Regression testing

Fixes to get WOLFSSL_PUBLIC_MP testing passing. Fix DH constant time agreement: - implement constant time encoding to big-endian byte array in TFM - only force x to be zero for SP math as others implementations ensure unused words are zero - exponentiate in constant time to the smallest number of words possible - no need to encode into separate buffer anymore as encoding is constant time and front padded - make requested_sz be the maximum size for the parameters and check against agreeSz - update agreeSz to be the maximum valid size instead of filling all the buffer which may be many times too big - fix SP result to front pad when doing constant time
2025-08-02 04:04:39 +02:00 · 2025-06-26 12:24:43 +10:00
parent 5503ea8e6d
commit f1cb4d579c
6 changed files with 195 additions and 174 deletions
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -2058,80 +2058,19 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
 #endif
 #ifdef WOLFSSL_HAVE_SP_DH
    if (0
 #ifndef WOLFSSL_SP_NO_2048
-    if (mp_count_bits(&key->p) == 2048) {
+        || mp_count_bits(&key->p) == 2048
        if (mp_init(y) != MP_OKAY)
            ret = MP_INIT_E;
        if (ret == 0) {
            SAVE_VECTOR_REGISTERS(ret = _svr_ret;);
            if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
                ret = MP_READ_E;
            if (ret == 0)
                ret = sp_DhExp_2048(y, priv, privSz, &key->p, agree, agreeSz);
            mp_clear(y);
            RESTORE_VECTOR_REGISTERS();
        }
        /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */
        if ((ret == 0) &&
            ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1))))
        {
            ret = MP_VAL;
        }
    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
    #if !defined(WOLFSSL_SP_MATH)
        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
    #endif
        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
    #endif
        return ret;
    }
 #endif
 #ifndef WOLFSSL_SP_NO_3072
-    if (mp_count_bits(&key->p) == 3072) {
+        || mp_count_bits(&key->p) == 3072
        if (mp_init(y) != MP_OKAY)
            ret = MP_INIT_E;
        if (ret == 0) {
            SAVE_VECTOR_REGISTERS(ret = _svr_ret;);
            if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
                ret = MP_READ_E;
            if (ret == 0)
                ret = sp_DhExp_3072(y, priv, privSz, &key->p, agree, agreeSz);
            mp_clear(y);
            RESTORE_VECTOR_REGISTERS();
        }
        /* make sure agree is > 1 (SP800-56A, 5.7.1.1) */
        if ((ret == 0) &&
            ((*agreeSz == 0) || ((*agreeSz == 1) && (agree[0] == 1))))
        {
            ret = MP_VAL;
        }
    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
    #if !defined(WOLFSSL_SP_MATH)
        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
        XFREE(x, key->heap, DYNAMIC_TYPE_DH);
    #endif
        XFREE(y, key->heap, DYNAMIC_TYPE_DH);
    #endif
        return ret;
    }
 #endif
 #ifdef WOLFSSL_SP_4096
-    if (mp_count_bits(&key->p) == 4096) {
+        || mp_count_bits(&key->p) == 4096
 #endif
       ) {
        int i = (int)*agreeSz - 1;
        if (mp_init(y) != MP_OKAY)
            ret = MP_INIT_E;
@@ -2141,8 +2080,26 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
            if (ret == 0 && mp_read_unsigned_bin(y, otherPub, pubSz) != MP_OKAY)
                ret = MP_READ_E;
-            if (ret == 0)
+            if (ret == 0) {
-                ret = sp_DhExp_4096(y, priv, privSz, &key->p, agree, agreeSz);
+            #ifndef WOLFSSL_SP_NO_2048
                if (mp_count_bits(&key->p) == 2048) {
                    ret = sp_DhExp_2048(y, priv, privSz, &key->p, agree,
                                        agreeSz);
                }
            #endif
            #ifndef WOLFSSL_SP_NO_3072
                if (mp_count_bits(&key->p) == 3072) {
                    ret = sp_DhExp_3072(y, priv, privSz, &key->p, agree,
                                        agreeSz);
                }
            #endif
            #ifdef WOLFSSL_SP_4096
                if (mp_count_bits(&key->p) == 4096) {
                    ret = sp_DhExp_4096(y, priv, privSz, &key->p, agree,
                                        agreeSz);
                }
            #endif
            }
            mp_clear(y);
@@ -2156,6 +2113,18 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
            ret = MP_VAL;
        }
        if ((ret == 0) && ct) {
            word16 mask = 0xff;
            sword16 o = (sword16)(*agreeSz - 1);
            *agreeSz = (word32)(i + 1);
            for (; i >= 0 ; i--) {
                agree[i] = agree[o] & (byte)mask;
                mask = ctMask16LT(0, (int)o);
                o = (sword16)(o + (sword16)mask);
            }
        }
    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
    #if !defined(WOLFSSL_SP_MATH)
        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
@@ -2166,16 +2135,8 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
        return ret;
    }
 #endif
 #endif
 #if !defined(WOLFSSL_SP_MATH)
    if (ct) {
        /* for the constant-time variant, we will probably use more bits in x for
         * the modexp than we read from the private key, and those extra bits need
         * to be zeroed.
