diff --git a/classes/wolfssl-helper.bbclass b/classes/wolfssl-helper.bbclass
index aca77da2..48fc4c4a 100644
--- a/classes/wolfssl-helper.bbclass
+++ b/classes/wolfssl-helper.bbclass
@@ -26,6 +26,131 @@ def wolfssl_conditional_require(d, package_name, inc_path):
     bb.parse.mark_dependency(d, inc_file)
     bb.parse.handle(inc_file, d, True)
 
+
+def wolfssl_conditional_require_mode(d, package_name, mode, inc_file):
+    """
+    Conditionally include an .inc file based on a mode variable and WOLFSSL_FEATURES.
+    Supports space-separated modes (e.g., "replace-default enable-tests").
+
+    Args:
+        d: BitBake datastore
+        package_name: Name of the package to check for (e.g., 'wolfprovider')
+        mode: The expected mode (e.g., 'standalone' or 'replace-default')
+        inc_file: Relative path from layer root to the .inc file
+
+    Returns:
+        True if configuration was included, False otherwise
+
+    Example:
+        wolfssl_conditional_require_mode(
+            d,
+            package_name='wolfprovider',
+            mode='standalone',
+            inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc'
+        )
+
+        # Supports multiple modes in WOLFPROVIDER_MODE:
+        # WOLFPROVIDER_MODE = "replace-default enable-tests"
+    """
+    import os
+    import bb.parse
+
+    # Check if package is enabled
+    if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \
+            bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)):
+        bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping")
+        return False
+
+    # Build the mode variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_MODE')
+    mode_var_name = f"{package_name.upper()}_MODE"
+    current_mode_str = d.getVar(mode_var_name) or 'standalone'  # Default to standalone
+
+    # Support space-separated modes: split into list and check if expected mode is in the list
+    current_modes = [m.strip() for m in current_mode_str.split() if m.strip()]
+
+    # Check if expected mode is in the current modes list
+    if mode not in current_modes:
+        bb.debug(2, f"{package_name}: {mode_var_name}='{current_mode_str}' does not contain '{mode}' - skipping")
+        return False
+
+    # Mode found in list - include the configuration
+    # Show all detected modes for clarity
+    bb.note(f"{package_name}: {mode_var_name}='{current_mode_str}' contains '{mode}' mode - including {inc_file}")
+
+    layerdir = d.getVar('WOLFSSL_LAYERDIR')
+    if not layerdir:
+        bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured")
+
+    full_inc_file = os.path.join(layerdir, inc_file)
+    bb.parse.mark_dependency(d, full_inc_file)
+    try:
+        bb.parse.handle(full_inc_file, d, True)
+        return True
+    except Exception as e:
+        bb.fatal(f"Failed to include {full_inc_file}: {e}")
+
+
+def wolfssl_conditional_require_flag(d, package_name, flag_name, inc_file):
+    """
+    Conditionally include an .inc file based on a flags variable and WOLFSSL_FEATURES.
+    Flags are separate from modes - use for features like tests, not OpenSSL configuration.
+
+    Args:
+        d: BitBake datastore
+        package_name: Name of the package to check for (e.g., 'wolfprovider')
+        flag_name: The flag to check for (e.g., 'enable-tests')
+        inc_file: Relative path from layer root to the .inc file
+
+    Returns:
+        True if configuration was included, False otherwise
+
+    Example:
+        wolfssl_conditional_require_flag(
+            d,
+            package_name='wolfprovider',
+            flag_name='enable-tests',
+            inc_file='inc/wolfprovider/wolfprovider-enable-test.inc'
+        )
+
+        # Usage in local.conf:
+        # WOLFPROVIDER_FLAGS = "enable-tests"  # Can be space-separated: "enable-tests other-flag"
+    """
+    import os
+    import bb.parse
+
+    # Check if package is enabled
+    if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \
+            bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)):
+        bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping")
+        return False
+
+    # Build the flags variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_FLAGS')
+    flags_var_name = f"{package_name.upper()}_FLAGS"
+    current_flags_str = d.getVar(flags_var_name) or ''
+
+    # Support space-separated flags: split into list and check if expected flag is in the list
+    current_flags = [f.strip() for f in current_flags_str.split() if f.strip()]
+
+    # Check if expected flag is in the current flags list
+    if flag_name not in current_flags:
+        bb.debug(2, f"{package_name}: {flags_var_name}='{current_flags_str}' does not contain '{flag_name}' - skipping")
+        return False
+
+    # Flag found in list - include the configuration
+    bb.note(f"{package_name}: {flags_var_name}='{current_flags_str}' contains '{flag_name}' flag - including {inc_file}")
+
+    layerdir = d.getVar('WOLFSSL_LAYERDIR')
+    if not layerdir:
+        bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured")
+
+    full_inc_file = os.path.join(layerdir, inc_file)
+    bb.parse.mark_dependency(d, full_inc_file)
+    try:
+        bb.parse.handle(full_inc_file, d, True)
+        return True
+    except Exception as e:
+        bb.fatal(f"Failed to include {full_inc_file}: {e}")
+
 python do_wolfssl_check_package() {
     """
     Task to check if package is enabled via IMAGE_INSTALL or WOLFSSL_FEATURES
diff --git a/conf/layer.conf b/conf/layer.conf
index d91520ca..16b4b6e9 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -22,6 +22,7 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
             ${LAYERDIR}/recipes-wolfssl/wolfcrypt-py/*.bb \
             ${LAYERDIR}/recipes-wolfssl/wolfcrypt-py/*.bbappend \
             ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfprovider*.bb \
+            ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfprovider*.bbappend \
             ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfssl*.bbappend \
             ${LAYERDIR}/recipes-wolfssl/wolfengine/wolfengine*.bb \
             ${LAYERDIR}/recipes-wolfssl/wolfengine/wolfssl*.bbappend \
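Review bot: wolfssl_conditional_require_mode and wolfssl_conditional_require_flag are the same thirty-odd lines twice, differing only in the variable suffix (`_MODE` / `_FLAGS`), the default (`'standalone'` / `''`) and the log wording, so a private helper would keep the enable check, the token-membership test and the layerdir/include step from drifting apart. The helper below also rejects an absolute `inc_file` up front: `os.path.join(layerdir, inc_file)` silently discards `layerdir` when `inc_file` starts with `/`, while both docstrings promise a path relative to the layer root. The `try/except Exception` around `bb.parse.handle` only re-wraps whatever went wrong in a second `bb.fatal`, which presumably also catches a `bb.fatal` raised from inside the included file and reports it twice; letting the exception propagate keeps BitBake's own diagnostics. The context lines at the top of the hunk belong to `wolfssl_conditional_require`, whose body starts before the hunk.
```python
def _wolfssl_include_if_listed(d, package_name, var_suffix, default, expected, kind, inc_file):
    """Shared body of wolfssl_conditional_require_mode/_flag; see their docstrings."""
    import os
    import bb.parse

    # Only act for packages the image actually enables
    if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or
            bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)):
        bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping")
        return False

    var_name = f"{package_name.upper()}_{var_suffix}"
    current_str = d.getVar(var_name) or default
    # Space-separated list: membership of the whole token, never a substring match
    if expected not in current_str.split():
        bb.debug(2, f"{package_name}: {var_name}='{current_str}' does not contain '{expected}' - skipping")
        return False
    bb.note(f"{package_name}: {var_name}='{current_str}' contains '{expected}' {kind} - including {inc_file}")

    layerdir = d.getVar('WOLFSSL_LAYERDIR')
    if not layerdir:
        bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured")
    # os.path.join would drop layerdir for an absolute path; the contract is layer-relative
    if os.path.isabs(inc_file):
        bb.fatal(f"{inc_file} must be relative to WOLFSSL_LAYERDIR")

    full_inc_file = os.path.join(layerdir, inc_file)
    bb.parse.mark_dependency(d, full_inc_file)
    bb.parse.handle(full_inc_file, d, True)
    return True


def wolfssl_conditional_require_mode(d, package_name, mode, inc_file):
    # … unchanged: docstring …
    return _wolfssl_include_if_listed(d, package_name, 'MODE', 'standalone', mode, 'mode', inc_file)


def wolfssl_conditional_require_flag(d, package_name, flag_name, inc_file):
    # … unchanged: docstring …
    return _wolfssl_include_if_listed(d, package_name, 'FLAGS', '', flag_name, 'flag', inc_file)
```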
@@ -35,6 +36,10 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
             ${LAYERDIR}/recipes-examples/wolfssl-py/wolf-py-tests/*.bbappend \
             ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/*.bb \
             ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/*.bbappend \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidercmd/*.bb \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidercmd/*.bbappend \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfproviderenv/*.bb \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfproviderenv/*.bbappend \
             ${LAYERDIR}/recipes-examples/wolfengine/wolfenginetest/*.bb \
             ${LAYERDIR}/recipes-examples/wolfengine/wolfenginetest/*.bbappend \
             ${LAYERDIR}/recipes-support/gnutls/*.bbappend \
@@ -78,6 +83,7 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
 
 BBFILE_COLLECTIONS += "wolfssl"
 BBFILE_PATTERN_wolfssl := "^${LAYERDIR}/"
+# When doing a build with replace default mode enabled, we need to prioritize the wolfssl layer
 BBFILE_PRIORITY_wolfssl = "5"
 
 # Weak default preferred providers for wolf libraries
@@ -156,7 +162,10 @@ BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-image-minimal', '${LA
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfclu-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolftpm-image-minimal', '${LAYERDIR}/recipes-core/images/wolftpm-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolftpm-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-py-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bbappend', '', d)}"
-BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-replace-default-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-replace-default-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'libgcrypt-image-minimal', '${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bbappend', '', d)}"
diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc
new file mode 100644
index 00000000..7b8a9f43
--- /dev/null
+++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc
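Review bot: The new `wolfprovider-fips-image-minimal` entry points BBFILES at `recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb`, which is the non-FIPS image's directory; this commit adds the FIPS recipe under `.../wolfprovider-image-minimal/wolfprovider-fips-image-minimal/`, so with only `wolfprovider-fips-image-minimal` in WOLFSSL_DEMOS neither the recipe nor its bbappends would be parsed. The globs in that line should read `'${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/*.bbappend'`, matching the two replace-default entries that follow it. Since each of these globs also pulls in that directory's `openssl_%.bbappend` and `wolfssl*.bbappend`, a one-line comment that selecting several wolfprovider demos at once stacks their appends onto the same openssl/wolfssl recipes would help readers of layer.conf.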
@@ -0,0 +1,82 @@
+# OpenSSL wolfProvider REPLACE-DEFAULT mode configuration
+# This file is included when wolfProvider is configured to replace OpenSSL's default crypto provider
+# It should be included from the image recipe when replace-default mode is desired
+
+# Build OpenSSL as plain, non-FIPS OpenSSL
+# wolfProvider will provide FIPS functionality using wolfSSL FIPS
+
+PACKAGECONFIG:class-target = ""
+EXTRA_OECONF:append:class-target = " no-fips shared "
+
+# OpenSSL target-only tweaks for replace-default mode
+do_configure:prepend:class-target () {
+    set -eu
+
+    # Be explicit about where we are
+    echo "TARGET do_configure prepend: S='${S}', B='${B}'"
+
+    vfile="${S}/VERSION.dat"
+
+    # Sanity check: VERSION.dat must exist at the top of the OpenSSL tree
+    if [ ! -f $vfile ]; then
+        echo "ERROR: $vfile not found in ${S}" >&2
+        exit 1
+    fi
+
+    echo "Injecting BUILD_METADATA into VERSION.dat (target only)"
+    sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/' $vfile
+
+    # Optional FIPS tag based on image features
+    if echo "${IMAGE_FEATURES}" | grep -qw "fips"; then
+        sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/' $vfile
+    fi
+
+}
+
+# Override do_configure to filter enable-fips from the actual configure command
+do_configure:append:class-target () {
+    # The base do_configure uses ${PACKAGECONFIG_CONFARGS} which still has enable-fips
+    # We need to regenerate it without enable-fips
+    # Re-run configure with enable-fips explicitly removed
+    if [ -f "${B}/configdata.pm" ] && grep -q "enable-fips" "${B}/configdata.pm" 2>/dev/null; then
+        bbwarn "REPLACE-DEFAULT MODE: FIPS detected in config, forcing reconfigure without FIPS"
+        cd "${B}"
+        # Get the target from the original config
+        target=$(grep "our \$config{target}" "${B}/configdata.pm" 2>/dev/null | sed "s/.*'\(.*\)'.*/\1/" || echo "linux-x86_64")
+        # Reconfigure without enable-fips
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
+            perl "${S}/Configure" no-fips shared ${EXTRA_OECONF} ${DEPRECATED_CRYPTO_FLAGS} \
+            --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${libdir} "$target"
+        perl "${B}/configdata.pm" --dump
+    fi
+}
+
+# Ensure provider is present on TARGET runtime (doesn't touch -native/-nativesdk)
+RDEPENDS:libcrypto3:append:class-target = " wolfprovider"
+
+# Bring in the replace-default patch (target only)
+SRC_URI:append:class-target = " \
+    git://github.com/wolfSSL/wolfProvider.git;protocol=https;nobranch=1;rev=v1.1.0;destsuffix=git/wolfProvider \
+"
+
+python do_patch:append:class-target () {
+    import os, subprocess
+    s = d.getVar("S")
+    patch_path = os.path.join(d.getVar("WORKDIR"), "git/wolfProvider/patches/openssl3-replace-default.patch")
+    bb.note("REPLACE-DEFAULT MODE: Checking if patch needs to be applied")
+    # Try to apply patch; if it fails with "already applied", log it and continue
+    try:
+        # First check with --dry-run to see if patch can be applied
+        result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"],
+                                capture_output=True, text=True, check=False)
+        if result.returncode == 0:
+            bb.note("REPLACE-DEFAULT MODE: Patch can be applied, applying now...")
+            subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path], check=True)
+        else:
+            bb.note("REPLACE-DEFAULT MODE: Patch already applied or cannot apply, skipping")
+            bb.debug(1, f"Patch check output: {result.stderr}")
+    except Exception as e:
+        bb.warn(f"REPLACE-DEFAULT MODE: Error applying patch: {e}")
+}
+
+
diff --git a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
index 0e0c9e10..c21a78b0 100644
--- a/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
+++ b/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
@@ -1,2 +1,6 @@
+# OpenSSL standalone wolfProvider mode configuration
+# Include this file for standard wolfProvider integration as a provider plugin
+
 EXTRA_OECONF += " no-fips shared "
+
 
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc
new file mode 100644
index 00000000..61b69ca4
--- /dev/null
+++ b/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc
@@ -0,0 +1,22 @@
+# Configuration to enable wolfprovider FIPS support in wolfssl
+# To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF
+
+EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist --enable-debug --enable-keylog-export"
+TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA"
+
+# Use a marker file to signal we are a FIPS build
+WOLFSSL_ISFIPS = "1"
+
+# commercial bundle missing stamp-h.in required by automake with 5.2.1
+do_configure:prepend() {
+    if [ ! -f ${S}/stamp-h.in ]; then
+        touch ${S}/stamp-h.in
+    fi
+}
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/wolfssl
+    echo "1" > ${D}${sysconfdir}/wolfssl/fips-enabled
+}
+
+
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
index addd53c0..e7dc9f2a 100644
--- a/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
+++ b/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
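Review bot: `--enable-debug --enable-keylog-export` are baked into the EXTRA_OECONF line while the comment directly above says to add them only when debugging, so every wolfssl-fips build that includes this file ships with debug logging and key-log export compiled in; for a FIPS configuration that is a hardening regression, since the keylog export option exists to write TLS session secrets out for inspection. Drop the two options from the default line, `EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist"`, and let the comment stand as the opt-in instruction. The same pattern is in the `wolfssl-enable-wolfprovider.inc` hunk just below, whose new EXTRA_OECONF line also ends with the same two options.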
@@ -1,5 +1,15 @@
 # Configuration to enable wolfprovider support in wolfssl
-EXTRA_OECONF += " --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 "
-TARGET_CFLAGS += " -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DRSA_MIN_SIZE=1024"
-TARGET_CFLAGS += " ${@'-DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER' if d.getVar('WOLFSSL_TYPE') not in ("fips", "fips-ready") else ''}"
+# To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF
+
+EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha --enable-debug --enable-keylog-export"
+TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM"
+
+# Use a marker file to signal we are a non-FIPS build
+WOLFSSL_ISFIPS = "0"
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/wolfssl
+    echo "0" > ${D}${sysconfdir}/wolfssl/fips-enabled
+}
+
 
diff --git a/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc b/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc
new file mode 100644
index 00000000..d26b54e0
--- /dev/null
+++ b/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc
@@ -0,0 +1,81 @@
+# Configuration to enable wolfProvider unit tests
+# Modeled exactly after wolfcrypttest approach - simple and clean
+
+FILESEXTRAPATHS:prepend := "${WOLFSSL_LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/files:"
+SRC_URI += "file://wolfprovidertest.sh"
+
+# Unit test directory and binary names
+WOLFPROVIDER_TEST_DIR = "${B}/test/.libs"
+WOLFPROVIDER_TEST = "unit.test"
+WOLFPROVIDER_TEST_YOCTO = "unit.test"
+WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}"
+WOLFPROVIDER_CERTS_DIR = "${S}/certs"
+WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs"
+
+# Override CERTS_DIR to point to the installed location instead of build directory
+CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"'
+CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"'
+
+# Simple installation using Python function, exactly like wolfcrypttest
+python () {
+    # Get the environment variables
+    test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True)
+    test_bin = d.getVar('WOLFPROVIDER_TEST', True)
+    test_yocto = d.getVar('WOLFPROVIDER_TEST_YOCTO', True)
+    install_dir = d.getVar('WOLFPROVIDER_INSTALL_DIR', True)
+    certs_dir = d.getVar('WOLFPROVIDER_CERTS_DIR', True)
+    certs_install_dir = d.getVar('WOLFPROVIDER_CERTS_INSTALL_DIR', True)
+
+    bbnote = 'bbnote "Installing wolfProvider Tests"\n'
+    installDir = 'install -m 0755 -d "%s"\n' % (install_dir)
+
+    # Try multiple locations for the test binary (exactly like wolfcrypttest)
+    cpTest = 'if [ -f "%s/%s" ]; then cp "%s/%s" "%s/%s"; ' % (test_dir, test_bin, test_dir, test_bin, install_dir, test_yocto)
+    cpTest += 'elif [ -f "${B}/test/%s" ]; then cp "${B}/test/%s" "%s/%s"; ' % (test_bin, test_bin, install_dir, test_yocto)
+    cpTest += 'elif [ -f "${B}/%s" ]; then cp "${B}/%s" "%s/%s"; fi\n' % (test_bin, test_bin, install_dir, test_yocto)
+
+    # Install wrapper script
+    installScript = 'cp "${WORKDIR}/wolfprovidertest.sh" "%s/wolfprovidertest"\n' % (install_dir)
+    installScript += 'chmod 755 "%s/wolfprovidertest"\n' % (install_dir)
+
+    # Install certificates
+    installCerts = 'bbnote "Installing wolfProvider Certificates"\n'
+    installCerts += 'install -m 0755 -d "%s"\n' % (certs_install_dir)
+    installCerts += 'if [ -d "%s" ]; then cp -r %s/*.pem %s/ 2>/dev/null || true; fi\n' % (certs_dir, certs_dir, certs_install_dir)
+
+    d.appendVar('do_install', bbnote)
+    d.appendVar('do_install', installDir)
+    d.appendVar('do_install', cpTest)
+    d.appendVar('do_install', installScript)
+    d.appendVar('do_install', installCerts)
+}
+
+# Append test files and library files to FILES using Python
+python __anonymous() {
+    pn = d.getVar('PN')
+
+    # Get existing FILES value (set by autotools class and base recipe)
+    existing_files = d.getVar('FILES:' + pn) or ''
+
+    # Append our test files (don't re-add library files - they're in base recipe FILES)
+    new_files = existing_files + ' ' + ' '.join([
+        '${bindir}/wolfprovidertest',
+        '${bindir}/unit.test',
+        '${datadir}/wolfprovider-test/certs/*'
+    ])
+
+    # Set the combined value (this avoids the "replaces original key" warning)
+    d.setVar('FILES:' + pn, new_files)
+
+    # Same approach for RDEPENDS
+    existing_rdepends = d.getVar('RDEPENDS:' + pn) or ''
+    new_rdepends = existing_rdepends + ' bash wolfproviderenv'
+    d.setVar('RDEPENDS:' + pn, new_rdepends)
+
+    # Same approach for INSANE_SKIP
+    existing_skip = d.getVar('INSANE_SKIP:' + pn) or ''
+    new_skip = existing_skip + ' dev-so build-deps'
+    d.setVar('INSANE_SKIP:' + pn, new_skip)
+}
+
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/README.md b/recipes-core/images/wolfprovider-image-minimal/README.md
new file mode 100644
index 00000000..e19ce465
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/README.md
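Review bot: The `cpTest` chain built in the anonymous `python ()` function has no final `else`, so when `unit.test` is in none of the three locations `do_install` still succeeds and the image gets the `wolfprovidertest` wrapper with no binary behind it, while `FILES` lists `${bindir}/unit.test` unconditionally; ending the chain with `else bbfatal "unit.test not found under ${B}"; fi` turns that into a build error. The certificate step copies every `*.pem` from `${S}/certs` into `/usr/share/wolfprovider-test/certs` on the target, so if that directory holds private keys alongside certificates (confirm against the wolfProvider source tree) they end up on the image; restricting the glob to the files the unit tests actually open would be prudent. `INSANE_SKIP` gains `dev-so build-deps` for the whole `${PN}` package rather than for the test binary, which disables those QA checks for the shipped library as well; a comment stating why each skip is needed would help the next reader decide whether it can go.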
@@ -0,0 +1,149 @@
+# wolfProvider Minimal Images
+
+Minimal demo images showcasing wolfProvider integration with OpenSSL 3.x in various configurations.
+
+## Overview
+
+These images demonstrate different wolfProvider configurations for OpenSSL 3.x integration. Each image is self-contained and requires no `local.conf` configuration (except FIPS images which require `wolfssl-fips.conf`).
+
+## Available Images
+
+### 1. wolfprovider-image-minimal
+**Standalone mode, non-FIPS**
+
+- wolfProvider configured as an additional provider alongside OpenSSL's default
+- Applications can explicitly load wolfProvider or use it alongside the default provider
+- Includes test utilities and unit tests
+
+**Configuration:**
+```bitbake
+# Enable demo images
+WOLFSSL_DEMOS = "wolfprovider-image-minimal"
+```
+
+**Build:**
+```bash
+bitbake wolfprovider-image-minimal
+```
+
+### 2. wolfprovider-fips-image-minimal
+**Standalone mode, FIPS**
+
+- wolfProvider configured as an additional provider using FIPS-validated cryptography
+- Applications can explicitly load FIPS-validated wolfProvider
+- Includes test utilities and unit tests
+
+**Configuration:**
+```bitbake
+# Enable demo images
+WOLFSSL_DEMOS = "wolfprovider-fips-image-minimal wolfssl-image-minimal"
+
+# In build/conf/local.conf:
+require /path/to/meta-wolfssl/conf/wolfssl-fips.conf
+```
+
+**Build:**
+```bash
+bitbake wolfprovider-fips-image-minimal
+```
+
+### 3. wolfprovider-replace-default-image-minimal
+**Replace-default mode, non-FIPS**
+
+- wolfProvider replaces OpenSSL's default provider
+- All OpenSSL operations automatically use wolfProvider
+- No code changes needed - transparent drop-in replacement
+
+**Configuration:**
+```bitbake
+# Enable demo images
+WOLFSSL_DEMOS = "wolfprovider-replace-default-image-minimal"
+```
+
+**Build:**
+```bash
+bitbake wolfprovider-replace-default-image-minimal
+```
+
+### 4. wolfprovider-replace-default-fips-image-minimal
+**Replace-default mode, FIPS**
+
+- wolfProvider replaces OpenSSL's default provider using FIPS-validated cryptography
+- All OpenSSL operations automatically use FIPS cryptography
+- Complete system-wide FIPS 140-3 validated cryptography
+
+**Configuration:**
+```bitbake
+# Enable demo images
+WOLFSSL_DEMOS = "wolfprovider-replace-default-fips-image-minimal wolfssl-image-minimal"
+
+# In build/conf/local.conf:
+require /path/to/meta-wolfssl/conf/wolfssl-fips.conf
+```
+
+**Build:**
+```bash
+bitbake wolfprovider-replace-default-fips-image-minimal
+```
+
+## What's Included
+
+All images include:
+- Everything from `wolfssl-image-minimal`
+- wolfSSL (or wolfSSL FIPS) with wolfProvider support
+- OpenSSL 3.x with wolfProvider backend
+- wolfProvider environment setup tools (`wolfproviderenv`, `wolfprovidercmd`)
+- Unit tests (standalone mode images only)
+
+## Testing
+
+Inside QEMU, test wolfProvider:
+
+```bash
+# Run wolfProvider environment setup (standalone mode only)
+wolfprovidertest
+
+# Run wolfProvider command-line tests
+wolfprovidercmd
+
+# Run wolfProvider environment setup
+wolfproviderenv
+
+# Verify provider configuration (replace-default images)
+openssl list -providers
+```
+
+## How It Works
+
+Each image directory contains `bbappend` files that automatically configure packages:
+
+- **wolfssl_%.bbappend** or **wolfssl-fips_%.bbappend**: Configures wolfSSL with wolfProvider support
+- **openssl_%.bbappend**: Configures OpenSSL to support wolfProvider (standalone or replace-default)
+- **wolfprovider_%.bbappend**: Enables unit tests (standalone mode only)
+
+All configurations use conditional functions (`wolfssl_osp_include_if_provider`) that automatically detect the provider and include the appropriate configuration files.
+
+## Mode Comparison
+
+### Standalone Mode
+- wolfProvider is an additional provider
+- Applications must explicitly load wolfProvider
+- OpenSSL's default provider remains available
+- Useful for testing and selective adoption
+
+### Replace-Default Mode
+- wolfProvider replaces OpenSSL's default provider
+- All OpenSSL operations automatically use wolfProvider
+- No application code changes needed
+- Useful for system-wide deployment
+
+## Requirements
+
+- **FIPS images**: Valid wolfSSL FIPS commercial bundle and `wolfssl-fips.conf` configuration
+- **Non-FIPS images**: No additional requirements
+
+## More Information
+
+- Main README: [../../../README.md](../../../README.md)
+- wolfProvider: [../../../recipes-wolfssl/wolfprovider/README.md](../../../recipes-wolfssl/wolfprovider/README.md)
+- wolfSSL FIPS: [../../../recipes-wolfssl/wolfssl/README-fips.md](../../../recipes-wolfssl/wolfssl/README-fips.md)
diff --git a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend
deleted file mode 100644
index dc8c1497..00000000
--- a/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-# Manual configuration for wolfprovider-image-minimal
-# Configure OpenSSL for wolfProvider support
-
-require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc
-
-
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend
new file mode 100644
index 00000000..c3073d67
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/openssl_%.bbappend
@@ -0,0 +1,15 @@
+# Configure OpenSSL (FIPS standalone mode) for wolfprovider-fips-image-minimal
+#
+# This bbappend directly configures OpenSSL to use wolfProvider
+# when wolfssl-fips is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+    wolfssl_osp_include_if_provider(
+        d,
+        inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc',
+        allowed_providers=['wolfssl-fips']
+    )
+}
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb
new file mode 100644
index 00000000..49e4b989
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider-fips-image-minimal.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Minimal image with wolfSSL FIPS, test utilities, and wolfProvider in standalone mode"
+DESCRIPTION = "A minimal Linux image that includes wolfSSL FIPS library, test/benchmark utilities, and wolfProvider configured in standalone mode"
+
+# Add wolfProvider packages with OpenSSL 3.x support in standalone mode (FIPS)
+# The bbappend files in this directory configure packages based on provider
+IMAGE_INSTALL:append = " \
+    wolfssl-fips \
+    wolfprovider \
+    openssl \
+    openssl-bin \
+    wolfprovidertest \
+    wolfprovidercmd \
+    wolfproviderenv \
+    bash \
+"
+
+require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend
new file mode 100644
index 00000000..ef9640d3
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfprovider_%.bbappend
@@ -0,0 +1,9 @@
+# Disable the feature check for manual image configuration
+require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc
+
+# Enable unit tests for standalone mode
+require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc
+
+# Enable quick test mode for standalone mode
+CPPFLAGS:append = " -DWOLFPROV_QUICKTEST"
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips.bbappend
new file mode 100644
index 00000000..d41e1cf1
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/wolfssl-fips.bbappend
@@ -0,0 +1,15 @@
+# Configure wolfSSL (FIPS standalone mode) for wolfprovider-fips-image-minimal
+#
+# This bbappend directly configures wolfSSL to use FIPS mode
+# when wolfssl-fips is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+    wolfssl_osp_include_if_provider(
+        d,
+        inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc',
+        allowed_providers=['wolfssl-fips']
+    )
+}
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend
new file mode 100644
index 00000000..ecff7c8a
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/openssl_%.bbappend
@@ -0,0 +1,16 @@
+# Configure OpenSSL (non-FIPS standalone mode) for wolfprovider-image-minimal
+#
+# This bbappend directly configures OpenSSL to use wolfProvider
+# when wolfssl is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+    wolfssl_osp_include_if_provider(
+        d,
+        inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc',
+        allowed_providers=['wolfssl']
+    )
+}
+
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
similarity index 80%
rename from recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
rename to recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
index 8c4d1477..8dce4b87 100644
--- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider-image-minimal.bb
@@ -9,9 +9,11 @@ IMAGE_INSTALL:append = " \
     openssl \
     openssl-bin \
     wolfprovidertest \
+    wolfprovidercmd \
+    wolfproviderenv \
     bash \
 "
 
-require ${WOLFSSL_LAYERDIR}/recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb
+require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb
 
 
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend
new file mode 100644
index 00000000..ef9640d3
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfprovider_%.bbappend
@@ -0,0 +1,9 @@
+# Disable the feature check for manual image configuration
+require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc
+
+# Enable unit tests for standalone mode
+require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc
+
+# Enable quick test mode for standalone mode
+CPPFLAGS:append = " -DWOLFPROV_QUICKTEST"
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend
new file mode 100644
index 00000000..b364e89e
--- /dev/null
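Review bot: `require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb` replaces the `${WOLFSSL_LAYERDIR}`-anchored form, and a `require` with a relative path is resolved by searching BBPATH, so a layer earlier in BBPATH that carries a file at the same relative path would be pulled in instead of meta-wolfssl's; the removed form pinned it to this layer. If the change was needed because WOLFSSL_LAYERDIR is not available at image-recipe parse time, a comment to that effect on the `require` line would stop the next reviewer from reverting it. The same relative `require` appears in the new `wolfprovider-fips-image-minimal.bb` and `wolfprovider-replace-default-fips-image-minimal.bb` recipes in this commit. The `IMAGE_INSTALL:append` block starts before the hunk.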
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/wolfssl_%.bbappend
@@ -0,0 +1,16 @@
+# Configure wolfSSL (non-FIPS standalone mode) for wolfprovider-image-minimal
+#
+# This bbappend directly configures wolfSSL to use wolfProvider
+# when wolfssl is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+    wolfssl_osp_include_if_provider(
+        d,
+        inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc',
+        allowed_providers=['wolfssl']
+    )
+}
+
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend
new file mode 100644
index 00000000..65e1bec0
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/openssl_%.bbappend
@@ -0,0 +1,15 @@
+# Configure OpenSSL (FIPS replace-default mode) for wolfprovider-replace-default-fips-image-minimal
+#
+# This bbappend directly configures OpenSSL to use wolfProvider in replace-default mode
+# when wolfssl-fips is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+    wolfssl_osp_include_if_provider(
+        d,
+        inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc',
+        allowed_providers=['wolfssl-fips']
+    )
+}
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb
new file mode 100644
index 00000000..2aee6f6d
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider-replace-default-fips-image-minimal.bb
@@ -0,0 +1,18 @@ +SUMMARY = "Minimal image with wolfSSL FIPS, test utilities, and wolfProvider in replace-default mode" +DESCRIPTION = "A minimal Linux image that includes wolfSSL FIPS library, and wolfProvider configured to replace OpenSSL's default provider" + +# Add wolfProvider packages with OpenSSL 3.x support in FIPS replace-default mode +# The bbappend files in this directory configure packages based on provider +# Unit tests are disabled in replace-default mode for now until we have a way to correctly run them +IMAGE_INSTALL:append = " \ + wolfssl-fips \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfprovidercmd \ + wolfproviderenv \ + bash \ +" + +require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb + diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider_%.bbappend similarity index 99% rename from recipes-core/images/wolfprovider-image-minimal/wolfprovider_%.bbappend rename to recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider_%.bbappend index 738c84fc..9c45ee3a 100644 --- a/recipes-core/images/wolfprovider-image-minimal/wolfprovider_%.bbappend +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfprovider_%.bbappend @@ -1,4 +1,3 @@ # Disable the feature check for manual image configuration require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc - diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips.bbappend new file mode 100644 index 00000000..164348e5 --- /dev/null +++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/wolfssl-fips.bbappend 
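Review bot: Nothing in this image recipe sets or verifies `PREFERRED_PROVIDER_virtual/wolfssl`, yet the `openssl_%.bbappend` and `wolfssl-fips.bbappend` beside it only act when the preferred provider is `wolfssl-fips` (`allowed_providers=['wolfssl-fips']`). Building this image without first requiring `conf/wolfssl-fips.conf` (as the README hunk instructs) would still place `wolfssl-fips` in `IMAGE_INSTALL` but leave OpenSSL without the replace-default configuration, and nothing at build time says so. A comment above `IMAGE_INSTALL:append` naming the prerequisite, `# Requires PREFERRED_PROVIDER_virtual/wolfssl = "wolfssl-fips" (conf/wolfssl-fips.conf); the bbappends in this directory are no-ops otherwise`, or an anonymous python block that calls `bb.fatal` when the provider is anything else, would make that failure visible instead of silent.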
@@ -0,0 +1,23 @@
+# Configure wolfSSL (FIPS replace-default mode) for wolfprovider-replace-default-fips-image-minimal
+#
+# This bbappend directly configures wolfSSL to use FIPS mode in replace-default mode
+# when wolfssl-fips is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+ wolfssl_osp_include_if_provider(
+ d,
+ inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc',
+ allowed_providers=['wolfssl-fips']
+ )
+}
+
+# Fix for commercial bundle missing stamp-h.in required by automake
+do_configure:prepend() {
+ if [ ! -f ${S}/stamp-h.in ]; then
+ touch ${S}/stamp-h.in
+ fi
+}
+
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend
new file mode 100644
index 00000000..0070df1d
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/openssl_%.bbappend
@@ -0,0 +1,15 @@
+# Configure OpenSSL (non-FIPS replace-default mode) for wolfprovider-replace-default-image-minimal
+#
+# This bbappend directly configures OpenSSL to use wolfProvider in replace-default mode
+# when wolfssl is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+ wolfssl_osp_include_if_provider(
+ d,
+ inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc',
+ allowed_providers=['wolfssl']
+ )
+}
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb
new file mode 100644
index 00000000..b92958f9
--- /dev/null
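Review bot: `wolfssl-fips.bbappend` carries no version wildcard, so it attaches only to a recipe literally named `wolfssl-fips.bb`, while every other append in this commit uses the `_%` form (`wolfssl_%.bbappend`, `openssl_%.bbappend`). If the FIPS recipe is versioned (its file name is not visible in this diff), the append never applies and the FIPS replace-default image builds wolfSSL without `wolfssl-enable-wolfprovider-fips.inc`, with no error. Renaming it `wolfssl-fips_%.bbappend` makes it match either way. The `do_configure:prepend` that creates `${S}/stamp-h.in` would also benefit from naming the bundle version that lacks the file, so the workaround can be retired once upstream fixes it.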
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider-replace-default-image-minimal.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Minimal image with wolfSSL, test utilities, and wolfProvider in replace-default mode"
+DESCRIPTION = "A minimal Linux image that includes wolfSSL library, and wolfProvider configured to replace OpenSSL's default provider"
+
+# Add wolfProvider packages with OpenSSL 3.x support in replace-default mode
+# The openssl_%.bbappend in this directory configures OpenSSL with replace-default mode
+# Unit tests are disabled in replace-default mode for now until we have a way to correctly run them
+IMAGE_INSTALL:append = " \
+ wolfssl \
+ wolfprovider \
+ openssl \
+ openssl-bin \
+ wolfprovidercmd \
+ wolfproviderenv \
+ bash \
+"
+
+require recipes-core/images/wolfssl-minimal-image/wolfssl-image-minimal.bb
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend
new file mode 100644
index 00000000..9c45ee3a
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfprovider_%.bbappend
@@ -0,0 +1,3 @@
+# Disable the feature check for manual image configuration
+require ${WOLFSSL_LAYERDIR}/inc/wolfssl-manual-config.inc
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend
new file mode 100644
index 00000000..b201dec2
--- /dev/null
+++ b/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/wolfssl_%.bbappend
@@ -0,0 +1,23 @@
+# Configure wolfSSL (non-FIPS replace-default mode) for wolfprovider-replace-default-image-minimal
+#
+# This bbappend directly configures wolfSSL to use replace-default mode
+# when wolfssl-fips is the preferred provider.
+
+inherit wolfssl-osp-support
+
+python __anonymous() {
+ wolfssl_osp_include_if_provider(
+ d,
+ inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc',
+ allowed_providers=['wolfssl']
+ )
+}
+
+# Fix for commercial bundle missing stamp-h.in required by automake
+do_configure:prepend() {
+ if [ ! -f ${S}/stamp-h.in ]; then
+ touch ${S}/stamp-h.in
+ fi
+}
+
+
diff --git a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend b/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend
deleted file mode 100644
index 0f460653..00000000
--- a/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-# Manual configuration for wolfprovider-image-minimal
-# Enable wolfProvider support in wolfSSL
-
-require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc
-
-
diff --git a/recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh b/recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh
new file mode 100644
index 00000000..f6627e0d
--- /dev/null
+++ b/recipes-examples/wolfprovider/wolfprovidercmd/files/wolfprovidercmd.sh
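Review bot: The header comment on this `wolfssl_%.bbappend` says it configures wolfSSL "when wolfssl-fips is the preferred provider", but the code gates on `allowed_providers=['wolfssl']` and requires the non-FIPS `wolfssl-enable-wolfprovider.inc`; the text was evidently carried over from the FIPS sibling. Change it to `# when wolfssl is the preferred provider.` The `do_configure:prepend` touching `${S}/stamp-h.in` was copied too, along with its "commercial bundle" justification, which does not obviously apply to the open-source wolfssl recipe this append targets; if the plain tarball does not need it, drop it rather than papering over a broken source tree, and if it does, reword the comment to say why.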
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+echo "Setting up environment..."
+if [ -f /usr/bin/wolfproviderenv ]; then
+ source /usr/bin/wolfproviderenv
+ if [ $? -ne 0 ]; then
+ echo "✗ Failed to source environment setup!"
+ exit 1
+ fi
+else
+ echo "✗ wolfproviderenv not found!"
+ exit 1
+fi
+
+echo "=========================================="
+echo "wolfProvider Command-Line Tests"
+echo "=========================================="
+if [ -f /usr/share/wolfprovider-cmd-tests/scripts/cmd_test/do-cmd-tests.sh ]; then
+ echo "Running command-line test suite..."
+ echo ""
+
+ # Set environment for cmd tests - use system-wide installations
+ export WOLFSSL_ISFIPS=1 # openssl built without cfb which fips also is
+ export OPENSSL_BIN=$(which openssl)
+ export WOLFPROV_PATH=/usr/lib/ssl-3/modules
+ export WOLFPROV_CONFIG=/opt/wolfprovider-configs/wolfprovider.conf
+
+ # Set library paths for system-wide OpenSSL/wolfSSL
+ export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH
+ export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig:$PKG_CONFIG_PATH
+
+ # Prevent env-setup from trying to find build directories
+ export OPENSSL_DIR=/usr
+ export WOLFSSL_DIR=/usr
+
+ # Change to test directory and run
+ (
+ cd /usr/share/wolfprovider-cmd-tests/scripts/cmd_test
+ bash ./do-cmd-tests.sh
+ )
+ CMD_TEST_RESULT=$?
+
+ echo ""
+ echo "=========================================="
+ if [ $CMD_TEST_RESULT -eq 0 ]; then
+ echo "✓ Command-line tests PASSED!"
+ else
+ echo "✗ Command-line tests FAILED! (exit code: $CMD_TEST_RESULT)"
+ exit $CMD_TEST_RESULT
+ fi
+else
+ echo "Command-line test suite not found at
+ /usr/share/wolfprovider-cmd-tests/scripts/cmd_test/do-cmd-tests.sh"
+ exit 1
+fi
+
+echo "=========================================="
diff --git a/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb
new file mode 100644
index 00000000..1fd54ab3
--- /dev/null
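Review bot: `WOLFPROV_CONFIG` is set to `/opt/wolfprovider-configs/wolfprovider.conf`, but the only thing in this commit that ever created that file is the old `wolfproviderenv.sh`, which is deleted here; the replacement installs its configs under `/etc/ssl/openssl.cnf.d/` and `wolfprovidercmd.bb` ships `provider.conf` under `/usr/share/wolfprovider-cmd-tests/`, so unless something outside this diff still writes the `/opt` path, the cmd tests point at a config that does not exist. Use a path this commit actually installs, e.g. `export WOLFPROV_CONFIG=/usr/share/wolfprovider-cmd-tests/provider.conf`, or select the FIPS variant from the `WOLFSSL_FIPS_MODE` that the sourced `wolfproviderenv` has just computed. `export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH` (and the `PKG_CONFIG_PATH` line) leaves a trailing empty element when the variable was unset, and an empty element in `LD_LIBRARY_PATH` makes the dynamic loader search the current directory for shared objects; write `export LD_LIBRARY_PATH=/usr/lib:/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`. `WOLFSSL_ISFIPS=1` is also exported unconditionally, including on non-FIPS images; if the intent is only to skip CFB cases, the comment should say that plainly, because the variable name suggests the harness may also assert FIPS-only behaviour.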
+++ b/recipes-examples/wolfprovider/wolfprovidercmd/wolfprovidercmd.bb 
@@ -0,0 +1,59 @@ +SUMMARY = "wolfProvider Command-Line Test Suite" +DESCRIPTION = "Command-line test scripts for wolfProvider - tests hash, AES, RSA, ECC, and certificate operations" +HOMEPAGE = "https://github.com/wolfssl/wolfProvider" +BUGTRACKER = "https://github.com/wolfssl/wolfProvider/issues" +SECTION = "examples" + +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" + +DEPENDS = "openssl virtual/wolfssl wolfprovider" +RDEPENDS:${PN} = "bash openssl wolfprovider" + +SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a \ + file://wolfprovidercmd.sh" + + +S = "${WORKDIR}/git" + +do_configure[noexec] = "1" +do_compile[noexec] = "1" + +WOLFPROV_CMD_TEST_DIR = "${datadir}/wolfprovider-cmd-tests" +WOLFPROV_CMD_TEST_INSTALL_DIR = "${D}${WOLFPROV_CMD_TEST_DIR}" + +do_install() { + # Create directory structure that do-cmd-tests.sh expects + install -d ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test + + # Copy main cmd-test scripts to scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/do-cmd-tests.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/cmd-test-common.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/clean-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/hash-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/aes-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/rsa-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/ecc-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + install -m 0755 ${S}/scripts/cmd_test/req-cmd-test.sh ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/cmd_test/ + + # Copy env setup script to scripts/ + install -m 
0755 ${S}/scripts/env-setup ${WOLFPROV_CMD_TEST_INSTALL_DIR}/scripts/ + + # Copy provider configuration files to root of test dir + install -m 0644 ${S}/provider.conf ${WOLFPROV_CMD_TEST_INSTALL_DIR}/ + install -m 0644 ${S}/provider-fips.conf ${WOLFPROV_CMD_TEST_INSTALL_DIR}/ || true + + # Install wrapper script to bindir + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/wolfprovidercmd.sh ${D}${bindir}/wolfprovidercmd +} + +python() { + distro_version = d.getVar('DISTRO_VERSION', True) + pn = d.getVar('PN', True) + + files_var_name = 'FILES_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'FILES:' + pn + + wolfprov_cmd_test_dir = d.getVar('WOLFPROV_CMD_TEST_DIR', True) + d.setVar(files_var_name, wolfprov_cmd_test_dir + '/* ${bindir}/wolfprovidercmd') +} diff --git a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.c b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.c similarity index 99% rename from recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.c rename to recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.c index 882f745a..2b8d182f 100644 --- a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfprovidertest.c +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.c @@ -12,4 +12,4 @@ int main(void) { printf("Custom provider 'libwolfprov' loaded successfully.\n"); OSSL_PROVIDER_unload(prov); return 0; -} \ No newline at end of file +} diff --git a/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh new file mode 100644 index 00000000..6ca5033e --- /dev/null +++ b/recipes-examples/wolfprovider/wolfproviderenv/files/wolfproviderenv.sh 
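Review bot: The `python()` block calls `distro_version.startswith(...)` with no `None` guard, while the equivalent block in `wolfprovidertest.bb` in this same commit writes `if distro_version and (...)`; a distro that leaves `DISTRO_VERSION` unset fails at parse time here. Use the same guard: `if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.'))`. The `install -m 0644 ${S}/provider-fips.conf ... || true` silently tolerates the FIPS config being missing from the pinned revision, which then surfaces only at runtime; since the rev is fixed, either drop `|| true` or make the optionality explicit with `if [ -f ${S}/provider-fips.conf ]; then install -m 0644 ${S}/provider-fips.conf ${WOLFPROV_CMD_TEST_INSTALL_DIR}/; fi`. `DEPENDS = "openssl virtual/wolfssl wolfprovider"` buys nothing with both configure and compile marked `noexec`; the runtime relationship is already in `RDEPENDS:${PN}`.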
@@ -0,0 +1,138 @@ +#!/bin/bash + +# This script can be both executed and sourced +# When sourced: Sets up environment variables for other scripts to use +# When executed: Also runs verification tests + +REPLACE_DEFAULT_MODE=0 +WOLFSSL_FIPS_MODE=0 + +# Method 1: Check build-time configuration file +if [ -f /etc/wolfprovider/replace-default-mode ]; then + MODE=$(cat /etc/wolfprovider/replace-default-mode) + if [ "$MODE" = "1" ]; then + REPLACE_DEFAULT_MODE=1 + echo "Detected replace-default mode (from config file)" + else + echo "Detected normal wolfprovider mode (from config file)" + fi +else + # Method 2: Runtime detection by checking default provider + DEFAULT_PROVIDER=$(openssl list -providers 2>/dev/null | grep -A1 "^ default$" | grep "name:" | grep -i "wolfSSL Provider") + if [ -n "$DEFAULT_PROVIDER" ]; then + REPLACE_DEFAULT_MODE=1 + echo "Detected replace-default mode (runtime detection)" + else + echo "Detected normal wolfprovider mode (runtime detection)" + fi +fi + +# Setup for libwolfprov.so +mkdir -p /usr/lib/ssl-3/modules +if [ ! 
-L /usr/lib/ssl-3/modules/libwolfprov.so ]; then + ln -s /usr/lib/libwolfprov.so.0.0.0 /usr/lib/ssl-3/modules/libwolfprov.so +fi + +# Environment variables +export OPENSSL_MODULES=/usr/lib/ssl-3/modules +export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH + +# Method 1: Check build-time configuration file +if [ -f /etc/wolfssl/fips-enabled ]; then + FIPS_VALUE=$(cat /etc/wolfssl/fips-enabled) + if [ "$FIPS_VALUE" = "1" ]; then + WOLFSSL_FIPS_MODE=1 + echo "Detected wolfSSL FIPS build (from config file)" + else + echo "Detected wolfSSL non-FIPS build (from config file)" + fi +else + # Method 2: Runtime detection (Replace default and FIPS mode) + DEFAULT_PROVIDER=$(openssl list -providers 2>/dev/null | grep -A1 "^ default$" | grep "name:" | grep -i "wolfSSL Provider FIPS") + if [ -n "$DEFAULT_PROVIDER" ]; then + WOLFSSL_FIPS_MODE=1 + echo "Detected wolfSSL FIPS build (runtime detection)" + else + echo "Detected wolfSSL non-FIPS build (runtime detection)" + fi +fi + +OPENSSL_CNF="/etc/ssl/openssl.cnf" +PROVIDER_CONF="" + +if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then + PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider-fips.conf" +else + PROVIDER_CONF="/etc/ssl/openssl.cnf.d/wolfprovider.conf" +fi + +if [ -f "$OPENSSL_CNF" ] && [ -f "$PROVIDER_CONF" ]; then + # Replace the OpenSSL configuration with the wolfProvider configuration + if ! 
cmp -s "$PROVIDER_CONF" "$OPENSSL_CNF"; then + cp "$PROVIDER_CONF" "$OPENSSL_CNF" + echo "Replaced $OPENSSL_CNF with wolfProvider configuration ($PROVIDER_CONF)" + fi +fi + +echo "==========================================" +echo "wolfProvider Environment Setup" +echo "==========================================" +echo "" +if [ "$REPLACE_DEFAULT_MODE" -eq 1 ]; then + echo "Mode: Replace-Default (wolfProvider is the default provider)" +else + echo "Mode: Explicit Load (provider config included in openssl.cnf)" +fi +echo "" +if [ "$WOLFSSL_FIPS_MODE" -eq 1 ]; then + echo "FIPS Mode: Enabled (wolfSSL FIPS)" +else + echo "FIPS Mode: Disabled (wolfSSL non-FIPS)" +fi +echo "" +echo "Environment Variables:" +echo " OPENSSL_MODULES: $OPENSSL_MODULES" +echo " LD_LIBRARY_PATH: $LD_LIBRARY_PATH" +echo "" + +# Test 1: Provider Verification +echo "==========================================" +echo "Test 1: Provider Load Verification" +echo "==========================================" +if [ "$REPLACE_DEFAULT_MODE" -eq 1 ]; then + # In replace-default mode, just verify the default provider is wolfSSL + if openssl list -providers | grep -q "wolfSSL Provider"; then + echo "Default provider is wolfSSL Provider" + echo "Passed!" + else + echo "Failed - default provider is not wolfSSL Provider" + return 1 2>/dev/null || exit 1 + fi +else + # In explicit load mode, test explicit provider loading + if wolfproviderverify; then + echo "Passed!" + else + echo "Failed!" 
+ return 1 2>/dev/null || exit 1 + fi +fi + +# Test 2: Provider List +echo "" +echo "==========================================" +echo "Test 2: OpenSSL Provider List" +echo "==========================================" +openssl list -providers -verbose + +# Test 3: OpenSSL Version +echo "" +echo "==========================================" +echo "Test 3: OpenSSL Version" +echo "==========================================" +openssl version -a + +echo "" +echo "==========================================" +echo "Environment setup completed." +echo "==========================================" diff --git a/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb new file mode 100644 index 00000000..7f002270 --- /dev/null +++ b/recipes-examples/wolfprovider/wolfproviderenv/wolfproviderenv.bb 
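Review bot: The environment script overwrites `/etc/ssl/openssl.cnf` in place (`cp "$PROVIDER_CONF" "$OPENSSL_CNF"`) with no backup and no error check, and likewise creates `/usr/lib/ssl-3/modules` and the `libwolfprov.so` symlink at runtime; sourcing it to "set up the environment" therefore changes the OpenSSL configuration for every process on the device, permanently, and a failed copy (unprivileged user, read-only rootfs) prints nothing while the tests that follow run against the old config. Keep the original once and fail loudly: `[ -e "$OPENSSL_CNF.orig" ] || cp -p "$OPENSSL_CNF" "$OPENSSL_CNF.orig"` followed by `cp "$PROVIDER_CONF" "$OPENSSL_CNF" || { echo "✗ Could not replace $OPENSSL_CNF"; return 1 2>/dev/null || exit 1; }`, and state in the header comment that the script modifies `/etc/ssl/openssl.cnf` and `/usr/lib/ssl-3/modules` and must run as root. Test 1 in replace-default mode greps `openssl list -providers` for "wolfSSL Provider" anywhere in the output, whereas the detection block above requires it under the `default` entry (`grep -A1 "^ default$"`); the weaker check passes when wolfProvider is merely loaded next to the stock default provider, so reuse the stricter form. The `LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH` export has the same trailing-empty-element problem as `wolfprovidercmd.sh` (an empty element means the current directory), fixed with `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}`.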
@@ -0,0 +1,54 @@ +SUMMARY = "Test suite for wolfProvider OpenSSL provider" +DESCRIPTION = "Enviroment setup for wolfProvider OpenSSL provider" +HOMEPAGE = "https://www.wolfssl.com" +SECTION = "examples" +LICENSE = "CLOSED" +LIC_FILES_CHKSUM = "" + +DEPENDS = "openssl pkgconfig-native virtual/wolfssl wolfprovider" +PROVIDES += "wolfproviderenv" +RPROVIDES_${PN} = "wolfproviderenv" + +SRC_URI = "file://wolfproviderenv.c \ + file://wolfproviderenv.sh \ + https://raw.githubusercontent.com/wolfSSL/wolfProvider/master/provider.conf;name=provider_conf \ + https://raw.githubusercontent.com/wolfSSL/wolfProvider/master/provider-fips.conf;name=provider_fips_conf \ + " + +# SHA256 checksums for the config files +SRC_URI[provider_conf.sha256sum] = "3ad9e7cf5aefb9d36b9482232365094f42390f3ef03778fa84c3efb39d48e4c2" +SRC_URI[provider_fips_conf.sha256sum] = "0b2174ab296aefa9a3f1fe40ccf0b988b25d09188ae5abad27fb60923754e98f" + +S = "${WORKDIR}" + +inherit pkgconfig + +do_compile() { + ${CC} ${WORKDIR}/wolfproviderenv.c -o wolfproviderverify \ + ${CFLAGS} ${LDFLAGS} $(pkg-config --cflags --libs openssl) -ldl -lwolfssl -lwolfprov +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/wolfproviderverify ${D}${bindir}/wolfproviderverify + install -m 0755 ${WORKDIR}/wolfproviderenv.sh ${D}${bindir}/wolfproviderenv + + # Install config files to openssl.cnf.d/ (following Debian convention) + install -d ${D}${sysconfdir}/ssl/openssl.cnf.d + install -m 0644 ${WORKDIR}/provider.conf ${D}${sysconfdir}/ssl/openssl.cnf.d/wolfprovider.conf + install -m 0644 ${WORKDIR}/provider-fips.conf ${D}${sysconfdir}/ssl/openssl.cnf.d/wolfprovider-fips.conf +} + +FILES_${PN} = "${bindir}/wolfproviderverify ${bindir}/wolfproviderenv ${sysconfdir}/ssl/openssl.cnf.d/wolfprovider*.conf" + +# Dynamic RDEPENDS adjustment for bash +python() { + distro_version = d.getVar('DISTRO_VERSION', True) + pn = d.getVar('PN', True) + + rdepends_var_name = 'RDEPENDS_' + pn if 
(distro_version.startswith('2.') or distro_version.startswith('3.')) else 'RDEPENDS:' + pn + + current_rdepends = d.getVar(rdepends_var_name, True) or "" + new_rdepends = current_rdepends + " bash" + d.setVar(rdepends_var_name, new_rdepends) +} diff --git a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh b/recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh deleted file mode 100644 index b0624029..00000000 --- a/recipes-examples/wolfprovider/wolfprovidertest/files/wolfproviderenv.sh +++ /dev/null 
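Review bot: `SRC_URI` fetches `provider.conf` and `provider-fips.conf` from the `master` branch of the wolfProvider repository while pinning their sha256sums; the checksum stops changed content from being accepted silently, but any upstream edit to either file breaks the fetch, and the files are not tied to the wolfProvider revision this commit pins elsewhere (`rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a`). Fetch from that commit instead, e.g. `https://raw.githubusercontent.com/wolfSSL/wolfProvider/a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a/provider.conf;name=provider_conf` (and the same for the FIPS file), re-verifying both sha256sums against that revision. `LICENSE = "CLOSED"` with an empty `LIC_FILES_CHKSUM` is hard to justify now that the package ships files taken from a GPL-3.0 repository; `wolfprovidercmd.bb` in this commit declares `GPL-3.0-only` for content from the same source. `FILES_${PN}` and `RPROVIDES_${PN}` are also hard-coded in the legacy underscore syntax while the python block below selects `RDEPENDS_` vs `RDEPENDS:` by `DISTRO_VERSION`; apply the same selection to FILES (or use `FILES:${PN}` if only kirkstone and newer are supported), otherwise on newer releases the assignment is either rejected by the old-override-syntax check or simply never packages the files.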
@@ -1,43 +0,0 @@ -#!/bin/bash - -# Setup for libwolfprov.so -mkdir -p /usr/lib/ssl-3/modules -if [ ! -L /usr/lib/ssl-3/modules/libwolfprov.so ]; then - ln -s /usr/lib/libwolfprov.so.0.0.0 /usr/lib/ssl-3/modules/libwolfprov.so -fi - -# Environment variables -export OPENSSL_MODULES=/usr/lib/ssl-3/modules -export LD_LIBRARY_PATH=/usr/lib:/lib:$LD_LIBRARY_PATH - -# Configuration for wolfprovider -mkdir -p /opt/wolfprovider-configs -cat > /opt/wolfprovider-configs/wolfprovider.conf </dev/null || true + + # Verify certificates are installed (CERTS_DIR is compiled to point here) + echo "Verifying test certificates..." + if [ -d /usr/share/wolfprovider-test/certs ]; then + echo "Certificates found at /usr/share/wolfprovider-test/certs:" + ls -la /usr/share/wolfprovider-test/certs/ + else + echo "Warning: Certificate directory not found at /usr/share/wolfprovider-test/certs" + fi + echo "" + + # Run the test from /tmp where .libs is available + # CERTS_DIR is compiled to point to /usr/share/wolfprovider-test/certs + ( + cd /tmp + echo "Running unit tests from: $(pwd)" + echo "Checking for .libs directory:" + ls -la .libs/ 2>/dev/null || echo "ERROR: .libs directory not found!" + echo "" + unit.test + ) + TEST_RESULT=$? + + echo "" + echo "==========================================" + if [ $TEST_RESULT -eq 0 ]; then + echo "✓ Unit tests PASSED!" + else + echo "✗ Unit tests FAILED! (exit code: $TEST_RESULT)" + exit $TEST_RESULT + fi +else + echo "Unit test binary not found at /usr/bin/unit.test" + exit 1 +fi + +echo "==========================================" diff --git a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb index 2e513e6f..c55b0f62 100644 --- a/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb +++ b/recipes-examples/wolfprovider/wolfprovidertest/wolfprovidertest.bb 
@@ -1,46 +1,42 @@ -SUMMARY = "Test program for custom OpenSSL provider 'libwolfprov'" -DESCRIPTION = "Compiles and runs a test program to verify the functionality of the custom OpenSSL provider libwolfprov." +SUMMARY = "wolfProvider Unit Test Application" +DESCRIPTION = "wolfProvider unit test application used to test provider functionality" HOMEPAGE = "https://www.wolfssl.com" -SECTION = "examples" -LICENSE = "CLOSED" -LIC_FILES_CHKSUM = "" +BUGTRACKER = "https://github.com/wolfssl/wolfprovider/issues" +SECTION = "x11/applications" -DEPENDS = "openssl pkgconfig-native virtual/wolfssl wolfprovider" -PROVIDES += "wolfprovidertest" -RPROVIDES_${PN} = "wolfprovidertest" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-3.0-only;md5=c79ff39f19dfec6d293b95dea7b07891" +DEPENDS += "wolfprovider" +do_configure[noexec] = "1" +do_compile[noexec] = "1" -SRC_URI = "file://wolfprovidertest.c \ - file://wolfproviderenv.sh \ - " +WOLFPROVIDER_TEST_DIR = "${datadir}/wolfprovider-test" +WOLFPROVIDER_TEST_INSTALL_DIR = "${D}${WOLFPROVIDER_TEST_DIR}" +WOLFPROVIDER_TEST_README = "README.txt" +WOLFPROVIDER_TEST_README_DIR = "${WOLFPROVIDER_TEST_INSTALL_DIR}/${WOLFPROVIDER_TEST_README}" -S = "${WORKDIR}" - -inherit pkgconfig - -do_compile() { - ${CC} ${WORKDIR}/wolfprovidertest.c -o wolfprovidertest \ - ${CFLAGS} ${LDFLAGS} $(pkg-config --cflags --libs openssl) -ldl -lwolfssl -lwolfprov -} +python () { + distro_version = d.getVar('DISTRO_VERSION', True) + wolfprovider_test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True) + wolfprovider_test_install_dir = d.getVar('WOLFPROVIDER_TEST_INSTALL_DIR', True) + wolfprovider_test_readme_dir = d.getVar('WOLFPROVIDER_TEST_README_DIR', True) -do_install() { - install -d ${D}${bindir} - install -m 0755 ${WORKDIR}/wolfprovidertest ${D}${bindir}/wolfprovidertest - install -m 0755 ${WORKDIR}/wolfproviderenv.sh ${D}${bindir}/wolfproviderenv -} + bbnote = 'bbnote "Installing dummy file for wolfProvider test 
example"\n' + installDir = 'install -m 0755 -d "%s"\n' % wolfprovider_test_install_dir + makeDummy = 'echo "This is a dummy package" > "%s"\n' % wolfprovider_test_readme_dir -FILES_${PN} += "${bindir}/wolfprovidertest \ - ${bindir}/wolfproviderenv \ - " + d.appendVar('do_install', bbnote) + d.appendVar('do_install', installDir) + d.appendVar('do_install', makeDummy) -# Dynamic RDEPENDS adjustment for bash -python() { - distro_version = d.getVar('DISTRO_VERSION', True) pn = d.getVar('PN', True) - - rdepends_var_name = 'RDEPENDS_' + pn if (distro_version.startswith('2.') or distro_version.startswith('3.')) else 'RDEPENDS:' + pn - - current_rdepends = d.getVar(rdepends_var_name, True) or "" - new_rdepends = current_rdepends + " bash" - d.setVar(rdepends_var_name, new_rdepends) + if distro_version and (distro_version.startswith('2.') or distro_version.startswith('3.')): + files_var_name = 'FILES_' + pn + else: + files_var_name = 'FILES:' + pn + + current_files = d.getVar(files_var_name, True) or "" + new_files = current_files + ' ' + wolfprovider_test_dir + '/*' + d.setVar(files_var_name, new_files) } diff --git a/recipes-wolfssl/wolfprovider/README.md b/recipes-wolfssl/wolfprovider/README.md index 28528dbd..6642efef 100644 --- a/recipes-wolfssl/wolfprovider/README.md +++ b/recipes-wolfssl/wolfprovider/README.md 
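Review bot: This rewrite drops the `SRC_URI`, the compile step and the `do_install` that placed a `wolfprovidertest` binary in `${bindir}`, leaving a README-only dummy package; yet the README hunk in this same commit still tells users to run `wolfprovidertest` for the unit suite, and a new `files/wolfprovidertest.sh` wrapper is added, which nothing in this recipe installs. Unless another recipe outside this diff ships the wrapper (the `wolfssl-enable-wolfprovidertest.inc` may build `unit.test` into wolfprovider, but that is not the wrapper), the documented command does not exist on the image. If this recipe is meant to ship it, restore `SRC_URI = "file://wolfprovidertest.sh"`, install it as `${bindir}/wolfprovidertest`, and keep a runtime dependency on `bash` and `wolfprovider`, both of which the old version expressed and this one drops. `SECTION = "x11/applications"` is also wrong for a test package; the previous `examples` was accurate.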
@@ -36,45 +36,202 @@ The `wolfprovidertest` yocto package will provide two apps, `wolfproviderenv` an 3. **Add wolfprovider to your image**: - Modify your image recipe or `local.conf` file to include `wolfprovider`, `wolfssl`, `openssl`, `openssl-bin`, and `wolfprovidertest`. You will only need `openssl-bin` and `wolfprovidertest` if you want to use and test with our included example and conf file. + Enable the wolfprovider demo image in your `local.conf` file: + ```bitbake + WOLFSSL_DEMOS = "wolfprovider-image-minimal" + ``` +4. **Configure wolfProvider Mode (Optional)**: - For yocto kirkstone or newer: - ``` - IMAGE_INSTALL:append = "wolfprovider wolfssl openssl openssl-bin wolfprovidertest" - ``` + wolfProvider can operate in two modes: + + **Normal Mode (Default)**: wolfProvider acts as a supplementary provider alongside OpenSSL's default provider. No configuration needed. + + **Replace-Default Mode**: wolfProvider replaces OpenSSL's default provider by patching OpenSSL, making wolfSSL the primary crypto backend. + + To enable and disable modes like FIPS, replace default, etc. for testing you can use these files: + `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/wolfssl_%.bbappend` + `layers/meta-wolfssl/recipes-core/images/wolfprovider-image-minimal/openssl_%.bbappend` - For yocto dunfell or earlier: - ``` - IMAGE_INSTALL_append = "wolfprovider wolfssl openssl openssl-bin wolfprovidertest" + to rebuild with replace default we need to run a clean on the wolfprovider and openssl then rebuild: + + ```sh + bitbake -c cleanall openssl wolfprovider + bitbake wolfprovider-image-minimal ``` -4. **Build Your Image**: +5. **Build Your Image**: With the `meta-wolfssl` layer added and the necessary packages included in your image configuration, proceed to build your Yocto image as usual. 
```sh - bitbake + bitbake wolfprovider-image-minimal ``` -### Testing wolfprovider +## Testing wolfProvider -After building and deploying your image to the target device, you can test `wolfprovider` functionality through the `wolfproviderenv` script. +After building and deploying your image to the target device, you can test `wolfprovider` functionality with three test suites: -1. **Execute the wolfproviderenv Script**: - - `wolfproviderenv` is located in `/usr/bin`, so just execute the script upon entering into your terminal. +1. **Environment Setup and Verification**: ```sh wolfproviderenv ``` + + This sets up the environment and verifies wolfProvider is correctly installed and loaded. It automatically detects the mode you are in and does the neccesary things to prepare the env for testing. + +2. **Unit Tests**: + + ```sh + wolfprovidertest + ``` + + Runs the comprehensive wolfProvider unit test suite from the upstream wolfProvider repository. Tests cover all cryptographic operations. + +3. **Command-Line Tests**: + + ```sh + wolfprovidercmd + ``` + + Runs OpenSSL command-line tests including: + - Hash operations (SHA, MD5, etc.) + - AES encryption/decryption + - RSA operations + - ECC operations + - Certificate operations + +## Demo Image + +See `recipes-core/images/wolfprovider-image-minimal/` for complete working examples of all configurations. +Refer to the [recipes-core/images/wolfprovider-image-minimal/README.md](recipes-core/images/wolfprovider-image-minimal/README.md) file for more information. + +### Integrating wolfProvider with Custom Image + +To integrate wolfProvider into your own image recipe (not using the demo images), directly require the appropriate `.inc` files in `bbappend` files. + +#### Direct Include in bbappend Files + +Create `bbappend` files in your custom layer that directly require the `.inc` files you need. + +**1. 
Create `recipes-wolfssl/wolfssl/wolfssl_%.bbappend` in your layer:** + +For non-FIPS: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider.inc +``` + +For FIPS: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc +``` + +**2. Create `recipes-connectivity/openssl/openssl_%.bbappend` in your layer:** + +For standalone mode: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc +``` + +For replace-default mode: +```bitbake +require ${WOLFSSL_LAYERDIR}/inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc +``` + +**3. Add packages to your image recipe:** + +```bitbake +# In your-image.bb +IMAGE_INSTALL:append = " \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfproviderenv \ + wolfprovidercmd \ +" + +**3. For FIPS mode, configure in `local.conf`:** + +```bitbake +require /path/to/meta-wolfssl/conf/wolfssl-fips.conf +``` + +**See working examples:** +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/` (standalone, non-FIPS) +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-fips-image-minimal/` (standalone, FIPS) +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/` (replace-default, non-FIPS) +- `recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/` (replace-default, FIPS) + +#### Using WOLFSSL_FEATURES (For Testing/Development) + +If you want conditional configuration based on variables, you can use the existing `bbappend` files in `recipes-wolfssl/wolfprovider/`: + +Add to your `local.conf`: + +```bitbake +# Enable wolfProvider feature +WOLFSSL_FEATURES = "wolfprovider" + +# For replace-default mode (optional) +WOLFPROVIDER_MODE = "replace-default" + +# For FIPS mode (optional) +require /path/to/meta-wolfssl/conf/wolfssl-fips.conf +``` + +Then add packages to your image recipe: + +```bitbake +# In 
your-image.bb +IMAGE_INSTALL:append = " \ + wolfprovider \ + openssl \ + openssl-bin \ + wolfproviderenv \ + wolfprovidercmd \ +" +``` + +The following existing files will automatically handle configuration: +- `recipes-wolfssl/wolfprovider/wolfssl_%.bbappend` - Configures wolfSSL with wolfProvider support +- `recipes-wolfssl/wolfprovider/openssl_3.%.bbappend` - Configures OpenSSL for wolfProvider + +#### Available Reusable Files + +**`.inc` files in `inc/wolfprovider/`:** +- `wolfssl-enable-wolfprovider.inc` - Configure wolfSSL for wolfProvider (non-FIPS) +- `wolfssl-enable-wolfprovider-fips.inc` - Configure wolfSSL for wolfProvider (FIPS) +- `openssl/openssl-enable-wolfprovider.inc` - Configure OpenSSL for standalone mode +- `openssl/openssl-enable-wolfprovider-replace-default.inc` - Configure OpenSSL for replace-default mode +- `wolfssl-enable-wolfprovidertest.inc` - Enable unit tests (optional only for standalone mode) + +**Existing `bbappend` files in `recipes-wolfssl/wolfprovider/`:** +- `wolfssl_%.bbappend` - Automatically configures wolfSSL based on `WOLFSSL_FEATURES` +- `openssl_3.%.bbappend` - Automatically configures OpenSSL based on `WOLFPROVIDER_MODE` + +**Demo implementations:** +See `recipes-core/images/wolfprovider-image-minimal/` for complete working examples of all configurations. + +#### Building Your Image + +After setting up your configuration: + +```bash +# Clean state if switching modes or providers +bitbake -c cleanall openssl wolfprovider + +# Build your image +bitbake your-image +``` - The script performs necessary setup actions, executes `wolfprovidertest` to validate the integration, and lists available OpenSSL providers to confirm `wolfprovider` is active and correctly configured. +#### Verifying Integration -2. 
**Expected Output**: +On your target device: - Look for messages indicating a successful environment setup, execution of `wolfprovidertest` with a custom provider loaded successfully, and `libwolfprovider` listed among active OpenSSL providers. +```bash +wolfproviderenv +``` -### Documentation and Support +## Documentation and Support For further information about `wolfprovider` and `wolfssl`, visit the [wolfSSL Documentation](https://www.wolfssl.com/docs/) and the [wolfProvider Github](https://www.github.com/wolfSSL/wolfprovider). If you encounter issues or require support regarding the integration of `wolfprovider` with Yocto, feel free to reach out through [wolfSSL Support](support@wolfssl.com). diff --git a/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend b/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend index c62bfaf4..32930d82 100644 --- a/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend +++ b/recipes-wolfssl/wolfprovider/openssl_3.%.bbappend 
@@ -1,7 +1,30 @@
+# Conditionally configure openssl with wolfProvider support
+#
+# This bbappend automatically enables wolfProvider backend when:
+# 1. 'wolfprovider' is in WOLFSSL_FEATURES (explicit intent)
+# 2. AND WOLFPROVIDER_MODE specifies the desired mode
+#
+# Usage in local.conf:
+# WOLFSSL_FEATURES = "wolfprovider"
+# WOLFPROVIDER_MODE = "standalone" # or "replace-default"
+
 inherit wolfssl-helper
 
 python __anonymous() {
-    wolfssl_conditional_require(d, 'wolfprovider', 'inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc')
+    # wolfProvider standalone mode (default)
+    wolfssl_conditional_require_mode(
+        d,
+        package_name='wolfprovider',
+        mode='standalone',
+        inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc'
+    )
+    # wolfProvider replace-default mode
+    wolfssl_conditional_require_mode(
+        d,
+        package_name='wolfprovider',
+        mode='replace-default',
+        inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc'
+    )
 }
 
 # OpenSSL is a dependency of wolfprovider, not a direct image package
diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend b/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend
new file mode 100644
index 00000000..f22cb0f8
--- /dev/null
+++ b/recipes-wolfssl/wolfprovider/wolfprovider_%.bbappend
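Review bot: The two `wolfssl_conditional_require_mode` calls in `__anonymous` are independent, so nothing stops both `openssl-enable-wolfprovider.inc` and `openssl-enable-wolfprovider-replace-default.inc` from being pulled in when WOLFPROVIDER_MODE happens to list both words, e.g. `"standalone replace-default"`; the header comment presents the two modes as alternatives but the code never enforces that. A guard at the top of the block makes the conflict a parse-time error instead of a silently double-configured OpenSSL: `modes = (d.getVar('WOLFPROVIDER_MODE') or '').split()` / `if 'standalone' in modes and 'replace-default' in modes:` / `bb.fatal("WOLFPROVIDER_MODE: 'standalone' and 'replace-default' are mutually exclusive")`. If the helper treats an unset WOLFPROVIDER_MODE as standalone, the header line `# 2. AND WOLFPROVIDER_MODE specifies the desired mode` overstates the requirement and could say the variable is optional and defaults to standalone.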
@@ -0,0 +1,26 @@
+# Conditionally configure wolfProvider with unit tests
+#
+# This bbappend automatically enables wolfProvider unit tests when:
+# 1. 'wolfprovider' is in WOLFSSL_FEATURES (explicit intent)
+# 2. AND WOLFPROVIDER_FLAGS contains "enable-tests"
+#
+# Usage in local.conf:
+# WOLFSSL_FEATURES = "wolfprovider"
+# WOLFPROVIDER_FLAGS = "enable-tests" # or dont set
+
+inherit wolfssl-helper
+
+python __anonymous() {
+    # wolfProvider enable unit tests (via WOLFPROVIDER_FLAGS - separate from mode)
+    wolfssl_conditional_require_flag(
+        d,
+        package_name='wolfprovider',
+        flag_name='enable-tests',
+        inc_file='inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc'
+    )
+}
+
+# OpenSSL is a dependency of wolfprovider, not a direct image package
+# The check above already validates wolfprovider is in IMAGE_INSTALL
+deltask do_wolfssl_check_package
+
diff --git a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb
index 90d4a65a..b8c22b7a 100644
--- a/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb
+++ b/recipes-wolfssl/wolfprovider/wolfprovider_1.1.0.bb
@@ -1,5 +1,5 @@
-SUMMARY = "wolfProvider is a Proivder designed for Openssl 3.X.X"
-DESCRIPTION = "wolfProvider is a library that can be used as an Provider in OpenSSL"
+SUMMARY = "wolfProvider is a Provider designed for Openssl 3.X.X"
+DESCRIPTION = "wolfProvider is a crypto backend interface for use as an OpenSSL Provider"
 HOMEPAGE = "https://github.com/wolfSSL/wolfProvider"
 BUGTRACKER = "https://github.com/wolfSSL/wolfProvider/issues"
 SECTION = "libs"
@@ -10,7 +10,7 @@ DEPENDS += "util-linux-native"
 PROVIDES += "wolfprovider"
 RPROVIDES_${PN} = "wolfprovider"
 
-SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=f8f432408f2c6f446a9e5bd9330577d2c2e1ed4f"
+SRC_URI = "git://github.com/wolfssl/wolfProvider.git;nobranch=1;protocol=https;rev=a8223f5707a9c4460d89f4cbe7b3a129c4e85c6a"
 
 DEPENDS += " virtual/wolfssl \
 openssl \
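Review bot: The closing comment `# OpenSSL is a dependency of wolfprovider, not a direct image package` in the new `wolfprovider_%.bbappend` does not describe this file: it is copied from the openssl bbappend, and here the recipe being appended is wolfprovider itself, so the rationale for `deltask do_wolfssl_check_package` reads as wrong. Replace the two lines with something that states the actual reason, e.g. `# This bbappend only adds optional test configuration to wolfprovider itself; the helper call above already checks WOLFSSL_FEATURES / IMAGE_INSTALL`. `wolfssl_conditional_require_flag` is not defined in any hunk visible here; presumably it lives in wolfssl-helper.bbclass next to the mode helper, which is worth confirming since a missing name only surfaces at parse time. The usage line `# or dont set` would read better as `# or leave unset`.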
@@ -22,7 +22,38 @@ inherit autotools pkgconfig wolfssl-helper
 
 S = "${WORKDIR}/git"
 
-CFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=."
-CXXFLAGS += " -I${S}/include -g0 -O2 -ffile-prefix-map=${WORKDIR}=."
-LDFLAGS += " -Wl,--build-id=none"
-EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}"
\ No newline at end of file
+# Install provider module symlink (autotools already creates libwolfprov.so symlinks)
+install_provider_module() {
+    # Ensure target library exists
+    if [ ! -f ${D}${libdir}/libwolfprov.so.0.0.0 ]; then
+        echo "libwolfprov.so.0.0.0 not found in ${D}${libdir}/" >&2
+        exit 1
+    fi
+
+    # Create the OpenSSL module directory symlink
+    install -d ${D}${libdir}/ssl-3/modules
+    if [ ! -e ${D}${libdir}/ssl-3/modules/libwolfprov.so ]; then
+        ln -sf ${libdir}/libwolfprov.so.0.0.0 ${D}${libdir}/ssl-3/modules/libwolfprov.so
+    fi
+}
+
+do_install[postfuncs] += "install_provider_module"
+
+CFLAGS:append = " -I${S}/include"
+CXXFLAGS:append = " -I${S}/include"
+CPPFLAGS:append = " -I${S}/include"
+
+EXTRA_OECONF += " --with-openssl=${STAGING_EXECPREFIXDIR}"
+
+# Keep unversioned .so in the runtime package
+FILES_SOLIBSDEV = ""
+
+# Explicitly list what goes to -dev instead (headers, pc)
+FILES:${PN}-dev = "${includedir} ${libdir}/pkgconfig/*.pc"
+
+# Ensure the symlink is assigned to runtime
+FILES:${PN} += "${libdir}/libwolfprov.so ${libdir}/ssl-3/modules/libwolfprov.so"
+
+# Shipping an unversioned .so in runtime: suppress QA warning
+INSANE_SKIP:${PN} += "dev-so"
+
diff --git a/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend b/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend
index 3a37f3b8..c0cdfb85 100644
--- a/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend
+++ b/recipes-wolfssl/wolfprovider/wolfssl_%.bbappend
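Review bot: The symlink written by `install_provider_module` points at the absolute path `${libdir}/libwolfprov.so.0.0.0`, so it only resolves on the target rootfs; inside `${D}`, the recipe sysroot or an SDK it dangles, and because `[ ! -e ... ]` follows symlinks, a dangling pre-existing link is silently overwritten rather than reported. A relative target (`../../libwolfprov.so.0.0.0`, the link living two directories below `${libdir}`) works in every location, and the `echo >&2; exit 1` pair is more idiomatically `bbfatal`, which fails the task with the message attributed to it. The soname `0.0.0` is hard-coded in three places in this function and will break silently on a library version bump, so it deserves a comment naming that assumption. The rewrite below keeps the function name and the `do_install[postfuncs]` hook unchanged.
```bitbake
install_provider_module() {
    # Ensure target library exists (the 0.0.0 soname is hard-coded here;
    # revisit when the upstream library version changes)
    [ -f "${D}${libdir}/libwolfprov.so.0.0.0" ] || bbfatal "libwolfprov.so.0.0.0 not found in ${D}${libdir}/"

    # Create the OpenSSL module directory symlink; the target is relative so
    # the link resolves inside ${D}, the sysroot and SDKs, not only on target
    install -d "${D}${libdir}/ssl-3/modules"
    if [ ! -e "${D}${libdir}/ssl-3/modules/libwolfprov.so" ]; then
        ln -sf ../../libwolfprov.so.0.0.0 "${D}${libdir}/ssl-3/modules/libwolfprov.so"
    fi
}
# … unchanged: do_install[postfuncs], *FLAGS:append, EXTRA_OECONF, FILES and INSANE_SKIP …
```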
@@ -1,9 +1,32 @@
-# Conditionally configure wolfssl with wolfprovider support
-# This bbappend checks the WOLFSSL_FEATURES and IMAGE_INSTALL variables
+# Configure wolfProvider FIPS support for wolfSSL
+#
+# This bbappend automatically configures wolfssl or wolfssl-fips with the features
+# needed by wolfprovider when 'wolfprovider' is in WOLFSSL_FEATURES
+#
+# Usage in local.conf:
+# WOLFSSL_FEATURES = "wolfprovider"
+# require conf/wolfssl-fips.conf # If FIPS mode is enabled
 
-inherit wolfssl-helper
-deltask do_wolfssl_check_package
+inherit wolfssl-osp-support
 
 python __anonymous() {
-    wolfssl_conditional_require(d, 'wolfprovider', 'inc/wolfprovider/wolfssl-enable-wolfprovider.inc')
+    # wolfProvider non-FIPS mode
+    wolfssl_osp_conditional_include(
+        d,
+        feature_name='wolfprovider',
+        inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider.inc',
+        allowed_providers=['wolfssl']
+    )
+    # wolfProvider FIPS mode
+    wolfssl_osp_conditional_include(
+        d,
+        feature_name='wolfprovider',
+        inc_file='inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc',
+        allowed_providers=['wolfssl-fips']
+    )
 }
+
+# Disable package check since this is configuration for wolfssl itself
+deltask do_wolfssl_check_package
+
+
diff --git a/recipes-wolfssl/wolfssl/wolfssl-fips.bb b/recipes-wolfssl/wolfssl/wolfssl-fips.bb
index ebbd02b6..c306abe5 100644
--- a/recipes-wolfssl/wolfssl/wolfssl-fips.bb
+++ b/recipes-wolfssl/wolfssl/wolfssl-fips.bb
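Review bot: The new header line `# Configure wolfProvider FIPS support for wolfSSL` describes only half of what the file does, since the block below includes `wolfssl-enable-wolfprovider.inc` for the plain `wolfssl` provider as well as the FIPS variant; a title such as `# Configure wolfSSL (or wolfSSL FIPS) with the features wolfProvider needs` matches the body. The `allowed_providers` argument and `wolfssl_osp_conditional_include` itself come from `wolfssl-osp-support`, which is not in any hunk here, so it is an assumption that the list selects which virtual/wolfssl provider each include applies to; a one-line comment above the first call stating that contract would spare the next reader the lookup. The hunk also adds two empty lines after the final `deltask`, which is just trailing whitespace at end of file.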
@@ -67,12 +67,8 @@ inherit autotools pkgconfig wolfssl-helper wolfssl-commercial wolfssl-fips-helpe
 # Skip the package check for wolfssl-fips itself (it's the base library)
 deltask do_wolfssl_check_package
 
-# Conditionally enable native/nativesdk variants only when FIPS is configured
-python __anonymous() {
-    wolfssl_src = d.getVar('WOLFSSL_SRC')
-    if wolfssl_src and wolfssl_src.strip():
-        d.setVar('BBCLASSEXTEND', 'native nativesdk')
-}
+# Enable native/nativesdk variants when FIPS is configured
+BBCLASSEXTEND = "${@'native nativesdk' if (d.getVar('WOLFSSL_SRC') or '').strip() else ''}"
 
 # FIPS-specific configuration
 # Note: FIPS hash is handled by wolfssl-fips-helper.bbclass
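Review bot: The replacement `BBCLASSEXTEND = "${@... else ''}"` is not quite equivalent to the removed anonymous function: the old code only touched BBCLASSEXTEND when WOLFSSL_SRC was set and otherwise left any value a prior class or include had given it, whereas the new line assigns an empty string in that case and so clears it. If nothing else sets BBCLASSEXTEND for this recipe the difference is harmless, but if the clearing is not intended, `BBCLASSEXTEND += "${@'native nativesdk' if (d.getVar('WOLFSSL_SRC') or '').strip() else ''}"` keeps the earlier behaviour while still staying a one-liner. The comment above could also record that the inline expression is evaluated at expansion time rather than once at parse, which is the other visible behavioural shift from the function form.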