Merge pull request #9721 from dgarske/x25519_nb

Add X25519 non-blocking support and async example improvements

Author: SparkiDev

.github/workflows/async-examples.yml

@@ -0,0 +1,104 @@
+name: Async Examples
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  async_examples:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        extra_cflags:
+          - ''
+          - '-DWOLFSSL_SMALL_CERT_VERIFY'
+          - '-DWOLFSSL_STATIC_MEMORY'
+    name: Async Examples (${{ matrix.extra_cflags || 'default' }})
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Build async examples (no configure)
+        run: |
+          make -C examples/async clean
+          make -C examples/async EXTRA_CFLAGS="${{ matrix.extra_cflags }}"
+
+      - name: Run async examples
+        run: |
+          set -euo pipefail
+
+          MIN_PENDING=100
+
+          run_pair() {
+            local label="$1"
+            shift
+            local args="$*"
+            local ready="/tmp/wolfssl_async_ready_${label}"
+            rm -f "$ready"
+
+            WOLFSSL_ASYNC_READYFILE="$ready" \
+              ./examples/async/async_server $args \
+              > "/tmp/async_server_${label}.log" 2>&1 &
+            local pid=$!
+
+            WOLFSSL_ASYNC_READYFILE="$ready" \
+              ./examples/async/async_client $args 127.0.0.1 11111 \
+              > "/tmp/async_client_${label}.log" 2>&1
+            local rc=$?
+
+            kill "$pid" >/dev/null 2>&1 || true
+            wait "$pid" >/dev/null 2>&1 || true
+
+            if [ "$rc" -ne 0 ]; then
+              echo "FAIL: $label (exit=$rc)"
+              return 1
+            fi
+
+            # Validate WC_PENDING_E count is a proper value
+            local count
+            count=$(awk '/WC_PENDING_E count:/ {print $NF}' \
+              "/tmp/async_client_${label}.log")
+            if [ -z "$count" ] || [ "$count" -lt "$MIN_PENDING" ]; then
+              echo "FAIL: $label - WC_PENDING_E count too low:" \
+                "${count:-missing} (expected >= $MIN_PENDING)"
+              return 1
+            fi
+            echo "PASS: $label (WC_PENDING_E: $count)"
+            return 0
+          }
+
+          # TLS 1.3
+          run_pair ecc_tls13              --ecc
+          run_pair x25519_tls13           --x25519
+
+          # TLS 1.2
+          run_pair ecc_tls12              --tls12 --ecc
+          run_pair x25519_tls12           --tls12 --x25519
+
+          # TLS 1.3 mutual auth
+          run_pair ecc_tls13_mutual       --mutual --ecc
+          run_pair x25519_tls13_mutual    --mutual --x25519
+
+          # TLS 1.2 mutual auth
+          run_pair ecc_tls12_mutual       --mutual --tls12 --ecc
+          run_pair x25519_tls12_mutual    --mutual --tls12 --x25519
+
+
+      - name: Print async logs
+        if: ${{ failure() }}
+        run: |
+          for f in /tmp/async_server_*.log /tmp/async_client_*.log; do
+            if [ -f "$f" ]; then
+              echo "==> $f"
+              cat "$f"
+            fi
+          done

.github/workflows/os-check.yml

@@ -84,6 +84,8 @@ jobs:
           '--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
           '--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
           '--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
+          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
+          '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'
@@ -130,6 +132,7 @@ jobs:
           'examples/configs/user_settings_dtls13.h',
           'examples/configs/user_settings_EBSnet.h',
           'examples/configs/user_settings_eccnonblock.h',
+          'examples/configs/user_settings_curve25519nonblock.h',
           'examples/configs/user_settings_min_ecc.h',
           'examples/configs/user_settings_openssl_compat.h',
           'examples/configs/user_settings_pkcs7.h',