         */
        XMEMSET(x, 0, sizeof *x);
    }
    if (mp_init_multi(x, y, z, 0, 0, 0) != MP_OKAY) {
    #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
        XFREE(z, key->heap, DYNAMIC_TYPE_DH);
@@ -2184,6 +2145,14 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
    #endif
        return MP_INIT_E;
    }
 #if defined(WOLFSSL_SP_MATH_ALL)
    if (ct) {
        /* TFM and Integer implementations keep high words zero.
         * SP math implementation needs all words set to zero as it doesn't
         * ensure unused words are zero. */
        mp_forcezero(x);
    }
 #endif
    SAVE_VECTOR_REGISTERS(ret = _svr_ret;);
@@ -2198,12 +2167,24 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
        ret = MP_READ_E;
    if (ret == 0) {
-        if (ct)
+        if (ct) {
-            ret = mp_exptmod_ex(y, x,
+            int bits;
-                                ((int)*agreeSz + DIGIT_BIT - 1) / DIGIT_BIT,
+
            /* x is mod q but if q not available, use p (> q). */
            if (mp_iszero(&key->q) == MP_NO) {
                bits = mp_count_bits(&key->q);
            }
            else {
                bits = mp_count_bits(&key->p);
            }
            /* Exponentiate to the maximum words of a valid x to ensure a
             * constant time operation. */
            ret = mp_exptmod_ex(y, x, (bits + DIGIT_BIT - 1) / DIGIT_BIT,
                                &key->p, z);
-        else
+        }
        else {
            ret = mp_exptmod(y, x, &key->p, z);
        }
        if (ret != MP_OKAY)
            ret = MP_EXPTMOD_E;
    }
@@ -2219,6 +2200,7 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
    if (ret == 0) {
        if (ct) {
            /* Put the secret into a buffer in constant time. */
            ret = mp_to_unsigned_bin_len_ct(z, agree, (int)*agreeSz);
        }
        else {
@@ -2316,7 +2298,8 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
 #else
 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_DH)
    if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_DH) {
-        ret = wc_DhAgree_Async(key, agree, agreeSz, priv, privSz, otherPub, pubSz);
+        ret = wc_DhAgree_Async(key, agree, agreeSz, priv, privSz, otherPub,
                               pubSz);
    }
    else
 #endif
@@ -2332,56 +2315,21 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv,
 int wc_DhAgree_ct(DhKey* key, byte* agree, word32 *agreeSz, const byte* priv,
            word32 privSz, const byte* otherPub, word32 pubSz)
 {
    int ret;
    word32 requested_agreeSz;
 #ifndef WOLFSSL_NO_MALLOC
    byte *agree_buffer = NULL;
 #else
    byte agree_buffer[DH_MAX_SIZE / 8];
 #endif
    if (key == NULL || agree == NULL || agreeSz == NULL || priv == NULL ||
                                                            otherPub == NULL) {
        return BAD_FUNC_ARG;
    }
-    requested_agreeSz = *agreeSz;
+    requested_agreeSz = (word32)mp_unsigned_bin_size(&key->p);
-
+    if (requested_agreeSz > *agreeSz) {
-#ifndef WOLFSSL_NO_MALLOC
+        return BUFFER_E;
    agree_buffer = (byte *)XMALLOC(requested_agreeSz, key->heap,
                                   DYNAMIC_TYPE_DH);
    if (agree_buffer == NULL)
        return MEMORY_E;
 #endif
    XMEMSET(agree_buffer, 0, requested_agreeSz);
    ret = wc_DhAgree_Sync(key, agree_buffer, agreeSz, priv, privSz, otherPub,
                          pubSz, 1);
    if (ret == 0) {
        /* Arrange for correct fixed-length, right-justified key, even if the
         * crypto back end doesn't support it.  This assures that the key is
         * unconditionally agreed correctly.  With some crypto back ends,
         * e.g. heapmath, there are no provisions for actual constant time, but
         * with others the key computation and clamping is constant time, and
         * the unclamping here is also constant time.
