wolfSSL · douzzer · Mar 6, 2026 · Mar 6, 2026
diff --git a/configure.ac b/configure.ac
@@ -6038,8 +6038,10 @@ AS_CASE([$FIPS_VERSION],
     [v6|ready|dev],[ # FIPS 140-3 SRTP-KDF
 
         AS_IF([test "$FIPS_VERSION" = "dev"],
+	    ENABLED_FIPS_DEV=yes
             [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_DEV"])
         AS_IF([test "$FIPS_VERSION" = "ready"],
+	    ENABLED_FIPS_READY=yes
             [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_FIPS_READY"])
 
         AM_CFLAGS="$AM_CFLAGS \
@@ -11048,6 +11050,19 @@ fi
 LIB_SOCKET_NSL
 AX_HARDEN_CC_COMPILER_FLAGS
 
+if test "$ENABLED_SELFTEST" = yes || test "$ENABLED_FIPS" = yes
+then
+    if ! test "$ENABLED_FIPS_DEV" = yes && ! test "$ENABLED_FIPS_READY" = yes
+    then
+        # rsa.c wc_hash2mgf() switches on enum wc_HashType, which is defined
+        # outside the FIPS boundary.  Unsupported hashes are correctly handled
+        # by the default clause.
+        AC_LANG_PUSH([C])
+        AX_APPEND_COMPILE_FLAGS([-Wno-switch-enum],,[$ax_append_compile_cflags_extra])
+        AC_LANG_POP
+    fi
+fi
+
 # -Wdeprecated-enum-enum-conversion is on by default in C++20, but conflicts with
 # our use of enum constructs to define fungible constants.
 if test "$KERNEL_MODE_DEFAULTS" != "yes"

diff --git a/tests/api/test_hash.c b/tests/api/test_hash.c
@@ -102,24 +102,35 @@ static const enum wc_HashType notCompiledHash[] = {
     WC_HASH_TYPE_SHA3_384,
     WC_HASH_TYPE_SHA3_512,
 #endif
-    WC_HASH_TYPE_NONE   /* Dummy value to ensure list is non-zero. */
-};
-static const int notCompiledHashLen = (sizeof(notCompiledHash) /
-                                       sizeof(enum wc_HashType)) - 1;
-
-static const enum wc_HashType notSupportedHash[] = {
-#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
+#if !defined(WOLFSSL_SHA3) || !defined(WOLFSSL_SHAKE128)
     WC_HASH_TYPE_SHAKE128,
 #endif
-#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
+#if !defined(WOLFSSL_SHA3) || !defined(WOLFSSL_SHAKE256)
     WC_HASH_TYPE_SHAKE256,
 #endif
+#if defined(NO_MD5) || defined(NO_SHA)
     WC_HASH_TYPE_MD5_SHA,
+#endif
+#ifndef WOLFSSL_MD2
     WC_HASH_TYPE_MD2,
+#endif
+#ifdef NO_MD4
     WC_HASH_TYPE_MD4,
+#endif
+#if !defined(HAVE_BLAKE2) && !defined(HAVE_BLAKE2S)
     WC_HASH_TYPE_BLAKE2B,
+#endif
+#if !defined(HAVE_BLAKE2) && !defined(HAVE_BLAKE2B)
     WC_HASH_TYPE_BLAKE2S,
-    WC_HASH_TYPE_NONE
+#endif
+    WC_HASH_TYPE_NONE   /* Dummy value to ensure list is non-zero. */
+};
+static const int notCompiledHashLen = (sizeof(notCompiledHash) /
+                                       sizeof(enum wc_HashType)) - 1;
+
+static const int notSupportedHash[] = {
+    WC_HASH_TYPE_NONE,
+    WC_HASH_TYPE_MAX + 1
 };
 static const int notSupportedHashLen = (sizeof(notSupportedHash) /
                                         sizeof(enum wc_HashType));
@@ -156,18 +167,15 @@ static const enum wc_HashType sizeNotCompiledHash[] = {
     WC_HASH_TYPE_BLAKE2B,
     WC_HASH_TYPE_BLAKE2S,
 #endif
+    WC_HASH_TYPE_SHAKE128,
+    WC_HASH_TYPE_SHAKE256,
     WC_HASH_TYPE_NONE   /* Dummy value to ensure list is non-zero. */
 };
 static const int sizeNotCompiledHashLen = (sizeof(sizeNotCompiledHash) /
                                            sizeof(enum wc_HashType)) - 1;
-static const enum wc_HashType sizeNotSupportedHash[] = {
-#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE128)
-    WC_HASH_TYPE_SHAKE128,
-#endif
-#if defined(WOLFSSL_SHA3) && defined(WOLFSSL_SHAKE256)
-    WC_HASH_TYPE_SHAKE256,
-#endif
-    WC_HASH_TYPE_NONE
+static const int sizeNotSupportedHash[] = {
+    WC_HASH_TYPE_NONE,
+    WC_HASH_TYPE_MAX + 1
 };
 static const int sizeNotSupportedHashLen = (sizeof(sizeNotSupportedHash) /
                                             sizeof(enum wc_HashType));
@@ -214,19 +222,19 @@ int test_wc_HashInit(void)
 
