1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
/*!
\ingroup CryptoCb
\brief This function registers a unique device identifier (devID) and
callback function for offloading crypto operations to external
hardware such as Key Store, Secure Element, HSM, PKCS11 or TPM.
For STSAFE with Crypto Callbacks example see
wolfcrypt/src/port/st/stsafe.c and the wolfSSL_STSAFE_CryptoDevCb function.
For TPM based crypto callbacks example see the wolfTPM2_CryptoDevCb
function in wolfTPM src/tpm2_wrap.c
\return CRYPTOCB_UNAVAILABLE to fallback to using software crypto
\return 0 for success
\return negative value for failure
\param devId any unique value, not -2 (INVALID_DEVID)
\param cb a callback function with prototype:
typedef int (*CryptoDevCallbackFunc)(int devId, wc_CryptoInfo* info, void* ctx);
_Example_
\code
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/cryptocb.h>
static int myCryptoCb_Func(int devId, wc_CryptoInfo* info, void* ctx)
{
int ret = CRYPTOCB_UNAVAILABLE;
if (info->algo_type == WC_ALGO_TYPE_PK) {
#ifndef NO_RSA
if (info->pk.type == WC_PK_TYPE_RSA) {
switch (info->pk.rsa.type) {
case RSA_PUBLIC_ENCRYPT:
case RSA_PUBLIC_DECRYPT:
// RSA public op
ret = wc_RsaFunction(
info->pk.rsa.in, info->pk.rsa.inLen,
info->pk.rsa.out, info->pk.rsa.outLen,
info->pk.rsa.type, info->pk.rsa.key,
info->pk.rsa.rng);
break;
case RSA_PRIVATE_ENCRYPT:
case RSA_PRIVATE_DECRYPT:
// RSA private op
ret = wc_RsaFunction(
info->pk.rsa.in, info->pk.rsa.inLen,
info->pk.rsa.out, info->pk.rsa.outLen,
info->pk.rsa.type, info->pk.rsa.key,
info->pk.rsa.rng);
break;
}
}
#endif
#if defined(WC_RSA_PSS) && !defined(NO_RSA)
if (info->pk.type == WC_PK_TYPE_RSA_PSS) {
// RSA-PSS sign/verify
ret = wc_RsaPSS_Sign_ex(
info->pk.rsa.in, info->pk.rsa.inLen,
info->pk.rsa.out, *info->pk.rsa.outLen,
WC_HASH_TYPE_SHA256, WC_MGF1SHA256,
RSA_PSS_SALT_LEN_DEFAULT,
info->pk.rsa.key, info->pk.rsa.rng);
}
#endif
#ifdef HAVE_ECC
if (info->pk.type == WC_PK_TYPE_ECDSA_SIGN) {
// ECDSA
ret = wc_ecc_sign_hash(
info->pk.eccsign.in, info->pk.eccsign.inlen,
info->pk.eccsign.out, info->pk.eccsign.outlen,
info->pk.eccsign.rng, info->pk.eccsign.key);
}
#endif
#ifdef HAVE_ED25519
if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) {
// ED25519 sign
ret = wc_ed25519_sign_msg_ex(
info->pk.ed25519sign.in, info->pk.ed25519sign.inLen,
info->pk.ed25519sign.out, info->pk.ed25519sign.outLen,
info->pk.ed25519sign.key, info->pk.ed25519sign.type,
info->pk.ed25519sign.context,
info->pk.ed25519sign.contextLen);
}
#endif
}
return ret;
}
int devId = 1;
wc_CryptoCb_RegisterDevice(devId, myCryptoCb_Func, &myCtx);
wolfSSL_CTX_SetDevId(ctx, devId);
\endcode
\sa wc_CryptoCb_UnRegisterDevice
\sa wolfSSL_SetDevId
\sa wolfSSL_CTX_SetDevId
*/
int ;
/*!
\ingroup CryptoCb
\brief This function un-registers a unique device identifier (devID)
callback function.
