ci: fix nightly Sanitizers + Interop failures#8
Merged
Conversation
wolfSSL master's wc_port.h defines XFENCE() as C11 atomic_thread_fence(), which GCC rejects under -fsanitize=thread with the -Wtsan diagnostic "atomic_thread_fence is not supported with -fsanitize=thread". wolfSSL's default GCC build enables -Werror, so this aborts the full-tsan wolfSSL build (in random.c/kdf.c via ForceZero's XFENCE) before any test runs. Append -Wno-error=tsan to the full-tsan CFLAGS to demote that diagnostic back to a warning. It precedes wolfSSL's trailing -Werror on the command line, and an explicit -Wno-error= survives a later bare -Werror, so the build completes with the warning still visible. Verified on GCC: the unpatched build fails at wc_port.h:1941, the patched build compiles and installs cleanly.
The openssl interop test drove EST over plaintext http://, which wolfcert-client refuses (EST mandates TLS, RFC 7030), so the job failed on its first scheduled run. Stand wolfcert-server up behind TLS with a throwaway CA + server cert (SAN localhost/127.0.0.1) that the client trusts via --trust, exercising wolfCert's real TLS transport. Also: - Rename openssl_cms.sh -> openssl_pkcs7_xcheck.sh: the test never used `openssl cms`; it cross-checks with x509/pkcs7/pkey/req/verify. - Enroll across the full client key-type matrix (RSA, ECC P-256/384/521, Ed25519, Ed448, and ML-DSA when OpenSSL >= 3.5) rather than only ecc:256. For each: verify the issued cert chains to the CA, the emitted private key parses, and its public half matches the certificate. - Pin the job to ubuntu-26.04 (OpenSSL 3.5.5) so the ML-DSA path is covered; the script probes for support and degrades to classical/EdDSA on older OpenSSL rather than failing. - Encode/decode base64 via `openssl base64` so the script is portable (the base64(1) CLI differs between GNU and BSD/macOS).
The D2 case (wolfcert-client enroll against micromdm scepserver) fails because wolfSSL's wc_PKCS7_VerifySignedData rejects micromdm's CertRep with SIG_VERIFY_E: micromdm's SignerInfo digestAlgorithm omits the SHA NULL params while its RSA signature covers a NULL-present DigestInfo, so wolfSSL rebuilds the comparison DigestInfo from the wrong encoding and it never matches. This is an upstream wolfSSL PKCS#7 bug, not fixable in wolfCert. Wrap D2 in the same tolerant `set +e` / rc-check pattern D1 already uses so the interop job stays green on this known gap. It self-heals to PASS once the wolfSSL fix reaches master (the enroll then succeeds), while a different failure (wrong subject, broken chain) still fails the job loudly. The otherwise-hidden wolfcert-client.log "detail" line is now surfaced in the KNOWN-FAIL output.
JacobBarthelmeh
approved these changes
Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The first scheduled runs of the nightly Sanitizers and Interop workflows both failed. This branch fixes them. CI-only — no library or source changes, independent of the SCEP work.
Changes
-fsanitize=thread: GCC's-Wtsanfires onwc_port.h's C11atomic_thread_fence()and wolfSSL's default-Werrormakes it fatal. Append-Wno-error=tsanto thefull-tsanCFLAGS. Verified on real GCC (fails without, builds + installs with).http://, which the client rejects (EST mandates TLS, RFC 7030). Now stands the server up behind TLS (throwaway CA +--trust). Also: renamedopenssl_cms.sh→openssl_pkcs7_xcheck.sh(it never usedopenssl cms); enroll across the full key-type matrix (RSA, ECC P-256/384/521, Ed25519, Ed448, and ML-DSA when OpenSSL ≥ 3.5) and check each cert + private key with OpenSSL; pinned toubuntu-26.04(OpenSSL 3.5.5) so ML-DSA is covered.KNOWN-FAIL(same tolerant pattern D1 already uses). It fails on an upstream wolfSSL PKCS#7 bug (wc_PKCS7_VerifySignedDatareturnsSIG_VERIFY_E: micromdm's SignerInfo digestAlgorithm omits the NULL params while its RSA signature covers a NULL-present DigestInfo, so wolfSSL rebuilds the wrong comparison DigestInfo). Not fixable in wolfCert. D2 self-heals to PASS once the wolfSSL fix reaches master; any other failure still fails loudly.Verification
wc_port.h, patched builds clean.openssl_pkcs7_xcheck.shpasses end-to-end locally across all key types (incl. ML-DSA on OpenSSL 3.6).