fix: reorder wc_curve25519_make_pub/generic to input-before-output#10367
fix: reorder wc_curve25519_make_pub/generic to input-before-output#10367MarkAtwood wants to merge 2 commits intowolfSSL:masterfrom
Conversation
Four raw-bytes Curve25519 functions had output parameters before input parameters, opposite to every other wolfCrypt raw-bytes API: wc_curve25519_make_pub(pubSz, pub, privSz, priv) -- was wrong wc_curve25519_make_pub(privSz, priv, pubSz, pub) -- now correct Same fix applied to make_pub_blind, generic, and generic_blind. Update all five internal call sites in curve25519.c and the test suite. Update doc comments and code examples in dox_comments/. Refs: ZD-21733
MarkAtwood
requested review from
Copilot,
douzzer,
wolfSSL-Bot and
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10367
Scan targets checked: wolfcrypt-bugs, wolfcrypt-src
No new issues found in the changed files. ✅
There was a problem hiding this comment.
Pull request overview
Reorders the raw-bytes Curve25519 APIs to use input-before-output parameter ordering, aligning these low-level functions with the rest of wolfCrypt’s byte-buffer APIs and reducing the likelihood of accidental argument transposition.
Changes:
- Reordered parameters for
wc_curve25519_make_pub*andwc_curve25519_generic*declarations/definitions. - Updated in-tree call sites in
wolfcrypt/src/curve25519.cto match the new signatures. - Updated API tests and Doxygen documentation/examples to use the new parameter order.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| wolfssl/wolfcrypt/curve25519.h | Updates public API prototypes to private/input first, then public/output. |
| wolfcrypt/src/curve25519.c | Updates function definitions and internal call sites to the new ordering. |
| tests/api/test_curve25519.c | Updates test calls to the new ordering; opportunity to add a regression test for swapped-args misuse. |
| doc/dox_comments/header_files/curve25519.h | Updates doc prototypes and examples to match the new ordering (return-code docs need alignment with implementation). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| int wc_curve25519_make_pub_blind(int private_size, const byte* priv, | ||
| int public_size, byte* pub, WC_RNG* rng); |
There was a problem hiding this comment.
Reordering parameters on an exported C symbol changes the calling convention expected by already-compiled binaries while keeping the same symbol name. If this can ship in a shared library without a SONAME/major version bump, it can lead to silent runtime breakage (old callers will pass pub/priv swapped). Consider either providing deprecated compatibility wrappers that preserve the old signature (and introduce a new *_v2 name), or ensuring the shared-library ABI version is bumped for this release.
| int wc_curve25519_make_pub_blind(int private_size, const byte* priv, | |
| int public_size, byte* pub, WC_RNG* rng); | |
| int wc_curve25519_make_pub_blind(int public_size, byte* pub, | |
| int private_size, const byte* priv, | |
| WC_RNG* rng); |
| \return 0 On successfully generating the public key | ||
| \return ECC_BAD_ARG_E If the key sizes are invalid | ||
| \return BAD_FUNC_ARG If any input parameters are NULL | ||
|
|
||
| \param public_size Size of the public key buffer (must be 32) | ||
| \param pub Pointer to buffer to store the public key | ||
| \param private_size Size of the private key (must be 32) | ||
| \param priv Pointer to buffer containing the private key | ||
| \param public_size Size of the public key buffer (must be 32) | ||
| \param pub Pointer to buffer to store the public key |
There was a problem hiding this comment.
The documented return codes say BAD_FUNC_ARG is returned when parameters are NULL, but the implementation returns ECC_BAD_ARG_E for NULL pub/priv in wc_curve25519_make_pub(). Please update the Doxygen \return list to match the actual behavior (or change the implementation, but that would be a behavioral/API change).
| \return 0 On successfully generating the public key | ||
| \return ECC_BAD_ARG_E If the key sizes are invalid | ||
| \return BAD_FUNC_ARG If any input parameters are NULL | ||
|
|
||
| \param public_size Size of the public key buffer (must be 32) | ||
| \param pub Pointer to buffer to store the public key | ||
| \param private_size Size of the private key (must be 32) | ||
| \param priv Pointer to buffer containing the private key | ||
| \param public_size Size of the public key buffer (must be 32) | ||
| \param pub Pointer to buffer to store the public key | ||
| \param rng Pointer to initialized RNG for blinding |
There was a problem hiding this comment.
