Add SHE (Secure Hardware Extension) support to wolfCrypt

[night1rider]

Implements software-only SHE CMD_LOAD_KEY message generation (M1/M2/M3)
and verification message computation (M4/M5) with optional crypto
callback support for hardware offload.

New files:

• wolfssl/wolfcrypt/she.h: API declarations, constants, wc_SHE context
• wolfcrypt/src/she.c: Miyaguchi-Preneel KDF, message generation,
  verification computation, and crypto callback integration
• tests/api/test_she.c/h: API tests with 97% line / 100% function coverage

API:

• wc_SHE_Init/Free, Init_Id, Init_Label (lifecycle)
• wc_SHE_GenerateM1M2M3 (generate M1/M2/M3 to caller buffers, callback optional)
• wc_SHE_GenerateM4M5 (generate M4/M5 to caller buffers, independent of
  M1/M2/M3, callback optional)
• wc_SHE_ImportM1M2M3 (import external M1/M2/M3 into context)
• wc_SHE_GetUID (callback required, fetches UID from hardware)
• wc_SHE_GetCounter (callback required, reads monotonic counter from hardware)
• wc_SHE_ExportKey (callback required, exports key slot as M1-M5 from hardware)
• wc_SHE_SetKdfConstants (callback optional, WOLFSSL_SHE_EXTENDED only)
• wc_SHE_SetM2Header (callback optional, WOLFSSL_SHE_EXTENDED only)
• wc_SHE_SetM4Header (callback optional, WOLFSSL_SHE_EXTENDED only)
• No key material stored in the context; all inputs passed at generation time

Crypto callback integration:

• WC_ALGO_TYPE_SHE added to wc_AlgoType enum
• Callback sub-types: WC_SHE_SET_UID, WC_SHE_GET_COUNTER,
  WC_SHE_GENERATE_M1M2M3, WC_SHE_GENERATE_M4M5, WC_SHE_EXPORT_KEY
• Per-operation structs in wc_CryptoInfo union with full parameter passthrough
• Dispatch functions in cryptocb.c
• Optional features: NO_WC_SHE_GETUID, NO_WC_SHE_GETCOUNTER,
  NO_WC_SHE_EXPORTKEY, NO_WC_SHE_IMPORT_M123

Build system:

• configure.ac: --enable-she=standard|extended
• CMakeLists.txt: WOLFSSL_SHE standard|extended|no
• src/include.am: she.c compilation
• .github/workflows/os-check.yml: CI configs for standard, extended,
  and NO_* disable flag combinations

Ported from wolfHSM wh_she_crypto.c.

[bigbrett]

Absolutely fantastic work @night1rider. A few issues to address but overall looks great.

[bigbrett]

?

[night1rider]

This was a copy paste mistake I introduced, removed.

[bigbrett]

I'm wondering if she.{c,h} is bound to cause some annoying conflicts in automotive codebases and vendor libs. Perhaps we could namespace it to wc_she.{c,h} just to get ahead of that?

[night1rider]

This makes sense since we already have files following this convention (wc_encrypt, wc_lms, wc_mlkem, wc_port, etc.) there's no issue doing it now. Names should be updated now

[bigbrett]

I think it is a little confusing to mention the "Callback optional" field here, since the dispatch to cryptoCb is internal and not exposed in this module. For example, we don't say "Callback optional" in our AES API.

Same comment for other functions in this file

[night1rider]

I wanted to mention usefulness of the callbacks somewhere, especially for generating M1/M2/M3 or M4/M5 when they need to access a secure element/hardware. This can be covered in the source comments and docs instead of the public header. I removed the callback language from all five API comments in wc_she.h.

[bigbrett]

make sure to update the out-of-tree doxygen with your lovely API comments too, so it renders in the website docs!

[night1rider]

I will link a PR shortly with the doc update in the main body of the pr description

[bigbrett]

All the other APIs use wc_SHE but this has wc_She. Unify for consistency

[night1rider]

I overlooked this due to it being an internal function, updated the name.

[bigbrett]

shouldn't this be "get" UID based on calling function? Though the crypto callbacks do only have a set function. What is the intent here?

[night1rider]

This was overlooked. Renamed wc_CryptoCb_SheSetUid to wc_CryptoCb_SheGetUid, WC_SHE_SET_UID to WC_SHE_GET_UID, and the union field setUid to getUid in cryptocb.h and cryptocb.c. The intent is to allow someone to use the same API after implementing the callback across different platforms. This is the same intent for GetCounter as well.

[bigbrett]

Same comment here - I wonder if a default software impl with dumb global counter would be worthwhile just to enable testing? Could have a build macro enabling this to prevent inclusion in production builds maybe?

[night1rider]

Addressed in my previous comment regarding the "default global "wolfCrypt" UID".

[bigbrett]

I'm confused, can you set the UID? Shouldn't this be "get" UID? Same comment is made in she.c.

Are we setting ID in local wolfCrypt struct or are we getting it from HW?

[night1rider]

I just overlooked this, addressed. We are getting the UID from hardware and some hardware supports a challenge to get the UID to prove that the hardware is real, hence the void context parameter. This is just an API to get the UID to then pass to the generate API calls. There is no setting the UID in the structure. The struct is now very basic and holds only M1/M2/M3 if they are imported and the import function is on, plus devId for callbacks, KDF constants, etc.

[bigbrett]

Need to reset ret=0 in fallback case for good measure

[night1rider]

Updated, overlooked this.

[bigbrett]

Ever a case where we want to ForceZero here?

[night1rider]

We already have a ForceZero on the fall-through path. The person who implements their callback should be allowed to control how free works. If they want our software cleanup, they can clean up what they want and then return CRYPTOCB_UNAVAILABLE to continue to the ForceZero. If they handle everything themselves, they return success and we skip it and the callback implementer assumes the responsibility.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10009

Scan targets checked: wolfcrypt-bugs, wolfcrypt-src
Findings: 1

Low (1)

Missing NULL check on id parameter in wc_SHE_Init_Id

File: wolfcrypt/src/she.c:155-157
Function: wc_SHE_Init_Id
Category: NULL pointer dereference

The function wc_SHE_Init_Id validates she == NULL and checks that len is within bounds (0 to WC_SHE_MAX_ID_LEN), but does not check whether id is NULL before calling XMEMCPY(she->id, id, (size_t)len). If a caller passes id = NULL with len > 0, this results in a NULL pointer dereference. By contrast, the sibling function wc_SHE_Init_Label correctly validates label == NULL before use. The impact is limited because this requires caller misuse and would crash immediately (no memory corruption beyond the dereference), but it is inconsistent with the defensive validation pattern used throughout the rest of the SHE API.

if (len < 0 || len > WC_SHE_MAX_ID_LEN) {
        return BUFFER_E;
    }

    XMEMCPY(she->id, id, (size_t)len);

Recommendation: Add a NULL check for id when len > 0, consistent with the pattern in wc_SHE_Init_Label: if (id == NULL && len > 0) { return BAD_FUNC_ARG; } or simply if (id == NULL) { return BAD_FUNC_ARG; } before the length check.

---

This review was generated automatically by Fenrir. Findings are non-blocking.

[night1rider]

Rebased off current master