     for (i = 0; i < notSupportedHashLen; i++) {
         /* check for null ptr */
-        ExpectIntEQ(wc_HashInit(NULL, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashInit(NULL, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashInit_ex(NULL, notSupportedHash[i], HEAP_HINT,
+        ExpectIntEQ(wc_HashInit_ex(NULL, (enum wc_HashType)notSupportedHash[i], HEAP_HINT,
             INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-        ExpectIntEQ(wc_HashInit(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashInit(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        wc_HashFree(&hash, notSupportedHash[i]);
-        ExpectIntEQ(wc_HashInit_ex(&hash, notSupportedHash[i], HEAP_HINT,
+        wc_HashFree(&hash, (enum wc_HashType)notSupportedHash[i]);
+        ExpectIntEQ(wc_HashInit_ex(&hash, (enum wc_HashType)notSupportedHash[i], HEAP_HINT,
             INVALID_DEVID), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        wc_HashFree(&hash,  notSupportedHash[i]);
+        wc_HashFree(&hash,  (enum wc_HashType)notSupportedHash[i]);
 
-        wc_HashFree(NULL,  notSupportedHash[i]);
+        wc_HashFree(NULL,  (enum wc_HashType)notSupportedHash[i]);
     }  /* end of for loop */
 
 #endif
@@ -282,25 +290,25 @@ int test_wc_HashUpdate(void)
     }
 
     for (i = 0; i < notSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashInit(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashInit(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
         /* Invalid parameters */
-        ExpectIntEQ(wc_HashUpdate(NULL, notSupportedHash[i], NULL, 1),
+        ExpectIntEQ(wc_HashUpdate(NULL, (enum wc_HashType)notSupportedHash[i], NULL, 1),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashUpdate(&hash, notSupportedHash[i], NULL, 1),
+        ExpectIntEQ(wc_HashUpdate(&hash, (enum wc_HashType)notSupportedHash[i], NULL, 1),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashUpdate(NULL, notSupportedHash[i], NULL, 0),
+        ExpectIntEQ(wc_HashUpdate(NULL, (enum wc_HashType)notSupportedHash[i], NULL, 0),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashUpdate(NULL, notSupportedHash[i], (byte*)"a", 1),
+        ExpectIntEQ(wc_HashUpdate(NULL, (enum wc_HashType)notSupportedHash[i], (byte*)"a", 1),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-        ExpectIntEQ(wc_HashUpdate(&hash, notSupportedHash[i], NULL, 0),
+        ExpectIntEQ(wc_HashUpdate(&hash, (enum wc_HashType)notSupportedHash[i], NULL, 0),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashUpdate(&hash, notSupportedHash[i], (byte*)"a", 1),
+        ExpectIntEQ(wc_HashUpdate(&hash, (enum wc_HashType)notSupportedHash[i], (byte*)"a", 1),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-        wc_HashFree(&hash, notSupportedHash[i]);
+        wc_HashFree(&hash, (enum wc_HashType)notSupportedHash[i]);
     }
 
