From b9925e72f7330ebb2b04c90d205bbbe2da53d54a Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Tue, 7 Jul 2026 11:29:03 +0200 Subject: [PATCH] tests: skip RsaDecisionCoverage under the self-test module The PRB-CAVP-selftest-v2 leg (./configure --enable-selftest=v2, which overlays frozen wolfCrypt 4.1.0 crypto) failed in test_wc_RsaDecisionCoverage. Reproduced against that exact build; the failing assertion is: tests/api/test_rsa.c:1474 ExpectIntEQ(wc_RsaSetRNG(&key, NULL), BAD_FUNC_ARG) /* got 0 */ So the assertion is correct for current wolfCrypt but not part of the frozen self-test module's contract. This test's whole purpose is MC/DC of the *open* wolfcrypt/src/rsa.c decision branches, which is not even the rsa.c compiled under --enable-selftest, so under self-test it measures nothing and only risks divergent error codes like this one. The sibling key-gen/decision tests in this file (test_wc_CheckProbablePrime, the RsaKeyGeneration group) exclude HAVE_SELFTEST for the same reason; do so here too. Guard the whole function rather than the single assertion: none of it counts toward the (open-build) MC/DC campaign under self-test, and a whole-function guard is robust against any other frozen-vs-current divergence in the same body. HAVE_FIPS is intentionally left running -- that (newer) module honours these decisions (and excludes the WC_RSA_BLINDING wc_RsaSetRNG block anyway), and the open MC/DC campaign builds are unaffected. Verified: with the guard, the test is cleanly skipped under --enable-selftest=v2 (test index 365, matching CI); the open build still runs and passes it. --- tests/api/test_rsa.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tests/api/test_rsa.c b/tests/api/test_rsa.c index f88eee8746..acfe49a49c 100644 --- a/tests/api/test_rsa.c +++ b/tests/api/test_rsa.c @@ -1418,8 +1418,18 @@ int test_wc_RsaKeyToDer_SizeOverflow(void) int test_wc_RsaDecisionCoverage(void) { EXPECT_DECLS; +/* This function asserts wolfcrypt/src/rsa.c *internal* decision outcomes + * (short-buffer RSA_BUFFER_E, invalid pad-type, OAEP-vs-PKCSv15 padding + * mismatch) whose whole value is MC/DC of the open wolfCrypt rsa.c. Under the + * frozen self-test module that rsa.c is not the code being exercised, so these + * error-code decisions are not part of its contract and can legitimately + * differ. The sibling key-gen/decision tests in this file (e.g. + * test_wc_CheckProbablePrime, the RsaKeyGeneration group) exclude HAVE_SELFTEST + * for the same reason; do so here too. HAVE_FIPS is intentionally left running: + * that (newer) module honours these decisions and the campaign gains coverage + * from it. */ #if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(WOLFSSL_RSA_PUBLIC_ONLY) + !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(HAVE_SELFTEST) RsaKey key; WC_RNG rng; const char inStr[] = TEST_STRING;