From c16127d9ab17225ce9b094d536dac8379893d681 Mon Sep 17 00:00:00 2001
From: Hayden Roche
Date: Mon, 16 Aug 2021 15:13:36 -0700
Subject: [PATCH] Make improvements for rsyslog port.

- Remove FP_MAX_BITS and RSA_MAX_BITS definitions from rsyslog config. A user configuring wolfSSL for rsyslog support should set them as they see fit (i.e. based on the key sizes they need to support).
- After testing with wolfSSL FIPS, I discovered that some functions were missing from the compatibility layer that rsyslog needs. Notably wolfSSL_DH_generate_key and wolfSSL_DH_set0_pqg. These were gated out of compilation based on HAVE_FIPS. However, they only need to be compiled out if WOLFSSL_DH_EXTRA is defined. This is because these functions call SetDhInternal, which calls wc_DhImportKeyPair if WOLFSSL_DH_EXTRA is defined. wc_DhImportKeyPair isn't available in the FIPS module's dh.c. So, these functions can exist in the FIPS build provided WOLFSSL_DH_EXTRA isn't defined. This commit accounts for this scenario.
---
 configure.ac | 3 +--
 src/ssl.c | 10 +++++++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 092cddad2..85a82fd11 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4461,8 +4461,7 @@ fi
 if test "$ENABLED_RSYSLOG" = "yes"
 then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSYSLOG -DFP_MAX_BITS=16384"
- AM_CFLAGS="$AM_CFLAGS -DRSA_MAX_SIZE=8196 -DWOLFSSL_ERROR_CODE_OPENSSL"
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSYSLOG -DWOLFSSL_ERROR_CODE_OPENSSL"
 AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DOPENSSL_COMPATIBLE_DEFAULTS"
 fi
diff --git a/src/ssl.c b/src/ssl.c
index 7b612ffa1..3608311f7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
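Review bot: Dropping `-DFP_MAX_BITS=16384` and `-DRSA_MAX_SIZE=8196` from the rsyslog branch leaves the build on the library defaults, and nothing left in this `if test "$ENABLED_RSYSLOG"` block tells the person running configure that larger keys now need an explicit CFLAGS setting; with the default math limits (FP_MAX_BITS of 4096 in fastmath, if I recall the header correctly) a larger RSA certificate would be expected to fail at run time rather than at build time, which is hard to trace back to a configure option. A comment on the remaining AM_CFLAGS line would carry the commit message's intent into the file: `# FP_MAX_BITS / RSA_MAX_SIZE are deliberately not set here; pass them in CFLAGS` `# (e.g. -DFP_MAX_BITS=16384) sized for the largest key rsyslog must handle.` Separately, the commit message says RSA_MAX_BITS while the flag actually removed here is RSA_MAX_SIZE, which is worth correcting before merge so anyone searching the history finds the right symbol.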
@@ -31321,7 +31321,11 @@ WOLFSSL_BIGNUM* wolfSSL_DH_8192_prime(WOLFSSL_BIGNUM* bn)
 return bn;
 }
-#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
+/* The functions inside the macro guard below are fine to use with FIPS provided
+ * WOLFSSL_DH_EXTRA isn't defined. That define will cause SetDhInternal to have
+ * a call to wc_DhImportKeyPair, which isn't defined in the FIPS v2 module. */
+#if !defined(HAVE_FIPS) || (defined(HAVE_FIPS) && !defined(WOLFSSL_DH_EXTRA)) \
+ || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))
 /* return code compliant with OpenSSL :
 * 1 if success, 0 if error
 */
@@ -31541,9 +31545,9 @@ int wolfSSL_DH_set0_pqg(WOLFSSL_DH *dh, WOLFSSL_BIGNUM *p,
 return WOLFSSL_SUCCESS;
 }
- #endif /* v1.1.0 or later */
-#endif /* !HAVE_FIPS || HAVE_FIPS_VERSION > 2 */
+#endif /* !HAVE_FIPS || (HAVE_FIPS && !WOLFSSL_DH_EXTRA) ||
+ * HAVE_FIPS_VERSION > 2 */
 void wolfSSL_DH_get0_key(const WOLFSSL_DH *dh, const WOLFSSL_BIGNUM **pub_key,
 const WOLFSSL_BIGNUM **priv_key)
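Review bot: The middle term of the new guard, `(defined(HAVE_FIPS) && !defined(WOLFSSL_DH_EXTRA))`, is redundant with the first term, since `!A || (A && !B)` reduces to `!A || !B`; the condition can be written as `#if !defined(HAVE_FIPS) || !defined(WOLFSSL_DH_EXTRA) \` `    || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))`, which is easier to audit and keeps the matching `#endif` comment short. The explanatory comment attributes the missing symbol to "the FIPS v2 module", but the guard as written excludes these functions from every FIPS build that defines WOLFSSL_DH_EXTRA and has no HAVE_FIPS_VERSION greater than 2, including older or unversioned FIPS builds, so the comment should say "FIPS v2 and earlier" (or state the exact condition) to match the code. It would also help a reader to name the functions this gate covers, which the commit message gives as wolfSSL_DH_generate_key and wolfSSL_DH_set0_pqg. wolfSSL_DH_8192_prime begins before the hunk, and the guarded region continues well past it.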
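Review bot: Two `#endif` directives are removed in this hunk but only one is added, and the only `#if` removed anywhere in the patch (first hunk) is replaced by a new `#if`, with the diffstat showing just these +7/-3 lines in ssl.c; so unless the inner `#endif /* v1.1.0 or later */` was already unmatched or closes an `#if` that is dealt with elsewhere, the preprocessor nesting no longer balances. This is worth confirming with a build in both the FIPS and non-FIPS configurations (with and without WOLFSSL_DH_EXTRA) before merge, since the FIPS case is the one this guard exists for and the one least likely to be covered by default CI. If the removal is intentional, a one-line comment on the surviving `#endif` explaining what the dropped `v1.1.0` region was would save the next reader the same question. wolfSSL_DH_set0_pqg starts before the hunk and wolfSSL_DH_get0_key continues after it.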