Add and rebase deb testing

Author: aidangarske

.github/scripts/check-workflow-result.sh

@@ -60,9 +60,6 @@ if [ "$WOLFPROV_FORCE_FAIL" = "WOLFPROV_FORCE_FAIL=1" ]; then
             "curl-8_4_0")
                 EXPECTED_FAILS="9 31 39 41 44 46 61 64 65 70 71 72 73 88 153 154 158 163 166 167 168 169 170 171 173 186 206 245 246 258 259 273 277 327 335 388 420 444 540 551 552 554 565 579 584 643 645 646 647 648 649 650 651 652 653 654 666 667 668 669 670 671 672 673 977 1001 1002 1030 1053 1060 1061 1071 1072 1079 1095 1105 1133 1136 1151 1155 1158 1160 1161 1186 1187 1189 1190 1191 1192 1193 1194 1195 1196 1198 1199 1229 1284 1285 1286 1293 1315 1404 1412 1415 1418 1437 1568 1903 1905 1916 1917 1964 2024 2026 2027 2028 2030 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2073 2076 2200 2201 2202 2203 2204 3017 3018"
                 ;;
-            "master")
-                EXPECTED_FAILS="9 31 39 41 44 46 61 64 65 70 71 72 73 88 153 154 158 163 166 167 168 169 170 171 173 186 206 245 246 258 259 273 277 327 335 388 420 444 483 540 551 552 554 565 579 584 643 645 646 647 648 649 650 651 652 653 654 666 667 668 669 670 671 672 673 695 977 1001 1002 1030 1053 1060 1061 1071 1072 1079 1095 1105 1133 1136 1151 1155 1158 1160 1161 1186 1187 1189 1190 1191 1192 1193 1194 1195 1196 1198 1199 1229 1284 1285 1286 1293 1315 1404 1412 1415 1418 1437 1476 1568 1608 1610 1615 1654 1660 1903 1905 1916 1917 1964 2024 2026 2027 2028 2030 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2073 2076 2200 2201 2202 2203 2204 3017 3018"
-                ;;
             *)
                 echo "Error: Unknown curl version: $CURL_VERSION"
                 exit 1

.github/scripts/install-packages.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# install-packages.sh
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfProvider.
+#
+# wolfProvider is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# wolfProvider is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with wolfProvider. If not, see <http://www.gnu.org/licenses/>.
+
+set -e
+
+echo "WolfSSL artifacts:"
+ls -la /tmp/wolfssl-artifacts || true
+echo "OpenSSL/wolfProvider artifacts:"
+ls -la /tmp/openssl-wolfprov-artifacts || true
+
+# Install wolfSSL first
+wolfssl_debs=$(ls -1 /tmp/wolfssl-artifacts/*.deb 2>/dev/null || true)
+if [ -n "$wolfssl_debs" ]; then
+  echo "Installing wolfSSL packages: $wolfssl_debs"
+  apt install -y $wolfssl_debs
+fi
+
+# Install OpenSSL packages (runtime + development headers)
+openssl_debs=$(ls -1 /tmp/openssl-wolfprov-artifacts/openssl_[0-9]*.deb 2>/dev/null || true)
+libssl3_debs=$(ls -1 /tmp/openssl-wolfprov-artifacts/libssl3_[0-9]*.deb 2>/dev/null || true)
+libssl_dev_debs=$(ls -1 /tmp/openssl-wolfprov-artifacts/libssl-dev_[0-9]*.deb 2>/dev/null || true)
+
+# Install in dependency order: libssl3 first, then openssl, then dev headers
+if [ -n "$libssl3_debs" ]; then
+  echo "Installing libssl3: $libssl3_debs"
+  apt install -y $libssl3_debs
+fi
+if [ -n "$openssl_debs" ]; then
+  echo "Installing openssl: $openssl_debs"
+  apt install -y $openssl_debs
+fi
+if [ -n "$libssl_dev_debs" ]; then
+  echo "Installing libssl-dev: $libssl_dev_debs"
+  apt install -y $libssl_dev_debs
+fi
+
+# Install wolfProvider main package only (no dev/debug needed for testing)
+wolfprov_main=$(ls -1 /tmp/openssl-wolfprov-artifacts/libwolfprov_[0-9]*.deb 2>/dev/null | head -n1 || true)
+
+if [ -z "$wolfprov_main" ]; then
+  echo "ERROR: libwolfprov main package not found in artifacts"
+  ls -la /tmp/openssl-wolfprov-artifacts
+  exit 1
+fi
+
+echo "Installing wolfProvider main package: $wolfprov_main"
+apt install -y "$wolfprov_main"

