Merge pull request #5406 from SparkiDev/mp_int_size

Maths bit size: ensure size is right

src/pk.c

@@ -35,6 +35,16 @@
     #include <wolfssl/wolfcrypt/rsa.h>
 #endif
 
+#if defined(OPENSSL_EXTRA) && !defined(NO_BIO) && defined(WOLFSSL_KEY_GEN) && \
+    (!defined(HAVE_USER_RSA) || defined(HAVE_ECC) || \
+     (!defined(NO_DSA) && !defined(HAVE_SELFTEST)))
+/* Forward declaration for wolfSSL_PEM_write_bio_RSA_PUBKEY,
+ * wolfSSL_PEM_write_bio_DSA_PUBKEY and wolfSSL_PEM_write_bio_EC_PUBKEY.
+ * Implementation in ssl.c.
+ */
+static int pem_write_bio_pubkey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key);
+#endif
+
 /*******************************************************************************
  * COMMON FUNCTIONS
  ******************************************************************************/
@@ -1429,11 +1439,6 @@ int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa,
 }
 
 #if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA)
-/* Forward declaration for wolfSSL_PEM_write_bio_RSA_PUBKEY.
- * Implementation in ssl.c.
- */
-static int pem_write_bio_pubkey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key);
-
 /* Writes PEM encoding of an RSA public key to a BIO.
  *
  * @param [in] bio  BIO object to write to.

tests/api.c

@@ -962,7 +962,7 @@ static int test_wolfSSL_CTX_use_PrivateKey_file(void)
 static int test_wolfSSL_CTX_trust_peer_cert(void)
 {
 #if !defined(NO_CERTS) && defined(WOLFSSL_TRUST_PEER_CERT) && \
-    !defined(NO_WOLFSSL_CLIENT)
+    !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA)
     WOLFSSL_CTX *ctx;
     WOLFSSL* ssl;
 
@@ -2334,7 +2334,7 @@ static int test_wolfSSL_CertManagerNameConstraint5(void)
 
 static int test_wolfSSL_FPKI(void)
 {
-#if defined(WOLFSSL_FPKI) && !defined(NO_FILESYSTEM)
+#if defined(WOLFSSL_FPKI) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     XFILE f;
     const char* fpkiCert = "./certs/fpki-cert.der";
     DecodedCert cert;
@@ -27552,8 +27552,8 @@ static int test_wc_PKCS7_InitWithCert (void)
 #ifdef HAVE_ECC
         AssertIntLT(wc_PKCS7_InitWithCert(pkcs7, certWithInvalidEccKey,
                                           sizeof(certWithInvalidEccKey)), 0);
-#endif
     }
+#endif
 
     printf(resultFmt, passed);
 
@@ -28737,7 +28737,7 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
     wc_FreeRng(&rng);
 #endif
 
-#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DES3)
+#if defined(USE_CERT_BUFFERS_2048) && !defined(NO_DES3) && !defined(NO_RSA)
     {
         byte   out[7];
         byte   *cms;
@@ -39266,7 +39266,7 @@ static int test_wolfSSL_PEM_write_bio_X509(void)
 {
 #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_AKID_NAME) && \
     defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) && \
-    !defined(NO_BIO)
+    !defined(NO_BIO) && !defined(NO_RSA)
     /* This test contains the hard coded expected
      * lengths. Update if necessary */
 
@@ -47903,7 +47903,7 @@ static int test_wc_SetIssueBuffer(void)
 static int test_wc_SetSubjectKeyId(void)
 {
 #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
-    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && defined(HAVE_ECC)
     Cert cert;
     const char* file = "certs/ecc-client-keyPub.pem";
 
@@ -47927,7 +47927,7 @@ static int test_wc_SetSubjectKeyId(void)
 static int test_wc_SetSubject(void)
 {
 #if !defined(NO_ASN) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
-    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)
+    defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT) && defined(HAVE_ECC)
     Cert cert;
     const char* file = "./certs/ca-ecc-cert.pem";
 
