diff --git a/.gitignore b/.gitignore
index 37f572851..c33a87daf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ tools/testcertgen/*.der
*.code-workspace
.vscode
compile_commands.json
+.cache
# Static analysis
tools/static-analysis/reports/
diff --git a/benchmark/wh_bench.c b/benchmark/wh_bench.c
index 2be892e9c..3ce39ae06 100644
--- a/benchmark/wh_bench.c
+++ b/benchmark/wh_bench.c
@@ -1047,9 +1047,7 @@ int wh_Bench_ClientServer_Posix(int transport, int moduleIndex)
#ifndef WOLFHSM_CFG_NO_CRYPTO
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#endif
/* Set up server configuration with NVM and crypto */
@@ -1085,7 +1083,7 @@ int wh_Bench_ClientServer_Posix(int transport, int moduleIndex)
}
/* Initialize RNG */
- ret = wc_InitRng_ex(crypto->rng, NULL, crypto->devId);
+ ret = wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID);
if (ret != 0) {
WH_BENCH_PRINTF("Failed to initialize RNG: %d\n", ret);
wolfCrypt_Cleanup();
diff --git a/docs/draft/crypto_affinity.md b/docs/draft/crypto_affinity.md
new file mode 100644
index 000000000..e6521fc04
--- /dev/null
+++ b/docs/draft/crypto_affinity.md
@@ -0,0 +1,94 @@
+# Crypto Affinity Client API
+
+The crypto affinity feature allows a client to control whether the server uses **software** or **hardware** cryptographic implementations on a per-request basis.
+
+Affinity is stored as **client-local state** and is transmitted to the server in every crypto request message header. There is no dedicated round-trip required to change affinity -- setting it is instantaneous and takes effect on the next crypto operation. Affinity persists for all subsequent requests once changed.
+
+## Affinity Values
+
+```c
+enum WH_CRYPTO_AFFINITY_ENUM {
+ WH_CRYPTO_AFFINITY_HW = 0, // Attempt to use hardware crypto (devId = configured value)
+ WH_CRYPTO_AFFINITY_SW = 1, // Use software crypto (devId = INVALID_DEVID)
+};
+```
+
+The default affinity after client initialization is `WH_CRYPTO_AFFINITY_HW`.
+
+## API
+
+### SetCryptoAffinity
+
+```c
+int wh_Client_SetCryptoAffinity(whClientContext* c, uint32_t affinity);
+```
+
+Sets the client's crypto affinity. This is a **local operation** that does not communicate with the server. The new affinity value will be included in all subsequent crypto request messages.
+
+**Parameters:**
+- `c` -- Client context
+- `affinity` -- `WH_CRYPTO_AFFINITY_SW` or `WH_CRYPTO_AFFINITY_HW`
+
+**Returns:**
+- `WH_ERROR_OK` -- Affinity set successfully
+- `WH_ERROR_BADARGS` -- NULL context or invalid affinity value
+
+### GetCryptoAffinity
+
+```c
+int wh_Client_GetCryptoAffinity(whClientContext* c, uint32_t* out_affinity);
+```
+
+Retrieves the client's current crypto affinity. This is a **local operation** that does not communicate with the server.
+
+**Parameters:**
+- `c` -- Client context
+- `out_affinity` -- Pointer to receive the current affinity value
+
+**Returns:**
+- `WH_ERROR_OK` -- Affinity retrieved successfully
+- `WH_ERROR_BADARGS` -- NULL context or NULL output pointer
+
+## Usage Example
+
+```c
+uint32_t affinity;
+
+/* Default affinity is WH_CRYPTO_AFFINITY_SW after wh_Client_Init() */
+wh_Client_GetCryptoAffinity(client, &affinity);
+/* affinity == WH_CRYPTO_AFFINITY_SW */
+
+/* Switch to hardware crypto -- takes effect immediately, no round-trip */
+int rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
+if (rc == WH_ERROR_OK) {
+ /* All subsequent crypto operations will request HW acceleration */
+}
+
+/* Perform a crypto operation -- affinity is sent in the request header */
+wc_AesCbcEncrypt(&aes, out, in, len);
+/* If server has a valid devId, hardware crypto callback is used */
+
+/* Switch back to software crypto */
+wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
+/* Subsequent crypto operations use software implementation */
+```
+
+## Server Behavior
+
+When the server receives a crypto request, it reads the affinity field from the generic crypto request header and selects the appropriate `devId`:
+
+| Affinity in Request | Server Action |
+|---------------------|---------------|
+| `WH_CRYPTO_AFFINITY_SW` | Uses `INVALID_DEVID` (wolfCrypt software implementation) |
+| `WH_CRYPTO_AFFINITY_HW` | Uses `server->defaultDevId` if valid, otherwise falls back to `INVALID_DEVID` |
+
+The `defaultDevId` is configured at server initialization from `config->devId`. If the server was not configured with a valid hardware `devId`, hardware affinity requests will silently fall back to software crypto.
+
+## Protocol Details
+
+Affinity is transmitted in the `affinity` field of `whMessageCrypto_GenericRequestHeader`, which is included at the start of every crypto request message. This means:
+
+- Each crypto operation independently specifies its desired affinity
+- Multiple clients can use different affinities concurrently without interference
+- No server-side affinity state is maintained per-client
+- Changing affinity has zero latency (no communication overhead)
diff --git a/docs/src-ja/chapter03.md b/docs/src-ja/chapter03.md
index 04daad7b8..a92b0f4b2 100644
--- a/docs/src-ja/chapter03.md
+++ b/docs/src-ja/chapter03.md
@@ -171,15 +171,14 @@ whNvmContext nvmCtx = {0};
wh_Nvm_Init(&nvmCtx, &whNvmConfig);
/* 手順3: 暗号コンテキスト構造体の割り当てと初期化 */
-whServerCryptoContext cryptoCtx {
- .devID = INVALID_DEVID; /* あるいは、カスタム暗号コールバックdevIDを設定 */
-};
+whServerCryptoContext cryptoCtx = {0};
/* サーバー設定の割り当てと初期化 */
whServerConfig serverCfg = {
.comm = commServerCfg,
.nvm = nvmCtx,
- .crypto = cryptoCtx,
+ .crypto = &cryptoCtx,
+ .devId = INVALID_DEVID, /* あるいは、カスタム暗号コールバックdevIDを設定 */
};
/* 手順4: wolfCryptの初期化 */
diff --git a/docs/src/chapter03.md b/docs/src/chapter03.md
index 38de120d3..c00dad25c 100644
--- a/docs/src/chapter03.md
+++ b/docs/src/chapter03.md
@@ -169,15 +169,14 @@ whNvmContext nvmCtx = {0};
wh_Nvm_Init(&nvmCtx, &whNvmConfig);
/* Step 3: Allocate and initialize a crypto context structure */
-whServerCryptoContext cryptoCtx {
- .devID = INVALID_DEVID; /* or set to custom crypto callback devID */
-};
+whServerCryptoContext cryptoCtx = {0};
/* Allocate and initialize the Server configuration*/
whServerConfig serverCfg = {
.comm = commServerCfg,
.nvm = nvmCtx,
- .crypto = cryptoCtx,
+ .crypto = &cryptoCtx,
+ .devId = INVALID_DEVID, /* or set to custom crypto callback devID */
};
/* Step 4: Initialize wolfCrypt*/
diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c
index 0f0d9bca1..03c9b7a8a 100644
--- a/examples/posix/wh_posix_server/wh_posix_server.c
+++ b/examples/posix/wh_posix_server/wh_posix_server.c
@@ -416,9 +416,7 @@ int main(int argc, char** argv)
}
#if !defined(WOLFHSM_CFG_NO_CRYPTO)
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#if defined(WOLFHSM_CFG_SHE_EXTENSION)
whServerSheContext she[1] = {{0}};
@@ -452,11 +450,11 @@ int main(int argc, char** argv)
wh_Utils_Hexdump("Context 4: Server HW RNG:\n", buffer, sizeof(buffer));
/* Context 5: Set default server crypto to use cryptocb */
- crypto->devId = HW_DEV_ID;
+ s_conf->devId = HW_DEV_ID;
WOLFHSM_CFG_PRINTF("Context 5: Setting up default server crypto with devId=%d\n",
- crypto->devId);
+ s_conf->devId);
- rc = wc_InitRng_ex(crypto->rng, NULL, crypto->devId);
+ rc = wc_InitRng_ex(crypto->rng, NULL, s_conf->devId);
if (rc != 0) {
WOLFHSM_CFG_PRINTF("Failed to wc_InitRng_ex: %d\n", rc);
return rc;
diff --git a/src/wh_client.c b/src/wh_client.c
index 132841b7b..2d6c2f867 100644
--- a/src/wh_client.c
+++ b/src/wh_client.c
@@ -410,6 +410,28 @@ int wh_Client_CommInfo(whClientContext* c,
return rc;
}
+int wh_Client_SetCryptoAffinity(whClientContext* c, uint32_t affinity)
+{
+ if (c == NULL) {
+ return WH_ERROR_BADARGS;
+ }
+ if (affinity != WH_CRYPTO_AFFINITY_SW &&
+ affinity != WH_CRYPTO_AFFINITY_HW) {
+ return WH_ERROR_BADARGS;
+ }
+ c->cryptoAffinity = affinity;
+ return WH_ERROR_OK;
+}
+
+int wh_Client_GetCryptoAffinity(whClientContext* c, uint32_t* out_affinity)
+{
+ if (c == NULL || out_affinity == NULL) {
+ return WH_ERROR_BADARGS;
+ }
+ *out_affinity = c->cryptoAffinity;
+ return WH_ERROR_OK;
+}
+
int wh_Client_CommCloseRequest(whClientContext* c)
{
diff --git a/src/wh_client_crypto.c b/src/wh_client_crypto.c
index dffcfe922..2109301d9 100644
--- a/src/wh_client_crypto.c
+++ b/src/wh_client_crypto.c
@@ -138,28 +138,34 @@ static int _xferSha224BlockAndUpdateDigest(whClientContext* ctx,
uint32_t isLastBlock);
#endif /* WOLFSSL_SHA224 */
-static uint8_t* _createCryptoRequest(uint8_t* reqBuf, uint16_t type);
+static uint8_t* _createCryptoRequest(uint8_t* reqBuf, uint16_t type,
+ uint32_t affinity);
static uint8_t* _createCryptoRequestWithSubtype(uint8_t* reqBuf, uint16_t type,
- uint16_t algoSubType);
+ uint16_t algoSubType,
+ uint32_t affinity);
static int _getCryptoResponse(uint8_t* respBuf, uint16_t type,
uint8_t** outResponse);
/* Helper function to prepare a crypto request buffer with generic header */
-static uint8_t* _createCryptoRequest(uint8_t* reqBuf, uint16_t type)
+static uint8_t* _createCryptoRequest(uint8_t* reqBuf, uint16_t type,
+ uint32_t affinity)
{
- return _createCryptoRequestWithSubtype(reqBuf, type, WH_MESSAGE_CRYPTO_ALGO_SUBTYPE_NONE);
+ return _createCryptoRequestWithSubtype(
+ reqBuf, type, WH_MESSAGE_CRYPTO_ALGO_SUBTYPE_NONE, affinity);
}
/* Helper function to prepare a crypto request buffer with generic header and
* subtype */
static uint8_t* _createCryptoRequestWithSubtype(uint8_t* reqBuf, uint16_t type,
- uint16_t algoSubType)
+ uint16_t algoSubType,
+ uint32_t affinity)
{
whMessageCrypto_GenericRequestHeader* header =
(whMessageCrypto_GenericRequestHeader*)reqBuf;
header->algoType = type;
header->algoSubType = algoSubType;
+ header->affinity = affinity;
return reqBuf + sizeof(whMessageCrypto_GenericRequestHeader);
}
@@ -202,7 +208,8 @@ int wh_Client_RngGenerate(whClientContext* ctx, uint8_t* out, uint32_t size)
}
/* Setup generic header and get pointer to request data */
- reqData = _createCryptoRequest(dataPtr, WC_ALGO_TYPE_RNG);
+ reqData =
+ _createCryptoRequest(dataPtr, WC_ALGO_TYPE_RNG, ctx->cryptoAffinity);
/* Setup request header */
req = (whMessageCrypto_RngRequest*)reqData;
@@ -288,7 +295,7 @@ int wh_Client_RngGenerateDma(whClientContext* ctx, uint8_t* out, uint32_t size)
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_RngDmaRequest*)_createCryptoRequest(
- dataPtr, WC_ALGO_TYPE_RNG);
+ dataPtr, WC_ALGO_TYPE_RNG, ctx->cryptoAffinity);
/* Set up output buffer address and size */
req->output.sz = size;
@@ -369,7 +376,7 @@ int wh_Client_AesCtr(whClientContext* ctx, Aes* aes, int enc, const uint8_t* in,
}
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_AesCtrRequest*)_createCryptoRequest(
- dataPtr, WC_CIPHER_AES_CTR);
+ dataPtr, WC_CIPHER_AES_CTR, ctx->cryptoAffinity);
uint8_t* req_in = (uint8_t*)(req + 1);
uint8_t* req_key = req_in + len;
uint8_t* req_iv = req_key + key_len;
@@ -485,7 +492,7 @@ int wh_Client_AesEcb(whClientContext* ctx, Aes* aes, int enc, const uint8_t* in,
}
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_AesEcbRequest*)_createCryptoRequest(
- dataPtr, WC_CIPHER_AES_ECB);
+ dataPtr, WC_CIPHER_AES_ECB, ctx->cryptoAffinity);
uint8_t* req_in = (uint8_t*)(req + 1);
uint8_t* req_key = req_in + len;
uint8_t* req_iv = req_key + key_len;
@@ -586,7 +593,7 @@ int wh_Client_AesCbc(whClientContext* ctx, Aes* aes, int enc, const uint8_t* in,
}
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_AesCbcRequest*)_createCryptoRequest(
- dataPtr, WC_CIPHER_AES_CBC);
+ dataPtr, WC_CIPHER_AES_CBC, ctx->cryptoAffinity);
uint8_t* req_in = (uint8_t*)(req + 1);
uint8_t* req_key = req_in + len;
uint8_t* req_iv = req_key + key_len;
@@ -694,8 +701,8 @@ int wh_Client_AesGcm(whClientContext* ctx, Aes* aes, int enc, const uint8_t* in,
/* Setup generic header and get pointer to request data */
whMessageCrypto_AesGcmRequest* req =
- (whMessageCrypto_AesGcmRequest*)_createCryptoRequest(dataPtr,
- WC_CIPHER_AES_GCM);
+ (whMessageCrypto_AesGcmRequest*)_createCryptoRequest(
+ dataPtr, WC_CIPHER_AES_GCM, ctx->cryptoAffinity);
uint8_t* req_in = (uint8_t*)(req + 1);
uint8_t* req_key = req_in + len;
@@ -855,7 +862,7 @@ int wh_Client_AesGcmDma(whClientContext* ctx, Aes* aes, int enc,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_AesDmaRequest*)_createCryptoRequest(
- dataPtr, WC_CIPHER_AES_GCM);
+ dataPtr, WC_CIPHER_AES_GCM, ctx->cryptoAffinity);
memset(req, 0, sizeof(*req));
req->enc = enc;
req->type = type;
@@ -1122,7 +1129,7 @@ static int _EccMakeKey(whClientContext* ctx, int size, int curveId,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_EccKeyGenRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_EC_KEYGEN);
+ dataPtr, WC_PK_TYPE_EC_KEYGEN, ctx->cryptoAffinity);
/* Use the supplied key id if provided */
if (inout_key_id != NULL) {
@@ -1293,7 +1300,7 @@ int wh_Client_EccSharedSecret(whClientContext* ctx, ecc_key* priv_key,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_EcdhRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ECDH);
+ dataPtr, WC_PK_TYPE_ECDH, ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
if (pub_evict != 0) {
@@ -1421,7 +1428,7 @@ int wh_Client_EccSign(whClientContext* ctx, ecc_key* key, const uint8_t* hash,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_EccSignRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ECDSA_SIGN);
+ dataPtr, WC_PK_TYPE_ECDSA_SIGN, ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
uint8_t* req_hash = (uint8_t*)(req + 1);
@@ -1563,7 +1570,7 @@ int wh_Client_EccVerify(whClientContext* ctx, ecc_key* key, const uint8_t* sig,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_EccVerifyRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ECDSA_VERIFY);
+ dataPtr, WC_PK_TYPE_ECDSA_VERIFY, ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
uint8_t* req_sig = (uint8_t*)(req + 1);
@@ -1811,7 +1818,7 @@ static int _Curve25519MakeKey(whClientContext* ctx, uint16_t size,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Curve25519KeyGenRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_CURVE25519_KEYGEN);
+ dataPtr, WC_PK_TYPE_CURVE25519_KEYGEN, ctx->cryptoAffinity);
/* Use the supplied key id if provided */
if (inout_key_id != NULL) {
@@ -1965,7 +1972,7 @@ int wh_Client_Curve25519SharedSecret(whClientContext* ctx,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Curve25519Request*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_CURVE25519);
+ dataPtr, WC_PK_TYPE_CURVE25519, ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
