wolfProvider: 5.9.1 FIPS patches (krb5, hostap, stunnel, libssh2, curl)

wolfProvider/README.md

@@ -0,0 +1,50 @@
+# wolfProvider OSP patches
+
+Patches that adapt upstream open-source projects (curl, krb5, libssh2,
+hostap, etc.) to test cleanly against `wolfProvider` (FIPS and non-FIPS).
+
+## Naming convention
+
+Every patch follows exactly one pattern (no exceptions):
+
+    <project>/<project>-<projver>-wolfprov.patch          (non-FIPS)
+    <project>/<project>-<projver>-wolfprov-fips.patch     (FIPS)
+    <project>/<project>-<projver>-wolfssl-X.Y.Z-wolfprov.patch       (pinned snapshot)
+    <project>/<project>-<projver>-wolfssl-X.Y.Z-wolfprov-fips.patch  (pinned snapshot)
+
+Rules:
+- FIPS is always the `-fips` suffix before `.patch` (never an
+  uppercase `-FIPS-` infix).
+- The provider segment is always `-wolfprov` (never `-wolfprovider`).
+- `<projver>` is the upstream version ref the patch targets and may be
+  empty for version-agnostic patches.
+
+- **Universal** name (no `-wolfssl-X.Y.Z-` infix) is the **latest**
+  patch content. By default a patch should be universal — it tracks
+  current wolfSSL master / latest stable and is reused unchanged across
+  wolfSSL version bumps.
+- `-wolfssl-X.Y.Z-` infix marks a **pinned snapshot** for that wolfSSL
+  line. Add one only when the universal patch has diverged in a way
+  that breaks on an older wolfSSL release that is still supported.
+
+When you modify a patch for a new wolfSSL release in a way that breaks
+an older line:
+  1. Copy the pre-modification content as
+     `<stem>-wolfssl-<old-version>-wolfprov[-fips].patch`.
+  2. Keep editing the universal file for the new wolfSSL release.
+
+## How workflows pick the right patch
+
+`wolfssl/wolfProvider` workflows resolve patches via
+`scripts/resolve-osp-patch.sh`:
+
+| wolfssl_ref         | order tried                                |
+|---------------------|--------------------------------------------|
+| `v5.8.X-stable`     | `-wolfssl-5.8.4-` then universal           |
+| `v5.9.X-stable`     | `-wolfssl-5.9.1-` then universal           |
+| `master` / other    | universal only                             |
+
+For FIPS, the helper tries `-wolfprov-fips.patch` and falls back to the
+non-FIPS patch when no FIPS-specific one exists. Because the naming is
+uniform, the helper stays simple — one pattern, no per-project special
+cases.

wolfProvider/curl/README.md

@@ -1,4 +1,9 @@
-`wolfProvider/curl/curl-8_4_0-wolfprov.patch` adds support for testing curl 
-`8.4.0` with wolfProvider FIPS in Jenkins. This patch is only needed when 
-testing curl with Jenkins. It disables a non crypto related test that IDN 
-with different languages.
+`wolfProvider/curl/curl-8_4_0-wolfprov.patch` and
+`wolfProvider/curl/curl-7_88_1-wolfprov.patch` add support for testing the
+respective curl versions with wolfProvider. Both patches disable test 1560
+(`[URL API]` libtest) — a non-crypto IDN-related test that fails under the
+wolfProvider test-deps container regardless of IDN dependencies installed.
+
+These patches must be applied to the curl source tree (e.g. `patch -p1`)
+before running `make test-ci`. If they are not applied, test 1560 will
+appear as an unexpected failure in normal-mode runs.

wolfProvider/curl/curl-7_88_1-wolfprov.patch

@@ -0,0 +1,11 @@
+diff --git a/tests/data/DISABLED b/tests/data/DISABLED
+index 6edc0b4..98fa0ab 100644
+--- a/tests/data/DISABLED
++++ b/tests/data/DISABLED
+@@ -106,3 +106,6 @@
+ %if bearssl
+ 313
+ %endif
++# test 1560 requires IDN support - wolfProvider works locally in Jenkins
++# this fails even with the dependency installed
++1560

wolfProvider/grpc/README.md

@@ -1,3 +1,3 @@
-`grpc-FIPS-v1.60.0-wolfprov.patch` adds testing support for FIPS and non-FIPS 
+`grpc-v1.60.0-wolfprov-fips.patch` adds testing support for FIPS and non-FIPS 
 grpc `v1.60.0`. The patch also adds support for the use of `WOLFPROV_FORCE_FAIL=1` 
 env variable.

wolfProvider/hostap/README.md

@@ -1,11 +1,22 @@
-`wolfProvider/hostap/hostap-main-wolfprov.patch` adds support for testing hostap `main`
-with wolfProvider. It is needed to test the full testing suite.
+`wolfProvider/hostap/hostap-hostap_2_11-wolfprov.patch` adds support for
+testing hostap `hostap_2_11` with non-FIPS wolfProvider. It points the
+legacy provider load in `src/crypto/crypto_openssl.c` at `libwolfprov` and
+makes the `crda` call in `tests/hwsim/vm/inside.sh` non-fatal (`|| true`).
 
