Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ ready_for_review) and on every push to `master`, `main`, or
| `smoke-test.yml` | Minimal end-to-end: build, load the provider into stock OpenSSL, run `openssl list -providers` and a handful of `openssl` subcommands. Catches link-time and provider-registration regressions. |
| `cmdline.yml` | Runs `scripts/cmd_test/do-cmd-tests.sh` — exercises every `openssl` CLI verb (genrsa, pkeyutl, enc, dgst, …) through wolfProvider. |
| `fips-ready.yml` | Same as `simple` but builds wolfSSL with `--enable-fips=ready`. Sanity check that FIPS-ready compiles and basic tests pass without the full FIPS bundle. |
| `seed-src.yml` | Builds with `--enable-seed-src` (entropy seed source variant) and runs the unit tests. |
| `seed-src.yml` | Builds with `--enable-seed-src` (entropy seed source variant) and `-DWP_TEST_SECCOMP_SANDBOX`, then runs the unit tests including the OpenSSH fork+seccomp-sandbox regression suite. |
| `multi-compiler.yml` | Cross-compiler sweep: gcc-9 through gcc-14 and clang-12 through latest. Catches toolchain-specific warnings / UB. |
| `codespell.yml` | Spell-check on tracked source. `*.patch` is excluded because OSP patches mirror upstream source whose original spelling we shouldn't silently rewrite. |
| `sanitizers.yml` | Builds wolfProvider with `-fsanitize=address,undefined` (one job) and `-fsanitize=thread` (separate job — TSan and ASan can't coexist in one binary), runs `make test` + `cmd_test/do-cmd-tests.sh` under each. Caches OpenSSL + wolfSSL source/install to avoid the ~15 min rebuild on every push. |
Expand Down
10 changes: 7 additions & 3 deletions .github/workflows/seed-src.yml
Original file line number Diff line number Diff line change
Expand Up @@ -51,9 +51,13 @@ jobs:

- name: Build and test wolfProvider with SEED-SRC
run: |
# Force wolfSSL to not use getrandom syscall via ac_cv_func_getrandom=no.
# This ensures /dev/urandom is used as the entropy source, which is
# required to test the SEED-SRC feature's fork-safe caching behavior.
# ac_cv_func_getrandom=no forces wolfSSL onto /dev/urandom, the
# entropy path the SEED-SRC fork-safe caching test needs.
# WOLFPROV_CONFIG_CFLAGS reaches the unit.test compile via configure
# CFLAGS; -DWP_TEST_SECCOMP_SANDBOX compiles in the OpenSSH preauth
# seccomp suite (else it builds to a skip stub). ubuntu-22.04 runners
# are full VMs where PR_SET_SECCOMP works.
WOLFPROV_CONFIG_CFLAGS="-DWP_TEST_SECCOMP_SANDBOX" \
WOLFSSL_CONFIG_OPTS="--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha ac_cv_func_getrandom=no" \
OPENSSL_TAG=${{ matrix.openssl_ref }} \
WOLFSSL_TAG=${{ matrix.wolfssl_ref }} \
Expand Down
18 changes: 12 additions & 6 deletions include/wolfprovider/internal.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,10 @@
#include <wolfssl/wolfcrypt/coding.h>
#include <wolfssl/wolfcrypt/asn_public.h>

/* WP_HAVE_* feature macros: keep the config-guarded WOLFPROV_CTX fields below
* consistent across every translation unit that includes this header. */
#include <wolfprovider/settings.h>

#include "wp_params.h"

#ifndef AES_BLOCK_SIZE
Expand Down Expand Up @@ -146,16 +150,18 @@ typedef struct WOLFPROV_CTX {
wolfSSL_Mutex rng_mutex;
#endif
BIO_METHOD *coreBioMethod;
#if defined(WP_HAVE_SEED_SRC) && defined(WP_HAVE_RANDOM)
/** Set once this context holds a urandom reference, so a failed init is not
* balanced by a cleanup that releases a reference it never took. */
int urandomInitialized;
#endif
} WOLFPROV_CTX;

#if defined(WP_HAVE_SEED_SRC) && defined(WP_HAVE_RANDOM)
/*
* Global /dev/urandom subsystem functions.
*
* These manage a cached file handle to /dev/urandom that is opened lazily
* on first entropy request (matching OpenSSL's default provider behavior).
* The file stays open so child processes inherit it and can read even
* in sandboxed environments that block openat().
* Shared /dev/urandom entropy subsystem (cached fd + wolfSSL seed callback),
* reference counted: balance each wp_urandom_init() with one
* wp_urandom_cleanup(). See wp_seed_src.c.
*/
int wp_urandom_init(void);
void wp_urandom_cleanup(void);
Expand Down
Loading
Loading