Improvements to increase number of iterations for each.

Author: dgarske

.github/workflows/os-check.yml

@@ -81,6 +81,7 @@ jobs:
           '--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
           '--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
           '--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
+          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock --disable-examples CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'
@@ -124,6 +125,7 @@ jobs:
         user-settings: [
           # Add new user_settings.h here
           'examples/configs/user_settings_eccnonblock.h',
+          'examples/configs/user_settings_curve25519nonblock.h',
           'examples/configs/user_settings_min_ecc.h',
           'examples/configs/user_settings_wolfboot_keytools.h',
           'examples/configs/user_settings_wolftpm.h',

examples/configs/README.md

@@ -10,6 +10,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 *.`user_settings_EBSnet.h`: Example configuration file for use with EBSnet ports.
 * `user_settings_fipsv2.h`: The FIPS v2 (3389) 140-2 certificate build options.
 * `user_settings_fipsv5.h`: The FIPS v5 (ready) 140-3 build options. Equivalent to `./configure --enable-fips=v5-dev`.
+* `user_settings_curve25519nonblock.h`: Example Curve25519 (X25519) non-blocking configuration.
 * `user_settings_min_ecc.h`: This is ECC and SHA-256 only. For ECC verify only add `BUILD_VERIFY_ONLY`.
 * `user_settings_platformio.h`: An example for PlatformIO library. See also [platformio/wolfssl](https://registry.platformio.org/libraries/wolfssl/wolfssl)
 * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.

examples/configs/user_settings_curve25519nonblock.h

@@ -0,0 +1,88 @@
+/* user_settings_curve25519nonblock.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Example wolfSSL user_settings.h file for Curve25519 (X25519) non-blocking.
+ * See doc/dox_comments/header_files/curve25519.h wc_curve25519_set_nonblock.
+ */
+
+/* Settings based on this configure:
+./configure --enable-curve25519=nonblock --enable-ecc=nonblock \
+    --enable-sp=yes,nonblock \
+    CFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"
+*/
+
+/* Tested using:
+cp ./examples/configs/user_settings_curve25519nonblock.h user_settings.h
+./configure --enable-usersettings --enable-debug --disable-examples
+make
+./wolfcrypt/test/testwolfcrypt
+*/
+
+/* Example test results:
+CURVE25519 non-block key gen: 1273 times
+CURVE25519 non-block shared secret: 1275 times
+CURVE25519 test passed!
+*/
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Features */
+#define WOLFCRYPT_ONLY
+#define WOLFSSL_ASN_TEMPLATE
+#define WOLFSSL_PUBLIC_MP /* expose mp_ math API's */
+#define HAVE_HASHDRBG
+
+/* Curve25519 (X25519) */
+#define HAVE_CURVE25519
+#define CURVE25519_SMALL
+#define WC_X25519_NONBLOCK
+
+/* Debugging */
+#if 1
+    #undef  DEBUG_WOLFSSL
+    #define DEBUG_WOLFSSL
+    #define WOLFSSL_DEBUG_NONBLOCK
+#endif
+
+/* Disabled algorithms */
+#define NO_OLD_TLS
+#define NO_RSA
+#define NO_DH
+#define NO_PSK
+#define NO_MD4
+#define NO_MD5
+#define NO_SHA
+#define NO_DSA
+#define NO_DES3
+#define NO_RC4
+#define WOLFSSL_NO_SHAKE128
+#define WOLFSSL_NO_SHAKE256
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */

wolfcrypt/src/curve25519.c

@@ -69,6 +69,11 @@
     #endif
 #endif
 
+#if defined(WOLFSSL_CURVE25519_BLINDING)
+WOLFSSL_LOCAL int curve25519_blind(byte* q, const byte* n, const byte* mask,
+    const byte* p, const byte* rz);
+#endif
+
 #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && !defined(USE_INTEL_SPEEDUP)
     /* force off unneeded vector register save/restore. */
     #undef SAVE_VECTOR_REGISTERS

