work around oqsprovider out-of-source build bug

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25702)

test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Use newly built oqsprovider to save PKCS#12 files from keys and
+# and certificates files generated using alg $1.
+# Assumed oqsprovider-certgen.sh to have run before for same algorithm
+
+set -e
+set -x
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <algorithmname>. Exiting."
+    exit 1
+fi
+
+echo "oqsprovider-pkcs12gen.sh commencing..."
+
+if [ -z "$OPENSSL_APP" ]; then
+    echo "OPENSSL_APP env var not set. Exiting."
+    exit 1
+fi
+
+if [ -z "$OPENSSL_MODULES" ]; then
+    echo "Warning: OPENSSL_MODULES env var not set."
+fi
+
+if [ -z "$OPENSSL_CONF" ]; then
+    echo "OPENSSL_CONF env var not set. Exiting."
+    exit 1
+fi
+
+# Set OSX DYLD_LIBRARY_PATH if not already externally set
+if [ -z "$DYLD_LIBRARY_PATH" ]; then
+    export DYLD_LIBRARY_PATH=$LD_LIBRARY_PATH
+fi
+
+# Assumes certgen has been run before: Quick check
+if [[ -f tmp/$1_CA.crt &&  -f tmp/$1_CA.key ]]; then
+   echo "Key and certificate using $1 found."
+else
+   echo "File tmp/$1_CA.crt and/or tmp/$1_CA.key not found. Did certgen run before? Exiting."
+   exit -1
+fi
+
+echo "Generating PKCS#12 files..."
+
+# pkcs12 test:
+$OPENSSL_APP pkcs12 -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_1.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_1.p12 ]; then
+    echo "PKCS#12 generation with oqsprovider enabled failed."
+    exit 1
+fi
+
+# Generate config file with oqsprovider disabled
+sed -e 's/^oqsprovider/# oqsprovider/' $OPENSSL_CONF > tmp/openssl-ca-no-oqsprovider.cnf
+
+# This print an error but OpenSSL returns 0 and .p12 file is generated correctly
+OPENSSL_CONF=tmp/openssl-ca-no-oqsprovider.cnf $OPENSSL_APP pkcs12 -provider default -provider oqsprovider -export -in tmp/$1_srv.crt -inkey tmp/$1_srv.key -passout pass: -out tmp/$1_srv_2.p12
+
+if [ $? -ne 0 ] || [ ! -f tmp/$1_srv_2.p12 ]; then
+    echo "PKCS#12 generation with oqsprovider disabled failed."
+    exit 1
+fi
+
+if [ $(cat tmp/$1_srv_1.p12 | $OPENSSL_APP sha256) -neq $(cat tmp/$1_srv_2.p12 | $OPENSSL_APP sha256) ]; then
+    echo "PKCS#12 files differ when oqsprovider is enabled or not."
+    exit 1
+fi

test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh

@@ -46,13 +46,13 @@ echo "   OpenSSL version:    $OPENSSL_VERSION"
 echo "------------------------------------------------------------------"
 
 if [ ! -d $SRCTOP/oqs-provider/.local ]; then
-# this version of oqsprovider dependent on v0.10.0 of liboqs, so set this;
+# this version of oqsprovider dependent on v0.11.0 of liboqs, so set this;
 # also be sure to use this openssl for liboqs-internal OpenSSL use;
 # see all libops config options listed at
 # https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs
 (
        cd $SRCTOP/oqs-provider \
-           && git clone --depth 1 --branch 0.10.0 https://github.com/open-quantum-safe/liboqs.git \
+           && git clone --depth 1 --branch 0.11.0 https://github.com/open-quantum-safe/liboqs.git \
            && cd liboqs \
            && mkdir build \
            && cd build \
@@ -71,4 +71,6 @@ export OPENSSL_MODULES=$PWD/_build/lib
 export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider/scripts
 export OPENSSL_CONF=$OQS_PROVIDER_TESTSCRIPTS/openssl-ca.cnf
 # Be verbose if harness is verbose:
+# Fixup for oqsprovider release snafu:
+cp $SRCTOP/test/recipes/95-test_external_oqsprovider_data/oqsprovider-pkcs12gen.sh $SRCTOP/oqs-provider/scripts/
 $SRCTOP/oqs-provider/scripts/runtests.sh -V