wolfSSL · padelsbach · Sep 9, 2025
diff --git a/.github/scripts/check-workflow-result.sh b/.github/scripts/check-workflow-result.sh
@@ -293,6 +293,23 @@ if [ "$WOLFPROV_FORCE_FAIL" = "WOLFPROV_FORCE_FAIL=1" ]; then
             echo "Error: $IPERF_TEST_LOG not found"
             exit 1
         fi
+    # ----- BIND9 -----
+    elif [ "$TEST_SUITE" = "bind9" ]; then
+        if [ -f "bind9-test.log" ]; then
+            # Check for expected error count (12 errors) and non-zero exit code
+            if grep -q "ERROR: 12" bind9-test.log; then
+                echo "PASS: BIND9 tests failed as expected with force fail enabled (12 errors)"
+                exit 0
+            else
+                echo "FAIL: BIND9 tests did not fail as expected with force fail enabled"
+                echo "  Expected: 12 errors and non-zero exit code"
+                echo "  Got: $(grep 'ERROR:' bind9-test.log | tail -1)"
+                exit 1
+            fi
+        else
+            echo "Error: bind9-test.log not found"
+            exit 1
+        fi
     else
         if [ $TEST_RESULT -eq 0 ]; then
             echo "$TEST_SUITE tests unexpectedly succeeded with force fail enabled"

diff --git a/.github/workflows/bind9.yml b/.github/workflows/bind9.yml
@@ -18,13 +18,19 @@ jobs:
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
       openssl_ref: ${{ matrix.openssl_ref }}
+      replace_default: ${{ matrix.replace_default || false }}
     strategy:
       matrix:
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
+        replace_default: [ false, true ]
 
   test_bind:
     runs-on: ubuntu-22.04
+    container:
+      image: debian:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     needs: build_wolfprovider
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
@@ -34,8 +40,14 @@ jobs:
         bind_ref: [ 'v9.18.28' ]
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
+        replace_default: [ false, true ]
         force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
     steps:
+      - name: Install sudo
+        run: |
+          apt-get update
+          apt-get install -y sudo
+
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
         with:
@@ -52,7 +64,7 @@ jobs:
             openssl-install/include
             openssl-install/bin
 
-          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
+          key: wolfprov${{ matrix.replace_default && '-replace-default' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
           fail-on-cache-miss: true
 
       - name: Install bind9 test dependencies
@@ -62,7 +74,7 @@ jobs:
           sudo apt install -y build-essential automake libtool gnutls-bin \
           pkg-config make libidn2-dev libuv1-dev libnghttp2-dev libcap-dev \
           libjemalloc-dev zlib1g-dev libxml2-dev libjson-c-dev libcmocka-dev \
-          python3-pytest python3-dnspython python3-hypothesis
+          python3-pytest python3-dnspython python3-hypothesis net-tools iproute2
           sudo PERL_MM_USE_DEFAULT=1 cpan -i Net::DNS
 
       - name: Checkout bind9
@@ -85,6 +97,7 @@ jobs:
 
       - name: Build and test bind9 with wolfProvider
         working-directory: bind9
+        shell: bash
         run: |
           # Set up the environment for wolfProvider
           source $GITHUB_WORKSPACE/scripts/env-setup
@@ -96,6 +109,5 @@ jobs:
           sudo ./bin/tests/system/ifconfig.sh up
 
