From 2159b15a66bdaf09271f058d7c9735fe64d63606 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 7 Jul 2026 19:34:04 +0200 Subject: [PATCH] tests: keep test_wolfSSL_X509V3_EXT OPENSSL_ALL-only PRB-generic-config-parser failed in test_wolfSSL_X509V3_EXT under an OPENSSL_EXTRA (non-OPENSSL_ALL) config: test_ossl_x509_ext.c:1519 ExpectIntEQ(actual, 0) /* got -5 */ The function walks the OCSP root CA's extensions by hardcoded index (i=0 basic constraints, i=1 subject key id, i=2 authority key id, ...) and asserts fixed values. The strcmp result -5 is exactly '2'-'7': the i=1 i2s produced the authority-key-id value ("27:8E:...") instead of the subject-key-id ("73:B0:..."), i.e. the stored-extension order differs in OPENSSL_EXTRA-only builds, so the index assumption breaks. On master this test is gated on OPENSSL_ALL; the MC/DC campaign commit (bc92090b3) over-widened it to (OPENSSL_EXTRA || OPENSSL_ALL) when splitting api.c. Revert just this function's guard to OPENSSL_ALL. The by-NID test_wolfSSL_X509V3_EXT_aia above keeps its OPENSSL_EXTRA widening (that is the one the AIA leak fix needed, and it looks extensions up by NID so it is order-independent). Verified: skipped under --enable-opensslextra (no longer runs/fails there), runs and passes under --enable-all. --- tests/api/test_ossl_x509_ext.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/api/test_ossl_x509_ext.c b/tests/api/test_ossl_x509_ext.c index cbceb8047d..18849b4fd6 100644 --- a/tests/api/test_ossl_x509_ext.c +++ b/tests/api/test_ossl_x509_ext.c @@ -1415,8 +1415,14 @@ int test_wolfSSL_X509V3_EXT_aia(void) int test_wolfSSL_X509V3_EXT(void) { EXPECT_DECLS; -#if !defined(NO_FILESYSTEM) && \ - (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && !defined(NO_RSA) +/* This test walks the OCSP root CA's extensions by hardcoded index (i=0 basic + * constraints, i=1 subject key id, i=2 authority key id, ...) and asserts fixed + * values. That ordering/index assumption only holds for OPENSSL_ALL builds; in + * OPENSSL_EXTRA-only configs the stored-extension order can differ, so the SKID + * i2s check reads the AKID instead and fails. Keep this test OPENSSL_ALL-only + * (its state on master); the by-NID AIA test above is the one that needed + * widening to OPENSSL_EXTRA. */ +#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) XFILE f = XBADFILE; int numOfExt = 0, nid = 0, i = 0, expected, actual = 0; char* str = NULL;