-The patch makes the following changes:
-1. Replaces OpenSSL provider references in `src/crypto/crypto_openssl.c`:
-   - Changes "default" provider to "libwolfprov"
-   - Changes "legacy" provider to "libwolfprov"
-2. Replaces OpenSSL provider reference in `src/crypto/tls_openssl.c`:
-   - Changes "pkcs11" provider to "libwolfprov"
-3. Fixes crda command failure handling in `tests/hwsim/vm/inside.sh`:
-   - Adds `|| true` to handle crda command failure gracefully
+`wolfProvider/hostap/hostap-hostap_2_11-wolfprov-fips.patch` is the FIPS
+variant. It includes the changes above and additionally removes hwsim tests
+that require AES Key Wrap, which wolfProvider FIPS does not expose via the
+OpenSSL provider EVP cipher fetch interface. WPA2's 4-way handshake
+(message 3/4) encrypts the GTK with AES Key Wrap, so the affected tests
+cannot pass under FIPS. Removed:
+
+- `test_ap_wpa2_psk` (`tests/hwsim/test_ap_psk.py`)
+- `test_ap_wpa2_eap_tls` (`tests/hwsim/test_ap_eap.py`)
+- `test_ap_wpa2_eap_ttls_eap_gtc` (`tests/hwsim/test_ap_eap.py`)
+- `test_ap_wpa2_eap_peap_eap_tls` (`tests/hwsim/test_ap_eap.py`)
+
+`wolfProvider/hostap/hostap-main-wolfprov.patch` is the equivalent non-FIPS
+patch for hostap `main`. It points the default and legacy provider loads in
+`src/crypto/crypto_openssl.c` and the `pkcs11` provider load in
+`src/crypto/tls_openssl.c` at `libwolfprov`, and makes the same `crda` call
+non-fatal.

