wolfSSL · ColtonWilley · Aug 7, 2025 · Aug 5, 2025
diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml
@@ -0,0 +1,60 @@
+name: Command Line Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  cmdtest_test:
+    name: Command line test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        openssl_ref: [ 'master', 'openssl-3.5.0' ]
+        wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
+        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
+        debug: ['WOLFPROV_DEBUG=1', '']
+    steps:
+      - name: Checkout wolfProvider
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Checking wolfSSL/wolfProvider in cache
+        # Debug builds are not currently supported by build-wolfprovider.yml
+        # so those are manually built as a separate step.
+        if: ${{ matrix.debug == '' }}
+        uses: actions/cache@v4
+        id: wolfprov-cache
+        with:
+          path: |
+            wolfssl-install
+            wolfprov-install
+            openssl-install/lib64
+            openssl-install/include
+            openssl-install/bin
+
+          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
+                    # Normally we would fail on cache miss, but we rebuild below 
+          # for the DEBUG build.
+          fail-on-cache-miss: false
+
+      # If not yet built this version, build it now
+      - name: Build wolfProvider
+        # Only run the test for a cache miss. On hit, we've already run the test.
+        if: steps.wolfprov-cache-restore.cache-hit != 'true'
+        run: |
+          ${{ matrix.debug }} OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+
+      - name: Run tests
+        run: |
+          ${{ matrix.force_fail }} ${{ matrix.debug }} ./scripts/cmd_test/do-cmd-tests.sh
diff --git a/.github/workflows/simple.yml b/.github/workflows/simple.yml
@@ -20,8 +20,19 @@ jobs:
       openssl_ref: ${{ matrix.openssl_ref }}
     strategy:
       matrix:
-        wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
-        openssl_ref: [ 'master', 'openssl-3.5.0' ]
+        wolfssl_ref: [ 
+          'master', 
+          'v5.8.2-stable',
+          'v5.8.0-stable']
+        # Test against the newest of each minor version
+        openssl_ref: [
+          'openssl-3.5.2',
+          'openssl-3.4.2',
+          'openssl-3.3.4',
+          'openssl-3.2.5',
+          'openssl-3.1.8',
+          'openssl-3.0.17']
+        force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
         debug: ['WOLFPROV_DEBUG=1', '']
 
   simple_test:
@@ -31,9 +42,20 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
-        openssl_ref: [ 'master', 'openssl-3.5.0' ]
+        wolfssl_ref: [ 
+          'master', 
+          'v5.8.2-stable', 
+          'v5.8.0-stable']
+        # Test against the newest of each minor version
+        openssl_ref: [
+          'openssl-3.5.2',
+          'openssl-3.4.2',
+          'openssl-3.3.4',
+          'openssl-3.2.5',
+          'openssl-3.1.8',
+          'openssl-3.0.17']
         force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
+        debug: ['WOLFPROV_DEBUG=1', '']
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -55,16 +77,22 @@ jobs:
             openssl-install/bin
 
           key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
-          fail-on-cache-miss: true
+          # Normally we would fail on cache miss, but we rebuild below 
+          # for the DEBUG build.
+          fail-on-cache-miss: false
 
-      - name: Build wolfProvider
-        if: ${{ matrix.debug != '' }}
+      - name: Build and test wolfProvider
+        # Only run the test for a cache miss. On hit, we've already run the test.
+        if: steps.wolfprov-cache-restore.cache-hit != 'true'
         run: |
           ${{ matrix.debug }} \
             OPENSSL_TAG=${{ matrix.openssl_ref }} \
             WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
             ./scripts/build-wolfprovider.sh
 
-      - name: Run simple tests
+      - name: Print errors
+        if: ${{ failure() }}
         run: |
-          ${{ matrix.force_fail }} ./scripts/cmd_test/do-cmd-tests.sh
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi
diff --git a/test/test_hkdf.c b/test/test_hkdf.c
@@ -109,56 +109,76 @@ static int test_hkdf_double_set_salt(OSSL_LIB_CTX* libCtx, unsigned char *key,
 
     ctx = EVP_PKEY_CTX_new_from_name(libCtx, "HKDF", NULL);
     if (ctx == NULL) {
+        PRINT_MSG("Failed to create HKDF context");
         err = 1;
     }
     if (err == 0) {
         if (EVP_PKEY_derive_init(ctx) != 1) {
+            PRINT_MSG("Failed to init HKDF derive");
             err = 1;
         }
     }
     if (err == 0) {
         if (EVP_PKEY_CTX_hkdf_mode(ctx, mode) != 1) {
+            PRINT_MSG("Failed to set HKDF mode");
             err = 1;
         }
     }
     if (err == 0) {
         if (EVP_PKEY_CTX_set_hkdf_md(ctx, md) != 1) {
+            PRINT_MSG("Failed to set HKDF md");
             err = 1;
         }
     }
     if (err == 0) {
         if (EVP_PKEY_CTX_set1_hkdf_key(ctx, inKey, sizeof(inKey)) != 1) {
+            PRINT_MSG("Failed to set HKDF key");
             err = 1;
         }
     }
     if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)) {
+#if OPENSSL_VERSION_NUMBER >= 0x30100000L && \
+    OPENSSL_VERSION_NUMBER != 0x30200050L && \
+    OPENSSL_VERSION_NUMBER != 0x30300040L
         if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) != 1) {
+#else
+        /* In 3.1.x, the following code was added to hkdf_common_set_ctx_params()
+         * if (p->data_size != 0 && p->data != NULL) {
+         * The above code is not present in 3.2.5 and 3.3.4. */
+        if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, NULL, 0) != 0) {
+#endif
+            PRINT_MSG("Failed to set HKDF salt to NULL");
             err = 1;
         }
     }
     if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)) {
         if (EVP_PKEY_CTX_set1_hkdf_salt(ctx, salt, sizeof(salt)) != 1) {
+            PRINT_MSG("Failed to set HKDF salt");
             err = 1;
         }
     }
     if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)) {
         if (EVP_PKEY_CTX_add1_hkdf_info(ctx, info, sizeof(info)) != 1) {
+            PRINT_MSG("Failed to set HKDF info");
             err = 1;
         }
     }
     if (err == 0) {
         if (EVP_PKEY_derive(ctx, key, &len) != 1) {
+            PRINT_MSG("Failed to derive HKDF key");
             err = 1;
         }
     }
 
     if ((err == 0) && (mode != EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)) {
         if (len != (size_t)keyLen) {
+            PRINT_MSG("HKDF key length mismatch");
             err = 1;
         }
     }
     else {
         if (len != (size_t)EVP_MD_size(md)) {
+            PRINT_MSG("HKDF key length mismatch for extract only");
             err = 1;
         }
     }
@@ -204,6 +224,7 @@ static int test_hkdf_md(const EVP_MD *md, int mode)
     memset(wKey, 0, sizeof(wKey));
 
     if (err == 0) {
+        PRINT_MSG("Calc with OpenSSL");
         err = test_hkdf_double_set_salt(osslLibCtx, oKey, sizeof(oKey), md, mode);
         if (err == 1) {
             PRINT_MSG("FAILED OpenSSL");

diff --git a/test/test_rsa.c b/test/test_rsa.c
@@ -1170,7 +1170,7 @@ int test_rsa_fromdata(void* data)
         static const int selections[] = {
             EVP_PKEY_KEYPAIR,
             EVP_PKEY_PUBLIC_KEY,
-            EVP_PKEY_PRIVATE_KEY,
+            EVP_PKEY_PRIVATE_KEY, /* added in 3.0.12 and 3.1.4 */
         };
 
         /* Parameter data fields */