Fix WPFF CI failures

Author: padelsbach

.github/scripts/pam-pkcs11-test.sh

@@ -10,6 +10,22 @@ else
     exit 1
 fi
 
+# Deterministic force-fail probe. The pam_pkcs11 test below exercises PAM via
+# 'su' as root, which never actually authenticates, so a force-fail-induced
+# crypto failure inside pam_pkcs11.so will not propagate to the script's exit
+# status. Probe wolfProvider directly here so the workflow fails closed if
+# WOLFPROV_FORCE_FAIL=1 is set but crypto still succeeds (e.g. apt replaced
+# the patched libssl3 and OpenSSL fell back to its built-in default provider).
+if [ "${WOLFPROV_FORCE_FAIL:-0}" = "1" ]; then
+    if openssl rand -hex 16 >/dev/null 2>&1; then
+        echo "FAIL: openssl rand succeeded with WOLFPROV_FORCE_FAIL=1;"
+        echo "      wolfProvider is not actually intercepting crypto."
+        exit 1
+    fi
+    echo "[*] Force-fail probe confirmed wolfProvider is failing as expected"
+    exit 1
+fi
+
 echo "[*] Installing build dependencies..."
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install -y \

.github/workflows/bind9.yml

@@ -74,6 +74,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \

.github/workflows/cjose.yml

@@ -81,6 +81,11 @@ jobs:
           apt install --reinstall -y \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \

.github/workflows/curl.yml

@@ -73,6 +73,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \

.github/workflows/debian-package.yml

@@ -85,6 +85,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
           # In standalone mode, use OPENSSL_CONF to enable wolfProvider.
           if [ "${{ matrix.replace_default }}" = "false" ]; then
             echo "Setting OPENSSL_CONF to /etc/ssl/openssl.cnf.d/wolfprovider.conf"

.github/workflows/git-ssh-dr.yml

@@ -73,6 +73,11 @@ jobs:
         apt install --reinstall -y \
           ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
     - name: Verify wolfProvider is properly installed
       run: |
         $GITHUB_WORKSPACE/scripts/verify-install.sh \

.github/workflows/grpc.yml

@@ -81,6 +81,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \

.github/workflows/hostap.yml

@@ -77,6 +77,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Show OpenSSL version
         run: |
           echo "OpenSSL version:"

.github/workflows/iperf.yml

@@ -73,6 +73,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \

.github/workflows/krb5.yml

@@ -73,6 +73,11 @@ jobs:
           apt install --reinstall -y --allow-downgrades --allow-change-held-packages \
             ${{ env.WOLFPROV_PACKAGES_PATH }}/libwolfprov_*.deb
 
+          # Prevent later 'apt-get install' of test dependencies from
+          # replacing the wolfprov-patched libssl3, which breaks 
+          # replace-default mode.
+          apt-mark hold libssl3 libssl-dev openssl libwolfssl libwolfprov
+
       - name: Verify wolfProvider is properly installed
         run: |
           $GITHUB_WORKSPACE/scripts/verify-install.sh \