         */
        byte *agree_src = agree_buffer + *agreeSz - 1,
            *agree_dst = agree + requested_agreeSz - 1;
        while (agree_dst >= agree) {
            word32 mask = (agree_src >= agree_buffer) - 1U;
            agree_src += (mask & requested_agreeSz);
            *agree_dst-- = *agree_src--;
        }
        *agreeSz = requested_agreeSz;
    }
    *agreeSz = requested_agreeSz;
-#ifndef WOLFSSL_NO_MALLOC
+    return wc_DhAgree_Sync(key, agree, agreeSz, priv, privSz, otherPub, pubSz,
-    XFREE(agree_buffer, key->heap, DYNAMIC_TYPE_DH);
+                           1);
 #endif
    return ret;
 }
 #ifdef WOLFSSL_DH_EXTRA
--- a/wolfcrypt/src/sp_int.c
+++ b/wolfcrypt/src/sp_int.c
@@ -5241,7 +5241,7 @@ int sp_grow(sp_int* a, int l)
 #endif /* (!NO_RSA && !WOLFSSL_RSA_VERIFY_ONLY) || !NO_DH || HAVE_ECC */
 #if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
-    defined(HAVE_ECC)
+    defined(HAVE_ECC) || defined(WOLFSSL_PUBLIC_MP)
 /* Set the multi-precision number to zero.
 *
 * @param  [out]  a  SP integer to set to zero.
@@ -5826,7 +5826,7 @@ int sp_cmp_ct(const sp_int* a, const sp_int* b, unsigned int n)
 #if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
    ((defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_SM2)) && \
-     defined(HAVE_ECC)) || defined(OPENSSL_EXTRA)
+     defined(HAVE_ECC)) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_PUBLIC_MP)
 /* Check if a bit is set
 *
 * When a is NULL, result is 0.
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@@ -4198,6 +4198,58 @@ int fp_to_unsigned_bin(fp_int *a, unsigned char *b)
  return FP_OKAY;
 }
 int fp_to_unsigned_bin_len_ct(fp_int *a, unsigned char *out, int outSz)
 {
  int err = MP_OKAY;
  /* Validate parameters. */
  if ((a == NULL) || (out == NULL) || (outSz < 0)) {
    err = MP_VAL;
  }
 #if DIGIT_BIT > 8
  if (err == MP_OKAY) {
    /* Start at the end of the buffer - least significant byte. */
    int j;
    unsigned int i;
    fp_digit mask = (fp_digit)-1;
    fp_digit d;
    /* Put each digit in. */
    i = 0;
    for (j = outSz - 1; j >= 0; ) {
      unsigned int b;
      d = a->dp[i];
      /* Place each byte of a digit into the buffer. */
      for (b = 0; (j >= 0) && (b < (DIGIT_BIT / 8)); b++) {
        out[j--] = (byte)(d & mask);
        d >>= 8;
      }
      mask &= (fp_digit)0 - (i < (unsigned int)a->used - 1);
      i += (unsigned int)(1 & mask);
    }
  }
 #else
  if ((err == MP_OKAY) && ((unsigned int)outSz < a->used)) {
    err = MP_VAL;
  }
  if (err == MP_OKAY) {
    unsigned int i;
    int j;
    fp_digit mask = (fp_digit)-1;
    i = 0;
    for (j = outSz - 1; j >= 0; j--) {
      out[j] = a->dp[i] & mask;
      mask &= (fp_digit)0 - (i < (unsigned int)a->used - 1);
      i += (unsigned int)(1 & mask);
    }
  }
 #endif
  return err;
 }
 int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c)
 {
 #if DIGIT_BIT == 64 || DIGIT_BIT == 32 || DIGIT_BIT == 16
@@ -4823,6 +4875,11 @@ int mp_to_unsigned_bin (mp_int * a, unsigned char *b)
  return fp_to_unsigned_bin(a,b);
 }
 int mp_to_unsigned_bin_len_ct(mp_int * a, unsigned char *b, int c)
 {
  return fp_to_unsigned_bin_len_ct(a, b, c);
 }
 int mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c)
 {
  return fp_to_unsigned_bin_len(a, b, c);
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -801,7 +801,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t memory_test(void);
     defined(USE_FAST_MATH))
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void);
 #endif
