ci: honest wolfssl version resolution + fix sanitizer WOLFSSL_CONFIG_CFLAGS

Two real bugs the latest sanitizer + osp-version failures surfaced.

Sanitizer build failure
=======================
sanitizers.yml's overridden WOLFSSL_CONFIG_CFLAGS dropped all the
defaults that scripts/utils-wolfssl.sh would have provided when the
env var is unset. wolfprov then built without -DWC_RSA_NO_PADDING and
the compiler treated wc_RsaDirect as an implicit declaration:

  src/wp_rsa_sig.c:817: error: implicit declaration of function
    'wc_RsaDirect'; did you mean 'wc_ReadDirNext'?

Fix: spell out the defaults explicitly in the workflow and append the
sanitizer flags. (Keep this in sync with the default in
scripts/utils-wolfssl.sh -- if that default changes, the workflow
needs to track it.)

wolfssl_ref now reflects the actual .deb on ghcr
================================================
The old _discover-versions.yml computed wolfssl_ref via
`git ls-remote upstream wolfssl/wolfssl 'v*-stable'`. That gives
"what's the latest -stable tag" (v5.9.1-stable today), but the OSP
workflows install the wolfprov .deb on ghcr.io which Jenkins built
against a different tag (v5.8.4-stable today). The matrix label lied.

_discover-versions.yml now probes the actual non-FIPS .deb:

  oras pull ghcr.io/wolfssl/wolfprovider/debs:nonfips
  -> parse libwolfssl_<VER>+...amd64.deb filename for VER
  -> wolfssl_ref = "v<VER>-stable"

Two outputs now:

  wolfssl_ref / wolfssl_ref_array
    Actual version installed by the wolfprov .deb on ghcr.
    Used by the 40 OSP workflows (they use the .deb).

  wolfssl_latest_ref / wolfssl_latest_ref_array
    Latest upstream v*-stable tag. Used by source-built workflows
    (smoke, simple, sanitizers, libtss2, cmdline, seed-src,
    openssl-version) that clone wolfssl from git.

If the .deb probe fails (network blip, packages-read scope missing
on a fork PR token, future filename change), the resolver falls back
to upstream-latest with a ::warning:: so it's visible in the run log.

Updates to consumer workflows:
  simple, smoke-test, libtss2, sanitizers, cmdline, seed-src,
  openssl-version  ->  switch from wolfssl_ref to wolfssl_latest_ref

Author: aidangarske

.github/workflows/_discover-versions.yml

@@ -1,33 +1,48 @@
 name: Discover wolfSSL + OpenSSL versions
 
 # Reusable workflow that resolves at run time:
-#   - latest wolfSSL v*-stable tag (from upstream wolfssl/wolfssl)
-#   - Debian Bookworm's stock OpenSSL version (matches what the
-#     wolfprov-patched .deb on ghcr.io was built against)
 #
-# Consumers use these outputs to populate matrix values so the
-# matrix labels honestly reflect what the test actually installed.
-# Today: latest -> v5.8.4-stable, openssl -> 3.0.20 (Bookworm stock).
-# When Bookworm bumps OpenSSL or wolfSSL ships a new -stable, the
-# resolver picks it up without a CI edit.
+#   wolfssl_ref / wolfssl_ref_array  -- "what's the actual wolfSSL
+#       version installed by the wolfprov .deb on ghcr.io". Probes the
+#       deb itself so the matrix label matches what's tested, not what
+#       upstream wolfSSL last tagged.
+#
+#   wolfssl_latest_ref               -- "what's the latest v*-stable
+#       tag upstream has". For source-built workflows (smoke, simple,
+#       sanitizers, libtss2) that pull wolfSSL from git directly.
+#
+#   openssl_ref / openssl_ref_array  -- Debian Bookworm's stock
+#       OpenSSL version (matches the wolfprov-patched .deb).
+#
+#   openssl_latest_ref / *_array     -- Latest upstream openssl-3.x.y
+#       release tag. For source-built workflows.
+#
+#   openssl_all_releases_array       -- Every upstream openssl-3.X.Y
+#       release tag, sorted. Used by openssl-version.yml.
 