if (pub_evict != 0) {
@@ -2136,7 +2143,7 @@ static int _Ed25519MakeKey(whClientContext* ctx, whKeyId* inout_key_id,
}
req = (whMessageCrypto_Ed25519KeyGenRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ED25519_KEYGEN);
+ dataPtr, WC_PK_TYPE_ED25519_KEYGEN, ctx->cryptoAffinity);
uint16_t group = WH_MESSAGE_GROUP_CRYPTO;
uint16_t action = WC_ALGO_TYPE_PK;
@@ -2279,7 +2286,7 @@ int wh_Client_Ed25519Sign(whClientContext* ctx, ed25519_key* key,
}
req = (whMessageCrypto_Ed25519SignRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ED25519_SIGN);
+ dataPtr, WC_PK_TYPE_ED25519_SIGN, ctx->cryptoAffinity);
uint8_t* req_msg = (uint8_t*)(req + 1);
uint8_t* req_ctx = req_msg + msgLen;
@@ -2415,7 +2422,7 @@ int wh_Client_Ed25519Verify(whClientContext* ctx, ed25519_key* key,
}
req = (whMessageCrypto_Ed25519VerifyRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ED25519_VERIFY);
+ dataPtr, WC_PK_TYPE_ED25519_VERIFY, ctx->cryptoAffinity);
uint8_t* req_sig = (uint8_t*)(req + 1);
uint8_t* req_msg = req_sig + sigLen;
@@ -2544,7 +2551,7 @@ int wh_Client_Ed25519SignDma(whClientContext* ctx, ed25519_key* key,
}
req = (whMessageCrypto_Ed25519SignDmaRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ED25519_SIGN);
+ dataPtr, WC_PK_TYPE_ED25519_SIGN, ctx->cryptoAffinity);
uint8_t* req_ctx = (uint8_t*)(req + 1);
@@ -2691,7 +2698,7 @@ int wh_Client_Ed25519VerifyDma(whClientContext* ctx, ed25519_key* key,
}
req = (whMessageCrypto_Ed25519VerifyDmaRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_ED25519_VERIFY);
+ dataPtr, WC_PK_TYPE_ED25519_VERIFY, ctx->cryptoAffinity);
uint8_t* req_ctx = (uint8_t*)(req + 1);
@@ -2881,7 +2888,7 @@ static int _RsaMakeKey(whClientContext* ctx, uint32_t size, uint32_t e,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_RsaKeyGenRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_RSA_KEYGEN);
+ dataPtr, WC_PK_TYPE_RSA_KEYGEN, ctx->cryptoAffinity);
uint16_t req_len =
sizeof(whMessageCrypto_GenericRequestHeader) + sizeof(*req);
@@ -3045,8 +3052,8 @@ int wh_Client_RsaFunction(whClientContext* ctx, RsaKey* key, int rsa_type,
return WH_ERROR_BADARGS;
}
- req = (whMessageCrypto_RsaRequest*)_createCryptoRequest(dataPtr,
- WC_PK_TYPE_RSA);
+ req = (whMessageCrypto_RsaRequest*)_createCryptoRequest(
+ dataPtr, WC_PK_TYPE_RSA, ctx->cryptoAffinity);
uint16_t group = WH_MESSAGE_GROUP_CRYPTO;
uint16_t action = WC_ALGO_TYPE_PK;
@@ -3173,7 +3180,7 @@ int wh_Client_RsaGetSize(whClientContext* ctx, const RsaKey* key, int* out_size)
}
req = (whMessageCrypto_RsaGetSizeRequest*)_createCryptoRequest(
- dataPtr, WC_PK_TYPE_RSA_GET_SIZE);
+ dataPtr, WC_PK_TYPE_RSA_GET_SIZE, ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
if (evict != 0) {
@@ -3256,7 +3263,7 @@ static int _HkdfMakeKey(whClientContext* ctx, int hashType, whKeyId keyIdIn,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_HkdfRequest*)_createCryptoRequestWithSubtype(
- dataPtr, WC_ALGO_TYPE_KDF, WC_KDF_TYPE_HKDF);
+ dataPtr, WC_ALGO_TYPE_KDF, WC_KDF_TYPE_HKDF, ctx->cryptoAffinity);
/* Calculate request length including variable-length data */
uint16_t req_len = sizeof(whMessageCrypto_GenericRequestHeader) +
@@ -3427,7 +3434,8 @@ static int _CmacKdfMakeKey(whClientContext* ctx, whKeyId saltKeyId,
/* Prepare request structure with subtype information */
req = (whMessageCrypto_CmacKdfRequest*)_createCryptoRequestWithSubtype(
- dataPtr, WC_ALGO_TYPE_KDF, WC_KDF_TYPE_TWOSTEP_CMAC);
+ dataPtr, WC_ALGO_TYPE_KDF, WC_KDF_TYPE_TWOSTEP_CMAC,
+ ctx->cryptoAffinity);
uint32_t total_len = sizeof(whMessageCrypto_GenericRequestHeader) +
sizeof(*req) + saltSz + zSz + fixedInfoSz;
@@ -3632,7 +3640,7 @@ int wh_Client_Cmac(whClientContext* ctx, Cmac* cmac, CmacType type,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_CmacAesRequest*)_createCryptoRequest(
- dataPtr, WC_ALGO_TYPE_CMAC);
+ dataPtr, WC_ALGO_TYPE_CMAC, ctx->cryptoAffinity);
uint8_t* req_in = (uint8_t*)(req + 1);
uint8_t* req_key = req_in + inLen;
@@ -3755,7 +3763,7 @@ int wh_Client_CmacDma(whClientContext* ctx, Cmac* cmac, CmacType type,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_CmacAesDmaRequest*)_createCryptoRequest(
- dataPtr, WC_ALGO_TYPE_CMAC);
+ dataPtr, WC_ALGO_TYPE_CMAC, ctx->cryptoAffinity);
memset(req, 0, sizeof(*req));
uint8_t* req_key = (uint8_t*)(req + 1);
@@ -3870,7 +3878,7 @@ static int _xferSha256BlockAndUpdateDigest(whClientContext* ctx,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha256Request*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA256);
+ dataPtr, WC_HASH_TYPE_SHA256, ctx->cryptoAffinity);
/* Send the full block to the server, along with the
@@ -4020,7 +4028,7 @@ int wh_Client_Sha256Dma(whClientContext* ctx, wc_Sha256* sha, const uint8_t* in,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha2DmaRequest*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA256);
+ dataPtr, WC_HASH_TYPE_SHA256, ctx->cryptoAffinity);
/* map addresses and setup default request structure */
if (in != NULL || out != NULL) {
@@ -4157,7 +4165,7 @@ static int _xferSha224BlockAndUpdateDigest(whClientContext* ctx,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha256Request*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA224);
+ dataPtr, WC_HASH_TYPE_SHA224, ctx->cryptoAffinity);
/* Send the full block to the server, along with the
@@ -4307,7 +4315,7 @@ int wh_Client_Sha224Dma(whClientContext* ctx, wc_Sha224* sha, const uint8_t* in,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha2DmaRequest*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA224);
+ dataPtr, WC_HASH_TYPE_SHA224, ctx->cryptoAffinity);
if (in != NULL || out != NULL) {
req->state.sz = sizeof(*sha224);
@@ -4438,7 +4446,7 @@ static int _xferSha384BlockAndUpdateDigest(whClientContext* ctx,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha512Request*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA384);
+ dataPtr, WC_HASH_TYPE_SHA384, ctx->cryptoAffinity);
/* Send the full block to the server, along with the
@@ -4588,7 +4596,7 @@ int wh_Client_Sha384Dma(whClientContext* ctx, wc_Sha384* sha, const uint8_t* in,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha2DmaRequest*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA384);
+ dataPtr, WC_HASH_TYPE_SHA384, ctx->cryptoAffinity);
if (in != NULL || out != NULL) {
req->state.sz = sizeof(*sha384);
@@ -4720,7 +4728,7 @@ static int _xferSha512BlockAndUpdateDigest(whClientContext* ctx,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha512Request*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA512);
+ dataPtr, WC_HASH_TYPE_SHA512, ctx->cryptoAffinity);
/* Send the full block to the server, along with the
@@ -4881,7 +4889,7 @@ int wh_Client_Sha512Dma(whClientContext* ctx, wc_Sha512* sha, const uint8_t* in,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_Sha2DmaRequest*)_createCryptoRequest(
- dataPtr, WC_HASH_TYPE_SHA512);
+ dataPtr, WC_HASH_TYPE_SHA512, ctx->cryptoAffinity);
if (in != NULL || out != NULL) {
req->state.sz = sizeof(*sha512);
@@ -5099,7 +5107,8 @@ static int _MlDsaMakeKey(whClientContext* ctx, int size, int level,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_MlDsaKeyGenRequest*)_createCryptoRequestWithSubtype(
- dataPtr, WC_PK_TYPE_PQC_SIG_KEYGEN, WC_PQC_SIG_TYPE_DILITHIUM);
+ dataPtr, WC_PK_TYPE_PQC_SIG_KEYGEN, WC_PQC_SIG_TYPE_DILITHIUM,
+ ctx->cryptoAffinity);
/* Use the supplied key id if provided */
if (inout_key_id != NULL) {
@@ -5267,7 +5276,8 @@ int wh_Client_MlDsaSign(whClientContext* ctx, const byte* in, word32 in_len,
/* Setup generic header and get pointer to request data */
req =
(whMessageCrypto_MlDsaSignRequest*)_createCryptoRequestWithSubtype(
- dataPtr, WC_PK_TYPE_PQC_SIG_SIGN, WC_PQC_SIG_TYPE_DILITHIUM);
+ dataPtr, WC_PK_TYPE_PQC_SIG_SIGN, WC_PQC_SIG_TYPE_DILITHIUM,
+ ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
uint8_t* req_hash = (uint8_t*)(req + 1);
@@ -5395,7 +5405,8 @@ int wh_Client_MlDsaVerify(whClientContext* ctx, const byte* sig, word32 sig_len,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_MlDsaVerifyRequest*)
_createCryptoRequestWithSubtype(dataPtr, WC_PK_TYPE_PQC_SIG_VERIFY,
- WC_PQC_SIG_TYPE_DILITHIUM);
+ WC_PQC_SIG_TYPE_DILITHIUM,
+ ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
uint8_t* req_sig = (uint8_t*)(req + 1);
@@ -5556,7 +5567,8 @@ static int _MlDsaMakeKeyDma(whClientContext* ctx, int level,
/* Setup generic header and get pointer to request data */
req =
(whMessageCrypto_MlDsaKeyGenDmaRequest*)_createCryptoRequestWithSubtype(
- dataPtr, WC_PK_TYPE_PQC_SIG_KEYGEN, WC_PQC_SIG_TYPE_DILITHIUM);
+ dataPtr, WC_PK_TYPE_PQC_SIG_KEYGEN, WC_PQC_SIG_TYPE_DILITHIUM,
+ ctx->cryptoAffinity);
/* Use the supplied key id if provided */
if (inout_key_id != NULL) {
@@ -5713,7 +5725,8 @@ int wh_Client_MlDsaSignDma(whClientContext* ctx, const byte* in, word32 in_len,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_MlDsaSignDmaRequest*)
_createCryptoRequestWithSubtype(dataPtr, WC_PK_TYPE_PQC_SIG_SIGN,
- WC_PQC_SIG_TYPE_DILITHIUM);
+ WC_PQC_SIG_TYPE_DILITHIUM,
+ ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
if (evict != 0) {
@@ -5849,7 +5862,8 @@ int wh_Client_MlDsaVerifyDma(whClientContext* ctx, const byte* sig,
/* Setup generic header and get pointer to request data */
req = (whMessageCrypto_MlDsaVerifyDmaRequest*)
_createCryptoRequestWithSubtype(dataPtr, WC_PK_TYPE_PQC_SIG_VERIFY,
- WC_PQC_SIG_TYPE_DILITHIUM);
+ WC_PQC_SIG_TYPE_DILITHIUM,
+ ctx->cryptoAffinity);
if (req_len <= WOLFHSM_CFG_COMM_DATA_LEN) {
if (evict != 0) {
diff --git a/src/wh_message_comm.c b/src/wh_message_comm.c
index 1c42b03ae..a9f9afb44 100644
--- a/src/wh_message_comm.c
+++ b/src/wh_message_comm.c
@@ -82,5 +82,3 @@ int wh_MessageComm_TranslateInfoResponse(uint16_t magic,
WH_T32(magic, dest, src, nvm_state);
return 0;
}
-
-
diff --git a/src/wh_message_crypto.c b/src/wh_message_crypto.c
index 085fd34de..46bc398d0 100644
--- a/src/wh_message_crypto.c
+++ b/src/wh_message_crypto.c
@@ -37,6 +37,7 @@ int wh_MessageCrypto_TranslateGenericRequestHeader(
}
WH_T32(magic, dest, src, algoType);
WH_T32(magic, dest, src, algoSubType);
+ WH_T32(magic, dest, src, affinity);
return 0;
}
@@ -50,6 +51,7 @@ int wh_MessageCrypto_TranslateGenericResponseHeader(
}
WH_T32(magic, dest, src, algoType);
WH_T32(magic, dest, src, rc);
+ WH_T32(magic, dest, src, reserved);
return 0;
}
diff --git a/src/wh_server.c b/src/wh_server.c
index 5098a2da4..8e55cc8b9 100644
--- a/src/wh_server.c
+++ b/src/wh_server.c
@@ -77,14 +77,8 @@ int wh_Server_Init(whServerContext* server, whServerConfig* config)
server->nvm = config->nvm;
#ifndef WOLFHSM_CFG_NO_CRYPTO
- server->crypto = config->crypto;
- if (server->crypto != NULL) {
-#if defined(WOLF_CRYPTO_CB)
- server->crypto->devId = config->devId;
-#else
- server->crypto->devId = INVALID_DEVID;
-#endif
- }
+ server->crypto = config->crypto;
+ server->defaultDevId = config->devId;
#ifdef WOLFHSM_CFG_SHE_EXTENSION
server->she = config->she;
#endif
@@ -247,7 +241,6 @@ static int _wh_Server_HandleCommRequest(whServerContext* server,
*out_resp_size = sizeof(resp);
}; break;
-
case WH_MESSAGE_COMM_ACTION_CLOSE:
{
/* No message */
diff --git a/src/wh_server_crypto.c b/src/wh_server_crypto.c
index cfbc7692b..246e266a4 100644
--- a/src/wh_server_crypto.c
+++ b/src/wh_server_crypto.c
@@ -61,30 +61,30 @@
#ifndef NO_RSA
#ifdef WOLFSSL_KEY_GEN
/* Process a Generate RsaKey request packet and produce a response packet */
-static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* WOLFSSL_KEY_GEN */
/* Process a Rng request packet and produce a response packet */
-static int _HandleRng(whServerContext* ctx, uint16_t magic,
+static int _HandleRng(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
/* Process a Rsa Function request packet and produce a response packet */
-static int _HandleRsaFunction(whServerContext* ctx, uint16_t magic,
+static int _HandleRsaFunction(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
/* Process a Rsa Get Size request packet and produce a response packet */
-static int _HandleRsaGetSize(whServerContext* ctx, uint16_t magic,
+static int _HandleRsaGetSize(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* !NO_RSA */
#ifdef HAVE_HKDF
/* Process an HKDF request packet and produce a response packet */
-static int _HandleHkdf(whServerContext* ctx, uint16_t magic,
+static int _HandleHkdf(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* HAVE_HKDF */
@@ -93,22 +93,22 @@ static int _HandleHkdf(whServerContext* ctx, uint16_t magic,
#ifdef WOLFSSL_AES_COUNTER
/* Process a AES CBC request packet and produce a response packet */
-static int _HandleAesCtr(whServerContext* ctx, uint16_t magic,
+static int _HandleAesCtr(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* WOLFSSL_AES_COUNTER */
#ifdef HAVE_AES_ECB
-static int _HandleAesEcb(whServerContext* ctx, uint16_t magic,
+static int _HandleAesEcb(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* HAVE_AES_ECB */
#ifdef HAVE_AES_CBC
-static int _HandleAesCbc(whServerContext* ctx, uint16_t magic,
+static int _HandleAesCbc(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* HAVE_AES_CBC */
#ifdef HAVE_AESGCM
-static int _HandleAesGcm(whServerContext* ctx, uint16_t magic,
+static int _HandleAesGcm(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* HAVE_AESGCM */
@@ -116,83 +116,82 @@ static int _HandleAesGcm(whServerContext* ctx, uint16_t magic,
#endif /* !NO_AES */
#ifdef HAVE_ECC
-static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#ifdef HAVE_ECC_DHE
static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize);
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize);
#endif /* HAVE_ECC_DHE */
#ifdef HAVE_ECC_SIGN
-static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
+static int _HandleEccSign(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* HAVE_ECC_SIGN */
#ifdef HAVE_ECC_VERIFY
-static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
+static int _HandleEccVerify(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#endif /* HAVE_ECC_VERIFY */
-#if 0
-#ifdef HAVE_ECC_CHECK_KEY
-static int _HandleEccCheckPrivKey(whServerContext* server, whPacket* packet,
- uint16_t* size)
-#endif /* HAVE_ECC_CHECK_KEY */
-#endif
#endif /* HAVE_ECC */
#ifdef HAVE_CURVE25519
/* Process a Generate curve25519_key request packet and produce a response */
static int _HandleCurve25519KeyGen(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize);
