Progress with TLS v1.3 using X25519

Author: dgarske

.wolfssl_known_macro_extras

@@ -616,6 +616,7 @@ WC_ASYNC_NO_SHA256
 WC_ASYNC_NO_SHA3
 WC_ASYNC_NO_SHA384
 WC_ASYNC_NO_SHA512
+WC_ASYNC_NO_X25519
 WC_ASYNC_THREAD_BIND
 WC_CACHE_RESISTANT_BASE64_TABLE
 WC_DILITHIUM_CACHE_PRIV_VECTORS

examples/async/async_client.c

@@ -157,6 +157,18 @@ static void usage(const char* prog)
     printf("usage: %s [--ecc|--x25519] [host] [port]\n", prog);
 }
 
+static const char* group_name(word16 group)
+{
+    switch (group) {
+        case WOLFSSL_ECC_SECP256R1:
+            return "secp256r1";
+        case WOLFSSL_ECC_X25519:
+            return "x25519";
+        default:
+            return "unknown";
+    }
+}
+
 static int parse_client_args(int argc, char** argv,
     const char** host, int* port, word16* group)
 {
@@ -214,11 +226,14 @@ int client_async_test(int argc, char** argv)
     const char* host = NULL;
     int port = 0;
     word16 group = WOLFSSL_ECC_SECP256R1;
+    const char* mode = NULL;
 
     if (parse_client_args(argc, argv, &host, &port, &group) != 0) {
         usage(argv[0]);
         return 0;
     }
+    mode = group_name(group);
+    printf("Async client mode: %s (keyshare 0x%04x)\n", mode, group);
 
     {
         const char* ready = getenv(WOLFSSL_ASYNC_READYFILE_ENV);
@@ -320,6 +335,13 @@ int client_async_test(int argc, char** argv)
         goto out;
     }
 
+    {
+        const char* cipher = wolfSSL_get_cipher_name(ssl);
+        const char* curve = wolfSSL_get_curve_name(ssl);
+        printf("Negotiated cipher: %s\n", cipher != NULL ? cipher : "unknown");
+        printf("Negotiated group: %s\n", curve != NULL ? curve : "unknown");
+    }
+
     tx_len = XSNPRINTF(tx, sizeof(tx),
         "GET / HTTP/1.1\r\n"
         "Host: %s\r\n"

examples/async/async_server.c

@@ -117,6 +117,18 @@ static void usage(const char* prog)
     printf("usage: %s [--ecc|--x25519] [port]\n", prog);
 }
 
+static const char* group_name(word16 group)
+{
+    switch (group) {
+        case WOLFSSL_ECC_SECP256R1:
+            return "secp256r1";
+        case WOLFSSL_ECC_X25519:
+            return "x25519";
+        default:
+            return "unknown";
+    }
+}
+
 static int parse_server_args(int argc, char** argv, int* port, word16* group)
 {
     int i;
@@ -160,6 +172,7 @@ int server_async_test(int argc, char** argv)
     int                port = DEFAULT_PORT;
     word16             group = WOLFSSL_ECC_SECP256R1;
     int                err = 0;
+    const char*        mode = NULL;
 #ifdef WOLFSSL_ASYNC_CRYPT
     int devId = INVALID_DEVID;
 #endif
@@ -183,6 +196,8 @@ int server_async_test(int argc, char** argv)
         usage(argv[0]);
         return 0;
     }
+    mode = group_name(group);
+    printf("Async server mode: %s (keyshare 0x%04x)\n", mode, group);
 
     /* Initialize the server address struct with zeros */
     memset(&servAddr, 0, sizeof(servAddr));
@@ -267,20 +282,42 @@ int server_async_test(int argc, char** argv)
     wolfSSL_SetIORecv(ctx, NET_IO_RECV_CB);
     wolfSSL_SetIOSend(ctx, NET_IO_SEND_CB);
 
-    /* Load server certificates into WOLFSSL_CTX */
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx, serv_ecc_der_256,
-        sizeof_serv_ecc_der_256, WOLFSSL_FILETYPE_ASN1);
-    if (ret != WOLFSSL_SUCCESS) {
-        fprintf(stderr, "ERROR: failed to load ECC server cert buffer.\n");
+    if (group == WOLFSSL_ECC_X25519) {
+    #ifdef HAVE_ED25519
+        ret = wolfSSL_CTX_use_certificate_buffer(ctx, server_ed25519_cert,
+            sizeof_server_ed25519_cert, WOLFSSL_FILETYPE_ASN1);
+        if (ret != WOLFSSL_SUCCESS) {
+            fprintf(stderr,
+                "ERROR: failed to load ED25519 server cert buffer.\n");
+            goto exit;
+        }
+
+        ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_ed25519_key,
+            sizeof_server_ed25519_key, WOLFSSL_FILETYPE_ASN1);
+        if (ret != WOLFSSL_SUCCESS) {
+            fprintf(stderr,
+                "ERROR: failed to load ED25519 server key buffer.\n");
+            goto exit;
+        }
+    #else
+        fprintf(stderr, "ERROR: --x25519 requires HAVE_ED25519 for certs\n");
         goto exit;
+    #endif
     }
+    else {
+        ret = wolfSSL_CTX_use_certificate_buffer(ctx, serv_ecc_der_256,
+            sizeof_serv_ecc_der_256, WOLFSSL_FILETYPE_ASN1);
+        if (ret != WOLFSSL_SUCCESS) {
+            fprintf(stderr, "ERROR: failed to load ECC server cert buffer.\n");
+            goto exit;
+        }
 