wolfProvider/hostap/hostap-hostap_2_11-wolfprov-fips.patch

@@ -0,0 +1,113 @@
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 2d8ff60..1bb28b6 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -196,7 +196,7 @@ void openssl_load_legacy_provider(void)
+ 	if (openssl_legacy_provider)
+ 		return;
+
+-	openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
++	openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "libwolfprov", 1);
+ #endif /* OpenSSL version >= 3.0 */
+ }
+
+diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
+index f8e75b5..3820ae0 100644
+--- a/tests/hwsim/test_ap_eap.py
++++ b/tests/hwsim/test_ap_eap.py
+@@ -2000,16 +2000,6 @@ def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
+         dev[2].request("REMOVE_NETWORK all")
+         dev[2].wait_disconnected()
+
+-def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
+-    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
+-    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+-    hapd = hostapd.add_ap(apdev[0], params)
+-    eap_connect(dev[0], hapd, "TTLS", "user",
+-                anonymous_identity="ttls", password="password",
+-                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
+-    hwsim_utils.test_connectivity(dev[0], hapd)
+-    eap_reauth(dev[0], "TTLS")
+-
+ def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
+     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
+     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+@@ -2548,17 +2538,6 @@ def test_ap_wpa2_eap_peap_eap_gtc(dev, apdev, params):
+                 anonymous_identity="peap", password="password",
+                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC")
+
+-def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
+-    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
+-    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+-    hapd = hostapd.add_ap(apdev[0], params)
+-    eap_connect(dev[0], hapd, "PEAP", "cert user",
+-                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
+-                ca_cert2="auth_serv/ca.pem",
+-                client_cert2="auth_serv/user.pem",
+-                private_key2="auth_serv/user.key")
+-    eap_reauth(dev[0], "PEAP")
+-
+ def test_ap_wpa2_eap_peap_eap_vendor(dev, apdev):
+     """WPA2-Enterprise connection using EAP-PEAP/EAP-vendor"""
+     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+@@ -2566,15 +2545,6 @@ def test_ap_wpa2_eap_peap_eap_vendor(dev, apdev):
+     eap_connect(dev[0], hapd, "PEAP", "vendor-test-2",
+                 ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST")
+
+-def test_ap_wpa2_eap_tls(dev, apdev):
+-    """WPA2-Enterprise connection using EAP-TLS"""
+-    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+-    hapd = hostapd.add_ap(apdev[0], params)
+-    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
+-                client_cert="auth_serv/user.pem",
+-                private_key="auth_serv/user.key")
+-    eap_reauth(dev[0], "TLS")
+-
+ def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
+     """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
+     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+diff --git a/tests/hwsim/test_ap_psk.py b/tests/hwsim/test_ap_psk.py
+index 9655093..82e5d5c 100644
+--- a/tests/hwsim/test_ap_psk.py
++++ b/tests/hwsim/test_ap_psk.py
+@@ -35,27 +35,6 @@ def check_mib(dev, vals):
+             raise Exception("Unexpected {} = {} (expected {})".format(v[0], mib[v[0]], v[1]))
+
+ @remote_compatible
+-def test_ap_wpa2_psk(dev, apdev):
+-    """WPA2-PSK AP with PSK instead of passphrase"""
+-    ssid = "test-wpa2-psk"
+-    passphrase = 'qwertyuiop'
+-    psk = '602e323e077bc63bd80307ef4745b754b0ae0a925c2638ecd13a794b9527b9e6'
+-    params = hostapd.wpa2_params(ssid=ssid)
+-    params['wpa_psk'] = psk
+-    hapd = hostapd.add_ap(apdev[0], params)
+-    key_mgmt = hapd.get_config()['key_mgmt']
+-    if key_mgmt.split(' ')[0] != "WPA-PSK":
+-        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
+-    dev[0].connect(ssid, raw_psk=psk, scan_freq="2412")
+-    dev[1].connect(ssid, psk=passphrase, scan_freq="2412")
+-
+-    sig = dev[0].request("SIGNAL_POLL").splitlines()
+-    pkt = dev[0].request("PKTCNT_POLL").splitlines()
+-    if "FREQUENCY=2412" not in sig:
+-        raise Exception("Unexpected SIGNAL_POLL value: " + str(sig))
+-    if "TXBAD=0" not in pkt:
+-        raise Exception("Unexpected TXBAD value: " + str(pkt))
+-
+ def test_ap_wpa2_psk_file(dev, apdev):
+     """WPA2-PSK AP with PSK from a file"""
+     ssid = "test-wpa2-psk"
+diff --git a/tests/hwsim/vm/inside.sh b/tests/hwsim/vm/inside.sh
+index 31dfb9d..424b48b 100755
+--- a/tests/hwsim/vm/inside.sh
++++ b/tests/hwsim/vm/inside.sh
+@@ -163,7 +163,7 @@ else
+ 	# some tests need CRDA, install a simple uevent helper
+ 	# and preload the 00 domain it will have asked for already
+ 	echo $TESTDIR/vm/uevent.sh > /sys/kernel/uevent_helper
+-	COUNTRY=00 crda
++	COUNTRY=00 crda || true
+
+ 	mkdir -p /var/run/dbus
+ 	touch /var/run/dbus/hwsim-test

wolfProvider/hostap/hostap-hostap_2_11-wolfprov.patch

@@ -0,0 +1,26 @@
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 2d8ff60..1bb28b6 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -196,7 +196,7 @@ void openssl_load_legacy_provider(void)
+ 	if (openssl_legacy_provider)
+ 		return;
+
+-	openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "legacy", 1);
++	openssl_legacy_provider = OSSL_PROVIDER_try_load(NULL, "libwolfprov", 1);
+ #endif /* OpenSSL version >= 3.0 */
+ }
+
+diff --git a/tests/hwsim/vm/inside.sh b/tests/hwsim/vm/inside.sh
+index 31dfb9d..424b48b 100755
+--- a/tests/hwsim/vm/inside.sh
++++ b/tests/hwsim/vm/inside.sh
+@@ -163,7 +163,7 @@ else
+ 	# some tests need CRDA, install a simple uevent helper
+ 	# and preload the 00 domain it will have asked for already
+ 	echo $TESTDIR/vm/uevent.sh > /sys/kernel/uevent_helper
+-	COUNTRY=00 crda
++	COUNTRY=00 crda || true
+
+ 	mkdir -p /var/run/dbus
+ 	touch /var/run/dbus/hwsim-test