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize);
/* Process a curve25519_key Function request packet and produce a response */
static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn,
+ int devId, const void* cryptoDataIn,
uint16_t inSize, void* cryptoDataOut,
uint16_t* outSize);
#endif /* HAVE_CURVE25519 */
#ifdef HAVE_ED25519
-static int _HandleEd25519KeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleEd25519KeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
-static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic,
+static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
-static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic,
+static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
#ifdef WOLFHSM_CFG_DMA
static int _HandleEd25519SignDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize);
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize);
static int _HandleEd25519VerifyDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize);
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize);
#endif /* WOLFHSM_CFG_DMA */
#endif /* HAVE_ED25519 */
#ifdef HAVE_DILITHIUM
/* Process a Dilithium KeyGen request packet and produce a response packet */
-static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
/* Process a Dilithium Sign request packet and produce a response packet */
-static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
/* Process a Dilithium Verify request packet and produce a response packet */
-static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize);
/* Process a Dilithium Check PrivKey request packet and produce a response
* packet */
static int _HandleMlDsaCheckPrivKey(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize);
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize);
#endif /* HAVE_DILITHIUM */
/** Public server crypto functions */
@@ -267,9 +266,9 @@ int wh_Server_CacheExportRsaKey(whServerContext* ctx, whKeyId keyId,
}
#ifdef WOLFSSL_KEY_GEN
-static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic, int devId,
+ const void* cryptoDataIn, uint16_t inSize,
+ void* cryptoDataOut, uint16_t* outSize)
{
int ret = 0;
RsaKey rsa[1] = {0};
@@ -305,7 +304,7 @@ static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic,
uint16_t der_size = 0;
/* init the rsa key */
- ret = wc_InitRsaKey_ex(rsa, NULL, ctx->crypto->devId);
+ ret = wc_InitRsaKey_ex(rsa, NULL, devId);
if (ret == 0) {
/* make the rsa key with the given params */
ret = wc_MakeRsaKey(rsa, key_size, e, ctx->crypto->rng);
@@ -360,9 +359,9 @@ static int _HandleRsaKeyGen(whServerContext* ctx, uint16_t magic,
}
#endif /* WOLFSSL_KEY_GEN */
-static int _HandleRsaFunction( whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleRsaFunction(whServerContext* ctx, uint16_t magic, int devId,
+ const void* cryptoDataIn, uint16_t inSize,
+ void* cryptoDataOut, uint16_t* outSize)
{
int ret;
RsaKey rsa[1];
@@ -457,7 +456,7 @@ static int _HandleRsaFunction( whServerContext* ctx, uint16_t magic,
}
/* init rsa key */
- ret = wc_InitRsaKey_ex(rsa, NULL, ctx->crypto->devId);
+ ret = wc_InitRsaKey_ex(rsa, NULL, devId);
/* load the key from the keystore */
if (ret == 0) {
ret = wh_Server_CacheExportRsaKey(ctx, key_id, rsa);
@@ -489,7 +488,7 @@ static int _HandleRsaFunction( whServerContext* ctx, uint16_t magic,
return ret;
}
-static int _HandleRsaGetSize(whServerContext* ctx, uint16_t magic,
+static int _HandleRsaGetSize(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -517,7 +516,7 @@ static int _HandleRsaGetSize(whServerContext* ctx, uint16_t magic,
int evict = !!(options & WH_MESSAGE_CRYPTO_RSA_GET_SIZE_OPTIONS_EVICT);
/* init rsa key */
- ret = wc_InitRsaKey_ex(rsa, NULL, ctx->crypto->devId);
+ ret = wc_InitRsaKey_ex(rsa, NULL, devId);
/* load the key from the keystore */
if (ret == 0) {
ret = wh_Server_CacheExportRsaKey(ctx, key_id, rsa);
@@ -803,7 +802,7 @@ int wh_Server_MlDsaKeyCacheExport(whServerContext* ctx, whKeyId keyId,
/** Request/Response Handling functions */
#ifdef HAVE_ECC
-static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -838,7 +837,7 @@ static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic,
uint16_t res_size = 0;
/* init ecc key */
- ret = wc_ecc_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ecc_init_ex(key, NULL, devId);
if (ret == 0) {
/* generate the key */
ret = wc_ecc_make_key_ex(ctx->crypto->rng, key_size, key, curve_id);
@@ -900,8 +899,9 @@ static int _HandleEccKeyGen(whServerContext* ctx, uint16_t magic,
#ifdef HAVE_ECC_DHE
static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)inSize;
@@ -943,9 +943,9 @@ static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
word32 res_len = 0;
/* init ecc keys */
- ret = wc_ecc_init_ex(pub_key, NULL, ctx->crypto->devId);
+ ret = wc_ecc_init_ex(pub_key, NULL, devId);
if (ret == 0) {
- ret = wc_ecc_init_ex(prv_key, NULL, ctx->crypto->devId);
+ ret = wc_ecc_init_ex(prv_key, NULL, devId);
if (ret == 0) {
/* set rng */
ret = wc_ecc_set_rng(prv_key, ctx->crypto->rng);
@@ -989,7 +989,7 @@ static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
#endif /* HAVE_ECC_DHE */
#ifdef HAVE_ECC_SIGN
-static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
+static int _HandleEccSign(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -1040,7 +1040,7 @@ static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
word32 res_len = max_len;
/* init private key */
- ret = wc_ecc_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ecc_init_ex(key, NULL, devId);
if (ret == 0) {
/* load the private key */
ret = wh_Server_EccKeyCacheExport(ctx, key_id, key);
@@ -1074,7 +1074,7 @@ static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
#endif /* HAVE_ECC_SIGN */
#ifdef HAVE_ECC_VERIFY
-static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
+static int _HandleEccVerify(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -1136,7 +1136,7 @@ static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
int result = 0;
/* init public key */
- ret = wc_ecc_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ecc_init_ex(key, NULL, devId);
if (ret == 0) {
/* load the public key */
ret = wh_Server_EccKeyCacheExport(ctx, key_id, key);
@@ -1183,56 +1183,18 @@ static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
return ret;
}
#endif /* HAVE_ECC_VERIFY */
-
-#if 0
-#ifdef HAVE_ECC_CHECK_KEY
-/* TODO: Implement check key */
-static int _HandleEccCheckPrivKey(whServerContext* server, whPacket* packet,
- uint16_t* size)
-{
- int ret;
- ecc_key key[1];
-
- /* Request packet */
- wh_Packet_pk_ecc_check_req* req = &packet->pkEccCheckReq;
- whKeyId key_id = WH_MAKE_KEYID( WH_KEYTYPE_CRYPTO,
- server->comm->client_id,
- req->keyId);
- uint32_t curve_id = req->curveId;
-
- /* Response packet */
- wh_Packet_pk_ecc_check_res* res = &packet->pkEccCheckRes;
-
- ret = wc_ecc_init_ex(key, NULL, server->crypto->devId);
- if (ret == 0) {
- /* load the private key */
- ret = wh_Server_EccKeyCacheExport(server, key, key_id);
-
- if (ret == 0) {
- /* check the key */
- ret = wc_ecc_check_key(key);
- if (ret == 0) {
- res->ok = 1;
- *size = WH_PACKET_STUB_SIZE + sizeof(*res);
- }
- }
- wc_ecc_free(key);
- }
- return ret;
-}
-#endif /* HAVE_ECC_CHECK_KEY */
-#endif
#endif /* HAVE_ECC */
#ifndef WC_NO_RNG
-static int _HandleRng(whServerContext* ctx, uint16_t magic,
+static int _HandleRng(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
int ret = WH_ERROR_OK;
whMessageCrypto_RngRequest req;
whMessageCrypto_RngResponse res;
+ (void)devId;
if (inSize < sizeof(whMessageCrypto_RngRequest)) {
return WH_ERROR_BADARGS;
@@ -1355,13 +1317,14 @@ int wh_Server_CmacKdfKeyCacheImport(whServerContext* ctx,
#endif /* HAVE_CMAC_KDF */
#ifdef HAVE_HKDF
-static int _HandleHkdf(whServerContext* ctx, uint16_t magic,
+static int _HandleHkdf(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
int ret = WH_ERROR_OK;
whMessageCrypto_HkdfRequest req;
whMessageCrypto_HkdfResponse res;
+ (void)devId;
/* Validate minimum size */
if (inSize < sizeof(whMessageCrypto_HkdfRequest)) {
@@ -1494,7 +1457,7 @@ static int _HandleHkdf(whServerContext* ctx, uint16_t magic,
#endif /* HAVE_HKDF */
#ifdef HAVE_CMAC_KDF
-static int _HandleCmacKdf(whServerContext* ctx, uint16_t magic,
+static int _HandleCmacKdf(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -1602,9 +1565,9 @@ static int _HandleCmacKdf(whServerContext* ctx, uint16_t magic,
return WH_ERROR_BADARGS;
}
- ret = wc_KDA_KDF_twostep_cmac(
- salt, saltSz, z, zSz, (fixedInfoSz > 0) ? fixedInfo : NULL, fixedInfoSz,
- out, outSz, NULL, ctx->crypto->devId);
+ ret = wc_KDA_KDF_twostep_cmac(salt, saltSz, z, zSz,
+ (fixedInfoSz > 0) ? fixedInfo : NULL,
+ fixedInfoSz, out, outSz, NULL, devId);
if (ret == 0) {
if (flags & WH_NVM_FLAGS_EPHEMERAL) {
keyIdOut = WH_KEYID_ERASED;
@@ -1643,8 +1606,9 @@ static int _HandleCmacKdf(whServerContext* ctx, uint16_t magic,
#ifdef HAVE_CURVE25519
static int _HandleCurve25519KeyGen(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)inSize;
@@ -1677,7 +1641,7 @@ static int _HandleCurve25519KeyGen(whServerContext* ctx, uint16_t magic,
(word32)(WOLFHSM_CFG_COMM_DATA_LEN - (out - (uint8_t*)cryptoDataOut));
/* init key */
- ret = wc_curve25519_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_curve25519_init_ex(key, NULL, devId);
if (ret == 0) {
/* make the key */
ret = wc_curve25519_make_key(ctx->crypto->rng, key_size, key);
@@ -1729,7 +1693,7 @@ static int _HandleCurve25519KeyGen(whServerContext* ctx, uint16_t magic,
}
static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn,
+ int devId, const void* cryptoDataIn,
uint16_t inSize, void* cryptoDataOut,
uint16_t* outSize)
{
@@ -1776,10 +1740,10 @@ static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
word32 res_len = max_len;
/* init private key */
- ret = wc_curve25519_init_ex(priv, NULL, ctx->crypto->devId);
+ ret = wc_curve25519_init_ex(priv, NULL, devId);
if (ret == 0) {
/* init public key */
- ret = wc_curve25519_init_ex(pub, NULL, ctx->crypto->devId);
+ ret = wc_curve25519_init_ex(pub, NULL, devId);
if (ret == 0) {
#ifdef WOLFSSL_CURVE25519_BLINDING
ret = wc_curve25519_set_rng(priv, ctx->crypto->rng);
@@ -1824,7 +1788,7 @@ static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
#endif /* HAVE_CURVE25519 */
#ifdef HAVE_ED25519
-static int _HandleEd25519KeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleEd25519KeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -1853,7 +1817,7 @@ static int _HandleEd25519KeyGen(whServerContext* ctx, uint16_t magic,
(res_out - (uint8_t*)cryptoDataOut));
uint16_t ser_size = 0;
- ret = wc_ed25519_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ed25519_init_ex(key, NULL, devId);
if (ret == 0) {
ret = wc_ed25519_make_key(ctx->crypto->rng, ED25519_KEY_SIZE, key);
if (ret == 0) {
@@ -1898,7 +1862,7 @@ static int _HandleEd25519KeyGen(whServerContext* ctx, uint16_t magic,
return ret;
}
-static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic,
+static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -1957,7 +1921,7 @@ static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic,
(uint8_t*)cryptoDataOut + sizeof(whMessageCrypto_Ed25519SignResponse);
word32 sig_len = sizeof(sig);
- ret = wc_ed25519_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ed25519_init_ex(key, NULL, devId);
if (ret == 0) {
ret = wh_Server_CacheExportEd25519Key(ctx, key_id, key);
if (ret == WH_ERROR_OK) {
@@ -1995,7 +1959,7 @@ static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic,
return ret;
}
-static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic,
+static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -2056,7 +2020,7 @@ static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic,
int result = 0;
- ret = wc_ed25519_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ed25519_init_ex(key, NULL, devId);
if (ret == 0) {
ret = wh_Server_CacheExportEd25519Key(ctx, key_id, key);
if (ret == WH_ERROR_OK) {
@@ -2085,8 +2049,9 @@ static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic,
}
#ifdef WOLFHSM_CFG_DMA
static int _HandleEd25519SignDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
int ret = 0;
ed25519_key key[1];
@@ -2151,7 +2116,7 @@ static int _HandleEd25519SignDma(whServerContext* ctx, uint16_t magic,
}
}
if (ret == WH_ERROR_OK) {
- ret = wc_ed25519_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ed25519_init_ex(key, NULL, devId);
if (ret == 0) {
ret = wh_Server_CacheExportEd25519Key(ctx, key_id, key);
if (ret == WH_ERROR_OK) {
@@ -2192,8 +2157,9 @@ static int _HandleEd25519SignDma(whServerContext* ctx, uint16_t magic,
}
static int _HandleEd25519VerifyDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
int ret = 0;
ed25519_key key[1];
@@ -2258,7 +2224,7 @@ static int _HandleEd25519VerifyDma(whServerContext* ctx, uint16_t magic,
}
if (ret == WH_ERROR_OK) {
- ret = wc_ed25519_init_ex(key, NULL, ctx->crypto->devId);
+ ret = wc_ed25519_init_ex(key, NULL, devId);
if (ret == 0) {
ret = wh_Server_CacheExportEd25519Key(ctx, key_id, key);
if (ret == WH_ERROR_OK) {
@@ -2300,7 +2266,7 @@ static int _HandleEd25519VerifyDma(whServerContext* ctx, uint16_t magic,
#ifndef NO_AES
#ifdef WOLFSSL_AES_COUNTER
-static int _HandleAesCtr(whServerContext* ctx, uint16_t magic,
+static int _HandleAesCtr(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -2369,7 +2335,7 @@ static int _HandleAesCtr(whServerContext* ctx, uint16_t magic,
}
if (ret == 0) {
/* init key with possible hardware */
- ret = wc_AesInit(aes, NULL, ctx->crypto->devId);
+ ret = wc_AesInit(aes, NULL, devId);
}
if (ret == 0) {
/* load the key */
@@ -2414,7 +2380,7 @@ static int _HandleAesCtr(whServerContext* ctx, uint16_t magic,
}
#endif /* WOLFSSL_AES_COUNTER */
#ifdef HAVE_AES_ECB
-static int _HandleAesEcb(whServerContext* ctx, uint16_t magic,
+static int _HandleAesEcb(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -2481,7 +2447,7 @@ static int _HandleAesEcb(whServerContext* ctx, uint16_t magic,
}
if (ret == 0) {
/* init key with possible hardware */
- ret = wc_AesInit(aes, NULL, ctx->crypto->devId);
+ ret = wc_AesInit(aes, NULL, devId);
}
if (ret == 0) {
/* load the key */
@@ -2519,9 +2485,9 @@ static int _HandleAesEcb(whServerContext* ctx, uint16_t magic,
#endif /* HAVE_AES_ECB */
#ifdef HAVE_AES_CBC
-static int _HandleAesCbc(whServerContext* ctx, uint16_t magic, const void* cryptoDataIn,
