From b6ca8e1661610963343a01113c2b63de2050e283 Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Mon, 25 May 2026 09:04:31 -0700
Subject: [PATCH 1/4] Bake RPATH into OpenSSL build so binaries self-locate libssl/libcrypto
Adds -Wl,-rpath flags for both lib and lib64 to OPENSSL_LDFLAGS default, and canonicalizes OPENSSL_INSTALL_DIR with realpath -m to avoid embedding a '..' segment in the baked rpath. The OpenSSL CLI binary (openssl-install/bin/openssl) now finds its sibling libssl/libcrypto without depending on LD_LIBRARY_PATH or on env-setup having been sourced. Callers passing OPENSSL_LDFLAGS still override the default.
---
scripts/utils-openssl.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/utils-openssl.sh b/scripts/utils-openssl.sh
index 5285aa7a..5d7d93cc 100755
--- a/scripts/utils-openssl.sh
+++ b/scripts/utils-openssl.sh
@@ -28,13 +28,13 @@ source ${SCRIPT_DIR}/utils-general.sh
 OPENSSL_GIT_URL="https://github.com/openssl/openssl.git"
 OPENSSL_TAG=${OPENSSL_TAG:-"openssl-3.5.4"}
 OPENSSL_SOURCE_DIR=${SCRIPT_DIR}/../openssl-source
-OPENSSL_INSTALL_DIR=${SCRIPT_DIR}/../openssl-install
+OPENSSL_INSTALL_DIR=$(cd "${SCRIPT_DIR}/.." && pwd -P)/openssl-install
 OPENSSL_BIN=${OPENSSL_INSTALL_DIR}/bin/openssl
 OPENSSL_TEST=${OPENSSL_SOURCE_DIR}/test
 OPENSSL_LIB_DIRS="${OPENSSL_INSTALL_DIR}/lib:${OPENSSL_INSTALL_DIR}/lib64"
 OPENSSL_CFLAGS=${OPENSSL_CFLAGS:-""}
 OPENSSL_CXXFLAGS=${OPENSSL_CXXFLAGS:-""}
-OPENSSL_LDFLAGS=${OPENSSL_LDFLAGS:-""}
+OPENSSL_LDFLAGS=${OPENSSL_LDFLAGS:-"-Wl,-rpath,${OPENSSL_INSTALL_DIR}/lib -Wl,-rpath,${OPENSSL_INSTALL_DIR}/lib64"}
 NUMCPU=${NUMCPU:-8}
 WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}
From 5599bed542084a82524312e0920339f70b8706b2 Mon Sep 17 00:00:00 2001
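Review bot: The new `OPENSSL_INSTALL_DIR=$(cd "${SCRIPT_DIR}/.." && pwd -P)/openssl-install` degrades silently if the `cd` does not succeed: the substitution expands to empty and every derived value (OPENSSL_BIN, OPENSSL_LIB_DIRS and the rpath now baked into OPENSSL_LDFLAGS) then points under a root-level `/openssl-install`. Given that the wolfSSL counterpart in this series does `rm -rf ${WOLFSSL_INSTALL_DIR}` on its install dir, a wrong absolute path here is worth failing on: `OPENSSL_INSTALL_DIR=$(cd "${SCRIPT_DIR}/.." && pwd -P) || { printf 'cannot resolve %s/..\n' "$SCRIPT_DIR" >&2; exit 1; }` followed by `OPENSSL_INSTALL_DIR=${OPENSSL_INSTALL_DIR}/openssl-install`. The description says the path is canonicalized with `realpath -m`, but the hunk uses `cd && pwd -P`, which also resolves symlinks; a comment on the line, `# absolute, symlink-resolved so the rpath below carries no '..' segment`, would record which behaviour is intended. The rpath flags in OPENSSL_LDFLAGS are presumably word-split by the OpenSSL configure step, so an install path containing whitespace would break them; a comment stating that assumption belongs on that line.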
From: Aidan Garske
Date: Mon, 25 May 2026 09:42:21 -0700
Subject: [PATCH 2/4] Dump FIPS check script log on failure for actionable error reporting
When fips-check-PILOT.sh or fips-check.sh exits non-zero, cat the captured log to stdout instead of leaving the user with just the rc value and a log file they may not have access to (e.g. inside a Jenkins workspace). The preceding redirect on line 229 uses single '>' so LOG_FILE at this point contains only the failed script's output. Diagnostic-only change; success path is unchanged.
---
scripts/utils-wolfssl.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
index 9a79bfca..59adc926 100644
--- a/scripts/utils-wolfssl.sh
+++ b/scripts/utils-wolfssl.sh
@@ -235,6 +235,11 @@ install_wolfssl() {
 fi
 if [ $RET_CODE != 0 ]; then
 printf "ERROR checking out FIPS (return code: $RET_CODE)\n"
+ if [ -f "$LOG_FILE" ]; then
+ printf "\n--- %s output: ---\n" "$fips_check_script"
+ cat "$LOG_FILE"
+ printf "--- end %s output ---\n\n" "$fips_check_script"
+ fi
 rm -rf ${WOLFSSL_INSTALL_DIR}
 do_cleanup
 exit 1
From 190b6d03fdd84059937bd797d235c9c5e732a2df Mon Sep 17 00:00:00 2001
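Review bot: The added log dump goes to stdout (`cat "$LOG_FILE"` and both banner lines), so a caller that captures this script's stdout — a CI step or a `$(...)` substitution — receives the whole FIPS check log mixed into its data rather than on the error stream; the same applies to the reworked banner lines in patch 4/4. Redirecting the block once keeps the change diagnostic-only: `if [ -f "$LOG_FILE" ]; then` … `fi >&2`, or `cat -- "$LOG_FILE" >&2` with `>&2` on each banner. The description's claim that the earlier `>` redirect leaves only the failed script's output in LOG_FILE cannot be checked from this hunk because that redirect is outside it; a comment at the `cat`, `# LOG_FILE was truncated by the '>' redirect above, so this is only the FIPS check output`, would tie that assumption to the code. install_wolfssl() starts before and ends after this hunk.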
From: Aidan Garske
Date: Mon, 25 May 2026 09:54:44 -0700
Subject: [PATCH 3/4] Resolve WOLFSSL_TAG default dynamically instead of hand-bumping
The hardcoded v5.8.4-stable default kept the 'default' FIPS scripts test config pinned to an old wolfSSL whose headers no longer satisfy the v5.2.4 FIPS overlay (XXX-fips-test references WC_MIN_DIGEST_SIZE, which only exists from v5.9.0-stable on). Rather than play tag-bump roulette every release, walk a small resolution ladder:
1. WOLFSSL_TAG (explicit caller override) - unchanged
2. WOLFSSL_LATEST - set by the Jenkinsfile 'Resolve versions' stage, so CI gets the dynamic value with zero extra HTTP cost
3. GitHub releases/latest API - for local dev runs without Jenkins
4. v5.9.1-stable hardcoded floor - only used if all of the above fail (e.g. GitHub unreachable), so the script remains buildable offline
---
scripts/utils-wolfssl.sh | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
index 59adc926..a3ab78de 100644
--- a/scripts/utils-wolfssl.sh
+++ b/scripts/utils-wolfssl.sh
@@ -22,7 +22,22 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 source ${SCRIPT_DIR}/utils-general.sh
 WOLFSSL_GIT=${WOLFSSL_GIT:-"https://github.com/wolfSSL/wolfssl.git"}
-WOLFSSL_TAG=${WOLFSSL_TAG:-"v5.8.4-stable"}
+# Resolve WOLFSSL_TAG dynamically so we don't have to hand-bump on every release.
+# Order: explicit WOLFSSL_TAG (caller override) -> WOLFSSL_LATEST (Jenkins "Resolve
+# versions" stage already sets this with zero extra HTTP cost) -> GitHub releases
+# API (for local runs without Jenkins) -> hardcoded floor as a last-resort safety
+# net in case GitHub is unreachable.
+if [ -z "$WOLFSSL_TAG" ]; then
+ if [ -n "$WOLFSSL_LATEST" ]; then
+ WOLFSSL_TAG="$WOLFSSL_LATEST"
+ else
+ WOLFSSL_TAG=$(curl -fsSL https://api.github.com/repos/wolfSSL/wolfssl/releases/latest 2>/dev/null \
+ | grep -oE '"tag_name"[[:space:]]*:[[:space:]]*"[^"]+"' \
+ | head -1 \
+ | sed -E 's/.*"([^"]+)"$/\1/')
+ fi
+fi
+WOLFSSL_TAG="${WOLFSSL_TAG:-v5.9.1-stable}"
 WOLFSSL_SOURCE_DIR=${SCRIPT_DIR}/../wolfssl-source
 WOLFSSL_INSTALL_DIR=${SCRIPT_DIR}/../wolfssl-install
 WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0}
From 3881f28c9d9c9309f82923b23cf2d6b979fa335d Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Mon, 25 May 2026 09:54:44 -0700
Subject: [PATCH 4/4] Fix bash printf misreading '---' as option in FIPS log dump
The leading '---' in the second printf format string makes bash bail with 'printf: --: invalid option' (the first call survived because of a leading newline). Switch to echo, which has no equivalent parsing surprise for content starting with dashes, and use '==>' markers in the captured log.
---
scripts/utils-wolfssl.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
index a3ab78de..ea789733 100644
--- a/scripts/utils-wolfssl.sh
+++ b/scripts/utils-wolfssl.sh
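Review bot: The value extracted from the GitHub API in the `else` branch is accepted as-is, so whatever string the `grep`/`sed` pipeline yields becomes the default checkout ref; only the explicit caller override should be free-form, while the network-derived value should be constrained to the tag shape the script expects before it is used. With a shape check, a proxy error page or an API response change falls through to the `v5.9.1-stable` floor instead of producing an unexpected ref, and logging which value was chosen makes a build reproducible after the fact now that the default moves with upstream releases. If this file is ever sourced under `set -u`, `[ -z "$WOLFSSL_TAG" ]` on an unset variable aborts; `${WOLFSSL_TAG:-}` and `${WOLFSSL_LATEST:-}` avoid that. The `grep`-based JSON extraction is deliberately avoiding a `jq` dependency, I assume; a one-line comment saying so would stop a well-meant rewrite.
```shell
    else
        # … unchanged: curl | grep | head | sed pipeline assigning WOLFSSL_TAG …
        # Accept only a wolfSSL stable-release tag from the network; anything else
        # (proxy error page, API change) falls through to the hardcoded floor below.
        if [ -n "$WOLFSSL_TAG" ] && [[ ! "$WOLFSSL_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+-stable$ ]]; then
            printf "WARNING: ignoring unexpected tag from GitHub API: %s\n" "$WOLFSSL_TAG" >&2
            WOLFSSL_TAG=
        fi
    fi
fi
WOLFSSL_TAG="${WOLFSSL_TAG:-v5.9.1-stable}"
printf "Using WOLFSSL_TAG=%s\n" "$WOLFSSL_TAG" >&2
```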
@@ -251,9 +251,11 @@ install_wolfssl() {
 if [ $RET_CODE != 0 ]; then
 printf "ERROR checking out FIPS (return code: $RET_CODE)\n"
 if [ -f "$LOG_FILE" ]; then
- printf "\n--- %s output: ---\n" "$fips_check_script"
+ echo ""
+ echo "==> $fips_check_script output:"
 cat "$LOG_FILE"
- printf "--- end %s output ---\n\n" "$fips_check_script"
+ echo "==> end $fips_check_script output"
+ echo ""
 fi
 rm -rf ${WOLFSSL_INSTALL_DIR}
 do_cleanup
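Review bot: Switching to `echo` sidesteps the option parsing but gives up the format/argument separation the surrounding code uses; the idiomatic fix keeps the data out of the format string, e.g. `printf -- '--- %s output: ---\n' "$fips_check_script"` or `printf '%s\n' "==> $fips_check_script output:"`, and does not depend on `echo` behaviour for backslashes or a leading `-` in the expanded value. As written the `==> ` prefix makes a leading dash impossible, so the `echo` form is correct here; a short comment on the first `echo`, `# echo rather than printf: a format string starting with '---' is parsed as an option`, would keep the next maintainer from reverting it. install_wolfssl() starts before and ends after this hunk.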