Merge pull request #8736 from JacobBarthelmeh/build

adjust default build with curve25519

wolfcrypt/src/curve25519.c

@@ -194,11 +194,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
         if (ret < 0) {
             return ret;
         }
-        for (i = CURVE25519_KEYSIZE; i > 0; i--) {
+        for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
             if (rz[i] != 0xff)
                 break;
         }
-        if ((i != 0) || (rz[0] <= 0xec)) {
+        if ((i >= 0) || (rz[0] <= 0xec)) {
             break;
         }
     }
@@ -212,11 +212,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
         return ret;
     a[CURVE25519_KEYSIZE-1] &= 0x7f;
     /* k' = k ^ 2k ^ a */
-    n_a[0] = n[0] ^ (n[0] << 1) ^ a[0];
+    n_a[0] = n[0] ^ (byte)(n[0] << 1) ^ a[0];
     for (i = 1; i < CURVE25519_KEYSIZE; i++) {
         byte b1, b2, b3;
         b1 = n[i] ^ a[i];
-        b2 = (n[i] << 1) ^ a[i];
+        b2 = (byte)(n[i] << 1) ^ a[i];
         b3 = (n[i-1] >> 7) ^ a[i];
         n_a[i] = b1 ^ b2 ^ b3;
     }
@@ -422,6 +422,9 @@ int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
         ret = wc_curve25519_make_pub_blind((int)sizeof(key->p.point),
                                            key->p.point, (int)sizeof(key->k),
                                            key->k, rng);
+        if (ret == 0) {
+            ret = wc_curve25519_set_rng(key, rng);
+        }
 #else
         ret = wc_curve25519_make_pub((int)sizeof(key->p.point), key->p.point,
                                      (int)sizeof(key->k), key->k);

wolfcrypt/src/hpke.c

@@ -987,7 +987,7 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
     word16 pubKeySz, byte* sharedSecret)
 {
     int ret;
-#ifdef ECC_TIMING_RESISTANT
+#if defined(ECC_TIMING_RESISTANT) || defined(WOLFSSL_CURVE25519_BLINDING)
     WC_RNG* rng;
 #endif
     word32 dh_len;
@@ -1052,9 +1052,22 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
 #endif
 #if defined(HAVE_CURVE25519)
             case DHKEM_X25519_HKDF_SHA256:
+            #ifdef WOLFSSL_CURVE25519_BLINDING
+                rng = wc_rng_new(NULL, 0, hpke->heap);
+
+                if (rng == NULL) {
+                    ret = RNG_FAILURE_E;
+                    break;
+                }
+
+                wc_curve25519_set_rng((curve25519_key*)receiverKey, rng);
+            #endif
                 ret = wc_curve25519_shared_secret_ex(
                     (curve25519_key*)receiverKey, (curve25519_key*)ephemeralKey,
                     dh, &dh_len, EC25519_LITTLE_ENDIAN);
+            #ifdef WOLFSSL_CURVE25519_BLINDING
+                wc_rng_free(rng);
+            #endif
                 break;
 #endif
             case DHKEM_X448_HKDF_SHA512:

wolfssl/wolfcrypt/settings.h

@@ -3800,6 +3800,14 @@ extern void uITRON4_free(void *p) ;
     #define WOLFSSL_ALERT_COUNT_MAX 5
 #endif
 
+/* Enable blinding by default for C-only, non-small curve25519 implementation */
+#if defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL) && \
+    !defined(FREESCALE_LTC_ECC) && !defined(WOLFSSL_ARMASM) && \
+    !defined(USE_INTEL_SPEEDUP) && \
+    !defined(WOLFSSL_CURVE25519_BLINDING) && !defined(NO_CURVE25519_BLINDING)
+    #define WOLFSSL_CURVE25519_BLINDING
+#endif
+
 /* warning for not using harden build options (default with ./configure) */
 /* do not warn if big integer support is disabled */
 #if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)

wrapper/CSharp/user_settings.h

@@ -60,6 +60,9 @@
 #define HAVE_ED25519
 #define HAVE_CURVE25519
 
+/* C# wrapper has ephemeral RNG when creating curve25519 key */
+#define NO_CURVE25519_BLINDING
+
 #define HAVE_AESGCM
 #define WOLFSSL_AESGCM_STREAM
 #define WOLFSSL_SHA384