.github/scripts/pam-pkcs11-test.sh

@@ -4,26 +4,12 @@ set -euo pipefail
 echo "[*] Setting up environment..."
 SCRIPT_PATH="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
 REPO_ROOT=$(git -C "$(dirname "$SCRIPT_PATH")" rev-parse --show-toplevel)
-source $REPO_ROOT/scripts/env-setup || true
-
-if [[ -z "${OPENSSL_MODULES:-}" ]]; then
-    echo "Environment not set up: OPENSSL_MODULES is not defined or empty"
-    exit 1
-elif [[ ! -d "$OPENSSL_MODULES" ]]; then
-    echo "Could not find wolfProvider at $OPENSSL_MODULES"
-    echo "Please build it first..."
-    exit 1
-fi
 
 echo "[*] Installing build dependencies..."
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y \
     git \
-    build-essential \
     autotools-dev \
-    autoconf \
-    libtool \
-    pkg-config \
     libpam0g-dev \
     libnss3-dev \
     libpcsclite-dev \

.github/workflows/asan.yml

@@ -4,8 +4,8 @@ name: Asan Test
 on:
   push:
     branches: [ "*" ]
-  pull_request:
-    branches: [ "*" ]
+  #pull_request:
+    #branches: [ "*" ]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

.github/workflows/bind9.yml

@@ -4,8 +4,8 @@ name: Bind9 Tests
 on:
   push:
     branches: [ 'master', 'main', 'release/**' ]
-  pull_request:
-    branches: [ '*' ]
+  #pull_request:
+    #branches: [ '*' ]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,40 +20,54 @@ jobs:
       openssl_ref: ${{ matrix.openssl_ref }}
     strategy:
       matrix:
-        wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
+        # Test 5.8.2 since our .deb is based on that version
+        wolfssl_ref: [ 'v5.8.2-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
 
   test_bind:
     runs-on: ubuntu-22.04
     needs: build_wolfprovider
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
+    container:
+      image: debian:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     strategy:
       fail-fast: false
       matrix:
+        # Dont test osp master since it might be too unstable
         bind_ref: [ 'v9.18.28' ]
-        wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
+        wolfssl_ref: [ 'v5.8.2-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
         force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
     steps:
+      - name: Set up environment
+        run: |
+          apt-get update
+          apt-get install -y git sudo build-essential autoconf automake \
+            libtool pkg-config libjansson-dev check ca-certificates dpkg-dev
+
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Retrieving wolfSSL/wolfProvider from cache
-        uses: actions/cache/restore@v4
-        id: wolfprov-cache
+      - name: Download wolfSSL packages
+        uses: actions/download-artifact@v4
         with:
-          path: |
-            wolfssl-install
-            wolfprov-install
-            openssl-install/lib64
-            openssl-install/include
-            openssl-install/bin
+          name: wolfssl-debian-packages-${{ github.sha }}
+          path: /tmp/wolfssl-artifacts
 
-          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
-          fail-on-cache-miss: true
+      - name: Download OpenSSL/wolfProvider packages
+        uses: actions/download-artifact@v4
+        with:
+          name: openssl-wolfprov-debian-packages-${{ github.sha }}
+          path: /tmp/openssl-wolfprov-artifacts
+
+      - name: Install wolfSSL/OpenSSL/wolfprov packages
+        run: |
+          $GITHUB_WORKSPACE/.github/scripts/install-packages.sh
 