wolfcrypt/src/fe_low_mem.c

@@ -191,27 +191,64 @@ int fe_inv__distinct_nb(byte *r, const byte *x, fe_inv__distinct_nb_ctx_t* ctx)
             fe_mul__distinct(ctx->s, x, x);
             fe_mul__distinct(r, ctx->s, x);
             ctx->i = 0;
+            ctx->subState = 0;
             ctx->state = 1;
             break;
         case 1:
-            if ((ctx->i)++ < 248) {
-                fe_mul__distinct(ctx->s, r, r);
-                fe_mul__distinct(r, ctx->s, x);
+            if (ctx->i < 248) {
+                if (ctx->subState == 0) {
+                    fe_mul__distinct(ctx->s, r, r);
+                    ctx->subState = 1;
+                }
+                else {
+                    fe_mul__distinct(r, ctx->s, x);
+                    ctx->subState = 0;
+                    ++(ctx->i);
+                }
             }
             else {
                 ctx->state = 2;
+                ctx->subState = 0;
             }
             break;
         case 2:
-            fe_mul__distinct(ctx->s, r, r);
-            fe_mul__distinct(r, ctx->s, ctx->s);
-            fe_mul__distinct(ctx->s, r, x);
-            fe_mul__distinct(r, ctx->s, ctx->s);
-            fe_mul__distinct(ctx->s, r, r);
-            fe_mul__distinct(r, ctx->s, x);
-            fe_mul__distinct(ctx->s, r, r);
-            fe_mul__distinct(r, ctx->s, x);
-            ret = 0;
+            switch (ctx->subState) {
+                case 0:
+                    fe_mul__distinct(ctx->s, r, r);
+                    ctx->subState = 1;
+                    break;
+                case 1:
+                    fe_mul__distinct(r, ctx->s, ctx->s);
+                    ctx->subState = 2;
+                    break;
+                case 2:
+                    fe_mul__distinct(ctx->s, r, x);
+                    ctx->subState = 3;
+                    break;
+                case 3:
+                    fe_mul__distinct(r, ctx->s, ctx->s);
+                    ctx->subState = 4;
+                    break;
+                case 4:
+                    fe_mul__distinct(ctx->s, r, r);
+                    ctx->subState = 5;
+                    break;
+                case 5:
+                    fe_mul__distinct(r, ctx->s, x);
+                    ctx->subState = 6;
+                    break;
+                case 6:
+                    fe_mul__distinct(ctx->s, r, r);
+                    ctx->subState = 7;
+                    break;
+                case 7:
+                    fe_mul__distinct(r, ctx->s, x);
+                    ret = 0;
+                    break;
+                default:
+                    ctx->subState = 0;
+                    break;
+            }
             break;
     }
 