           export ${{ matrix.force_fail }}
-          make -j$(nproc) check 2>&1 | tee bind9-test.log
-          TEST_RESULT=${PIPESTATUS[0]}
+          { make -j$(nproc) check 2>&1 | tee bind9-test.log; TEST_RESULT=${PIPESTATUS[0]}; } || true
           $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} bind9
diff --git a/.github/workflows/build-wolfprovider.yml b/.github/workflows/build-wolfprovider.yml
@@ -9,6 +9,11 @@ on:
       openssl_ref:
         required: true
         type: string
+      replace_default:
+        required: false
+        type: boolean
+        default: false
+        description: "Build with --replace-default flag"
     outputs:
       cache_key:
         description: "Cache key for the build artifacts"
@@ -18,10 +23,20 @@ jobs:
   build_wolfprovider_common:
     name: Build wolfProvider
     runs-on: ubuntu-22.04
+    container:
+      image: debian:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     timeout-minutes: 20
     outputs:
-      cache_key: wolfprov-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}-${{ github.sha }}
+      cache_key: wolfprov${{ inputs.replace_default && '-replace-default' }}-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}-${{ github.sha }}
     steps:
+
+      - name: Install dependencies (needed for Debian)
+        run: |
+          apt-get update && \
+          apt-get install -y curl jq git build-essential autoconf libtool pkg-config patch
+
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
         with:
@@ -52,7 +67,7 @@ jobs:
         with:
           path: |
             openssl-install
-          key: ossl-depends-${{ steps.openssl-ref.outputs.ref }}
+          key: ossl${{ inputs.replace_default && '-replace-default' }}-depends-${{ steps.openssl-ref.outputs.ref }}
           lookup-only: false
 
       # Look for a cached version of WolfSSL
@@ -67,7 +82,17 @@ jobs:
 
       - name: Build wolfProvider
         run: |
-          OPENSSL_TAG=${{ inputs.openssl_ref }} WOLFSSL_TAG=${{ inputs.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+          # Clean if there's a build mode mismatch
+          if ! OPENSSL_TAG=${{ inputs.openssl_ref }} WOLFSSL_TAG=${{ inputs.wolfssl_ref }} ./scripts/build-wolfprovider.sh ${{ inputs.replace_default && '--replace-default' || '' }}; then
+            echo "Build failed, attempting distclean and rebuild..."
+            ./scripts/build-wolfprovider.sh --distclean
+            OPENSSL_TAG=${{ inputs.openssl_ref }} WOLFSSL_TAG=${{ inputs.wolfssl_ref }} ./scripts/build-wolfprovider.sh ${{ inputs.replace_default && '--replace-default' || '' }}
+          fi
+
+      - name: Check paths before saving to cache
+        run: |
+          ls -al $GITHUB_WORKSPACE
+          ls -al $GITHUB_WORKSPACE/openssl-install
 
       # Save the wolfProvider outputs for use by the parent jobs.
       # Note that we don't try to restore since it will likely always 
@@ -81,7 +106,7 @@ jobs:
             openssl-install/lib64
             openssl-install/include
             openssl-install/bin
-          key: wolfprov-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}-${{ github.sha }}
+          key: wolfprov${{ inputs.replace_default && '-replace-default' }}-${{ inputs.wolfssl_ref }}-${{ inputs.openssl_ref }}-${{ github.sha }}
 
       # If openssl cache miss, save it to the cache
       - name: Save OpenSSL into cache
@@ -90,7 +115,7 @@ jobs:
         with: 
           path: |
             openssl-install
-          key: ossl-depends-${{ steps.openssl-ref.outputs.ref }}
+          key: ossl${{ inputs.replace_default && '-replace-default' }}-depends-${{ steps.openssl-ref.outputs.ref }}
 
       - name: Save WolfSSL into cache
         if: steps.wolfssl-cache.outputs.cache-hit != 'true'

diff --git a/.github/workflows/cjose.yml b/.github/workflows/cjose.yml
@@ -18,23 +18,42 @@ jobs:
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
       openssl_ref: ${{ matrix.openssl_ref }}
+      replace_default: ${{ matrix.replace_default || false }}
     strategy:
       matrix:
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
+        replace_default: [ false, true ]
+        exclude:
+          - wolfssl_ref: 'master'
+            replace_default: true
 
   test_cjose:
     runs-on: ubuntu-22.04
+    container:
+      image: debian:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     needs: build_wolfprovider
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
     strategy:
       matrix:
-        cjose_ref: [ 'master', 'v0.6.2.1' ]
+        cjose_ref: [ 'v0.6.2.1' ]
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
         force_fail: [ 'WOLFPROV_FORCE_FAIL=1', '' ]
+        replace_default: [ false, true ]
+        exclude:
+          - wolfssl_ref: 'master'
+            replace_default: true
     steps:
+      - name: Install dependencies (needed for Debian)
+        if: ${{ matrix.replace_default }}
+        run: |
+          apt-get update && \
+          apt-get install -y curl jq
+
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
         with:
@@ -51,12 +70,15 @@ jobs:
             openssl-install/include
             openssl-install/bin
 