@@ -48838,7 +48838,9 @@ static int test_X509_REQ(void)
 #if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
     defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_BIO)
     X509_NAME* name;
+#ifndef NO_RSA
     X509_NAME* subject;
+#endif
 #if !defined(NO_RSA) || defined(HAVE_ECC)
     X509_REQ* req;
     EVP_PKEY* priv;
@@ -51069,7 +51071,8 @@ static int test_wolfSSL_X509_load_crl_file(void)
 static int test_wolfSSL_d2i_X509_REQ(void)
 {
 #if defined(WOLFSSL_CERT_REQ) && !defined(NO_RSA) && !defined(NO_BIO) && \
-    (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))
+    (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \
+    !defined(WOLFSSL_SP_MATH)
     /* ./certs/csr.signed.der, ./certs/csr.ext.der, and ./certs/csr.attr.der were
      * generated by libest
      * ./certs/csr.attr.der contains sample attributes
@@ -54344,7 +54347,7 @@ static int test_ENGINE_cleanup(void)
 
 static int test_wolfSSL_CTX_LoadCRL(void)
 {
-#ifdef HAVE_CRL
+#if defined(HAVE_CRL) && !defined(NO_RSA)
     WOLFSSL_CTX* ctx = NULL;
     WOLFSSL* ssl = NULL;
     const char* badPath = "dummypath";

wolfcrypt/src/rsa.c

@@ -4221,7 +4221,7 @@ int wc_RsaExportKey(RsaKey* key,
 #ifdef WOLFSSL_KEY_GEN
 
 /* Check that |p-q| > 2^((size/2)-100) */
-static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
+static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size, int* valid)
 {
 #ifdef WOLFSSL_SMALL_STACK
     mp_int *c = NULL, *d = NULL;
@@ -4265,10 +4265,7 @@ static int wc_CompareDiffPQ(mp_int* p, mp_int* q, int size)
 
     /* compare */
     if (ret == 0)
-        ret = mp_cmp(d, c);
-
-    if (ret == MP_GT)
-        ret = MP_OKAY;
+        *valid = (mp_cmp(d, c) == MP_GT);
 
 #ifdef WOLFSSL_SMALL_STACK
     if (d != NULL) {
@@ -4380,9 +4377,10 @@ static int _CheckProbablePrime(mp_int* p, mp_int* q, mp_int* e, int nlen,
     *isPrime = MP_NO;
 
     if (q != NULL) {
+        int valid = 0;
         /* 5.4 - check that |p-q| <= (2^(1/2))(2^((nlen/2)-1)) */
-        ret = wc_CompareDiffPQ(p, q, nlen);
-        if (ret != MP_OKAY) goto notOkay;
+        ret = wc_CompareDiffPQ(p, q, nlen, &valid);
+        if ((ret != MP_OKAY) || (!valid)) goto notOkay;
         prime = q;
     }
     else

wolfcrypt/src/sp_int.c

@@ -5144,7 +5144,7 @@ int sp_set(sp_int* a, sp_int_digit d)
     return err;
 }
 
-#if defined(WOLFSSL_SP_MATH_ALL) || !defined(NO_RSA)
+#if defined(WOLFSSL_SP_MATH_ALL) || !defined(NO_RSA) || defined(OPENSSL_EXTRA)
 /* Set a number into the multi-precision number.
  *
  * Number may be larger than the size of a digit.
@@ -5579,7 +5579,7 @@ int sp_mul_d(sp_int* a, sp_int_digit d, sp_int* r)
 /* Predefine complicated rules of when to compile in sp_div_d and sp_mod_d. */
 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
     defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) || \
-    defined(WC_MP_TO_RADIX)
+    defined(OPENSSL_EXTRA) || defined(WC_MP_TO_RADIX)
 #define WOLFSSL_SP_DIV_D
 #endif
 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
@@ -5951,7 +5951,7 @@ int sp_div_d(sp_int* a, sp_int_digit d, sp_int* r, sp_int_digit* rem)
  * @return  MP_VAL when a is NULL or d is 0.
  */
 #if !defined(WOLFSSL_SP_MATH_ALL) && (!defined(HAVE_ECC) || \
-    !defined(HAVE_COMP_KEY))
+    !defined(HAVE_COMP_KEY)) && !defined(OPENSSL_EXTRA)
 static
 #endif /* !WOLFSSL_SP_MATH_ALL && (!HAVE_ECC || !HAVE_COMP_KEY) */
 int sp_mod_d(sp_int* a, const sp_int_digit d, sp_int_digit* r)

