Add an error-checking wc_curve25519_make_pub() routine to the API for use by Wireguard

src/internal.c

@@ -18999,6 +18999,8 @@ const char* GetCipherAuthStr(char n[][MAX_SEGMENT_SZ]) {
         authStr = "SRP";
     else if (XSTRNCMP(n1,"ECDSA",5) == 0)
         authStr = "ECDSA";
+    else if (XSTRNCMP(n0,"ADH",3) == 0)
+        authStr = "None";
     else
         authStr = "unknown";
 

tests/api.c

@@ -690,11 +690,11 @@ static void test_for_double_Free(void)
 "HA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-"
 "8-SHA256:TLS13-SHA256-SHA256:TLS13-SHA384-SHA384";
 #ifndef NO_RSA
-	testCertFile = svrCertFile;
-	testKeyFile = svrKeyFile;
+        testCertFile = svrCertFile;
+        testKeyFile = svrKeyFile;
 #elif defined(HAVE_ECC)
-	testCertFile = eccCertFile;
-	testKeyFile = eccKeyFile;
+        testCertFile = eccCertFile;
+        testKeyFile = eccKeyFile;
 #else
     skipTest = 1;
 #endif
@@ -16690,7 +16690,7 @@ static int test_wc_curve25519_export_key_raw_ex (void)
     pubkSz = CURVE25519_KEYSIZE;
 
     if(BAD_FUNC_ARG != wc_curve25519_export_key_raw_ex( &key,privateKey,
-	                    NULL,publicKey, &pubkSz,EC25519_LITTLE_ENDIAN)){
+                            NULL,publicKey, &pubkSz,EC25519_LITTLE_ENDIAN)){
 
         printf(testingFmt,"failed at bad-arg-case-3.");
         fflush( stdout );
@@ -16755,7 +16755,7 @@ static int test_wc_curve25519_export_key_raw_ex (void)
     pubkSz = CURVE25519_KEYSIZE;
 
     if(BAD_FUNC_ARG != wc_curve25519_export_key_raw_ex( &key, privateKey,
-	                      NULL, publicKey, &pubkSz, EC25519_BIG_ENDIAN)){
+                              NULL, publicKey, &pubkSz, EC25519_BIG_ENDIAN)){
 
         printf(testingFmt,"failed at bad-arg-case-8.");
         fflush( stdout );
@@ -17099,6 +17099,74 @@ static int test_wc_curve25519_shared_secret_ex (void)
 #endif
     return ret;
 } /*END test_wc_curve25519_shared_secret_ex*/
+/*
+ * Testing wc_curve25519_make_pub
+ */
+static int test_wc_curve25519_make_pub (void)
+{
+    int ret = 0;
+#if defined(HAVE_CURVE25519)
+    WC_RNG          rng;
+    curve25519_key  key;
+    byte            out[CURVE25519_KEYSIZE];
+
+    printf(testingFmt, "wc_curve25519_make_pub()");
+
+    ret = wc_curve25519_init(&key);
+    if (ret == 0) {
+        ret = wc_InitRng(&rng);
+        if (ret == 0) {
+            ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE, &key);
+        }
+    }
+    if (ret == 0) {
+      ret = wc_curve25519_make_pub((int)sizeof out, out, (int)sizeof key.k.point, key.k.point);
+    }
+    /*test bad cases*/
+    if (ret == 0) {
+        ret = wc_curve25519_make_pub((int)sizeof key.k.point - 1, key.k.point, (int)sizeof out, out);
+        if (ret == ECC_BAD_ARG_E) {
+            ret = 0;
+        }
+    }
+    if (ret == 0) {
+        ret = wc_curve25519_make_pub((int)sizeof out, out, (int)sizeof key.k.point, NULL);
+        if (ret == ECC_BAD_ARG_E) {
+            ret = 0;
+        }
+    }
+    if (ret == 0) {
+        ret = wc_curve25519_make_pub((int)sizeof out - 1, out, (int)sizeof key.k.point, key.k.point);
+        if (ret == ECC_BAD_ARG_E) {
+            ret = 0;
+        }
+    }
+    if (ret == 0) {
+        ret = wc_curve25519_make_pub((int)sizeof out, NULL, (int)sizeof key.k.point, key.k.point);
+        if (ret == ECC_BAD_ARG_E) {
+            ret = 0;
+        }
+    }
+    if (ret == 0) {
+        /* verify clamping test */
+        key.k.point[0] |= ~248;
+        ret = wc_curve25519_make_pub((int)sizeof out, out, (int)sizeof key.k.point, key.k.point);
+        if (ret == ECC_BAD_ARG_E) {
+            ret = 0;
+        }
+        key.k.point[0] &= 248;
+    }
+    /* repeat the expected-to-succeed test. */
+    if (ret == 0) {
+      ret = wc_curve25519_make_pub((int)sizeof out, out, (int)sizeof key.k.point, key.k.point);
+    }
+
+    printf(resultFmt, ret == 0 ? passed : failed);
+    wc_curve25519_free(&key);
+    wc_FreeRng(&rng);
+#endif
+    return ret;
+} /*END test_wc_curve25519_make_pub */
 /*
  * Testing test_wc_curve25519_export_public_ex
  */
@@ -30385,8 +30453,8 @@ static void test_wolfSSL_sk_CIPHER_description(void)
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
     char buf[256];
-    char test_str[9] = "0000000\0";
-    const char badStr[] = "unknown\0";
+    char test_str[9] = "0000000";
+    const char badStr[] = "unknown";
     const char certPath[] = "./certs/client-cert.pem";
     XMEMSET(buf, 0, sizeof(buf));
 
