From 477d7fae545efb896914918370e630d670830e82 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Wed, 1 Oct 2025 09:38:27 -0500
Subject: [PATCH 1/2] remove WOLFSSL_DH_GEN_PUB, WOLFSSL_NO_DH_GEN_PUB, and
 WOLFSSL_DH_EXTRA gating re wc_DhGeneratePublic(), consistent with recent FIPS
 changes.

---
 .wolfssl_known_macro_extras |  1 -
 wolfcrypt/src/dh.c          |  2 --
 wolfcrypt/test/test.c       |  2 --
 wolfssl/wolfcrypt/dh.h      | 13 ++-----------
 4 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 94401ecbe..ace779580 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -782,7 +782,6 @@ WOLFSSL_NO_CT_MAX_MIN
 WOLFSSL_NO_DECODE_EXTRA
 WOLFSSL_NO_DER_TO_PEM
 WOLFSSL_NO_DH186
-WOLFSSL_NO_DH_GEN_PUB
 WOLFSSL_NO_DTLS_SIZE_CHECK
 WOLFSSL_NO_ETM_ALERT
 WOLFSSL_NO_FENCE
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index b0ad185d9..99c09a97b 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -1373,7 +1373,6 @@ static int GeneratePublicDh(DhKey* key, byte* priv, word32 privSz,
     return ret;
 }
 
-#if defined(WOLFSSL_DH_GEN_PUB)
 /**
  * Given a DhKey with set params and a priv key, generate the corresponding
  * public key. If fips, does pub key validation.
@@ -1403,7 +1402,6 @@ int wc_DhGeneratePublic(DhKey* key, byte* priv, word32 privSz,
 
     return ret;
 }
-#endif /* WOLFSSL_DH_GEN_PUB */
 
 static int wc_DhGenerateKeyPair_Sync(DhKey* key, WC_RNG* rng,
     byte* priv, word32* privSz, byte* pub, word32* pubSz)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 4bfc69bff..bf9d6ab0b 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -23614,7 +23614,6 @@ static wc_test_ret_t dh_ffdhe_test(WC_RNG *rng, int name)
         ERROR_OUT(WC_TEST_RET_ENC_NC, done);
     }
 
-#if defined(WOLFSSL_DH_GEN_PUB) && defined(WOLFSSL_DH_EXTRA)
     /* additional test for wc_DhGeneratePublic:
      *   1. reset key2.
      *   2. using priv from dh key 1, generate pub2 with
@@ -23646,7 +23645,6 @@ static wc_test_ret_t dh_ffdhe_test(WC_RNG *rng, int name)
     if (pubSz != pubSz2 || XMEMCMP(pub, pub2, pubSz)) {
         ERROR_OUT(WC_TEST_RET_ENC_NC, done);
     }
-#endif /* WOLFSSL_DH_GEN_PUB && WOLFSSL_DH_EXTRA */
 
 #if (defined(WOLFSSL_HAVE_SP_DH) || defined(USE_FAST_MATH)) && \
     !defined(HAVE_INTEL_QA)
diff --git a/wolfssl/wolfcrypt/dh.h b/wolfssl/wolfcrypt/dh.h
index eb1b128fd..0bb8508a7 100644
--- a/wolfssl/wolfcrypt/dh.h
+++ b/wolfssl/wolfcrypt/dh.h
@@ -171,17 +171,8 @@ WOLFSSL_API int wc_DhCmpNamedKey(int name, int noQ,
         const byte* q, word32 qSz);
 WOLFSSL_API int wc_DhCopyNamedKey(int name,
         byte* p, word32* pSz, byte* g, word32* gSz, byte* q, word32* qSz);
-
-#ifndef WOLFSSL_NO_DH_GEN_PUB
-    #if defined(WOLFSSL_DH_EXTRA) && !defined(WOLFSSL_DH_GEN_PUB)
-        #define WOLFSSL_DH_GEN_PUB
-    #endif
-    #ifdef WOLFSSL_DH_GEN_PUB
-        WOLFSSL_API int wc_DhGeneratePublic(DhKey* key, byte* priv,
-                                            word32 privSz, byte* pub,
-                                            word32* pubSz);
-    #endif /* WOLFSSL_DH_GEN_PUB */
-#endif /* !WOLFSSL_NO_DH_GEN_PUB */
+WOLFSSL_API int wc_DhGeneratePublic(DhKey* key, byte* priv,
+        word32 privSz, byte* pub, word32* pubSz);
 
 #ifdef WOLFSSL_DH_EXTRA
 WOLFSSL_API int wc_DhImportKeyPair(DhKey* key, const byte* priv, word32 privSz,

From 2ca9f66579dd5b6d055cc2886596d1de04886ecd Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Wed, 1 Oct 2025 10:23:49 -0500
Subject: [PATCH 2/2] wolfcrypt/test/test.c: add FIPS gate around
 wc_DhGeneratePublic() test in dh_ffdhe_test().

---
 .wolfssl_known_macro_extras |  1 +
 wolfcrypt/test/test.c       | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index ace779580..fd5bd6ca4 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -420,6 +420,7 @@ NO_STDIO_FGETS_REMAP
 NO_TKERNEL_MEM_POOL
 NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
 NO_VERIFY_OID
+NO_WC_DHGENERATEPUBLIC
 NO_WC_SSIZE_TYPE
 NO_WOLFSSL_ALLOC_ALIGN
 NO_WOLFSSL_AUTOSAR_CRYIF
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index bf9d6ab0b..273861b77 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -23614,6 +23614,15 @@ static wc_test_ret_t dh_ffdhe_test(WC_RNG *rng, int name)
         ERROR_OUT(WC_TEST_RET_ENC_NC, done);
     }
 
+    /* wc_DhGeneratePublic_fips() was added in 5.2.3, but some customers are
+     * building with configure scripts that set version to 5.2.1, but with 5.2.3
+     * wolfCrypt sources.
+     */
+#if !(defined(HAVE_SELFTEST) || \
+      (defined(HAVE_FIPS) && FIPS_VERSION3_LT(5,2,3)) || \
+      FIPS_VERSION3_EQ(6,0,0) || \
+      defined(NO_WC_DHGENERATEPUBLIC))
+
     /* additional test for wc_DhGeneratePublic:
      *   1. reset key2.
      *   2. using priv from dh key 1, generate pub2 with
@@ -23645,6 +23654,7 @@ static wc_test_ret_t dh_ffdhe_test(WC_RNG *rng, int name)
     if (pubSz != pubSz2 || XMEMCMP(pub, pub2, pubSz)) {
         ERROR_OUT(WC_TEST_RET_ENC_NC, done);
     }
+#endif /* !(HAVE_SELFTEST || FIPS <5.2.3 || FIPS == 6.0.0 || NO_WC_DHGENERATEPUBLIC */
 
 #if (defined(WOLFSSL_HAVE_SP_DH) || defined(USE_FAST_MATH)) && \
     !defined(HAVE_INTEL_QA)