 #if defined(DEBUG_WOLFSSL) && !defined(NO_SHA256) && defined(WOLFSSL_SHA512)
@@ -357,21 +365,21 @@ int test_wc_HashFinal(void)
     }
 
     for (i = 0; i < notSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashInit(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashInit(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
         /* Invalid parameters */
-        ExpectIntEQ(wc_HashFinal(NULL, notSupportedHash[i], NULL),
+        ExpectIntEQ(wc_HashFinal(NULL, (enum wc_HashType)notSupportedHash[i], NULL),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashFinal(&hash, notSupportedHash[i], NULL),
+        ExpectIntEQ(wc_HashFinal(&hash, (enum wc_HashType)notSupportedHash[i], NULL),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashFinal(NULL, notSupportedHash[i], digest),
+        ExpectIntEQ(wc_HashFinal(NULL, (enum wc_HashType)notSupportedHash[i], digest),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-        ExpectIntEQ(wc_HashFinal(&hash, notSupportedHash[i], digest),
+        ExpectIntEQ(wc_HashFinal(&hash, (enum wc_HashType)notSupportedHash[i], digest),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
-        wc_HashFree(&hash, notSupportedHash[i]);
+        wc_HashFree(&hash, (enum wc_HashType)notSupportedHash[i]);
     }
 #if defined(DEBUG_WOLFSSL) && !defined(NO_SHA256) && defined(WOLFSSL_SHA512)
     ExpectIntEQ(wc_HashInit(&hash, WC_HASH_TYPE_SHA256), 0);
@@ -417,7 +425,7 @@ int test_wc_HashNewDelete(void)
     }
 
     for (i = 0; i < notSupportedHashLen; i++) {
-         ExpectNull(wc_HashNew(notSupportedHash[i], HEAP_HINT, INVALID_DEVID,
+         ExpectNull(wc_HashNew((enum wc_HashType)notSupportedHash[i], HEAP_HINT, INVALID_DEVID,
              &ret));
          ExpectIntEQ(ret, WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
@@ -438,17 +446,13 @@ int test_wc_HashGetDigestSize(void)
         ExpectIntGT(wc_HashGetDigestSize(sizeSupportedHash[i]), 0);
     }
 
-    for (i = 0; i < notCompiledHashLen; i++) {
-        ExpectIntEQ(wc_HashGetDigestSize(notCompiledHash[i]),
-            WC_NO_ERR_TRACE(HASH_TYPE_E));
-    }
     for (i = 0; i < sizeNotCompiledHashLen; i++) {
         ExpectIntEQ(wc_HashGetDigestSize(sizeNotCompiledHash[i]),
             WC_NO_ERR_TRACE(HASH_TYPE_E));
     }
 
     for (i = 0; i < sizeNotSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashGetDigestSize(sizeNotSupportedHash[i]),
+        ExpectIntEQ(wc_HashGetDigestSize((enum wc_HashType)sizeNotSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
 #endif
@@ -468,17 +472,13 @@ int test_wc_HashGetBlockSize(void)
         ExpectIntGT(wc_HashGetBlockSize(sizeSupportedHash[i]), 0);
     }
 
