Merge pull request #9275 from SparkiDev/xtensa_ct_x25519

Xtensa: mitigate potential non-CT assembly output

.wolfssl_known_macro_extras

@@ -428,6 +428,7 @@ NO_WOLFSSL_AUTOSAR_CRYPTO
 NO_WOLFSSL_AUTOSAR_CSM
 NO_WOLFSSL_BASE64_DECODE
 NO_WOLFSSL_BN_CTX
+NO_WOLFSSL_CURVE25519_BLINDING
 NO_WOLFSSL_MSG_EX
 NO_WOLFSSL_RENESAS_FSPSM_AES
 NO_WOLFSSL_RENESAS_FSPSM_HASH
@@ -1079,6 +1080,7 @@ __svr4__
 __thumb__
 __ti__
 __x86_64__
+__xtensa__
 byte
 configTICK_RATE_HZ
 fallthrough

wolfssl/wolfcrypt/settings.h

@@ -2708,6 +2708,22 @@ extern void uITRON4_free(void *p) ;
     #endif
 #endif
 
+#if defined(__xtensa__)
+    /* Compilers for Xtensa have been seen to compile C code into
+     * non-constant time assembly code. The small implementation is not known
+     * to have these issues. */
+    #undef CURVE25519_SMALL
+    #define CURVE25519_SMALL
+    #undef ED25519_SMALL
+    #define ED25519_SMALL
+    #undef CURVE448_SMALL
+    #define CURVE448_SMALL
+    #undef ED448_SMALL
+    #define ED448_SMALL
+    #warning "Contact wolfSSL support for a fast implementation that is " \
+             "constant time"
+#endif
+
 #if defined(NO_WC_SSIZE_TYPE) || defined(ssize_t)
     /* ssize_t comes from system headers or user_settings.h */
 #elif defined(WC_SSIZE_TYPE)