adjust test case for CI tests after additional sanity check

JacobBarthelmeh · JacobBarthelmeh · commit f762a424d816 · 2026-04-29T14:20:37.000-06:00
diff --git a/tests/api/test_evp_cipher.c b/tests/api/test_evp_cipher.c
@@ -2195,7 +2195,7 @@ int test_wolfssl_EVP_sm4_ecb(void)
     };
     byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE];
     byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE];
-    EVP_CIPHER_CTX* ctx;
+    EVP_CIPHER_CTX* ctx = NULL;
     int outSz;
 
     XMEMSET(key, 0, sizeof(key));
@@ -2251,7 +2251,7 @@ int test_wolfssl_EVP_sm4_cbc(void)
     };
     byte cipherText[sizeof(plainText) + SM4_BLOCK_SIZE];
     byte decryptedText[sizeof(plainText) + SM4_BLOCK_SIZE];
-    EVP_CIPHER_CTX* ctx;
+    EVP_CIPHER_CTX* ctx = NULL;
     int outSz;
 
     XMEMSET(key, 0, sizeof(key));
@@ -2319,7 +2319,7 @@ int test_wolfssl_EVP_sm4_ctr(void)
     byte plainText[] = {0xDE, 0xAD, 0xBE, 0xEF};
     byte cipherText[sizeof(plainText)];
     byte decryptedText[sizeof(plainText)];
-    EVP_CIPHER_CTX* ctx;
+    EVP_CIPHER_CTX* ctx = NULL;
     int outSz;
 
     XMEMSET(key, 0, sizeof(key));
diff --git a/tests/api/test_evp_pkey.c b/tests/api/test_evp_pkey.c
@@ -1594,11 +1594,17 @@ static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType)
         WOLFSSL_SUCCESS);
 
     if (keyType == EVP_PKEY_EC) {
+#if (!defined(HAVE_FIPS) || FIPS_VERSION_GT(7,0)) && !defined(HAVE_SELFTEST)
         /* wolfSSL differs from OpenSSL in that it treats a hash of all 0's as a
          * fatal error and does not attempt to verify */
         ExpectIntEQ(EVP_PKEY_verify(
             ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
             WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+#else
+        ExpectIntEQ(EVP_PKEY_verify(
+            ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
+            WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+#endif
     }
     else {
         ExpectIntEQ(EVP_PKEY_verify(
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -36756,7 +36756,12 @@ static wc_test_ret_t ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerif
 #if !defined(ECC_TIMING_RESISTANT) || (defined(ECC_TIMING_RESISTANT) && \
     !defined(WC_NO_RNG) && !defined(WOLFSSL_KCAPI_ECC))
 #ifdef HAVE_ECC_SIGN
-    /* test DSA sign hash with zeros */
+    /* WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST: build rejects all-zero digest,
+     * so test expects failure. */
+#ifdef WOLFSSL_SM2
+    if (curve_id != ECC_SM2P256V1)
+#endif
+    {
     for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) {
         digest[i] = 0;
     }
@@ -36770,13 +36775,17 @@ static wc_test_ret_t ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerif
             ret = wc_ecc_sign_hash(digest, ECC_DIGEST_SIZE, sig, &x, rng,
                                                                         userA);
     } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
+#ifdef WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST
     if (ret == 0) {
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
     }
     else {
-        /* reset ret value, was expecting a failure */
         ret = 0;
     }
+#else
+    if (ret != 0)
+        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
+#endif
     TEST_SLEEP();
 
 #ifdef HAVE_ECC_VERIFY
@@ -36789,17 +36798,24 @@ static wc_test_ret_t ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerif
             ret = wc_ecc_verify_hash(sig, x, digest, ECC_DIGEST_SIZE,
                                                            &verify, userA);
     } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
+#ifdef WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST
     if (ret == 0) {
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
     }
     else {
-        /* reset ret value, was expecting a failure */
         ret = 0;
     }
     if (verify == 1)
         ERROR_OUT(WC_TEST_RET_ENC_NC, done);
+#else
+    if (ret != 0)
+        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
+    if (verify != 1)
+        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
+#endif
     TEST_SLEEP();
 #endif /* HAVE_ECC_VERIFY */
+    }
 
     /* test DSA sign hash with sequence (0,1,2,3,4,...) */
     for (i = 0; i < (int)ECC_DIGEST_SIZE; i++) {
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -3514,6 +3514,21 @@ extern void uITRON4_free(void *p) ;
     #undef NO_DH
 #endif
 
+/* Base wolfCrypt rejects an all-zero ECC digest on sign/verify. Builds whose
+ * sign/verify path can't enforce that (HW offload firmware) */
+#if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) && \
+    !defined(WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST)
+    #define WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST
+    #if defined(WOLFSSL_CRYPTOCELL) || defined(WOLFSSL_SE050) || \
+        defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
+        defined(WOLFSSL_KCAPI_ECC) || defined(WOLFSSL_SILABS_SE_ACCEL) || \
+        defined(WOLFSSL_XILINX_CRYPT_VERSAL) || defined(PLUTON_CRYPTO_ECC) || \
+        defined(HAVE_SELFTEST) || \
+        (defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0))
+        #undef WC_TEST_NO_ECC_SIGN_VERIFY_ZERO_DIGEST
+    #endif
+#endif
+
 /* Asynchronous Crypto */
 #ifdef WOLFSSL_ASYNC_CRYPT
     #if !defined(HAVE_CAVIUM) && !defined(HAVE_INTEL_QA) && \
