wolfSSL
diff --git a/‎.github/workflows/os-check.yml‎
Lines changed: 8 additions & 1 deletion b/‎.github/workflows/os-check.yml‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎.wolfssl_known_macro_extras‎
Lines changed: 0 additions & 1 deletion b/‎.wolfssl_known_macro_extras‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎configure.ac‎
Lines changed: 27 additions & 2 deletions b/‎configure.ac‎
Lines changed: 27 additions & 2 deletions
diff --git a/‎src/internal.c‎
Lines changed: 66 additions & 0 deletions b/‎src/internal.c‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎src/tls.c‎
Lines changed: 67 additions & 2 deletions b/‎src/tls.c‎
Lines changed: 67 additions & 2 deletions
@@ -107,7 +107,14 @@ jobs:
           'CPPFLAGS=-DNO_WOLFSSL_SERVER',
           '--enable-lms=small,verify-only --enable-xmss=small,verify-only',
           '--enable-opensslall --enable-ecc CPPFLAGS="-DWC_ALLOW_ECC_ZERO_HASH"',
-          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
+          # Non-blocking ECC + Curve25519 + RSA + DH on the default SP word
+          # size for the host (sp_c64.c on x86_64). RSA/DH non-block require
+          # RSA_LOW_MEM (CRT path is not supported in non-block mode).
+          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM"',
+          # Same configuration but force SP_WORD_SIZE=32 to exercise sp_c32.c
+          # on a 64-bit host. The two builds together cover both generated
+          # variants of mod_exp_<words>_nb / RSA / DH wrappers.
+          '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-rsa=nonblock --enable-dh=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK -DRSA_LOW_MEM -DSP_WORD_SIZE=32"',
           '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
           # Minimal DTLS 1.3 client-only build. The SHA-224/384/512/3
           # disables are deliberately omitted: --disable-sha384 alone
 
@@ -673,7 +673,6 @@ WC_PROTECT_ENCRYPTED_MEM
 WC_PUF_SHA3
 WC_RNG_BANK_NO_DEFAULT_SUPPORT
 WC_RNG_BLOCKING
-WC_RSA_NONBLOCK
 WC_RSA_NONBLOCK_TIME
 WC_RSA_NO_FERMAT_CHECK
 WC_RWLOCK_OPS_INLINE
 
@@ -5009,6 +5009,15 @@ then
     test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
 fi
 
+# Handle RSA/DH nonblock - the SP non-blocking dispatch wants the same
+# WOLFSSL_ASYNC_CRYPT_SW shim that ECC/Curve25519 nonblock use so the
+# TLS layer can manage per-SSL nb contexts and yield MP_WOULDBLOCK.
+if test "$enable_rsa" = "nonblock" || test "$enable_dh" = "nonblock"
+then
+    test -z "$enable_asynccrypt" && enable_asynccrypt=yes
+    test -z "$enable_asynccrypt_sw" && enable_asynccrypt_sw=yes
+fi
+
 if test "$ENABLED_CURVE25519" = "no" && test "$ENABLED_QUIC" = "yes" && test "$ENABLED_FIPS" = "no"
 then
     ENABLED_CURVE25519=yes
@@ -5525,14 +5534,25 @@ fi
 
 # RSA
 AC_ARG_ENABLE([rsa],
-    [AS_HELP_STRING([--enable-rsa],[Enable RSA (default: enabled)])],
+    [AS_HELP_STRING([--enable-rsa],[Enable RSA (default: enabled). Set to "nonblock" to enable non-blocking RSA via TFM fp_exptmod_nb or SP small mod_exp_nb])],
     [ ENABLED_RSA=$enableval ],
     [ ENABLED_RSA=yes ]
     )
 
 if test "$ENABLED_RSA" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
+elif test "$ENABLED_RSA" = "nonblock"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWC_RSA_NONBLOCK"
+    ENABLED_RSA=yes
+    ENABLED_CERTS=yes
+    # asynccrypt + asynccrypt-sw are auto-enabled earlier in this file when
+    # --enable-rsa=nonblock is detected, so the TLS layer can pick up the
+    # per-SSL nb context and yield MP_WOULDBLOCK. RSA_LOW_MEM is left as a
+    # user choice - the SP non-block backend's compile-time check in
+    # wolfssl/wolfcrypt/rsa.h enforces it for SP, while the TFM (fastmath)
+    # backend supports the CRT path without it.
 else
     # turn off RSA if leanpsk or leantls on
     if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
@@ -5612,7 +5632,7 @@ fi
 
