Curve25519: improved smul

Use the Ed25519 base smul in Curve25519 base mul and covert to
Montogmery curve for a faster implementation.
Only when Ed25519 is compiled in or WOLFSSL_CURVE25519_USE_ED25519 is
defined.
When compiling Intel x64 assembly and Aarch64 assembly, always define
WOLFSSL_CURVE25519_USE_ED25519.
Can't use with blinding - normal C implementation.

Optimized the Curve25519 smul slightly for Intel x64 and Aarch64.
Improved the conditional table lookup on Intel x64 to use AVX2 when
available.

Author: SparkiDev

configure.ac

@@ -10275,6 +10275,12 @@ then
         AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
     fi
 
+    if test "$ENABLED_CURVE25519" = "ed"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CURVE25519_USE_ED25519"
+        AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_CURVE25519_USE_ED25519"
+    fi
+
     AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
     AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
     ENABLED_FEMATH=yes

src/include.am

@@ -1401,6 +1401,7 @@ endif !BUILD_FIPS_V6_PLUS
 
 if BUILD_FEMATH
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fe_low_mem.c
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ge_operations.c
 if BUILD_CURVE25519_INTELASM
 if !BUILD_X86_ASM
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fe_x25519_asm.S
@@ -1460,8 +1461,8 @@ endif BUILD_FEMATH
 
 if BUILD_GEMATH
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ge_low_mem.c
-src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ge_operations.c
 if !BUILD_FEMATH
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/ge_operations.c
 if BUILD_CURVE25519_INTELASM
 if !BUILD_X86_ASM
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/fe_x25519_asm.S

wolfcrypt/src/curve25519.c

@@ -31,6 +31,7 @@
 #ifdef HAVE_CURVE25519
 
 #include <wolfssl/wolfcrypt/curve25519.h>
+#include <wolfssl/wolfcrypt/ge_operations.h>
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
@@ -54,6 +55,8 @@
         #error "Blinding not needed nor available for small implementation"
     #elif defined(USE_INTEL_SPEEDUP) || defined(WOLFSSL_ARMASM)
         #error "Blinding not needed nor available for assembly implementation"
+    #elif defined(WOLFSSL_CURVE25519_USE_ED25519)
+        #error "Ed25519 base scalar mult cannot be used with blinding "
     #endif
 #endif
 
@@ -72,13 +75,16 @@ const curve25519_set_type curve25519_sets[] = {
     }
 };
 
+#if !defined(WOLFSSL_CURVE25519_USE_ED25519) || \
+    defined(WOLFSSL_CURVE25519_BLINDING)
 static const word32 kCurve25519BasePoint[CURVE25519_KEYSIZE/sizeof(word32)] = {
 #ifdef BIG_ENDIAN_ORDER
     0x09000000
 #else
     9
 #endif
 };
+#endif /* !WOLFSSL_CURVE25519_USE_ED25519 || WOLFSSL_CURVE25519_BLINDING */
 
 /* Curve25519 private key must be less than order */
 /* These functions clamp private k and check it */
@@ -154,7 +160,31 @@ int wc_curve25519_make_pub(int public_size, byte* pub, int private_size,
 
     SAVE_VECTOR_REGISTERS(return _svr_ret;);
 
+#if defined(WOLFSSL_CURVE25519_USE_ED25519)
+    {
+        ge_p3 A;
+
+        ge_scalarmult_base(&A, priv);
+    #ifndef CURVE25519_SMALL
+        fe_add(A.X, A.Z, A.Y);
+        fe_sub(A.T, A.Z, A.Y);
+        fe_invert(A.T, A.T);
+        fe_mul(A.T, A.X, A.T);
+        fe_tobytes(pub, A.T);
+    #else
+        lm_add(A.X, A.Z, A.Y);
+        lm_sub(A.T, A.Z, A.Y);
+        lm_invert(A.T, A.T);
+        lm_mul(pub, A.X, A.T);
+    #endif
+        ret = 0;
+    }
+#elif defined(CURVED25519_X64) || (defined(WOLFSSL_ARMASM) && \
+    defined(__aarch64__))
+    ret = curve25519_base(pub, priv);
+#else
     ret = curve25519(pub, priv, (byte*)kCurve25519BasePoint);
+#endif
 