       - name: Install bind9 test dependencies
         run: |
@@ -62,7 +76,8 @@ jobs:
           sudo apt install -y build-essential automake libtool gnutls-bin \
           pkg-config make libidn2-dev libuv1-dev libnghttp2-dev libcap-dev \
           libjemalloc-dev zlib1g-dev libxml2-dev libjson-c-dev libcmocka-dev \
-          python3-pytest python3-dnspython python3-hypothesis
+          python3-pytest python3-dnspython python3-hypothesis iproute2 \
+          net-tools iputils-ping
           sudo PERL_MM_USE_DEFAULT=1 cpan -i Net::DNS
 
       - name: Checkout bind9
@@ -85,9 +100,12 @@ jobs:
 
       - name: Build and test bind9 with wolfProvider
         working-directory: bind9
+        shell: bash
         run: |
-          # Set up the environment for wolfProvider
-          source $GITHUB_WORKSPACE/scripts/env-setup
+          # wolfProvider is already loaded as the default provider
+          echo "Current OpenSSL providers:"
+          openssl list -providers
+          openssl list -providers | grep -q "wolfSSL Provider" || (echo "ERROR: libwolfprov not found in OpenSSL providers" && exit 1)
 
           autoreconf -ivf
           ./configure
@@ -96,6 +114,9 @@ jobs:
           sudo ./bin/tests/system/ifconfig.sh up
 
           export ${{ matrix.force_fail }}
+          if [ "${{ matrix.force_fail }}" = "WOLFPROV_FORCE_FAIL=1" ]; then
+            set +e
+          fi
           make -j$(nproc) check 2>&1 | tee bind9-test.log
           TEST_RESULT=${PIPESTATUS[0]}
           $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} bind9

.github/workflows/build-wolfprovider.yml

@@ -18,87 +18,103 @@ jobs:
   build_wolfprovider_common:
     name: Build wolfProvider
     runs-on: ubuntu-22.04
+    # Run inside Debian Bookworm to match packaging environment
+    container:
+      image: debian:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     timeout-minutes: 20
     outputs:
       cache_key: wolfprov-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}-${{ github.sha }}
     steps:
+      - name: Set up environment
+        run: |
+          apt-get update
+          apt-get install -y \
+            build-essential \
+            devscripts \
+            debhelper \
+            dh-autoreconf \
+            libtool \
+            pkg-config \
+            git \
+            wget \
+            curl \
+            ca-certificates \
+            openssl \
+            dpkg-dev \
+            lintian \
+            fakeroot \
+            dh-exec \
+            equivs \
+            expect \
+            xxd
+
+      - name: Ensure the working directory safe
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Get OpenSSL commit hash
-        id: openssl-ref
+      - name: Fetch tags (for Debian versioning)
         run: |
-          sha=$(./scripts/resolve-ref.sh "${{ inputs.openssl_ref }}" "openssl/openssl")
-          echo "ref=$sha" >> "$GITHUB_OUTPUT"
-        env:
-          # Used token to bypass rate limits
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          git fetch --tags --force --prune
 
-      - name: Get WolfSSL commit hash
-        id: wolfssl-ref
+      - name: Install wolfSSL Debian packages from repo tarball
         run: |
-          sha=$(./scripts/resolve-ref.sh "${{ inputs.wolfssl_ref }}" "wolfssl/wolfssl")
-          echo "ref=$sha" >> "$GITHUB_OUTPUT"
-        env:
-          # Used token to bypass rate limits
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          mkdir -p "/tmp/wolfssl-pkg"
+          chmod +x $GITHUB_WORKSPACE/debian/install-wolfssl.sh
+          $GITHUB_WORKSPACE/debian/install-wolfssl.sh \
+            $GITHUB_WORKSPACE/.github/packages/debian-wolfssl.tar.gz \
+            "/tmp/wolfssl-pkg"
 
-      # Look for a cached version of OpenSSL
-      - name: Checking OpenSSL in cache
-        uses: actions/cache/restore@v4
-        id: openssl-cache
-        with:
-          path: |
-            openssl-install
-          key: ossl-depends-${{ steps.openssl-ref.outputs.ref }}
-          lookup-only: false
+          # Stage wolfSSL debs into artifacts directory
+          mkdir -p "/tmp/wolfprov-packages"
+          echo "Moving wolfssl files to artifacts directory..."
 
