tests: skip RsaDecisionCoverage under the self-test module

The PRB-CAVP-selftest-v2 leg (./configure --enable-selftest=v2, which overlays
frozen wolfCrypt 4.1.0 crypto) failed in test_wc_RsaDecisionCoverage.

Reproduced against that exact build; the failing assertion is:

    tests/api/test_rsa.c:1474
      ExpectIntEQ(wc_RsaSetRNG(&key, NULL), BAD_FUNC_ARG)   /* got 0 */

So the assertion is correct for current wolfCrypt but not part of the frozen
self-test module's contract. This test's whole purpose is MC/DC of the *open*
wolfcrypt/src/rsa.c decision branches, which is not even the rsa.c compiled
under --enable-selftest, so under self-test it measures nothing and only risks
divergent error codes like this one. The sibling key-gen/decision tests in this
file (test_wc_CheckProbablePrime, the RsaKeyGeneration group) exclude
HAVE_SELFTEST for the same reason; do so here too.

Guard the whole function rather than the single assertion: none of it counts
toward the (open-build) MC/DC campaign under self-test, and a whole-function
guard is robust against any other frozen-vs-current divergence in the same
body. HAVE_FIPS is intentionally left running -- that (newer) module honours
these decisions (and excludes the WC_RSA_BLINDING wc_RsaSetRNG block anyway),
and the open MC/DC campaign builds are unaffected.

Verified: with the guard, the test is cleanly skipped under --enable-selftest=v2
(test index 365, matching CI); the open build still runs and passes it.
This commit is contained in:
Daniele Lacamera
2026-07-07 11:29:03 +02:00
parent b680985328
commit b9925e72f7
+11 -1
View File
@@ -1418,8 +1418,18 @@ int test_wc_RsaKeyToDer_SizeOverflow(void)
int test_wc_RsaDecisionCoverage(void)
{
EXPECT_DECLS;
/* This function asserts wolfcrypt/src/rsa.c *internal* decision outcomes
* (short-buffer RSA_BUFFER_E, invalid pad-type, OAEP-vs-PKCSv15 padding
* mismatch) whose whole value is MC/DC of the open wolfCrypt rsa.c. Under the
* frozen self-test module that rsa.c is not the code being exercised, so these
* error-code decisions are not part of its contract and can legitimately
* differ. The sibling key-gen/decision tests in this file (e.g.
* test_wc_CheckProbablePrime, the RsaKeyGeneration group) exclude HAVE_SELFTEST
* for the same reason; do so here too. HAVE_FIPS is intentionally left running:
* that (newer) module honours these decisions and the campaign gains coverage
* from it. */
#if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \
!defined(WOLFSSL_RSA_PUBLIC_ONLY)
!defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(HAVE_SELFTEST)
RsaKey key;
WC_RNG rng;
const char inStr[] = TEST_STRING;