.wolfssl_known_macro_extras

@@ -354,6 +354,7 @@ MUTEX_DURING_INIT
 NEED_THREADX_TYPES
 NETX_DUO
 NET_SECURE_MODULE_EN
+NET_GETDEVRANDOM
 NOTE_TRIGGER
 NO_AES_DECRYPT
 NO_ARDUINO_DEFAULT
@@ -619,13 +620,13 @@ WC_ASYNC_NO_SHA256
 WC_ASYNC_NO_SHA3
 WC_ASYNC_NO_SHA384
 WC_ASYNC_NO_SHA512
+WC_ASYNC_NO_X25519
 WC_ASYNC_THREAD_BIND
 WC_CACHE_RESISTANT_BASE64_TABLE
 WC_DILITHIUM_CACHE_PRIV_VECTORS
 WC_DILITHIUM_CACHE_PUB_VECTORS
 WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
-WC_ECC_NONBLOCK_ONLY
 WC_FLAG_DONT_USE_AESNI
 WC_FORCE_LINUXKM_FORTIFY_SOURCE
 WC_LMS_FULL_HASH

configure.ac

@@ -4847,11 +4847,18 @@ ENABLED_ED25519_SMALL=no
 
 # CURVE25519
 AC_ARG_ENABLE([curve25519],
-    [AS_HELP_STRING([--enable-curve25519],[Enable Curve25519 (default: disabled)])],
+    [AS_HELP_STRING([--enable-curve25519],[Enable Curve25519 (default: disabled). Set to "nonblock" to enable non-blocking support for key gen and shared secret])],
     [ ENABLED_CURVE25519=$enableval ],
     [ ENABLED_CURVE25519=no ]
     )
 
+# Handle curve25519 nonblock option - enable asynccrypt and asynccrypt-sw early
+if test "$ENABLED_CURVE25519" = "nonblock"
+then
+    test -z "$enable_asynccrypt" && enable_asynccrypt=yes
+    test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
+fi
+
 if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_QUIC" = "yes" && test "$ENABLED_FIPS" = "no"
 then
     ENABLED_CURVE25519=yes
@@ -10362,12 +10369,17 @@ fi
 
 if test "$ENABLED_CURVE25519" != "no"
 then
-    if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
+    if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_CURVE25519" = "nonblock" || test "$ENABLED_LOWRESOURCE" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
         ENABLED_CURVE25519_SMALL=yes
     fi
 
+    if test "$ENABLED_CURVE25519" = "nonblock"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DWC_X25519_NONBLOCK"
+    fi
+
     if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
     then
         AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"

doc/dox_comments/header_files/ecc.h

@@ -2093,7 +2093,7 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg,
     \return 0 Returned upon successfully setting the callback context the input message
 
     \param key pointer to the ecc_key object
-    \param ctx pointer to ecc_nb_ctx_t structure with stack data cache for SP
+    \param ctx pointer to ecc nb_ctx_t structure with stack data cache for SP
 