The documented return codes say BAD_FUNC_ARG is returned when parameters are NULL, but the implementation of wc_curve25519_make_pub_blind() returns ECC_BAD_ARG_E for NULL pub/priv. Please update the Doxygen \return list to match the actual behavior.
| \return 0 On successfully computing the result | ||
| \return ECC_BAD_ARG_E If the sizes are invalid | ||
| \return BAD_FUNC_ARG If any input parameters are NULL | ||
|
|
||
| \param public_size Size of the output buffer (must be 32) | ||
| \param pub Pointer to buffer to store the result | ||
| \param private_size Size of the scalar (must be 32) | ||
| \param priv Pointer to buffer containing the scalar | ||
| \param public_size Size of the output buffer (must be 32) | ||
| \param pub Pointer to buffer to store the result | ||
| \param basepoint_size Size of the basepoint (must be 32) | ||
| \param basepoint Pointer to buffer containing the basepoint |
There was a problem hiding this comment.
The documented return codes say BAD_FUNC_ARG is returned when parameters are NULL, but the implementation of wc_curve25519_generic() returns ECC_BAD_ARG_E for NULL pub/priv/basepoint. Please update the Doxygen \return list to match the actual behavior.
| \return 0 On successfully computing the result | ||
| \return ECC_BAD_ARG_E If the sizes are invalid | ||
| \return BAD_FUNC_ARG If any input parameters are NULL | ||
|
|
||
| \param public_size Size of the output buffer (must be 32) | ||
| \param pub Pointer to buffer to store the result | ||
| \param private_size Size of the scalar (must be 32) | ||
| \param priv Pointer to buffer containing the scalar | ||
| \param public_size Size of the output buffer (must be 32) | ||
| \param pub Pointer to buffer to store the result | ||
| \param basepoint_size Size of the basepoint (must be 32) | ||
| \param basepoint Pointer to buffer containing the basepoint | ||
| \param rng Pointer to initialized RNG for blinding |
There was a problem hiding this comment.
The documented return codes say BAD_FUNC_ARG is returned when parameters are NULL, but the implementation of wc_curve25519_generic_blind() returns ECC_BAD_ARG_E for NULL pub/priv/basepoint. Please update the Doxygen \return list to match the actual behavior.
| ExpectIntEQ(wc_curve25519_make_pub((int)sizeof(key.k), key.k, | ||
| (int)sizeof(out), out), 0); | ||
| /* test bad cases */ |
There was a problem hiding this comment.
To prevent regressions of the original issue (pub/priv swapped still compiles because both sizes are 32 and both pointers are byte*), add a negative test that intentionally calls wc_curve25519_make_pub() with the arguments swapped and verifies it returns an error (using a deliberately non-clamped buffer for the would-be private key).
…g order The parameter reorder (private-before-public) broke the four call sites in wrapper/rust/wolfssl-wolfcrypt/src/curve25519.rs.
|
Refs: ZD-21733
The Problem
Four raw-bytes Curve25519 functions had output parameters before input parameters:
Every other wolfCrypt raw-bytes function uses input-before-output ordering:
The same wrong ordering was shared by all four related raw-bytes functions:
wc_curve25519_make_pub,wc_curve25519_make_pub_blind,wc_curve25519_generic, andwc_curve25519_generic_blind.Why It Was Not Caught
Both size parameters are
intand both must equalCURVE25519_KEYSIZE(32). Transposing the arguments compiles without warning and passes the runtime size check. The clamping check (RFC 7748 §5) provides a partial accidental guard — an arbitrary 32-byte buffer will usually fail — but is not reliable. There was no test that deliberately passed arguments in the wrong order to verify the error path.Additionally, the original author got the argument order wrong in six places in the test suite when the function was first introduced (2020-08-05), then had to push a follow-up commit the next day titled "fix order of args to wc_curve25519_make_pub()". The signature was not corrected at that point; only the test was patched.
How Fixed
Reordered parameters to private-before-public on all four functions:
Updated all five internal call sites in
wolfcrypt/src/curve25519.c, the test suite, and the Doxygen doc comments and code examples.Risk to External Callers
This is a breaking API change for any external caller that uses these four functions directly. Mitigating factors:
wc_curve25519_make_key()insteadwolfcrypt/src/curve25519.c) have been updated atomicallyIf desired, a deprecated wrapper preserving the old name and signature can be added alongside.