- uint16_t inSize, void* cryptoDataOut,
- uint16_t* outSize)
+static int _HandleAesCbc(whServerContext* ctx, uint16_t magic, int devId,
+ const void* cryptoDataIn, uint16_t inSize,
+ void* cryptoDataOut, uint16_t* outSize)
{
int ret = 0;
Aes aes[1] = {0};
@@ -2595,7 +2561,7 @@ static int _HandleAesCbc(whServerContext* ctx, uint16_t magic, const void* crypt
}
if (ret == 0) {
/* init key with possible hardware */
- ret = wc_AesInit(aes, NULL, ctx->crypto->devId);
+ ret = wc_AesInit(aes, NULL, devId);
}
if (ret == 0) {
/* load the key */
@@ -2633,7 +2599,7 @@ static int _HandleAesCbc(whServerContext* ctx, uint16_t magic, const void* crypt
#endif /* HAVE_AES_CBC */
#ifdef HAVE_AESGCM
-static int _HandleAesGcm(whServerContext* ctx, uint16_t magic,
+static int _HandleAesGcm(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -2738,7 +2704,7 @@ static int _HandleAesGcm(whServerContext* ctx, uint16_t magic,
}
if (ret == 0) {
/* init key with possible hardware */
- ret = wc_AesInit(aes, NULL, ctx->crypto->devId);
+ ret = wc_AesInit(aes, NULL, devId);
}
if (ret == 0) {
/* load the key */
@@ -2796,9 +2762,10 @@ static int _HandleAesGcm(whServerContext* ctx, uint16_t magic,
}
#ifdef WOLFHSM_CFG_DMA
-static int _HandleAesGcmDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleAesGcmDma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
int ret = 0;
whMessageCrypto_AesDmaRequest req;
@@ -2829,7 +2796,7 @@ static int _HandleAesGcmDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
}
if (ret == WH_ERROR_OK) {
- ret = wc_AesInit(aes, NULL, ctx->crypto->devId);
+ ret = wc_AesInit(aes, NULL, devId);
}
/* Handle key operations */
@@ -3028,8 +2995,8 @@ static int _CmacResolveKey(whServerContext* ctx, const uint8_t* requestKey,
return ret;
}
-static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
+static int _HandleCmac(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
(void)seq;
@@ -3085,9 +3052,8 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
WH_DEBUG_SERVER_VERBOSE("cmac generate oneshot\n");
- ret =
- wc_AesCmacGenerate_ex(cmac, out, &len, in, req.inSz, tmpKey,
- (word32)tmpKeyLen, NULL, ctx->crypto->devId);
+ ret = wc_AesCmacGenerate_ex(cmac, out, &len, in, req.inSz, tmpKey,
+ (word32)tmpKeyLen, NULL, devId);
if (ret == 0) {
res.outSz = len;
@@ -3102,7 +3068,7 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
/* Initialize CMAC context with key (re-derives k1/k2 subkeys) */
ret = wc_InitCmac_ex(cmac, tmpKey, tmpKeyLen, WC_CMAC_AES, NULL, NULL,
- ctx->crypto->devId);
+ devId);
WH_DEBUG_SERVER_VERBOSE("cmac init with keylen:%d ret:%d\n", tmpKeyLen,
ret);
@@ -3150,12 +3116,13 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT */
#ifndef NO_SHA256
-static int _HandleSha256(whServerContext* ctx, uint16_t magic,
+static int _HandleSha256(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
int ret = 0;
wc_Sha256 sha256[1];
+ (void)ctx;
whMessageCrypto_Sha256Request req;
whMessageCrypto_Sha2Response res = {0};
@@ -3170,7 +3137,7 @@ static int _HandleSha256(whServerContext* ctx, uint16_t magic,
return ret;
}
/* always init sha2 struct with the devid */
- ret = wc_InitSha256_ex(sha256, NULL, ctx->crypto->devId);
+ ret = wc_InitSha256_ex(sha256, NULL, devId);
if (ret != 0) {
return ret;
}
@@ -3219,12 +3186,13 @@ static int _HandleSha256(whServerContext* ctx, uint16_t magic,
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA224
-static int _HandleSha224(whServerContext* ctx, uint16_t magic,
+static int _HandleSha224(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
int ret = 0;
wc_Sha224 sha224[1];
+ (void)ctx;
whMessageCrypto_Sha256Request req;
whMessageCrypto_Sha2Response res;
@@ -3243,7 +3211,7 @@ static int _HandleSha224(whServerContext* ctx, uint16_t magic,
if (req.isLastBlock && req.lastBlockLen > WC_SHA224_BLOCK_SIZE) {
return WH_ERROR_BADARGS;
}
- ret = wc_InitSha224_ex(sha224, NULL, ctx->crypto->devId);
+ ret = wc_InitSha224_ex(sha224, NULL, devId);
if (ret != 0) {
return ret;
}
@@ -3293,12 +3261,13 @@ static int _HandleSha224(whServerContext* ctx, uint16_t magic,
#endif /* WOLFSSL_SHA224 */
#ifdef WOLFSSL_SHA384
-static int _HandleSha384(whServerContext* ctx, uint16_t magic,
+static int _HandleSha384(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
int ret = 0;
wc_Sha384 sha384[1];
+ (void)ctx;
whMessageCrypto_Sha512Request req;
whMessageCrypto_Sha2Response res;
@@ -3319,7 +3288,7 @@ static int _HandleSha384(whServerContext* ctx, uint16_t magic,
}
/* init sha2 struct with the devid */
- ret = wc_InitSha384_ex(sha384, NULL, ctx->crypto->devId);
+ ret = wc_InitSha384_ex(sha384, NULL, devId);
if (ret != 0) {
return ret;
}
@@ -3370,12 +3339,13 @@ static int _HandleSha384(whServerContext* ctx, uint16_t magic,
}
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_SHA512
-static int _HandleSha512(whServerContext* ctx, uint16_t magic,
+static int _HandleSha512(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
int ret = 0;
wc_Sha512 sha512[1];
+ (void)ctx;
whMessageCrypto_Sha512Request req;
whMessageCrypto_Sha2Response res;
int hashType = WC_HASH_TYPE_SHA512;
@@ -3400,16 +3370,16 @@ static int _HandleSha512(whServerContext* ctx, uint16_t magic,
switch (hashType) {
#ifndef WOLFSSL_NOSHA512_224
case WC_HASH_TYPE_SHA512_224:
- ret = wc_InitSha512_224_ex(sha512, NULL, ctx->crypto->devId);
+ ret = wc_InitSha512_224_ex(sha512, NULL, devId);
break;
#endif
#ifndef WOLFSSL_NOSHA512_256
case WC_HASH_TYPE_SHA512_256:
- ret = wc_InitSha512_256_ex(sha512, NULL, ctx->crypto->devId);
+ ret = wc_InitSha512_256_ex(sha512, NULL, devId);
break;
#endif
default:
- ret = wc_InitSha512_ex(sha512, NULL, ctx->crypto->devId);
+ ret = wc_InitSha512_ex(sha512, NULL, devId);
break;
}
if (ret != 0) {
@@ -3502,7 +3472,7 @@ static int _IsMlDsaLevelSupported(int level)
}
#endif /* WOLFSSL_DILITHIUM_NO_MAKE_KEY */
-static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -3555,7 +3525,7 @@ static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic,
}
else {
/* init mldsa key */
- ret = wc_MlDsaKey_Init(key, NULL, ctx->crypto->devId);
+ ret = wc_MlDsaKey_Init(key, NULL, devId);
if (ret == 0) {
/* Set the ML-DSA security level */
ret = wc_MlDsaKey_SetParams(key, level);
@@ -3612,7 +3582,7 @@ static int _HandleMlDsaKeyGen(whServerContext* ctx, uint16_t magic,
#endif /* WOLFSSL_DILITHIUM_NO_MAKE_KEY */
}
-static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -3674,7 +3644,7 @@ static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
word32 res_len = max_len;
/* init private key */
- ret = wc_MlDsaKey_Init(key, NULL, ctx->crypto->devId);
+ ret = wc_MlDsaKey_Init(key, NULL, devId);
if (ret == 0) {
/* load the private key */
ret = wh_Server_MlDsaKeyCacheExport(ctx, key_id, key);
@@ -3702,7 +3672,7 @@ static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
#endif /* WOLFSSL_DILITHIUM_NO_SIGN */
}
-static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -3764,7 +3734,7 @@ static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
int result = 0;
/* init public key */
- ret = wc_MlDsaKey_Init(key, NULL, ctx->crypto->devId);
+ ret = wc_MlDsaKey_Init(key, NULL, devId);
if (ret == 0) {
/* load the public key */
ret = wh_Server_MlDsaKeyCacheExport(ctx, key_id, key);
@@ -3793,11 +3763,13 @@ static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
}
static int _HandleMlDsaCheckPrivKey(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)ctx;
(void)magic;
+ (void)devId;
(void)cryptoDataIn;
(void)inSize;
(void)cryptoDataOut;
@@ -3808,7 +3780,7 @@ static int _HandleMlDsaCheckPrivKey(whServerContext* ctx, uint16_t magic,
#if defined(HAVE_DILITHIUM) || defined(HAVE_FALCON)
static int _HandlePqcSigAlgorithm(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn,
+ int devId, const void* cryptoDataIn,
uint16_t cryptoInSize, void* cryptoDataOut,
uint16_t* cryptoOutSize, uint32_t pkAlgoType,
uint32_t pqAlgoType)
@@ -3822,24 +3794,24 @@ static int _HandlePqcSigAlgorithm(whServerContext* ctx, uint16_t magic,
case WC_PQC_SIG_TYPE_DILITHIUM: {
switch (pkAlgoType) {
case WC_PK_TYPE_PQC_SIG_KEYGEN:
- ret = _HandleMlDsaKeyGen(ctx, magic, cryptoDataIn,
+ ret = _HandleMlDsaKeyGen(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
cryptoOutSize);
break;
case WC_PK_TYPE_PQC_SIG_SIGN:
- ret =
- _HandleMlDsaSign(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, cryptoOutSize);
+ ret = _HandleMlDsaSign(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ cryptoOutSize);
break;
case WC_PK_TYPE_PQC_SIG_VERIFY:
- ret = _HandleMlDsaVerify(ctx, magic, cryptoDataIn,
+ ret = _HandleMlDsaVerify(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
cryptoOutSize);
break;
case WC_PK_TYPE_PQC_SIG_CHECK_PRIV_KEY:
- ret = _HandleMlDsaCheckPrivKey(ctx, magic, cryptoDataIn,
- cryptoInSize, cryptoDataOut,
- cryptoOutSize);
+ ret = _HandleMlDsaCheckPrivKey(
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, cryptoOutSize);
break;
default:
ret = WH_ERROR_NOHANDLER;
@@ -3857,9 +3829,18 @@ static int _HandlePqcSigAlgorithm(whServerContext* ctx, uint16_t magic,
#endif
#if defined(HAVE_KYBER)
-static int _HandlePqcKemAlgorithm(whServerContext* ctx, whPacket* packet,
- uint16_t* size)
+static int _HandlePqcKemAlgorithm(whServerContext* ctx, uint16_t magic,
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
+ (void)ctx;
+ (void)magic;
+ (void)devId;
+ (void)cryptoDataIn;
+ (void)inSize;
+ (void)cryptoDataOut;
+ (void)outSize;
/* Placeholder for KEM algorithm handling */
return WH_ERROR_NOHANDLER;
}
@@ -3899,6 +3880,11 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
wh_MessageCrypto_TranslateGenericRequestHeader(
magic, (whMessageCrypto_GenericRequestHeader*)req_packet, &rqstHeader);
+ /* Compute devId from the per-message affinity field */
+ int devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
+ ctx->defaultDevId != INVALID_DEVID)
+ ? ctx->defaultDevId
+ : INVALID_DEVID;
WH_DEBUG_SERVER_VERBOSE("HandleCryptoRequest. Action:%u\n", action);
WH_DEBUG_VERBOSE_HEXDUMP("[server] Crypto Request:\n", (const uint8_t*)req_packet,
@@ -3909,26 +3895,30 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#ifndef NO_AES
#ifdef WOLFSSL_AES_COUNTER
case WC_CIPHER_AES_CTR:
- ret = _HandleAesCtr(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleAesCtr(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* WOLFSSL_AES_COUNTER */
#ifdef HAVE_AES_ECB
case WC_CIPHER_AES_ECB:
- ret = _HandleAesEcb(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleAesEcb(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_AES_ECB */
#ifdef HAVE_AES_CBC
case WC_CIPHER_AES_CBC:
- ret = _HandleAesCbc(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleAesCbc(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_AES_CBC */
#ifdef HAVE_AESGCM
case WC_CIPHER_AES_GCM:
- ret = _HandleAesGcm(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleAesGcm(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_AESGCM */
#endif /* !NO_AES */
@@ -3943,19 +3933,19 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#ifndef NO_RSA
#ifdef WOLFSSL_KEY_GEN
case WC_PK_TYPE_RSA_KEYGEN:
- ret =
- _HandleRsaKeyGen(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleRsaKeyGen(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* WOLFSSL_KEY_GEN */
case WC_PK_TYPE_RSA:
- ret = _HandleRsaFunction(ctx, magic, cryptoDataIn,
+ ret = _HandleRsaFunction(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
case WC_PK_TYPE_RSA_GET_SIZE:
- ret = _HandleRsaGetSize(ctx, magic, cryptoDataIn,
+ ret = _HandleRsaGetSize(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
@@ -3963,32 +3953,34 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#ifdef HAVE_ECC
case WC_PK_TYPE_EC_KEYGEN:
- ret =
- _HandleEccKeyGen(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleEccKeyGen(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#ifdef HAVE_ECC_DHE
case WC_PK_TYPE_ECDH:
- ret = _HandleEccSharedSecret(ctx, magic, cryptoDataIn,
- cryptoInSize, cryptoDataOut,
- &cryptoOutSize);
+ ret = _HandleEccSharedSecret(ctx, magic, devId,
+ cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize);
break;
#endif /* HAVE_ECC_DHE */
#ifdef HAVE_ECC_SIGN
case WC_PK_TYPE_ECDSA_SIGN:
- ret = _HandleEccSign(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleEccSign(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_ECC_SIGN */
#ifdef HAVE_ECC_VERIFY
case WC_PK_TYPE_ECDSA_VERIFY:
- ret = _HandleEccVerify(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleEccVerify(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_ECC_VERIFY */
#if 0
case WC_PK_TYPE_EC_CHECK_PRIV_KEY:
- ret = _HandleEccCheckPrivKey(ctx, magic, cryptoDataIn, cryptoInSize,
+ ret = _HandleEccCheckPrivKey(ctx, magic, devId, cryptoDataIn, cryptoInSize,
cryptoDataOut, &cryptoOutSize);
break;
#endif
@@ -3996,30 +3988,30 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#ifdef HAVE_CURVE25519
case WC_PK_TYPE_CURVE25519_KEYGEN:
- ret = _HandleCurve25519KeyGen(ctx, magic, cryptoDataIn,
- cryptoInSize, cryptoDataOut,
- &cryptoOutSize);
+ ret = _HandleCurve25519KeyGen(
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize);
break;
case WC_PK_TYPE_CURVE25519:
ret = _HandleCurve25519SharedSecret(
- ctx, magic, cryptoDataIn, cryptoInSize, cryptoDataOut,
- &cryptoOutSize);
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize);
break;
#endif /* HAVE_CURVE25519 */
#ifdef HAVE_ED25519
case WC_PK_TYPE_ED25519_KEYGEN:
- ret = _HandleEd25519KeyGen(ctx, magic, cryptoDataIn,
+ ret = _HandleEd25519KeyGen(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
case WC_PK_TYPE_ED25519_SIGN:
- ret = _HandleEd25519Sign(ctx, magic, cryptoDataIn,
+ ret = _HandleEd25519Sign(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
case WC_PK_TYPE_ED25519_VERIFY:
- ret = _HandleEd25519Verify(ctx, magic, cryptoDataIn,
+ ret = _HandleEd25519Verify(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
@@ -4031,8 +4023,8 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
case WC_PK_TYPE_PQC_SIG_VERIFY:
case WC_PK_TYPE_PQC_SIG_CHECK_PRIV_KEY:
ret = _HandlePqcSigAlgorithm(
- ctx, magic, cryptoDataIn, cryptoInSize, cryptoDataOut,
- &cryptoOutSize, rqstHeader.algoType,
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize, rqstHeader.algoType,
rqstHeader.algoSubType);
break;
#endif
@@ -4041,9 +4033,9 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
case WC_PK_TYPE_PQC_KEM_KEYGEN:
case WC_PK_TYPE_PQC_KEM_ENCAPS:
