From 838636c76b432eb8d0d745cf8787dbba950c33d7 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Mon, 2 Jun 2025 16:40:36 +0100
Subject: [PATCH 1/3] add option to not use CT code with min/max

---
 wolfcrypt/src/misc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
index 98b83c7ae..e256073ba 100644
--- a/wolfcrypt/src/misc.c
+++ b/wolfcrypt/src/misc.c
@@ -761,7 +761,8 @@ WC_MISC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
     /* returns the smaller of a and b */
     WC_MISC_STATIC WC_INLINE word32 min(word32 a, word32 b)
     {
-#if !defined(WOLFSSL_NO_CT_OPS) && defined(WORD64_AVAILABLE)
+#if !defined(WOLFSSL_NO_CT_OPS) && !defined(WOLFSSL_NO_CT_MAX_MIN) && \
+    defined(WORD64_AVAILABLE)
         word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
         return (a & ~gte_mask) | (b & gte_mask);
 #else /* WOLFSSL_NO_CT_OPS */
@@ -777,7 +778,8 @@ WC_MISC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
     #endif
     WC_MISC_STATIC WC_INLINE word32 max(word32 a, word32 b)
     {
-#if !defined(WOLFSSL_NO_CT_OPS) && defined(WORD64_AVAILABLE)
+#if !defined(WOLFSSL_NO_CT_OPS) && !defined(WOLFSSL_NO_CT_MAX_MIN) && \
+    defined(WORD64_AVAILABLE)
         word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
         return (a & gte_mask) | (b & ~gte_mask);
 #else /* WOLFSSL_NO_CT_OPS */

From c33035e6a6190af419e2c2044c78c70fc9a1bc6b Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Mon, 2 Jun 2025 15:42:52 -0600
Subject: [PATCH 2/3] add conditions to constant time mask functions

---
 wolfcrypt/src/misc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
index e256073ba..c41d08483 100644
--- a/wolfcrypt/src/misc.c
+++ b/wolfcrypt/src/misc.c
@@ -633,7 +633,13 @@ WC_MISC_STATIC WC_INLINE int ConstantCompare(const byte* a, const byte* b,
 }
 #endif
 
-#ifndef WOLFSSL_NO_CT_OPS
+
+#if defined(WOLFSSL_NO_CT_OPS) && (!defined(NO_RSA) || !defined(WOLFCRYPT_ONLY))
+/* constant time operations with mask are required for RSA and TLS operations */
+#warning constant time operations required unless using NO_RSA & WOLFCRYPT_ONLY
+#endif
+
+#if !defined(WOLFSSL_NO_CT_OPS) || !defined(NO_RSA) || !defined(WOLFCRYPT_ONLY)
 /* Constant time - mask set when a > b. */
 WC_MISC_STATIC WC_INLINE byte ctMaskGT(int a, int b)
 {

From 1c5e5313327ad23ea6efa9c2b6806e4762b18a78 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 24 Jun 2025 14:57:17 -0600
Subject: [PATCH 3/3] add new macro to known macro list

---
 .wolfssl_known_macro_extras | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index b41ed942d..3dbdfa8f9 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -744,6 +744,7 @@ WOLFSSL_NO_COPY_CERT
 WOLFSSL_NO_COPY_KEY
 WOLFSSL_NO_CRL_DATE_CHECK
 WOLFSSL_NO_CRL_NEXT_DATE
+WOLFSSL_NO_CT_MAX_MIN
 WOLFSSL_NO_DECODE_EXTRA
 WOLFSSL_NO_DER_TO_PEM
 WOLFSSL_NO_DH186