wolfssl/internal.h

@@ -1159,9 +1159,14 @@ enum {
 #endif
 
 #ifndef WOLFSSL_MAX_RSA_BITS
-    #if (defined(USE_FAST_MATH) && defined(FP_MAX_BITS) && FP_MAX_BITS >= 16384)
-        #define WOLFSSL_MAX_RSA_BITS (FP_MAX_BITS / 2)
+    #ifdef USE_FAST_MATH
+        /* FP implementation support numbers up to FP_MAX_BITS / 2 bits. */
+        #define WOLFSSL_MAX_RSA_BITS    (FP_MAX_BITS / 2)
+    #elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)
+        /* SP implementation supports numbers of SP_INT_BITS bits. */
+        #define WOLFSSL_MAX_RSA_BITS    ((SP_INT_BITS + 7) / 8) * 8
     #else
+        /* Integer maths is dynamic but we only go up to 4096 bits. */
         #define WOLFSSL_MAX_RSA_BITS 4096
     #endif
 #endif
@@ -1171,26 +1176,59 @@ enum {
 
 
 /* MySQL wants to be able to use 8192-bit numbers. */
-#if defined(WOLFSSL_MYSQL_COMPATIBLE) || \
-        (defined(USE_FAST_MATH) && defined(FP_MAX_BITS) && \
-         FP_MAX_BITS >= 16384) || \
-        ((defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) && \
-         SP_INT_MAX_BITS >= 16384)
-     /* Maximum supported number length is 8192-bit. */
-     #define ENCRYPT_BASE_BITS  8192
-#elif defined(USE_FAST_MATH) && defined(FP_MAX_BITS)
-     /* Use the FP size down to a min of 1024-bit. */
-     #if FP_MAX_BITS > 2048
-         #define ENCRYPT_BASE_BITS  (FP_MAX_BITS / 2)
-     #else
-         #define ENCRYPT_BASE_BITS  1024
-     #endif
-#elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)
-    /* Use the SP math size down to a min of 1024-bit. */
-    #if SP_INT_MAX_BITS > 2048
-        #define ENCRYPT_BASE_BITS  (SP_INT_MAX_BITS / 2)
+#if defined(USE_FAST_MATH) && defined(FP_MAX_BITS)
+    /* Use the FP size up to 8192-bit and down to a min of 1024-bit. */
+    #if FP_MAX_BITS >= 16384
+        #define ENCRYPT_BASE_BITS  8192
+    #elif defined(HAVE_ECC)
+        #if FP_MAX_BITS > 2224
+            #define ENCRYPT_BASE_BITS  (FP_MAX_BITS / 2)
+        #else
+            /* 521-bit ASN.1 signature - 3 + 2 * (2 + 66) bytes. */
+            #define ENCRYPT_BASE_BITS  1112
+        #endif
     #else
-        #define ENCRYPT_BASE_BITS  1024
+        #if FP_MAX_BITS > 2048
+            #define ENCRYPT_BASE_BITS  (FP_MAX_BITS / 2)
+        #else
+            #define ENCRYPT_BASE_BITS  1024
+        #endif
+    #endif
+
+    /* Check MySQL size requirements met. */
+    #if defined(WOLFSSL_MYSQL_COMPATIBLE) && ENCRYPT_BASE_BITS < 8192
+        #error "MySQL needs FP_MAX_BITS at least at 16384"
+    #endif
+
+    #if WOLFSSL_MAX_RSA_BITS > ENCRYPT_BASE_BITS
+        #error "FP_MAX_BITS too small for WOLFSSL_MAX_RSA_BITS"
+    #endif
+#elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)
+    /* Use the SP size up to 8192-bit and down to a min of 1024-bit. */
+    #if SP_INT_BITS >= 8192
+        #define ENCRYPT_BASE_BITS  8192
+    #elif defined(HAVE_ECC)
+        #if SP_INT_BITS > 1112
+            #define ENCRYPT_BASE_BITS  SP_INT_BITS
+        #else
+            /* 521-bit ASN.1 signature - 3 + 2 * (2 + 66) bytes. */
+            #define ENCRYPT_BASE_BITS  1112
+        #endif
+    #else
+        #if SP_INT_BITS > 1024
+            #define ENCRYPT_BASE_BITS  SP_INT_BITS
+        #else
+            #define ENCRYPT_BASE_BITS  1024
+        #endif
+    #endif
+
+    /* Check MySQL size requirements met. */
+    #if defined(WOLFSSL_MYSQL_COMPATIBLE) && ENCRYPT_BASE_BITS < 8192
+        #error "MySQL needs SP_INT_BITS at least at 8192"
+    #endif
+
+    #if WOLFSSL_MAX_RSA_BITS > ENCRYPT_BASE_BITS
+        #error "SP_INT_BITS too small for WOLFSSL_MAX_RSA_BITS"
     #endif
 #else
     /* Integer/heap maths - support 4096-bit. */

wolfssl/wolfcrypt/rsa.h

@@ -107,7 +107,27 @@ RSA keys can be used to encrypt, decrypt, sign and verify data.
 #endif
 