 # DH
 AC_ARG_ENABLE([dh],
-    [AS_HELP_STRING([--enable-dh],[Enable DH (default: enabled)])],
+    [AS_HELP_STRING([--enable-dh],[Enable DH (default: enabled). Set to "nonblock" to enable non-blocking DH key agreement via SP small mod_exp_nb])],
     [ ENABLED_DH=$enableval ],
     [ ENABLED_DH=yes ]
     )
@@ -5625,6 +5645,11 @@ fi
 if test "$ENABLED_DH" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_DH"
+elif test "$ENABLED_DH" = "nonblock"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWC_DH_NONBLOCK"
+    ENABLED_DH=yes
+    # asynccrypt + asynccrypt-sw are auto-enabled earlier in this file.
 else
     # turn off DH if leanpsk or leantls on
     if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
 
@@ -8305,6 +8305,15 @@ void FreeKey(WOLFSSL* ssl, int type, void** pKey)
         switch (type) {
         #ifndef NO_RSA
             case DYNAMIC_TYPE_RSA:
+            #if defined(WC_RSA_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+                defined(WC_ASYNC_ENABLE_RSA)
+                if (((RsaKey*)*pKey)->nb != NULL) {
+                    XFREE(((RsaKey*)*pKey)->nb, ssl->heap,
+                          DYNAMIC_TYPE_TMP_BUFFER);
+                    ((RsaKey*)*pKey)->nb = NULL;
+                }
+            #endif /* WC_RSA_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
+                      WC_ASYNC_ENABLE_RSA */
                 wc_FreeRsaKey((RsaKey*)*pKey);
                 break;
         #endif /* ! NO_RSA */
@@ -8360,6 +8369,15 @@ void FreeKey(WOLFSSL* ssl, int type, void** pKey)
         #endif /* HAVE_DILITHIUM */
         #ifndef NO_DH
             case DYNAMIC_TYPE_DH:
+            #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+                defined(WC_ASYNC_ENABLE_DH)
+                if (((DhKey*)*pKey)->nb != NULL) {
+                    XFREE(((DhKey*)*pKey)->nb, ssl->heap,
+                          DYNAMIC_TYPE_TMP_BUFFER);
+                    ((DhKey*)*pKey)->nb = NULL;
+                }
+            #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
+                      WC_ASYNC_ENABLE_DH */
                 wc_FreeDhKey((DhKey*)*pKey);
                 break;
         #endif /* !NO_DH */
@@ -8390,6 +8408,14 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
 #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
     x25519_nb_ctx_t* x25519NbCtx;
 #endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW */
+#if !defined(NO_RSA) && defined(WC_RSA_NONBLOCK) && \
+    defined(WOLFSSL_ASYNC_CRYPT_SW) && defined(WC_ASYNC_ENABLE_RSA)
+    RsaNb* rsaNb;
+#endif
+#if !defined(NO_DH) && defined(WC_DH_NONBLOCK) && \
+    defined(WOLFSSL_ASYNC_CRYPT_SW) && defined(WC_ASYNC_ENABLE_DH)
+    DhNb* dhNb;
+#endif
 
     if (ssl == NULL || pKey == NULL) {
         return BAD_FUNC_ARG;
@@ -8469,6 +8495,26 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
     #ifndef NO_RSA
         case DYNAMIC_TYPE_RSA:
             ret = wc_InitRsaKey_ex((RsaKey*)*pKey, ssl->heap, ssl->devId);
+        #if defined(WC_RSA_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+            defined(WC_ASYNC_ENABLE_RSA)
+            /* Only set non-blocking context when async device is active. With
+             * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
+             * skip non-blocking setup and use blocking mode instead. */
+            if (ret == 0 && ssl->devId != INVALID_DEVID) {
+                rsaNb = (RsaNb*)XMALLOC(sizeof(RsaNb), ssl->heap,
+                                        DYNAMIC_TYPE_TMP_BUFFER);
+                if (rsaNb == NULL) {
+                    ret = MEMORY_E;
+                }
+                else {
+                    ret = wc_RsaSetNonBlock((RsaKey*)*pKey, rsaNb);
+                    if (ret != 0) {
+                        XFREE(rsaNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                    }
+                }
+            }
+        #endif /* WC_RSA_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
+                  WC_ASYNC_ENABLE_RSA */
             break;
     #endif /* ! NO_RSA */
     #ifdef HAVE_ECC
@@ -8556,6 +8602,26 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
     #ifndef NO_DH
         case DYNAMIC_TYPE_DH:
             ret = wc_InitDhKey_ex((DhKey*)*pKey, ssl->heap, ssl->devId);
+        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+            defined(WC_ASYNC_ENABLE_DH)
+            /* Only set non-blocking context when async device is active. With
+             * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
+             * skip non-blocking setup and use blocking mode instead. */
+            if (ret == 0 && ssl->devId != INVALID_DEVID) {
+                dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
+                                      DYNAMIC_TYPE_TMP_BUFFER);
+                if (dhNb == NULL) {
+                    ret = MEMORY_E;
+                }
+                else {
+                    ret = wc_DhSetNonBlock((DhKey*)*pKey, dhNb);
+                    if (ret != 0) {
+                        XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                    }
+                }
+            }
+        #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
+                  WC_ASYNC_ENABLE_DH */
             break;
     #endif /* !NO_DH */
         default:
 