@@ -237,33 +274,134 @@ int curve25519_nb(byte *result, const byte *n, const byte *p,
             XMEMSET(ctx->zm1, 0, sizeof(ctx->zm1));
             lm_copy(ctx->xm, p);
             ctx->i = 253;
+            ctx->subState = 0;
             ctx->state = 1;
             break;
         case 1:
             if (ctx->i >= 0) {
-                const int bit = (n[ctx->i >> 3] >> (ctx->i & 7)) & 1;
-                byte xms[F25519_SIZE];
-                byte zms[F25519_SIZE];
-
-                /* From P_m and P_(m-1), compute P_(2m) and P_(2m-1) */
-                xc_diffadd(ctx->xm1, ctx->zm1, p, f25519_one, ctx->xm, ctx->zm,
-                    ctx->xm1, ctx->zm1);
-                xc_double(ctx->xm, ctx->zm, ctx->xm, ctx->zm);
-
-                /* Compute P_(2m+1) */
-                xc_diffadd(xms, zms, ctx->xm1, ctx->zm1, ctx->xm,
-                    ctx->zm, p, f25519_one);
-
-                /* Select:
-                 *   bit = 1 --> (P_(2m+1), P_(2m))
-                 *   bit = 0 --> (P_(2m), P_(2m-1))
-                 */
-                fe_select(ctx->xm1, ctx->xm1, ctx->xm, bit);
-                fe_select(ctx->zm1, ctx->zm1, ctx->zm, bit);
-                fe_select(ctx->xm, ctx->xm, xms, bit);
-                fe_select(ctx->zm, ctx->zm, zms, bit);
-
-                --(ctx->i);
+                switch (ctx->subState) {
+                    case 0:
+                        ctx->bit = (n[ctx->i >> 3] >> (ctx->i & 7)) & 1;
+                        /* Diffadd step 1 */
+                        lm_add(ctx->a, ctx->xm, ctx->zm);
+                        lm_sub(ctx->b, ctx->xm1, ctx->zm1);
+                        fe_mul__distinct(ctx->da, ctx->a, ctx->b);
+                        ctx->subState = 1;
+                        break;
+                    case 1:
+                        /* Diffadd step 2 */
+                        lm_sub(ctx->b, ctx->xm, ctx->zm);
+                        lm_add(ctx->a, ctx->xm1, ctx->zm1);
+                        fe_mul__distinct(ctx->cb, ctx->a, ctx->b);
+                        ctx->subState = 2;
+                        break;
+                    case 2:
+                        /* Diffadd step 3 */
+                        lm_add(ctx->a, ctx->da, ctx->cb);
+                        fe_mul__distinct(ctx->b, ctx->a, ctx->a);
+                        ctx->subState = 3;
+                        break;
+                    case 3:
+                        /* Diffadd step 4 */
+                        fe_mul__distinct(ctx->xm1, f25519_one, ctx->b);
+                        ctx->subState = 4;
+                        break;
+                    case 4:
+                        /* Diffadd step 5 */
+                        lm_sub(ctx->a, ctx->da, ctx->cb);
+                        fe_mul__distinct(ctx->b, ctx->a, ctx->a);
+                        ctx->subState = 5;
+                        break;
+                    case 5:
+                        /* Diffadd step 6 */
+                        fe_mul__distinct(ctx->zm1, p, ctx->b);
+                        ctx->subState = 6;
+                        break;
+                    case 6:
+                        /* Double step 1 */
+                        fe_mul__distinct(ctx->x1sq, ctx->xm, ctx->xm);
+                        ctx->subState = 7;
+                        break;
+                    case 7:
+                        /* Double step 2 */
+                        fe_mul__distinct(ctx->z1sq, ctx->zm, ctx->zm);
+                        ctx->subState = 8;
+                        break;
+                    case 8:
+                        /* Double step 3 */
+                        fe_mul__distinct(ctx->x1z1, ctx->xm, ctx->zm);
+                        ctx->subState = 9;
+                        break;
+                    case 9:
+                        /* Double step 4 */
+                        lm_sub(ctx->a, ctx->x1sq, ctx->z1sq);
+                        fe_mul__distinct(ctx->xm, ctx->a, ctx->a);
+                        ctx->subState = 10;
+                        break;
+                    case 10:
+                        /* Double step 5 */
+                        fe_mul_c(ctx->a, ctx->x1z1, 486662);
+                        lm_add(ctx->a, ctx->x1sq, ctx->a);
+                        lm_add(ctx->a, ctx->z1sq, ctx->a);
+                        fe_mul__distinct(ctx->x1sq, ctx->x1z1, ctx->a);
+                        ctx->subState = 11;
+                        break;
+                    case 11:
+                        fe_mul_c(ctx->zm, ctx->x1sq, 4);
+                        ctx->subState = 12;
+                        break;
+                    case 12:
+                        /* Diffadd2 step 1 */
+                        lm_add(ctx->a, ctx->xm, ctx->zm);
+                        lm_sub(ctx->b, p, f25519_one);
+                        fe_mul__distinct(ctx->da, ctx->a, ctx->b);
+                        ctx->subState = 13;
+                        break;
+                    case 13:
+                        /* Diffadd2 step 2 */
+                        lm_sub(ctx->b, ctx->xm, ctx->zm);
+                        lm_add(ctx->a, p, f25519_one);
+                        fe_mul__distinct(ctx->cb, ctx->a, ctx->b);
+                        ctx->subState = 14;
+                        break;
+                    case 14:
+                        /* Diffadd2 step 3 */
+                        lm_add(ctx->a, ctx->da, ctx->cb);
+                        fe_mul__distinct(ctx->b, ctx->a, ctx->a);
+                        ctx->subState = 15;
+                        break;
+                    case 15:
+                        /* Diffadd2 step 4 */
+                        fe_mul__distinct(ctx->xms, ctx->zm1, ctx->b);
+                        ctx->subState = 16;
+                        break;
+                    case 16:
+                        /* Diffadd2 step 5 */
+                        lm_sub(ctx->a, ctx->da, ctx->cb);
+                        fe_mul__distinct(ctx->b, ctx->a, ctx->a);
+                        ctx->subState = 17;
+                        break;
+                    case 17:
+                        /* Diffadd2 step 6 */
+                        fe_mul__distinct(ctx->zms, ctx->xm1, ctx->b);
+                        ctx->subState = 18;
+                        break;
+                    case 18:
+                        /* Select:
+                         *   bit = 1 --> (P_(2m+1), P_(2m))
+                         *   bit = 0 --> (P_(2m), P_(2m-1))
+                         */
+                        fe_select(ctx->xm1, ctx->xm1, ctx->xm, ctx->bit);
+                        fe_select(ctx->zm1, ctx->zm1, ctx->zm, ctx->bit);
+                        fe_select(ctx->xm, ctx->xm, ctx->xms, ctx->bit);
+                        fe_select(ctx->zm, ctx->zm, ctx->zms, ctx->bit);
+                        --(ctx->i);
+                        ctx->subState = 0;
+                        break;
+                    default:
+                        ctx->subState = 0;
+                        break;
+                }
             }
             else {
                 ctx->state = 2;

wolfcrypt/test/test.c

@@ -38586,7 +38586,11 @@ static wc_test_ret_t curve255519_der_test(void)
 #endif /* !NO_ASN && HAVE_CURVE25519_KEY_EXPORT && HAVE_CURVE25519_KEY_IMPORT */
 
 #ifdef WC_X25519_NONBLOCK
-
+/* build and test with:
+ * ./configure --enable-curve25519=nonblock CFLAGS="-DWOLFSSL_DEBUG_NONBLOCK"
+ * make
+ * ./wolfcrypt/test/testwolfcrypt
+ */
 static int x25519_nonblock_test(WC_RNG* rng)
 {
     int ret = 0;
@@ -38623,6 +38627,7 @@ static int x25519_nonblock_test(WC_RNG* rng)
         return -10724;
     }
 #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG_NONBLOCK)
+    /* CURVE25519 non-block key gen: 5335 times */
     printf("CURVE25519 non-block key gen: %d times\n", count);
 #endif
 
@@ -38669,6 +38674,7 @@ static int x25519_nonblock_test(WC_RNG* rng)
         return -10728;
     }
 #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG_NONBLOCK)
+    /* CURVE25519 non-block shared secret: 5337 times */
     printf("CURVE25519 non-block shared secret: %d times\n", count);
 #endif