@@ -35149,11 +35217,11 @@ static void test_wolfSSL_dtls_set_mtu(void)
 
     AssertNotNull(ctx = wolfSSL_CTX_new(wolfDTLSv1_2_server_method()));
 #ifndef NO_RSA
-	testCertFile = svrCertFile;
-	testKeyFile = svrKeyFile;
+        testCertFile = svrCertFile;
+        testKeyFile = svrKeyFile;
 #elif defined(HAVE_ECC)
-	testCertFile = eccCertFile;
-	testKeyFile = eccKeyFile;
+        testCertFile = eccCertFile;
+        testKeyFile = eccKeyFile;
 #endif
     if  (testCertFile != NULL && testKeyFile != NULL) {
         AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, testCertFile,
@@ -35974,6 +36042,7 @@ void ApiTest(void)
     AssertIntEQ(test_wc_curve25519_size (), 0);
     AssertIntEQ(test_wc_curve25519_make_key (), 0);
     AssertIntEQ(test_wc_curve25519_shared_secret_ex (), 0);
+    AssertIntEQ(test_wc_curve25519_make_pub (), 0);
     AssertIntEQ(test_wc_curve25519_export_public_ex (), 0);
     AssertIntEQ(test_wc_curve25519_export_private_raw_ex (), 0);
     AssertIntEQ(test_wc_curve25519_import_private_raw_ex (), 0);

wolfcrypt/src/curve25519.c

@@ -51,14 +51,48 @@ const curve25519_set_type curve25519_sets[] = {
     }
 };
 
-int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
-{
+static const unsigned char kCurve25519BasePoint[CURVE25519_KEYSIZE] = {9};
+
+/* compute the public key from an existing private key, using bare vectors.
+ *
+ * return value is propagated from curve25519() (0 on success), or ECC_BAD_ARG_E,
+ * and the byte vectors are little endian.
+ */
+int wc_curve25519_make_pub(int public_size, byte* public, int private_size, const byte* private) {
+    int ret;
+
+    if ((public_size != CURVE25519_KEYSIZE) ||
+        (private_size != CURVE25519_KEYSIZE)) {
+        return ECC_BAD_ARG_E;
+    }
+    if ((public == NULL) || (private == NULL))
+        return ECC_BAD_ARG_E;
+
+    /* check clamping */
+    if ((private[0] & ~248) ||
+        (private[CURVE25519_KEYSIZE-1] & 128)) {
+        return ECC_BAD_ARG_E;
+    }
+
 #ifdef FREESCALE_LTC_ECC
-    const ECPoint* basepoint = wc_curve25519_GetBasePoint();
+    {
+        const ECPoint* basepoint = nxp_ltc_curve25519_GetBasePoint();
+        ECPoint wc_pub;
+        ret = nxp_ltc_curve25519(&wc_pub, private, basepoint, kLTC_Weierstrass); /* input basepoint on Weierstrass curve */
+        if (ret == 0)
+            XMEMCPY(public, wc_pub.point, CURVE25519_KEYSIZE);
+    }
 #else
-    unsigned char basepoint[CURVE25519_KEYSIZE] = {9};
+    fe_init();
+    ret = curve25519(public, private, kCurve25519BasePoint);
 #endif
-    int  ret;
+
+    return ret;
+}
+
+int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
+{
+    int ret;
 
     if (key == NULL || rng == NULL)
         return BAD_FUNC_ARG;
@@ -67,10 +101,6 @@ int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
     if (keysize != CURVE25519_KEYSIZE)
         return ECC_BAD_ARG_E;
 