case WC_PK_TYPE_PQC_KEM_DECAPS:
- ret =
- _HandlePqcKemAlgorithm(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandlePqcKemAlgorithm(ctx, magic, devId,
+ cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize);
break;
#endif
@@ -4055,7 +4047,7 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#ifndef WC_NO_RNG
case WC_ALGO_TYPE_RNG:
- ret = _HandleRng(ctx, magic, cryptoDataIn, cryptoInSize,
+ ret = _HandleRng(ctx, magic, devId, cryptoDataIn, cryptoInSize,
cryptoDataOut, &cryptoOutSize);
break;
#endif /* !WC_NO_RNG */
@@ -4065,14 +4057,16 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
switch (rqstHeader.algoSubType) {
#ifdef HAVE_HKDF
case WC_KDF_TYPE_HKDF:
- ret = _HandleHkdf(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleHkdf(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_HKDF */
#ifdef HAVE_CMAC_KDF
case WC_KDF_TYPE_TWOSTEP_CMAC:
- ret = _HandleCmacKdf(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleCmacKdf(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
break;
#endif /* HAVE_CMAC_KDF */
default:
@@ -4084,8 +4078,8 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
case WC_ALGO_TYPE_CMAC:
- ret = _HandleCmac(ctx, magic, seq, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleCmac(ctx, magic, devId, seq, cryptoDataIn,
+ cryptoInSize, cryptoDataOut, &cryptoOutSize);
break;
#endif
@@ -4095,8 +4089,9 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
case WC_HASH_TYPE_SHA256:
WH_DEBUG_SERVER("SHA256 req recv. type:%u\n",
rqstHeader.algoType);
- ret = _HandleSha256(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleSha256(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
if (ret != 0) {
WH_DEBUG_SERVER("SHA256 ret = %d\n", ret);
}
@@ -4106,8 +4101,9 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
case WC_HASH_TYPE_SHA224:
WH_DEBUG_SERVER("SHA224 req recv. type:%u\n",
rqstHeader.algoType);
- ret = _HandleSha224(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleSha224(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
if (ret != 0) {
WH_DEBUG_SERVER("SHA224 ret = %d\n", ret);
}
@@ -4117,8 +4113,9 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
case WC_HASH_TYPE_SHA384:
WH_DEBUG_SERVER("SHA384 req recv. type:%u\n",
rqstHeader.algoType);
- ret = _HandleSha384(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleSha384(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
if (ret != 0) {
WH_DEBUG_SERVER("SHA384 ret = %d\n", ret);
}
@@ -4128,8 +4125,9 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
case WC_HASH_TYPE_SHA512:
WH_DEBUG_SERVER("SHA512 req recv. type:%u\n",
rqstHeader.algoType);
- ret = _HandleSha512(ctx, magic, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleSha512(ctx, magic, devId, cryptoDataIn,
+ cryptoInSize, cryptoDataOut,
+ &cryptoOutSize);
if (ret != 0) {
WH_DEBUG_SERVER("SHA512 ret = %d\n", ret);
}
@@ -4172,9 +4170,10 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
#ifdef WOLFHSM_CFG_DMA
#ifndef NO_SHA256
-static int _HandleSha256Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleSha256Dma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)seq;
@@ -4213,7 +4212,7 @@ static int _HandleSha256Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
* copied back into client memory. */
clientDevId = sha256->devId;
/* overwrite the devId to that of the server for local crypto */
- sha256->devId = ctx->crypto->devId;
+ sha256->devId = devId;
}
}
@@ -4294,9 +4293,10 @@ static int _HandleSha256Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
#endif /* ! NO_SHA256 */
#ifdef WOLFSSL_SHA224
-static int _HandleSha224Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleSha224Dma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)seq;
int ret = 0;
@@ -4334,7 +4334,7 @@ static int _HandleSha224Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
* copied back into client memory. */
clientDevId = sha224->devId;
/* overwrite the devId to that of the server for local crypto */
- sha224->devId = ctx->crypto->devId;
+ sha224->devId = devId;
}
}
@@ -4415,9 +4415,10 @@ static int _HandleSha224Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
#endif /* WOLFSSL_SHA224 */
#ifdef WOLFSSL_SHA384
-static int _HandleSha384Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleSha384Dma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)seq;
int ret = 0;
@@ -4455,7 +4456,7 @@ static int _HandleSha384Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
* copied back into client memory. */
clientDevId = sha384->devId;
/* overwrite the devId to that of the server for local crypto */
- sha384->devId = ctx->crypto->devId;
+ sha384->devId = devId;
}
}
@@ -4536,9 +4537,10 @@ static int _HandleSha384Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_SHA512
-static int _HandleSha512Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleSha512Dma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)seq;
int ret = 0;
@@ -4576,7 +4578,7 @@ static int _HandleSha512Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
* copied back into client memory. */
clientDevId = sha512->devId;
/* overwrite the devId to that of the server for local crypto */
- sha512->devId = ctx->crypto->devId;
+ sha512->devId = devId;
/* retrieve hash Type to handle 512, 512-224, or 512-256 */
hashType = sha512->hashType;
}
@@ -4672,8 +4674,9 @@ static int _HandleSha512Dma(whServerContext* ctx, uint16_t magic, uint16_t seq,
#if defined(HAVE_DILITHIUM)
static int _HandleMlDsaKeyGenDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
#ifdef WOLFSSL_DILITHIUM_NO_MAKE_KEY
(void)ctx;
@@ -4709,7 +4712,7 @@ static int _HandleMlDsaKeyGenDma(whServerContext* ctx, uint16_t magic,
}
else {
/* init mldsa key */
- ret = wc_MlDsaKey_Init(key, NULL, ctx->crypto->devId);
+ ret = wc_MlDsaKey_Init(key, NULL, devId);
if (ret == 0) {
/* Set the ML-DSA security level */
ret = wc_MlDsaKey_SetParams(key, req.level);
@@ -4792,7 +4795,7 @@ static int _HandleMlDsaKeyGenDma(whServerContext* ctx, uint16_t magic,
#endif /* WOLFSSL_DILITHIUM_NO_MAKE_KEY */
}
-static int _HandleMlDsaSignDma(whServerContext* ctx, uint16_t magic,
+static int _HandleMlDsaSignDma(whServerContext* ctx, uint16_t magic, int devId,
const void* cryptoDataIn, uint16_t inSize,
void* cryptoDataOut, uint16_t* outSize)
{
@@ -4835,7 +4838,7 @@ static int _HandleMlDsaSignDma(whServerContext* ctx, uint16_t magic,
evict = !!(req.options & WH_MESSAGE_CRYPTO_MLDSA_SIGN_OPTIONS_EVICT);
/* Initialize key */
- ret = wc_MlDsaKey_Init(key, NULL, ctx->crypto->devId);
+ ret = wc_MlDsaKey_Init(key, NULL, devId);
if (ret == 0) {
/* Export key from cache */
/* TODO: sanity check security level against key pulled from cache? */
@@ -4904,8 +4907,9 @@ static int _HandleMlDsaSignDma(whServerContext* ctx, uint16_t magic,
}
static int _HandleMlDsaVerifyDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+ int devId, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
#ifdef WOLFSSL_DILITHIUM_NO_VERIFY
(void)ctx;
@@ -4946,7 +4950,7 @@ static int _HandleMlDsaVerifyDma(whServerContext* ctx, uint16_t magic,
evict = !!(req.options & WH_MESSAGE_CRYPTO_MLDSA_VERIFY_OPTIONS_EVICT);
/* Initialize key */
- ret = wc_MlDsaKey_Init(key, NULL, ctx->crypto->devId);
+ ret = wc_MlDsaKey_Init(key, NULL, devId);
if (ret != 0) {
return ret;
}
@@ -5014,12 +5018,13 @@ static int _HandleMlDsaVerifyDma(whServerContext* ctx, uint16_t magic,
}
static int _HandleMlDsaCheckPrivKeyDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn,
+ int devId, const void* cryptoDataIn,
uint16_t inSize, void* cryptoDataOut,
uint16_t* outSize)
{
(void)ctx;
(void)magic;
+ (void)devId;
(void)cryptoDataIn;
(void)inSize;
(void)cryptoDataOut;
@@ -5030,7 +5035,7 @@ static int _HandleMlDsaCheckPrivKeyDma(whServerContext* ctx, uint16_t magic,
#if defined(HAVE_DILITHIUM) || defined(HAVE_FALCON)
static int _HandlePqcSigAlgorithmDma(whServerContext* ctx, uint16_t magic,
- const void* cryptoDataIn,
+ int devId, const void* cryptoDataIn,
uint16_t cryptoInSize, void* cryptoDataOut,
uint16_t* cryptoOutSize,
uint32_t pkAlgoType, uint32_t pqAlgoType)
@@ -5044,24 +5049,24 @@ static int _HandlePqcSigAlgorithmDma(whServerContext* ctx, uint16_t magic,
case WC_PQC_SIG_TYPE_DILITHIUM: {
switch (pkAlgoType) {
case WC_PK_TYPE_PQC_SIG_KEYGEN:
- ret = _HandleMlDsaKeyGenDma(ctx, magic, cryptoDataIn,
+ ret = _HandleMlDsaKeyGenDma(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
cryptoOutSize);
break;
case WC_PK_TYPE_PQC_SIG_SIGN:
- ret = _HandleMlDsaSignDma(ctx, magic, cryptoDataIn,
+ ret = _HandleMlDsaSignDma(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
cryptoOutSize);
break;
case WC_PK_TYPE_PQC_SIG_VERIFY:
- ret = _HandleMlDsaVerifyDma(ctx, magic, cryptoDataIn,
+ ret = _HandleMlDsaVerifyDma(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
cryptoOutSize);
break;
case WC_PK_TYPE_PQC_SIG_CHECK_PRIV_KEY:
ret = _HandleMlDsaCheckPrivKeyDma(
- ctx, magic, cryptoDataIn, cryptoInSize, cryptoDataOut,
- cryptoOutSize);
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, cryptoOutSize);
break;
default:
ret = WH_ERROR_NOHANDLER;
@@ -5079,9 +5084,10 @@ static int _HandlePqcSigAlgorithmDma(whServerContext* ctx, uint16_t magic,
#endif /* HAVE_DILITHIUM || HAVE_FALCON */
#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT)
-static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)seq;
@@ -5149,8 +5155,7 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
WH_DEBUG_SERVER_VERBOSE("dma cmac generate oneshot\n");
ret = wc_AesCmacGenerate_ex(cmac, out, &len, inAddr, req.input.sz,
- tmpKey, (word32)tmpKeyLen, NULL,
- ctx->crypto->devId);
+ tmpKey, (word32)tmpKeyLen, NULL, devId);
}
else if (ret == WH_ERROR_OK) {
/* HSM-local key via keyId - init then generate */
@@ -5158,12 +5163,11 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
req.keyId);
ret = wc_InitCmac_ex(cmac, tmpKey, (word32)tmpKeyLen, WC_CMAC_AES,
- NULL, NULL, ctx->crypto->devId);
+ NULL, NULL, devId);
if (ret == WH_ERROR_OK) {
- ret =
- wc_AesCmacGenerate_ex(cmac, out, &len, inAddr, req.input.sz,
- NULL, 0, NULL, ctx->crypto->devId);
+ ret = wc_AesCmacGenerate_ex(cmac, out, &len, inAddr,
+ req.input.sz, NULL, 0, NULL, devId);
}
}
@@ -5184,7 +5188,7 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
/* Initialize CMAC context with key (re-derives k1/k2 subkeys) */
if (ret == 0) {
ret = wc_InitCmac_ex(cmac, tmpKey, (word32)tmpKeyLen, WC_CMAC_AES,
- NULL, NULL, ctx->crypto->devId);
+ NULL, NULL, devId);
WH_DEBUG_SERVER_VERBOSE("dma cmac init with keylen:%d ret:%d\n",
tmpKeyLen, ret);
}
@@ -5248,11 +5252,13 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
#endif /* WOLFSSL_CMAC && !NO_AES && WOLFSSL_AES_DIRECT */
#ifndef WC_NO_RNG
-static int _HandleRngDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
- const void* cryptoDataIn, uint16_t inSize,
- void* cryptoDataOut, uint16_t* outSize)
+static int _HandleRngDma(whServerContext* ctx, uint16_t magic, int devId,
+ uint16_t seq, const void* cryptoDataIn,
+ uint16_t inSize, void* cryptoDataOut,
+ uint16_t* outSize)
{
(void)seq;
+ (void)devId;
int ret = 0;
whMessageCrypto_RngDmaRequest req;
@@ -5343,13 +5349,18 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
wh_MessageCrypto_TranslateGenericRequestHeader(
magic, (whMessageCrypto_GenericRequestHeader*)req_packet, &rqstHeader);
+ /* Compute devId from the per-message affinity field */
+ int devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
+ ctx->defaultDevId != INVALID_DEVID)
+ ? ctx->defaultDevId
+ : INVALID_DEVID;
switch (action) {
case WC_ALGO_TYPE_HASH:
switch (rqstHeader.algoType) {
#ifndef NO_SHA256
case WC_HASH_TYPE_SHA256:
- ret = _HandleSha256Dma(ctx, magic, seq, cryptoDataIn,
+ ret = _HandleSha256Dma(ctx, magic, devId, seq, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
if (ret != 0) {
@@ -5359,7 +5370,7 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
#endif /* !NO_SHA256 */
#ifdef WOLFSSL_SHA224
case WC_HASH_TYPE_SHA224:
- ret = _HandleSha224Dma(ctx, magic, seq, cryptoDataIn,
+ ret = _HandleSha224Dma(ctx, magic, devId, seq, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
if (ret != 0) {
@@ -5369,7 +5380,7 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
#endif /* WOLFSSL_SHA224 */
#ifdef WOLFSSL_SHA384
case WC_HASH_TYPE_SHA384:
- ret = _HandleSha384Dma(ctx, magic, seq, cryptoDataIn,
+ ret = _HandleSha384Dma(ctx, magic, devId, seq, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
if (ret != 0) {
@@ -5379,7 +5390,7 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
#endif /* WOLFSSL_SHA384 */
#ifdef WOLFSSL_SHA512
case WC_HASH_TYPE_SHA512:
- ret = _HandleSha512Dma(ctx, magic, seq, cryptoDataIn,
+ ret = _HandleSha512Dma(ctx, magic, devId, seq, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
if (ret != 0) {
@@ -5394,7 +5405,7 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
switch (rqstHeader.algoType) {
#ifdef HAVE_AESGCM
case WC_CIPHER_AES_GCM:
- ret = _HandleAesGcmDma(ctx, magic, seq, cryptoDataIn,
+ ret = _HandleAesGcmDma(ctx, magic, devId, seq, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
@@ -5410,21 +5421,21 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
case WC_PK_TYPE_PQC_SIG_VERIFY:
case WC_PK_TYPE_PQC_SIG_CHECK_PRIV_KEY:
ret = _HandlePqcSigAlgorithmDma(
- ctx, magic, cryptoDataIn, cryptoInSize, cryptoDataOut,
- &cryptoOutSize, rqstHeader.algoType,
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize, rqstHeader.algoType,
rqstHeader.algoSubType);
break;
#endif /* HAVE_DILITHIUM || HAVE_FALCON */
#ifdef HAVE_ED25519
case WC_PK_TYPE_ED25519_SIGN:
- ret = _HandleEd25519SignDma(ctx, magic, cryptoDataIn,
+ ret = _HandleEd25519SignDma(ctx, magic, devId, cryptoDataIn,
cryptoInSize, cryptoDataOut,
&cryptoOutSize);
break;
case WC_PK_TYPE_ED25519_VERIFY:
- ret = _HandleEd25519VerifyDma(ctx, magic, cryptoDataIn,
- cryptoInSize, cryptoDataOut,
- &cryptoOutSize);
+ ret = _HandleEd25519VerifyDma(
+ ctx, magic, devId, cryptoDataIn, cryptoInSize,
+ cryptoDataOut, &cryptoOutSize);
break;
#endif /* HAVE_ED25519 */
}
@@ -5432,15 +5443,15 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
#ifdef WOLFSSL_CMAC
case WC_ALGO_TYPE_CMAC:
- ret = _HandleCmacDma(ctx, magic, seq, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleCmacDma(ctx, magic, devId, seq, cryptoDataIn,
+ cryptoInSize, cryptoDataOut, &cryptoOutSize);
break;
#endif /* WOLFSSL_CMAC */
#ifndef WC_NO_RNG
case WC_ALGO_TYPE_RNG:
