is_wp_active: $is_wp_active" + exit 1 + fi fi echo "INFO: Switched to OpenSSL default provider" return 0 
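Review bot: The new fallback in use_default_provider turns "could not unload wolfProvider" into "replace-default mode" and returns 0, so a misconfigured environment (stale OPENSSL_CONF/OPENSSL_MODULES, a wrong module path) silently downgrades the whole run from an OpenSSL-vs-wolfProvider comparison to a wolfProvider-only run instead of failing. Patch 2/2 of this series removes heuristics that infer replace-default from the absence of the OpenSSL default provider, but this branch is the same inference made from a different angle; tie it to the explicit signal from the re-detect instead, e.g. `if [ "$is_wp_active" = "1" ] && [ "$is_openssl_replace_default" = "1" ]; then`, and fail otherwise. Exporting `WOLFPROV_REPLACE_DEFAULT=1` here also makes every later detect_wolfprovider_mode call report replace-default via its env-var path, so the inference locks itself in; at minimum print this as WARN rather than INFO. is_wp_active is presumably populated by detect_wolfprovider_mode, which is not in this hunk, and use_default_provider itself begins before the hunk.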
@@ -240,3 +255,12 @@ use_provider_by_name() { use_default_provider fi } + +# Check if we can perform provider comparison tests +# Returns 0 if comparison possible (normal mode), 1 if replace-default mode (no comparison) +can_compare_providers() { + if [ "$is_openssl_replace_default" = "1" ] || [ "${WOLFPROV_REPLACE_DEFAULT:-0}" = "1" ]; then + return 1 # Cannot compare - replace-default mode + fi + return 0 # Can compare - normal mode +} diff --git a/scripts/cmd_test/do-cmd-tests.sh b/scripts/cmd_test/do-cmd-tests.sh index 3ab64dda..c79a4170 100755 --- a/scripts/cmd_test/do-cmd-tests.sh +++ b/scripts/cmd_test/do-cmd-tests.sh @@ -129,14 +129,39 @@ if [ "${WOLFPROV_FORCE_FAIL}" = "1" ]; then echo "Force-fail mode: ENABLED" fi +# Detect mode first +detect_wolfprovider_mode + +# Display mode information +echo "" +echo "Detected configuration:" +echo " is_openssl_replace_default: $is_openssl_replace_default" +echo " is_wp_active: $is_wp_active" +echo " is_wp_default: $is_wp_default" +echo " is_openssl_default_provider: $is_openssl_default_provider" +echo "" + +if [ "$is_openssl_replace_default" = "1" ] || [ "${WOLFPROV_REPLACE_DEFAULT:-0}" = "1" ]; then + echo "INFO: Running in replace-default mode" + echo "INFO: Tests will run with wolfProvider only (no provider switching)" + # Just verify wolfProvider is active + use_wolf_provider +else + echo "INFO: Running in normal mode" + echo "INFO: Tests will compare OpenSSL default vs wolfProvider" + # Ensure we can switch providers before proceeding + use_default_provider + use_wolf_provider +fi + # Export detection variables for child scripts +export is_openssl_replace_default +export is_wp_active +export is_wp_default +export is_openssl_default_provider export WOLFPROV_REPLACE_DEFAULT export WOLFPROV_FIPS -# Ensure we can switch providers before proceeding -use_default_provider -use_wolf_provider - # Initialize result variables HASH_RESULT=0 AES_RESULT=0 
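Review bot: can_compare_providers() is added but nothing in this series calls it; hash-cmd-test.sh (next hunk) still runs use_default_provider, use_wolf_provider and compare_hashes for every algorithm, and since use_default_provider now returns 0 in replace-default mode without switching, both output files come from wolfProvider and compare_hashes passes trivially. Gate the per-algorithm block on it, e.g. `if can_compare_providers; then use_default_provider; run_hash_test "$algo" "hash_outputs/openssl_${algo}.txt"; fi` and skip or explicitly mark the comparison when it returns 1, so a green run cannot mean "wolf matched wolf". The function also consults the raw WOLFPROV_REPLACE_DEFAULT variable even though detect_wolfprovider_mode already folds it into is_openssl_replace_default; if that second check is meant to honor an override exported by a parent process, say so in the header comment: `# Also honors WOLFPROV_REPLACE_DEFAULT exported by a parent script before detection ran`.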
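Review bot: The branch condition repeats the `${WOLFPROV_REPLACE_DEFAULT:-0}` test that detect_wolfprovider_mode (Method 2 in utils-general.sh, later in this patch) already folds into is_openssl_replace_default, so the second disjunct is dead after the detect call on the line above it. The consequence worth stating is that an exported WOLFPROV_REPLACE_DEFAULT=1 alone puts the entire run into the no-comparison branch; since the provider listing has just been captured, warn when the two disagree, e.g. `[ "$is_openssl_default_provider" = "1" ] && echo "WARN: WOLFPROV_REPLACE_DEFAULT=1 but OpenSSL Default Provider is loaded"`. The top-level flow this hunk sits in continues past the hunk, so where the result summary reports "comparison skipped" for this mode could not be checked here.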
diff --git a/scripts/cmd_test/hash-cmd-test.sh b/scripts/cmd_test/hash-cmd-test.sh index 0d4818a7..d77e1d68 100755 --- a/scripts/cmd_test/hash-cmd-test.sh +++ b/scripts/cmd_test/hash-cmd-test.sh @@ -90,15 +90,15 @@ compare_hashes() { # Run tests for each hash algorithm for algo in "${HASH_ALGOS[@]}"; do echo -e "\n=== Testing ${algo^^} ===" - + # Test with OpenSSL default provider use_default_provider run_hash_test $algo "hash_outputs/openssl_${algo}.txt" - + # Test with wolfProvider use_wolf_provider run_hash_test $algo "hash_outputs/wolf_${algo}.txt" - + # Compare results compare_hashes $algo done diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh index bec1c3a0..cc633997 100644 --- a/scripts/utils-general.sh +++ b/scripts/utils-general.sh @@ -75,13 +75,15 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once local openssl_version=$(${OPENSSL_BIN} version 2>/dev/null) local openssl_providers=$(${OPENSSL_BIN} list -providers 2>/dev/null) - # Check for "replace-default" in version string OR environment variable + # Method 1: Check for "replace-default" in version string is_openssl_replace_default=$(echo "$openssl_version" | grep -qi "replace-default" && echo 1 || echo 0) + + # Method 2: Check environment variable if [ "$is_openssl_replace_default" = "0" ] && [ "${WOLFPROV_REPLACE_DEFAULT:-0}" = "1" ]; then is_openssl_replace_default=1 fi - - # In replace-default mode, "default" provider has "wolfSSL Provider" name + + # Method 3: Check if provider list shows "default" with "wolfSSL Provider" name if [ "$is_openssl_replace_default" = "0" ]; then # Check if provider list shows "default" with "wolfSSL Provider" name but NOT "OpenSSL Default Provider" # This indicates replace-default mode 
@@ -91,6 +93,34 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once is_openssl_replace_default=1 fi fi + + # Method 4: Check for "+wolfProvider" in version string (Debian package indicator) + # AND no "OpenSSL Default Provider" available + if [ "$is_openssl_replace_default" = "0" ]; then + if echo "$openssl_version" | grep -qi "+wolfProvider" && \ + ! echo "$openssl_providers" | grep -q "OpenSSL Default Provider"; then + is_openssl_replace_default=1 + fi + fi + + # Method 5: Check if libwolfprov is the ONLY provider loaded (shown as "libwolfprov") + # and wolfSSL Provider is active with NO OpenSSL Default Provider + if [ "$is_openssl_replace_default" = "0" ]; then + if echo "$openssl_providers" | grep -q "^ libwolfprov$" && \ + echo "$openssl_providers" | grep -q "wolfSSL Provider" && \ + ! echo "$openssl_providers" | grep -q "OpenSSL Default Provider"; then + is_openssl_replace_default=1 + fi + fi + + # Method 6: If wolfSSL Provider is active but NO OpenSSL Default Provider exists at all, + # this strongly indicates replace-default mode + if [ "$is_openssl_replace_default" = "0" ]; then + if echo "$openssl_providers" | grep -q "wolfSSL Provider" && \ + ! echo "$openssl_providers" | grep -q "OpenSSL Default Provider"; then + is_openssl_replace_default=1 + fi + fi # In replace-default mode, there's no "OpenSSL Default Provider" - wolfProvider IS the default is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0) From 7c85aa0196ba0d3780c3e0285c61227d6c1a2892 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Mon, 26 Jan 2026 15:35:23 -0800 Subject: [PATCH 2/2] fix: updated incorrect detection --- scripts/utils-general.sh | 38 +++++++++++--------------------------- 1 file changed, 11 insertions(+), 27 deletions(-) diff --git a/scripts/utils-general.sh b/scripts/utils-general.sh index cc633997..4796bcda 100644 --- a/scripts/utils-general.sh +++ b/scripts/utils-general.sh 
@@ -94,33 +94,17 @@ if [ "$UTILS_GENERAL_LOADED" != "yes" ]; then # only set once fi fi - # Method 4: Check for "+wolfProvider" in version string (Debian package indicator) - # AND no "OpenSSL Default Provider" available - if [ "$is_openssl_replace_default" = "0" ]; then - if echo "$openssl_version" | grep -qi "+wolfProvider" && \ - ! echo "$openssl_providers" | grep -q "OpenSSL Default Provider"; then - is_openssl_replace_default=1 - fi - fi - - # Method 5: Check if libwolfprov is the ONLY provider loaded (shown as "libwolfprov") - # and wolfSSL Provider is active with NO OpenSSL Default Provider - if [ "$is_openssl_replace_default" = "0" ]; then - if echo "$openssl_providers" | grep -q "^ libwolfprov$" && \ - echo "$openssl_providers" | grep -q "wolfSSL Provider" && \ - ! echo "$openssl_providers" | grep -q "OpenSSL Default Provider"; then - is_openssl_replace_default=1 - fi - fi - - # Method 6: If wolfSSL Provider is active but NO OpenSSL Default Provider exists at all, - # this strongly indicates replace-default mode - if [ "$is_openssl_replace_default" = "0" ]; then - if echo "$openssl_providers" | grep -q "wolfSSL Provider" && \ - ! echo "$openssl_providers" | grep -q "OpenSSL Default Provider"; then - is_openssl_replace_default=1 - fi - fi + # Note: We intentionally do NOT check for absence of "OpenSSL Default Provider" + # as an indicator of replace-default mode. In standalone mode, wolfProvider + # loads as "libwolfprov" and OpenSSL Default Provider may simply not be + # configured to load - this doesn't mean OpenSSL was patched. + # + # The key distinction: + # - Replace-default mode: Provider shows as "default" with name "wolfSSL Provider" + # - Standalone mode: Provider shows as "libwolfprov" with name "wolfSSL Provider" + # + # Method 3 above correctly detects replace-default by checking for "default" + # provider with "wolfSSL Provider" name. 
# In replace-default mode, there's no "OpenSSL Default Provider" - wolfProvider IS the default is_openssl_default_provider=$(echo "$openssl_providers" | grep -qi "OpenSSL Default Provider" && echo 1 || echo 0)
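Review bot: The new note credits Method 3 (provider "default" named "wolfSSL Provider") with correct detection, but Method 3 is guarded by `if [ "$is_openssl_replace_default" = "0" ]` and Method 2 sets that variable to 1 from WOLFPROV_REPLACE_DEFAULT — which use_default_provider in 1/2 now exports on its fallback path — so once the env var is present the listing-based check the note relies on is never evaluated. Consider evaluating the provider-listing check unconditionally and emitting a WARN when the env var claims replace-default but the listing does not show a "default" provider named "wolfSSL Provider"; the exact grep for Method 3 is outside this hunk, so the wording here is hedged. The note would also be more useful with one sentence recording that the listing comes from `${OPENSSL_BIN} list -providers` under the current OPENSSL_CONF/OPENSSL_MODULES, so any caller that changes those must re-run detect_wolfprovider_mode. detect_wolfprovider_mode begins before this hunk.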