@@ -27612,25 +27612,26 @@ static wc_test_ret_t dh_fips_generate_test(WC_RNG *rng)
2761227612 if (ret != 0)
2761327613 ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_gen_test);
2761427614
27615- #ifndef WOLFSSL_NO_DH186
27615+ #if !defined(WOLFSSL_NO_DH186) && !defined(HAVE_SELFTEST) && \
27616+ !defined(HAVE_FIPS)
2761627617 /* Regression: an oversized *privSz must be rejected before
2761727618 * GeneratePrivateDh186 writes (*privSz + 8) bytes of RNG output into the
2761827619 * stack-allocated cBuf (sized DH_MAX_SIZE + 8 in non-WOLFSSL_SMALL_STACK
2761927620 * builds). The key still has q set here, so the call dispatches through
27620- * GeneratePrivateDh186. Accept BAD_FUNC_ARG from src/dh.c's bound check
27621- * or MP_VAL from the FIPS-validated module's own param validation. */
27621+ * GeneratePrivateDh186. Only exercised when the local src/dh.c bound
27622+ * check is in play (not HAVE_SELFTEST / HAVE_FIPS builds, which use
27623+ * separate validated modules). */
2762227624 {
2762327625 word32 hugePrivSz = (word32)DH_MAX_SIZE + 1;
2762427626 word32 outPubSz = sizeof(pub);
2762527627 ret = wc_DhGenerateKeyPair(key, rng, priv, &hugePrivSz, pub, &outPubSz);
2762627628 #if defined(WOLFSSL_ASYNC_CRYPT)
2762727629 ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
2762827630 #endif
27629- if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG) &&
27630- ret != WC_NO_ERR_TRACE(MP_VAL))
27631+ if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
2763127632 ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_gen_test);
2763227633 }
27633- #endif /* !WOLFSSL_NO_DH186 */
27634+ #endif /* !WOLFSSL_NO_DH186 && !HAVE_SELFTEST && !HAVE_FIPS */
2763427635
2763527636 wc_FreeDhKey(key);
2763627637 ret = wc_InitDhKey_ex(key, HEAP_HINT, devId);
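Review bot: The widened `#if` guard removes the oversized-`*privSz` regression from HAVE_SELFTEST and HAVE_FIPS builds altogether, and the rewritten comment does not say whether those validated modules reject `DH_MAX_SIZE + 1` themselves. The removed assertion accepted `MP_VAL` from the module's own parameter validation, which suggests they were expected to. If some module version does not reject it, running the call there would be unsafe and the skip is right, but the comment should then record the gap, e.g. `* NOTE: oversized *privSz handling in the FIPS/selftest modules is not covered by this test.`. If they do reject it, an `#else` branch that only requires a non-zero `ret` would keep the coverage without pinning the error code. The enclosing dh_fips_generate_test starts and ends outside the hunk.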