Run the FIPS CAST tests under lock during wolfprovider init #634

Workflow file for this run

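name: Debian Package Test

# START OF COMMON SECTION
on:
  push:
    branches: [ 'master', 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION

# Least-privilege GITHUB_TOKEN: the steps below only check out the repo and
# restore a cache, neither of which needs write access. The reusable build
# workflow inherits this grant.
# NOTE(review): confirm build-wolfprovider.yml does not request more than
# contents: read, otherwise the call will be rejected.
permissions:
  contents: read

jobs:
  # Builds wolfSSL/OpenSSL/wolfProvider .deb packages and publishes them to
  # the actions cache under a key derived from github.sha (see the restore
  # steps below for the key layout).
  build_wolfprovider:
    uses: ./.github/workflows/build-wolfprovider.yml
    with:
      wolfssl_ref: ${{ matrix.wolfssl_ref }}
      openssl_ref: ${{ matrix.openssl_ref }}
      replace_default: ${{ matrix.replace_default }}
    strategy:
      matrix:
        # Test 5.8.2 since our .deb is based on that version
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        replace_default: [ true ]

  # Installs libwolfprov against the distro OpenSSL (no custom openssl .deb),
  # runs the provider interoperability tests, then verifies that removing the
  # package leaves no config or library files behind.
  libwolfprov-standalone:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    # Run inside Debian Bookworm to match packaging environment
    container:
      image: debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 20
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        replace_default: [ false ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
    steps:
      # NOTE(review): actions are referenced by moving major tag; pin to a
      # commit SHA if the project's supply-chain policy requires immutable refs.
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Checking OpenSSL/wolfProvider packages in cache
        uses: actions/cache/restore@v4
        id: wolfprov-cache
        with:
          path: |
            ${{ env.WOLFSSL_PACKAGES_PATH }}
            ${{ env.OPENSSL_PACKAGES_PATH }}
            ${{ env.WOLFPROV_PACKAGES_PATH }}
          # replace_default is false in this job, so the key carries no
          # '-replace-default' suffix while build_wolfprovider only runs with
          # replace_default: true.
          # NOTE(review): confirm build-wolfprovider.yml also publishes the
          # unsuffixed key, or this restore fails.
          key: openssl-wolfprov-debian-packages-${{ github.sha }}${{ matrix.replace_default && '-replace-default' || '' }}
          # A miss would mean testing against nothing; fail hard instead.
          fail-on-cache-miss: true

      - name: Install package without custom openssl
        run: |
          # Refresh package lists first so dependency resolution for the local
          # .deb files works on a fresh image (debian:bookworm ships without lists).
          apt-get update
          printf "Installing OpenSSL/wolfProvider packages:\n"
          ls -la "${{ env.WOLFSSL_PACKAGES_PATH }}"
          ls -la "${{ env.WOLFPROV_PACKAGES_PATH }}"
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "${{ env.WOLFSSL_PACKAGES_PATH }}"/libwolfssl_*.deb
          # This job deliberately uses the distro OpenSSL, not the cached custom build.
          apt install --reinstall -y openssl libssl3
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "${{ env.WOLFPROV_PACKAGES_PATH }}"/libwolfprov_*.deb

      - name: Verify wolfProvider is properly installed
        run: |
          # matrix.fips is not defined by any matrix in this workflow, so the
          # expression expands to an empty string here.
          "$GITHUB_WORKSPACE"/scripts/verify-install.sh ${{ matrix.fips && '--fips' || '' }}

      - name: Test OpenSSL provider functionality
        run: |
          WOLFPROV_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
          # Temporarily move wolfprovider config so we can toggle between providers
          echo "Temporarily disabling wolfprovider for default provider tests:"
          mkdir -p /tmp/openssl-test
          if [ -f "$WOLFPROV_CONF_FILE" ]; then
            mv "$WOLFPROV_CONF_FILE" "$WOLFPROV_CONF_BACKUP"
            echo " - Moved $WOLFPROV_CONF_FILE to $WOLFPROV_CONF_BACKUP"
          else
            echo "$WOLFPROV_CONF_FILE not found!"
            exit 1
          fi
          # Run the do-cmd-test.sh script to execute interoperability tests
          echo "Running OpenSSL provider interoperability tests..."
          OPENSSL_BIN="$(command -v openssl)" ./scripts/cmd_test/do-cmd-tests.sh
          # Restore wolfprovider configuration
          echo "Restoring wolfprovider configuration:"
          if [ -f "$WOLFPROV_CONF_BACKUP" ]; then
            mv "$WOLFPROV_CONF_BACKUP" "$WOLFPROV_CONF_FILE"
            echo " - Restored $WOLFPROV_CONF_FILE from $WOLFPROV_CONF_BACKUP"
          fi
          echo "PASS: All provider interoperability tests successful"

      - name: Uninstall package and verify cleanup
        run: |
          # Uninstall the package
          apt-get remove -y libwolfprov
          # Verify default OpenSSL provider is active
          "$GITHUB_WORKSPACE"/scripts/verify-install.sh --no-wp ${{ matrix.replace_default && '--replace-default' || '' }} ${{ matrix.fips && '--fips' || '' }}
          # Purge the package to remove all files
          apt-get remove --purge -y libwolfprov
          # Verify the package is removed
          if dpkg -l | grep -q libwolfprov; then
            echo "Package still installed after removal"
            dpkg -l | grep libwolfprov
            exit 1
          else
            echo "Package successfully removed"
          fi
          # Check if the config file is removed
          if [ -f "$WOLFPROV_CONF_FILE" ]; then
            echo "wolfprovider.conf still exists after package removal"
            ls -la "$(dirname "$WOLFPROV_CONF_FILE")"
            exit 1
          else
            echo "wolfprovider.conf successfully removed"
          fi
          # Check if the library files are removed
          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
          if [ -n "$WOLFPROV_OBJS" ]; then
            echo "libwolfprov.so still exists after package removal"
            echo "$WOLFPROV_OBJS"
            exit 1
          else
            echo "libwolfprov.so successfully removed"
          fi
          # Verify that the default provider is present and active after the purge
          "$GITHUB_WORKSPACE"/scripts/verify-install.sh --no-wp ${{ matrix.replace_default && '--replace-default' || '' }} ${{ matrix.fips && '--fips' || '' }}
          echo "Package uninstallation and cleanup verification successful"

  # Installs the cached custom OpenSSL .debs alongside wolfSSL, then installs
  # libwolfprov as the replacement default provider and exercises basic
  # digest/AES/ECDH/ECDSA operations through it.
  libwolfprov-replace-default:
    runs-on: ubuntu-22.04
    needs: build_wolfprovider
    # Run inside Debian Bookworm to match packaging environment
    container:
      image: debian:bookworm
      env:
        DEBIAN_FRONTEND: noninteractive
    # This should be a safe limit for the tests to run.
    timeout-minutes: 20
    strategy:
      matrix:
        wolfssl_ref: [ 'v5.8.2-stable' ]
        openssl_ref: [ 'openssl-3.5.2' ]
        replace_default: [ true ]
    env:
      WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
      OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
      WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
    steps:
      - name: Checkout wolfProvider
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Checking OpenSSL/wolfProvider packages in cache
        uses: actions/cache/restore@v4
        id: wolfprov-cache
        with:
          path: |
            ${{ env.WOLFSSL_PACKAGES_PATH }}
            ${{ env.OPENSSL_PACKAGES_PATH }}
            ${{ env.WOLFPROV_PACKAGES_PATH }}
          # Matches the key produced by build_wolfprovider (replace_default: true).
          key: openssl-wolfprov-debian-packages-${{ github.sha }}${{ matrix.replace_default && '-replace-default' || '' }}
          fail-on-cache-miss: true

      - name: Install wolfSSL/OpenSSL/wolfprov packages
        run: |
          printf "Installing OpenSSL/wolfProvider packages:\n"
          ls -la "${{ env.WOLFSSL_PACKAGES_PATH }}"
          ls -la "${{ env.OPENSSL_PACKAGES_PATH }}"
          ls -la "${{ env.WOLFPROV_PACKAGES_PATH }}"
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "${{ env.WOLFSSL_PACKAGES_PATH }}"/libwolfssl_*.deb
          # Custom OpenSSL build from the cache replaces the distro openssl/libssl3.
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "${{ env.OPENSSL_PACKAGES_PATH }}"/openssl_*.deb \
            "${{ env.OPENSSL_PACKAGES_PATH }}"/libssl3_*.deb \
            "${{ env.OPENSSL_PACKAGES_PATH }}"/libssl-dev_*.deb

      - name: Show OpenSSL version
        run: |
          echo "OpenSSL version:"
          # Informational only; never fail the job on this.
          openssl version -a || true

      - name: Test OpenSSL providers before wolfprov installation
        run: |
          echo "Testing OpenSSL providers before wolfprov installation..."
          echo "Expected: This should work normally with default providers"
          # Test openssl list -providers
          if openssl list -providers; then
            echo "SUCCESS: openssl list -providers works before wolfprov installation"
          else
            echo "FAILURE: openssl list -providers failed before wolfprov installation"
            exit 1
          fi
          echo "Provider list before wolfprov installation:"
          openssl list -providers

      - name: Install libwolfprov package
        run: |
          apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
            "${{ env.WOLFPROV_PACKAGES_PATH }}"/libwolfprov_*.deb
          echo "Installed packages after wolfprov:"
          dpkg -l | grep -E "(wolfprov|wolfssl|openssl|libssl)"

      - name: Verify wolfProvider is properly installed
        run: |
          # matrix.fips is not defined by any matrix in this workflow, so that
          # expression expands to an empty string here.
          "$GITHUB_WORKSPACE"/scripts/verify-install.sh ${{ matrix.replace_default && '--replace-default' || '' }} ${{ matrix.fips && '--fips' || '' }}

      - name: Verify wolfprov configuration
        run: |
          echo "Verifying wolfprov configuration..."
          # Check if configuration file exists (informational: missing files only warn)
          if [ -f "$WOLFPROV_CONF_FILE" ]; then
            echo "SUCCESS: wolfprovider.conf exists"
            cat "$WOLFPROV_CONF_FILE"
          else
            echo "WARNING: wolfprovider.conf not found"
          fi
          # Check if library file exists
          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
          if [ -n "$WOLFPROV_OBJS" ]; then
            echo "SUCCESS: libwolfprov.so exists"
            echo "$WOLFPROV_OBJS"
          else
            echo "WARNING: libwolfprov.so not found"
          fi

      - name: Test basic OpenSSL functionality (digests, AES, ECDH, ECC)
        # bash is required for the <( ... ) process substitution in the verify step.
        shell: bash
        run: |
          set -e
          echo "Testing OpenSSL digests..."
          echo "test" | openssl dgst -sha256
          echo "test" | openssl dgst -sha512
          echo "Testing OpenSSL AES encryption/decryption..."
          # Throwaway test passphrase; the round-trip only checks that enc/dec agree.
          echo "secret" | openssl enc -aes-128-cbc -pass pass:mykey -out secret.enc
          openssl enc -d -aes-128-cbc -pass pass:mykey -in secret.enc
          echo "Testing OpenSSL ECDH key generation and shared secret..."
          openssl ecparam -name prime256v1 -genkey -noout -out ec1.pem
          openssl ecparam -name prime256v1 -genkey -noout -out ec2.pem
          openssl pkey -in ec1.pem -pubout -out ec1.pub
          openssl pkey -in ec2.pem -pubout -out ec2.pub
          openssl pkeyutl -derive -inkey ec1.pem -peerkey ec2.pub -out secret1.bin
          openssl pkeyutl -derive -inkey ec2.pem -peerkey ec1.pub -out secret2.bin
          # Both sides must derive the same shared secret
          cmp secret1.bin secret2.bin && echo "ECDH shared secrets match"
          echo "Testing OpenSSL ECC sign/verify..."
          openssl ecparam -name prime256v1 -genkey -noout -out ecc_key.pem
          echo "message" > msg.txt
          openssl dgst -sha256 -sign ecc_key.pem -out msg.sig msg.txt
          openssl dgst -sha256 -verify <(openssl pkey -in ecc_key.pem -pubout) -signature msg.sig msg.txt

      - name: Cleanup test environment
        run: |
          echo "Cleaning up test environment..."
          # Uninstall test packages (best effort; the container is discarded anyway)
          apt-get remove --purge -y libwolfprov || true
          apt-get autoremove -y
          echo "Cleanup completed"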