wolfCrypt adds support for cryptographic callbacks that can be registered for replacing stock software calls with your own custom implementations. The goal is to make adding hardware cryptographic support easier.
Currently supported crypto callbacks:
- RNG and RNG Seed
- ECC (key gen, sign/verify and shared secret)
- RSA (key gen, sign/verify, encrypt/decrypt)
- AES CBC and GCM
- SHA1 and SHA256
- HMAC
This feature is enabled using “–enable-cryptocb” or “#define WOLF_CRYPTO_CB”.
To register a cryptographic callback function use the “wc_CryptoCb_RegisterDevice” API. This takes a unique device ID (devId), callback function and optional user context.
typedef int (*CryptoDevCallbackFunc)(int devId, wc_CryptoInfo* info, void* ctx);
WOLFSSL_API int wc_CryptoCb_RegisterDevice(
int devId,
CryptoDevCallbackFunc cb,
void* ctx);
To enable use of the crypto callbacks you must supply the “devId” arguments on initialization.
For TLS use:
- wolfSSL_CTX_SetDevId(ctx, devId);
- wolfSSL_SetDevId(ssl, devId);
For wolfCrypt API’s use the init functions that accept “devId” such as:
- wc_InitRsaKey_ex
- wc_ecc_init_ex
- wc_AesInit
- wc_InitSha256_ex
- wc_InitSha_ex
- wc_HmacInit
Examples:
- STSAFE-A100 ECC Crypto Callbacks: https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/port/st/stsafe.c#L330
- TPM 2.0 wolfTPM Crypto Callbacks: https://github.com/wolfSSL/wolfTPM/blob/master/src/tpm2_wrap.c#L2937
- Generic wolfCrypt tests: https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/test/test.c#L24304
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.