 #ifndef RSA_MAX_SIZE
-#define RSA_MAX_SIZE 4096
+    #ifdef USE_FAST_MATH
+        /* FP implementation support numbers up to FP_MAX_BITS / 2 bits. */
+        #define RSA_MAX_SIZE    (FP_MAX_BITS / 2)
+        #if defined(WOLFSSL_MYSQL_COMPATIBLE) && RSA_MAX_SIZE < 8192
+            #error "MySQL needs FP_MAX_BITS at least at 16384"
+        #endif
+    #elif defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)
+        /* SP implementation supports numbers of SP_INT_BITS bits. */
+        #define RSA_MAX_SIZE    (((SP_INT_BITS + 7) / 8) * 8)
+        #if defined(WOLFSSL_MYSQL_COMPATIBLE) && RSA_MAX_SIZE < 8192
+            #error "MySQL needs SP_INT_BITS at least at 8192"
+        #endif
+    #else
+        #ifdef WOLFSSL_MYSQL_COMPATIBLE
+            /* Integer maths is dynamic but we only go up to 8192 bits. */
+            #define RSA_MAX_SIZE 8192
+        #else
+            /* Integer maths is dynamic but we only go up to 4096 bits. */
+            #define RSA_MAX_SIZE 4096
+        #endif
+    #endif
 #endif
 
 /* avoid redefinition of structs */

wolfssl/wolfcrypt/settings.h

@@ -2139,25 +2139,26 @@ extern void uITRON4_free(void *p) ;
     #endif
 #endif
 #if defined(HAVE_FFDHE_8192)
-    #define MIN_FFDHE_FP_MAX_BITS 16384
+    #define MIN_FFDHE_BITS 8192
 #elif defined(HAVE_FFDHE_6144)
-    #define MIN_FFDHE_FP_MAX_BITS 12288
+    #define MIN_FFDHE_BITS 6144
 #elif defined(HAVE_FFDHE_4096)
-    #define MIN_FFDHE_FP_MAX_BITS 8192
+    #define MIN_FFDHE_BITS 4096
 #elif defined(HAVE_FFDHE_3072)
-    #define MIN_FFDHE_FP_MAX_BITS 6144
+    #define MIN_FFDHE_BITS 3072
 #elif defined(HAVE_FFDHE_2048)
-    #define MIN_FFDHE_FP_MAX_BITS 4096
+    #define MIN_FFDHE_BITS 2048
 #else
-    #define MIN_FFDHE_FP_MAX_BITS 0
+    #define MIN_FFDHE_BITS 0
 #endif
+#define MIN_FFDHE_FP_MAX_BITS   (MIN_FFDHE_BITS * 2)
 #if defined(HAVE_FFDHE) && defined(FP_MAX_BITS)
     #if MIN_FFDHE_FP_MAX_BITS > FP_MAX_BITS
         #error "FFDHE parameters are too large for FP_MAX_BIT as set"
     #endif
 #endif
 #if defined(HAVE_FFDHE) && defined(SP_INT_BITS)
-    #if MIN_FFDHE_FP_MAX_BITS > SP_INT_BITS * 2
+    #if MIN_FFDHE_BITS > SP_INT_BITS
         #error "FFDHE parameters are too large for SP_INT_BIT as set"
     #endif
 #endif
@@ -2166,16 +2167,18 @@ extern void uITRON4_free(void *p) ;
 #if defined(WOLFSSL_X86_64_BUILD) || defined(WOLFSSL_AARCH64_BUILD)
     #if defined(USE_FAST_MATH) && !defined(FP_MAX_BITS)
         #if MIN_FFDHE_FP_MAX_BITS <= 8192
-            #define FP_MAX_BITS 8192
+            #define FP_MAX_BITS     8192
         #else
-            #define FP_MAX_BITS MIN_FFDHE_FP_MAX_BITS
+            #define FP_MAX_BITS     MIN_FFDHE_FP_MAX_BITS
         #endif
     #endif
     #if defined(WOLFSSL_SP_MATH_ALL) && !defined(SP_INT_BITS)
-        #if MIN_FFDHE_FP_MAX_BITS <= 8192
-            #define SP_INT_BITS 4096
+        #ifdef WOLFSSL_MYSQL_COMPATIBLE
+            #define SP_INT_BITS     8192
+        #elif MIN_FFDHE_BITS <= 4096
+            #define SP_INT_BITS     4096
         #else
-            #define PS_INT_BITS MIN_FFDHE_FP_MAX_BITS / 2
+            #define SP_INT_BITS     MIN_FFDHE_BITS
         #endif
     #endif
 #endif

