Guard test_wrong_cs_downgrade on SHA-384 cipher suite; enable SHA disables in minimal DTLS os-check build

julek-wolfssl · julek-wolfssl · commit aff7885baffc · 2026-05-28T19:36:19.000Z
diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
@@ -117,14 +117,14 @@ jobs:
           # variants of mod_exp_<words>_nb / RSA / DH wrappers.
           '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"',
           '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
-          # Minimal DTLS 1.3 client-only build. The SHA-224/384/512/3
-          # disables are deliberately omitted: --disable-sha384 alone
-          # trips a pre-existing wolfSSL bug in
-          # test_tls13_duplicate_extension (reproducible on clean master).
+          # Minimal DTLS 1.3 client-only build with the SHA-224/384/512/3
+          # hash families disabled. SHA-256 (used by TLS_AES_128_GCM_SHA256)
+          # and SHA-1 remain enabled.
           '--enable-dtls13 --disable-tlsv12 --disable-oldtls --disable-rsa --disable-dh
             --disable-aescbc --disable-aesecb --disable-md5 --disable-chacha
             --disable-poly1305 --disable-errorstrings --disable-asn-print
             --disable-eccshamir --disable-base64encode --disable-coding --disable-sni
+            --disable-sha224 --disable-sha384 --disable-sha512 --disable-sha3
             --enable-aesgcm=small --enable-sp-math --enable-sp=smallec256 --disable-sp-asm
             CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE
             -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO
diff --git a/tests/api.c b/tests/api.c
@@ -33475,7 +33475,8 @@ static int test_extra_alerts_wrong_cs(void)
 #endif
 
 #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) &&   \
-    defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_AES_256)
+    defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_AES_256) && \
+    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
 
 #define TEST_CS_DOWNGRADE_CLIENT "ECDHE-RSA-AES256-GCM-SHA384"
 
