ci: sanitizers -- drop ASan from OpenSSL, LD_PRELOAD libasan at build

Real cause of "Failed to source env-setup": build-wolfprovider.sh runs
its own internal `make test` after install. That triggers `openssl list
-providers` which dlopens libwolfprov.so. With both the openssl binary
and libwolfprov.so built with ASan, two ASan runtimes load and the
dlopen fails silently (stderr swallowed by the build script's
>/dev/null 2>&1).

Fix:
- Drop sanitizer flags from OpenSSL entirely. OpenSSL is third-party;
  we don't need to chase its upstream UBSan patterns. wolfprov is what
  this job is meant to instrument.
- Export LD_PRELOAD=libasan before invoking build-wolfprovider.sh so
  the runtime is in the process when openssl dlopens the ASan-built
  libwolfprov.so during the build script's internal env-setup phase.

Author: aidangarske

.github/workflows/sanitizers.yml

@@ -78,29 +78,12 @@ jobs:
 
       - name: Build wolfProvider with sanitizers
         env:
-          # Dynamic libasan (no -static-libasan). With a static libasan
-          # baked into the openssl binary, libwolfprov.so (which also
-          # compiles in -fsanitize=address) ends up with a SECOND ASan
-          # runtime when openssl dlopens it -- that aborts hard at
-          # startup. Dynamic libasan everywhere puts a single runtime in
-          # the process via the shared library.
-          #
-          # Test runs need LD_PRELOAD=libasan to keep ASan first in the
-          # link order; that's set per-step below.
+          # Only wolfprov + wolfssl get sanitizers. OpenSSL stays plain so
+          # `openssl list -providers` works during the build script's
+          # internal env-setup. LD_PRELOAD libasan keeps a single ASan
+          # runtime in the process when openssl dlopens libwolfprov.so.
           SAN_FLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g"
-          # OpenSSL gets -fsanitize-recover=undefined so benign upstream
-          # UBSan trips don't abort `openssl list -providers` in env-setup.
-          OPENSSL_CFLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fsanitize-recover=undefined -g"
-          OPENSSL_CXXFLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fsanitize-recover=undefined -g"
-          OPENSSL_LDFLAGS: "-fsanitize=address,undefined"
         run: |
-          # The wolfSSL build script (scripts/utils-wolfssl.sh) treats
-          # WOLFSSL_CONFIG_CFLAGS as a full override -- it only applies
-          # the in-script default when the env var is unset/empty. So we
-          # have to spell out the defaults explicitly here or wolfprov
-          # ends up missing -DWC_RSA_NO_PADDING and the build fails with
-          # "implicit declaration of wc_RsaDirect".
-          #
           # Keep this in sync with the default in scripts/utils-wolfssl.sh.
           OPENSSL_INSTALL_DIR="${GITHUB_WORKSPACE}/openssl-install"
           export WOLFSSL_CONFIG_CFLAGS="\
@@ -115,21 +98,20 @@ jobs:
             -DRSA_MIN_SIZE=1024 \
             -DWOLFSSL_OLD_OID_SUM \
             ${SAN_FLAGS}"
-
-          # wolfprov's default WOLFPROV_CONFIG_CFLAGS is empty and the
-          # script appends its own -D defines after this override, so
-          # only the sanitizer flags are needed here.
           export WOLFPROV_CONFIG_CFLAGS="${SAN_FLAGS}"
 
+          # Pre-load libasan so the build script's internal `make test`
+          # (which runs `openssl list -providers` -> dlopen libwolfprov.so)
+          # has the ASan runtime already mapped in. Without this, dlopen
+          # fails with "ASan runtime not loaded".
+          export LD_PRELOAD="$(gcc -print-file-name=libasan.so)"
+
           OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \
           WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
             ./scripts/build-wolfprovider.sh
 
       - name: Run cmd-tests under sanitizers
         run: |
-          # LD_PRELOAD libasan first so it wins symbol resolution against
-          # dlopen'd libwolfprov.so. Without this, depending on link
-          # order, ASan can complain about "interceptors not installed".
           export LD_PRELOAD="$(gcc -print-file-name=libasan.so)"
           source scripts/env-setup
           ./scripts/cmd_test/do-cmd-tests.sh