Fix WPFF CI failures

Author: padelsbach

.github/scripts/pam-pkcs11-test.sh

@@ -10,6 +10,22 @@ else
     exit 1
 fi
 
+# Deterministic force-fail probe. The pam_pkcs11 test below exercises PAM via
+# 'su' as root, which never actually authenticates, so a force-fail-induced
+# crypto failure inside pam_pkcs11.so will not propagate to the script's exit
+# status. Probe wolfProvider directly here so the workflow fails closed if
+# WOLFPROV_FORCE_FAIL=1 is set but crypto still succeeds (e.g. apt replaced
+# the patched libssl3 and OpenSSL fell back to its built-in default provider).
+if [ "${WOLFPROV_FORCE_FAIL:-0}" = "1" ]; then
+    if openssl rand -hex 16 >/dev/null 2>&1; then
+        echo "FAIL: openssl rand succeeded with WOLFPROV_FORCE_FAIL=1;"
+        echo "      wolfProvider is not actually intercepting crypto."
+        exit 1
+    fi
+    echo "[*] Force-fail probe confirmed wolfProvider is failing as expected"
+    exit 1
+fi
+
 echo "[*] Installing build dependencies..."
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y \