wolfhsm/wh_client_crypto.h
Functions
| Name | |
|---|---|
| int | wh_Client_RngGenerate(whClientContext * ctx, uint8_t * out, uint32_t size) Generate random bytes. |
| int | wh_Client_RngGenerateRequest(whClientContext * ctx, uint32_t size) Async request half of a non-DMA RNG generate. |
| int | wh_Client_RngGenerateResponse(whClientContext * ctx, uint8_t * out, uint32_t * inout_size) Async response half of a non-DMA RNG generate. |
| int | wh_Client_RngGenerateDma(whClientContext * ctx, uint8_t * out, uint32_t size) Generate random bytes using DMA. |
| int | wh_Client_RngGenerateDmaRequest(whClientContext * ctx, uint8_t * out, uint32_t size) Async request half of a DMA RNG generate. |
| int | wh_Client_RngGenerateDmaResponse(whClientContext * ctx) Async response half of a DMA RNG generate. |
| int | wh_Client_Curve25519SetKeyId(curve25519_key * key, whKeyId keyId) Associates a Curve25519 key with a specific key ID. |
| int | wh_Client_Curve25519GetKeyId(curve25519_key * key, whKeyId * outId) Gets the wolfHSM keyId being used by the wolfCrypt struct. |
| int | wh_Client_Curve25519ImportKey(whClientContext * ctx, curve25519_key * key, whKeyId * inout_keyId, whNvmFlags flags, uint16_t label_len, uint8_t * label) Imports wolfCrypt Curve25519 key as a raw byte array into the wolfHSM server key cache. |
| int | wh_Client_Curve25519ExportKey(whClientContext * ctx, whKeyId keyId, curve25519_key * key, uint16_t label_len, uint8_t * label) Exports a serialized curve25519 key from the wolfHSM server keycache and decodes it into the wolfCrypt curve25519 key structure. |
| int | wh_Client_Curve25519ExportPublicKey(whClientContext * ctx, whKeyId keyId, curve25519_key * key, uint16_t label_len, uint8_t * label) Exports only the public part of a cached Curve25519 key. |
| int | wh_Client_Curve25519MakeCacheKey(whClientContext * ctx, uint16_t size, whKeyId * inout_key_id, whNvmFlags flags, const uint8_t * label, uint16_t label_len) Generate a Curve25519 key in the server key cache. |
| int | wh_Client_Curve25519MakeExportKey(whClientContext * ctx, uint16_t size, curve25519_key * key) Generate a Curve25519 key by the server and export to the client. |
| int | wh_Client_Curve25519SharedSecret(whClientContext * ctx, curve25519_key * priv_key, curve25519_key * pub_key, int endian, uint8_t * out, uint16_t * out_size) Compute an X25519 shared secret using a public and private key. |
| int | wh_Client_EccSetKeyId(ecc_key * key, whKeyId keyId) Associates a Ecc key with a specific key ID. |
| int | wh_Client_EccGetKeyId(ecc_key * key, whKeyId * outId) Gets the wolfHSM keyId being used by the wolfCrypt struct. |
| int | wh_Client_EccImportKey(whClientContext * ctx, ecc_key * key, whKeyId * inout_keyId, whNvmFlags flags, uint16_t label_len, uint8_t * label) Imports a wolfCrypt ECC key as a DER-formatted blob into the wolfHSM server key cache. |
| int | wh_Client_EccExportKey(whClientContext * ctx, whKeyId keyId, ecc_key * key, uint16_t label_len, uint8_t * label) Exports a DER-formatted ECC key from the wolfHSM server keycache and decodes it into the wolfCrypt ECC key structure. |
| int | wh_Client_EccExportPublicKey(whClientContext * ctx, whKeyId keyId, ecc_key * key, uint16_t label_len, uint8_t * label) Exports only the public part of a cached ECC key. |
| int | wh_Client_EccMakeExportKey(whClientContext * ctx, int size, int curveId, ecc_key * key) Generate an ECC key pair on the server and export it to the client. |
| int | wh_Client_EccMakeCacheKey(whClientContext * ctx, int size, int curveId, whKeyId * inout_key_id, whNvmFlags flags, uint16_t label_len, uint8_t * label) Generate an ECC key pair in the server key cache. |
| int | wh_Client_EccSharedSecret(whClientContext * ctx, ecc_key * priv_key, ecc_key * pub_key, uint8_t * out, uint16_t * inout_size) Compute an ECDH shared secret using a public and private ECC key. |
| int | wh_Client_EccSign(whClientContext * ctx, ecc_key * key, const uint8_t * hash, uint16_t hash_len, uint8_t * sig, uint16_t * inout_sig_len) Generate an ECDSA signature of the provided hash on the server. |
| int | wh_Client_EccVerify(whClientContext * ctx, ecc_key * key, const uint8_t * sig, uint16_t sig_len, const uint8_t * hash, uint16_t hash_len, int * out_res) Verify an ECDSA signature of the provided hash on the server. |
| int | wh_Client_EccSignRequest(whClientContext * ctx, whKeyId keyId, const uint8_t * hash, uint16_t hash_len) Async request half of an ECC sign operation. |
| int | wh_Client_EccSignResponse(whClientContext * ctx, uint8_t * sig, uint16_t * inout_sig_len) Async response half of an ECC sign operation. |
| int | wh_Client_EccVerifyRequest(whClientContext * ctx, whKeyId keyId, const uint8_t * sig, uint16_t sig_len, const uint8_t * hash, uint16_t hash_len) Async request half of an ECC verify operation. |
| int | wh_Client_EccVerifyResponse(whClientContext * ctx, ecc_key * opt_key, int * out_res) Async response half of an ECC verify operation. |
| int | wh_Client_EccSharedSecretRequest(whClientContext * ctx, whKeyId prv_key_id, whKeyId pub_key_id) Async request half of an ECDH shared-secret operation. |
| int | wh_Client_EccSharedSecretResponse(whClientContext * ctx, uint8_t * out, uint16_t * inout_size) Async response half of an ECDH shared-secret operation. |
| int | wh_Client_EccMakeCacheKeyRequest(whClientContext * ctx, int size, int curveId, whKeyId key_id, whNvmFlags flags, uint16_t label_len, uint8_t * label) Async request half of an ECC server-side keygen that caches the new key in the server. |
| int | wh_Client_EccMakeCacheKeyResponse(whClientContext * ctx, whKeyId * out_key_id) Async response half of an ECC server-side keygen that caches the new key in the server. |
| int | wh_Client_EccMakeExportKeyRequest(whClientContext * ctx, int size, int curveId) Async request half of an ECC server-side keygen that exports the new key back to the client. |
| int | wh_Client_EccMakeExportKeyResponse(whClientContext * ctx, ecc_key * key) Async response half of an ECC server-side keygen that exports the new key back to the client. |
| int | wh_Client_Ed25519SetKeyId(ed25519_key * key, whKeyId keyId) Associates an Ed25519 key with a specific key ID. |
| int | wh_Client_Ed25519GetKeyId(ed25519_key * key, whKeyId * outId) Retrieves the key ID from an Ed25519 key device context. |
| int | wh_Client_Ed25519ImportKey(whClientContext * ctx, ed25519_key * key, whKeyId * inout_keyId, whNvmFlags flags, uint16_t label_len, uint8_t * label) Import an Ed25519 key into the server keystore/cache. |
| int | wh_Client_Ed25519ExportKey(whClientContext * ctx, whKeyId keyId, ed25519_key * key, uint16_t label_len, uint8_t * label) Export an Ed25519 key from the server to the client. |
| int | wh_Client_Ed25519ExportPublicKey(whClientContext * ctx, whKeyId keyId, ed25519_key * key, uint16_t label_len, uint8_t * label) Exports only the public part of a cached Ed25519 key. |
| int | wh_Client_Ed25519MakeExportKey(whClientContext * ctx, ed25519_key * key) Create a new Ed25519 key on the server and export it without caching. |
| int | wh_Client_Ed25519MakeCacheKey(whClientContext * ctx, whKeyId * inout_key_id, whNvmFlags flags, uint16_t label_len, uint8_t * label) Create a new Ed25519 key on the server and store it in cache/NVM. |
| int | wh_Client_Ed25519Sign(whClientContext * ctx, ed25519_key * key, const uint8_t * msg, uint32_t msgLen, uint8_t type, const uint8_t * context, uint32_t contextLen, uint8_t * sig, uint32_t * inout_sig_len) Sign a message using an Ed25519 key on the server. |
| int | wh_Client_Ed25519Verify(whClientContext * ctx, ed25519_key * key, const uint8_t * sig, uint32_t sigLen, const uint8_t * msg, uint32_t msgLen, uint8_t type, const uint8_t * context, uint32_t contextLen, int * out_res) Verify a message signature using an Ed25519 key on the server. |
| int | wh_Client_Ed25519SignDma(whClientContext * ctx, ed25519_key * key, const uint8_t * msg, uint32_t msgLen, uint8_t type, const uint8_t * context, uint32_t contextLen, uint8_t * sig, uint32_t * inout_sig_len) Sign a message using an Ed25519 key via DMA. |
| int | wh_Client_Ed25519VerifyDma(whClientContext * ctx, ed25519_key * key, const uint8_t * sig, uint32_t sigLen, const uint8_t * msg, uint32_t msgLen, uint8_t type, const uint8_t * context, uint32_t contextLen, int * out_res) Verify a signature using an Ed25519 key via DMA. |
| int | wh_Client_RsaSetKeyId(RsaKey * key, whNvmId keyId) Associates an RSA key with a specific key ID. |
| int | wh_Client_RsaGetKeyId(RsaKey * key, whNvmId * outId) Gets the wolfHSM keyId being used by the wolfCrypt struct. |
| int | wh_Client_RsaImportKey(whClientContext * ctx, const RsaKey * key, whKeyId * inout_keyId, whNvmFlags flags, uint32_t label_len, uint8_t * label) Imports wolfCrypt RSA key as a PCKS1 DER-formatted file into the wolfHSM server key cache. |
| int | wh_Client_RsaExportKey(whClientContext * ctx, whKeyId keyId, RsaKey * key, uint32_t label_len, uint8_t * label) Exports a PKCS1 DER-formated RSA key from the wolfHSM server keycache and decodes it into the wolfCrypt RSA key structure. |
| int | wh_Client_RsaExportPublicKey(whClientContext * ctx, whKeyId keyId, RsaKey * key, uint32_t label_len, uint8_t * label) Exports only the public part of a cached RSA key. |
| int | wh_Client_RsaMakeExportKey(whClientContext * ctx, uint32_t size, uint32_t e, RsaKey * rsa) |
| int | wh_Client_RsaMakeCacheKey(whClientContext * ctx, uint32_t size, uint32_t e, whKeyId * inout_key_id, whNvmFlags flags, uint32_t label_len, uint8_t * label) |
| int | wh_Client_RsaFunction(whClientContext * ctx, RsaKey * key, int rsa_type, const uint8_t * in, uint16_t in_len, uint8_t * out, uint16_t * inout_out_len) |
| int | wh_Client_RsaGetSize(whClientContext * ctx, const RsaKey * key, int * out_size) |
| int | wh_Client_HkdfMakeCacheKey(whClientContext * ctx, int hashType, whKeyId keyIdIn, const uint8_t * inKey, uint32_t inKeySz, const uint8_t * salt, uint32_t saltSz, const uint8_t * info, uint32_t infoSz, whKeyId * inout_key_id, whNvmFlags flags, const uint8_t * label, uint32_t label_len, uint32_t outSz) Generate HKDF output and store in the server key cache. |
| int | wh_Client_HkdfMakeExportKey(whClientContext * ctx, int hashType, whKeyId keyIdIn, const uint8_t * inKey, uint32_t inKeySz, const uint8_t * salt, uint32_t saltSz, const uint8_t * info, uint32_t infoSz, uint8_t * out, uint32_t outSz) Generate HKDF output and export to the client. |
| int | wh_Client_CmacKdfMakeCacheKey(whClientContext * ctx, whKeyId saltKeyId, const uint8_t * salt, uint32_t saltSz, whKeyId zKeyId, const uint8_t * z, uint32_t zSz, const uint8_t * fixedInfo, uint32_t fixedInfoSz, whKeyId * inout_key_id, whNvmFlags flags, const uint8_t * label, uint32_t label_len, uint32_t outSz) Generate CMAC two-step KDF output and store it in the server cache. |
| int | wh_Client_CmacKdfMakeExportKey(whClientContext * ctx, whKeyId saltKeyId, const uint8_t * salt, uint32_t saltSz, whKeyId zKeyId, const uint8_t * z, uint32_t zSz, const uint8_t * fixedInfo, uint32_t fixedInfoSz, uint8_t * out, uint32_t outSz) Generate CMAC two-step KDF output and export to the client. |
| int | wh_Client_AesSetKeyId(Aes * key, whNvmId keyId) Associates an AES key with a specific key ID. |
| int | wh_Client_AesGetKeyId(Aes * key, whNvmId * outId) Gets the wolfHSM keyId being used by the wolfCrypt struct. |
| int | wh_Client_AesCtr(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Performs an AES-CTR operation. |
| int | wh_Client_AesCtrDma(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Performs an AES-CTR operation using DMA. |
| int | wh_Client_AesCtrRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len) Send an AES-CTR encrypt/decrypt request to the server (non-blocking) |
| int | wh_Client_AesCtrResponse(whClientContext * ctx, Aes * aes, uint8_t * out, uint32_t * out_size) Receive the server's AES-CTR response (non-blocking) |
| int | wh_Client_AesCtrDmaRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Send an AES-CTR encrypt/decrypt DMA request to the server (non-blocking) |
| int | wh_Client_AesCtrDmaResponse(whClientContext * ctx, Aes * aes) Receive the server's AES-CTR DMA response (non-blocking) |
| int | wh_Client_AesEcb(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Performs an AES-ECB operation. |
| int | wh_Client_AesEcbDma(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Performs an AES-ECB operation using DMA. |
| int | wh_Client_AesEcbRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len) Send an AES-ECB encrypt/decrypt request to the server (non-blocking) |
| int | wh_Client_AesEcbResponse(whClientContext * ctx, Aes * aes, uint8_t * out, uint32_t * out_size) Receive the server's AES-ECB response (non-blocking) |
| int | wh_Client_AesEcbDmaRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Send an AES-ECB DMA request to the server (non-blocking) |
| int | wh_Client_AesEcbDmaResponse(whClientContext * ctx, Aes * aes) Receive the server's AES-ECB DMA response (non-blocking) |
| int | wh_Client_AesCbc(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Performs an AES-CBC operation. |
| int | wh_Client_AesCbcDma(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Performs an AES-CBC operation using DMA. |
| int | wh_Client_AesCbcRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len) Send an AES-CBC encrypt/decrypt request to the server (non-blocking) |
| int | wh_Client_AesCbcResponse(whClientContext * ctx, Aes * aes, uint8_t * out, uint32_t * out_size) Receive the server's AES-CBC response (non-blocking) |
| int | wh_Client_AesCbcDmaRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out) Send an AES-CBC DMA request to the server (non-blocking) |
| int | wh_Client_AesCbcDmaResponse(whClientContext * ctx, Aes * aes) Receive the server's AES-CBC DMA response (non-blocking) |
| int | wh_Client_AesGcm(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, const uint8_t * iv, uint32_t iv_len, const uint8_t * authin, uint32_t authin_len, const uint8_t * dec_tag, uint8_t * enc_tag, uint32_t tag_len, uint8_t * out) Performs an AES-GCM operation. |
| int | wh_Client_AesGcmDma(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, const uint8_t * iv, uint32_t iv_len, const uint8_t * authin, uint32_t authin_len, const uint8_t * dec_tag, uint8_t * enc_tag, uint32_t tag_len, uint8_t * out) Performs an AES-GCM operation using DMA. |
| int | wh_Client_AesGcmRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, const uint8_t * iv, uint32_t iv_len, const uint8_t * authin, uint32_t authin_len, const uint8_t * dec_tag, uint32_t tag_len) Send an AES-GCM encrypt/decrypt request to the server (non-blocking) |
| int | wh_Client_AesGcmResponse(whClientContext * ctx, Aes * aes, uint8_t * out, uint32_t out_capacity, uint32_t * out_size, uint8_t * enc_tag, uint32_t tag_len) Receive the server's AES-GCM response (non-blocking) |
| int | wh_Client_AesGcmDmaRequest(whClientContext * ctx, Aes * aes, int enc, const uint8_t * in, uint32_t len, uint8_t * out, const uint8_t * iv, uint32_t iv_len, const uint8_t * authin, uint32_t authin_len, const uint8_t * dec_tag, uint32_t tag_len) Send an AES-GCM DMA request to the server (non-blocking) |
| int | wh_Client_AesGcmDmaResponse(whClientContext * ctx, Aes * aes, uint8_t * enc_tag, uint32_t tag_len) Receive the server's AES-GCM DMA response (non-blocking) |
| int | wh_Client_Cmac(whClientContext * ctx, Cmac * cmac, CmacType type, const uint8_t * key, uint32_t keyLen, const uint8_t * in, uint32_t inLen, uint8_t * outMac, uint32_t * outMacLen) Performs a CMAC operation on the input data. |
| int | wh_Client_CmacSetKeyId(Cmac * key, whNvmId keyId) Associates a CMAC key with a specific key ID. |
| int | wh_Client_CmacGetKeyId(Cmac * key, whNvmId * outId) Gets the wolfHSM keyId being used by the wolfCrypt struct. |
| int | wh_Client_CmacDma(whClientContext * ctx, Cmac * cmac, CmacType type, const uint8_t * key, uint32_t keyLen, const uint8_t * in, uint32_t inLen, uint8_t * outMac, uint32_t * outMacLen) Performs CMAC operations using DMA for data transfer. |
| int | wh_Client_Sha256(whClientContext * ctx, wc_Sha256 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-256 hash operation on the input data. |
| int | wh_Client_Sha256UpdateRequest(whClientContext * ctx, wc_Sha256 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) Async request half of a non-DMA SHA-256 Update. |