-#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
+#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN) && \
    (!defined(NO_DH) || !defined(NO_DSA)) && !defined(WC_NO_RNG)
 WOLFSSL_TEST_SUBROUTINE wc_test_ret_t prime_test(void);
 #endif
 #if defined(ASN_BER_TO_DER) && \
@@ -2481,7 +2482,8 @@ options: [-s max_relative_stack_bytes] [-m max_relative_heap_memory_bytes]\n\
        TEST_PASS("mp       test passed!\n");
 #endif
-#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN)
+#if defined(WOLFSSL_PUBLIC_MP) && defined(WOLFSSL_KEY_GEN) && \
    (!defined(NO_DH) || !defined(NO_DSA)) && !defined(WC_NO_RNG)
    if ( (ret = prime_test()) != 0)
        TEST_FAIL("prime    test failed!\n", ret);
    else
@@ -23690,37 +23692,6 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dh_test(void)
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
 #if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
            !defined(HAVE_SELFTEST)
    agreeSz = DH_TEST_BUF_SIZE;
    agreeSz2 = DH_TEST_BUF_SIZE;
    ret = wc_DhAgree_ct(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
    if (ret != 0)
        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
    ret = wc_DhAgree_ct(key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
    if (ret != 0)
        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
 #ifdef WOLFSSL_PUBLIC_MP
    if (agreeSz != (word32)mp_unsigned_bin_size(&key->p))
    {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
 #endif
    if (agreeSz != agreeSz2)
    {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
    if (XMEMCMP(agree, agree2, agreeSz) != 0)
    {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
 #endif /* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && !HAVE_SELFTEST */
 #endif /* !WC_NO_RNG */
 #if defined(WOLFSSL_KEY_GEN) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
@@ -23743,6 +23714,34 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t dh_test(void)
    }
 #endif
 #if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(7,0)) && \
            !defined(HAVE_SELFTEST)
    agreeSz = DH_TEST_BUF_SIZE;
    agreeSz2 = DH_TEST_BUF_SIZE;
    ret = wc_DhAgree_ct(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
    if (ret != 0)
        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
    ret = wc_DhAgree_ct(key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz);
    if (ret != 0)
        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
 #ifdef WOLFSSL_PUBLIC_MP
    if (agreeSz != (word32)mp_unsigned_bin_size(&key->p)) {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
 #endif
    if (agreeSz != agreeSz2) {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
    if (XMEMCMP(agree, agree2, agreeSz) != 0) {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
 #endif /* (!HAVE_FIPS || FIPS_VERSION_GE(7,0)) && !HAVE_SELFTEST */
    /* Test DH key import / export */
 #if defined(WOLFSSL_DH_EXTRA) && !defined(NO_FILESYSTEM) && \
        (!defined(HAVE_FIPS) || \
@@ -55539,9 +55538,9 @@ static wc_test_ret_t mp_test_div_3(mp_int* a, mp_int* r, WC_RNG* rng)
 #endif /* WOLFSSL_SP_MATH || !USE_FAST_MATH */
 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \
-    !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
+     !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
    (!defined WOLFSSL_SP_MATH && !defined(WOLFSSL_SP_MATH_ALL) && \
-    (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)))
+     (defined(OPENSSL_EXTRA) || !defined(NO_DSA) || defined(HAVE_ECC)))
