Skip to content

Support for Curve25519 non-blocking cryptography (based on PR #5764) #9721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dgarske wants to merge 5 commits into
base: master
Choose a base branch
from
+2,399 −438
Open

Support for Curve25519 non-blocking cryptography (based on PR #5764) #9721

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
79602b0
Support for Curve25519 non-blocking cryptography (based on PR #5764)
dgarske Jan 30, 2026
50dea8f
Update the async examples and add CI for it.
dgarske Jan 30, 2026
8c483e4
Cleanups. Fix some multi-test issues.
dgarske Feb 2, 2026
f7c1f77
Progress with TLS v1.3 using X25519
dgarske Feb 3, 2026
f682c6b
Fixes for TLS v1.3 and x25519 non-blocking crypto
dgarske Feb 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions .github/workflows/async-examples.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
name: Async Examples

on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '*' ]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
async_examples:
if: github.repository_owner == 'wolfssl'
runs-on: ubuntu-24.04
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
name: Checkout wolfSSL

- name: Build async examples (no configure)
run: |
make -C examples/async clean
make -C examples/async

- name: Run async examples
run: |
set -euo pipefail

MIN_PENDING=100

run_pair() {
local label="$1"
shift
local args="$*"
local ready="/tmp/wolfssl_async_ready_${label}"
rm -f "$ready"

WOLFSSL_ASYNC_READYFILE="$ready" \
./examples/async/async_server $args \
> "/tmp/async_server_${label}.log" 2>&1 &
local pid=$!

WOLFSSL_ASYNC_READYFILE="$ready" \
./examples/async/async_client $args 127.0.0.1 11111 \
> "/tmp/async_client_${label}.log" 2>&1
local rc=$?

kill "$pid" >/dev/null 2>&1 || true
wait "$pid" >/dev/null 2>&1 || true

if [ "$rc" -ne 0 ]; then
echo "FAIL: $label (exit=$rc)"
return 1
fi

# Validate WC_PENDING_E count is a proper value
local count
count=$(awk '/WC_PENDING_E count:/ {print $NF}' \
"/tmp/async_client_${label}.log")
if [ -z "$count" ] || [ "$count" -lt "$MIN_PENDING" ]; then
echo "FAIL: $label - WC_PENDING_E count too low:" \
"${count:-missing} (expected >= $MIN_PENDING)"
return 1
fi
echo "PASS: $label (WC_PENDING_E: $count)"
return 0
}

# TLS 1.3
run_pair ecc_tls13 --ecc
run_pair x25519_tls13 --x25519

# TLS 1.2
run_pair ecc_tls12 --tls12 --ecc
run_pair x25519_tls12 --tls12 --x25519

# BELOW ARE NOT WORKING YET
# TLS 1.3 mutual auth
#run_pair ecc_tls13_mutual --mutual --ecc
#run_pair x25519_tls13_mutual --mutual --x25519