-      # Look for a cached version of WolfSSL
-      - name: Checking WolfSSL in cache
-        uses: actions/cache/restore@v4
-        id: wolfssl-cache
-        with:
-          path: |
-            wolfssl-install
-          key: wolfssl-depends-${{ steps.wolfssl-ref.outputs.ref }}
-          lookup-only: false
+          find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.deb" -exec cp {} /tmp/wolfprov-packages/ \;
+          find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.dsc" -exec cp {} /tmp/wolfprov-packages/ \;
+          find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.tar.gz" -exec cp {} /tmp/wolfprov-packages/ \;
+          find /tmp/wolfssl-pkg -name "*wolfssl*" -type f -name "*.orig.tar.gz" -exec cp {} /tmp/wolfprov-packages/ \;
 
-      - name: Build wolfProvider
+      - name: Build Debian packages (wolfProvider + OpenSSL)
         run: |
-          OPENSSL_TAG=${{ inputs.openssl_ref }} WOLFSSL_TAG=${{ inputs.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+          yes Y | ./scripts/build-wolfprovider.sh --debian
 
-      # Save the wolfProvider outputs for use by the parent jobs.
-      # Note that we don't try to restore since it will likely always 
-      # be a cache miss.
-      - name: Save wolfProvider into cache
-        uses: actions/cache/save@v4
-        with: 
-          path: |
-            wolfssl-install
-            wolfprov-install
-            openssl-install/lib64
-            openssl-install/include
-            openssl-install/bin
-          key: wolfprov-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}-${{ github.sha }}
+          echo "Generated packages in parent dir:"
+          ls -la ../ || true
+          ls -la ../*.deb ../*.dsc ../*.tar.gz 2>/dev/null || true
+
+      - name: Collect package artifacts
+        run: |
+          mkdir -p "/tmp/wolfprov-packages"
+          mv ../*.deb /tmp/wolfprov-packages/ 2>/dev/null || true
+          mv ../*.dsc /tmp/wolfprov-packages/ 2>/dev/null || true
+          mv ../*.tar.gz /tmp/wolfprov-packages/ 2>/dev/null || true
+          echo "Artifacts to upload:"
+          ls -la /tmp/wolfprov-packages || true
 
-      # If openssl cache miss, save it to the cache
-      - name: Save OpenSSL into cache
-        if: steps.openssl-cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
-        with: 
+      - name: Upload wolfSSL packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolfssl-debian-packages-${{ github.sha }}
           path: |
-            openssl-install
-          key: ossl-depends-${{ steps.openssl-ref.outputs.ref }}
+            /tmp/wolfprov-packages/*wolfssl*.deb
+          retention-days: 7
 
-      - name: Save WolfSSL into cache
-        if: steps.wolfssl-cache.outputs.cache-hit != 'true'
-        uses: actions/cache/save@v4
-        with: 
+      - name: Upload OpenSSL/wolfProvider packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: openssl-wolfprov-debian-packages-${{ github.sha }}
           path: |
-            wolfssl-install
-          key: wolfssl-depends-${{ steps.wolfssl-ref.outputs.ref }}
+            /tmp/wolfprov-packages/*openssl*.deb
+            /tmp/wolfprov-packages/*libssl3*.deb
+            /tmp/wolfprov-packages/*libssl-dev*.deb
+            /tmp/wolfprov-packages/*libwolfprov*.deb
+          retention-days: 7
 
       - name: Print errors
         if: ${{ failure() }}