     RESTORE_VECTOR_REGISTERS();
 #else

wolfcrypt/src/ed25519.c

@@ -88,13 +88,7 @@ static int ed25519_hash_init(ed25519_key* key, wc_Sha512 *sha)
 {
     int ret;
 
-#ifndef WOLFSSL_ED25519_PERSISTENT_SHA
-    /* when not using persistent SHA, we'll zero the sha param */
-    XMEMSET(sha, 0, sizeof(wc_Sha512));
-#endif
-
     ret = wc_InitSha512_ex(sha, key->heap,
-
 #if defined(WOLF_CRYPTO_CB)
                            key->devId
 #else
@@ -103,8 +97,9 @@ static int ed25519_hash_init(ed25519_key* key, wc_Sha512 *sha)
         );
 
 #ifdef WOLFSSL_ED25519_PERSISTENT_SHA
-    if (ret == 0)
+    if (ret == 0) {
         key->sha_clean_flag = 1;
+    }
 #endif
 
     return ret;
@@ -114,8 +109,10 @@ static int ed25519_hash_init(ed25519_key* key, wc_Sha512 *sha)
 static int ed25519_hash_reset(ed25519_key* key)
 {
     int ret;
-    if (key->sha_clean_flag)
+
+    if (key->sha_clean_flag) {
         ret = 0;
+    }
     else {
         wc_Sha512Free(&key->sha);
         ret = wc_InitSha512_ex(&key->sha, key->heap,
@@ -128,6 +125,7 @@ static int ed25519_hash_reset(ed25519_key* key)
         if (ret == 0)
             key->sha_clean_flag = 1;
     }
+
     return ret;
 }
 #endif /* WOLFSSL_ED25519_PERSISTENT_SHA */
@@ -136,8 +134,9 @@ static int ed25519_hash_update(ed25519_key* key, wc_Sha512 *sha,
                                const byte* data, word32 len)
 {
 #ifdef WOLFSSL_ED25519_PERSISTENT_SHA
-    if (key->sha_clean_flag)
+    if (key->sha_clean_flag) {
         key->sha_clean_flag = 0;
+    }
 #else
     (void)key;
 #endif
@@ -148,8 +147,9 @@ static int ed25519_hash_final(ed25519_key* key, wc_Sha512 *sha, byte* hash)
 {
     int ret = wc_Sha512Final(sha, hash);
 #ifdef WOLFSSL_ED25519_PERSISTENT_SHA
-    if (ret == 0)
+    if (ret == 0) {
         key->sha_clean_flag = 1;
+    }
 #else
     (void)key;
 #endif
@@ -187,16 +187,15 @@ static int ed25519_hash(ed25519_key* key, const byte* in, word32 inLen,
 #else
     ret = ed25519_hash_init(key, sha);
 #endif
-    if (ret < 0)
-        return ret;
-
-    ret = ed25519_hash_update(key, sha, in, inLen);
-    if (ret == 0)
-        ret = ed25519_hash_final(key, sha, hash);
+    if (ret == 0) {
+        ret = ed25519_hash_update(key, sha, in, inLen);
+        if (ret == 0)
+            ret = ed25519_hash_final(key, sha, hash);
 
-#ifndef WOLFSSL_ED25519_PERSISTENT_SHA
-    ed25519_hash_free(key, sha);
-#endif
+    #ifndef WOLFSSL_ED25519_PERSISTENT_SHA
+        ed25519_hash_free(key, sha);
+    #endif
+    }
 
     return ret;
 }