- name: Print async logs
if: ${{ failure() }}
run: |
for f in /tmp/async_server_*.log /tmp/async_client_*.log; do
if [ -f "$f" ]; then
echo "==> $f"
cat "$f"
fi
done
3 changes: 3 additions & 0 deletions .github/workflows/os-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,8 @@ jobs:
'--enable-all CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
'--enable-all CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
'--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
'--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
]
name: make check
if: github.repository_owner == 'wolfssl'
Expand Down Expand Up @@ -127,6 +129,7 @@ jobs:
'examples/configs/user_settings_dtls13.h',
'examples/configs/user_settings_EBSnet.h',
'examples/configs/user_settings_eccnonblock.h',
'examples/configs/user_settings_curve25519nonblock.h',
'examples/configs/user_settings_min_ecc.h',
'examples/configs/user_settings_openssl_compat.h',
'examples/configs/user_settings_pkcs7.h',
Expand Down
4 changes: 2 additions & 2 deletions .wolfssl_known_macro_extras
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -597,6 +597,7 @@ WC_AES_GCM_DEC_AUTH_EARLY
WC_ASN_HASH_SHA256
WC_ASN_RUNTIME_DATE_CHECK_CONTROL
WC_ASYNC_ENABLE_ECC_KEYGEN
WC_ASYNC_ENABLE_X25519
WC_ASYNC_NO_3DES
WC_ASYNC_NO_AES
WC_ASYNC_NO_ARC4
Expand All @@ -615,13 +616,13 @@ WC_ASYNC_NO_SHA256
WC_ASYNC_NO_SHA3
WC_ASYNC_NO_SHA384
WC_ASYNC_NO_SHA512
WC_ASYNC_NO_X25519
WC_ASYNC_THREAD_BIND
WC_CACHE_RESISTANT_BASE64_TABLE
WC_DILITHIUM_CACHE_PRIV_VECTORS
WC_DILITHIUM_CACHE_PUB_VECTORS
WC_DILITHIUM_FIXED_ARRAY
WC_DISABLE_RADIX_ZERO_PAD
WC_ECC_NONBLOCK_ONLY
WC_FLAG_DONT_USE_AESNI
WC_FORCE_LINUXKM_FORTIFY_SOURCE
WC_LMS_FULL_HASH
Expand All @@ -637,7 +638,6 @@ WC_RSA_NONBLOCK
WC_RSA_NONBLOCK_TIME
WC_RSA_NO_FERMAT_CHECK
WC_RWLOCK_OPS_INLINE
WC_SHA3_HARDEN
WC_SHA384
WC_SHA384_DIGEST_SIZE
WC_SHA512
Expand Down
16 changes: 14 additions & 2 deletions configure.ac
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4816,11 +4816,18 @@ ENABLED_ED25519_SMALL=no

# CURVE25519
AC_ARG_ENABLE([curve25519],
[AS_HELP_STRING([--enable-curve25519],[Enable Curve25519 (default: disabled)])],
[AS_HELP_STRING([--enable-curve25519],[Enable Curve25519 (default: disabled). Set to "nonblock" to enable non-blocking support for key gen and shared secret])],
[ ENABLED_CURVE25519=$enableval ],
[ ENABLED_CURVE25519=no ]
)

# Handle curve25519 nonblock option - enable asynccrypt and asynccrypt-sw early
if test "$ENABLED_CURVE25519" = "nonblock"
then
test -z "$enable_asynccrypt" && enable_asynccrypt=yes
test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
fi

if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_QUIC" = "yes" && test "$ENABLED_FIPS" = "no"
then
ENABLED_CURVE25519=yes
Expand Down Expand Up @@ -10328,12 +10335,17 @@ fi

if test "$ENABLED_CURVE25519" != "no"
then
if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_CURVE25519" = "nonblock" || test "$ENABLED_LOWRESOURCE" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
ENABLED_CURVE25519_SMALL=yes
fi

if test "$ENABLED_CURVE25519" = "nonblock"
then
AM_CFLAGS="$AM_CFLAGS -DWC_X25519_NONBLOCK"
fi

if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
Expand Down
59 changes: 59 additions & 0 deletions examples/async/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
CC ?= gcc
AR ?= ar
RM ?= rm -f

WOLFSSL_TOP ?= $(abspath ../..)
OBJDIR ?= build

CFLAGS ?= -O0 -g
CFLAGS += -I.
CFLAGS += -I$(WOLFSSL_TOP)
CFLAGS += -I$(WOLFSSL_TOP)/wolfssl
CFLAGS += -I$(WOLFSSL_TOP)/wolfssl/wolfcrypt
CFLAGS += -Wall -Wextra -Wpedantic -Werror
CFLAGS += -DWOLFSSL_USER_SETTINGS
CFLAGS += -DHAVE_SYS_TIME_H
CFLAGS += -DUSE_CERT_BUFFERS_256