- ret = _HandleRngDma(ctx, magic, seq, cryptoDataIn, cryptoInSize,
- cryptoDataOut, &cryptoOutSize);
+ ret = _HandleRngDma(ctx, magic, devId, seq, cryptoDataIn,
+ cryptoInSize, cryptoDataOut, &cryptoOutSize);
break;
#endif /* !WC_NO_RNG */
diff --git a/src/wh_server_img_mgr.c b/src/wh_server_img_mgr.c
index 9a32c1093..76a1c09e4 100644
--- a/src/wh_server_img_mgr.c
+++ b/src/wh_server_img_mgr.c
@@ -239,11 +239,11 @@ int wh_Server_ImgMgrVerifyMethodEccWithSha256(whServerImgMgrContext* context,
/* Hash the image data from server pointer using one-shot API */
ret = wc_Sha256Hash_ex((const uint8_t*)serverPtr, (word32)img->size, hash,
- NULL, server->crypto->devId);
+ NULL, server->defaultDevId);
#else
/* Hash the image data using one-shot API */
ret = wc_Sha256Hash_ex((const uint8_t*)img->addr, (word32)img->size, hash,
- NULL, context->server->crypto->devId);
+ NULL, context->server->defaultDevId);
#endif
if (ret != 0) {
wc_ecc_free(&eccKey);
@@ -319,11 +319,11 @@ int wh_Server_ImgMgrVerifyMethodAesCmac(whServerImgMgrContext* context,
/* Compute CMAC of the image data from server pointer */
ret = wc_AesCmacVerify_ex(&cmac, sig, (word32)sigSz, (const byte*)serverPtr,
(word32)img->size, key, (word32)keySz, NULL,
- server->crypto->devId);
+ server->defaultDevId);
#else
ret = wc_AesCmacVerify_ex(&cmac, sig, (word32)sigSz, (const byte*)img->addr,
(word32)img->size, key, (word32)keySz, NULL,
- context->server->crypto->devId);
+ context->server->defaultDevId);
#endif
if (ret != 0) {
return ret;
@@ -389,11 +389,11 @@ int wh_Server_ImgMgrVerifyMethodRsaSslWithSha256(
/* Hash the image data from server pointer using one-shot API */
ret = wc_Sha256Hash_ex((const uint8_t*)serverPtr, (word32)img->size, hash,
- NULL, server->crypto->devId);
+ NULL, server->defaultDevId);
#else
/* Hash the image data using one-shot API */
ret = wc_Sha256Hash_ex((const uint8_t*)img->addr, (word32)img->size, hash,
- NULL, context->server->crypto->devId);
+ NULL, context->server->defaultDevId);
#endif
if (ret != 0) {
wc_FreeRsaKey(&rsaKey);
diff --git a/src/wh_server_keystore.c b/src/wh_server_keystore.c
index bbf0eca0c..c13d279b2 100644
--- a/src/wh_server_keystore.c
+++ b/src/wh_server_keystore.c
@@ -942,7 +942,7 @@ static int _AesGcmKeyWrap(whServerContext* server, whKeyId serverKeyId,
}
/* Initialize AES context and set it to use the server side key */
- ret = wc_AesInit(aes, NULL, server->crypto->devId);
+ ret = wc_AesInit(aes, NULL, server->defaultDevId);
if (ret != 0) {
return ret;
}
@@ -1022,7 +1022,7 @@ static int _AesGcmKeyUnwrap(whServerContext* server, uint16_t serverKeyId,
}
/* Initialize AES context and set it to use the server side key */
- ret = wc_AesInit(aes, NULL, server->crypto->devId);
+ ret = wc_AesInit(aes, NULL, server->defaultDevId);
if (ret != 0) {
return ret;
}
@@ -1083,7 +1083,7 @@ static int _AesGcmDataWrap(whServerContext* server, whKeyId serverKeyId,
serverKeySz = serverKeyMetadata->len;
/* Initialize AES context and set it to use the server side key */
- ret = wc_AesInit(aes, NULL, server->crypto->devId);
+ ret = wc_AesInit(aes, NULL, server->defaultDevId);
if (ret != 0) {
return ret;
}
@@ -1149,7 +1149,7 @@ static int _AesGcmDataUnwrap(whServerContext* server, uint16_t serverKeyId,
serverKeySz = serverKeyMetadata->len;
/* Initialize AES context and set it to use the server side key */
- ret = wc_AesInit(aes, NULL, server->crypto->devId);
+ ret = wc_AesInit(aes, NULL, server->defaultDevId);
if (ret != 0) {
return ret;
}
diff --git a/src/wh_server_she.c b/src/wh_server_she.c
index cbb7ed680..1c9098c91 100644
--- a/src/wh_server_she.c
+++ b/src/wh_server_she.c
@@ -166,7 +166,7 @@ static int _AesMp16(whServerContext* server, uint8_t* in, word32 inSz,
if (server == NULL || server->she == NULL) {
return WH_ERROR_BADARGS;
}
- return wh_She_AesMp16_ex(server->she->sheAes, NULL, server->crypto->devId,
+ return wh_She_AesMp16_ex(server->she->sheAes, NULL, server->defaultDevId,
in, inSz, out);
}
@@ -262,7 +262,7 @@ static int _SecureBootInit(whServerContext* server, uint16_t magic,
* expected digest so meta->len will be too long */
if (ret == 0) {
ret = wc_InitCmac_ex(server->she->sheCmac, macKey, WH_SHE_KEY_SZ,
- WC_CMAC_AES, NULL, NULL, server->crypto->devId);
+ WC_CMAC_AES, NULL, NULL, server->defaultDevId);
}
/* hash 12 zeros */
if (ret == 0) {
@@ -501,7 +501,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
ret = wc_AesCmacGenerate_ex(server->she->sheCmac, cmacOutput,
(word32*)&field, cmacInput,
sizeof(cmacInput), tmpKey, WH_SHE_KEY_SZ,
- NULL, server->crypto->devId);
+ NULL, server->defaultDevId);
}
/* compare digest to M3 */
if (ret == 0 && memcmp(req.messageThree, cmacOutput, field) != 0) {
@@ -518,7 +518,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
}
/* decrypt messageTwo */
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
if (ret == 0) {
ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -611,7 +611,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
meta->len + sizeof(_SHE_KEY_UPDATE_ENC_C), tmpKey);
}
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
if (ret == 0) {
ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -651,7 +651,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
ret = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.messageFive,
(word32*)&field, resp.messageFour,
sizeof(resp.messageFour), tmpKey,
- WH_SHE_KEY_SZ, NULL, server->crypto->devId);
+ WH_SHE_KEY_SZ, NULL, server->defaultDevId);
}
if (ret == 0) {
/* mark if the ram key was loaded */
@@ -764,7 +764,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
}
/* encrypt M2 with K1 */
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
if (ret == 0) {
ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -798,7 +798,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
ret = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.messageThree,
(word32*)&field, cmacInput,
sizeof(cmacInput), tmpKey, WH_SHE_KEY_SZ,
- NULL, server->crypto->devId);
+ NULL, server->defaultDevId);
}
if (ret == 0) {
/* copy the ram key to kdfInput */
@@ -812,7 +812,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
}
/* set K3 as encryption key */
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
if (ret == 0) {
ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -850,7 +850,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
ret = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.messageFive,
(word32*)&field, resp.messageFour,
sizeof(resp.messageFour), tmpKey,
- WH_SHE_KEY_SZ, NULL, server->crypto->devId);
+ WH_SHE_KEY_SZ, NULL, server->defaultDevId);
}
resp.rc = _TranslateSheReturnCode(ret);
@@ -914,7 +914,7 @@ static int _InitRnd(whServerContext* server, uint16_t magic, uint16_t req_size,
}
/* set up aes */
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
if (ret == 0) {
ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -979,7 +979,7 @@ static int _Rnd(whServerContext* server, uint16_t magic, uint16_t req_size,
/* set up aes */
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
/* use PRNG_KEY as the encryption key */
@@ -1105,7 +1105,7 @@ static int _EncEcb(whServerContext* server, uint16_t magic, uint16_t req_size,
WH_MAKE_KEYID(WH_KEYTYPE_SHE, server->comm->client_id, req.keyId), NULL,
tmpKey, &keySz);
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
else {
ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1164,7 +1164,7 @@ static int _EncCbc(whServerContext* server, uint16_t magic, uint16_t req_size,
tmpKey, &keySz);
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
else {
ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1229,7 +1229,7 @@ static int _DecEcb(whServerContext* server, uint16_t magic, uint16_t req_size,
WH_MAKE_KEYID(WH_KEYTYPE_SHE, server->comm->client_id, req.keyId), NULL,
tmpKey, &keySz);
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
else {
ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1293,7 +1293,7 @@ static int _DecCbc(whServerContext* server, uint16_t magic, uint16_t req_size,
tmpKey, &keySz);
if (ret == 0) {
- ret = wc_AesInit(server->she->sheAes, NULL, server->crypto->devId);
+ ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
}
else {
ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1355,7 +1355,7 @@ static int _GenerateMac(whServerContext* server, uint16_t magic,
if (ret == 0) {
ret = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.mac,
(word32*)&field, in, req.sz, tmpKey,
- WH_SHE_KEY_SZ, NULL, server->crypto->devId);
+ WH_SHE_KEY_SZ, NULL, server->defaultDevId);
}
else {
ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1399,7 +1399,7 @@ static int _VerifyMac(whServerContext* server, uint16_t magic,
if (ret == 0) {
ret = wc_AesCmacVerify_ex(server->she->sheCmac, mac, req.macLen,
message, req.messageLen, tmpKey, keySz, NULL,
- server->crypto->devId);
+ server->defaultDevId);
/* only evaluate if key was found */
if (ret == 0) {
resp.status = 0;
diff --git a/test/wh_test.c b/test/wh_test.c
index 3fd9a1bb5..c97a36897 100644
--- a/test/wh_test.c
+++ b/test/wh_test.c
@@ -42,6 +42,7 @@
#include "wh_test_log.h"
#include "wh_test_lock.h"
#include "wh_test_posix_threadsafe_stress.h"
+#include "wh_test_crypto_affinity.h"
#if defined(WOLFHSM_CFG_CERTIFICATE_MANAGER)
#include "wh_test_cert.h"
@@ -93,6 +94,10 @@ int whTest_Unit(void)
/* Crypto Tests */
WH_TEST_ASSERT(0 == whTest_Crypto());
+#ifdef WOLF_CRYPTO_CB
+ WH_TEST_ASSERT(0 == whTest_CryptoAffinity());
+#endif
+
#if defined(WOLFHSM_CFG_SERVER_IMG_MGR) && !defined(WOLFHSM_CFG_NO_CRYPTO)
/* Image Manager Tests */
WH_TEST_ASSERT(0 == whTest_ServerImgMgr(WH_NVM_TEST_BACKEND_FLASH));
diff --git a/test/wh_test_cert.c b/test/wh_test_cert.c
index 04250c77c..ede3a0b4a 100644
--- a/test/wh_test_cert.c
+++ b/test/wh_test_cert.c
@@ -625,9 +625,7 @@ int whTest_CertRamSim(whTestNvmBackendType nvmType)
whTest_NvmCfgBackend(nvmType, &nvm_setup, n_conf, fc_conf, fc, fcb));
#ifndef WOLFHSM_CFG_NO_CRYPTO
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#endif
whServerConfig s_conf[1] = {{
@@ -644,7 +642,7 @@ int whTest_CertRamSim(whTestNvmBackendType nvmType)
WH_TEST_RETURN_ON_FAIL(wh_Nvm_Init(nvm, n_conf));
#ifndef WOLFHSM_CFG_NO_CRYPTO
WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
- WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, crypto->devId));
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
#endif
/* Run certificate configuration tests */
diff --git a/test/wh_test_check_struct_padding.c b/test/wh_test_check_struct_padding.c
index 530b3e7ef..36af5c7b8 100644
--- a/test/wh_test_check_struct_padding.c
+++ b/test/wh_test_check_struct_padding.c
@@ -27,10 +27,11 @@
#include "wolfhsm/wh_message_comm.h"
-whMessageComm_ErrorResponse whMessageComm_ErrorResponse_test;
-whMessageCommInitRequest whMessageCommInitRequest_test;
-whMessageCommInitResponse whMessageCommInitResponse_test;
-whMessageCommInfoResponse whMessageCommInfoResponse_test;
+whMessageComm_ErrorResponse whMessageComm_ErrorResponse_test;
+whMessageCommInitRequest whMessageCommInitRequest_test;
+whMessageCommInitResponse whMessageCommInitResponse_test;
+whMessageCommInfoResponse whMessageCommInfoResponse_test;
+
#include "wolfhsm/wh_message_customcb.h"
whMessageCustomCb_Request whMessageCustomCb_Request_test;
diff --git a/test/wh_test_clientserver.c b/test/wh_test_clientserver.c
index 56107adb7..00cd19bb8 100644
--- a/test/wh_test_clientserver.c
+++ b/test/wh_test_clientserver.c
@@ -623,9 +623,7 @@ int whTest_ClientServerSequential(whTestNvmBackendType nvmType)
whTest_NvmCfgBackend(nvmType, &nvm_setup, n_conf, fc_conf, fc, fcb));
#ifndef WOLFHSM_CFG_NO_CRYPTO
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#endif
whServerConfig s_conf[1] = {{
@@ -644,7 +642,7 @@ int whTest_ClientServerSequential(whTestNvmBackendType nvmType)
#ifndef WOLFHSM_CFG_NO_CRYPTO
WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
- WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, crypto->devId));
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
#endif
WH_TEST_RETURN_ON_FAIL(wh_Nvm_Init(nvm, n_conf));
@@ -1613,9 +1611,7 @@ static int wh_ClientServer_MemThreadTest(whTestNvmBackendType nvmType)
#ifndef WOLFHSM_CFG_NO_CRYPTO
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#endif
@@ -1632,7 +1628,7 @@ static int wh_ClientServer_MemThreadTest(whTestNvmBackendType nvmType)
#ifndef WOLFHSM_CFG_NO_CRYPTO
WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
- WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, crypto->devId));
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
#endif
_whClientServerThreadTest(c_conf, s_conf);
@@ -1698,9 +1694,7 @@ static int wh_ClientServer_PosixMemMapThreadTest(whTestNvmBackendType nvmType)
#ifndef WOLFHSM_CFG_NO_CRYPTO
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#endif
whServerConfig s_conf[1] = {{
@@ -1715,7 +1709,7 @@ static int wh_ClientServer_PosixMemMapThreadTest(whTestNvmBackendType nvmType)
#ifndef WOLFHSM_CFG_NO_CRYPTO
WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
- WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, crypto->devId));
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
#endif
_whClientServerThreadTest(c_conf, s_conf);
diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c
index 93851fc01..29bb64c21 100644
--- a/test/wh_test_crypto.c
+++ b/test/wh_test_crypto.c
@@ -5721,9 +5721,7 @@ static int wh_ClientServer_MemThreadTest(whTestNvmBackendType nvmType)
whTest_NvmCfgBackend(nvmType, &nvm_setup, n_conf, fc_conf, fc, fcb));
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
whServerConfig s_conf[1] = {{
@@ -5737,7 +5735,7 @@ static int wh_ClientServer_MemThreadTest(whTestNvmBackendType nvmType)
ret = wolfCrypt_Init();
if (ret == 0) {
- ret = wc_InitRng_ex(crypto->rng, NULL, crypto->devId);
+ ret = wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID);
if (ret != 0) {
WH_ERROR_PRINT("Failed to initialize wolfCrypt rng: %d\n", ret);
}
diff --git a/test/wh_test_crypto_affinity.c b/test/wh_test_crypto_affinity.c
new file mode 100644
index 000000000..1d5e5e0e8
--- /dev/null
+++ b/test/wh_test_crypto_affinity.c
@@ -0,0 +1,459 @@
+/*
+ * Copyright (C) 2024 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+/*
+ * test/wh_test_crypto_affinity.c
+ *
+ * Tests for the crypto affinity API. Affinity is now client-local state
+ * transmitted per-message in the generic crypto header. No round-trip
+ * to the server is required to set or get the affinity.