-          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
+          key: wolfprov${{ matrix.replace_default && '-replace-default' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
           fail-on-cache-miss: true
 
       - name: Install cjose dependencies
         run: |
-          sudo apt-get install -y libjansson-dev check
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update && \
+          apt-get install -y build-essential autoconf automake libtool \
+              pkg-config gcc make libjansson-dev check
 
       - name: Download cjose
         uses: actions/checkout@v4
@@ -68,18 +90,27 @@ jobs:
 
       - name: Build cjose
         working-directory: cjose
+        shell: bash
         run: |
+          # Set up the environment for wolfProvider
+          source $GITHUB_WORKSPACE/scripts/env-setup
+
+          # Set additional environment variables for OpenSSL
+          export OPENSSL_INSTALL=$GITHUB_WORKSPACE/openssl-install
+          export LDFLAGS="-L${OPENSSL_INSTALL}/lib64 -L${OPENSSL_INSTALL}/lib"
+          export CPPFLAGS="-I${OPENSSL_INSTALL}/include"
+          export PKG_CONFIG_PATH="${OPENSSL_INSTALL}/lib64/pkgconfig:${OPENSSL_INSTALL}/lib/pkgconfig:${PKG_CONFIG_PATH}"
+
           # Configure with OpenSSL
-          ./configure CFLAGS="-Wno-error=deprecated-declarations" --with-openssl=$GITHUB_WORKSPACE/openssl-install
+          ./configure CFLAGS="-Wno-error=deprecated-declarations" --with-openssl=$OPENSSL_INSTALL
 
           # Build cjose
           make
 
       - name: Run cjose tests
         working-directory: cjose
+        shell: bash
         run: |
-          # Set up the environment for wolfProvider
-          source $GITHUB_WORKSPACE/scripts/env-setup
           export ${{ matrix.force_fail }}
 
           # Run tests

diff --git a/.github/workflows/cmdline.yml b/.github/workflows/cmdline.yml
@@ -21,8 +21,14 @@ jobs:
       matrix:
         openssl_ref: [ 'master', 'openssl-3.5.0' ]
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
+        # Command line tests require comparison between wolfSSL and OpenSSL, 
+        # so only test with replace_default false.
+        replace_default: [ false ]
         force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
         debug: ['WOLFPROV_DEBUG=1', '']
+        exclude:
+          - wolfssl_ref: 'master'
+            replace_default: true
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -43,18 +49,20 @@ jobs:
             openssl-install/include
             openssl-install/bin
 
-          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
+          key: wolfprov${{ matrix.replace_default && '-replace-default' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
                     # Normally we would fail on cache miss, but we rebuild below 
           # for the DEBUG build.
           fail-on-cache-miss: false
 
       # If not yet built this version, build it now
       - name: Build wolfProvider
         # Only run the test for a cache miss. On hit, we've already run the test.
-        if: steps.wolfprov-cache-restore.cache-hit != 'true'
+        if: steps.wolfprov-cache.outputs.cache-hit != 'true'
         run: |
-          ${{ matrix.debug }} OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh
+          ${{ matrix.debug }} OPENSSL_TAG=${{ matrix.openssl_ref }} WOLFSSL_TAG=${{ matrix.wolfssl_ref }} ./scripts/build-wolfprovider.sh ${{ matrix.replace_default && '--replace-default' || '' }}
 