\return none No returns.
\param devId any unique value, not -2 (INVALID_DEVID)
_Example_
\code
wc_CryptoCb_UnRegisterDevice(devId);
devId = INVALID_DEVID;
wolfSSL_CTX_SetDevId(ctx, devId);
\endcode
\sa wc_CryptoCb_RegisterDevice
\sa wolfSSL_SetDevId
\sa wolfSSL_CTX_SetDevId
*/
void ;
/*!
\ingroup CryptoCb
\brief This function returns the default device ID for crypto
callbacks. This is useful when you want to get the device ID that
was set as the default for the library.
\return The default device ID, or INVALID_DEVID if no default is set.
_Example_
\code
int devId = wc_CryptoCb_DefaultDevID();
if (devId != INVALID_DEVID) {
// default device ID is set
}
\endcode
\sa wc_CryptoCb_RegisterDevice
\sa wc_CryptoCb_UnRegisterDevice
*/
int ;
/*!
\ingroup CryptoCb
\brief This function sets a callback for finding crypto devices.
The callback is invoked when a device ID needs to be resolved to
a device context. This is useful for dynamic device management.
\return none No returns.
\param cb callback function with prototype:
typedef void* (*CryptoDevCallbackFind)(int devId);
_Example_
\code
void* myDeviceFindCb(int devId) {
// lookup device context by ID
return deviceContext;
}
wc_CryptoCb_SetDeviceFindCb(myDeviceFindCb);
\endcode
\sa wc_CryptoCb_RegisterDevice
*/
void ;
/*!
\ingroup CryptoCb
\brief This function converts a wc_CryptoInfo structure to a
human-readable string for debugging purposes. The string is printed
to stdout and describes the cryptographic operation being performed.
\return none No returns.
\param info pointer to the wc_CryptoInfo structure to convert
_Example_
\code
int myCryptoCb(int devId, wc_CryptoInfo* info, void* ctx) {
// print debug info about the operation
wc_CryptoCb_InfoString(info);
// handle the operation
return CRYPTOCB_UNAVAILABLE;
}
\endcode
\sa wc_CryptoCb_RegisterDevice
*/
void ;
/*!
\ingroup CryptoCb
\brief Import an AES key into a CryptoCB device for hardware offload.
This function allows AES keys to be handled by an external device
(e.g. Secure Element or HSM). When supported, the device callback stores
the key internally and sets an opaque handle in aes->devCtx.
When CryptoCB AES SetKey support is enabled
(WOLF_CRYPTO_CB_AES_SETKEY), wolfCrypt routes AES-GCM operations
through the CryptoCB interface.
**TLS Builds (Default):**
- Key bytes ARE stored in wolfCrypt memory (devKey) for fallback
- GCM tables ARE generated for software fallback
- Provides hardware acceleration with automatic fallback
**Crypto-Only Builds (--disable-tls):**
- Key bytes NOT stored in wolfCrypt memory (true key isolation)
- GCM tables skipped (true hardware offload)
- Callback must handle all GCM operations (SetKey, Encrypt, Decrypt, Free)
If the callback returns success (0), full AES-GCM offload is assumed.
The callback must handle SetKey, Encrypt, Decrypt, and Free operations.
\param aes AES context
\param key Pointer to raw AES key material
\param keySz Size of key in bytes
\return 0 on success
\return CRYPTOCB_UNAVAILABLE if device does not support this operation
\return BAD_FUNC_ARG on invalid parameters
_Example_
\code
#include <wolfssl/wolfcrypt/cryptocb.h>
#include <wolfssl/wolfcrypt/aes.h>
Aes aes;
byte key[32] = { /* 256-bit key */ };
int devId = 1;
/* Register your CryptoCB callback first */
;
;
/* wc_AesGcmSetKey internally calls wc_CryptoCb_AesSetKey */
if
\endcode
\sa wc_CryptoCb_RegisterDevice
\sa wc_AesInit
*/
int ;