 static wc_test_ret_t mp_test_radix_10(mp_int* a, mp_int* r, WC_RNG* rng)
 {
    wc_test_ret_t ret;
@@ -55754,6 +55753,8 @@ static wc_test_ret_t mp_test_shift(mp_int* a, mp_int* r1, WC_RNG* rng)
    return 0;
 }
 #if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \
    (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D))
 static wc_test_ret_t mp_test_add_sub_d(mp_int* a, mp_int* r1)
 {
    int i, j;
@@ -55793,6 +55794,7 @@ static wc_test_ret_t mp_test_add_sub_d(mp_int* a, mp_int* r1)
    return 0;
 }
 #endif
 static wc_test_ret_t mp_test_read_to_bin(mp_int* a)
 {
@@ -55921,7 +55923,8 @@ static wc_test_ret_t mp_test_param(mp_int* a, mp_int* b, mp_int* r, WC_RNG* rng)
    mp_free(NULL);
-#if !defined(WOLFSSL_RSA_VERIFY_ONLY) || !defined(NO_DH) || defined(HAVE_ECC)
+#if (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
    !defined(NO_DH) || defined(HAVE_ECC)
    ret = mp_grow(NULL, 1);
    if (ret != WC_NO_ERR_TRACE(MP_VAL))
        return WC_TEST_RET_ENC_EC(ret);
@@ -56101,8 +56104,8 @@ static wc_test_ret_t mp_test_param(mp_int* a, mp_int* b, mp_int* r, WC_RNG* rng)
    mp_zero(NULL);
-#if !defined(NO_DH) || defined(HAVE_ECC) || defined(WC_RSA_BLINDING) || \
+#if !defined(NO_DH) || defined(HAVE_ECC) || (!defined(NO_RSA) && \
-    !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+    (defined(WC_RSA_BLINDING) || !defined(WOLFSSL_RSA_PUBLIC_ONLY)))
    ret = mp_lshd(NULL, 0);
    if (ret != WC_NO_ERR_TRACE(MP_VAL))
        return WC_TEST_RET_ENC_EC(ret);
@@ -58009,8 +58012,8 @@ static wc_test_ret_t mp_test_exptmod(mp_int* b, mp_int* e, mp_int* m, mp_int* r)
 #endif /* !NO_RSA || !NO_DSA || !NO_DH || (HAVE_ECC && HAVE_COMP_KEY) ||
        * OPENSSL_EXTRA */
-#if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
+#if defined(HAVE_ECC) || \
-    defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
+    (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
 static wc_test_ret_t mp_test_mont(mp_int* a, mp_int* m, mp_int* n, mp_int* r, WC_RNG* rng)
 {
    wc_test_ret_t ret;
@@ -58259,6 +58262,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
         #endif
    #endif
        #if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \
            (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D) && \
             defined(WOLFSSL_SP_INVMOD))
            /* Ensure add digit produce same result as sub digit. */
            ret = mp_add_d(a, d, r1);
            if (ret != 0)
@@ -58275,6 +58281,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
            ret = mp_invmod(a, p, r1);
            if (ret != 0 && ret != WC_NO_ERR_TRACE(MP_VAL))
                ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
        #endif
        #ifndef WOLFSSL_SP_MATH
            /* Shift up and down number all bits in a digit. */
@@ -58293,6 +58300,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
        }
    }
 #if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \
    (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D))
    /* Test adding and subtracting zero from zero. */
    mp_zero(a);
    ret = mp_add_d(a, 0, r1);
@@ -58307,6 +58316,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
    if (!mp_iszero(r2)) {
        ERROR_OUT(WC_TEST_RET_ENC_NC, done);
    }
 #endif
 #if DIGIT_BIT >= 32
    /* Check that setting a 32-bit digit works. */
@@ -58357,9 +58367,9 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
        goto done;
 #endif
 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \
-    !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
+     !defined(WOLFSSL_RSA_VERIFY_ONLY)) || \