 on:
   workflow_call:
     outputs:
       wolfssl_ref:
-        description: 'Plain string, latest -stable e.g. v5.8.4-stable'
+        description: 'Plain string, actual wolfSSL version in the wolfprov nonfips .deb on ghcr (e.g. v5.8.4-stable)'
         value: ${{ jobs.discover.outputs.wolfssl_ref }}
       wolfssl_ref_array:
-        description: 'JSON array of master + latest -stable for matrix use'
+        description: 'JSON array of master + actual .deb wolfssl ref for matrix use'
         value: ${{ jobs.discover.outputs.wolfssl_ref_array }}
+      wolfssl_latest_ref:
+        description: 'Plain string, latest v*-stable tag upstream wolfssl has'
+        value: ${{ jobs.discover.outputs.wolfssl_latest_ref }}
+      wolfssl_latest_ref_array:
+        description: 'JSON array form: master + latest upstream stable'
+        value: ${{ jobs.discover.outputs.wolfssl_latest_ref_array }}
       openssl_ref:
         description: 'Plain string. Bookworm stock OpenSSL (matches the wolfprov .deb).'
         value: ${{ jobs.discover.outputs.openssl_ref }}
       openssl_ref_array:
         description: 'JSON array form of openssl_ref'
         value: ${{ jobs.discover.outputs.openssl_ref_array }}
       openssl_latest_ref:
-        description: 'Plain string, latest upstream openssl-3.x.y release tag (e.g. openssl-3.5.4)'
+        description: 'Plain string, latest upstream openssl-3.x.y release tag (e.g. openssl-3.6.2)'
         value: ${{ jobs.discover.outputs.openssl_latest_ref }}
       openssl_latest_ref_array:
         description: 'JSON array form of openssl_latest_ref'
@@ -40,35 +55,84 @@ jobs:
   discover:
     name: Resolve wolfSSL + OpenSSL refs
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      packages: read
     outputs:
       wolfssl_ref: ${{ steps.resolve.outputs.wolfssl_ref }}
       wolfssl_ref_array: ${{ steps.resolve.outputs.wolfssl_ref_array }}
+      wolfssl_latest_ref: ${{ steps.resolve.outputs.wolfssl_latest_ref }}
+      wolfssl_latest_ref_array: ${{ steps.resolve.outputs.wolfssl_latest_ref_array }}
       openssl_ref: ${{ steps.resolve.outputs.openssl_ref }}
       openssl_ref_array: ${{ steps.resolve.outputs.openssl_ref_array }}
       openssl_latest_ref: ${{ steps.resolve.outputs.openssl_latest_ref }}
       openssl_latest_ref_array: ${{ steps.resolve.outputs.openssl_latest_ref_array }}
       openssl_all_releases_array: ${{ steps.resolve.outputs.openssl_all_releases_array }}
     steps:
+      - name: Install ORAS
+        run: |
+          set -euo pipefail
+          ORAS_VERSION="1.2.2"
+          curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
+          tar xzf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras
+          sudo mv oras /usr/local/bin/oras
+          rm -f "oras_${ORAS_VERSION}_linux_amd64.tar.gz"
+          oras version
+
+      - name: Login to ghcr.io (best-effort)
+        continue-on-error: true
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io \
+            --username "${{ github.actor }}" --password-stdin
+
       - name: Resolve versions
         id: resolve
         run: |
           set -euo pipefail
 