LDFLAGS ?=
LDLIBS ?=

TARGETS = async_client async_server

WOLFSSL_SRC := $(wildcard $(WOLFSSL_TOP)/src/*.c)
WOLFCRYPT_SRC := $(wildcard $(WOLFSSL_TOP)/wolfcrypt/src/*.c)
LOCAL_SRC := async_client.c async_server.c async_tls.c

WOLFSSL_OBJS := $(patsubst $(WOLFSSL_TOP)/%, $(OBJDIR)/%, $(WOLFSSL_SRC:.c=.o))
WOLFCRYPT_OBJS := $(patsubst $(WOLFSSL_TOP)/%, $(OBJDIR)/%, $(WOLFCRYPT_SRC:.c=.o))
LOCAL_OBJS := $(patsubst %.c, $(OBJDIR)/%.o, $(LOCAL_SRC))

ASYNC_CLIENT_OBJS := $(OBJDIR)/async_client.o $(OBJDIR)/async_tls.o
ASYNC_SERVER_OBJS := $(OBJDIR)/async_server.o $(OBJDIR)/async_tls.o

all: $(TARGETS)

async_client: $(ASYNC_CLIENT_OBJS) $(WOLFSSL_OBJS) $(WOLFCRYPT_OBJS)
$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)

async_server: $(ASYNC_SERVER_OBJS) $(WOLFSSL_OBJS) $(WOLFCRYPT_OBJS)
$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)

$(OBJDIR)/%.o: %.c user_settings.h
@mkdir -p $(dir $@)
$(CC) $(CFLAGS) -c $< -o $@

$(OBJDIR)/%.o: $(WOLFSSL_TOP)/%.c
@mkdir -p $(dir $@)
$(CC) $(CFLAGS) -c $< -o $@

# Possibly empty files (avoids "warning: ISO C forbids an empty translation unit")
$(OBJDIR)/wolfcrypt/src/ecc_fp.o: CFLAGS += -Wno-pedantic
$(OBJDIR)/wolfcrypt/src/fips.o: CFLAGS += -Wno-pedantic
$(OBJDIR)/wolfcrypt/src/fips_test.o: CFLAGS += -Wno-pedantic
$(OBJDIR)/wolfcrypt/src/selftest.o: CFLAGS += -Wno-pedantic
$(OBJDIR)/wolfcrypt/src/wolfcrypt_first.o: CFLAGS += -Wno-pedantic
$(OBJDIR)/wolfcrypt/src/wolfcrypt_last.o: CFLAGS += -Wno-pedantic

clean:
$(RM) -r $(OBJDIR) $(TARGETS)
18 changes: 15 additions & 3 deletions examples/async/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,23 @@ Tested with:
* `./configure --enable-asynccrypt --enable-pkcallbacks --disable-rsa --enable-ecc`

```
make
./examples/async/async_server
./examples/async/async_client 127.0.0.1
make -C examples/async
./examples/async/async_server --ecc
./examples/async/async_client --ecc 127.0.0.1 11111
./examples/async/async_client --x25519 ecc256.badssl.com 443
```

Optional ready-file sync (CI-friendly, avoids sleeps):
```
export WOLFSSL_ASYNC_READYFILE=/tmp/wolfssl_async_ready
./examples/async/async_server --ecc
WOLFSSL_ASYNC_READYFILE=/tmp/wolfssl_async_ready ./examples/async/async_client --ecc 127.0.0.1 11111
```

Porting the TCP/IP stack:
Define `NET_USER_HEADER` to include your network shim and provide the
`NET_*` macros plus `NET_IO_SEND_CB` / `NET_IO_RECV_CB`.

## Asynchronous Cryptography Design

When a cryptographic call is handed off to hardware it return `WC_PENDING_E` up to caller. Then it can keep calling until the operation completes. For some platforms it is required to call `wolfSSL_AsyncPoll`. At the TLS layer a "devId" (Device ID) must be set using `wolfSSL_CTX_SetDevId` to indicate desire to offload cryptography.
Expand Down
Loading
Loading