Curve25519: add blinding when using private key

XOR in random value to scalar and perform special scalar multiplication. Multiply x3 and z3 by random value to randomize co-ordinates. Add new APIs to support passing in an RNG. Old APIs create a new RNG. Only needed for the C implementations that are not small. Modified TLS and OpenSSL compat API implementations to pass in RNG. Fixed tests and benchmark program to pass in RNG.
2026-01-30 02:42:13 +01:00 · 2025-01-29 21:41:31 +10:00
parent 45b385ade3
commit bb84ebfd7a
12 changed files with 410 additions and 23 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -6054,8 +6054,14 @@ static int X25519SharedSecret(WOLFSSL* ssl, curve25519_key* priv_key,
    else
 #endif
    {
-        ret = wc_curve25519_shared_secret_ex(priv_key, pub_key, out, outlen,
-                                             EC25519_LITTLE_ENDIAN);
+    #ifdef WOLFSSL_CURVE25519_BLINDING
+        ret = wc_curve25519_set_rng(priv_key, ssl->rng);
+        if (ret == 0)
+    #endif
+        {
+            ret = wc_curve25519_shared_secret_ex(priv_key, pub_key, out, outlen,
+                                                 EC25519_LITTLE_ENDIAN);
+        }
    }

    /* Handle async pending response */
--- a/src/pk.c
+++ b/src/pk.c
@@ -14663,6 +14663,13 @@ int wolfSSL_EC25519_shared_key(unsigned char *shared, unsigned int *sharedSz,
        res = 0;
    }
    if (res) {
+    #ifdef WOLFSSL_CURVE25519_BLINDING
+        /* An RNG is needed. */
+        if (wc_curve25519_set_rng(&privkey, wolfssl_make_global_rng()) != 0) {
+            res = 0;
+        }
+        else
+    #endif
        /* Initialize public key object. */
        if (wc_curve25519_init(&pubkey) != MP_OKAY) {
            WOLFSSL_MSG("wc_curve25519_init pubkey failed");
--- a/src/tls.c
+++ b/src/tls.c
@@ -8577,7 +8577,11 @@ static int TLSX_KeyShare_ProcessX25519(WOLFSSL* ssl,

    if (ret == 0) {
        ssl->ecdhCurveOID = ECC_X25519_OID;
-
+    #ifdef WOLFSSL_CURVE25519_BLINDING
+        ret = wc_curve25519_set_rng(key, ssl->rng);
+    }
+    if (ret == 0) {
+    #endif
        ret = wc_curve25519_shared_secret_ex(key, peerX25519Key,
                                                   ssl->arrays->preMasterSecret,
                                                   &ssl->arrays->preMasterSz,