-          # ---- wolfSSL: highest v*-stable tag from upstream ----
-          WOLFSSL=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \
-                     | awk -F/ '{print $NF}' | sort -V | tail -n 1)
-          if [ -z "${WOLFSSL:-}" ]; then
+          # ---- wolfSSL: probe the actual .deb on ghcr.io ----
+          # The wolfprov non-FIPS .deb embeds the wolfSSL version in
+          # its filename (e.g. libwolfssl_5.8.4+commercial...amd64.deb).
+          # Pulling the .deb is the only honest way to know which
+          # wolfSSL the OSP workflows actually link against, because
+          # Jenkins (not this PR) chooses the source ref it builds from.
+          WOLFSSL_DEB_REF=""
+          PROBE_DIR=$(mktemp -d)
+          if oras pull ghcr.io/wolfssl/wolfprovider/debs:nonfips -o "$PROBE_DIR" >/dev/null 2>&1; then
+            DEB_FILE=$(find "$PROBE_DIR" -name 'libwolfssl_*.deb' | head -1)
+            if [ -n "${DEB_FILE:-}" ]; then
+              # libwolfssl_5.8.4+commercial.fips.linuxv5.2.4+1_amd64.deb
+              # -> 5.8.4
+              VER=$(basename "$DEB_FILE" \
+                | sed -E 's|^libwolfssl_([0-9]+\.[0-9]+\.[0-9]+).*|\1|')
+              if [ -n "$VER" ]; then
+                WOLFSSL_DEB_REF="v${VER}-stable"
+              fi
+            fi
+          fi
+          rm -rf "$PROBE_DIR"
+
+          # ---- wolfSSL: latest -stable tag upstream has ----
+          # Used by workflows that build wolfSSL from source.
+          WOLFSSL_LATEST=$(git ls-remote --tags --refs https://github.com/wolfSSL/wolfssl.git 'v*-stable' \
+                            | awk -F/ '{print $NF}' | sort -V | tail -n 1)
+          if [ -z "${WOLFSSL_LATEST:-}" ]; then
             echo "::error::Could not resolve latest wolfSSL -stable tag"
             exit 1
           fi
 
+          # If the .deb probe failed (no auth, or .deb naming changed),
+          # fall back to the upstream-latest value so downstream jobs
+          # still have a valid ref to use. Log loud so we notice.
+          if [ -z "${WOLFSSL_DEB_REF:-}" ]; then
+            echo "::warning::Could not probe wolfssl version from ghcr .deb; falling back to upstream latest ($WOLFSSL_LATEST). Matrix label may not match the actual installed library."
+            WOLFSSL_DEB_REF="$WOLFSSL_LATEST"
+          fi
+
           # ---- OpenSSL (Debian Bookworm stock) ----
           # The wolfprov-patched .deb on ghcr.io is built by patching
-          # Bookworm's stock libssl3 source, so this is the actual
-          # OpenSSL the Debian-container workflows end up linking against.
-          # Use docker to ask Bookworm's apt directly, then strip the
-          # Debian revision (3.0.20-1~deb12u1 -> 3.0.20).
+          # Bookworm's stock libssl3 source. Ask Bookworm's apt directly.
           OSSL_RAW=$(docker run --rm debian:bookworm sh -c \
             'apt-get update -qq >/dev/null 2>&1 && apt-cache madison openssl | head -1' \
             | awk '{print $3}')
@@ -79,12 +143,6 @@ jobs:
           OSSL=$(echo "$OSSL_RAW" | sed 's/-.*//')
 