| int | wh_Client_Sha256UpdateResponse(whClientContext * ctx, wc_Sha256 * sha) Async response half of a non-DMA SHA-256 Update. |
| int | wh_Client_Sha256FinalRequest(whClientContext * ctx, wc_Sha256 * sha) Async request half of a non-DMA SHA-256 Final. |
| int | wh_Client_Sha256FinalResponse(whClientContext * ctx, wc_Sha256 * sha, uint8_t * out) Async response half of a non-DMA SHA-256 Final. |
| int | wh_Client_Sha256Dma(whClientContext * ctx, wc_Sha256 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-256 hash operation on the input data using DMA. |
| int | wh_Client_Sha256DmaUpdateRequest(whClientContext * ctx, wc_Sha256 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) Async request half of a DMA SHA-256 Update. |
| int | wh_Client_Sha256DmaUpdateResponse(whClientContext * ctx, wc_Sha256 * sha) Async response half of a DMA SHA-256 Update. |
| int | wh_Client_Sha256DmaFinalRequest(whClientContext * ctx, wc_Sha256 * sha) Async request half of a DMA SHA-256 Final. |
| int | wh_Client_Sha256DmaFinalResponse(whClientContext * ctx, wc_Sha256 * sha, uint8_t * out) Async response half of a DMA SHA-256 Final. |
| int | wh_Client_Sha224(whClientContext * ctx, wc_Sha224 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-224 hash operation on the input data. |
| int | wh_Client_Sha224UpdateRequest(whClientContext * ctx, wc_Sha224 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) Async request half of a non-DMA SHA-224 Update. |
| int | wh_Client_Sha224UpdateResponse(whClientContext * ctx, wc_Sha224 * sha) Async response half of a non-DMA SHA-224 Update. |
| int | wh_Client_Sha224FinalRequest(whClientContext * ctx, wc_Sha224 * sha) Async request half of a non-DMA SHA-224 Final. |
| int | wh_Client_Sha224FinalResponse(whClientContext * ctx, wc_Sha224 * sha, uint8_t * out) Async response half of a non-DMA SHA-224 Final. |
| int | wh_Client_Sha224Dma(whClientContext * ctx, wc_Sha224 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-224 hash operation on the input data using DMA. |
| int | wh_Client_Sha224DmaUpdateRequest(whClientContext * ctx, wc_Sha224 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) |
| int | wh_Client_Sha224DmaUpdateResponse(whClientContext * ctx, wc_Sha224 * sha) |
| int | wh_Client_Sha224DmaFinalRequest(whClientContext * ctx, wc_Sha224 * sha) |
| int | wh_Client_Sha224DmaFinalResponse(whClientContext * ctx, wc_Sha224 * sha, uint8_t * out) |
| int | wh_Client_Sha384(whClientContext * ctx, wc_Sha384 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-384 hash operation on the input data. |
| int | wh_Client_Sha384UpdateRequest(whClientContext * ctx, wc_Sha384 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) Async request half of a non-DMA SHA-384 Update. |
| int | wh_Client_Sha384UpdateResponse(whClientContext * ctx, wc_Sha384 * sha) Async response half of a non-DMA SHA-384 Update. |
| int | wh_Client_Sha384FinalRequest(whClientContext * ctx, wc_Sha384 * sha) Async request half of a non-DMA SHA-384 Final. |
| int | wh_Client_Sha384FinalResponse(whClientContext * ctx, wc_Sha384 * sha, uint8_t * out) Async response half of a non-DMA SHA-384 Final. |
| int | wh_Client_Sha384Dma(whClientContext * ctx, wc_Sha384 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-384 hash operation on the input data using DMA. |
| int | wh_Client_Sha384DmaUpdateRequest(whClientContext * ctx, wc_Sha384 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) |
| int | wh_Client_Sha384DmaUpdateResponse(whClientContext * ctx, wc_Sha384 * sha) |
| int | wh_Client_Sha384DmaFinalRequest(whClientContext * ctx, wc_Sha384 * sha) |
| int | wh_Client_Sha384DmaFinalResponse(whClientContext * ctx, wc_Sha384 * sha, uint8_t * out) |
| int | wh_Client_Sha512(whClientContext * ctx, wc_Sha512 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-512 hash operation on the input data. |
| int | wh_Client_Sha512UpdateRequest(whClientContext * ctx, wc_Sha512 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) Async request half of a non-DMA SHA-512 Update. |
| int | wh_Client_Sha512UpdateResponse(whClientContext * ctx, wc_Sha512 * sha) Async response half of a non-DMA SHA-512 Update. |
| int | wh_Client_Sha512FinalRequest(whClientContext * ctx, wc_Sha512 * sha) Async request half of a non-DMA SHA-512 Final. |
| int | wh_Client_Sha512FinalResponse(whClientContext * ctx, wc_Sha512 * sha, uint8_t * out) Async response half of a non-DMA SHA-512 Final. |
| int | wh_Client_Sha512Dma(whClientContext * ctx, wc_Sha512 * sha, const uint8_t * in, uint32_t inLen, uint8_t * out) Performs a SHA-512 hash operation on the input data using DMA. |
| int | wh_Client_Sha512DmaUpdateRequest(whClientContext * ctx, wc_Sha512 * sha, const uint8_t * in, uint32_t inLen, bool * requestSent) |
| int | wh_Client_Sha512DmaUpdateResponse(whClientContext * ctx, wc_Sha512 * sha) |
| int | wh_Client_Sha512DmaFinalRequest(whClientContext * ctx, wc_Sha512 * sha) |
| int | wh_Client_Sha512DmaFinalResponse(whClientContext * ctx, wc_Sha512 * sha, uint8_t * out) |
| int | wh_Client_MlDsaSetKeyId(MlDsaKey * key, whKeyId keyId) Associates a ML-DSA key with a specific key ID. |
| int | wh_Client_MlDsaGetKeyId(MlDsaKey * key, whKeyId * outId) Gets the wolfHSM keyId being used by the wolfCrypt struct. |
| int | wh_Client_MlDsaImportKey(whClientContext * ctx, MlDsaKey * key, whKeyId * inout_keyId, whNvmFlags flags, uint16_t label_len, uint8_t * label) Import a ML-DSA key to the server key cache. |
| int | wh_Client_MlDsaExportKey(whClientContext * ctx, whKeyId keyId, MlDsaKey * key, uint16_t label_len, uint8_t * label) Export a ML-DSA key from the server. |
| int | wh_Client_MlDsaExportPublicKey(whClientContext * ctx, whKeyId keyId, MlDsaKey * key, uint16_t label_len, uint8_t * label) Exports only the public part of a cached ML-DSA key. |
| int | wh_Client_MlDsaMakeExportKey(whClientContext * ctx, int level, int size, MlDsaKey * key) Generate a new ML-DSA key pair and export the public key. |
| int | wh_Client_MlDsaMakeCacheKey(whClientContext * ctx, int size, int level, whKeyId * inout_key_id, whNvmFlags flags, uint16_t label_len, uint8_t * label) Create and cache a new ML-DSA key on the server. |
| int | wh_Client_MlDsaSign(whClientContext * ctx, const byte * in, word32 in_len, byte * out, word32 * out_len, MlDsaKey * key, const byte * context, byte contextLen, word32 preHashType) Sign a message using a ML-DSA private key. |
| int | wh_Client_MlDsaVerify(whClientContext * ctx, const byte * sig, word32 sig_len, const byte * msg, word32 msg_len, int * res, MlDsaKey * key, const byte * context, byte contextLen, word32 preHashType) Verify a ML-DSA signature. |
| int | wh_Client_MlDsaCheckPrivKey(whClientContext * ctx, MlDsaKey * key, const byte * pubKey, word32 pubKeySz) Check a ML-DSA private key. |
| int | wh_Client_MlDsaImportKeyDma(whClientContext * ctx, MlDsaKey * key, whKeyId * inout_keyId, whNvmFlags flags, uint16_t label_len, uint8_t * label) Import a ML-DSA key using DMA. |
| int | wh_Client_MlDsaExportKeyDma(whClientContext * ctx, whKeyId keyId, MlDsaKey * key, uint16_t label_len, uint8_t * label) Export a ML-DSA key using DMA. |
| int | wh_Client_MlDsaExportPublicKeyDma(whClientContext * ctx, whKeyId keyId, MlDsaKey * key, uint16_t label_len, uint8_t * label) Export only the public part of a cached ML-DSA key using DMA. |
| int | wh_Client_MlDsaMakeExportKeyDma(whClientContext * ctx, int level, MlDsaKey * key) Generate a new ML-DSA key pair and export it using DMA. |
| int | wh_Client_MlDsaSignDma(whClientContext * ctx, const byte * in, word32 in_len, byte * out, word32 * out_len, MlDsaKey * key, const byte * context, byte contextLen, word32 preHashType) Sign a message using ML-DSA with DMA. |
| int | wh_Client_MlDsaVerifyDma(whClientContext * ctx, const byte * sig, word32 sig_len, const byte * msg, word32 msg_len, int * res, MlDsaKey * key, const byte * context, byte contextLen, word32 preHashType) Verify a ML-DSA signature with DMA. |
| int | wh_Client_MlDsaCheckPrivKeyDma(whClientContext * ctx, MlDsaKey * key, const byte * pubKey, word32 pubKeySz) Check a ML-DSA private key against public key with DMA. |
Functions Documentation
function wh_Client_RngGenerate
int wh_Client_RngGenerate(
whClientContext * ctx,
uint8_t * out,
uint32_t size
)
Generate random bytes.
Parameters:
- ctx Pointer to the client context
- out Pointer to where the bytes are to be placed. Must not be NULL.
- size Number of bytes to generate.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate random bytes by repeatedly requesting the maximum block size of data from the server at a time
function wh_Client_RngGenerateRequest
int wh_Client_RngGenerateRequest(
whClientContext * ctx,
uint32_t size
)
Async request half of a non-DMA RNG generate.
Parameters:
- ctx Client context.
- size Number of random bytes to request. Must be > 0 and must not exceed WH_MESSAGE_CRYPTO_RNG_MAX_INLINE_SZ.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args or a size exceeding the per-call inline capacity, or a negative error from the transport.
Serializes and sends a request for size bytes of random data. Does NOT wait for a reply. Single-shot per call: chunking large requests is the caller's responsibility. The blocking wrapper wh_Client_RngGenerate handles chunking automatically.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_RngGenerateResponse before issuing any other async Request on the same ctx.
function wh_Client_RngGenerateResponse
int wh_Client_RngGenerateResponse(
whClientContext * ctx,
uint8_t * out,
uint32_t * inout_size
)
Async response half of a non-DMA RNG generate.
Parameters:
- ctx Client context.
- out Buffer to receive random bytes. May be NULL only if *inout_size is 0.
- inout_size On entry: capacity of out (typically equals the size passed to wh_Client_RngGenerateRequest). On success: number of bytes actually written to out.
Return: WH_ERROR_OK on success, WH_ERROR_NOTREADY if no reply yet, WH_ERROR_ABORTED if the server returned more bytes than the buffer can hold, WH_ERROR_BADARGS for invalid args.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, copies up to inout_size random bytes into out and updates inout_size to the actual number received.
function wh_Client_RngGenerateDma
int wh_Client_RngGenerateDma(
whClientContext * ctx,
uint8_t * out,
uint32_t size
)
Generate random bytes using DMA.
Parameters:
- ctx Pointer to the client context
- out Pointer to where the bytes are to be placed
- size Number of bytes to generate
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate random bytes directly into client memory using DMA, eliminating the need for chunking and copying through the communication buffer.
function wh_Client_RngGenerateDmaRequest
int wh_Client_RngGenerateDmaRequest(
whClientContext * ctx,
uint8_t * out,
uint32_t size
)
Async request half of a DMA RNG generate.
Parameters:
- ctx Client context.
- out Client buffer that will receive the random bytes via DMA.
- size Number of random bytes to generate. Must be > 0.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args, or a negative error from the DMA layer or transport. On failure any acquired DMA mapping is released before returning.
Performs PRE address translation for the output buffer, sends the DMA request, and stashes the translated address for POST cleanup in the matching Response. Does NOT wait for a reply.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_RngGenerateDmaResponse before issuing any other async Request on the same ctx, and must keep out valid until the Response completes.
function wh_Client_RngGenerateDmaResponse
int wh_Client_RngGenerateDmaResponse(
whClientContext * ctx
)
Async response half of a DMA RNG generate.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. The random bytes are written by the server directly to the client buffer passed to wh_Client_RngGenerateDmaRequest. POST DMA cleanup for the output buffer is performed on every non-NOTREADY return so the client buffer is safe to read regardless of error.
function wh_Client_Curve25519SetKeyId
int wh_Client_Curve25519SetKeyId(
curve25519_key * key,
whKeyId keyId
)
Associates a Curve25519 key with a specific key ID.
Parameters:
- key Pointer to the Curve25519 key structure.
- keyId Key ID to be associated with the Curve25519 key.
Return: int Returns 0 on success or a negative error code on failure.
This function sets the device context of a Curve25519 key to the specified key ID. On the server side, this key ID is used to reference the key stored in the HSM
function wh_Client_Curve25519GetKeyId
int wh_Client_Curve25519GetKeyId(
curve25519_key * key,
whKeyId * outId
)
Gets the wolfHSM keyId being used by the wolfCrypt struct.
Parameters:
- key Pointer to the Curve25519 key structure.
- outId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function gets the device context of a Curve25519 key that was previously set by either the crypto callback layer or wh_Client_SetKeyCurve25519.
function wh_Client_Curve25519ImportKey
int wh_Client_Curve25519ImportKey(
whClientContext * ctx,
curve25519_key * key,
whKeyId * inout_keyId,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Imports wolfCrypt Curve25519 key as a raw byte array into the wolfHSM server key cache.
Parameters:
- ctx Pointer to the wolfHSM client structure.
- key Pointer to the curve25519 key structure.
- inout_keyId Pointer to the key ID. Set to WH_KEYID_ERASED to have the server allocate a unique id. May be NULL.
- flags Value of flags to indicate server usage
- label_len Length of the optional label in bytes, Valid values are 0 to WH_NVM_LABEL_LEN.
- label pointer to the optional label byte array. May be NULL.
Return: int Returns 0 on success or a negative error code on failure.
This function converts the curve25519_key struct to serialized format, installs into the server's key cache, and provides the server-allocated keyId for reference.
function wh_Client_Curve25519ExportKey
int wh_Client_Curve25519ExportKey(
whClientContext * ctx,
whKeyId keyId,
curve25519_key * key,
uint16_t label_len,
uint8_t * label
)
Exports a serialized curve25519 key from the wolfHSM server keycache and decodes it into the wolfCrypt curve25519 key structure.
Parameters:
- ctx Pointer to the wolfHSM client structure.
- out_keyId Server key ID to export.
- key Pointer to the Curve25519 key structure.
- label_len Length of the optional label in bytes, Valid values are 0 to WH_NVM_LABEL_LEN.
- label pointer to the optional label byte array. May be NULL.
Return: int Returns 0 on success or a negative error code on failure.
This function exports the specified key from wolfHSM server key cache as a serialized byte array and decodes the key into the wolfCrypt curve25519_key structure, optionally copying out the associated label as well.
function wh_Client_Curve25519ExportPublicKey
int wh_Client_Curve25519ExportPublicKey(
whClientContext * ctx,
whKeyId keyId,
curve25519_key * key,
uint16_t label_len,
uint8_t * label
)
Exports only the public part of a cached Curve25519 key.
Parameters:
- ctx Pointer to the wolfHSM client context.
- keyId Server key ID whose public key should be exported. Must not be WH_KEYID_ERASED.
- key Pointer to a caller-initialized curve25519_key. On success, the public portion is populated.
- label_len Size of the optional label buffer in bytes. Values larger than WH_NVM_LABEL_LEN are truncated. Set to 0 if label is not needed.
- label Optional buffer to receive the key's label. May be NULL.
Return: int Returns 0 on success or a negative wolfHSM/wolfCrypt error code on failure (e.g. WH_ERROR_NOTFOUND, WH_ERROR_BADARGS).
Instructs the server to emit only the public portion of a cached Curve25519 key as SubjectPublicKeyInfo DER. The private scalar stays inside the HSM. The decoded key will have only the public part set.
The NONEXPORTABLE key flag does NOT block this call because public material is non-sensitive. The caller is responsible for initializing key (e.g. wc_curve25519_init_ex) prior to calling this function.
function wh_Client_Curve25519MakeCacheKey
int wh_Client_Curve25519MakeCacheKey(
whClientContext * ctx,
uint16_t size,
whKeyId * inout_key_id,
whNvmFlags flags,
const uint8_t * label,
uint16_t label_len
)
Generate a Curve25519 key in the server key cache.