-    /* Load server key into WOLFSSL_CTX */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, ecc_key_der_256,
-        sizeof_ecc_key_der_256, WOLFSSL_FILETYPE_ASN1);
-    if (ret != WOLFSSL_SUCCESS) {
-        fprintf(stderr, "ERROR: failed to load ECC server key buffer.\n");
-        goto exit;
+        ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, ecc_key_der_256,
+            sizeof_ecc_key_der_256, WOLFSSL_FILETYPE_ASN1);
+        if (ret != WOLFSSL_SUCCESS) {
+            fprintf(stderr, "ERROR: failed to load ECC server key buffer.\n");
+            goto exit;
+        }
     }
 
     /* Continue to accept clients until mShutdown is issued */
@@ -357,6 +394,14 @@ int server_async_test(int argc, char** argv)
             goto exit;
         }
 
+        {
+            const char* cipher = wolfSSL_get_cipher_name(ssl);
+            const char* curve = wolfSSL_get_curve_name(ssl);
+            printf("Negotiated cipher: %s\n",
+                cipher != NULL ? cipher : "unknown");
+            printf("Negotiated group: %s\n",
+                curve != NULL ? curve : "unknown");
+        }
         printf("Client connected successfully\n");
 
         /* Read the client data into our buff array */
@@ -434,6 +479,11 @@ int server_async_test(int argc, char** argv)
             goto exit;
         }
 
+#ifdef WOLFSSL_DEBUG_NONBLOCK
+        printf("WANT_READ/WRITE count: %d\n", wouldblock_count);
+        printf("WC_PENDING_E count: %d\n", pending_count);
+#endif
+
         /* Cleanup after this connection */
         wolfSSL_shutdown(ssl);
         if (ssl) {

examples/async/user_settings.h

@@ -1,3 +1,24 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2026 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
 /* Bare-metal user settings for TLS 1.3 client with WOLFSSL_USER_IO. */
 #ifndef WOLFSSL_USER_SETTINGS_H
 #define WOLFSSL_USER_SETTINGS_H
@@ -17,19 +38,21 @@
 #define WOLFSSL_SP_NO_MALLOC
 #define ECC_TIMING_RESISTANT
 
+#define HAVE_ED25519
 #define HAVE_CURVE25519
 #define CURVE25519_SMALL
+#define ED25519_SMALL
 #define WC_X25519_NONBLOCK
 
 #define WOLFSSL_ASYNC_CRYPT
 #define WOLFSSL_ASYNC_CRYPT_SW
 #define WC_NO_ASYNC_THREADING
 #define HAVE_WOLF_BIGINT
 
-#define NO_RSA
-
 #define HAVE_AESGCM
 
+#define WOLFSSL_SHA512
+
 #define WOLFSSL_TLS13
 #define WOLFSSL_NO_TLS12
 #define HAVE_HKDF
@@ -48,7 +71,8 @@ extern int posix_getdevrandom(unsigned char *out, unsigned int sz);
     #define CUSTOM_RAND_GENERATE_SEED  posix_getdevrandom
 #endif
 
-/* Minimal feature set - explicitly disable unwanted algorithms. */
+/* Minimal feature set - explicitly disable unwanted algorithms */
+#define NO_RSA
 #define NO_DH
 #define NO_DSA
 #define WOLFSSL_NO_SHAKE256
@@ -59,8 +83,10 @@ extern int posix_getdevrandom(unsigned char *out, unsigned int sz);
 #define NO_SHA
 #define NO_OLD_TLS
 
-/* Debugging helper. */
-//#define DEBUG_WOLFSSL
+/* Debugging */
+#if 0
+    #define DEBUG_WOLFSSL
+#endif
 #define WOLFSSL_DEBUG_NONBLOCK
 
 #endif /* WOLFSSL_USER_SETTINGS_H */

gencertbuf.pl

@@ -40,10 +40,10 @@
 # Used with HAVE_ED25519 define.
 my @fileList_ed = (
         [ "./certs/ed25519/server-ed25519.der",     "server_ed25519_cert" ],
-        [ "./certs/ed25519/server-ed25519-key.der", "server_ed25519_key" ],
+        [ "./certs/ed25519/server-ed25519-priv.der", "server_ed25519_key" ],
         [ "./certs/ed25519/ca-ed25519.der",         "ca_ed25519_cert" ],
         [ "./certs/ed25519/client-ed25519.der",     "client_ed25519_cert" ],
-        [ "./certs/ed25519/client-ed25519-key.der", "client_ed25519_key" ]
+        [ "./certs/ed25519/client-ed25519-priv.der", "client_ed25519_key" ]
         );
 