-#ifndef FREESCALE_LTC_ECC
-    fe_init();
-#endif
-
     /* random number for private key */
     ret = wc_RNG_GenerateBlock(rng, key->k.point, keysize);
     if (ret != 0)
@@ -81,19 +111,7 @@ int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key)
     key->k.point[CURVE25519_KEYSIZE-1] &= 63; /* same &=127 because |=64 after */
     key->k.point[CURVE25519_KEYSIZE-1] |= 64;
 
-    /* compute public key */
-    #ifdef FREESCALE_LTC_ECC
-        ret = wc_curve25519(&key->p, key->k.point, basepoint, kLTC_Weierstrass); /* input basepoint on Weierstrass curve */
-    #else
-        ret = curve25519(key->p.point, key->k.point, basepoint);
-    #endif
-    if (ret != 0) {
-        ForceZero(key->k.point, keysize);
-        ForceZero(key->p.point, keysize);
-        return ret;
-    }
-
-    return ret;
+    return wc_curve25519_make_pub((int)sizeof key->p.point, key->p.point, sizeof key->k.point, key->k.point);
 }
 
 #ifdef HAVE_CURVE25519_SHARED_SECRET
@@ -127,7 +145,7 @@ int wc_curve25519_shared_secret_ex(curve25519_key* private_key,
         return ECC_BAD_ARG_E;
 
     #ifdef FREESCALE_LTC_ECC
-        ret = wc_curve25519(&o, private_key->k.point, &public_key->p, kLTC_Curve25519 /* input point P on Curve25519 */);
+        ret = nxp_ltc_curve25519(&o, private_key->k.point, &public_key->p, kLTC_Curve25519 /* input point P on Curve25519 */);
     #else
         ret = curve25519(o, private_key->k.point, public_key->p.point);
     #endif

wolfcrypt/src/fe_low_mem.c

@@ -141,7 +141,7 @@ static void xc_diffadd(byte *x5, byte *z5,
 }
 
 #ifndef FREESCALE_LTC_ECC
-int curve25519(byte *result, byte *e, byte *q)
+int curve25519(byte *result, const byte *e, const byte *q)
 {
 	/* Current point: P_m */
 	byte xm[F25519_SIZE];

wolfcrypt/src/fe_operations.c

@@ -129,7 +129,7 @@ void fe_init(void)
 
 #if defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL) && \
     !defined(FREESCALE_LTC_ECC)
-int curve25519(byte* q, byte* n, byte* p)
+int curve25519(byte* q, const byte* n, const byte* p)
 {
 #if 0
   unsigned char e[32];

wolfcrypt/src/fe_x25519_128.i

@@ -406,7 +406,7 @@ void fe_invert(fe r, const fe a)
  * n  The scalar as an array of bytes.
  * a  A field element as an array of bytes.
  */
-int curve25519(byte* r, byte* n, byte* a)
+int curve25519(byte* r, const byte* n, const byte* a)
 {
     fe           x1, x2, z2, x3, z3;
     fe           t0, t1;

wolfcrypt/src/port/arm/armv8-32-curve25519.c

@@ -2910,7 +2910,7 @@ void fe_invert(fe r, const fe a)
     );
 }
 
-int curve25519(byte* r, byte* n, byte* a)
+int curve25519(byte* r, const byte* n, const byte* a)
 {
     __asm__ __volatile__ (
         "sub	sp, sp, #0xbc\n\t"

wolfcrypt/src/port/arm/armv8-curve25519.c

@@ -1007,7 +1007,7 @@ void fe_invert(fe r, const fe a)
     );
 }
 
-int curve25519(byte* r, byte* n, byte* a)
+int curve25519(byte* r, const byte* n, const byte* a)
 {
     __asm__ __volatile__ (
         "stp	x29, x30, [sp, #-192]!\n\t"

wolfcrypt/src/port/nxp/ksdk_port.c

@@ -974,7 +974,7 @@ static const ECPoint ecBasePoint = {
     0x1e, 0xe0, 0xb4, 0x86, 0xa0, 0xb8, 0xa1, 0x19, 0xae, 0x20},
 };
 
