diff --git a/wolfcrypt/src/curve25519.c b/wolfcrypt/src/curve25519.c
index ae2a6b427..789db3fa2 100644
--- a/wolfcrypt/src/curve25519.c
+++ b/wolfcrypt/src/curve25519.c
@@ -194,11 +194,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
 if (ret < 0) {
 return ret;
 }
- for (i = CURVE25519_KEYSIZE; i > 0; i--) {
+ for (i = CURVE25519_KEYSIZE - 1; i >= 0; i--) {
 if (rz[i] != 0xff)
 break;
 }
- if ((i != 0) || (rz[0] <= 0xec)) {
+ if ((i >= 0) || (rz[0] <= 0xec)) {
 break;
 }
 }
@@ -212,11 +212,11 @@ static int curve25519_smul_blind(byte* rp, const byte* n, const byte* p,
 return ret;
 a[CURVE25519_KEYSIZE-1] &= 0x7f;
 /* k' = k ^ 2k ^ a */
- n_a[0] = n[0] ^ (n[0] << 1) ^ a[0];
+ n_a[0] = n[0] ^ (byte)(n[0] << 1) ^ a[0];
 for (i = 1; i < CURVE25519_KEYSIZE; i++) {
 byte b1, b2, b3;
 b1 = n[i] ^ a[i];
- b2 = (n[i] << 1) ^ a[i];
+ b2 = (byte)(n[i] << 1) ^ a[i];
 b3 = (n[i-1] >> 7) ^ a[i];
 n_a[i] = b1 ^ b2 ^ b3;
 }
@@ -422,6 +422,9 @@ int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
 ret = wc_curve25519_make_pub_blind((int)sizeof(key->p.point), key->p.point, (int)sizeof(key->k), key->k, rng);
+ if (ret == 0) {
+ ret = wc_curve25519_set_rng(key, rng);
+ }
 #else
 ret = wc_curve25519_make_pub((int)sizeof(key->p.point), key->p.point, (int)sizeof(key->k), key->k);
diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c
index 8ce209fa7..b9252845e 100644
--- a/wolfcrypt/src/hpke.c
+++ b/wolfcrypt/src/hpke.c
@@ -987,7 +987,7 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
 word16 pubKeySz, byte* sharedSecret)
 {
 int ret;
-#ifdef ECC_TIMING_RESISTANT
+#if defined(ECC_TIMING_RESISTANT) || defined(WOLFSSL_CURVE25519_BLINDING)
 WC_RNG* rng;
 #endif
 word32 dh_len;
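Review bot: With the loop now running down to index 0, the `rz[0] <= 0xec` clause on the changed `if` can no longer have any effect: when the loop exits with `i == -1` every byte including `rz[0]` is 0xff, and when it breaks at `i == 0` the value is accepted by `i >= 0` whatever `rz[0]` holds. The old code rejected any value whose upper bytes were all 0xff and whose low byte exceeded 0xec (while also reading one element past a `CURVE25519_KEYSIZE`-byte `rz`, which the commit rightly fixes); the new code rejects only the all-0xff value. If that range rejection was intended, the loop should stop above the low byte: `for (i = CURVE25519_KEYSIZE - 1; i > 0; i--) {` together with `if ((i > 0) || (rz[0] <= 0xec)) {`. The enclosing retry loop and curve25519_smul_blind continue outside the hunk.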
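Review bot: Storing the caller's `rng` in the key via `wc_curve25519_set_rng(key, rng)` makes the key hold a pointer the caller owns, so the RNG now has to outlive the key (or be replaced with another `wc_curve25519_set_rng()` call) before any later blinded operation on it; nothing in the hunk documents that, and the `NO_CURVE25519_BLINDING` opt-out added for the C# wrapper in the same commit suggests at least one caller creates a short-lived RNG here. I would add a comment at the new `if (ret == 0) {` block, e.g. `/* Key keeps a pointer to rng for blinded operations: rng must outlive the key or be reset via wc_curve25519_set_rng(). */`, and state the same requirement in the public documentation of wc_curve25519_make_key. wc_curve25519_make_key starts and ends outside the hunk.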
@@ -1052,9 +1052,22 @@ static int wc_HpkeDecap(Hpke* hpke, void* receiverKey, const byte* pubKey,
 #endif
 #if defined(HAVE_CURVE25519)
 case DHKEM_X25519_HKDF_SHA256:
+ #ifdef WOLFSSL_CURVE25519_BLINDING
+ rng = wc_rng_new(NULL, 0, hpke->heap);
+
+ if (rng == NULL) {
+ ret = RNG_FAILURE_E;
+ break;
+ }
+
+ wc_curve25519_set_rng((curve25519_key*)receiverKey, rng);
+ #endif
 ret = wc_curve25519_shared_secret_ex(
 (curve25519_key*)receiverKey, (curve25519_key*)ephemeralKey, dh, &dh_len, EC25519_LITTLE_ENDIAN);
+ #ifdef WOLFSSL_CURVE25519_BLINDING
+ wc_rng_free(rng);
+ #endif
 break;
 #endif
 case DHKEM_X448_HKDF_SHA512:
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index a1c08177f..1bf1ee613 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -3800,6 +3800,14 @@ extern void uITRON4_free(void *p) ;
 #define WOLFSSL_ALERT_COUNT_MAX 5
 #endif
+/* Enable blinding by default for C-only, non-small curve25519 implementation */
+#if defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL) && \
+ !defined(FREESCALE_LTC_ECC) && !defined(WOLFSSL_ARMASM) && \
+ !defined(USE_INTEL_SPEEDUP) && \
+ !defined(WOLFSSL_CURVE25519_BLINDING) && !defined(NO_CURVE25519_BLINDING)
+ #define WOLFSSL_CURVE25519_BLINDING
+#endif
+
 /* warning for not using harden build options (default with ./configure) */
 /* do not warn if big integer support is disabled */
 #if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)
diff --git a/wrapper/CSharp/user_settings.h b/wrapper/CSharp/user_settings.h
index 21fb7b11c..98d840f77 100644
--- a/wrapper/CSharp/user_settings.h
+++ b/wrapper/CSharp/user_settings.h
@@ -60,6 +60,9 @@
 #define HAVE_ED25519
 #define HAVE_CURVE25519
+/* C# wrapper has ephemeral RNG when creating curve25519 key */
+#define NO_CURVE25519_BLINDING
+
 #define HAVE_AESGCM
 #define WOLFSSL_AESGCM_STREAM
 #define WOLFSSL_SHA384
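Review bot: The return value of `wc_curve25519_set_rng((curve25519_key*)receiverKey, rng)` is dropped (the same call is checked in wc_curve25519_make_key elsewhere in this commit), so a failure there lets the shared-secret computation proceed with whatever rng pointer the key held before. The later `wc_rng_free(rng)` also leaves `receiverKey` pointing at the freed RNG, and receiverKey is the caller's key, so a subsequent blinded operation on it would use freed memory unless the key's rng is reset first. I would check the setter and clear the key's rng before freeing, as below — this assumes `wc_curve25519_set_rng()` accepts a NULL rng; if it does not, the previously configured pointer should be restored instead. wc_HpkeDecap and its switch continue outside the hunk, so the ECC_TIMING_RESISTANT path that shares the `rng` variable could not be checked for a double assignment.
```c
            #ifdef WOLFSSL_CURVE25519_BLINDING
            rng = wc_rng_new(NULL, 0, hpke->heap);
            if (rng == NULL) {
                ret = RNG_FAILURE_E;
                break;
            }
            ret = wc_curve25519_set_rng((curve25519_key*)receiverKey, rng);
            if (ret != 0) {
                wc_rng_free(rng);
                break;
            }
            #endif
            /* … unchanged: wc_curve25519_shared_secret_ex() call … */
            #ifdef WOLFSSL_CURVE25519_BLINDING
            /* do not leave the caller's key pointing at the RNG freed below */
            wc_curve25519_set_rng((curve25519_key*)receiverKey, NULL);
            wc_rng_free(rng);
            #endif
```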
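Review bot: The new block turns blinding on for every C-only build, but the opt-out it honours, `NO_CURVE25519_BLINDING`, appears only inside the condition and is explained nowhere, and enabling it changes what callers of wc_curve25519_make_key must do with the RNG they pass in (the key keeps it, per the curve25519.c hunk in this commit). I would extend the comment: `/* Enable blinding by default for the C-only, non-small curve25519 implementation. Define NO_CURVE25519_BLINDING to opt out, e.g. when the RNG passed to wc_curve25519_make_key() does not outlive the key. */`. The surrounding settings are outside the hunk, so I could not check whether other accelerated backends also need to be excluded from the default.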