@@ -8021,6 +8021,26 @@ static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse)
                 ret = wc_DhSetNamedKey(dhKey, kse->group);
             #endif
             }
+        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+            defined(WC_ASYNC_ENABLE_DH)
+            /* Only set non-blocking context when async device is active. With
+             * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
+             * skip non-blocking setup and use blocking mode instead. */
+            if (ret == 0 && ssl->devId != INVALID_DEVID) {
+                DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
+                                            DYNAMIC_TYPE_TMP_BUFFER);
+                if (dhNb == NULL) {
+                    ret = MEMORY_E;
+                }
+                else {
+                    ret = wc_DhSetNonBlock((DhKey*)kse->key, dhNb);
+                    if (ret != 0) {
+                        XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                    }
+                }
+            }
+        #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
+                  WC_ASYNC_ENABLE_DH */
         }
 
         /* Allocate space for the private and public key */
@@ -8096,8 +8116,16 @@ static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse)
 
     /* Always release the DH key to free up memory.
      * The DhKey will be setup again in TLSX_KeyShare_ProcessDh */
-    if (dhKey != NULL)
+    if (dhKey != NULL) {
+    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+        defined(WC_ASYNC_ENABLE_DH)
+        if (dhKey->nb != NULL) {
+            XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            dhKey->nb = NULL;
+        }
+    #endif
         wc_FreeDhKey(dhKey);
+    }
     XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_DH);
     kse->key = NULL;
 
@@ -9062,6 +9090,15 @@ static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
         list = current->next;
         if (WOLFSSL_NAMED_GROUP_IS_FFDHE(current->group)) {
 #ifndef NO_DH
+        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+            defined(WC_ASYNC_ENABLE_DH)
+            if (current->key != NULL &&
+                    ((DhKey*)current->key)->nb != NULL) {
+                XFREE(((DhKey*)current->key)->nb, heap,
+                    DYNAMIC_TYPE_TMP_BUFFER);
+                ((DhKey*)current->key)->nb = NULL;
+            }
+        #endif
             wc_FreeDhKey((DhKey*)current->key);
             if (current->privKey != NULL && current->privKeyLen > 0) {
                 ForceZero(current->privKey, current->privKeyLen);
@@ -9321,6 +9358,26 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
             ret = wc_DhSetNamedKey(dhKey, keyShareEntry->group);
         #endif
         }
+    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+        defined(WC_ASYNC_ENABLE_DH)
+        /* Only set non-blocking context when async device is active. With
+         * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
+         * skip non-blocking setup and use blocking mode instead. */
+        if (ret == 0 && ssl->devId != INVALID_DEVID) {
+            DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
+                                        DYNAMIC_TYPE_TMP_BUFFER);
+            if (dhNb == NULL) {
+                ret = MEMORY_E;
+            }
+            else {
+                ret = wc_DhSetNonBlock((DhKey*)keyShareEntry->key, dhNb);
+                if (ret != 0) {
+                    XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+                }
+            }
+        }
+    #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
+              WC_ASYNC_ENABLE_DH */
     }
 
     if (ret == 0
@@ -9361,8 +9418,16 @@ static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
     }
 
     /* done with key share, release resources */
-    if (dhKey)
+    if (dhKey) {
+    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
+        defined(WC_ASYNC_ENABLE_DH)
+        if (dhKey->nb != NULL) {
+            XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            dhKey->nb = NULL;
+        }
+    #endif
         wc_FreeDhKey(dhKey);
+    }
     XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_DH);
     keyShareEntry->key = NULL;
     if (keyShareEntry->privKey) {