-const ECPoint *wc_curve25519_GetBasePoint(void)
+const ECPoint *nxp_ltc_curve25519_GetBasePoint(void)
 {
     return &ecBasePoint;
 }
@@ -985,7 +985,7 @@ static const uint8_t curve25519_aCurveParam[CURVE25519_KEYSIZE] = {
     0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
     0xaa, 0xaa, 0xaa, 0xaa, 0x2a};
 
-static const uint8_t curve_bCurveParam[CURVE25519_KEYSIZE] = {
+static const uint8_t curve25519_bCurveParam[CURVE25519_KEYSIZE] = {
     0x64, 0xc8, 0x10, 0x77, 0x9c, 0x5e, 0x0b, 0x26, 0xb4, 0x97, 0xd0,
     0x5e, 0x42, 0x7b, 0x09, 0xed,
     0x25, 0xb4, 0x97, 0xd0, 0x5e, 0x42, 0x7b, 0x09, 0xed, 0x25, 0xb4,
@@ -1122,7 +1122,7 @@ status_t LTC_PKHA_Curve25519ComputeY(ltc_pkha_ecc_point_t *ltcPoint)
 /* if type is set, the input point p is in Montgomery curve coordinates,
     so there is a map to Weierstrass curve */
 /* q output point is always in Montgomery curve coordinates */
-int wc_curve25519(ECPoint *q, byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type)
+int nxp_ltc_curve25519(ECPoint *q, const byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type)
 {
     status_t status;
     ltc_pkha_ecc_point_t ltcPoint;

wolfcrypt/src/wc_pkcs11.c

@@ -1061,8 +1061,8 @@ static int Pkcs11GetRsaPublicKey(RsaKey* key, Pkcs11Session* session,
         ret = WC_HW_E;
 
     if (ret == 0) {
-        modSz = tmpl[0].ulValueLen;
-        expSz = tmpl[1].ulValueLen;
+        modSz = (int)tmpl[0].ulValueLen;
+        expSz = (int)tmpl[1].ulValueLen;
         mod = (unsigned char*)XMALLOC(modSz, key->heap,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
         if (mod == NULL)
@@ -1162,9 +1162,9 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info)
         ret = Pkcs11GetRsaPublicKey(key, session, pubKey);
 
     if (pubKey != NULL_PTR)
-        ret = session->func->C_DestroyObject(session->handle, pubKey);
+        ret = (int)session->func->C_DestroyObject(session->handle, pubKey);
     if (ret != 0 && privKey != NULL_PTR)
-        ret = session->func->C_DestroyObject(session->handle, privKey);
+        ret = (int)session->func->C_DestroyObject(session->handle, privKey);
 
     return ret;
 }

wolfssl/wolfcrypt/curve25519.h

@@ -86,6 +86,9 @@ enum {
     EC25519_BIG_ENDIAN=1
 };
 
+WOLFSSL_API
+int wc_curve25519_make_pub(int public_size, byte* public, int private_size, const byte* private);
+
 WOLFSSL_API
 int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key);
 

wolfssl/wolfcrypt/fe_operations.h

@@ -79,7 +79,7 @@ Bounds on each t[i] vary depending on context.
 #if !defined(FREESCALE_LTC_ECC)
 WOLFSSL_LOCAL void fe_init(void);
 
-WOLFSSL_LOCAL int  curve25519(byte * q, byte * n, byte * p);
+WOLFSSL_LOCAL int  curve25519(byte * q, const byte * n, const byte * p);
 #endif
 
 /* default to be faster but take more memory */

wolfssl/wolfcrypt/port/nxp/ksdk_port.h

@@ -65,8 +65,8 @@ int ksdk_port_init(void);
 	int wc_ecc_point_add(ecc_point *mG, ecc_point *mQ, ecc_point *mR, mp_int *m);
 
 	#ifdef HAVE_CURVE25519
-		int wc_curve25519(ECPoint *q, byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type);
-		const ECPoint *wc_curve25519_GetBasePoint(void);
+		int nxp_ltc_curve25519(ECPoint *q, const byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type);
+		const ECPoint *nxp_ltc_curve25519_GetBasePoint(void);
 		status_t LTC_PKHA_Curve25519ToWeierstrass(const ltc_pkha_ecc_point_t *ltcPointIn, ltc_pkha_ecc_point_t *ltcPointOut);
 		status_t LTC_PKHA_WeierstrassToCurve25519(const ltc_pkha_ecc_point_t *ltcPointIn, ltc_pkha_ecc_point_t *ltcPointOut);
 		status_t LTC_PKHA_Curve25519ComputeY(ltc_pkha_ecc_point_t *ltcPoint);