From 12b4c0e5f1f21b7c78fdecd32a52d655cc1f48ba Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Wed, 9 Jul 2025 08:40:42 -0700
Subject: [PATCH 1/4] Add ref for pam-pkcs11 test and fix WPFF
---
 .github/scripts/pam-pkcs11-test.sh | 2 +-
 .github/workflows/{pam_pkcs11.yml => pam-pkcs11.yml} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename .github/workflows/{pam_pkcs11.yml => pam-pkcs11.yml} (92%)
diff --git a/.github/scripts/pam-pkcs11-test.sh b/.github/scripts/pam-pkcs11-test.sh
index c49e514a..f44333c6 100755
--- a/.github/scripts/pam-pkcs11-test.sh
+++ b/.github/scripts/pam-pkcs11-test.sh
@@ -42,7 +42,7 @@ DEBIAN_FRONTEND=noninteractive apt-get install -y \
 echo "[*] Cloning pam_pkcs11..."
 cd /opt
 if [[ ! -d "pam_pkcs11" ]]; then
- git clone https://github.com/OpenSC/pam_pkcs11.git
+ git clone --branch=${PAM_PKCS11_REF} https://github.com/OpenSC/pam_pkcs11.git
 fi
 cd pam_pkcs11
diff --git a/.github/workflows/pam_pkcs11.yml b/.github/workflows/pam-pkcs11.yml
similarity index 92%
rename from .github/workflows/pam_pkcs11.yml
rename to .github/workflows/pam-pkcs11.yml
index b8aa9ef4..3690ee80 100644
--- a/.github/workflows/pam_pkcs11.yml
+++ b/.github/workflows/pam-pkcs11.yml
@@ -64,7 +64,7 @@ jobs:
 source $GITHUB_WORKSPACE/scripts/env-setup
 # Run tests
- if timeout 300 ${{ matrix.force_fail }} sudo bash -c $GITHUB_WORKSPACE/.github/scripts/pam-pkcs11-test.sh; then
+ if timeout 300 sudo bash -c "${{ matrix.force_fail }} PAM_PKCS11_REF=${{ matrix.pam_pkcs11_ref }} $GITHUB_WORKSPACE/.github/scripts/pam-pkcs11-test.sh"; then
 TEST_RESULT=0
 else
 TEST_RESULT=1
From 2271e4c1ae3995eef2cefa0232ce24529a178b6f Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Wed, 9 Jul 2025 09:24:33 -0700
Subject: [PATCH 2/4] Unset / set WPFF so we can test the actual test case
---
 .github/scripts/pam-pkcs11-test.sh | 7 +++++++
 .github/workflows/pam-pkcs11.yml | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
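Review bot: `${PAM_PKCS11_REF}` on the added `git clone --branch=` line is expanded unquoted and without a check that it is set, so running the script without the variable hands git an empty branch name and the failure does not name the cause. `git clone --branch "${PAM_PKCS11_REF:?PAM_PKCS11_REF must be set}" https://github.com/OpenSC/pam_pkcs11.git` fails early with a clear message and keeps the value a single argument. `--branch` accepts a branch or tag name, both of which can move upstream, and the workflow runs this script under sudo, so it is worth pinning the matrix to release tags and comparing `git rev-parse HEAD` with an expected commit after the clone. The surrounding `if [[ ! -d "pam_pkcs11" ]]` also means an existing /opt/pam_pkcs11 checkout is reused at whatever ref it already has.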
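Review bot: The rewritten `if timeout 300 sudo bash -c "…"` line in the workflow hunk pastes `${{ matrix.force_fail }}` and `${{ matrix.pam_pkcs11_ref }}` into a string that a root shell then parses, so a space or shell metacharacter in either matrix value would be interpreted as shell syntax rather than as data. The matrix is defined outside this hunk and is presumably a fixed list, but if it is ever fed from an input or a reusable-workflow parameter this becomes a command-injection point. Passing the values through the step environment keeps them out of the command text: add `PAM_PKCS11_REF: ${{ matrix.pam_pkcs11_ref }}` under the step's `env:` and run `sudo env PAM_PKCS11_REF="$PAM_PKCS11_REF" bash "$GITHUB_WORKSPACE/.github/scripts/pam-pkcs11-test.sh"`. `force_fail` appears to hold a whole `NAME=value` assignment, so it would need to be split into a plain value before it can be passed the same way; the step's `run:` block starts and ends outside the hunk.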
diff --git a/.github/scripts/pam-pkcs11-test.sh b/.github/scripts/pam-pkcs11-test.sh
index f44333c6..6871b0b8 100755
--- a/.github/scripts/pam-pkcs11-test.sh
+++ b/.github/scripts/pam-pkcs11-test.sh
@@ -63,6 +63,10 @@ fi
 echo "[*] Configuring pam_pkcs11..."
+# Temporarily unset WOLFPROV_FORCE_FAIL so we can test the failure case
+ORIG_WOLFPROV_FORCE_FAIL="$WOLFPROV_FORCE_FAIL"
+unset WOLFPROV_FORCE_FAIL
+
 # Generate dummy CA cert if missing
 if [ ! -f /test/certs/test-ca.crt ]; then
 echo "[*] Generating dummy test-ca.crt..."
@@ -99,6 +103,9 @@ cp /etc/pam.d/common-auth /etc/pam.d/common-auth.bak
 echo "auth sufficient pam_pkcs11.so debug" | tee /etc/pam.d/common-auth > /dev/null
 cat /etc/pam.d/common-auth.bak | tee -a /etc/pam.d/common-auth > /dev/null
+# Restore WOLFPROV_FORCE_FAIL
+export WOLFPROV_FORCE_FAIL="$ORIG_WOLFPROV_FORCE_FAIL"
+
 echo "[*] Initializing SoftHSM (simulated smartcard)..."
 mkdir -p /var/lib/softhsm/tokens
 softhsm2-util --init-token --free --label "testtoken" --pin 1234 --so-pin 123456
diff --git a/.github/workflows/pam-pkcs11.yml b/.github/workflows/pam-pkcs11.yml
index 3690ee80..4603b1a0 100644
--- a/.github/workflows/pam-pkcs11.yml
+++ b/.github/workflows/pam-pkcs11.yml
@@ -1,4 +1,4 @@
-name: pam_pkcs11 Tests
+name: pam-pkcs11 Tests
 # START OF COMMON SECTION
 on:
From cea66afaa60993e2b90cae73e076bf6554d15a5d Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Wed, 9 Jul 2025 09:58:50 -0700
Subject: [PATCH 3/4] Use parameter expansion for WPFF flag
---
 .github/scripts/pam-pkcs11-test.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/scripts/pam-pkcs11-test.sh b/.github/scripts/pam-pkcs11-test.sh
index 6871b0b8..6641a064 100755
--- a/.github/scripts/pam-pkcs11-test.sh
+++ b/.github/scripts/pam-pkcs11-test.sh
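Review bot: The restore added in the `@@ -99,6 +103,9 @@` hunk, `export WOLFPROV_FORCE_FAIL="$ORIG_WOLFPROV_FORCE_FAIL"`, exports the variable even when it was not set on entry, so a normal run carries on with WOLFPROV_FORCE_FAIL set to an empty string instead of unset. Whether the provider treats an empty value the same as an absent one is not visible here; if it checks for presence, the SoftHSM and PAM steps that follow would run in force-fail mode on every matrix entry. Record the state next to the save in the `@@ -63,6 +63,10 @@` hunk with `WPFF_WAS_SET="${WOLFPROV_FORCE_FAIL+x}"` and restore with `if [ -n "$WPFF_WAS_SET" ]; then export WOLFPROV_FORCE_FAIL="$ORIG_WOLFPROV_FORCE_FAIL"; fi`. The later `${WOLFPROV_FORCE_FAIL:-}` form of the save still folds unset and empty together, so it does not change this.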
@@ -64,8 +64,8 @@ fi
 echo "[*] Configuring pam_pkcs11..."
 # Temporarily unset WOLFPROV_FORCE_FAIL so we can test the failure case
-ORIG_WOLFPROV_FORCE_FAIL="$WOLFPROV_FORCE_FAIL"
-unset WOLFPROV_FORCE_FAIL
+ORIG_WOLFPROV_FORCE_FAIL="${WOLFPROV_FORCE_FAIL:-}"
+unset WOLFPROV_FORCE_FAIL || true
 # Generate dummy CA cert if missing
 if [ ! -f /test/certs/test-ca.crt ]; then
From d67ac514ca7e7a5552cb610b9cfb7f9331ec1ecd Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Wed, 23 Jul 2025 10:53:00 -0700
Subject: [PATCH 4/4] Add more descriptive comment
---
 .github/scripts/pam-pkcs11-test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/scripts/pam-pkcs11-test.sh b/.github/scripts/pam-pkcs11-test.sh
index 6641a064..4c5a53b1 100755
--- a/.github/scripts/pam-pkcs11-test.sh
+++ b/.github/scripts/pam-pkcs11-test.sh
@@ -63,7 +63,7 @@ fi
 echo "[*] Configuring pam_pkcs11..."
-# Temporarily unset WOLFPROV_FORCE_FAIL so we can test the failure case
+# Temporarily unset WOLFPROV_FORCE_FAIL so we can generate certs correctly
 ORIG_WOLFPROV_FORCE_FAIL="${WOLFPROV_FORCE_FAIL:-}"
 unset WOLFPROV_FORCE_FAIL || true
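Review bot: The `|| true` added to `unset WOLFPROV_FORCE_FAIL` in the `@@ -64,8 +64,8 @@` hunk is not needed, because `unset` already returns success for a name that is not set. The one failure it can hide is a readonly variable, and in that case certificate generation would go ahead with force-fail still active and nothing in the log to show it. Plain `unset WOLFPROV_FORCE_FAIL` keeps that case visible; if the guard is kept for another reason, a short comment such as `# unset only fails for readonly variables` would record why.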