wolfssl/wolfcrypt/sp_int.h

@@ -358,78 +358,76 @@ typedef struct sp_ecc_ctx {
 #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
 #include <wolfssl/wolfcrypt/random.h>
 
-#ifdef SP_INT_BITS
-    /* Calculate number of digits to have in an sp_int based maximum size of
+#ifndef SP_INT_BITS
+    #ifdef SP_INT_DIGITS
+        #define SP_INT_BITS (((SP_INT_DIGITS - 1) * SP_WORD_SIZE) / 2)
+    #else
+        /* Calculate number of bits to have in an sp_int based on features
+         * compiled in.
+         */
+        #ifdef WOLFSSL_MYSQL_COMPATIBLE
+            /* MySQL wants to be able to use 8192-bit numbers. */
+            #define SP_INT_BITS     8192
+        #elif !defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_HAVE_SP_DH) && \
+            !defined(WOLFSSL_HAVE_SP_ECC)
+            /* Not using SP - must be SP math all. */
+            #if !defined(NO_RSA) || !defined(NO_DH) || !defined(NO_DSA)
+                /* Support max size FFHDE parameters compiled in. */
+                #if !defined(NO_DH) && defined(HAVE_FFDHE_8192)
+                    #define SP_INT_BITS     8192
+                #elif !defined(NO_DH) && defined(HAVE_FFDHE_6144)
+                    #define SP_INT_BITS     6144
+                #elif !defined(NO_DH) && defined(HAVE_FFDHE_4096)
+                    #define SP_INT_BITS     4096
+                #else
+                    /* Default to max 3072 for general RSA and DH. */
+                    #define SP_INT_BITS     3072
+                #endif
+            #elif defined(WOLFCRYPT_HAVE_SAKKE)
+                #define SP_INT_BITS     1024
+            #elif defined(HAVE_ECC)
+                /* P521 is the largest supported ECC algorithm curve. */
+                #define SP_INT_BITS     521
+            #elif !defined(NO_PWDBASED) && defined(HAVE_PKCS12)
+                /*  wc_PKCS12_PBKDF_ex() */
+                #define SP_INT_BITS     WC_MAX_DIGEST_SIZE * 8
+            #else
+                #define SP_INT_BITS     128
+            #endif
+        #elif !defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_HAVE_SP_DH)
+            /* Not use SP_RSA or DH but are using SP ECC. */
+            #if defined(WOLFCRYPT_HAVE_SAKKE)
+                #define SP_INT_BITS     1024
+            #elif defined(WOLFSSL_SP_521) || defined(WOLFSSL_SP_MATH_ALL)
+                /* P521 is the largest supported ECC algorithm curve. */
+                #define SP_INT_BITS     521
+            #elif defined(WOLFSSL_SP_384)
+                /* No generic support - largest curve P384. */
+                #define SP_INT_BITS     384
+            #else
+                /* No generic support - largest curve P256. */
+                #define SP_INT_BITS     256
+            #endif
+        /* SP RSA and DH supported so base on max size of RSA/DH in SP. */
+        #elif defined(WOLFSSL_SP_4096)
+            #define SP_INT_BITS     4096
+        #elif !defined(WOLFSSL_SP_NO_3072) || defined(WOLFSSL_SP_MATH_ALL)
+            #define SP_INT_BITS     3072
+        #else
+            #define SP_INT_BITS     2048
+        #endif
+    #endif
+#endif
+
+#ifndef SP_INT_DIGITS
+    /* Calculate number of digits to have in an sp_int based on maximum size of
      * numbers in bits that will be used.
      * Double the size to hold multiplication result.
      * Add one to accommodate extra digit used by sp_mul(), sp_mulmod(),
      * sp_sqr(), and sp_sqrmod().
      */
     #define SP_INT_DIGITS                                                      \
-        ((((SP_INT_BITS + (SP_WORD_SIZE - 1)) * 2 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-#endif
-
-#ifndef SP_INT_DIGITS
-    /* Calculate number of digits to have in an sp_int based on features
