Merge pull request #10473 from douzzer/20260512-fips-gating-fixes

Frauschi · web-flow · commit 12070eb032ba · 2026-05-13T16:15:30.000+02:00
20260512-fips-gating-fixes
diff --git a/tests/api/test_dtls.c b/tests/api/test_dtls.c
@@ -1932,8 +1932,9 @@ int test_dtls13_frag_ch2_with_ch1_rtx(void)
 {
     EXPECT_DECLS;
 #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) &&                           \
-    defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS) &&                         \
-    defined(WOLFSSL_DTLS_MTU) && defined(WOLFSSL_DTLS_CH_FRAG)
+    defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS) &&                        \
+    defined(WOLFSSL_DTLS_MTU) && defined(WOLFSSL_DTLS_CH_FRAG) &&              \
+    (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
     struct test_memio_ctx test_ctx;
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -34317,6 +34317,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pbkdf2_test(void)
     if (XMEMCMP(derived, verify, sizeof(verify)) != 0)
         return WC_TEST_RET_ENC_NC;
 
+#if !defined(HAVE_SELFTEST) && \
+    (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0))
     {
         int cur_pbkdf_limit = wc_PBKDF_max_iterations_set(iterations - 1);
         if (cur_pbkdf_limit <= 0)
@@ -34340,9 +34342,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pbkdf2_test(void)
             return WC_TEST_RET_ENC_EC(ret);
         ret = 0;
     }
+#endif /* !HAVE_SELFTEST) && (!HAVE_FIPS || FIPS_VERSION3_GE(7,0,0)) */
 
     return ret;
-
 }
 #endif /* HAVE_PBKDF2 && !NO_SHA256 && !NO_HMAC */
 
@@ -34397,7 +34399,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pwdbased_test(void)
         return ret;
 #endif
 #if defined(HAVE_PKCS12) && !defined(NO_ASN) && !defined(NO_PWDBASED) && \
-    !defined(NO_HMAC) && !defined(NO_CERTS) && !defined(WOLFSSL_NO_MALLOC)
+    !defined(NO_HMAC) && !defined(NO_CERTS) && !defined(WOLFSSL_NO_MALLOC) && \
+    !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0))
     /* Test that a crafted PKCS#12 with INT_MAX MAC iterations is rejected
      * immediately rather than hanging in DoPKCS12Hash(). */
     {
@@ -34445,7 +34448,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pwdbased_test(void)
             return ret;
     }
 #endif /* HAVE_PKCS12 && !NO_ASN && !NO_PWDBASED && !NO_HMAC && !NO_CERTS && */
-       /* !WOLFSSL_NO_MALLOC                                                 */
+       /* !WOLFSSL_NO_MALLOC &&                                              */
+       /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS_VERSION_GE(7,0))             */
 #ifdef HAVE_SCRYPT
     ret = scrypt_test();
 #endif
@@ -34543,6 +34547,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_test(void)
         goto out;
     }
 
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0))
     /* Test that a crafted PKCS#12 with INT_MAX MAC iterations is rejected
      * immediately rather than hanging in DoPKCS12Hash(). This is a 90-byte
      * minimal PKCS#12 with mac->itt = 0x7FFFFFFF (2,147,483,647). */
@@ -34587,6 +34592,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t pkcs12_test(void)
             ret = 0;  /* rejection is the expected outcome */
         }
     }
+#endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) */
 
 out:
 
@@ -43255,13 +43261,16 @@ static wc_test_ret_t ecc_buffers_encrypt_test(ecc_key* cliKey, ecc_key* servKey,
     if (XMEMCMP(plain, in, inLen))
         return WC_TEST_RET_ENC_NC;
 
+#if !defined(HAVE_SELFTEST) && \
+    (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0))
     /* Negative test: corrupt HMAC tag in encrypted msg, expect
      * HASH_TYPE_E from wc_ecc_decrypt. */
     out[x - 1] ^= 0x01;
     y = 256;
     ret = wc_ecc_decrypt(servKey, tmpKey, out, x, plain, &y, NULL);
     if (ret != WC_NO_ERR_TRACE(HASH_TYPE_E))
         return WC_TEST_RET_ENC_EC(ret);
+#endif /* !HAVE_SELFTEST && (!HAVE_FIPS || FIPS_VERSION3_GE(6,0,0)) */
 
     (void)tmpKey;
     return 0;
diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h
@@ -552,7 +552,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag,
 
 #if defined(WOLFSSL_LINUXKM) || defined(WC_SYM_RELOC_TABLES) || \
     defined(WC_SYM_RELOC_TABLES_SUPPORT)
-    #include "linuxkm/linuxkm_memory.h"
+    #include "../../linuxkm/linuxkm_memory.h"
 #endif
 
 #ifdef __cplusplus