+ */
+
+#include "wolfhsm/wh_settings.h"
+
+/* Only compile if we have crypto, client, server, and crypto callbacks */
+#if !defined(WOLFHSM_CFG_NO_CRYPTO) && defined(WOLF_CRYPTO_CB)
+
+#include
+#include
+#include
+
+#include "wolfssl/wolfcrypt/settings.h"
+#include "wolfssl/wolfcrypt/types.h"
+#include "wolfssl/wolfcrypt/cryptocb.h"
+#include "wolfssl/wolfcrypt/random.h"
+
+#include "wolfhsm/wh_error.h"
+#include "wolfhsm/wh_common.h"
+#include "wolfhsm/wh_comm.h"
+#include "wolfhsm/wh_transport_mem.h"
+#include "wolfhsm/wh_client.h"
+#include "wolfhsm/wh_server.h"
+#include "wolfhsm/wh_nvm.h"
+#include "wolfhsm/wh_nvm_flash.h"
+#include "wolfhsm/wh_flash_ramsim.h"
+
+#include "wh_test_common.h"
+#include "wh_test_crypto_affinity.h"
+
+#define BUFFER_SIZE 4096
+#define FLASH_RAM_SIZE (1024 * 1024)
+#define FLASH_SECTOR_SIZE (128 * 1024)
+#define FLASH_PAGE_SIZE (8)
+#define TEST_DEV_ID 0xCA
+
+/* Counter to track how many times the crypto callback is invoked */
+static int cryptoCbInvokeCount = 0;
+
+static whServerContext* cryptoAffinityTestServerCtx = NULL;
+
+/* Test crypto callback that just increments a counter and returns
+ * CRYPTOCB_UNAVAILABLE to fall back to software */
+static int _testCryptoCb(int devId, wc_CryptoInfo* info, void* ctx)
+{
+ (void)devId;
+ (void)info;
+ (void)ctx;
+
+ cryptoCbInvokeCount++;
+
+ /* Return CRYPTOCB_UNAVAILABLE to indicate we don't handle this operation
+ * and wolfCrypt should fall back to software implementation */
+ return CRYPTOCB_UNAVAILABLE;
+}
+
+static int _cryptoAffinityTestConnectCb(void* context,
+ whCommConnected connected)
+{
+ (void)context;
+
+ if (cryptoAffinityTestServerCtx == NULL) {
+ WH_ERROR_PRINT("Client connect callback server context is NULL\n");
+ WH_TEST_ASSERT_RETURN(0);
+ }
+
+ /* Set server connect flag. In a "real" system, this should signal the
+ * server via out-of-band mechanism. The server app is responsible for
+ * receiving this signal and calling wh_Server_SetConnected() */
+ return wh_Server_SetConnected(cryptoAffinityTestServerCtx, connected);
+}
+
+
+static int whTest_CryptoAffinityWithCb(void)
+{
+ int rc = 0;
+ uint32_t affinity = 0;
+
+ /* Transport memory configuration */
+ uint8_t req[BUFFER_SIZE] = {0};
+ uint8_t resp[BUFFER_SIZE] = {0};
+ whTransportMemConfig tmcf[1] = {{
+ .req = (whTransportMemCsr*)req,
+ .req_size = sizeof(req),
+ .resp = (whTransportMemCsr*)resp,
+ .resp_size = sizeof(resp),
+ }};
+
+ /* Client configuration/contexts */
+ whTransportClientCb tccb[1] = {WH_TRANSPORT_MEM_CLIENT_CB};
+ whTransportMemClientContext tmcc[1] = {0};
+ whCommClientConfig cc_conf[1] = {{
+ .transport_cb = tccb,
+ .transport_context = (void*)tmcc,
+ .transport_config = (void*)tmcf,
+ .client_id = 1,
+ .connect_cb = _cryptoAffinityTestConnectCb,
+ }};
+ whClientConfig c_conf[1] = {{
+ .comm = cc_conf,
+ }};
+ whClientContext client[1] = {0};
+
+ /* Server configuration/contexts */
+ whTransportServerCb tscb[1] = {WH_TRANSPORT_MEM_SERVER_CB};
+ whTransportMemServerContext tmsc[1] = {0};
+ whCommServerConfig cs_conf[1] = {{
+ .transport_cb = tscb,
+ .transport_context = (void*)tmsc,
+ .transport_config = (void*)tmcf,
+ .server_id = 123,
+ }};
+
+ /* Flash/NVM configuration */
+ uint8_t flash_memory[FLASH_RAM_SIZE] = {0};
+ whFlashRamsimCtx fc[1] = {0};
+ whFlashRamsimCfg fc_conf[1] = {{
+ .size = FLASH_RAM_SIZE,
+ .sectorSize = FLASH_SECTOR_SIZE,
+ .pageSize = FLASH_PAGE_SIZE,
+ .erasedByte = ~(uint8_t)0,
+ .memory = flash_memory,
+ }};
+ const whFlashCb fcb[1] = {WH_FLASH_RAMSIM_CB};
+
+ whNvmFlashContext nfc[1] = {0};
+ whNvmFlashConfig nf_conf[1] = {{
+ .cb = fcb,
+ .context = fc,
+ .config = fc_conf,
+ }};
+
+
+ whNvmCb nfcb[1] = {WH_NVM_FLASH_CB};
+ whNvmConfig n_conf[1] = {{
+ .cb = nfcb,
+ .context = nfc,
+ .config = nf_conf,
+ }};
+ whNvmContext nvm[1] = {0};
+
+ /* Crypto context */
+ whServerCryptoContext crypto[1] = {0};
+
+ whServerConfig s_conf[1] = {{
+ .comm_config = cs_conf,
+ .nvm = nvm,
+ .crypto = crypto,
+ .devId = TEST_DEV_ID,
+ }};
+ whServerContext server[1] = {0};
+
+ cryptoAffinityTestServerCtx = server;
+
+ WH_TEST_PRINT(" whTest_CryptoAffinityWithCb...");
+
+ /* Initialize wolfCrypt and register our test crypto callback */
+ WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
+ WH_TEST_RETURN_ON_FAIL(
+ wc_CryptoCb_RegisterDevice(TEST_DEV_ID, _testCryptoCb, NULL));
+
+ /* Initialize NVM */
+ WH_TEST_RETURN_ON_FAIL(wh_Nvm_Init(nvm, n_conf));
+
+ /* Initialize RNG */
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
+
+ /* Initialize server and client */
+ WH_TEST_RETURN_ON_FAIL(wh_Server_Init(server, s_conf));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_Init(client, c_conf));
+
+ /* Check that the server side is ready to recv */
+ WH_TEST_ASSERT_RETURN(WH_ERROR_NOTREADY ==
+ wh_Server_HandleRequestMessage(server));
+
+ /* Send comm init */
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommInitRequest(client));
+ WH_TEST_RETURN_ON_FAIL(wh_Server_HandleRequestMessage(server));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommInitResponse(client, NULL, NULL));
+
+ /* Verify server initial state - defaultDevId should be set */
+ WH_TEST_ASSERT_RETURN(server->defaultDevId == TEST_DEV_ID);
+
+ /* Test 1: Default affinity after init should be HW (0) */
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_HW);
+
+ /* Test 2: Set HW affinity - local only, no round-trip */
+ rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_SW);
+
+ /* Test 3: Restore HW affinity */
+ rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_HW);
+
+ /* Test 4: Invalid affinity returns WH_ERROR_BADARGS */
+ rc = wh_Client_SetCryptoAffinity(client, 0xFF);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_BADARGS);
+ /* Affinity should remain unchanged */
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_HW);
+
+ /* Test 5: With HW affinity, crypto op triggers HW callback.
+ * Set HW affinity, then use the wolfHSM client devId to do a crypto op.
+ * The server should see affinity=HW in the message and use the HW devId. */
+ cryptoCbInvokeCount = 0;
+ rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+
+ {
+ WC_RNG testRng[1];
+ uint8_t randomBytes[16];
+ /* Use the HW devId directly to verify the crypto callback is invoked */
+ rc = wc_InitRng_ex(testRng, NULL, TEST_DEV_ID);
+ if (rc == 0) {
+ (void)wc_RNG_GenerateBlock(testRng, randomBytes,
+ sizeof(randomBytes));
+ wc_FreeRng(testRng);
+ }
+ }
+ /* Crypto callback should have been invoked at least once */
+ WH_TEST_ASSERT_RETURN(cryptoCbInvokeCount > 0);
+
+ /* Test 6: With SW affinity, same devId does NOT trigger HW callback */
+ cryptoCbInvokeCount = 0;
+ rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+
+ {
+ WC_RNG testRng[1];
+ uint8_t randomBytes[16];
+ /* Use INVALID_DEVID (SW) - callback should NOT be invoked */
+ rc = wc_InitRng_ex(testRng, NULL, INVALID_DEVID);
+ if (rc == 0) {
+ (void)wc_RNG_GenerateBlock(testRng, randomBytes,
+ sizeof(randomBytes));
+ wc_FreeRng(testRng);
+ }
+ }
+ /* Crypto callback should NOT have been invoked */
+ WH_TEST_ASSERT_RETURN(cryptoCbInvokeCount == 0);
+
+ /* Test 7: NULL args validation */
+ rc = wh_Client_SetCryptoAffinity(NULL, WH_CRYPTO_AFFINITY_SW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_BADARGS);
+ rc = wh_Client_GetCryptoAffinity(NULL, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_BADARGS);
+ rc = wh_Client_GetCryptoAffinity(client, NULL);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_BADARGS);
+
+ /* Cleanup */
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommCloseRequest(client));
+ WH_TEST_RETURN_ON_FAIL(wh_Server_HandleRequestMessage(server));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommCloseResponse(client));
+
+ WH_TEST_RETURN_ON_FAIL(wh_Server_Cleanup(server));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_Cleanup(client));
+
+ wc_FreeRng(crypto->rng);
+ wh_Nvm_Cleanup(nvm);
+ wc_CryptoCb_UnRegisterDevice(TEST_DEV_ID);
+ wolfCrypt_Cleanup();
+
+ WH_TEST_PRINT("PASS\n");
+ return WH_ERROR_OK;
+}
+
+
+static int whTest_CryptoAffinityNoCb(void)
+{
+ int rc = 0;
+ uint32_t affinity = 0;
+
+ /* Transport memory configuration */
+ uint8_t req[BUFFER_SIZE] = {0};
+ uint8_t resp[BUFFER_SIZE] = {0};
+ whTransportMemConfig tmcf[1] = {{
+ .req = (whTransportMemCsr*)req,
+ .req_size = sizeof(req),
+ .resp = (whTransportMemCsr*)resp,
+ .resp_size = sizeof(resp),
+ }};
+
+ /* Client configuration/contexts */
+ whTransportClientCb tccb[1] = {WH_TRANSPORT_MEM_CLIENT_CB};
+ whTransportMemClientContext tmcc[1] = {0};
+ whCommClientConfig cc_conf[1] = {{
+ .transport_cb = tccb,
+ .transport_context = (void*)tmcc,
+ .transport_config = (void*)tmcf,
+ .client_id = 1,
+ .connect_cb = _cryptoAffinityTestConnectCb,
+ }};
+ whClientConfig c_conf[1] = {{
+ .comm = cc_conf,
+ }};
+ whClientContext client[1] = {0};
+
+ /* Server configuration/contexts */
+ whTransportServerCb tscb[1] = {WH_TRANSPORT_MEM_SERVER_CB};
+ whTransportMemServerContext tmsc[1] = {0};
+ whCommServerConfig cs_conf[1] = {{
+ .transport_cb = tscb,
+ .transport_context = (void*)tmsc,
+ .transport_config = (void*)tmcf,
+ .server_id = 123,
+ }};
+
+ /* Flash/NVM configuration */
+ uint8_t flash_memory[FLASH_RAM_SIZE] = {0};
+ whFlashRamsimCtx fc[1] = {0};
+ whFlashRamsimCfg fc_conf[1] = {{
+ .size = FLASH_RAM_SIZE,
+ .sectorSize = FLASH_SECTOR_SIZE,
+ .pageSize = FLASH_PAGE_SIZE,
+ .erasedByte = ~(uint8_t)0,
+ .memory = flash_memory,
+ }};
+ const whFlashCb fcb[1] = {WH_FLASH_RAMSIM_CB};
+
+ whNvmFlashContext nfc[1] = {0};
+ whNvmFlashConfig nf_conf[1] = {{
+ .cb = fcb,
+ .context = fc,
+ .config = fc_conf,
+ }};
+
+
+ whNvmCb nfcb[1] = {WH_NVM_FLASH_CB};
+ whNvmConfig n_conf[1] = {{
+ .cb = nfcb,
+ .context = nfc,
+ .config = nf_conf,
+ }};
+ whNvmContext nvm[1] = {0};
+
+ /* Crypto context */
+ whServerCryptoContext crypto[1] = {0};
+
+ whServerConfig s_conf[1] = {{
+ .comm_config = cs_conf,
+ .nvm = nvm,
+ .crypto = crypto,
+ .devId = INVALID_DEVID,
+ }};
+ whServerContext server[1] = {0};
+
+ cryptoAffinityTestServerCtx = server;
+
+ WH_TEST_PRINT(" whTest_CryptoAffinityNoCb...");
+
+ /* Initialize wolfCrypt */
+ WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
+
+ /* Initialize NVM */
+ WH_TEST_RETURN_ON_FAIL(wh_Nvm_Init(nvm, n_conf));
+
+ /* Initialize RNG */
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
+
+ /* Initialize server and client */
+ WH_TEST_RETURN_ON_FAIL(wh_Server_Init(server, s_conf));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_Init(client, c_conf));
+
+ /* Check that the server side is ready to recv */
+ WH_TEST_ASSERT_RETURN(WH_ERROR_NOTREADY ==
+ wh_Server_HandleRequestMessage(server));
+
+ /* Send comm init */
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommInitRequest(client));
+ WH_TEST_RETURN_ON_FAIL(wh_Server_HandleRequestMessage(server));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommInitResponse(client, NULL, NULL));
+
+ /* Verify server configured with INVALID_DEVID */
+ WH_TEST_ASSERT_RETURN(server->defaultDevId == INVALID_DEVID);
+
+ /* Test 1: Default affinity should be HW */
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_HW);
+
+ /* Test 2: Set SW affinity - should succeed */
+ rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_SW);
+
+ /* Test 3: Set HW affinity on client side succeeds (it's just local state).