-     * compiled in.
-     */
-    #if !defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_HAVE_SP_DH) && \
-        !defined(WOLFSSL_HAVE_SP_ECC)
-        #if !defined(NO_RSA) || !defined(NO_DH) || !defined(NO_DSA)
-            /* large SP math requires 2048-bits + */
-            #if !defined(NO_DH) && defined(HAVE_FFDHE_8192)
-                #define SP_INT_DIGITS    (((16384 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-            #elif !defined(NO_DH) && defined(HAVE_FFDHE_6144)
-                #define SP_INT_DIGITS    (((12288 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-            #elif !defined(NO_DH) && defined(HAVE_FFDHE_4096)
-                #define SP_INT_DIGITS    (((8192 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-            #else
-                /* all else */
-                #define SP_INT_DIGITS    (((6144 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-            #endif
-        #elif defined(WOLFCRYPT_HAVE_SAKKE)
-            #define SP_INT_DIGITS   \
-                    (((2 * (1024 + SP_WORD_SIZE) + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #elif defined(HAVE_ECC)
-            #define SP_INT_DIGITS   \
-                    (((2 * ( 521 + SP_WORD_SIZE) + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #elif !defined(NO_PWDBASED) && defined(WOLFSSL_SHA512)
-            #define SP_INT_DIGITS        ((( 512 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #else
-            #define SP_INT_DIGITS        ((( 256 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #endif
-    #elif !defined(WOLFSSL_HAVE_SP_RSA) && !defined(WOLFSSL_HAVE_SP_DH)
-        #if defined(WOLFCRYPT_HAVE_SAKKE)
-            #define SP_INT_DIGITS   \
-                    (((2 * (1024 + SP_WORD_SIZE) + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #elif defined(WOLFSSL_SP_MATH_ALL)
-            #define SP_INT_DIGITS   \
-                    (((2 * ( 521 + SP_WORD_SIZE) + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #elif defined(WOLFSSL_SP_384)
-            #define SP_INT_DIGITS        ((( 768 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #else
-            #define SP_INT_DIGITS        ((( 512 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #endif
-    #elif defined(WOLFSSL_SP_4096)
-        #if defined(WOLFSSL_HAVE_SP_DH)
-            #define SP_INT_DIGITS        (((8192 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #else
-            #define SP_INT_DIGITS        (((4096 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #endif
-    #elif !defined(WOLFSSL_SP_NO_3072)
-        #if defined(WOLFSSL_HAVE_SP_DH)
-            #define SP_INT_DIGITS        (((6144 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #else
-            #define SP_INT_DIGITS        (((3072 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #endif
-    #else
-        #if defined(WOLFSSL_HAVE_SP_DH) || \
-                (defined(WOLFSSL_HAVE_SP_RSA) && defined(WOLFSSL_KEY_GEN))
-            #define SP_INT_DIGITS        (((4096 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #else
-            #define SP_INT_DIGITS        (((2048 + SP_WORD_SIZE) / SP_WORD_SIZE) + 1)
-        #endif
-    #endif
+        (((SP_INT_BITS * 2 + SP_WORD_SIZE - 1) / SP_WORD_SIZE) + 1)
 #endif
 
 #ifndef SP_INT_MAX_BITS
@@ -837,7 +835,7 @@ MP_API int sp_mul_d(sp_int* a, sp_int_digit d, sp_int* r);
 MP_API int sp_div_d(sp_int* a, sp_int_digit d, sp_int* r, sp_int_digit* rem);
 #endif
 #if defined(WOLFSSL_SP_MATH_ALL) || (defined(HAVE_ECC) && \
-    defined(HAVE_COMP_KEY))
+    defined(HAVE_COMP_KEY)) || defined(OPENSSL_EXTRA)
 MP_API int sp_mod_d(sp_int* a, sp_int_digit d, sp_int_digit* r);
 #endif
 #if defined(WOLFSSL_SP_MATH_ALL) && defined(HAVE_ECC)