-    for (i = 0; i < notCompiledHashLen; i++) {
-        ExpectIntEQ(wc_HashGetBlockSize(notCompiledHash[i]),
-            WC_NO_ERR_TRACE(HASH_TYPE_E));
-    }
     for (i = 0; i < sizeNotCompiledHashLen; i++) {
         ExpectIntEQ(wc_HashGetBlockSize(sizeNotCompiledHash[i]),
             WC_NO_ERR_TRACE(HASH_TYPE_E));
     }
 
     for (i = 0; i < sizeNotSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashGetBlockSize(sizeNotSupportedHash[i]),
+        ExpectIntEQ(wc_HashGetBlockSize((enum wc_HashType)sizeNotSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
 #endif
@@ -525,9 +525,9 @@ int test_wc_Hash(void)
             /* Algorithm only supported with wc_Hash() and wc_Hash_ex(). */
             continue;
         }
-        ExpectIntEQ(wc_Hash(sizeNotSupportedHash[i], (byte*)"a", 1,
+        ExpectIntEQ(wc_Hash((enum wc_HashType)sizeNotSupportedHash[i], (byte*)"a", 1,
             digest, sizeof(digest)), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_Hash_ex(sizeNotSupportedHash[i], (byte*)"a", 1,
+        ExpectIntEQ(wc_Hash_ex((enum wc_HashType)sizeNotSupportedHash[i], (byte*)"a", 1,
             digest, sizeof(digest), HEAP_HINT, INVALID_DEVID),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
@@ -570,11 +570,11 @@ int test_wc_HashSetFlags(void)
 
     /* For loop to test not supported cases */
     for (i = 0; i < notSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashInit(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashInit(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashSetFlags(&hash, notSupportedHash[i], flags),
+        ExpectIntEQ(wc_HashSetFlags(&hash, (enum wc_HashType)notSupportedHash[i], flags),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashFree(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashFree(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
 #endif
@@ -613,11 +613,11 @@ int test_wc_HashGetFlags(void)
 
     /* For loop to test not supported cases */
     for (i = 0; i < notSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashInit(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashInit(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashGetFlags(&hash, notSupportedHash[i], &flags),
+        ExpectIntEQ(wc_HashGetFlags(&hash, (enum wc_HashType)notSupportedHash[i], &flags),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
-        ExpectIntEQ(wc_HashFree(&hash, notSupportedHash[i]),
+        ExpectIntEQ(wc_HashFree(&hash, (enum wc_HashType)notSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
 #endif
@@ -682,7 +682,7 @@ int test_wc_HashGetOID(void)
     #ifdef WOLFSSL_MD2
         WC_HASH_TYPE_MD2,
     #endif
-    #ifndef NO_MD5
+    #if !defined(NO_MD5) && !defined(NO_SHA)
         WC_HASH_TYPE_MD5_SHA,
     #endif
         WC_HASH_TYPE_NONE   /* Dummy value to ensure list is non-zero. */
@@ -696,15 +696,16 @@ int test_wc_HashGetOID(void)
     #ifdef NO_MD5
         WC_HASH_TYPE_MD5_SHA,
     #endif
+        WC_HASH_TYPE_MD4,
+        WC_HASH_TYPE_BLAKE2B,
+        WC_HASH_TYPE_BLAKE2S,
         WC_HASH_TYPE_NONE   /* Dummy value to ensure list is non-zero. */
     };
     static const int oidOnlyNotCompiledHashLen =
         (sizeof(oidOnlyNotCompiledHash) / sizeof(enum wc_HashType)) - 1;
-    static const enum wc_HashType oidNotSupportedHash[] = {
-        WC_HASH_TYPE_MD4,
-        WC_HASH_TYPE_BLAKE2B,
-        WC_HASH_TYPE_BLAKE2S,
-        WC_HASH_TYPE_NONE
+    static const int oidNotSupportedHash[] = {
+        WC_HASH_TYPE_NONE,
+        WC_HASH_TYPE_MAX + 1
     };
     static const int oidNotSupportedHashLen = (sizeof(oidNotSupportedHash) /
                                                sizeof(enum wc_HashType));
@@ -727,7 +728,7 @@ int test_wc_HashGetOID(void)
     }
 
     for (i = 0; i < oidNotSupportedHashLen; i++) {
-        ExpectIntEQ(wc_HashGetOID(oidNotSupportedHash[i]),
+        ExpectIntEQ(wc_HashGetOID((enum wc_HashType)oidNotSupportedHash[i]),
             WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     }
 #endif