           # ---- OpenSSL (all upstream release tags, sorted) ----
-          # Used by openssl-version.yml so the sweep tracks upstream
-          # automatically as new releases ship. Release-shaped only:
-          # openssl-X.Y.Z, no -alpha/-beta/-pre. Floored at the
-          # historical oldest-supported version below so we don't
-          # silently re-introduce coverage of openssl-3.0.0/3.0.1/3.0.2
-          # that the static matrix used to exclude.
           OSSL_FLOOR="openssl-3.0.3"
           OSSL_ALL=$(git ls-remote --tags --refs https://github.com/openssl/openssl.git 'openssl-3.*' \
                      | awk -F/ '{print $NF}' \
@@ -95,21 +153,20 @@ jobs:
             echo "::error::Could not resolve upstream OpenSSL release tags (floor=$OSSL_FLOOR)"
             exit 1
           fi
-          # JSON array. jq -R reads each line as a string, -s collects
-          # them into an array, -c emits compact single-line JSON.
           OSSL_ALL_JSON=$(printf '%s\n' "$OSSL_ALL" | jq -R . | jq -s -c .)
-          # Highest version (last after sort -V) is the resolved
-          # "latest" used by source-built workflows.
           OSSL_LATEST=$(echo "$OSSL_ALL" | tail -n 1)
 
-          echo "wolfSSL latest -stable: $WOLFSSL (also testing master)"
-          echo "Bookworm OpenSSL: openssl-$OSSL (raw: $OSSL_RAW)"
-          echo "Upstream OpenSSL latest: $OSSL_LATEST"
-          echo "Upstream OpenSSL releases ($(echo "$OSSL_ALL" | wc -l) tags)"
+          echo "wolfSSL .deb ref (actual ghcr deb):  $WOLFSSL_DEB_REF"
+          echo "wolfSSL upstream latest -stable:    $WOLFSSL_LATEST"
+          echo "OpenSSL Bookworm stock:             openssl-$OSSL (raw: $OSSL_RAW)"
+          echo "OpenSSL upstream latest:            $OSSL_LATEST"
+          echo "OpenSSL upstream releases tracked:  $(echo "$OSSL_ALL" | wc -l) tags"
 
           {
-            echo "wolfssl_ref=$WOLFSSL"
-            echo "wolfssl_ref_array=[\"master\",\"$WOLFSSL\"]"
+            echo "wolfssl_ref=$WOLFSSL_DEB_REF"
+            echo "wolfssl_ref_array=[\"master\",\"$WOLFSSL_DEB_REF\"]"
+            echo "wolfssl_latest_ref=$WOLFSSL_LATEST"
+            echo "wolfssl_latest_ref_array=[\"master\",\"$WOLFSSL_LATEST\"]"
             echo "openssl_ref=openssl-$OSSL"
             echo "openssl_ref_array=[\"openssl-$OSSL\"]"
             echo "openssl_latest_ref=$OSSL_LATEST"

.github/workflows/cmdline.yml

@@ -41,7 +41,7 @@ jobs:
         openssl_ref:
           - master
           - ${{ needs.discover_versions.outputs.openssl_latest_ref }}
-        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }}
         debug: ['WOLFPROV_DEBUG=1', '']
         # force_fail collapsed into sequential test runs below
     steps:

.github/workflows/libtss2.yml

@@ -25,7 +25,7 @@ jobs:
       fail-fast: false
       matrix:
         tpm2_tss_ref: [ '4.1.3']
-        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }}
         openssl_ref: ${{ fromJson(needs.discover_versions.outputs.openssl_latest_ref_array) }}
         replace_default: [ true ]
     env:

.github/workflows/openssl-version.yml

@@ -26,7 +26,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }}
         # Every upstream openssl-3.X.Y release tag, resolved at run time
         # by _discover-versions.yml. New release ships -> next run picks
         # it up automatically; no PR needed to track the latest patch.

