From 9e90eb8843ea0231398489f9e8d0dc87e29c194a Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Fri, 4 Jul 2025 13:12:11 -0700
Subject: [PATCH 1/2] RSA FIPS decode fix and empty keygen OID
---
 scripts/utils-wolfssl.sh | 11 +++++++++--
 src/wp_dh_kmgmt.c | 7 +++++--
 src/wp_internal.c | 2 ++
 src/wp_rsa_kmgmt.c | 2 +-
 4 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/scripts/utils-wolfssl.sh b/scripts/utils-wolfssl.sh
index f156a022..4e8f20a8 100755
--- a/scripts/utils-wolfssl.sh
+++ b/scripts/utils-wolfssl.sh
@@ -27,10 +27,12 @@ WOLFSSL_SOURCE_DIR=${SCRIPT_DIR}/../wolfssl-source
 WOLFSSL_INSTALL_DIR=${SCRIPT_DIR}/../wolfssl-install
 WOLFSSL_ISFIPS=${WOLFSSL_ISFIPS:-0}
 WOLFSSL_FIPS_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-opensslcoexist '}
-WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include"}
+WOLFSSL_FIPS_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWOLFSSL_OLD_OID_SUM"}
 WOLFSSL_CONFIG_OPTS=${WOLFSSL_CONFIG_OPTS:-'--enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha'}
 WOLFSSL_CONFIG_CFLAGS=${WOLFSSL_CONFIG_CFLAGS:-"-I${OPENSSL_INSTALL_DIR}/include -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM "}
+WOLFSSL_DEBUG_ASN_TEMPLATE=${DWOLFSSL_DEBUG_ASN_TEMPLATE:-0}
+WOLFPROV_DISABLE_ERR_TRACE=${WOLFPROV_DISABLE_ERR_TRACE:-0}
 WOLFPROV_DEBUG=${WOLFPROV_DEBUG:-0}
 USE_CUR_TAG=${USE_CUR_TAG:-0}
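Review bot: The new default for `WOLFSSL_DEBUG_ASN_TEMPLATE` reads a different variable, `DWOLFSSL_DEBUG_ASN_TEMPLATE`, so a caller who exports `WOLFSSL_DEBUG_ASN_TEMPLATE=1` has it reset to 0 and the ASN template flag added later in install_wolfssl() never takes effect. The neighbouring `WOLFPROV_DISABLE_ERR_TRACE` and `WOLFPROV_DEBUG` lines default from their own name, so this looks like a stray `D` carried over from the `-D` compiler flag; suggest `WOLFSSL_DEBUG_ASN_TEMPLATE=${WOLFSSL_DEBUG_ASN_TEMPLATE:-0}`. Separately, `-DWOLFSSL_OLD_OID_SUM` is added only inside the default of `WOLFSSL_FIPS_CONFIG_CFLAGS`, and that default is keyed on `WOLFSSL_CONFIG_CFLAGS`, so a caller who supplies their own CFLAGS builds FIPS without the define; a one-line comment saying the FIPS decode path depends on it would make that visible.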
@@ -84,12 +86,17 @@ install_wolfssl() {
 if [ "$WOLFPROV_DEBUG" = "1" ]; then
 CONF_ARGS+=" --enable-debug --enable-keylog-export"
- if [[ "$OSTYPE" != "darwin"* ]]; then
+ if [[ "$OSTYPE" != "darwin"* ]] && [ "$WOLFPROV_DISABLE_ERR_TRACE" != "1" ]; then
 # macOS doesn't support backtrace
 CONF_ARGS+=" --enable-debug-trace-errcodes=backtrace"
 fi
 WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_LOGGINGENABLED_DEFAULT=1"
 fi
+ if [ "$WOLFSSL_DEBUG_ASN_TEMPLATE" = "1" ] && ( [ "$WOLFSSL_ISFIPS" != "1" ] || [ -z "$WOLFSSL_FIPS_BUNDLE" ] ); then
+ WOLFSSL_CONFIG_CFLAGS+=" -DWOLFSSL_DEBUG_ASN_TEMPLATE"
+ elif [ "$WOLFSSL_DEBUG_ASN_TEMPLATE" = "1" ] && ( [ "$WOLFSSL_ISFIPS" = "1" ] || [ -n "$WOLFSSL_FIPS_BUNDLE" ] ); then
+ WOLFSSL_FIPS_CONFIG_CFLAGS+=" -DWOLFSSL_DEBUG_ASN_TEMPLATE"
+ fi
 if [ -n "$WOLFSSL_FIPS_BUNDLE" ]; then
 if [ ! -n "$WOLFSSL_FIPS_VERSION" ]; then
 printf "ERROR, must specify version if using FIPS bundle (v5, v6, ready)"
diff --git a/src/wp_dh_kmgmt.c b/src/wp_dh_kmgmt.c
index 7dd0408b..8358dbe7 100644
--- a/src/wp_dh_kmgmt.c
+++ b/src/wp_dh_kmgmt.c
@@ -2529,9 +2529,10 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 OSSL_PASSPHRASE_CALLBACK *pwCb, void *pwCbArg)
 {
 int ok = 1;
+ BIO* out = NULL;
 #if (LIBWOLFSSL_VERSION_HEX >= 0x05000000 && defined(WOLFSSL_DH_EXTRA))
 int rc;
- BIO* out = wp_corebio_get_bio(ctx->provCtx, cBio);
+ out = wp_corebio_get_bio(ctx->provCtx, cBio);
 unsigned char* keyData = NULL;
 size_t keyLen;
 unsigned char* derData = NULL;
@@ -2665,7 +2666,9 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 (void)pwCbArg;
 #endif
- BIO_free(out);
+ if (out != NULL) {
+ BIO_free(out);
+ }
 WOLFPROV_LEAVE(WP_LOG_KE, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
 return ok;
 }
diff --git a/src/wp_internal.c b/src/wp_internal.c
index 9405f15f..55f8a6f8 100644
--- a/src/wp_internal.c
+++ b/src/wp_internal.c
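Review bot: The two ASN-template branches overlap, because the first condition joins its tests with `||`: it is already true when `WOLFSSL_ISFIPS` is 1 and no bundle is set, and when a bundle is set and `WOLFSSL_ISFIPS` is not 1, so the `elif` is reached only when both are set. If the intent is that a non-FIPS build extends `WOLFSSL_CONFIG_CFLAGS` and any FIPS build extends `WOLFSSL_FIPS_CONFIG_CFLAGS`, the first test should be `[ "$WOLFSSL_ISFIPS" != "1" ] && [ -z "$WOLFSSL_FIPS_BUNDLE" ]` and the second branch a plain `else`; which variable each build path actually consumes is outside this hunk, so please confirm there. Each `( … )` group also starts a subshell, which `{ …; }` would avoid. A short comment that `--enable-keylog-export` and the ASN template tracing are diagnostic options intended for development builds would help anyone reusing this script for a release or FIPS build.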
@@ -573,6 +573,7 @@ int wp_cipher_from_params(const OSSL_PARAM params[], int* cipher,
 }
 #ifndef WOLFSSL_ENCRYPTED_KEYS
+#ifdef WP_HAVE_MD5
 /*
 * wolfProvider version of EncryptedInfo.
 */
@@ -695,6 +696,7 @@ static int wp_BufferKeyEncrypt(wp_EncryptedInfo* info, byte* der, word32 derSz,
 return ret;
 }
+#endif /* WP_HAVE_MD5 */
 #endif /* WOLFSSL_ENCRYPTED_KEYS */
 /**
diff --git a/src/wp_rsa_kmgmt.c b/src/wp_rsa_kmgmt.c
index e8c6e6b1..92d4a9dd 100644
--- a/src/wp_rsa_kmgmt.c
+++ b/src/wp_rsa_kmgmt.c
@@ -2167,7 +2167,7 @@ static int wp_rsa_decode_pki(wp_Rsa* rsa, unsigned char* data, word32 len)
 if (rc != 0) {
 ok = 0;
 }
-#if LIBWOLFSSL_VERSION_HEX < 0x05000000
+#if LIBWOLFSSL_VERSION_HEX < 0x05000000 || defined(HAVE_FIPS)
 if (!ok) {
 idx = 0;
 rc = wc_GetPkcs8TraditionalOffset(data, &idx, len);
From ebd84143d52b9d60467e036351f32f49dd7bcad6 Mon Sep 17 00:00:00 2001
From: Aidan Garske
Date: Wed, 9 Jul 2025 13:09:59 -0700
Subject: [PATCH 2/2] Move bio in gate so no need for null check
---
 src/wp_dh_kmgmt.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/wp_dh_kmgmt.c b/src/wp_dh_kmgmt.c
index 8358dbe7..2e407f3b 100644
--- a/src/wp_dh_kmgmt.c
+++ b/src/wp_dh_kmgmt.c
@@ -2529,10 +2529,9 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 OSSL_PASSPHRASE_CALLBACK *pwCb, void *pwCbArg)
 {
 int ok = 1;
- BIO* out = NULL;
 #if (LIBWOLFSSL_VERSION_HEX >= 0x05000000 && defined(WOLFSSL_DH_EXTRA))
 int rc;
- out = wp_corebio_get_bio(ctx->provCtx, cBio);
+ BIO* out = wp_corebio_get_bio(ctx->provCtx, cBio);
 unsigned char* keyData = NULL;
 size_t keyLen;
 unsigned char* derData = NULL;
@@ -2656,6 +2655,8 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 OPENSSL_free(pemData);
 }
 OPENSSL_free(cipherInfo);
+
+ BIO_free(out);
 #else
 (void)ctx;
 (void)cBio;
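Review bot: Wrapping `wp_EncryptedInfo` and `wp_BufferKeyEncrypt` in `#ifdef WP_HAVE_MD5` removes them from builds without MD5, but their call sites are outside this hunk, so it is not visible whether they carry the same guard or what an encrypted-key export does in that configuration. If a caller is compiled out together with the helper, the encode path should return an error when a cipher was requested rather than continue and write the key unencrypted; please confirm that is what happens. A comment on the new guard saying why MD5 is required would help, for example `/* Key encryption below needs MD5 for key derivation; compiled out when MD5 is unavailable. */` if that is indeed the reason. The matching `#endif /* WP_HAVE_MD5 */` is added in the following hunk of this file.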
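Review bot: The PKCS#8 fallback in wp_rsa_decode_pki is now compiled for every FIPS build, but nothing at the `#if` says why, and the retry runs only after the first decode has already failed on the same buffer. Suggest a comment above the condition such as `/* FIPS wolfSSL may reject the PKCS#8 wrapper in the decode above; strip it and retry. */`, worded to match the actual reason. Because `data` is key material handed in by the caller, the lines after `rc = wc_GetPkcs8TraditionalOffset(data, &idx, len);` should treat a negative `rc` as failure and not use `idx` in that case. That code continues outside the hunk, so this is a request to confirm rather than a finding.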
@@ -2666,9 +2667,6 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
 (void)pwCbArg;
 #endif
- if (out != NULL) {
- BIO_free(out);
- }
 WOLFPROV_LEAVE(WP_LOG_KE, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
 return ok;
 }