wolfProvider/krb5/krb5-1.20.1-final-wolfprov-fips.patch

@@ -1613,19 +1613,64 @@ index 8c3317fe4..c5b3230a4 100644
 
  TESTDEPS=t_test.o $(KRB5_BASE_DEPLIBS)
  TESTLIBS=t_test.o $(KRB5_BASE_LIBS)
-diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
-index e4b560fb8..4c25b9d42 100644
---- a/src/lib/krb5/krb/Makefile.in
-+++ b/src/lib/krb5/krb/Makefile.in
-@@ -361,7 +361,7 @@ SRCS=	$(srcdir)/addr_comp.c	\
- 	$(srcdir)/t_parse_host_string.c	\
- 	$(srcdir)/t_princ.c	\
- 	$(srcdir)/t_etypes.c    \
--	$(srcdir)/t_expire_warn.c \
-+	#$(srcdir)/t_expire_warn.c \
- 	$(srcdir)/t_authdata.c	\
- 	$(srcdir)/t_cc_config.c	\
- 	$(srcdir)/t_copy_context.c \
+diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py
+index e163cc7..2b56d8f 100755
+--- a/src/lib/krb5/krb/t_expire_warn.py
++++ b/src/lib/krb5/krb/t_expire_warn.py
+@@ -26,41 +26,41 @@ from k5test import *
+ realm = K5Realm(create_user=False, create_host=False)
+
+ # Create principals with various password expirations.
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', 'noexpire'])
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '30 minutes',
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', 'noexpire'])
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', '-pwexpire', '30 minutes',
+            'minutes'])
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '12 hours',
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', '-pwexpire', '12 hours',
+            'hours'])
+-realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days'])
++realm.run([kadminl, 'addprinc', '-pw', 'password-test12', '-pwexpire', '3 days', 'days'])
+
+ # Check for expected prompter warnings when no expire callback is used.
+-output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0', '0'])
++output = realm.run(['./t_expire_warn', 'noexpire', 'password-test12', '0', '0'])
+ if output:
+     fail('Unexpected output for noexpire')
+-realm.run(['./t_expire_warn', 'minutes', 'pass', '0', '0'],
++realm.run(['./t_expire_warn', 'minutes', 'password-test12', '0', '0'],
+           expected_msg=' less than one hour on ')
+-realm.run(['./t_expire_warn', 'hours', 'pass', '0', '0'],
++realm.run(['./t_expire_warn', 'hours', 'password-test12', '0', '0'],
+           expected_msg=' hours on ')
+-realm.run(['./t_expire_warn', 'days', 'pass', '0', '0'],
++realm.run(['./t_expire_warn', 'days', 'password-test12', '0', '0'],
+           expected_msg=' days on ')
+ # Try one case with the stepwise interface.
+-realm.run(['./t_expire_warn', 'days', 'pass', '0', '1'],
++realm.run(['./t_expire_warn', 'days', 'password-test12', '0', '1'],
+           expected_msg=' days on ')
+
+ # Check for expected expire callback behavior.  These tests are
+ # carefully agnostic about whether the KDC supports last_req fields,
+ # and could be made more specific if last_req support is added.
+-output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '1', '0'])
++output = realm.run(['./t_expire_warn', 'noexpire', 'password-test12', '1', '0'])
+ if 'password_expiration = 0\n' not in output or \
+         'account_expiration = 0\n' not in output or \
+         'is_last_req = ' not in output:
+     fail('Expected callback output not seen for noexpire')
+-output = realm.run(['./t_expire_warn', 'days', 'pass', '1', '0'])
++output = realm.run(['./t_expire_warn', 'days', 'password-test12', '1', '0'])
+ if 'password_expiration = ' not in output or \
+         'password_expiration = 0\n' in output:
+     fail('Expected non-zero password expiration not seen for days')
+ # Try one case with the stepwise interface.
+-output = realm.run(['./t_expire_warn', 'days', 'pass', '1', '1'])
++output = realm.run(['./t_expire_warn', 'days', 'password-test12', '1', '1'])
+ if 'password_expiration = ' not in output or \
+         'password_expiration = 0\n' in output:
+     fail('Expected non-zero password expiration not seen for days')
 diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py
 index 3c9168591..0529b6729 100644
 --- a/src/lib/krb5/krb/t_get_etype_info.py

wolfProvider/libfido2/README.md

@@ -1,3 +1,3 @@
-`wolfProvider/libfido2/libfido2-FIPS-1.15.0-wolfprov.patch` adds testing support 
+`wolfProvider/libfido2/libfido2-1.15.0-wolfprov-fips.patch` adds testing support 
 for libfido2 with FIPS wolfprovider. To use this patch make sure to set the flag
 `HAVE_FIPS` to `ON` when configuring libfido2. This will disable EdDSA tests.

wolfProvider/liboauth2/README.md

@@ -1,4 +1,4 @@
-`liboauth2-FIPS-v1.4.5.4-wolfprov.patch` adds testing support for liboauth2 
+`liboauth2-v1.4.5.4-wolfprov-fips.patch` adds testing support for liboauth2 
 `v1.4.5.4` with FIPS wolfprovider. To use this patch make sure to configure liboauth2 
 with `--enable-wolfprov-fips`. This will disable problematic tests in Docker/valgrind.