.github/workflows/sanitizers.yml

@@ -50,7 +50,7 @@ jobs:
       fail-fast: false
       matrix:
         # Test master + latest-stable (resolved at run time).
-        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }}
     env:
       # Surface every report. halt_on_error=1 fails the first time we
       # touch UB so we don't drown in cascades.
@@ -76,16 +76,36 @@ jobs:
           # Static libasan so the wolfProvider .so embeds it; otherwise
           # the runtime needs LD_PRELOAD and ordering issues bite.
           SAN_FLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g"
-          SAN_LDFLAGS: "-fsanitize=address,undefined -static-libasan"
           OPENSSL_CFLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g -static-libasan"
           OPENSSL_CXXFLAGS: "-fsanitize=address,undefined -fno-omit-frame-pointer -fno-sanitize-recover=all -g -static-libasan"
           OPENSSL_LDFLAGS: "-fsanitize=address,undefined -static-libasan"
         run: |
-          # wolfSSL and wolfProvider build scripts accept _CONFIG_CFLAGS
-          # via env; append the sanitizer flags so all three layers
-          # (OpenSSL, wolfSSL, wolfProvider) get instrumented.
-          export WOLFSSL_CONFIG_CFLAGS="${WOLFSSL_CONFIG_CFLAGS:-} ${SAN_FLAGS}"
-          export WOLFPROV_CONFIG_CFLAGS="${WOLFPROV_CONFIG_CFLAGS:-} ${SAN_FLAGS}"
+          # The wolfSSL build script (scripts/utils-wolfssl.sh) treats
+          # WOLFSSL_CONFIG_CFLAGS as a full override -- it only applies
+          # the in-script default when the env var is unset/empty. So we
+          # have to spell out the defaults explicitly here or wolfprov
+          # ends up missing -DWC_RSA_NO_PADDING and the build fails with
+          # "implicit declaration of wc_RsaDirect".
+          #
+          # Keep this in sync with the default in scripts/utils-wolfssl.sh.
+          OPENSSL_INSTALL_DIR="${GITHUB_WORKSPACE}/openssl-install"
+          export WOLFSSL_CONFIG_CFLAGS="\
+            -I${OPENSSL_INSTALL_DIR}/include \
+            -DWC_RSA_NO_PADDING \
+            -DWOLFSSL_PUBLIC_MP \
+            -DHAVE_PUBLIC_FFDHE \
+            -DHAVE_FFDHE_6144 \
+            -DHAVE_FFDHE_8192 \
+            -DWOLFSSL_PSS_LONG_SALT \
+            -DWOLFSSL_PSS_SALT_LEN_DISCOVER \
+            -DRSA_MIN_SIZE=1024 \
+            -DWOLFSSL_OLD_OID_SUM \
+            ${SAN_FLAGS}"
+
+          # wolfprov's default WOLFPROV_CONFIG_CFLAGS is empty and the
+          # script appends its own -D defines after this override, so
+          # only the sanitizer flags are needed here.
+          export WOLFPROV_CONFIG_CFLAGS="${SAN_FLAGS}"
 
           OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \
           WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \

.github/workflows/seed-src.yml

@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }}
         openssl_ref:
           - ${{ needs.discover_versions.outputs.openssl_latest_ref }}
           - openssl-3.0.17

.github/workflows/simple.yml

@@ -41,7 +41,7 @@ jobs:
         # 2 wolfssl (master + latest-stable, resolved at run time) x
         # 2 openssl (latest upstream release + oldest 3.0.x LTS)
         # x 2 replace-default = 8 jobs.
-        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_ref_array) }}
+        wolfssl_ref: ${{ fromJson(needs.discover_versions.outputs.wolfssl_latest_ref_array) }}
         openssl_ref:
           - ${{ needs.discover_versions.outputs.openssl_latest_ref }}
           - openssl-3.0.17

.github/workflows/smoke-test.yml

@@ -59,7 +59,7 @@ jobs:
       - name: Build and test wolfProvider
         run: |
           # Substitute the resolved latest-stable for the "stable" matrix row.
-          WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_ref }}"
+          WOLFSSL_TAG="${{ matrix.wolfssl_ref || needs.discover_versions.outputs.wolfssl_latest_ref }}"
           OPENSSL_TAG=${{ needs.discover_versions.outputs.openssl_latest_ref }} \
           WOLFSSL_TAG="$WOLFSSL_TAG" \
             ./scripts/build-wolfprovider.sh