    (!defined WOLFSSL_SP_MATH && !defined(WOLFSSL_SP_MATH_ALL) && \
-    (defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)))
+     (defined(OPENSSL_EXTRA) || !defined(NO_DSA) || defined(HAVE_ECC)))
    if ((ret = mp_test_radix_10(a, r1, &rng)) != 0)
        goto done;
 #endif
@@ -58371,8 +58381,11 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
    if ((ret = mp_test_shift(a, r1, &rng)) != 0)
        goto done;
 #if !(defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_SP_MATH)) || \
    (defined(WOLFSSL_SP_ADD_D) && defined(WOLFSSL_SP_SUB_D))
    if ((ret = mp_test_add_sub_d(a, r1)) != 0)
        goto done;
 #endif
    if ((ret = mp_test_read_to_bin(a)) != 0)
        goto done;
 #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
@@ -58427,8 +58440,8 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t mp_test(void)
    if ((ret = mp_test_exptmod(a, b, r1, r2)) != 0)
        goto done;
 #endif
-#if defined(WOLFSSL_SP_MATH_ALL) || defined(WOLFSSL_HAVE_SP_DH) || \
+#if defined(HAVE_ECC) || \
-    defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
+    (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
    if ((ret = mp_test_mont(a, b, r1, r2, &rng)) != 0)
        goto done;
 #endif
@@ -58482,6 +58495,7 @@ typedef struct pairs_t {
 } pairs_t;
 #if (!defined(NO_DH) || !defined(NO_DSA)) && !defined(WC_NO_RNG)
 /*
 n =p1p2p3, where pi = ki(p1-1)+1 with (k2,k3) = (173,293)
 p1 = 2^192 * 0x000000000000e24fd4f6d6363200bf2323ec46285cac1d3a
@@ -58796,6 +58810,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t prime_test(void)
    return ret;
 }
 #endif
 #endif /* WOLFSSL_PUBLIC_MP */
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2901,7 +2901,7 @@ extern void uITRON4_free(void *p) ;
 /* Determine when mp_read_radix with a radix of 10 is required. */
 #if (defined(WOLFSSL_SP_MATH_ALL) && !defined(NO_RSA) && \
    !defined(WOLFSSL_RSA_VERIFY_ONLY)) || defined(HAVE_ECC) || \
-    !defined(NO_DSA) || defined(OPENSSL_EXTRA)
+    !defined(NO_DSA) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_PUBLIC_MP)
    #define WOLFSSL_SP_READ_RADIX_16
 #endif
@@ -2914,7 +2914,7 @@ extern void uITRON4_free(void *p) ;
 /* Determine when mp_invmod is required. */
 #if defined(HAVE_ECC) || !defined(NO_DSA) || defined(OPENSSL_EXTRA) || \
    (!defined(NO_RSA) && !defined(WOLFSSL_RSA_VERIFY_ONLY) && \
-     !defined(WOLFSSL_RSA_PUBLIC_ONLY))
+     !defined(WOLFSSL_RSA_PUBLIC_ONLY)) || defined(OPENSSL_EXTRA)
    #define WOLFSSL_SP_INVMOD
 #endif
--- a/wolfssl/wolfcrypt/tfm.h
+++ b/wolfssl/wolfcrypt/tfm.h
@@ -725,6 +725,7 @@ int fp_leading_bit(fp_int *a);
 int fp_unsigned_bin_size(const fp_int *a);
 int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c);
 int fp_to_unsigned_bin(fp_int *a, unsigned char *b);
 int fp_to_unsigned_bin_len_ct(fp_int *a, unsigned char *b, int c);
 int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c);
 int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b);
@@ -847,7 +848,7 @@ MP_API int  mp_unsigned_bin_size(const mp_int * a);
 MP_API int  mp_read_unsigned_bin (mp_int * a, const unsigned char *b, int c);
 MP_API int  mp_to_unsigned_bin_at_pos(int x, mp_int *t, unsigned char *b);
 MP_API int  mp_to_unsigned_bin (mp_int * a, unsigned char *b);
-#define mp_to_unsigned_bin_len_ct   mp_to_unsigned_bin_len
+MP_API int  mp_to_unsigned_bin_len_ct(mp_int * a, unsigned char *b, int c);
 MP_API int  mp_to_unsigned_bin_len(mp_int * a, unsigned char *b, int c);
 MP_API int  mp_sub_d(fp_int *a, fp_digit b, fp_int *c);