     _Example_
     \code

examples/async/Makefile

@@ -0,0 +1,61 @@
+CC ?= gcc
+AR ?= ar
+RM ?= rm -f
+
+WOLFSSL_TOP ?= $(abspath ../..)
+OBJDIR ?= build
+
+CFLAGS ?= -O0 -g
+CFLAGS += -I.
+CFLAGS += -I$(WOLFSSL_TOP)
+CFLAGS += -I$(WOLFSSL_TOP)/wolfssl
+CFLAGS += -I$(WOLFSSL_TOP)/wolfssl/wolfcrypt
+CFLAGS += -Wall -Wextra -Wpedantic -Werror
+CFLAGS += -DWOLFSSL_USER_SETTINGS
+CFLAGS += -DHAVE_SYS_TIME_H
+CFLAGS += -DUSE_CERT_BUFFERS_256
+CFLAGS += $(EXTRA_CFLAGS)
+
+LDFLAGS ?=
+LDLIBS ?=
+
+TARGETS = async_client async_server
+
+WOLFSSL_SRC := $(wildcard $(WOLFSSL_TOP)/src/*.c)
+WOLFCRYPT_SRC := $(wildcard $(WOLFSSL_TOP)/wolfcrypt/src/*.c)
+LOCAL_SRC := async_client.c async_server.c async_tls.c
+
+WOLFSSL_OBJS := $(patsubst $(WOLFSSL_TOP)/%, $(OBJDIR)/%, $(WOLFSSL_SRC:.c=.o))
+WOLFCRYPT_OBJS := $(patsubst $(WOLFSSL_TOP)/%, $(OBJDIR)/%, $(WOLFCRYPT_SRC:.c=.o))
+LOCAL_OBJS := $(patsubst %.c, $(OBJDIR)/%.o, $(LOCAL_SRC))
+
+ASYNC_CLIENT_OBJS := $(OBJDIR)/async_client.o $(OBJDIR)/async_tls.o
+ASYNC_SERVER_OBJS := $(OBJDIR)/async_server.o $(OBJDIR)/async_tls.o
+
+all: $(TARGETS)
+
+async_client: $(ASYNC_CLIENT_OBJS) $(WOLFSSL_OBJS) $(WOLFCRYPT_OBJS)
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+async_server: $(ASYNC_SERVER_OBJS) $(WOLFSSL_OBJS) $(WOLFCRYPT_OBJS)
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+$(OBJDIR)/%.o: %.c user_settings.h
+	@mkdir -p $(dir $@)
+	$(CC) $(CFLAGS) -c $< -o $@
+
+$(OBJDIR)/%.o: $(WOLFSSL_TOP)/%.c
+	@mkdir -p $(dir $@)
+	$(CC) $(CFLAGS) -c $< -o $@
+
+# Possibly empty files (avoids "warning: ISO C forbids an empty translation unit")
+$(OBJDIR)/wolfcrypt/src/ecc_fp.o: CFLAGS += -Wno-pedantic
+$(OBJDIR)/wolfcrypt/src/fips.o: CFLAGS += -Wno-pedantic
+$(OBJDIR)/wolfcrypt/src/fips_test.o: CFLAGS += -Wno-pedantic
+$(OBJDIR)/wolfcrypt/src/fipsv2.o: CFLAGS += -Wno-pedantic
+$(OBJDIR)/wolfcrypt/src/selftest.o: CFLAGS += -Wno-pedantic
+$(OBJDIR)/wolfcrypt/src/wolfcrypt_first.o: CFLAGS += -Wno-pedantic
+$(OBJDIR)/wolfcrypt/src/wolfcrypt_last.o: CFLAGS += -Wno-pedantic
+
+clean:
+	$(RM) -r $(OBJDIR) $(TARGETS)

examples/async/README.md

@@ -15,11 +15,23 @@ Tested with:
 * `./configure --enable-asynccrypt --enable-pkcallbacks --disable-rsa --enable-ecc`
 
 ```
-make
-./examples/async/async_server
-./examples/async/async_client 127.0.0.1
+make -C examples/async
+./examples/async/async_server --ecc
+./examples/async/async_client --ecc 127.0.0.1 11111
+./examples/async/async_client --x25519 ecc256.badssl.com 443
 ```
 
+Optional ready-file sync (CI-friendly, avoids sleeps):
+```
+export WOLFSSL_ASYNC_READYFILE=/tmp/wolfssl_async_ready
+./examples/async/async_server --ecc
+WOLFSSL_ASYNC_READYFILE=/tmp/wolfssl_async_ready ./examples/async/async_client --ecc 127.0.0.1 11111
+```
+
+Porting the TCP/IP stack:
+Define `NET_USER_HEADER` to include your network shim and provide the
+`NET_*` macros plus `NET_IO_SEND_CB` / `NET_IO_RECV_CB`.
+
 ## Asynchronous Cryptography Design
 
 When a cryptographic call is handed off to hardware it return `WC_PENDING_E` up to caller. Then it can keep calling until the operation completes. For some platforms it is required to call `wolfSSL_AsyncPoll`. At the TLS layer a "devId" (Device ID) must be set using `wolfSSL_CTX_SetDevId` to indicate desire to offload cryptography.