       - name: Run tests
+        shell: bash
         run: |
+          source $GITHUB_WORKSPACE/scripts/env-setup
           ${{ matrix.force_fail }} ${{ matrix.debug }} ./scripts/cmd_test/do-cmd-tests.sh
diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml
@@ -18,13 +18,19 @@ jobs:
     with:
       wolfssl_ref: ${{ matrix.wolfssl_ref }}
       openssl_ref: ${{ matrix.openssl_ref }}
+      replace_default: ${{ matrix.replace_default || false }}
     strategy:
       matrix:
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
+        replace_default: [ false, true ]
 
   test_curl:
     runs-on: ubuntu-22.04
+    container:
+      image: debian:bookworm
+      env:
+        DEBIAN_FRONTEND: noninteractive
     needs: build_wolfprovider
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
@@ -33,10 +39,13 @@ jobs:
         curl_ref: [ 'master', 'curl-8_4_0', 'curl-7_88_1' ]
         wolfssl_ref: [ 'master', 'v5.8.0-stable' ]
         openssl_ref: [ 'openssl-3.5.0' ]
+        replace_default: [ false, true ]
         force_fail: ['WOLFPROV_FORCE_FAIL=1', '']
         exclude:
           - curl_ref: 'master'
             force_fail: 'WOLFPROV_FORCE_FAIL=1'
+          - wolfssl_ref: 'master'
+            replace_default: true
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -54,21 +63,34 @@ jobs:
             openssl-install/include
             openssl-install/bin
 
-          key: wolfprov-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
+          key: wolfprov${{ matrix.replace_default && '-replace-default' }}-${{ matrix.wolfssl_ref }}-${{ matrix.openssl_ref }}-${{ github.sha }}
           fail-on-cache-miss: true
 
       - name: Install dependencies
         run: |
-          sudo apt-get update
-          sudo apt-get install nghttp2 libpsl5 libpsl-dev python3-impacket
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update
+          apt-get install -y build-essential autoconf automake libtool \
+              pkg-config nghttp2 libpsl5 libpsl-dev python3-impacket 
+
+      - name: Set up environment for curl build
+        shell: bash
+        run: |
+          # Set up the environment for wolfProvider
+          source $GITHUB_WORKSPACE/scripts/env-setup
+          echo "OPENSSL_LIB_PATH=$OPENSSL_LIB_PATH" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH"   >> $GITHUB_ENV
+          echo "PKG_CONFIG_PATH=$PKG_CONFIG_PATH"   >> $GITHUB_ENV
+          echo "CPPFLAGS=$CPPFLAGS" >> $GITHUB_ENV
+          echo "LDFLAGS=$LDFLAGS" >> $GITHUB_ENV
 
       - name: Build curl
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           repository: curl/curl
           path: curl
           ref: ${{ matrix.curl_ref }}
-          configure: --with-openssl
+          configure: --with-openssl=$GITHUB_WORKSPACE/openssl-install/
           check: false
 
       - name: Generate certificates for curl master force-fail tests
@@ -79,16 +101,17 @@ jobs:
             make test-ca.cacert
             cd ../..
           fi
+
       - name: Test curl with wolfProvider
         working-directory: curl
+        shell: bash
         run: |
           # Set up the environment for wolfProvider
           source $GITHUB_WORKSPACE/scripts/env-setup
           export ${{ matrix.force_fail }}
           export CURL_REF=${{ matrix.curl_ref }}
 
           # Run tests and save output to test.log
-          make -j$(nproc) test-ci 2>&1 | tee curl-test.log
-          # Capture the test result using PIPESTATUS (Bash only)
-          TEST_RESULT=${PIPESTATUS[0]}
+          # Don't use pipe status since it will exit on the first error when pipefail is set
+          { make -j$(nproc) test-ci 2>&1 | tee curl-test.log; TEST_RESULT=${PIPESTATUS[0]}; } || true
           $GITHUB_WORKSPACE/.github/scripts/check-workflow-result.sh $TEST_RESULT ${{ matrix.force_fail }} curl