From 506a8649e9478e6a75e46a4127964d954df2f2cc Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Thu, 18 Jun 2026 00:26:22 -0600
Subject: [PATCH 1/2] add macro guard around new test case for specific builds

---
 tests/api/test_ecc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tests/api/test_ecc.c b/tests/api/test_ecc.c
index c6f7cb9ecea..7ac7d1fb7e7 100644
--- a/tests/api/test_ecc.c
+++ b/tests/api/test_ecc.c
@@ -579,7 +579,10 @@ int test_wc_ecc_shared_secret(void)
 } /* END tests_wc_ecc_shared_secret */

 #if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \
- (defined(HAVE_ECC384) || defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES))
+ (defined(HAVE_ECC384) || defined(HAVE_ECC521) || \
+ defined(HAVE_ALL_CURVES)) && \
+ (!defined(WOLFSSL_SP_521) || \
+ ((!defined(HAVE_FIPS) || FIPS_VERSION_GT(7,0)) && !defined(HAVE_SELFTEST)))
 /* Verify the output-buffer size contract of wc_ecc_shared_secret() at the
 * field-size boundary. The single-precision (SP) math secret generators for
 * P-384/P-521 historically validated the caller's buffer against the wrong
@@ -655,7 +658,10 @@ int test_wc_ecc_shared_secret_size_bounds(void)
 {
 EXPECT_DECLS;
 #if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \
- (defined(HAVE_ECC384) || defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES))
+ (defined(HAVE_ECC384) || defined(HAVE_ECC521) || \
+ defined(HAVE_ALL_CURVES)) && \
+ (!defined(WOLFSSL_SP_521) || \
+ ((!defined(HAVE_FIPS) || FIPS_VERSION_GT(7,0)) && !defined(HAVE_SELFTEST)))
 WC_RNG rng;
 int rngInit = 0;

From 100142863755e78dc3fb04fd1f3e2f7b823f330c Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Thu, 18 Jun 2026 08:20:33 -0600
Subject: [PATCH 2/2] adjust test case macro guard for ALLOW_INVALID_CERTSIGN builds

---
 tests/api/test_ossl_x509_str.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
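Review bot: In tests/api/test_ecc.c the new exclusion keys only on `WOLFSSL_SP_521`, although the comment directly below the guard says the SP secret generators for both P-384 and P-521 validated the caller's buffer against the wrong size. If the frozen FIPS/selftest code carries the P-384 variant as well, a build with `WOLFSSL_SP_384` but without `WOLFSSL_SP_521` would still run the size-bounds test against it; in that case the first operand could read `(!(defined(WOLFSSL_SP_384) || defined(WOLFSSL_SP_521)) || \`. The guard also has no comment saying why these builds are skipped, so a reader cannot tell that an output-buffer bounds check goes untested there; if the reason is that those modules predate the fix, a line such as `/* FIPS <= v7.0 and selftest builds keep the older SP size check, so skip */` above the `#if` would record it. The identical expression is repeated in the second hunk inside test_wc_ecc_shared_secret_size_bounds(), and both guarded regions continue past the hunks.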
diff --git a/tests/api/test_ossl_x509_str.c b/tests/api/test_ossl_x509_str.c
index 21f4d81d4e3..01deabf8e18 100644
--- a/tests/api/test_ossl_x509_str.c
+++ b/tests/api/test_ossl_x509_str.c
@@ -1510,7 +1510,7 @@ int test_X509_verify_cert_untrusted_inter(void)
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
 defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && \
 !defined(NO_SHA256) && defined(USE_CERT_BUFFERS_2048) && \
- !defined(NO_ASN_TIME)
+ !defined(NO_ASN_TIME) && !defined(ALLOW_INVALID_CERTSIGN)
 /* Build a CA:TRUE intermediate signed by the 2048-bit test root
 * (ca_cert_der_2048 / ca_key_der_2048). keyUsage == NULL omits the KeyUsage
 * extension entirely. Returns the DER length, or <= 0 on failure. */
@@ -1619,7 +1619,9 @@ int test_X509_verify_cert_ca_no_keycertsign(void)
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
 defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && \
 !defined(NO_SHA256) && defined(USE_CERT_BUFFERS_2048) && \
- !defined(NO_ASN_TIME)
+ !defined(NO_ASN_TIME) && !defined(ALLOW_INVALID_CERTSIGN)
+ /* ALLOW_INVALID_CERTSIGN disables the keyCertSign enforcement that Case 1
+ * relies on, so the test is only meaningful when it is not defined. */
 WC_RNG rng;
 RsaKey caKey, intKey, leafKey;
 int rngI = 0, caI = 0, intI = 0, leafI = 0;
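Review bot: In test_X509_verify_cert_ca_no_keycertsign() the added `!defined(ALLOW_INVALID_CERTSIGN)` compiles out the entire test body, while the new comment says only Case 1 depends on keyCertSign enforcement. If the remaining cases (not visible in this hunk) still hold in such builds, wrapping just Case 1 in `#ifndef ALLOW_INVALID_CERTSIGN` would keep their chain-verification coverage; otherwise the comment could state that every case depends on the enforcement. The matching guard in the first hunk, above the intermediate-building helper, carries no comment; assuming the helper is excluded only because its callers are, `/* only used by tests that need keyCertSign enforcement */` there would explain it. Both guarded regions extend beyond the hunks.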