From 5c97374156c624fa26721d9d1c971b5f3f48e4fe Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 26 Apr 2018 14:04:54 -0700
Subject: [PATCH] Fix for RSA RSS check to make sure RSA is enabled. Added TLS 1.3 DH check for key sizes.

---
 src/tls.c | 13 +++++++++++++
 src/tls13.c | 5 +----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/tls.c b/src/tls.c
index 6ae031a66..bfd944765 100755
--- a/src/tls.c
+++ b/src/tls.c
@@ -48,6 +48,7 @@
 #include "libntruencrypt/ntru_crypto.h"
 #include
 #endif
+
 #ifdef HAVE_QSH
 static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key);
 static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name);
@@ -76,6 +77,18 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions);
 #endif
 #endif
 
+#ifdef WOLFSSL_TLS13
+ #if !defined(NO_DH) && \
+ !defined(HAVE_FFDHE_2048) && !defined(HAVE_FFDHE_3072) && \
+ !defined(HAVE_FFDHE_4096) && !defined(HAVE_FFDHE_6144) && \
+ !defined(HAVE_FFDHE_8192)
+ #error Please configure your TLS 1.3 DH key size using either: HAVE_FFDHE_2048, HAVE_FFDHE_3072, HAVE_FFDHE_4096, HAVE_FFDHE_6144 or HAVE_FFDHE_8192
+ #endif
+ #if !defined(NO_RSA) && !defined(WC_RSA_PSS)
+ #error The build option WC_RSA_PSS is required for TLS 1.3 with RSA
+ #endif
+#endif
+
 #ifdef WOLFSSL_SHA384
 #define P_HASH_MAX_SIZE WC_SHA384_DIGEST_SIZE
 
diff --git a/src/tls13.c b/src/tls13.c
index 46b410762..09bfc9806 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -129,10 +129,7 @@
 #endif
 
 #ifndef HAVE_HKDF
-    #error The build option `HAVE_HKDF` is required for TLS 1.3
-#endif
-#ifndef WC_RSA_PSS
-    #error The build option `WC_RSA_PSS` is required for TLS 1.3
+    #error The build option HAVE_HKDF is required for TLS 1.3
 #endif
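Review bot: The two new `#error` guards inside the `WOLFSSL_TLS13` block of tls.c tell the integrator what to define but not why, which is exactly what someone trimming build flags needs before they disable one; I would add `/* TLS 1.3 negotiates finite-field DH only through the RFC 7919 FFDHE named groups, so a DH-enabled build must select at least one */` above the `NO_DH` check and `/* RFC 8446 4.2.3: RSA signatures in TLS 1.3 must use RSA-PSS */` above the `NO_RSA` check. The relocated RSA-PSS check now fires only when RSA is compiled in (`!defined(NO_RSA)`), which matches the intent of the commit subject, whose "RSA RSS check" presumably means this RSA-PSS check. One wording point on the first message: it says "using either" and then lists five options, so `using one of:` would be accurate. Both guards are compile-time only and say nothing about which group is actually offered at runtime; that is outside this hunk.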