 # x25519 keys and certs

src/internal.c

@@ -8190,8 +8190,7 @@ void FreeKey(WOLFSSL* ssl, int type, void** pKey)
         #ifdef HAVE_CURVE25519
             case DYNAMIC_TYPE_CURVE25519:
             #if defined(WC_X25519_NONBLOCK) && \
-                defined(WOLFSSL_ASYNC_CRYPT_SW) && \
-                defined(WC_ASYNC_ENABLE_X25519)
+                defined(WOLFSSL_ASYNC_CRYPT_SW)
                 if (((curve25519_key*)*pKey)->nbCtx != NULL) {
                     XFREE(((curve25519_key*)*pKey)->nbCtx, ssl->heap,
                           DYNAMIC_TYPE_TMP_BUFFER);
@@ -8249,10 +8248,9 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
 #ifdef HAVE_CURVE25519
     curve25519_key* x25519Key;
 #endif /* HAVE_CURVE25519 */
-#if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
-    defined(WC_ASYNC_ENABLE_X25519)
+#if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
     x25519_nb_ctx_t* x25519NbCtx;
-#endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW && WC_ASYNC_ENABLE_X25519 */
+#endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW */
 
     if (ssl == NULL || pKey == NULL) {
         return BAD_FUNC_ARG;
@@ -8367,8 +8365,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
         case DYNAMIC_TYPE_CURVE25519:
             x25519Key = (curve25519_key*)*pKey;
             ret = wc_curve25519_init_ex(x25519Key, ssl->heap, ssl->devId);
-        #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
-            defined(WC_ASYNC_ENABLE_X25519)
+        #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
             if (ret == 0) {
                 x25519NbCtx = (x25519_nb_ctx_t*)XMALLOC(sizeof(x25519_nb_ctx_t),
                                   ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -8382,8 +8379,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
                     }
                 }
             }
-        #endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
-                  WC_ASYNC_ENABLE_X25519 */
+        #endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW */
             break;
     #endif /* HAVE_CURVE25519 */
     #ifdef HAVE_ED448

src/tls.c

@@ -8002,7 +8002,7 @@ static int TLSX_KeyShare_GenX25519Key(WOLFSSL *ssl, KeyShareEntry* kse)
 
         /* Make an Curve25519 key. */
         ret = wc_curve25519_init_ex((curve25519_key*)kse->key, ssl->heap,
-            INVALID_DEVID);
+            ssl->devId);
         if (ret == 0) {
             /* setting "key" means okay to call wc_curve25519_free */
             key = (curve25519_key*)kse->key;
@@ -8014,6 +8014,13 @@ static int TLSX_KeyShare_GenX25519Key(WOLFSSL *ssl, KeyShareEntry* kse)
         #endif
             {
                 ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key);
+
+                /* Handle async pending response */
+            #ifdef WOLFSSL_ASYNC_CRYPT
+                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
+                    return wolfSSL_AsyncPush(ssl, &key->asyncDev);
+                }
+            #endif /* WOLFSSL_ASYNC_CRYPT */
             }
         }
     }

wolfcrypt/src/async.c

@@ -268,6 +268,28 @@ static int wolfAsync_DoSw(WC_ASYNC_DEV* asyncDev)
             break;
         }
 #endif /* !NO_DES3 */
+#ifdef HAVE_CURVE25519
+        case ASYNC_SW_X25519_MAKE:
+        {
+            ret = wc_curve25519_make_key(
+                (WC_RNG*)sw->x25519Make.rng,
+                sw->x25519Make.size,
+                (curve25519_key*)sw->x25519Make.key
+            );
+            break;
+        }
+        case ASYNC_SW_X25519_SHARED_SEC:
+        {
+            ret = wc_curve25519_shared_secret_ex(
+                (curve25519_key*)sw->x25519SharedSec.priv,
+                (curve25519_key*)sw->x25519SharedSec.pub,
+                sw->x25519SharedSec.out,
+                sw->x25519SharedSec.outLen,
+                sw->x25519SharedSec.endian
+            );
+            break;
+        }
+#endif /* HAVE_CURVE25519 */
         default:
             WOLFSSL_MSG("Invalid async crypt SW type!");
             ret = BAD_FUNC_ARG;

wolfcrypt/src/curve25519.c

@@ -86,7 +86,8 @@ const curve25519_set_type curve25519_sets[] = {
 
 #if (!defined(WOLFSSL_CURVE25519_USE_ED25519) && \
      !(defined(CURVED25519_X64) || (defined(WOLFSSL_ARMASM) && \
-     defined(__aarch64__)))) || defined(WOLFSSL_CURVE25519_BLINDING)
+     defined(__aarch64__)))) || defined(WOLFSSL_CURVE25519_BLINDING) || \
+     defined(WC_X25519_NONBLOCK)
 static const word32 kCurve25519BasePoint[CURVE25519_KEYSIZE/sizeof(word32)] = {
 #ifdef BIG_ENDIAN_ORDER
     0x09000000