Parameters:
- ctx Pointer to the client context
- size Size of the key to generate in bytes, normally set to CURVE25519_KEY_SIZE.
- inout_key_id. Set to WH_KEYID_ERASED to have the server select a unique id for this key.
- flags Optional flags to be associated with the key while in the key cache or after being committed. Set to WH_NVM_FLAGS_NONE if not used.
- label Optional label to be associated with the key while in the key cache or after being committed. Set to NULL if not used.
- label_len Size of the label up to WH_NVM_LABEL_SIZE. Set to 0 if not used.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate a new Curve25519 key and insert it into the server's key cache.
function wh_Client_Curve25519MakeExportKey
int wh_Client_Curve25519MakeExportKey(
whClientContext * ctx,
uint16_t size,
curve25519_key * key
)
Generate a Curve25519 key by the server and export to the client.
Parameters:
- ctx Pointer to the client context
- size Size of the key to generate in bytes, normally set to CURVE25519_KEY_SIZE.
- key Pointer to a wolfCrypt key structure, which will be initialized to the new key pair when successful
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate a new Curve25519 key pair and export it to the client, without using any key cache or additional resources
function wh_Client_Curve25519SharedSecret
int wh_Client_Curve25519SharedSecret(
whClientContext * ctx,
curve25519_key * priv_key,
curve25519_key * pub_key,
int endian,
uint8_t * out,
uint16_t * out_size
)
Compute an X25519 shared secret using a public and private key.
Parameters:
- ctx Pointer to the client context
- priv_key Pointer to a wolfCrypt key structure that holds the private key
- pub_key Pointer to a wolfCrypt key structure that holds the public key
- endian Endianness of the values. EC25519_BIG_ENDIAN (typical) or EC25519_LITTLE_ENDIAN
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server compute the shared secret using the provided wolfCrypt private and public keys. Note, the client will temporarily import any missing key material to the server as required.
function wh_Client_EccSetKeyId
int wh_Client_EccSetKeyId(
ecc_key * key,
whKeyId keyId
)
Associates a Ecc key with a specific key ID.
Parameters:
- key Pointer to the Ecc key structure.
- keyId Key ID to be associated with the Ecc key.
Return: int Returns 0 on success or a negative error code on failure.
This function sets the device context of a Ecc key to the specified key ID. On the server side, this key ID is used to reference the key stored in the HSM
function wh_Client_EccGetKeyId
int wh_Client_EccGetKeyId(
ecc_key * key,
whKeyId * outId
)
Gets the wolfHSM keyId being used by the wolfCrypt struct.
Parameters:
- key Pointer to the Ecc key structure.
- outId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function gets the device context of a Ecc key that was previously set by either the crypto callback layer or wh_Client_EccSetKeyId.
function wh_Client_EccImportKey
int wh_Client_EccImportKey(
whClientContext * ctx,
ecc_key * key,
whKeyId * inout_keyId,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Imports a wolfCrypt ECC key as a DER-formatted blob into the wolfHSM server key cache.
Parameters:
- ctx Pointer to the wolfHSM client structure.
- key Pointer to the ECC key structure.
- inout_keyId Pointer to the key ID. Set to WH_KEYID_ERASED to have the server allocate a unique id. May be NULL.
- flags Value of flags to indicate server usage
- label_len Length of the optional label in bytes, Valid values are 0 to WH_NVM_LABEL_LEN.
- label pointer to the optional label byte array. May be NULL.
Return: int Returns 0 on success or a negative error code on failure.
This function serializes the ecc_key struct to DER format, installs it into the server's key cache, and provides the server-allocated keyId for reference.
function wh_Client_EccExportKey
int wh_Client_EccExportKey(
whClientContext * ctx,
whKeyId keyId,
ecc_key * key,
uint16_t label_len,
uint8_t * label
)
Exports a DER-formatted ECC key from the wolfHSM server keycache and decodes it into the wolfCrypt ECC key structure.
Parameters:
- ctx Pointer to the wolfHSM client structure.
- keyId Server key ID to export.
- key Pointer to the ECC key structure to populate.
- label_len Length of the optional label in bytes, Valid values are 0 to WH_NVM_LABEL_LEN.
- label pointer to the optional label byte array. May be NULL.
Return: int Returns 0 on success or a negative error code on failure.
This function exports the specified key from the wolfHSM server key cache as a DER blob and decodes it into the wolfCrypt ecc_key structure, optionally copying out the associated label as well.
function wh_Client_EccExportPublicKey
int wh_Client_EccExportPublicKey(
whClientContext * ctx,
whKeyId keyId,
ecc_key * key,
uint16_t label_len,
uint8_t * label
)
Exports only the public part of a cached ECC key.
Parameters:
- ctx Pointer to the wolfHSM client context.
- keyId Server key ID whose public key should be exported. Must not be WH_KEYID_ERASED.
- key Pointer to a caller-initialized ecc_key. On success, the public point is populated and key->type is set to ECC_PUBLICKEY.
- label_len Size of the optional label buffer in bytes. Values larger than WH_NVM_LABEL_LEN are truncated. Set to 0 if label is not needed.
- label Optional buffer to receive the key's label. May be NULL.
Return: int Returns 0 on success or a negative wolfHSM/wolfCrypt error code on failure (e.g. WH_ERROR_NOTFOUND, WH_ERROR_BADARGS).
Instructs the server to emit only the public portion (SubjectPublicKeyInfo DER with curve parameters) of a cached ECC key. The private scalar stays inside the HSM. The decoded key is written into the caller-initialized ecc_key struct and will report type == ECC_PUBLICKEY.
The NONEXPORTABLE key flag does NOT block this call because public material is non-sensitive. The caller is responsible for initializing key (e.g. wc_ecc_init_ex) prior to calling this function.
function wh_Client_EccMakeExportKey
int wh_Client_EccMakeExportKey(
whClientContext * ctx,
int size,
int curveId,
ecc_key * key
)
Generate an ECC key pair on the server and export it to the client.
Parameters:
- ctx Pointer to the client context.
- size Size of the key to generate in bytes (e.g. 32 for P-256).
- curveId wolfCrypt curve identifier (e.g. ECC_SECP256R1).
- key Pointer to a wolfCrypt ECC key structure, which will be populated with the new key pair when successful.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate a new ECC key pair and export it to the client, without using any key cache or additional resources.
function wh_Client_EccMakeCacheKey
int wh_Client_EccMakeCacheKey(
whClientContext * ctx,
int size,
int curveId,
whKeyId * inout_key_id,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Generate an ECC key pair in the server key cache.
Parameters:
- ctx Pointer to the client context.
- size Size of the key to generate in bytes (e.g. 32 for P-256).
- curveId wolfCrypt curve identifier (e.g. ECC_SECP256R1).
- inout_key_id Pointer to the key ID. Set to WH_KEYID_ERASED to have the server allocate a unique id. Must not be NULL.
- flags Optional flags to be associated with the key while in the key cache or after being committed. Set to WH_NVM_FLAGS_NONE if not used.
- label_len Size of the label up to WH_NVM_LABEL_LEN. Set to 0 if not used.
- label Optional label to be associated with the key while in the key cache or after being committed. Set to NULL if not used.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate a new ECC key pair and insert it into the server's key cache. The generated key material is not returned to the client.
function wh_Client_EccSharedSecret
int wh_Client_EccSharedSecret(
whClientContext * ctx,
ecc_key * priv_key,
ecc_key * pub_key,
uint8_t * out,
uint16_t * inout_size
)
Compute an ECDH shared secret using a public and private ECC key.
Parameters:
- ctx Pointer to the client context.
- priv_key Pointer to a wolfCrypt key structure that either holds the private key material or references a server-cached private key via its devCtx (keyId).
- pub_key Pointer to a wolfCrypt key structure that either holds the public key material or references a server-cached public key via its devCtx (keyId).
- out Buffer to receive the computed shared secret. May be NULL to query the required size, in which case inout_size must be non-NULL and the required size will be written to *inout_size with WH_ERROR_BUFFER_SIZE returned.
- inout_size On input, the capacity of the out buffer in bytes when out is non-NULL. On output, the number of bytes written on success, or the required buffer size when WH_ERROR_BUFFER_SIZE is returned. Must not be NULL when out is non-NULL; may be NULL only when out is also NULL.
Return: int Returns 0 on success, WH_ERROR_BUFFER_SIZE if the caller's out buffer is too small to hold the shared secret (with required size written to *inout_size), or a negative error code on failure.
This function requests the server to compute the shared secret using the provided wolfCrypt private and public keys. Either key context may carry actual key material or refer to a server-cached key by keyId via its devCtx (associated by wh_Client_EccSetKeyId or returned from a server-side keygen). For any context that does not reference a cached keyId, the client will temporarily import its material to the server for the duration of the operation and evict it afterwards.
function wh_Client_EccSign
int wh_Client_EccSign(
whClientContext * ctx,
ecc_key * key,
const uint8_t * hash,
uint16_t hash_len,
uint8_t * sig,
uint16_t * inout_sig_len
)
Generate an ECDSA signature of the provided hash on the server.
Parameters:
- ctx Pointer to the client context.
- key Pointer to a wolfCrypt ECC key structure that either holds the private key material or references a server-cached private key via its devCtx (keyId).
- hash Hash data to sign. May be NULL only if hash_len is 0.
- hash_len Length of hash in bytes.
- sig Buffer to receive the generated signature. May be NULL to query the required size, in which case inout_sig_len must be non-NULL and the required size will be written to *inout_sig_len with WH_ERROR_BUFFER_SIZE returned.
- inout_sig_len On input, the capacity of the sig buffer in bytes when sig is non-NULL. On output, the number of bytes written on success, or the required buffer size when WH_ERROR_BUFFER_SIZE is returned. Must not be NULL when sig is non-NULL; may be NULL only when sig is also NULL.
Return: int Returns 0 on success, WH_ERROR_BUFFER_SIZE if the caller's sig buffer is too small to hold the signature (with required size written to *inout_sig_len), or a negative error code on failure.
This function requests the server to sign the provided hash using the specified ECC key. The key context may either carry actual key material or refer to a server-cached key by keyId via its devCtx (associated by wh_Client_EccSetKeyId or returned from a server-side keygen). If the key does not reference a cached keyId, the client will temporarily import its material to the server for the duration of the operation and evict it afterwards.
function wh_Client_EccVerify
int wh_Client_EccVerify(
whClientContext * ctx,
ecc_key * key,
const uint8_t * sig,
uint16_t sig_len,
const uint8_t * hash,
uint16_t hash_len,
int * out_res
)
Verify an ECDSA signature of the provided hash on the server.
Parameters:
- ctx Pointer to the client context.
- key Pointer to a wolfCrypt ECC key structure that either holds the public key material or references a server-cached public key via its devCtx (keyId).
- sig Signature bytes.
- sig_len Length of sig in bytes.
- hash Hash bytes that were signed.
- hash_len Length of hash in bytes.
- out_res Pointer to receive the verification result. Set to 1 if the signature is valid, 0 otherwise. Must not be NULL.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to verify the provided signature against the provided hash using the specified ECC key. The key context may either carry actual key material or refer to a server-cached key by keyId via its devCtx (associated by wh_Client_EccSetKeyId or returned from a server-side keygen). If the key does not reference a cached keyId, the client will temporarily import its material to the server for the duration of the operation and evict it afterwards. If the supplied key is private-only, the server will derive the public key as needed.
function wh_Client_EccSignRequest
int wh_Client_EccSignRequest(
whClientContext * ctx,
whKeyId keyId,
const uint8_t * hash,
uint16_t hash_len
)
Async request half of an ECC sign operation.
Parameters:
- ctx Client context.
- keyId Key ID of a cached ECC private key. Must not be erased.
- hash Hash data to sign (may be NULL only if hash_len == 0).
- hash_len Length of hash in bytes.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args or erased keyId, or a negative error from the transport.
Serializes and sends a sign request for the hash using the server-cached private key identified by keyId. Does NOT wait for a reply. The key must already be cached on the server; auto-import is only available via the blocking wrapper wh_Client_EccSign.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_EccSignResponse before issuing any other async Request on the same ctx.
function wh_Client_EccSignResponse
int wh_Client_EccSignResponse(
whClientContext * ctx,
uint8_t * sig,
uint16_t * inout_sig_len
)
Async response half of an ECC sign operation.
Parameters:
- ctx Client context.
- sig Buffer to receive the generated signature. May be NULL to query the required size, in which case inout_sig_len must be non-NULL and the required size will be written to *inout_sig_len with WH_ERROR_BUFFER_SIZE returned.
- inout_sig_len On input, the capacity of the sig buffer in bytes when sig is non-NULL. On output, the number of bytes written on success, or the required buffer size when WH_ERROR_BUFFER_SIZE is returned. Must not be NULL when sig is non-NULL; may be NULL only when sig is also NULL.
Return: WH_ERROR_OK on success, WH_ERROR_NOTREADY if no reply yet, WH_ERROR_BUFFER_SIZE if sig is too small (required size written to *inout_sig_len), WH_ERROR_BADARGS for invalid args, or a negative error code from the transport.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, copies the signature into sig and updates inout_sig_len. If the server-reported signature is larger than the caller's inout_sig_len capacity, returns WH_ERROR_BUFFER_SIZE with the required size written to *inout_sig_len.
function wh_Client_EccVerifyRequest
int wh_Client_EccVerifyRequest(
whClientContext * ctx,
whKeyId keyId,
const uint8_t * sig,
uint16_t sig_len,
const uint8_t * hash,
uint16_t hash_len
)
Async request half of an ECC verify operation.
Parameters:
- ctx Client context.
- keyId Key ID of a cached ECC public key. Must not be erased.
- sig Signature bytes.
- sig_len Length of sig.
- hash Hash bytes.
- hash_len Length of hash.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args or erased keyId, or a negative error from the transport.
Serializes and sends a verify request for (sig, hash) using the server-cached public key identified by keyId. Does NOT wait for a reply. The key must already be cached on the server; auto-import is only available via the blocking wrapper wh_Client_EccVerify.
Note: the async API does not support the EXPORTPUB convenience (deriving a public key from a private-only key) — that stays a blocking-wrapper convenience.
function wh_Client_EccVerifyResponse
int wh_Client_EccVerifyResponse(
whClientContext * ctx,
ecc_key * opt_key,
int * out_res
)
Async response half of an ECC verify operation.
Parameters:
- ctx Client context.
- opt_key Optional ecc_key whose public half should be updated from the server-supplied DER bytes when the matching Request had EXPORTPUB set. Pass NULL when no key update is desired. The async Request half does not currently expose EXPORTPUB, so this parameter is primarily for the blocking wrapper wh_Client_EccVerify.
- out_res 1 if the signature is valid, 0 otherwise.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, writes the verify result (1 = valid, 0 = invalid) to *out_res.
function wh_Client_EccSharedSecretRequest
int wh_Client_EccSharedSecretRequest(
whClientContext * ctx,
whKeyId prv_key_id,
whKeyId pub_key_id
)
Async request half of an ECDH shared-secret operation.
Parameters:
- ctx Client context.
- prv_key_id Key ID of the cached private key. Must not be erased.
- pub_key_id Key ID of the cached public key. Must not be erased.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args or erased keyIds, or a negative error from the transport.
Serializes and sends a shared-secret request using two server-cached keys (private and public). Does NOT wait for a reply. Both keys must already be cached on the server; auto-import is only available via the blocking wrapper wh_Client_EccSharedSecret.
function wh_Client_EccSharedSecretResponse
int wh_Client_EccSharedSecretResponse(
whClientContext * ctx,
uint8_t * out,
uint16_t * inout_size
)
Async response half of an ECDH shared-secret operation.
Parameters:
- ctx Client context.
- out Buffer to receive the computed shared secret. May be NULL to query the required size, in which case inout_size must be non-NULL and the required size will be written to *inout_size with WH_ERROR_BUFFER_SIZE returned.
- inout_size On input, the capacity of the out buffer in bytes when out is non-NULL. On output, the number of bytes written on success, or the required buffer size when WH_ERROR_BUFFER_SIZE is returned. Must not be NULL when out is non-NULL; may be NULL only when out is also NULL.
Return: WH_ERROR_OK on success, WH_ERROR_NOTREADY if no reply yet, WH_ERROR_BUFFER_SIZE if out is too small (required size written to *inout_size), WH_ERROR_BADARGS for invalid args, or a negative error code from the transport.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, copies the shared secret into out and updates inout_size. inout_size is in/out: when out is non-NULL, callers must initialize it to the capacity of the out buffer. If the server-reported secret is larger than the caller's capacity, returns WH_ERROR_BUFFER_SIZE with the required size written to *inout_size — the partial buffer is NOT written, since truncated key material would be unsafe to use.
function wh_Client_EccMakeCacheKeyRequest
int wh_Client_EccMakeCacheKeyRequest(
whClientContext * ctx,
int size,
int curveId,
whKeyId key_id,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Async request half of an ECC server-side keygen that caches the new key in the server.
Parameters:
- ctx Client context.
- size Size of the key to generate in bytes (e.g. 32 for P-256).
- curveId wolfCrypt curve identifier (e.g. ECC_SECP256R1).
- key_id Suggested key ID. Pass WH_KEYID_ERASED to have the server allocate one.