+ * But when the server processes a request with HW affinity and no valid
+ * defaultDevId, it will use INVALID_DEVID (SW) anyway. */
+ rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+
+ rc = wh_Client_GetCryptoAffinity(client, &affinity);
+ WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
+ WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_HW);
+
+ /* Cleanup */
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommCloseRequest(client));
+ WH_TEST_RETURN_ON_FAIL(wh_Server_HandleRequestMessage(server));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_CommCloseResponse(client));
+
+ WH_TEST_RETURN_ON_FAIL(wh_Server_Cleanup(server));
+ WH_TEST_RETURN_ON_FAIL(wh_Client_Cleanup(client));
+
+ wc_FreeRng(crypto->rng);
+ wh_Nvm_Cleanup(nvm);
+ wolfCrypt_Cleanup();
+
+ WH_TEST_PRINT("PASS\n");
+ return WH_ERROR_OK;
+}
+
+
+int whTest_CryptoAffinity(void)
+{
+ WH_TEST_PRINT("Testing Crypto Affinity...\n");
+ WH_TEST_RETURN_ON_FAIL(whTest_CryptoAffinityWithCb());
+ WH_TEST_RETURN_ON_FAIL(whTest_CryptoAffinityNoCb());
+
+ return WH_ERROR_OK;
+}
+
+#endif /* !WOLFHSM_CFG_NO_CRYPTO && WOLF_CRYPTO_CB */
diff --git a/test/wh_test_crypto_affinity.h b/test/wh_test_crypto_affinity.h
new file mode 100644
index 000000000..8254c50f2
--- /dev/null
+++ b/test/wh_test_crypto_affinity.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2024 wolfSSL Inc.
+ *
+ * This file is part of wolfHSM.
+ *
+ * wolfHSM is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfHSM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with wolfHSM. If not, see .
+ */
+#ifndef WH_TEST_CRYPTO_AFFINITY_H_
+#define WH_TEST_CRYPTO_AFFINITY_H_
+
+int whTest_CryptoAffinity(void);
+
+#endif /* WH_TEST_CRYPTO_AFFINITY_H_ */
diff --git a/test/wh_test_log.c b/test/wh_test_log.c
index e58a4ea68..eeea1b843 100644
--- a/test/wh_test_log.c
+++ b/test/wh_test_log.c
@@ -1487,9 +1487,7 @@ static int whTest_LogClientServerMemTransport(void)
WH_NVM_TEST_BACKEND_FLASH, &nvm_setup, n_conf, fc_conf, fc, fcb));
#ifndef WOLFHSM_CFG_NO_CRYPTO
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
#endif
posixLogFileContext posixCtx[1] = {0};
@@ -1519,7 +1517,7 @@ static int whTest_LogClientServerMemTransport(void)
#ifndef WOLFHSM_CFG_NO_CRYPTO
WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
- WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, crypto->devId));
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
#endif
_whLogClientServerThreadTest(c_conf, s_conf);
diff --git a/test/wh_test_multiclient.c b/test/wh_test_multiclient.c
index 54114cf66..8e54e9e64 100644
--- a/test/wh_test_multiclient.c
+++ b/test/wh_test_multiclient.c
@@ -1502,8 +1502,8 @@ static int whTest_MultiClientSequential(void)
#if !defined(WOLFHSM_CFG_NO_CRYPTO)
/* Crypto contexts for both servers */
- whServerCryptoContext crypto1[1] = {{.devId = INVALID_DEVID}};
- whServerCryptoContext crypto2[1] = {{.devId = INVALID_DEVID}};
+ whServerCryptoContext crypto1[1] = {0};
+ whServerCryptoContext crypto2[1] = {0};
#endif
/* Server 1 configuration */
@@ -1561,11 +1561,11 @@ static int whTest_MultiClientSequential(void)
#if !defined(WOLFHSM_CFG_NO_CRYPTO)
/* Initialize RNGs */
- ret = wc_InitRng_ex(crypto1->rng, NULL, crypto1->devId);
+ ret = wc_InitRng_ex(crypto1->rng, NULL, INVALID_DEVID);
if (ret != 0)
return ret;
- ret = wc_InitRng_ex(crypto2->rng, NULL, crypto2->devId);
+ ret = wc_InitRng_ex(crypto2->rng, NULL, INVALID_DEVID);
if (ret != 0)
return ret;
#endif
diff --git a/test/wh_test_posix_threadsafe_stress.c b/test/wh_test_posix_threadsafe_stress.c
index fb4c6a0fc..e66db7e16 100644
--- a/test/wh_test_posix_threadsafe_stress.c
+++ b/test/wh_test_posix_threadsafe_stress.c
@@ -641,11 +641,8 @@ static int initClientServerPair(StressTestContext* ctx, int pairIndex)
pair->serverCommConfig.transport_config = &pair->tmConfig;
pair->serverCommConfig.server_id = (uint16_t)(200 + pairIndex);
- /* Configure crypto context */
- pair->cryptoCtx.devId = INVALID_DEVID;
-
/* Initialize RNG for this server */
- rc = wc_InitRng_ex(pair->cryptoCtx.rng, NULL, pair->cryptoCtx.devId);
+ rc = wc_InitRng_ex(pair->cryptoCtx.rng, NULL, INVALID_DEVID);
if (rc != 0) {
WH_ERROR_PRINT("Failed to init RNG for pair %d: %d\n", pairIndex, rc);
return rc;
diff --git a/test/wh_test_server_img_mgr.c b/test/wh_test_server_img_mgr.c
index dbd4e1484..986b2fe90 100644
--- a/test/wh_test_server_img_mgr.c
+++ b/test/wh_test_server_img_mgr.c
@@ -1236,9 +1236,7 @@ int whTest_ServerImgMgr(whTestNvmBackendType nvmType)
WH_TEST_RETURN_ON_FAIL(
whTest_NvmCfgBackend(nvmType, &nvm_setup, n_conf, fc_conf, fc, fcb));
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
whServerConfig s_conf[1] = {{
.comm_config = cs_conf,
diff --git a/test/wh_test_she.c b/test/wh_test_she.c
index ea918fcd9..d12b8fe82 100644
--- a/test/wh_test_she.c
+++ b/test/wh_test_she.c
@@ -563,9 +563,7 @@ static int wh_ClientServer_MemThreadTest(void)
whNvmContext nvm[1] = {{0}};
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
whServerSheContext she[1];
memset(she, 0, sizeof(she));
@@ -581,7 +579,7 @@ static int wh_ClientServer_MemThreadTest(void)
WH_TEST_RETURN_ON_FAIL(wh_Nvm_Init(nvm, n_conf));
WH_TEST_RETURN_ON_FAIL(wolfCrypt_Init());
- WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, crypto->devId));
+ WH_TEST_RETURN_ON_FAIL(wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID));
_whClientServerThreadTest(c_conf, s_conf);
diff --git a/test/wh_test_wolfcrypt_test.c b/test/wh_test_wolfcrypt_test.c
index fbe74d58c..f1db0ca7c 100644
--- a/test/wh_test_wolfcrypt_test.c
+++ b/test/wh_test_wolfcrypt_test.c
@@ -240,9 +240,7 @@ static int wh_ClientServer_MemThreadTest(void)
whNvmContext nvm[1] = {{0}};
/* Crypto context */
- whServerCryptoContext crypto[1] = {{
- .devId = INVALID_DEVID,
- }};
+ whServerCryptoContext crypto[1] = {0};
whServerConfig s_conf[1] = {{
.comm_config = cs_conf,
@@ -254,7 +252,7 @@ static int wh_ClientServer_MemThreadTest(void)
ret = wolfCrypt_Init();
if (ret == 0) {
- ret = wc_InitRng_ex(crypto->rng, NULL, crypto->devId);
+ ret = wc_InitRng_ex(crypto->rng, NULL, INVALID_DEVID);
if (ret != 0) {
WH_ERROR_PRINT("Failed to initialize wolfCrypt rng: %d\n", ret);
}
diff --git a/wolfhsm/wh_client.h b/wolfhsm/wh_client.h
index 2990ed297..b65626ca6 100644
--- a/wolfhsm/wh_client.h
+++ b/wolfhsm/wh_client.h
@@ -48,6 +48,7 @@
/* Component includes */
#include "wolfhsm/wh_comm.h"
+#include "wolfhsm/wh_message_comm.h"
#include "wolfhsm/wh_message_customcb.h"
#ifdef WOLFHSM_CFG_DMA
#include "wolfhsm/wh_dma.h"
@@ -108,6 +109,7 @@ typedef struct {
struct whClientContext_t {
uint16_t last_req_id;
uint16_t last_req_kind;
+ uint32_t cryptoAffinity;
#ifdef WOLFHSM_CFG_DMA
whClientDmaContext dma;
#endif /* WOLFHSM_CFG_DMA */
@@ -336,6 +338,28 @@ int wh_Client_CommInfo(whClientContext* c,
uint32_t *out_lifecycle_state,
uint32_t *out_nvm_state);
+/**
+ * @brief Sets the crypto affinity on the client context.
+ *
+ * Affinity is stored locally and transmitted per-message in every crypto
+ * request. No round-trip to the server is required.
+ *
+ * @param[in] c Pointer to the client context.
+ * @param[in] affinity Requested crypto affinity (WH_CRYPTO_AFFINITY_SW or
+ * WH_CRYPTO_AFFINITY_HW).
+ * @return int Returns 0 on success, or WH_ERROR_BADARGS on invalid input.
+ */
+int wh_Client_SetCryptoAffinity(whClientContext* c, uint32_t affinity);
+
+/**
+ * @brief Gets the current crypto affinity from the client context.
+ *
+ * @param[in] c Pointer to the client context.
+ * @param[out] out_affinity Pointer to store the current crypto affinity.
+ * @return int Returns 0 on success, or WH_ERROR_BADARGS on invalid input.
+ */
+int wh_Client_GetCryptoAffinity(whClientContext* c, uint32_t* out_affinity);
+
/**
* @brief Sends a communication close request to the server.
*
diff --git a/wolfhsm/wh_common.h b/wolfhsm/wh_common.h
index 6d60c5d2d..2cfe3e5ea 100644
--- a/wolfhsm/wh_common.h
+++ b/wolfhsm/wh_common.h
@@ -140,4 +140,9 @@ typedef uint16_t whCertFlags;
#define WH_KEYWRAP_AES_GCM_HEADER_SIZE \
(WH_KEYWRAP_AES_GCM_IV_SIZE + WH_KEYWRAP_AES_GCM_TAG_SIZE)
+enum WH_CRYPTO_AFFINITY_ENUM {
+ WH_CRYPTO_AFFINITY_HW = 0,
+ WH_CRYPTO_AFFINITY_SW = 1,
+};
+
#endif /* !WOLFHSM_WH_COMMON_H_ */
diff --git a/wolfhsm/wh_message_crypto.h b/wolfhsm/wh_message_crypto.h
index 67ffd6479..10ab3f2aa 100644
--- a/wolfhsm/wh_message_crypto.h
+++ b/wolfhsm/wh_message_crypto.h
@@ -76,6 +76,7 @@ typedef struct {
whMessageCrypto_AlgoType algoSubType; /* Subtype, specific to algoType.
Right now only used for PQ algos */
#define WH_MESSAGE_CRYPTO_ALGO_SUBTYPE_NONE 0
+ uint32_t affinity; /* Crypto affinity for this request */
} whMessageCrypto_GenericRequestHeader;
/* Generic crypto response header message. This must always be the first element
@@ -83,6 +84,7 @@ typedef struct {
typedef struct {
whMessageCrypto_AlgoType algoType; /* Type of crypto operation */
int32_t rc; /* Return code */
+ uint32_t reserved; /* Reserved for future use */
} whMessageCrypto_GenericResponseHeader;
WH_UTILS_STATIC_ASSERT(
diff --git a/wolfhsm/wh_server.h b/wolfhsm/wh_server.h
index 6cf08d3d3..f9838ff85 100644
--- a/wolfhsm/wh_server.h
+++ b/wolfhsm/wh_server.h
@@ -66,7 +66,6 @@ typedef struct whServerContext_t whServerContext;
#ifndef WOLFHSM_CFG_NO_CRYPTO
typedef struct whServerCryptoContext {
- int devId;
#ifndef WC_NO_RNG
WC_RNG rng[1];
#endif
@@ -161,6 +160,7 @@ struct whServerContext_t {
whCommServer comm[1];
#ifndef WOLFHSM_CFG_NO_CRYPTO
whServerCryptoContext* crypto;
+ int defaultDevId;
whKeyCacheContext localCache; /* Unified cache structure */
#ifdef WOLFHSM_CFG_SHE_EXTENSION
whServerSheContext* she;