From 9bf4a947961dcd0bf1ca9e79354436f276e249ee Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 25 Apr 2022 15:13:24 -0600
Subject: [PATCH 1/2] with WOLFSSL_NO_DH186 restriction allow odd DH param size generations
---
 wolfcrypt/src/dh.c | 9 +++++++++
 wolfcrypt/test/test.c | 31 +++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index 273af07a5..0a7c1ac77 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -2845,7 +2845,16 @@ int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh)
 groupSz = 32;
 break;
 default:
+ #if !defined(HAVE_FIPS) && defined(WOLFSSL_NO_DH186)
+ /* in non fips mode attempt to match strength of group size with
+ * mod size */
+ if (modSz < 2048)
+ groupSz = 20;
+ else
+ groupSz = 32;
+ #else
 ret = BAD_FUNC_ARG;
+ #endif
 break;
 }
 }
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 1a702fbcd..aa19cee38 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -16038,6 +16038,37 @@ static int dh_generate_test(WC_RNG *rng)
 ret = 0;
 #endif
+#if !defined(HAVE_FIPS) && defined(WOLFSSL_NO_DH186)
+ {
+ byte priv[260];
+ byte pub[260];
+ word32 privSz = sizeof(priv);
+ word32 pubSz = sizeof(pub);
+
+ /* test odd ball param generation with DH */
+ wc_FreeDhKey(smallKey);
+ ret = wc_InitDhKey_ex(smallKey, HEAP_HINT, devId);
+ if (ret != 0)
+ ERROR_OUT(-8019, exit_gen_test);
+
+ ret = wc_DhGenerateParams(rng, 2056, smallKey);
+ if (ret != 0) {
+ ERROR_OUT(-8020, exit_gen_test);
+ }
+
+ privSz = sizeof(priv);
+ pubSz = sizeof(pub);
+
+ ret = wc_DhGenerateKeyPair(smallKey, rng, priv, &privSz, pub, &pubSz);
+ #if defined(WOLFSSL_ASYNC_CRYPT)
+ ret = wc_AsyncWait(ret, &smallKey->asyncDev, WC_ASYNC_FLAG_NONE);
+ #endif
+ if (ret != 0) {
+ ERROR_OUT(-8021, exit_gen_test);
+ }
+ }
+#endif /* !HAVE_FIPS and WOLFSSL_NO_DH186 */
+
 exit_gen_test:
 if (smallKey_inited)
 wc_FreeDhKey(smallKey);
From 5caef7eaba457a6bf489c7321e9fb70d96943801 Mon Sep 17 00:00:00 2001
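Review bot: The new `default:` branch in `wc_DhGenerateParams` accepts every `modSz` that the earlier cases did not match, so with `HAVE_FIPS` off and `WOLFSSL_NO_DH186` on this switch no longer rejects zero, negative, very small or non-byte-aligned sizes; anything below 2048 is simply given `groupSz = 20`. Unless the range is validated elsewhere (the function body starts and ends outside this hunk), keep a floor and alignment check in this branch ahead of the `modSz < 2048` test, for example `if (modSz < MIN_MODSZ_BITS /* placeholder: project minimum */ || (modSz % 8) != 0) ret = BAD_FUNC_ARG;`. The comment would also be clearer if it stated the units, which appear to be bits for `modSz` and bytes for `groupSz`, and the unbraced `if`/`else` should take braces.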
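Review bot: The added test block calls `wc_FreeDhKey(smallKey)` and then `wc_InitDhKey_ex(...)` without updating `smallKey_inited`, the flag that the `exit_gen_test:` path checks before freeing the key. If the flag can be 0 when this block runs, the re-initialised key is never freed; if it is 1 and `wc_InitDhKey_ex` fails, cleanup frees a key that was already freed. The flag is set outside this hunk, so this needs checking against the start of `dh_generate_test`. Writing `smallKey_inited = 0;` after the free and `smallKey_inited = 1;` after a successful init would keep the cleanup path consistent. The test also exercises only the `modSz >= 2048` side of the new default branch (2056); a size below 2048 would cover the 20-byte group as well.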
From: Jacob Barthelmeh
Date: Wed, 11 May 2022 11:53:17 -0600
Subject: [PATCH 2/2] avoid dead store with test case
---
 wolfcrypt/test/test.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index aa19cee38..7961a9652 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -16035,7 +16035,9 @@ static int dh_generate_test(WC_RNG *rng)
 }
 #else
 (void)rng;
+ #if defined(HAVE_FIPS) || !defined(WOLFSSL_NO_DH186)
 ret = 0;
+ #endif
 #endif
 #if !defined(HAVE_FIPS) && defined(WOLFSSL_NO_DH186)
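Review bot: The guard added around `ret = 0;` is a hand-written negation of the `#if !defined(HAVE_FIPS) && defined(WOLFSSL_NO_DH186)` condition on the block that follows, and nothing ties the two together. If one is edited without the other, `ret` may reach `exit_gen_test:` unassigned from this `#else` branch, depending on how it is declared outside the hunk. A comment on the new lines would make the coupling visible, e.g. `/* skipped when the odd-size DH test below assigns ret first */`.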