Skip to content

Add crypto callback only mode for ed25519#10830

Open
padelsbach wants to merge 5 commits into
wolfSSL:masterfrom
padelsbach:ed25519-cryptocb-only
Open

Add crypto callback only mode for ed25519#10830
padelsbach wants to merge 5 commits into
wolfSSL:masterfrom
padelsbach:ed25519-cryptocb-only

Conversation

@padelsbach

@padelsbach padelsbach commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Description

Expand existing ed25519 crypto callback to support the "only" mode which strips the software implementation for use with HSM or other hardware accelerators.

make_key, check_key, make_pub, sign_msg and verify_msg supported. No streaming support.

Testing

Added unit test and updated CI workflow

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

Comment thread wolfcrypt/src/ed25519.c

#ifdef WOLF_CRYPTO_CB
if (key->devId != INVALID_DEVID) {
#ifndef WOLF_CRYPTO_CB_FIND

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semi-related change to add these missing guards. The cb find mechanism would have failed here.

@padelsbach padelsbach self-assigned this Jul 1, 2026
@padelsbach

Copy link
Copy Markdown
Contributor Author

Jenkins retest this please

@padelsbach padelsbach marked this pull request as ready for review July 1, 2026 19:51
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

retest this please

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10830

Scan targets checked: wolfcrypt-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

@padelsbach padelsbach force-pushed the ed25519-cryptocb-only branch from 80c6f68 to 37b0c37 Compare July 6, 2026 15:34
@padelsbach padelsbach requested review from bigbrett and rizlik July 6, 2026 18:10
@padelsbach padelsbach removed their assignment Jul 6, 2026
@padelsbach padelsbach requested a review from Frauschi July 6, 2026 18:10
@bigbrett bigbrett assigned padelsbach and unassigned rizlik Jul 6, 2026
@padelsbach

Copy link
Copy Markdown
Contributor Author

jenkins retest this please

@rizlik rizlik left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, but the problem is that make_public and check-key survives and so ge_operations can't be removed from the build.
Given that the main goal of ONLY_ED25519 is to reduce code/data size, we should aim at removing all the software math.

I see two options:

  1. Gating out the make_public and check_key with new gating macros
  2. Adding two crypto callbacks for make_public and check_key

Comment thread wolfcrypt/src/ed25519.c Outdated
Comment on lines +636 to +637
#if defined(WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN) && \
!defined(WOLF_CRYPTO_CB_ONLY_ED25519)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me it looks like that the priv check must be inside the software blocks, not outside. So this is a bug that predate the PR. Probably a good idea to move it inside that software block instead of gating on !ONLY_ED25519, or just ignore it in this PR.

@padelsbach padelsbach Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great find. I moved this block up.

@Frauschi Frauschi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: COMMENT
Findings: 1 total — 1 posted, 0 skipped

Posted findings

  • [Low] Sign CB_ONLY path omits (void)ed25519Ctx suppression present in verify pathwolfcrypt/src/ed25519.c:445

Review generated by Skoll via Claude/Codex

Comment thread wolfcrypt/src/ed25519.c
(void)type;
ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
#elif defined(WOLF_CRYPTO_CB_ONLY_ED25519)
ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Sign CB_ONLY path omits (void)ed25519Ctx suppression present in verify path
🔧 NIT convention

The WOLF_CRYPTO_CB_ONLY_ED25519 branch of wc_ed25519_verify_msg_ex adds (void)ed25519Ctx; to suppress an unused-const-variable warning, but the equivalent WOLF_CRYPTO_CB_ONLY_ED25519 branch of wc_ed25519_sign_msg_ex does not. ed25519Ctx is defined whenever HAVE_ED25519_SIGN || HAVE_ED25519_VERIFY. In a narrow configuration built with HAVE_ED25519_SIGN but without HAVE_ED25519_VERIFY under WOLF_CRYPTO_CB_ONLY_ED25519, ed25519Ctx is never referenced (both the sign software path and the streaming-verify code that use it are compiled out), which can trigger -Wunused-const-variable under -Werror. The default/CI configs enable both sign and verify, so this does not fire in the added CI job.