- flags Optional NVM flags. Must NOT include WH_NVM_FLAGS_EPHEMERAL — use the MakeExportKey async pair for ephemeral (export) keygen instead.
- label_len Size of the label up to WH_NVM_LABEL_LEN. Set to 0 if not used.
- label Optional label byte array. May be NULL when label_len is 0.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args (including EPHEMERAL flag), or a negative error from the transport.
Serializes and sends a keygen request that asks the server to generate a new ECC key pair on the specified curve and insert it into the server key cache. Does NOT wait for a reply.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_EccMakeCacheKeyResponse before issuing any other async Request on the same ctx.
function wh_Client_EccMakeCacheKeyResponse
int wh_Client_EccMakeCacheKeyResponse(
whClientContext * ctx,
whKeyId * out_key_id
)
Async response half of an ECC server-side keygen that caches the new key in the server.
Parameters:
- ctx Client context.
- out_key_id Pointer to receive the assigned key ID. Must not be NULL.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, writes the server-allocated key ID into *out_key_id.
function wh_Client_EccMakeExportKeyRequest
int wh_Client_EccMakeExportKeyRequest(
whClientContext * ctx,
int size,
int curveId
)
Async request half of an ECC server-side keygen that exports the new key back to the client.
Parameters:
- ctx Client context.
- size Size of the key to generate in bytes.
- curveId wolfCrypt curve identifier.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS for invalid args, or a negative error from the transport.
Serializes and sends an ephemeral keygen request that asks the server to generate a new ECC key pair on the specified curve and return its DER encoding to the client (the server does not retain the key). Does NOT wait for a reply.
function wh_Client_EccMakeExportKeyResponse
int wh_Client_EccMakeExportKeyResponse(
whClientContext * ctx,
ecc_key * key
)
Async response half of an ECC server-side keygen that exports the new key back to the client.
Parameters:
- ctx Client context.
- key Pointer to a wolfCrypt ECC key structure that will be populated with the new key pair. Must not be NULL.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, deserializes the DER blob returned by the server into the supplied wolfCrypt ecc_key.
function wh_Client_Ed25519SetKeyId
int wh_Client_Ed25519SetKeyId(
ed25519_key * key,
whKeyId keyId
)
Associates an Ed25519 key with a specific key ID.
Sets the device context of an Ed25519 key to the provided key ID.
function wh_Client_Ed25519GetKeyId
int wh_Client_Ed25519GetKeyId(
ed25519_key * key,
whKeyId * outId
)
Retrieves the key ID from an Ed25519 key device context.
function wh_Client_Ed25519ImportKey
int wh_Client_Ed25519ImportKey(
whClientContext * ctx,
ed25519_key * key,
whKeyId * inout_keyId,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Import an Ed25519 key into the server keystore/cache.
function wh_Client_Ed25519ExportKey
int wh_Client_Ed25519ExportKey(
whClientContext * ctx,
whKeyId keyId,
ed25519_key * key,
uint16_t label_len,
uint8_t * label
)
Export an Ed25519 key from the server to the client.
function wh_Client_Ed25519ExportPublicKey
int wh_Client_Ed25519ExportPublicKey(
whClientContext * ctx,
whKeyId keyId,
ed25519_key * key,
uint16_t label_len,
uint8_t * label
)
Exports only the public part of a cached Ed25519 key.
Parameters:
- ctx Pointer to the wolfHSM client context.
- keyId Server key ID whose public key should be exported. Must not be WH_KEYID_ERASED.
- key Pointer to a caller-initialized ed25519_key. On success, only the public half is populated (pubKeySet == 1, privKeySet == 0).
- label_len Size of the optional label buffer in bytes. Values larger than WH_NVM_LABEL_LEN are truncated. Set to 0 if label is not needed.
- label Optional buffer to receive the key's label. May be NULL.
Return: int Returns 0 on success or a negative wolfHSM/wolfCrypt error code on failure (e.g. WH_ERROR_NOTFOUND, WH_ERROR_BADARGS).
Instructs the server to emit only the public portion of a cached Ed25519 key as SubjectPublicKeyInfo DER. The private seed stays inside the HSM. The decoded key will have pubKeySet == 1 and privKeySet == 0.
The NONEXPORTABLE key flag does NOT block this call because public material is non-sensitive. The caller is responsible for initializing key (e.g. wc_ed25519_init_ex) prior to calling this function.
function wh_Client_Ed25519MakeExportKey
int wh_Client_Ed25519MakeExportKey(
whClientContext * ctx,
ed25519_key * key
)
Create a new Ed25519 key on the server and export it without caching.
function wh_Client_Ed25519MakeCacheKey
int wh_Client_Ed25519MakeCacheKey(
whClientContext * ctx,
whKeyId * inout_key_id,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Create a new Ed25519 key on the server and store it in cache/NVM.
function wh_Client_Ed25519Sign
int wh_Client_Ed25519Sign(
whClientContext * ctx,
ed25519_key * key,
const uint8_t * msg,
uint32_t msgLen,
uint8_t type,
const uint8_t * context,
uint32_t contextLen,
uint8_t * sig,
uint32_t * inout_sig_len
)
Sign a message using an Ed25519 key on the server.
function wh_Client_Ed25519Verify
int wh_Client_Ed25519Verify(
whClientContext * ctx,
ed25519_key * key,
const uint8_t * sig,
uint32_t sigLen,
const uint8_t * msg,
uint32_t msgLen,
uint8_t type,
const uint8_t * context,
uint32_t contextLen,
int * out_res
)
Verify a message signature using an Ed25519 key on the server.
function wh_Client_Ed25519SignDma
int wh_Client_Ed25519SignDma(
whClientContext * ctx,
ed25519_key * key,
const uint8_t * msg,
uint32_t msgLen,
uint8_t type,
const uint8_t * context,
uint32_t contextLen,
uint8_t * sig,
uint32_t * inout_sig_len
)
Sign a message using an Ed25519 key via DMA.
function wh_Client_Ed25519VerifyDma
int wh_Client_Ed25519VerifyDma(
whClientContext * ctx,
ed25519_key * key,
const uint8_t * sig,
uint32_t sigLen,
const uint8_t * msg,
uint32_t msgLen,
uint8_t type,
const uint8_t * context,
uint32_t contextLen,
int * out_res
)
Verify a signature using an Ed25519 key via DMA.
function wh_Client_RsaSetKeyId
int wh_Client_RsaSetKeyId(
RsaKey * key,
whNvmId keyId
)
Associates an RSA key with a specific key ID.
Parameters:
- key Pointer to the RSA key structure.
- keyId Key ID to be associated with the RSA key.
Return: int Returns 0 on success or a negative error code on failure.
This function sets the device context of an RSA key to the specified key ID. On the server side, this key ID is used to reference the key stored in the HSM.
function wh_Client_RsaGetKeyId
int wh_Client_RsaGetKeyId(
RsaKey * key,
whNvmId * outId
)
Gets the wolfHSM keyId being used by the wolfCrypt struct.
Parameters:
- key Pointer to the RSA key structure.
- outId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function gets the device context of a RSA key that was previously set by either the crypto callback layer or wh_Client_SetKeyRsa.
function wh_Client_RsaImportKey
int wh_Client_RsaImportKey(
whClientContext * ctx,
const RsaKey * key,
whKeyId * inout_keyId,
whNvmFlags flags,
uint32_t label_len,
uint8_t * label
)
Imports wolfCrypt RSA key as a PCKS1 DER-formatted file into the wolfHSM server key cache.
Parameters:
- ctx Pointer to the wolfHSM client structure.
- key Pointer to the RSA key structure.
- flags Value of flags to indicate server usage
- label_len Length of the optional label in bytes, Valid values are 0 to WH_NVM_LABEL_LEN.
- label pointer to the optional label byte array. May be NULL.
- out_keyId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function converts the RsaKey struct to DER format, installs into the server's key cache, and provides the server-allocated keyId for reference.
function wh_Client_RsaExportKey
int wh_Client_RsaExportKey(
whClientContext * ctx,
whKeyId keyId,
RsaKey * key,
uint32_t label_len,
uint8_t * label
)
Exports a PKCS1 DER-formated RSA key from the wolfHSM server keycache and decodes it into the wolfCrypt RSA key structure.
Parameters:
- ctx Pointer to the wolfHSM client structure.
- out_keyId Server key ID to export.
- key Pointer to the RSA key structure.
- label_len Length of the optional label in bytes, Valid values are 0 to WH_NVM_LABEL_LEN.
- label pointer to the optional label byte array. May be NULL.
Return: int Returns 0 on success or a negative error code on failure.
This function exports the specified key from wolfHSM server key cache as a PCKS1 DER file and decodes the key into the wolfCrypt RsaKey structure, optionally copying out the associated label as well.
function wh_Client_RsaExportPublicKey
int wh_Client_RsaExportPublicKey(
whClientContext * ctx,
whKeyId keyId,
RsaKey * key,
uint32_t label_len,
uint8_t * label
)
Exports only the public part of a cached RSA key.
Parameters:
- ctx Pointer to the wolfHSM client context.
- keyId Server key ID whose public key should be exported. Must not be WH_KEYID_ERASED.
- key Pointer to a caller-initialized RsaKey. On success, the modulus and public exponent are populated and key->type is set to RSA_PUBLIC.
- label_len Size of the optional label buffer in bytes. Values larger than WH_NVM_LABEL_LEN are truncated. Set to 0 if label is not needed.
- label Optional buffer to receive the key's label. May be NULL.
Return: int Returns 0 on success or a negative wolfHSM/wolfCrypt error code on failure (e.g. WH_ERROR_NOTFOUND, WH_ERROR_BADARGS).
Unlike wh_Client_RsaExportKey(), which returns the full cached key (including private material), this function instructs the server to emit only the public portion as a PKCS#1 DER blob. The private key stays inside the HSM. The decoded key is written into the caller-initialized RsaKey struct and will report type == RSA_PUBLIC.
The NONEXPORTABLE key flag does NOT block this call because public material is non-sensitive.
The caller is responsible for initializing key (e.g. wc_InitRsaKey_ex) prior to calling this function.
function wh_Client_RsaMakeExportKey
int wh_Client_RsaMakeExportKey(
whClientContext * ctx,
uint32_t size,
uint32_t e,
RsaKey * rsa
)
function wh_Client_RsaMakeCacheKey
int wh_Client_RsaMakeCacheKey(
whClientContext * ctx,
uint32_t size,
uint32_t e,
whKeyId * inout_key_id,
whNvmFlags flags,
uint32_t label_len,
uint8_t * label
)
function wh_Client_RsaFunction
int wh_Client_RsaFunction(
whClientContext * ctx,
RsaKey * key,
int rsa_type,
const uint8_t * in,
uint16_t in_len,
uint8_t * out,
uint16_t * inout_out_len
)
function wh_Client_RsaGetSize
int wh_Client_RsaGetSize(
whClientContext * ctx,
const RsaKey * key,
int * out_size
)
function wh_Client_HkdfMakeCacheKey
int wh_Client_HkdfMakeCacheKey(
whClientContext * ctx,
int hashType,
whKeyId keyIdIn,
const uint8_t * inKey,
uint32_t inKeySz,
const uint8_t * salt,
uint32_t saltSz,
const uint8_t * info,
uint32_t infoSz,
whKeyId * inout_key_id,
whNvmFlags flags,
const uint8_t * label,
uint32_t label_len,
uint32_t outSz
)
Generate HKDF output and store in the server key cache.
Parameters:
- ctx Pointer to the client context
- hashType Hash type (WC_SHA256, WC_SHA384, WC_SHA512, etc.)
- keyIdIn Key ID of input key material from cache. Set to WH_KEYID_ERASED to use inKey/inKeySz instead.
- inKey Input keying material (can be NULL if keyIdIn is set)
- inKeySz Size of input keying material (must be 0 if using keyIdIn)
- salt Optional salt (can be NULL)
- saltSz Size of salt (0 if NULL)
- info Optional info (can be NULL)
- infoSz Size of info (0 if NULL)
- inout_key_id. Set to WH_KEYID_ERASED to have the server select a unique id for this key.
- flags NVM flags to be associated with the key metadata
- label Label to be associated with the key metadata
- label_len Size of the label up to WH_NVM_LABEL_SIZE. Set to 0 if not used.
- outSz Size of key material to generate and cache
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate HKDF output and store it in the server's key cache. The generated key material is not returned to the client.
function wh_Client_HkdfMakeExportKey
int wh_Client_HkdfMakeExportKey(
whClientContext * ctx,
int hashType,
whKeyId keyIdIn,
const uint8_t * inKey,
uint32_t inKeySz,
const uint8_t * salt,
uint32_t saltSz,
const uint8_t * info,
uint32_t infoSz,
uint8_t * out,
uint32_t outSz
)
Generate HKDF output and export to the client.
Parameters:
- ctx Pointer to the client context
- hashType Hash type (WC_SHA256, WC_SHA384, WC_SHA512, etc.)
- keyIdIn Key ID of input key material from cache. Set to WH_KEYID_ERASED to use inKey/inKeySz instead.
- inKey Input keying material (can be NULL if keyIdIn is set)
- inKeySz Size of input keying material (must be 0 if using keyIdIn)
- salt Optional salt (can be NULL)
- saltSz Size of salt (0 if NULL)
- info Optional info (can be NULL)
- infoSz Size of info (0 if NULL)
- out Output buffer for key material
- outSz Size of output buffer
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to generate HKDF output and export it to the client, without using any key cache or additional resources
function wh_Client_CmacKdfMakeCacheKey
int wh_Client_CmacKdfMakeCacheKey(
whClientContext * ctx,
whKeyId saltKeyId,
const uint8_t * salt,
uint32_t saltSz,
whKeyId zKeyId,
const uint8_t * z,
uint32_t zSz,
const uint8_t * fixedInfo,
uint32_t fixedInfoSz,
whKeyId * inout_key_id,
whNvmFlags flags,
const uint8_t * label,
uint32_t label_len,
uint32_t outSz
)
Generate CMAC two-step KDF output and store it in the server cache.
Parameters:
- ctx Pointer to the client context.
- saltKeyId Key ID of the salt material. Set to WH_KEYID_ERASED to use the salt buffer instead.
- salt Pointer to the salt buffer. May be NULL when saltKeyId is provided.
- saltSz Size of the salt buffer in bytes.
- zKeyId Key ID of the Z shared secret. Set to WH_KEYID_ERASED to use the z buffer instead.
- z Pointer to the shared secret buffer. May be NULL when zKeyId is provided.
- zSz Size of the shared secret buffer in bytes.
- fixedInfo Optional fixed info buffer (may be NULL).
- fixedInfoSz Size of the fixed info buffer in bytes.
- inout_key_id Pointer to the key ID to use or update. Set to WH_KEYID_ERASED to have the server allocate one.
- flags NVM flags to associate with the generated key.
- label Optional label metadata to store alongside the key.
- label_len Length of the optional label in bytes.
- outSz Desired size of the derived key material.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to run the NIST SP 800-56C two-step CMAC KDF. The derived key material is cached on the server and not returned to the client.
function wh_Client_CmacKdfMakeExportKey
int wh_Client_CmacKdfMakeExportKey(
whClientContext * ctx,
whKeyId saltKeyId,
const uint8_t * salt,
uint32_t saltSz,
whKeyId zKeyId,
const uint8_t * z,
uint32_t zSz,
const uint8_t * fixedInfo,
uint32_t fixedInfoSz,
uint8_t * out,
uint32_t outSz
)
Generate CMAC two-step KDF output and export to the client.
Parameters:
- ctx Pointer to the client context.
- saltKeyId Key ID of the salt material. Set to WH_KEYID_ERASED to use the salt buffer instead.
- salt Pointer to the salt buffer. May be NULL when saltKeyId is provided.
- saltSz Size of the salt buffer in bytes.
- zKeyId Key ID of the Z shared secret. Set to WH_KEYID_ERASED to use the z buffer instead.
- z Pointer to the shared secret buffer. May be NULL when zKeyId is provided.
- zSz Size of the shared secret buffer in bytes.
- fixedInfo Optional fixed info buffer (may be NULL).
- fixedInfoSz Size of the fixed info buffer in bytes.
- out Output buffer for the derived key material.
- outSz Size of the output buffer in bytes.
Return: int Returns 0 on success or a negative error code on failure.
This function requests the server to run the NIST SP 800-56C two-step CMAC KDF and return the derived key material directly to the client.
function wh_Client_AesSetKeyId
int wh_Client_AesSetKeyId(
Aes * key,
whNvmId keyId
)
Associates an AES key with a specific key ID.
Parameters:
- key Pointer to the AES key structure.
- keyId Key ID to be associated with the AES key.
Return: int Returns 0 on success or a negative error code on failure.
This function sets the device context of an AES key to the specified key ID. On the server side, this key ID is used to reference the key stored in the HSM
function wh_Client_AesGetKeyId
int wh_Client_AesGetKeyId(
Aes * key,
whNvmId * outId
)
Gets the wolfHSM keyId being used by the wolfCrypt struct.
Parameters:
- key Pointer to the AES key structure.
- outId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function gets the device context of a AES key that was previously set by either the crypto callback layer or wh_Client_SetKeyAes.
function wh_Client_AesCtr
int wh_Client_AesCtr(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Performs an AES-CTR operation.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-CTR encrypt or decrypt operation on the input data and stores the result in the output buffer.
function wh_Client_AesCtrDma
int wh_Client_AesCtrDma(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Performs an AES-CTR operation using DMA.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-CTR encrypt or decrypt operation on the input data and stores the result in the output buffer using direct memory access when communicating with the wolfHSM server.
function wh_Client_AesCtrRequest
int wh_Client_AesCtrRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len
)
Send an AES-CTR encrypt/decrypt request to the server (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure with key and counter state
- enc 1 for encrypt, 0 for decrypt (ignored by CTR, present for API symmetry with the other modes)
- in Pointer to the input data (may be NULL only if len == 0)
- len Length of the input data in bytes
Return: int Returns 0 on success or a negative error code on failure.
Sends a single AES-CTR request to the server. The key material is read from the Aes struct (set via wc_AesSetKey or wh_Client_AesSetKeyId). The counter state (IV register and partial-block remainder) is carried on the Aes struct across the Request/Response boundary; callers must not mutate the Aes struct between the two halves. Use wh_Client_AesCtrResponse to retrieve the result.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesCtrResponse before issuing any other async Request on the same ctx.
function wh_Client_AesCtrResponse
int wh_Client_AesCtrResponse(
whClientContext * ctx,
Aes * aes,
uint8_t * out,
uint32_t * out_size
)
Receive the server's AES-CTR response (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure (counter state updated)
- out Pointer to where the output data is placed. Must not be NULL.
- out_size Set to the number of bytes produced. May be NULL.
Return: int Returns 0 on success, WH_ERROR_NOTREADY if the response is not yet available, or a negative error code on failure.
Retrieves the result of a prior wh_Client_AesCtrRequest call. The counter state (IV register and partial-block remainder) in the Aes struct is updated from the server response so subsequent CTR calls continue from the correct counter. Returns WH_ERROR_NOTREADY if the response is not yet available.
function wh_Client_AesCtrDmaRequest
int wh_Client_AesCtrDmaRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Send an AES-CTR encrypt/decrypt DMA request to the server (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure with key and counter state
- enc 1 for encrypt, 0 for decrypt
- in Pointer to the input data (may be NULL only if len == 0)
- len Length of the input data in bytes
- out Pointer to the output buffer
Return: int Returns 0 on success, WH_ERROR_REQUEST_PENDING if the transport is still busy with a prior request, or a negative error code on failure. On failure any acquired DMA mapping is released before returning.
Performs PRE address translation for the input and output buffers, stashes the translated addresses in ctx->dma.asyncCtx.aes for POST cleanup, and sends the DMA request to the server. Does NOT wait for a reply. Caller must keep in and out valid until the matching wh_Client_AesCtrDmaResponse completes.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesCtrDmaResponse before issuing any other async Request on the same ctx.
function wh_Client_AesCtrDmaResponse
int wh_Client_AesCtrDmaResponse(
whClientContext * ctx,
Aes * aes
)
Receive the server's AES-CTR DMA response (non-blocking)
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. The output data is written by the server directly to the client buffer passed to wh_Client_AesCtrDmaRequest. POST DMA cleanup for both input and output buffers is performed on every non-NOTREADY return so the client buffer is safe to read regardless of error. The counter state on the Aes struct is updated on success.
function wh_Client_AesEcb
int wh_Client_AesEcb(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Performs an AES-ECB operation.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-ECB encrypt or decrypt operation on the input data and stores the result in the output buffer.
function wh_Client_AesEcbDma
int wh_Client_AesEcbDma(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Performs an AES-ECB operation using DMA.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-ECB encrypt or decrypt operation on the input data and stores the result in the output buffer using direct memory access when communicating with the wolfHSM server.
function wh_Client_AesEcbRequest
int wh_Client_AesEcbRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len
)
Send an AES-ECB encrypt/decrypt request to the server (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure with key state
- enc 1 for encrypt, 0 for decrypt
- in Pointer to the input data (must be block-aligned)
- len Length of the input data in bytes (must be a multiple of AES_BLOCK_SIZE)
Return: int Returns 0 on success or a negative error code on failure.
Sends a single AES-ECB request to the server. The key material is read from the Aes struct (set via wc_AesSetKey or wh_Client_AesSetKeyId). Use wh_Client_AesEcbResponse to retrieve the result.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesEcbResponse before issuing any other async Request on the same ctx. As a special case, len == 0 is a no-op: this function returns WH_ERROR_OK without sending, and the caller MUST NOT call wh_Client_AesEcbResponse afterwards (no response will arrive).
function wh_Client_AesEcbResponse
int wh_Client_AesEcbResponse(
whClientContext * ctx,
Aes * aes,
uint8_t * out,
uint32_t * out_size
)
Receive the server's AES-ECB response (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure
- out Pointer to where the output data is placed. Must not be NULL.
- out_size Set to the number of bytes produced. May be NULL.
Return: int Returns 0 on success, WH_ERROR_NOTREADY if the response is not yet available, or a negative error code on failure.
Retrieves the result of a prior wh_Client_AesEcbRequest call. Returns WH_ERROR_NOTREADY if the response is not yet available.
function wh_Client_AesEcbDmaRequest
int wh_Client_AesEcbDmaRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Send an AES-ECB DMA request to the server (non-blocking)
Return: int Returns 0 on success, WH_ERROR_REQUEST_PENDING if the transport is still busy with a prior request, or a negative error code on failure. On failure any acquired DMA mapping is released before returning.
Performs PRE address translation for the input and output buffers, stashes the translated addresses in ctx->dma.asyncCtx.aes for POST cleanup, and sends the DMA request to the server. Does NOT wait for a reply. Caller must keep in and out valid until the matching wh_Client_AesEcbDmaResponse completes.
function wh_Client_AesEcbDmaResponse
int wh_Client_AesEcbDmaResponse(
whClientContext * ctx,
Aes * aes
)
Receive the server's AES-ECB DMA response (non-blocking)
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. The output data is written by the server directly to the client buffer passed to wh_Client_AesEcbDmaRequest. POST DMA cleanup for both input and output buffers is performed on every non-NOTREADY return so the client buffer is safe to read regardless of error.
function wh_Client_AesCbc
int wh_Client_AesCbc(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Performs an AES-CBC operation.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-CBC encrypt or decrypt operation on the input data and stores the result in the output buffer.
function wh_Client_AesCbcDma
int wh_Client_AesCbcDma(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Performs an AES-CBC operation using DMA.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-CBC encrypt or decrypt operation on the input data and stores the result in the output buffer using direct memory access when communicating with the wolfHSM server.
function wh_Client_AesCbcRequest
int wh_Client_AesCbcRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len
)
Send an AES-CBC encrypt/decrypt request to the server (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure with key and IV state
- enc 1 for encrypt, 0 for decrypt
- in Pointer to the input data (must be block-aligned)
- len Length of the input data in bytes (must be a multiple of AES_BLOCK_SIZE)
Return: int Returns 0 on success or a negative error code on failure.
Sends a single AES-CBC request to the server. The key material is read from the Aes struct (set via wc_AesSetKey or wh_Client_AesSetKeyId). The IV state on the Aes struct is updated only after the matching wh_Client_AesCbcResponse succeeds; a failed Request leaves aes->reg unchanged so callers can retry.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesCbcResponse before issuing any other async Request on the same ctx. As a special case, len == 0 is a no-op: this function returns WH_ERROR_OK without sending, and the caller MUST NOT call wh_Client_AesCbcResponse afterwards (no response will arrive).
function wh_Client_AesCbcResponse
int wh_Client_AesCbcResponse(
whClientContext * ctx,
Aes * aes,
uint8_t * out,
uint32_t * out_size
)
Receive the server's AES-CBC response (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure (IV updated on encrypt)
- out Pointer to where the output data is placed. Must not be NULL.
- out_size Set to the number of bytes produced. May be NULL.
Return: int Returns 0 on success, WH_ERROR_NOTREADY if the response is not yet available, or a negative error code on failure.
Retrieves the result of a prior wh_Client_AesCbcRequest call. For encryption, the IV in the Aes struct is updated with the last ciphertext block for CBC chaining. Returns WH_ERROR_NOTREADY if the response is not yet available.
function wh_Client_AesCbcDmaRequest
int wh_Client_AesCbcDmaRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out
)
Send an AES-CBC DMA request to the server (non-blocking)
Return: int Returns 0 on success, WH_ERROR_REQUEST_PENDING if the transport is still busy with a prior request, or a negative error code on failure. On failure any acquired DMA mapping is released before returning.
Performs PRE address translation for the input and output buffers, stashes the translated addresses in ctx->dma.asyncCtx.aes for POST cleanup, and sends the DMA request to the server. Does NOT wait for a reply. Caller must keep in and out valid until the matching wh_Client_AesCbcDmaResponse completes.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesCbcDmaResponse before issuing any other async Request on the same ctx.
function wh_Client_AesCbcDmaResponse
int wh_Client_AesCbcDmaResponse(
whClientContext * ctx,
Aes * aes
)
Receive the server's AES-CBC DMA response (non-blocking)
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. The output data is written by the server directly to the client buffer passed to wh_Client_AesCbcDmaRequest; the updated IV is returned inline and copied back onto the Aes struct for CBC chaining. POST DMA cleanup for both input and output buffers is performed on every non-NOTREADY return so the client buffer is safe to read regardless of error.
function wh_Client_AesGcm
int wh_Client_AesGcm(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
const uint8_t * iv,
uint32_t iv_len,
const uint8_t * authin,
uint32_t authin_len,
const uint8_t * dec_tag,
uint8_t * enc_tag,
uint32_t tag_len,
uint8_t * out
)
Performs an AES-GCM operation.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- iv Pointer to the IV data.
- iv_len Length of the IV data in bytes.
- authin Pointer to the authentication data.
- authin_len Length of the authentication data in bytes.
- dec_tag Pointer to the decryption tag data.
- enc_tag Pointer to the encryption tag data.
- tag_len Length of the tag data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-GCM encrypt or decrypt operation on the input data and stores the result in the output buffer.
function wh_Client_AesGcmDma
int wh_Client_AesGcmDma(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
const uint8_t * iv,
uint32_t iv_len,
const uint8_t * authin,
uint32_t authin_len,
const uint8_t * dec_tag,
uint8_t * enc_tag,
uint32_t tag_len,
uint8_t * out
)
Performs an AES-GCM operation using DMA.
Parameters:
- ctx Pointer to the wolfHSM client context.
- aes Pointer to the AES structure.
- enc 1 for encrypt, 0 for decrypt.
- in Pointer to the input data.
- len Length of the input and output data in bytes.
- iv Pointer to the IV data.
- iv_len Length of the IV data in bytes.
- authin Pointer to the authentication data.
- authin_len Length of the authentication data in bytes.
- dec_tag Pointer to the decryption tag data.
- enc_tag Pointer to the encryption tag data.
- tag_len Length of the tag data in bytes.
- out Pointer to the output data.
Return: int Returns 0 on success or a negative error code on failure.
This function performs an AES-GCM encrypt or decrypt operation on the input data and stores the result in the output buffer using direct memory access when communicating with the wolfHSM server.
function wh_Client_AesGcmRequest
int wh_Client_AesGcmRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
const uint8_t * iv,
uint32_t iv_len,
const uint8_t * authin,
uint32_t authin_len,
const uint8_t * dec_tag,
uint32_t tag_len
)
Send an AES-GCM encrypt/decrypt request to the server (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure with key state
- enc 1 for encrypt, 0 for decrypt
- in Pointer to the input data (may be NULL only if len == 0)
- len Length of the input data in bytes
- iv Pointer to the IV (may be NULL only if iv_len == 0)
- iv_len Length of the IV in bytes
- authin Pointer to the AAD (may be NULL only if authin_len == 0)
- authin_len Length of the AAD in bytes
- dec_tag For decrypt: pointer to the expected auth tag (NULL only if enc == 1). Ignored for encrypt.
- tag_len Length of the auth tag in bytes
Return: int Returns 0 on success or a negative error code on failure.
Sends a single AES-GCM request to the server. The key material is read from the Aes struct (set via wc_AesSetKey or wh_Client_AesSetKeyId). The ciphertext, AAD, and decrypt tag (if any) are inlined in the request. Use wh_Client_AesGcmResponse to retrieve the output ciphertext/plaintext and (for encrypt) the auth tag.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesGcmResponse before issuing any other async Request on the same ctx.
function wh_Client_AesGcmResponse
int wh_Client_AesGcmResponse(
whClientContext * ctx,
Aes * aes,
uint8_t * out,
uint32_t out_capacity,
uint32_t * out_size,
uint8_t * enc_tag,
uint32_t tag_len
)
Receive the server's AES-GCM response (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure
- out Pointer to where the output data is placed. May be NULL for GMAC (tag-only) operations, in which case out_capacity must be 0.
- out_capacity Capacity of the out buffer in bytes. If the server reports a larger payload, the call returns WH_ERROR_ABORTED instead of writing past out.
- out_size Set to the number of bytes produced. May be NULL.
- enc_tag For encrypt: buffer to receive the auth tag. Ignored for decrypt (may be NULL).
- tag_len Length of the enc_tag buffer in bytes.
Return: int Returns 0 on success, WH_ERROR_NOTREADY if the response is not yet available, WH_ERROR_ABORTED if the server's reported payload size exceeds out_capacity, or a negative error code on failure.
Retrieves the result of a prior wh_Client_AesGcmRequest call. For encrypt, the auth tag is copied into enc_tag. Returns WH_ERROR_NOTREADY if the response is not yet available. For decrypt, a failing tag comparison is surfaced as a negative error from the server (AES_GCM_AUTH_E).
function wh_Client_AesGcmDmaRequest
int wh_Client_AesGcmDmaRequest(
whClientContext * ctx,
Aes * aes,
int enc,
const uint8_t * in,
uint32_t len,
uint8_t * out,
const uint8_t * iv,
uint32_t iv_len,
const uint8_t * authin,
uint32_t authin_len,
const uint8_t * dec_tag,
uint32_t tag_len
)
Send an AES-GCM DMA request to the server (non-blocking)
Return: int Returns 0 on success, WH_ERROR_REQUEST_PENDING if the transport is still busy with a prior request, or a negative error code on failure. On failure any acquired DMA mapping is released before returning.
Performs PRE address translation for the input, output, and AAD buffers, stashes the translated addresses in ctx->dma.asyncCtx.aes for POST cleanup, and sends the DMA request to the server. Does NOT wait for a reply. The IV, auth tag (for decrypt), and key are passed inline. Caller must keep in, out, and authin valid until the matching wh_Client_AesGcmDmaResponse completes.
Contract: at most one outstanding async request may be in flight per whClientContext. The caller MUST call wh_Client_AesGcmDmaResponse before issuing any other async Request on the same ctx.
function wh_Client_AesGcmDmaResponse
int wh_Client_AesGcmDmaResponse(
whClientContext * ctx,
Aes * aes,
uint8_t * enc_tag,
uint32_t tag_len
)
Receive the server's AES-GCM DMA response (non-blocking)
Parameters:
- ctx Pointer to the client context
- aes Pointer to the AES structure
- enc_tag For encrypt: buffer to receive the auth tag. Ignored for decrypt (may be NULL).
- tag_len Length of the enc_tag buffer in bytes.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. The output data is written by the server directly to the client buffer passed to wh_Client_AesGcmDmaRequest; for encrypt the auth tag is returned inline and copied into enc_tag. POST DMA cleanup for input, output, and AAD buffers is performed on every non-NOTREADY return.
function wh_Client_Cmac
int wh_Client_Cmac(
whClientContext * ctx,
Cmac * cmac,
CmacType type,
const uint8_t * key,
uint32_t keyLen,
const uint8_t * in,
uint32_t inLen,
uint8_t * outMac,
uint32_t * outMacLen
)
Performs a CMAC operation on the input data.
Parameters:
- ctx Pointer to the wolfHSM client context.
- cmac Pointer to the CMAC structure.
- type The type of CMAC operation.
- key Pointer to the key buffer, or NULL if using a key stored in HSM.
- keyLen Length of the key in bytes.
- in Pointer to the input data buffer, or NULL for finalization.
- inLen Length of the input data in bytes.
- outMac Pointer to the output buffer for the CMAC tag.
- outMacLen Pointer to the size of the output buffer, updated with actual size.
Return: int Returns WH_ERROR_OK (0) on success, or a negative error code on failure.
This function performs a CMAC operation with the specified parameters. It can be used for initialization, update, or finalization of CMAC operations, depending on the input arguments.
function wh_Client_CmacSetKeyId
int wh_Client_CmacSetKeyId(
Cmac * key,
whNvmId keyId
)
Associates a CMAC key with a specific key ID.
Parameters:
- key Pointer to the CMAC key structure.
- keyId Key ID to be associated with the CMAC key.
Return: int Returns 0 on success or a negative error code on failure.
This function sets the device context of a CMAC key to the specified key ID. On the server side, this key ID is used to reference the key stored in the HSM
function wh_Client_CmacGetKeyId
int wh_Client_CmacGetKeyId(
Cmac * key,
whNvmId * outId
)
Gets the wolfHSM keyId being used by the wolfCrypt struct.
Parameters:
- key Pointer to the CMAC key structure.
- outId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function gets the device context of a CMAC key that was previously set by either the crypto callback layer or wh_Client_SetKeyCmac.
function wh_Client_CmacDma
int wh_Client_CmacDma(
whClientContext * ctx,
Cmac * cmac,
CmacType type,
const uint8_t * key,
uint32_t keyLen,
const uint8_t * in,
uint32_t inLen,
uint8_t * outMac,
uint32_t * outMacLen
)
Performs CMAC operations using DMA for data transfer.
Parameters:
- ctx Pointer to the client context structure.
- cmac Pointer to the CMAC structure to be used.
- type The type of CMAC operation (e.g., WC_CMAC_AES).
- key Pointer to the key data. NULL if using a stored key.
- keyLen Length of the key in bytes.
- in Pointer to the input data. NULL if not performing an update.
- inLen Length of the input data in bytes.
- outMac Pointer to store the CMAC result. NULL if not finalizing.
- outMacLen Pointer to the size of the outMac buffer. Updated with actual size on return.
Return: int Returns 0 on success or a negative error code on failure.
This function performs CMAC operations (initialize, update, finalize) using DMA for efficient data transfer between client and server. The operation performed depends on which parameters are non-NULL.
function wh_Client_Sha256
int wh_Client_Sha256(
whClientContext * ctx,
wc_Sha256 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-256 hash operation on the input data.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-256 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-256 hash operation on the input data and stores the result in the output buffer.
function wh_Client_Sha256UpdateRequest
int wh_Client_Sha256UpdateRequest(
whClientContext * ctx,
wc_Sha256 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
Async request half of a non-DMA SHA-256 Update.
Parameters:
- ctx Client context.
- sha SHA-256 context (buffer/buffLen updated on success).
- in Input data (may be NULL only if inLen == 0).
- inLen Input length. Must not exceed the per-call capacity (max inline + remaining buffer slack); use the blocking wrapper for arbitrary lengths.
- requestSent Set to true if a server request was sent and a matching Response call is required; false if the input was fully absorbed into sha->buffer and no round-trip was issued.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS if inLen exceeds the per-call capacity (sha is left unchanged in that case).
Serializes and sends an Update request carrying as many full blocks as fit in the comm buffer (up to WH_MESSAGE_CRYPTO_SHA256_MAX_INLINE_UPDATE_SZ bytes), absorbing any leading bytes already buffered in sha->buffer. Any tail (<64 bytes) remaining after this call is stored in sha->buffer for the next call. Does NOT wait for a reply.
Contract: at most one outstanding async request may be in flight per whClientContext (enforced by the comm layer's pending-request tracking). If *requestSent is true, the caller MUST call wh_Client_Sha256UpdateResponse before issuing any other async Request on the same ctx, including a Request using a different wc_Sha256 instance or a different algorithm.
function wh_Client_Sha256UpdateResponse
int wh_Client_Sha256UpdateResponse(
whClientContext * ctx,
wc_Sha256 * sha
)
Async response half of a non-DMA SHA-256 Update.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, updates sha->digest/hiLen/loLen from the reply. MUST only be called if the matching Request returned requestSent == true.
function wh_Client_Sha256FinalRequest
int wh_Client_Sha256FinalRequest(
whClientContext * ctx,
wc_Sha256 * sha
)
Async request half of a non-DMA SHA-256 Final.
Sends the current sha->buffer (0..63 bytes) as the last block.
function wh_Client_Sha256FinalResponse
int wh_Client_Sha256FinalResponse(
whClientContext * ctx,
wc_Sha256 * sha,
uint8_t * out
)
Async response half of a non-DMA SHA-256 Final.
Single-shot RecvResponse. Copies final digest into out, then resets sha state via wc_InitSha256_ex (preserving devId).
function wh_Client_Sha256Dma
int wh_Client_Sha256Dma(
whClientContext * ctx,
wc_Sha256 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-256 hash operation on the input data using DMA.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-256 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-256 hash operation on the input data and stores the result in the output buffer using DMA.
function wh_Client_Sha256DmaUpdateRequest
int wh_Client_Sha256DmaUpdateRequest(
whClientContext * ctx,
wc_Sha256 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
Async request half of a DMA SHA-256 Update.
Buffers partial blocks on the client. Sends whole blocks via DMA to the server, with any assembled first block (from the partial buffer) as inline trailing data. Sets *requestSent to indicate whether a message was sent (false when all input was absorbed into the partial-block buffer).
function wh_Client_Sha256DmaUpdateResponse
int wh_Client_Sha256DmaUpdateResponse(
whClientContext * ctx,
wc_Sha256 * sha
)
Async response half of a DMA SHA-256 Update.
Receives the server response and restores the updated SHA state from the inline response. Runs POST DMA cleanup for the input buffer.
function wh_Client_Sha256DmaFinalRequest
int wh_Client_Sha256DmaFinalRequest(
whClientContext * ctx,
wc_Sha256 * sha
)
Async request half of a DMA SHA-256 Final.
Sends the partial-block tail as inline data with the resume state. No DMA addresses are used (the final hash is returned inline in the response).
function wh_Client_Sha256DmaFinalResponse
int wh_Client_Sha256DmaFinalResponse(
whClientContext * ctx,
wc_Sha256 * sha,
uint8_t * out
)
Async response half of a DMA SHA-256 Final.
Receives the final hash from the inline response and copies it to out.
function wh_Client_Sha224
int wh_Client_Sha224(
whClientContext * ctx,
wc_Sha224 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-224 hash operation on the input data.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-224 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-224 hash operation on the input data and stores the result in the output buffer.
function wh_Client_Sha224UpdateRequest
int wh_Client_Sha224UpdateRequest(
whClientContext * ctx,
wc_Sha224 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
Async request half of a non-DMA SHA-224 Update.
Parameters:
- ctx Client context.
- sha SHA-224 context (buffer/buffLen updated on success).
- in Input data (may be NULL only if inLen == 0).
- inLen Input length. Must not exceed the per-call capacity (max inline + remaining buffer slack); use the blocking wrapper for arbitrary lengths.
- requestSent Set to true if a server request was sent and a matching Response call is required; false if the input was fully absorbed into sha->buffer and no round-trip was issued.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS if inLen exceeds the per-call capacity (sha is left unchanged in that case).
Serializes and sends an Update request carrying as many full blocks as fit in the comm buffer (up to WH_MESSAGE_CRYPTO_SHA224_MAX_INLINE_UPDATE_SZ bytes), absorbing any leading bytes already buffered in sha->buffer. Any tail (<64 bytes) remaining after this call is stored in sha->buffer for the next call. Does NOT wait for a reply.
Contract: at most one outstanding async request may be in flight per whClientContext (enforced by the comm layer's pending-request tracking). If *requestSent is true, the caller MUST call wh_Client_Sha224UpdateResponse before issuing any other async Request on the same ctx, including a Request using a different wc_Sha224 instance or a different algorithm.
function wh_Client_Sha224UpdateResponse
int wh_Client_Sha224UpdateResponse(
whClientContext * ctx,
wc_Sha224 * sha
)
Async response half of a non-DMA SHA-224 Update.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, updates sha->digest/hiLen/loLen from the reply. MUST only be called if the matching Request returned requestSent == true.
function wh_Client_Sha224FinalRequest
int wh_Client_Sha224FinalRequest(
whClientContext * ctx,
wc_Sha224 * sha
)
Async request half of a non-DMA SHA-224 Final.
Sends the current sha->buffer (0..63 bytes) as the last block.
function wh_Client_Sha224FinalResponse
int wh_Client_Sha224FinalResponse(
whClientContext * ctx,
wc_Sha224 * sha,
uint8_t * out
)
Async response half of a non-DMA SHA-224 Final.
Single-shot RecvResponse. Copies final digest into out, then resets sha state via wc_InitSha224_ex (preserving devId).
function wh_Client_Sha224Dma
int wh_Client_Sha224Dma(
whClientContext * ctx,
wc_Sha224 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-224 hash operation on the input data using DMA.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-224 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-224 hash operation on the input data and stores the result in the output buffer using DMA.
function wh_Client_Sha224DmaUpdateRequest
int wh_Client_Sha224DmaUpdateRequest(
whClientContext * ctx,
wc_Sha224 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
function wh_Client_Sha224DmaUpdateResponse
int wh_Client_Sha224DmaUpdateResponse(
whClientContext * ctx,
wc_Sha224 * sha
)
function wh_Client_Sha224DmaFinalRequest
int wh_Client_Sha224DmaFinalRequest(
whClientContext * ctx,
wc_Sha224 * sha
)
function wh_Client_Sha224DmaFinalResponse
int wh_Client_Sha224DmaFinalResponse(
whClientContext * ctx,
wc_Sha224 * sha,
uint8_t * out
)
function wh_Client_Sha384
int wh_Client_Sha384(
whClientContext * ctx,
wc_Sha384 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-384 hash operation on the input data.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-384 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-384 hash operation on the input data and stores the result in the output buffer.
function wh_Client_Sha384UpdateRequest
int wh_Client_Sha384UpdateRequest(
whClientContext * ctx,
wc_Sha384 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
Async request half of a non-DMA SHA-384 Update.
Parameters:
- ctx Client context.
- sha SHA-384 context (buffer/buffLen updated on success).
- in Input data (may be NULL only if inLen == 0).
- inLen Input length. Must not exceed the per-call capacity (max inline + remaining buffer slack); use the blocking wrapper for arbitrary lengths.
- requestSent Set to true if a server request was sent and a matching Response call is required; false if the input was fully absorbed into sha->buffer and no round-trip was issued.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS if inLen exceeds the per-call capacity (sha is left unchanged in that case).
Serializes and sends an Update request carrying as many full blocks as fit in the comm buffer (up to WH_MESSAGE_CRYPTO_SHA384_MAX_INLINE_UPDATE_SZ bytes), absorbing any leading bytes already buffered in sha->buffer. Any tail (<128 bytes) remaining after this call is stored in sha->buffer for the next call. Does NOT wait for a reply.
Contract: at most one outstanding async request may be in flight per whClientContext (enforced by the comm layer's pending-request tracking). If *requestSent is true, the caller MUST call wh_Client_Sha384UpdateResponse before issuing any other async Request on the same ctx, including a Request using a different wc_Sha384 instance or a different algorithm.
function wh_Client_Sha384UpdateResponse
int wh_Client_Sha384UpdateResponse(
whClientContext * ctx,
wc_Sha384 * sha
)
Async response half of a non-DMA SHA-384 Update.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, updates sha->digest/hiLen/loLen from the reply. MUST only be called if the matching Request returned requestSent == true.
function wh_Client_Sha384FinalRequest
int wh_Client_Sha384FinalRequest(
whClientContext * ctx,
wc_Sha384 * sha
)
Async request half of a non-DMA SHA-384 Final.
Sends the current sha->buffer (0..127 bytes) as the last block.
function wh_Client_Sha384FinalResponse
int wh_Client_Sha384FinalResponse(
whClientContext * ctx,
wc_Sha384 * sha,
uint8_t * out
)
Async response half of a non-DMA SHA-384 Final.
Single-shot RecvResponse. Copies final digest into out, then resets sha state via wc_InitSha384_ex (preserving devId).
function wh_Client_Sha384Dma
int wh_Client_Sha384Dma(
whClientContext * ctx,
wc_Sha384 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-384 hash operation on the input data using DMA.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-384 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-384 hash operation on the input data and stores the result in the output buffer using DMA.
function wh_Client_Sha384DmaUpdateRequest
int wh_Client_Sha384DmaUpdateRequest(
whClientContext * ctx,
wc_Sha384 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
function wh_Client_Sha384DmaUpdateResponse
int wh_Client_Sha384DmaUpdateResponse(
whClientContext * ctx,
wc_Sha384 * sha
)
function wh_Client_Sha384DmaFinalRequest
int wh_Client_Sha384DmaFinalRequest(
whClientContext * ctx,
wc_Sha384 * sha
)
function wh_Client_Sha384DmaFinalResponse
int wh_Client_Sha384DmaFinalResponse(
whClientContext * ctx,
wc_Sha384 * sha,
uint8_t * out
)
function wh_Client_Sha512
int wh_Client_Sha512(
whClientContext * ctx,
wc_Sha512 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-512 hash operation on the input data.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-512 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-512 hash operation on the input data and stores the result in the output buffer.
function wh_Client_Sha512UpdateRequest
int wh_Client_Sha512UpdateRequest(
whClientContext * ctx,
wc_Sha512 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
Async request half of a non-DMA SHA-512 Update.
Parameters:
- ctx Client context.
- sha SHA-512 context (buffer/buffLen updated on success).
- in Input data (may be NULL only if inLen == 0).
- inLen Input length. Must not exceed the per-call capacity (max inline + remaining buffer slack); use the blocking wrapper for arbitrary lengths.
- requestSent Set to true if a server request was sent and a matching Response call is required; false if the input was fully absorbed into sha->buffer and no round-trip was issued.
Return: WH_ERROR_OK on success, WH_ERROR_BADARGS if inLen exceeds the per-call capacity (sha is left unchanged in that case).
Serializes and sends an Update request carrying as many full blocks as fit in the comm buffer (up to WH_MESSAGE_CRYPTO_SHA512_MAX_INLINE_UPDATE_SZ bytes), absorbing any leading bytes already buffered in sha->buffer. Any tail (<128 bytes) remaining after this call is stored in sha->buffer for the next call. Does NOT wait for a reply.
Contract: at most one outstanding async request may be in flight per whClientContext (enforced by the comm layer's pending-request tracking). If *requestSent is true, the caller MUST call wh_Client_Sha512UpdateResponse before issuing any other async Request on the same ctx, including a Request using a different wc_Sha512 instance or a different algorithm.
function wh_Client_Sha512UpdateResponse
int wh_Client_Sha512UpdateResponse(
whClientContext * ctx,
wc_Sha512 * sha
)
Async response half of a non-DMA SHA-512 Update.
Single-shot RecvResponse; returns WH_ERROR_NOTREADY if the server has not yet replied. On success, updates sha->digest/hiLen/loLen from the reply. MUST only be called if the matching Request returned requestSent == true.
function wh_Client_Sha512FinalRequest
int wh_Client_Sha512FinalRequest(
whClientContext * ctx,
wc_Sha512 * sha
)
Async request half of a non-DMA SHA-512 Final.
Sends the current sha->buffer (0..127 bytes) as the last block.
function wh_Client_Sha512FinalResponse
int wh_Client_Sha512FinalResponse(
whClientContext * ctx,
wc_Sha512 * sha,
uint8_t * out
)
Async response half of a non-DMA SHA-512 Final.
Single-shot RecvResponse. Copies final digest into out, then resets sha state via wc_InitSha512_ex (preserving devId and hashType).
function wh_Client_Sha512Dma
int wh_Client_Sha512Dma(
whClientContext * ctx,
wc_Sha512 * sha,
const uint8_t * in,
uint32_t inLen,
uint8_t * out
)
Performs a SHA-512 hash operation on the input data using DMA.
Parameters:
- ctx Pointer to the client context structure.
- sha Pointer to the SHA-512 context structure.
- in Pointer to the input data.
- inLen Length of the input data in bytes.
- out Pointer to the output buffer.
Return: int Returns 0 on success or a negative error code on failure.
This function performs a SHA-512 hash operation on the input data and stores the result in the output buffer using DMA.
function wh_Client_Sha512DmaUpdateRequest
int wh_Client_Sha512DmaUpdateRequest(
whClientContext * ctx,
wc_Sha512 * sha,
const uint8_t * in,
uint32_t inLen,
bool * requestSent
)
function wh_Client_Sha512DmaUpdateResponse
int wh_Client_Sha512DmaUpdateResponse(
whClientContext * ctx,
wc_Sha512 * sha
)
function wh_Client_Sha512DmaFinalRequest
int wh_Client_Sha512DmaFinalRequest(
whClientContext * ctx,
wc_Sha512 * sha
)
function wh_Client_Sha512DmaFinalResponse
int wh_Client_Sha512DmaFinalResponse(
whClientContext * ctx,
wc_Sha512 * sha,
uint8_t * out
)
function wh_Client_MlDsaSetKeyId
int wh_Client_MlDsaSetKeyId(
MlDsaKey * key,
whKeyId keyId
)
Associates a ML-DSA key with a specific key ID.
Parameters:
- key Pointer to the ML-DSA key structure.
- keyId Key ID to be associated with the ML-DSA key.
Return: int Returns 0 on success or a negative error code on failure.
This function sets the device context of a ML-DSA key to the specified key ID. On the server side, this key ID is used to reference the key stored in the HSM
function wh_Client_MlDsaGetKeyId
int wh_Client_MlDsaGetKeyId(
MlDsaKey * key,
whKeyId * outId
)
Gets the wolfHSM keyId being used by the wolfCrypt struct.
Parameters:
- key Pointer to the ML-DSA key structure.
- outId Pointer to the key ID to return.
Return: int Returns 0 on success or a negative error code on failure.
This function gets the device context of a ML-DSA key that was previously set by either the crypto callback layer or wh_Client_MlDsaSetKeyId.
function wh_Client_MlDsaImportKey
int wh_Client_MlDsaImportKey(
whClientContext * ctx,
MlDsaKey * key,
whKeyId * inout_keyId,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Import a ML-DSA key to the server key cache.
Parameters:
- ctx Pointer to the client context
- key Pointer to the key to import
- inout_keyId Pointer to key ID to use/receive
- flags Flags to control key persistence
- label_len Length of optional label
- label Optional label to associate with key
Return: int Returns 0 on success or a negative error code on failure.
function wh_Client_MlDsaExportKey
int wh_Client_MlDsaExportKey(
whClientContext * ctx,
whKeyId keyId,
MlDsaKey * key,
uint16_t label_len,
uint8_t * label
)
Export a ML-DSA key from the server.
Parameters:
- ctx Pointer to the client context
- keyId ID of key to export
- key Pointer to receive exported key
- label_len Length of optional label buffer
- label Optional buffer to receive key label
Return: int Returns 0 on success or a negative error code on failure.
function wh_Client_MlDsaExportPublicKey
int wh_Client_MlDsaExportPublicKey(
whClientContext * ctx,
whKeyId keyId,
MlDsaKey * key,
uint16_t label_len,
uint8_t * label
)
Exports only the public part of a cached ML-DSA key.
Parameters:
- ctx Pointer to the wolfHSM client context.
- keyId Server key ID whose public key should be exported. Must not be WH_KEYID_ERASED.
- key Pointer to a caller-initialized MlDsaKey. On success, only the public half is populated (pubKeySet == 1, prvKeySet == 0).
- label_len Size of the optional label buffer in bytes. Values larger than WH_NVM_LABEL_LEN are truncated. Set to 0 if label is not needed.
- label Optional buffer to receive the key's label. May be NULL.
Return: int Returns 0 on success or a negative wolfHSM/wolfCrypt error code on failure (e.g. WH_ERROR_NOTFOUND, WH_ERROR_BADARGS).
Instructs the server to emit only the public portion of a cached ML-DSA key as SubjectPublicKeyInfo DER. The private key stays inside the HSM. The decoded key will have pubKeySet == 1 and prvKeySet == 0.
The NONEXPORTABLE key flag does NOT block this call because public material is non-sensitive. The caller is responsible for initializing key (e.g. wc_MlDsaKey_Init) and, if required, setting the ML-DSA parameter level via wc_MlDsaKey_SetParams prior to calling this function.
function wh_Client_MlDsaMakeExportKey
int wh_Client_MlDsaMakeExportKey(
whClientContext * ctx,
int level,
int size,
MlDsaKey * key
)
Generate a new ML-DSA key pair and export the public key.
Parameters:
- ctx Pointer to the client context structure.
- type The ML-DSA algorithm type.
- size Size of the key in bits.
- key Pointer to the ML-DSA key structure to store the key.
Return: int Returns 0 on success, or a negative error code on failure.
This function generates a new ML-DSA key pair in the HSM and exports the public key to the client. The private key remains securely stored in the HSM.
function wh_Client_MlDsaMakeCacheKey
int wh_Client_MlDsaMakeCacheKey(
whClientContext * ctx,
int size,
int level,
whKeyId * inout_key_id,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Create and cache a new ML-DSA key on the server.
Parameters:
- ctx Pointer to the client context
- size Size of key to generate
- level ML-DSA security level of the key to generate
- inout_key_id Pointer to key ID to use/receive
- flags Flags to control key persistence
- label_len Length of optional label
- label Optional label to associate with key
Return: int Returns 0 on success or a negative error code on failure.
function wh_Client_MlDsaSign
int wh_Client_MlDsaSign(
whClientContext * ctx,
const byte * in,
word32 in_len,
byte * out,
word32 * out_len,
MlDsaKey * key,
const byte * context,
byte contextLen,
word32 preHashType
)
Sign a message using a ML-DSA private key.
Parameters:
- ctx Pointer to the client context structure.
- in Pointer to the message to sign.
- in_len Length of the message in bytes.
- out Buffer to store the signature.
- out_len Pointer to size of output buffer, updated with actual size.
- key Pointer to the ML-DSA key structure.
- context Optional FIPS 204 context string for domain separation, or NULL for no context.
- contextLen Length of the context string (max 255).
- preHashType Hash type for HashML-DSA (e.g. WC_HASH_TYPE_SHA256), or WC_HASH_TYPE_NONE for pure ML-DSA.
Return: int Returns 0 on success, or a negative error code on failure.
This function signs a message using a ML-DSA private key stored in the HSM.
function wh_Client_MlDsaVerify
int wh_Client_MlDsaVerify(
whClientContext * ctx,
const byte * sig,
word32 sig_len,
const byte * msg,
word32 msg_len,
int * res,
MlDsaKey * key,
const byte * context,
byte contextLen,
word32 preHashType
)
Verify a ML-DSA signature.
Parameters:
- ctx Pointer to the client context structure.
- sig Pointer to the signature to verify.
- sig_len Length of the signature in bytes.
- msg Pointer to the original message.
- msg_len Length of the message in bytes.
- res Pointer to store verification result (1=success, 0=failure).
- key Pointer to the ML-DSA key structure.
- context Optional FIPS 204 context string for domain separation, or NULL for no context.
- contextLen Length of the context string (max 255).
- preHashType Hash type for HashML-DSA (e.g. WC_HASH_TYPE_SHA256), or WC_HASH_TYPE_NONE for pure ML-DSA.
Return: int Returns 0 on success, or a negative error code on failure.
This function verifies a ML-DSA signature using the HSM.
function wh_Client_MlDsaCheckPrivKey
int wh_Client_MlDsaCheckPrivKey(
whClientContext * ctx,
MlDsaKey * key,
const byte * pubKey,
word32 pubKeySz
)
Check a ML-DSA private key.
Parameters:
- ctx Pointer to the client context structure.
- key Pointer to the ML-DSA key structure.
- pubKey Pointer to the public key data.
- pubKeySz Size of the public key in bytes.
Return: int Returns 0 on success, or a negative error code on failure.
This function validates a ML-DSA private key against its public key using the HSM.
function wh_Client_MlDsaImportKeyDma
int wh_Client_MlDsaImportKeyDma(
whClientContext * ctx,
MlDsaKey * key,
whKeyId * inout_keyId,
whNvmFlags flags,
uint16_t label_len,
uint8_t * label
)
Import a ML-DSA key using DMA.
Parameters:
- ctx Pointer to the client context structure.
- key Pointer to the ML-DSA key structure representing the key to import.
- inout_keyId Pointer to store/provide the key ID.
- flags NVM flags for key storage.
- label_len Length of the key label in bytes.
- label Pointer to the key label.
Return: int Returns 0 on success, or a negative error code on failure.
This function imports a ML-DSA key into the HSM using DMA.
function wh_Client_MlDsaExportKeyDma
int wh_Client_MlDsaExportKeyDma(
whClientContext * ctx,
whKeyId keyId,
MlDsaKey * key,
uint16_t label_len,
uint8_t * label
)
Export a ML-DSA key using DMA.
Parameters:
- ctx Pointer to the client context structure.
- keyId ID of the key to export.
- key Pointer to the ML-DSA key structure to hold the exported key.
- label_len Length of the key label in bytes.
- label Pointer to the key label.
Return: int Returns 0 on success, or a negative error code on failure.
This function exports a ML-DSA key from the HSM using DMA.
function wh_Client_MlDsaExportPublicKeyDma
int wh_Client_MlDsaExportPublicKeyDma(
whClientContext * ctx,
whKeyId keyId,
MlDsaKey * key,
uint16_t label_len,
uint8_t * label
)
Export only the public part of a cached ML-DSA key using DMA.
Parameters:
- ctx Pointer to the wolfHSM client context.
- keyId Server key ID whose public key should be exported. Must not be WH_KEYID_ERASED.
- key Pointer to a caller-initialized MlDsaKey. On success, only the public half is populated (pubKeySet == 1, prvKeySet == 0).
- label_len Size of the optional label buffer in bytes.
- label Optional buffer to receive the key's label. May be NULL.
Return: int Returns 0 on success, or a negative error code on failure.
DMA counterpart to wh_Client_MlDsaExportPublicKey. The server emits the public-only DER and DMAs it directly into a client-side staging buffer; the wrapper then deserializes it into the caller-provided MlDsaKey.
The NONEXPORTABLE key flag does NOT block this call because public material is non-sensitive. The caller is responsible for initializing key (e.g. wc_MlDsaKey_Init + wc_MlDsaKey_SetParams) prior to calling.
function wh_Client_MlDsaMakeExportKeyDma
int wh_Client_MlDsaMakeExportKeyDma(
whClientContext * ctx,
int level,
MlDsaKey * key
)
Generate a new ML-DSA key pair and export it using DMA.
Parameters:
- ctx Pointer to the client context structure.
- level The ML-DSA security level.
- key Pointer to the ML-DSA key structure to store the key.
Return: int Returns 0 on success, or a negative error code on failure.
This function generates a new ML-DSA key pair in the HSM and exports it using DMA.
function wh_Client_MlDsaSignDma
int wh_Client_MlDsaSignDma(
whClientContext * ctx,
const byte * in,
word32 in_len,
byte * out,
word32 * out_len,
MlDsaKey * key,
const byte * context,
byte contextLen,
word32 preHashType
)
Sign a message using ML-DSA with DMA.
Parameters:
- ctx Pointer to the client context structure.
- in Pointer to the message to sign.
- in_len Length of the message in bytes.
- out Pointer to store the signature.
- out_len On input, size of out buffer. On output, length of signature.
- key Pointer to the ML-DSA key structure.
- context Optional FIPS 204 context string for domain separation, or NULL for no context.
- contextLen Length of the context string (max 255).
- preHashType Hash type for HashML-DSA (e.g. WC_HASH_TYPE_SHA256), or WC_HASH_TYPE_NONE for pure ML-DSA.
Return: int Returns 0 on success, or a negative error code on failure.
This function signs a message using ML-DSA with DMA.
function wh_Client_MlDsaVerifyDma
int wh_Client_MlDsaVerifyDma(
whClientContext * ctx,
const byte * sig,
word32 sig_len,
const byte * msg,
word32 msg_len,
int * res,
MlDsaKey * key,
const byte * context,
byte contextLen,
word32 preHashType
)
Verify a ML-DSA signature with DMA.
Parameters:
- ctx Pointer to the client context structure.
- sig Pointer to the signature to verify.
- sig_len Length of the signature in bytes.
- msg Pointer to the message that was signed.
- msg_len Length of the message in bytes.
- res Result of verification (1 = success, 0 = failure).
- key Pointer to the ML-DSA key structure.
- context Optional FIPS 204 context string for domain separation, or NULL for no context.
- contextLen Length of the context string (max 255).
- preHashType Hash type for HashML-DSA (e.g. WC_HASH_TYPE_SHA256), or WC_HASH_TYPE_NONE for pure ML-DSA.
Return: int Returns 0 on success, or a negative error code on failure.
This function verifies a ML-DSA signature with DMA.
function wh_Client_MlDsaCheckPrivKeyDma
int wh_Client_MlDsaCheckPrivKeyDma(
whClientContext * ctx,
MlDsaKey * key,
const byte * pubKey,
word32 pubKeySz
)
Check a ML-DSA private key against public key with DMA.
Parameters:
- ctx Pointer to the client context structure.
- key Pointer to the ML-DSA private key structure.
- pubKey Pointer to the public key to check against.
- pubKeySz Size of the public key in bytes.
Return: int Returns 0 on success, or a negative error code on failure.
This function checks if a ML-DSA private key matches a public key with DMA.
Source code
/*
* Copyright (C) 2024 wolfSSL Inc.
*
* This file is part of wolfHSM.
*
* wolfHSM is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfHSM is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with wolfHSM. If not, see <http://www.gnu.org/licenses/>.
*/
/*
* wolfhsm/wh_client_crypto.h
*/
#ifndef WOLFHSM_WH_CLIENT_CRYPTO_H_
#define WOLFHSM_WH_CLIENT_CRYPTO_H_
/* Pick up compile-time configuration */
#include "wolfhsm/wh_settings.h"
#ifndef WOLFHSM_CFG_NO_CRYPTO
/* System libraries */
#include <stdint.h>
#include <stdbool.h>
/* Common WolfHSM types and defines shared with the server */
#include "wolfhsm/wh_common.h"
/* Component includes */
#include "wolfhsm/wh_comm.h"
#include "wolfhsm/wh_client.h"
#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/wolfcrypt/types.h"
#include "wolfssl/wolfcrypt/error-crypt.h"
#include "wolfssl/wolfcrypt/wc_port.h"
#include "wolfssl/wolfcrypt/cryptocb.h"
#include "wolfssl/wolfcrypt/aes.h"
#include "wolfssl/wolfcrypt/cmac.h"
#include "wolfssl/wolfcrypt/curve25519.h"
#include "wolfssl/wolfcrypt/rsa.h"
#include "wolfssl/wolfcrypt/ecc.h"
#include "wolfssl/wolfcrypt/ed25519.h"
#include "wolfssl/wolfcrypt/dilithium.h"
#include "wolfssl/wolfcrypt/hmac.h"
int wh_Client_RngGenerate(whClientContext* ctx, uint8_t* out, uint32_t size);
int wh_Client_RngGenerateRequest(whClientContext* ctx, uint32_t size);
int wh_Client_RngGenerateResponse(whClientContext* ctx, uint8_t* out,
uint32_t* inout_size);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_RngGenerateDma(whClientContext* ctx, uint8_t* out, uint32_t size);
int wh_Client_RngGenerateDmaRequest(whClientContext* ctx, uint8_t* out,
uint32_t size);
int wh_Client_RngGenerateDmaResponse(whClientContext* ctx);
#endif /* WOLFHSM_CFG_DMA */
#ifdef HAVE_CURVE25519
int wh_Client_Curve25519SetKeyId(curve25519_key* key, whKeyId keyId);
int wh_Client_Curve25519GetKeyId(curve25519_key* key, whKeyId* outId);
int wh_Client_Curve25519ImportKey(whClientContext* ctx, curve25519_key* key,
whKeyId *inout_keyId, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_Curve25519ExportKey(whClientContext* ctx, whKeyId keyId,
curve25519_key* key, uint16_t label_len, uint8_t* label);
int wh_Client_Curve25519ExportPublicKey(whClientContext* ctx, whKeyId keyId,
curve25519_key* key, uint16_t label_len, uint8_t* label);
int wh_Client_Curve25519MakeCacheKey(whClientContext* ctx,
uint16_t size,
whKeyId *inout_key_id, whNvmFlags flags,
const uint8_t* label, uint16_t label_len);
int wh_Client_Curve25519MakeExportKey(whClientContext* ctx,
uint16_t size, curve25519_key* key);
int wh_Client_Curve25519SharedSecret(whClientContext* ctx,
curve25519_key* priv_key, curve25519_key* pub_key,
int endian, uint8_t* out, uint16_t *out_size);
#endif /* HAVE_CURVE25519 */
#ifdef HAVE_ECC
int wh_Client_EccSetKeyId(ecc_key* key, whKeyId keyId);
int wh_Client_EccGetKeyId(ecc_key* key, whKeyId* outId);
int wh_Client_EccImportKey(whClientContext* ctx, ecc_key* key,
whKeyId *inout_keyId, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_EccExportKey(whClientContext* ctx, whKeyId keyId,
ecc_key* key,
uint16_t label_len, uint8_t* label);
int wh_Client_EccExportPublicKey(whClientContext* ctx, whKeyId keyId,
ecc_key* key, uint16_t label_len, uint8_t* label);
int wh_Client_EccMakeExportKey(whClientContext* ctx,
int size, int curveId, ecc_key* key);
int wh_Client_EccMakeCacheKey(whClientContext* ctx,
int size, int curveId,
whKeyId *inout_key_id, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_EccSharedSecret(whClientContext* ctx, ecc_key* priv_key,
ecc_key* pub_key, uint8_t* out,
uint16_t* inout_size);
int wh_Client_EccSign(whClientContext* ctx,
ecc_key* key,
const uint8_t* hash, uint16_t hash_len,
uint8_t* sig, uint16_t *inout_sig_len);
int wh_Client_EccVerify(whClientContext* ctx, ecc_key* key,
const uint8_t* sig, uint16_t sig_len,
const uint8_t* hash, uint16_t hash_len,
int *out_res);
int wh_Client_EccSignRequest(whClientContext* ctx, whKeyId keyId,
const uint8_t* hash, uint16_t hash_len);
int wh_Client_EccSignResponse(whClientContext* ctx, uint8_t* sig,
uint16_t* inout_sig_len);
int wh_Client_EccVerifyRequest(whClientContext* ctx, whKeyId keyId,
const uint8_t* sig, uint16_t sig_len,
const uint8_t* hash, uint16_t hash_len);
int wh_Client_EccVerifyResponse(whClientContext* ctx, ecc_key* opt_key,
int* out_res);
int wh_Client_EccSharedSecretRequest(whClientContext* ctx, whKeyId prv_key_id,
whKeyId pub_key_id);
int wh_Client_EccSharedSecretResponse(whClientContext* ctx, uint8_t* out,
uint16_t* inout_size);
int wh_Client_EccMakeCacheKeyRequest(whClientContext* ctx, int size,
int curveId, whKeyId key_id,
whNvmFlags flags, uint16_t label_len,
uint8_t* label);
int wh_Client_EccMakeCacheKeyResponse(whClientContext* ctx,
whKeyId* out_key_id);
int wh_Client_EccMakeExportKeyRequest(whClientContext* ctx, int size,
int curveId);
int wh_Client_EccMakeExportKeyResponse(whClientContext* ctx, ecc_key* key);
#endif /* HAVE_ECC */
#ifdef HAVE_ED25519
int wh_Client_Ed25519SetKeyId(ed25519_key* key, whKeyId keyId);
int wh_Client_Ed25519GetKeyId(ed25519_key* key, whKeyId* outId);
int wh_Client_Ed25519ImportKey(whClientContext* ctx, ed25519_key* key,
whKeyId* inout_keyId, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_Ed25519ExportKey(whClientContext* ctx, whKeyId keyId,
ed25519_key* key, uint16_t label_len,
uint8_t* label);
int wh_Client_Ed25519ExportPublicKey(whClientContext* ctx, whKeyId keyId,
ed25519_key* key, uint16_t label_len,
uint8_t* label);
int wh_Client_Ed25519MakeExportKey(whClientContext* ctx, ed25519_key* key);
int wh_Client_Ed25519MakeCacheKey(whClientContext* ctx, whKeyId* inout_key_id,
whNvmFlags flags, uint16_t label_len,
uint8_t* label);
int wh_Client_Ed25519Sign(whClientContext* ctx, ed25519_key* key,
const uint8_t* msg, uint32_t msgLen, uint8_t type,
const uint8_t* context, uint32_t contextLen,
uint8_t* sig, uint32_t* inout_sig_len);
int wh_Client_Ed25519Verify(whClientContext* ctx, ed25519_key* key,
const uint8_t* sig, uint32_t sigLen,
const uint8_t* msg, uint32_t msgLen, uint8_t type,
const uint8_t* context, uint32_t contextLen,
int* out_res);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_Ed25519SignDma(whClientContext* ctx, ed25519_key* key,
const uint8_t* msg, uint32_t msgLen, uint8_t type,
const uint8_t* context, uint32_t contextLen,
uint8_t* sig, uint32_t* inout_sig_len);
int wh_Client_Ed25519VerifyDma(whClientContext* ctx, ed25519_key* key,
const uint8_t* sig, uint32_t sigLen,
const uint8_t* msg, uint32_t msgLen,
uint8_t type, const uint8_t* context,
uint32_t contextLen, int* out_res);
#endif /* WOLFHSM_CFG_DMA */
#endif /* HAVE_ED25519 */
#ifndef NO_RSA
int wh_Client_RsaSetKeyId(RsaKey* key, whNvmId keyId);
int wh_Client_RsaGetKeyId(RsaKey* key, whNvmId* outId);
int wh_Client_RsaImportKey(whClientContext* ctx, const RsaKey* key,
whKeyId *inout_keyId, whNvmFlags flags,
uint32_t label_len, uint8_t* label);
int wh_Client_RsaExportKey(whClientContext* ctx, whKeyId keyId,
RsaKey* key, uint32_t label_len, uint8_t* label);
int wh_Client_RsaExportPublicKey(whClientContext* ctx, whKeyId keyId,
RsaKey* key, uint32_t label_len, uint8_t* label);
/* Generate an RSA key on the server and export it inta an RSA struct */
int wh_Client_RsaMakeExportKey(whClientContext* ctx,
uint32_t size, uint32_t e, RsaKey* rsa);
/* Generate an RSA key on the server and put it in the server keycache */
int wh_Client_RsaMakeCacheKey(whClientContext* ctx,
uint32_t size, uint32_t e,
whKeyId* inout_key_id, whNvmFlags flags,
uint32_t label_len, uint8_t* label);
/* TODO: Request server to perform the RSA function */
int wh_Client_RsaFunction(whClientContext* ctx,
RsaKey* key, int rsa_type,
const uint8_t* in, uint16_t in_len,
uint8_t* out, uint16_t *inout_out_len);
/* TODO: Request server to get the RSA size */
int wh_Client_RsaGetSize(whClientContext* ctx,
const RsaKey* key, int* out_size);
#endif /* !NO_RSA */
#ifdef HAVE_HKDF
int wh_Client_HkdfMakeCacheKey(whClientContext* ctx, int hashType,
whKeyId keyIdIn, const uint8_t* inKey,
uint32_t inKeySz, const uint8_t* salt,
uint32_t saltSz, const uint8_t* info,
uint32_t infoSz, whKeyId* inout_key_id,
whNvmFlags flags, const uint8_t* label,
uint32_t label_len, uint32_t outSz);
int wh_Client_HkdfMakeExportKey(whClientContext* ctx, int hashType,
whKeyId keyIdIn, const uint8_t* inKey,
uint32_t inKeySz, const uint8_t* salt,
uint32_t saltSz, const uint8_t* info,
uint32_t infoSz, uint8_t* out, uint32_t outSz);
#endif /* HAVE_HKDF */
#ifdef HAVE_CMAC_KDF
int wh_Client_CmacKdfMakeCacheKey(whClientContext* ctx, whKeyId saltKeyId,
const uint8_t* salt, uint32_t saltSz,
whKeyId zKeyId, const uint8_t* z,
uint32_t zSz, const uint8_t* fixedInfo,
uint32_t fixedInfoSz, whKeyId* inout_key_id,
whNvmFlags flags, const uint8_t* label,
uint32_t label_len, uint32_t outSz);
int wh_Client_CmacKdfMakeExportKey(whClientContext* ctx, whKeyId saltKeyId,
const uint8_t* salt, uint32_t saltSz,
whKeyId zKeyId, const uint8_t* z,
uint32_t zSz, const uint8_t* fixedInfo,
uint32_t fixedInfoSz, uint8_t* out,
uint32_t outSz);
#endif /* HAVE_CMAC_KDF */
#ifndef NO_AES
int wh_Client_AesSetKeyId(Aes* key, whNvmId keyId);
int wh_Client_AesGetKeyId(Aes* key, whNvmId* outId);
#ifdef WOLFSSL_AES_COUNTER
int wh_Client_AesCtr(whClientContext* ctx, Aes* aes, int enc, const uint8_t* in,
uint32_t len, uint8_t* out);
int wh_Client_AesCtrDma(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out);
int wh_Client_AesCtrRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len);
int wh_Client_AesCtrResponse(whClientContext* ctx, Aes* aes, uint8_t* out,
uint32_t* out_size);
int wh_Client_AesCtrDmaRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out);
int wh_Client_AesCtrDmaResponse(whClientContext* ctx, Aes* aes);
#endif /* WOLFSSL_AES_COUNTER */
#ifdef HAVE_AES_ECB
int wh_Client_AesEcb(whClientContext* ctx, Aes* aes, int enc, const uint8_t* in,
uint32_t len, uint8_t* out);
int wh_Client_AesEcbDma(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out);
int wh_Client_AesEcbRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len);
int wh_Client_AesEcbResponse(whClientContext* ctx, Aes* aes, uint8_t* out,
uint32_t* out_size);
int wh_Client_AesEcbDmaRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out);
int wh_Client_AesEcbDmaResponse(whClientContext* ctx, Aes* aes);
#endif /* HAVE_AES_ECB */
#ifdef HAVE_AES_CBC
int wh_Client_AesCbc(whClientContext* ctx,
Aes* aes, int enc,
const uint8_t* in, uint32_t len,
uint8_t* out);
int wh_Client_AesCbcDma(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out);
int wh_Client_AesCbcRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len);
int wh_Client_AesCbcResponse(whClientContext* ctx, Aes* aes, uint8_t* out,
uint32_t* out_size);
int wh_Client_AesCbcDmaRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out);
int wh_Client_AesCbcDmaResponse(whClientContext* ctx, Aes* aes);
#endif /* HAVE_AES_CBC */
#ifdef HAVE_AESGCM
int wh_Client_AesGcm(whClientContext* ctx,
Aes* aes, int enc,
const uint8_t* in, uint32_t len,
const uint8_t* iv, uint32_t iv_len,
const uint8_t* authin, uint32_t authin_len,
const uint8_t* dec_tag, uint8_t* enc_tag, uint32_t tag_len,
uint8_t* out);
int wh_Client_AesGcmDma(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, const uint8_t* iv,
uint32_t iv_len, const uint8_t* authin,
uint32_t authin_len, const uint8_t* dec_tag,
uint8_t* enc_tag, uint32_t tag_len, uint8_t* out);
int wh_Client_AesGcmRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, const uint8_t* iv,
uint32_t iv_len, const uint8_t* authin,
uint32_t authin_len, const uint8_t* dec_tag,
uint32_t tag_len);
int wh_Client_AesGcmResponse(whClientContext* ctx, Aes* aes, uint8_t* out,
uint32_t out_capacity, uint32_t* out_size,
uint8_t* enc_tag, uint32_t tag_len);
int wh_Client_AesGcmDmaRequest(whClientContext* ctx, Aes* aes, int enc,
const uint8_t* in, uint32_t len, uint8_t* out,
const uint8_t* iv, uint32_t iv_len,
const uint8_t* authin, uint32_t authin_len,
const uint8_t* dec_tag, uint32_t tag_len);
int wh_Client_AesGcmDmaResponse(whClientContext* ctx, Aes* aes,
uint8_t* enc_tag, uint32_t tag_len);
#endif /* HAVE_AESGCM */
#endif /* !NO_AES */
#ifdef WOLFSSL_CMAC
int wh_Client_Cmac(whClientContext* ctx, Cmac* cmac, CmacType type,
const uint8_t* key, uint32_t keyLen, const uint8_t* in,
uint32_t inLen, uint8_t* outMac, uint32_t* outMacLen);
int wh_Client_CmacSetKeyId(Cmac* key, whNvmId keyId);
int wh_Client_CmacGetKeyId(Cmac* key, whNvmId* outId);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_CmacDma(whClientContext* ctx, Cmac* cmac, CmacType type,
const uint8_t* key, uint32_t keyLen, const uint8_t* in,
uint32_t inLen, uint8_t* outMac, uint32_t* outMacLen);
#endif /* WOLFHSM_CFG_DMA */
#endif /* WOLFSSL_CMAC */
#ifndef NO_SHA256
int wh_Client_Sha256(whClientContext* ctx, wc_Sha256* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
int wh_Client_Sha256UpdateRequest(whClientContext* ctx, wc_Sha256* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha256UpdateResponse(whClientContext* ctx, wc_Sha256* sha);
int wh_Client_Sha256FinalRequest(whClientContext* ctx, wc_Sha256* sha);
int wh_Client_Sha256FinalResponse(whClientContext* ctx, wc_Sha256* sha,
uint8_t* out);
int wh_Client_Sha256Dma(whClientContext* ctx, wc_Sha256* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_Sha256DmaUpdateRequest(whClientContext* ctx, wc_Sha256* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha256DmaUpdateResponse(whClientContext* ctx, wc_Sha256* sha);
int wh_Client_Sha256DmaFinalRequest(whClientContext* ctx, wc_Sha256* sha);
int wh_Client_Sha256DmaFinalResponse(whClientContext* ctx, wc_Sha256* sha,
uint8_t* out);
#endif /* WOLFHSM_CFG_DMA */
#endif /* !NO_SHA256 */
#if defined(WOLFSSL_SHA224)
int wh_Client_Sha224(whClientContext* ctx, wc_Sha224* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
int wh_Client_Sha224UpdateRequest(whClientContext* ctx, wc_Sha224* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha224UpdateResponse(whClientContext* ctx, wc_Sha224* sha);
int wh_Client_Sha224FinalRequest(whClientContext* ctx, wc_Sha224* sha);
int wh_Client_Sha224FinalResponse(whClientContext* ctx, wc_Sha224* sha,
uint8_t* out);
int wh_Client_Sha224Dma(whClientContext* ctx, wc_Sha224* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_Sha224DmaUpdateRequest(whClientContext* ctx, wc_Sha224* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha224DmaUpdateResponse(whClientContext* ctx, wc_Sha224* sha);
int wh_Client_Sha224DmaFinalRequest(whClientContext* ctx, wc_Sha224* sha);
int wh_Client_Sha224DmaFinalResponse(whClientContext* ctx, wc_Sha224* sha,
uint8_t* out);
#endif /* WOLFHSM_CFG_DMA */
#endif /* WOLFSSL_SHA224 */
#if defined(WOLFSSL_SHA384)
int wh_Client_Sha384(whClientContext* ctx, wc_Sha384* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
int wh_Client_Sha384UpdateRequest(whClientContext* ctx, wc_Sha384* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha384UpdateResponse(whClientContext* ctx, wc_Sha384* sha);
int wh_Client_Sha384FinalRequest(whClientContext* ctx, wc_Sha384* sha);
int wh_Client_Sha384FinalResponse(whClientContext* ctx, wc_Sha384* sha,
uint8_t* out);
int wh_Client_Sha384Dma(whClientContext* ctx, wc_Sha384* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_Sha384DmaUpdateRequest(whClientContext* ctx, wc_Sha384* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha384DmaUpdateResponse(whClientContext* ctx, wc_Sha384* sha);
int wh_Client_Sha384DmaFinalRequest(whClientContext* ctx, wc_Sha384* sha);
int wh_Client_Sha384DmaFinalResponse(whClientContext* ctx, wc_Sha384* sha,
uint8_t* out);
#endif /* WOLFHSM_CFG_DMA */
#endif /* WOLFSSL_SHA384 */
#if defined(WOLFSSL_SHA512)
int wh_Client_Sha512(whClientContext* ctx, wc_Sha512* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
int wh_Client_Sha512UpdateRequest(whClientContext* ctx, wc_Sha512* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha512UpdateResponse(whClientContext* ctx, wc_Sha512* sha);
int wh_Client_Sha512FinalRequest(whClientContext* ctx, wc_Sha512* sha);
int wh_Client_Sha512FinalResponse(whClientContext* ctx, wc_Sha512* sha,
uint8_t* out);
int wh_Client_Sha512Dma(whClientContext* ctx, wc_Sha512* sha, const uint8_t* in,
uint32_t inLen, uint8_t* out);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_Sha512DmaUpdateRequest(whClientContext* ctx, wc_Sha512* sha,
const uint8_t* in, uint32_t inLen,
bool* requestSent);
int wh_Client_Sha512DmaUpdateResponse(whClientContext* ctx, wc_Sha512* sha);
int wh_Client_Sha512DmaFinalRequest(whClientContext* ctx, wc_Sha512* sha);
int wh_Client_Sha512DmaFinalResponse(whClientContext* ctx, wc_Sha512* sha,
uint8_t* out);
#endif /* WOLFHSM_CFG_DMA */
#endif /* WOLFSSL_SHA512 */
#ifdef HAVE_DILITHIUM
int wh_Client_MlDsaSetKeyId(MlDsaKey* key, whKeyId keyId);
int wh_Client_MlDsaGetKeyId(MlDsaKey* key, whKeyId* outId);
int wh_Client_MlDsaImportKey(whClientContext* ctx, MlDsaKey* key,
whKeyId* inout_keyId, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_MlDsaExportKey(whClientContext* ctx, whKeyId keyId, MlDsaKey* key,
uint16_t label_len, uint8_t* label);
int wh_Client_MlDsaExportPublicKey(whClientContext* ctx, whKeyId keyId,
MlDsaKey* key, uint16_t label_len,
uint8_t* label);
int wh_Client_MlDsaMakeExportKey(whClientContext* ctx, int level, int size,
MlDsaKey* key);
int wh_Client_MlDsaMakeCacheKey(whClientContext* ctx, int size, int level,
whKeyId* inout_key_id, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_MlDsaSign(whClientContext* ctx, const byte* in, word32 in_len,
byte* out, word32* out_len, MlDsaKey* key,
const byte* context, byte contextLen,
word32 preHashType);
int wh_Client_MlDsaVerify(whClientContext* ctx, const byte* sig,
word32 sig_len, const byte* msg, word32 msg_len,
int* res, MlDsaKey* key, const byte* context,
byte contextLen, word32 preHashType);
int wh_Client_MlDsaCheckPrivKey(whClientContext* ctx, MlDsaKey* key,
const byte* pubKey, word32 pubKeySz);
#ifdef WOLFHSM_CFG_DMA
int wh_Client_MlDsaImportKeyDma(whClientContext* ctx, MlDsaKey* key,
whKeyId* inout_keyId, whNvmFlags flags,
uint16_t label_len, uint8_t* label);
int wh_Client_MlDsaExportKeyDma(whClientContext* ctx, whKeyId keyId,
MlDsaKey* key, uint16_t label_len,
uint8_t* label);
int wh_Client_MlDsaExportPublicKeyDma(whClientContext* ctx, whKeyId keyId,
MlDsaKey* key, uint16_t label_len,
uint8_t* label);
int wh_Client_MlDsaMakeExportKeyDma(whClientContext* ctx, int level,
MlDsaKey* key);
int wh_Client_MlDsaSignDma(whClientContext* ctx, const byte* in,
word32 in_len, byte* out, word32* out_len,
MlDsaKey* key, const byte* context,
byte contextLen, word32 preHashType);
int wh_Client_MlDsaVerifyDma(whClientContext* ctx, const byte* sig,
word32 sig_len, const byte* msg,
word32 msg_len, int* res, MlDsaKey* key,
const byte* context, byte contextLen,
word32 preHashType);
int wh_Client_MlDsaCheckPrivKeyDma(whClientContext* ctx, MlDsaKey* key,
const byte* pubKey, word32 pubKeySz);
#endif /* WOLFHSM_CFG_DMA */
#endif /* HAVE_DILITHIUM */
#endif /* !WOLFHSM_CFG_NO_CRYPTO */
#endif /* !WOLFHSM_WH_CLIENT_CRYPTO_H_ */
Updated on 2026-05-21 at 03:59:05 +0000