Recommendation: For symmetry with the verify branch and to avoid a possible unused-const warning in sign-only configurations, add (void)ed25519Ctx; at the top of the sign CB_ONLY branch.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@padelsbach padelsbach force-pushed the ed25519-cryptocb-only branch from 67cd0ad to d4cb29c Compare July 9, 2026 16:48
@padelsbach

Copy link
Copy Markdown
Contributor Author

Great work, but the problem is that make_public and check-key survives and so ge_operations can't be removed from the build. Given that the main goal of ONLY_ED25519 is to reduce code/data size, we should aim at removing all the software math.

I see two options:

  1. Gating out the make_public and check_key with new gating macros
  2. Adding two crypto callbacks for make_public and check_key

Option 2 added, following the pattern from ECC. The ge operations are completely gone, but I did have to inline a small chunk of math.

@padelsbach padelsbach assigned rizlik and unassigned padelsbach Jul 9, 2026
@padelsbach padelsbach force-pushed the ed25519-cryptocb-only branch from 8379f8d to ef4e304 Compare July 9, 2026 17:14

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10830

Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread wolfcrypt/test/test.c
ctx->exampleVar = 99;
ret = wc_ed25519_verify_msg(sig, (word32)sizeof(sig), msg,
(word32)sizeof(msg) - 1, &res, &key);
if (ret != 0)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Verify dispatch test never checks res output from callback · Weak or missing assertions

The exampleVar==99 (cb-handles) verify test checks only ret == 0, never res == 1. The mock callback returns 0 without writing *res, so res stays 0 after the call. A regression where the callback's res output is never populated would pass undetected.

Fix: Set *info->pk.ed25519verify.res = 1 in the exampleVar==99 branch of myCryptoDevCb, then assert res == 1 after the verify call in ed25519_onlycb_test.

Comment thread wolfcrypt/test/test.c
/* reset devId */
info->pk.ed25519makepub.key->devId = devIdArg;
}
else if (info->pk.type == WC_PK_TYPE_ED25519_CHECK_KEY) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] WC_PK_TYPE_ED25519_CHECK_KEY handler gated on HAVE_ED25519_MAKE_KEY in test callback · Missing/incorrect platform conditionals

The WC_PK_TYPE_ED25519_CHECK_KEY dispatch arm is an else if branch inside #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY), so it is compiled out when HAVE_ED25519_MAKE_KEY is absent. wc_ed25519_check_key requires only HAVE_ED25519; the reference swdev.c callback correctly places this case under #ifdef HAVE_ED25519 alone (line 964). In any HAVE_ED25519 && !HAVE_ED25519_MAKE_KEY build the callback returns NOT_COMPILED_IN instead of the expected result, causing ed25519_onlycb_test to fail.

Fix: Move the WC_PK_TYPE_ED25519_CHECK_KEY handler into a separate #if defined(HAVE_ED25519) block, outside the HAVE_ED25519_MAKE_KEY guard.

Comment thread tests/swdev/swdev.c
WC_ALLOC_VAR(pubOnly, ed25519_key, 1, key->heap);
if (!WC_VAR_OK(pubOnly))
return MEMORY_E;
ret = wc_ed25519_init_ex(pubOnly, key->heap, INVALID_DEVID);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Resource leak when wc_ed25519_init_ex fails in swdev_ed25519_check_key · Resource leaks

wc_ed25519_free(pubOnly) is inside if (ret == 0), so if wc_ed25519_init_ex fails (e.g., under WOLFSSL_ED25519_PERSISTENT_SHA where ed25519_hash_init can fail), any partially allocated SHA state is not released before WC_FREE_VAR frees the struct.

Fix: Move wc_ed25519_free(pubOnly) outside the if (ret == 0) block so it always runs before WC_FREE_VAR.

@padelsbach padelsbach force-pushed the ed25519-cryptocb-only branch from ef4e304 to 031d58b Compare July 9, 2026 20:28
@padelsbach padelsbach force-pushed the ed25519-cryptocb-only branch from 031d58b to 9a941fb Compare July 9, 2026 21:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants