wolfSSL
diff --git a/‎.wolfssl_known_macro_extras‎
Lines changed: 3 additions & 0 deletions b/‎.wolfssl_known_macro_extras‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎wolfcrypt/src/ecc.c‎
Lines changed: 178 additions & 5 deletions b/‎wolfcrypt/src/ecc.c‎
Lines changed: 178 additions & 5 deletions
diff --git a/‎wolfcrypt/src/port/st/README.md‎
Lines changed: 53 additions & 1 deletion b/‎wolfcrypt/src/port/st/README.md‎
Lines changed: 53 additions & 1 deletion
@@ -520,13 +520,15 @@ QAT_ENABLE_RNG
 QAT_USE_POLLING_CHECK
 RCC_AHB1ENR_PKAEN
 RCC_AHB2ENR1_AESEN
+RCC_AHB2ENR1_CCBEN
 RCC_AHB2ENR1_HASHEN
 RCC_AHB2ENR1_PKAEN
 RCC_AHB2ENR1_SAESEN
 RCC_AHB2ENR_AESEN
 RCC_AHB2ENR_HASHEN
 RCC_AHB2ENR_PKAEN
 RCC_AHB2ENR_SAESEN
+RCC_AHB2RSTR1_CCBRST
 RCC_AHB2RSTR_PKARST
 RCC_AHB3ENR_AESEN
 RCC_AHB3ENR_CRYPEN
@@ -985,6 +987,7 @@ WOLFSSL_STM32C5
 WOLFSSL_STM32F3
 WOLFSSL_STM32F427_RNG
 WOLFSSL_STM32U0
+WOLFSSL_STM32_CCB
 WOLFSSL_STM32_DHUK_UNWRAP
 WOLFSSL_STM32_USE_SAES
 WOLFSSL_STRONGEST_HASH_SIG
 
@@ -246,7 +246,9 @@ ECC Curve Sizes:
     #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
 #endif
 
-#if defined(WOLFSSL_STM32_PKA)
+#if defined(WOLFSSL_STM32_PKA) || defined(WOLFSSL_STM32_CCB)
+    /* CCB without PKA still needs stm32.h so its consistency #errors (e.g. CCB
+     * requires DHUK + BARE/CUBEMX) are visible to this translation unit. */
     #include <wolfssl/wolfcrypt/port/st/stm32.h>
 #endif
 
@@ -280,8 +282,15 @@ ECC Curve Sizes:
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
     !defined(WOLFSSL_KCAPI_ECC) && !defined(WOLFSSL_SE050) && \
     !defined(WOLFSSL_XILINX_CRYPT_VERSAL) && \
-    !defined(WOLFSSL_STM32_PKA) && \
+    (!defined(WOLFSSL_STM32_PKA) || defined(WC_STM32_PKA_SIGN_ONLY)) && \
     !defined(WOLFSSL_PSOC6_CRYPTO)
+    /* STM32 sign-only (e.g. C5): the HW PKA cannot run the integrated ECDSA
+     * verify (mode 0x26) correctly, so use the SW verify helper rather than the
+     * HW-accelerator sigRS path. Note the helper's scalar multiplications still
+     * run on the HW PKA generic-mul (stm32.c provides wc_ecc_mulmod_ex under
+     * !WC_STM32_PKA_VERIFY_ONLY) -- the C5 issue is specifically the verify-mode
+     * wrapper, not the point math, which is exercised and correct (the lead for
+     * a future real HW verify). */
     #undef  HAVE_ECC_VERIFY_HELPER
     #define HAVE_ECC_VERIFY_HELPER
 #endif
@@ -7106,6 +7115,11 @@ int wc_ecc_import_wrapped_private(ecc_key* key, const byte* seed, word32 seedSz,
     key->dhuk_wrapped_priv_len = wrappedLen;
     key->dhuk_plain_priv_len   = plainLen;
     key->dhuk_seed_sz          = seedSz;
+#ifdef WOLFSSL_STM32_CCB
+    /* This is a DHUK seed-wrapped (non-CCB) scalar; clear any CCB blob
+     * routing left from a prior import so signing uses the DHUK path. */
+    key->dhuk_is_ccb = 0;
+#endif
     return 0;
 }
 #endif /* WOLFSSL_DHUK && WOLFSSL_STM32_BARE && WC_STM32_HAS_DHUK */
@@ -8099,6 +8113,163 @@ int wc_ecc_sign_set_k(const byte* k, word32 klen, ecc_key* key)
 #endif /* WOLFSSL_ECDSA_SET_K || WOLFSSL_ECDSA_SET_K_ONE_LOOP */
 #endif /* WOLFSSL_ATECC508A && WOLFSSL_CRYPTOCELL */
 
+/* Guard must match the ecc.h prototype and the ccb_ / dhuk_ ecc_key struct
+ * members (both WOLFSSL_DHUK && WOLFSSL_STM32_CCB) -- the implementation must
+ * not be broader than the members it dereferences. */
+#if defined(WOLFSSL_DHUK) && defined(WOLFSSL_STM32_CCB)
+/* Load a previously provisioned device-protected ECDSA blob (wrapped scalar +
+ * AES-GCM iv/tag) and its public key onto the ecc_key. Sets the curve so the
+ * sign path can derive the parameters, and marks the key for the device
+ * crypto-callback. The caller enables the device with
+ * wc_ecc_init_ex(&key, heap, WC_DHUK_DEVID). Generic name -- the wrapping is
+ * the STM32 CCB, but the surface is not CCB-specific. */
+int wc_ecc_import_wrapped_private_ex(ecc_key* key, int curve_id,
+                           const byte* wrapped, word32 wrappedLen,
+                           const byte* iv, word32 ivLen,
+                           const byte* tag, word32 tagLen,
+                           const byte* pub, word32 pubLen)
+{
+    int modSz;
+    int ret;
+
+    if (key == NULL || wrapped == NULL || iv == NULL || tag == NULL ||
+        pub == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    /* Fixed 16-byte AES-GCM iv/tag -- validate explicitly (no over-read). */
+    if (ivLen != sizeof(key->ccb_iv) || tagLen != sizeof(key->ccb_tag)) {
+        return BAD_FUNC_ARG;
+    }
+    modSz = wc_ecc_get_curve_size_from_id(curve_id);
+    if (modSz <= 0) {
+        return BAD_FUNC_ARG;
+    }
+    if (wrappedLen == 0u || wrappedLen > sizeof(key->dhuk_wrapped_priv)) {
+        return BAD_FUNC_ARG;
+    }
+    if (pubLen != (word32)(2 * modSz)) {
+        return BAD_FUNC_ARG;
+    }
+    /* Import public key (qx||qy) + set the curve (key->dp). */
+    ret = wc_ecc_import_unsigned(key, pub, pub + modSz, NULL, curve_id);
+    if (ret != 0) {
+        return ret;
+    }
+    XMEMCPY(key->dhuk_wrapped_priv, wrapped, wrappedLen);
+    key->dhuk_wrapped_priv_len = wrappedLen;
+    XMEMCPY(key->ccb_iv,  iv,  sizeof(key->ccb_iv));
+    XMEMCPY(key->ccb_tag, tag, sizeof(key->ccb_tag));
+    key->dhuk_is_ccb = 1;
+    /* Clear any DHUK seed-import state left from a prior import; the CCB
+     * path keys off the wrapped blob + iv/tag, not the seed. */
+    ForceZero(key->dhuk_seed, sizeof(key->dhuk_seed));
+    key->dhuk_seed_sz        = 0;
+    key->dhuk_plain_priv_len = 0;
+    return 0;
+}
+
+/* Crypto-callback keygen handler (WC_PK_TYPE_EC_KEYGEN). Provisions a fresh
+ * device-protected key: generate a scalar, have the CCB wrap it into a
+ * device-bound blob and derive its public key, and store both on the ecc_key
+ * (the scalar is zeroized and never leaves this call / the hardware). The
+ * scalar is generated in software with the supplied rng on a throwaway key with
+ * no devId (so no callback recursion). Returns CRYPTOCB_UNAVAILABLE for curves
+ * the CCB cannot wrap so keygen falls back to software. Not a public entry
+ * point -- reached via wc_ecc_make_key() on a WC_DHUK_DEVID key. */
+int wc_ecc_dev_make_key(WC_RNG* rng, int keysize, ecc_key* key, int curve_id)
+{
+#ifdef WOLFSSL_SMALL_STACK
+    ecc_key* tmp = NULL;             /* ecc_key is ~1-2KB -- heap it on the
+                                      * small-stack embedded targets this port
+                                      * runs on (repo convention). */
+#else
+    ecc_key  tmp[1];
+#endif
+#ifdef WOLFSSL_SMALL_STACK
+    /* d || pub || wrapped in one heap scratch buffer (~326 B) -- keep the
+     * fixed byte buffers off the stack too, like tmp above. */
+    byte*   scratch = NULL;
+    byte*   d;
+    byte*   pub;       /* qx || qy, contiguous */
+    byte*   wrapped;
+#else
+    byte    d[MAX_ECC_BYTES];
+    byte    pub[2 * MAX_ECC_BYTES];   /* qx || qy, contiguous */
+    byte    wrapped[96];
+#endif
+    byte    iv[16];
+    byte    tag[16];
+    word32  dLen;
+    word32  wrappedSz = 0;
+    int     modSz;
+    int     ret;
+    int     tmpInit = 0;
+
+    (void)keysize;
+    if (rng == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    /* wc_ecc_set_curve() ran before the callback, so key->dp is resolved even
+     * when curve_id came in as the default. */
+    if (curve_id <= 0 && key->dp != NULL) {
+        curve_id = key->dp->id;
+    }
+    modSz = wc_ecc_get_curve_size_from_id(curve_id);
+    if (modSz <= 0 || (word32)modSz > MAX_ECC_BYTES) {
+        return CRYPTOCB_UNAVAILABLE;   /* unsupported -> software keygen */
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    tmp = (ecc_key*)XMALLOC(sizeof(ecc_key), key->heap, DYNAMIC_TYPE_ECC);
+    if (tmp == NULL) {
+        return MEMORY_E;
+    }
+    scratch = (byte*)XMALLOC((3 * MAX_ECC_BYTES) + 96, key->heap,
+                             DYNAMIC_TYPE_TMP_BUFFER);
+    if (scratch == NULL) {
+        XFREE(tmp, key->heap, DYNAMIC_TYPE_ECC);
+        return MEMORY_E;
+    }
+    d       = scratch;
+    pub     = scratch + MAX_ECC_BYTES;
+    wrapped = scratch + (3 * MAX_ECC_BYTES);
+#endif
+
+    ret = wc_ecc_init_ex(tmp, key->heap, INVALID_DEVID);
+    if (ret == 0) {
+        tmpInit = 1;
+        ret = wc_ecc_make_key_ex(rng, modSz, tmp, curve_id);
+    }
+    if (ret == 0) {
+        dLen = (word32)modSz;
+        ret = wc_ecc_export_private_only(tmp, d, &dLen);
+    }
+    if (ret == 0) {
+        ret = wc_Stm32_Ccb_EccMakeBlob(curve_id, d, dLen, iv, tag, wrapped,
+                                       &wrappedSz, pub, pub + modSz);
+        if (ret != 0) {
+            ret = CRYPTOCB_UNAVAILABLE;   /* curve not CCB-wrappable -> SW */
+        }
+    }
+    if (ret == 0) {
+        ret = wc_ecc_import_wrapped_private_ex(key, curve_id, wrapped, wrappedSz,
+                                     iv, (word32)sizeof(iv), tag,
+                                     (word32)sizeof(tag), pub,
+                                     (word32)(2 * modSz));
+    }
+
+    ForceZero(d, MAX_ECC_BYTES);
+    if (tmpInit) {
+        wc_ecc_free(tmp);
+    }
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(scratch, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(tmp, key->heap, DYNAMIC_TYPE_ECC);
+#endif
+    return ret;
+}
+#endif /* WOLFSSL_DHUK && WOLFSSL_STM32_CCB */
+
 #endif /* !HAVE_ECC_SIGN */
 
 #ifdef WOLFSSL_CUSTOM_CURVES
@@ -8945,7 +9116,7 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
 
 #ifndef WOLF_CRYPTO_CB_ONLY_ECC
 
-#if !defined(WOLFSSL_STM32_PKA) && \
+#if (!defined(WOLFSSL_STM32_PKA) || defined(WC_STM32_PKA_SIGN_ONLY)) && \
     !defined(WOLFSSL_PSOC6_CRYPTO) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC)
 static int wc_ecc_check_r_s_range(ecc_key* key, mp_int* r, mp_int* s)
@@ -9463,9 +9634,11 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
 int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
                     word32 hashlen, int* res, ecc_key* key)
 {
-#if defined(WOLFSSL_STM32_PKA)
+#if defined(WOLFSSL_STM32_PKA) && !defined(WC_STM32_PKA_SIGN_ONLY)
     /* HW ECDSA verify via STM32 PKA. Works under both the CubeMX-HAL
-     * and the bare-metal direct-register paths. Mirror the non-FIPS
+     * and the bare-metal direct-register paths. (Under WC_STM32_PKA_SIGN_ONLY
+     * -- e.g. STM32C5 -- verify falls through to the software body below.)
+     * Mirror the non-FIPS
      * input-validation from the SW body below (length range, all-zero
      * digest rejection) so HW + SW share the same input contract. */
 #ifndef WC_ALLOW_ECC_ZERO_HASH
 
@@ -22,7 +22,7 @@ Support for STM32 on-chip crypto hardware acceleration across the following fami
 | `WOLFSSL_STM32WBA`    | WBA52 (TinyAES / HASH / RNG / SAES / V2 PKA / DHUK)                 |
 | `WOLFSSL_STM32WL`     | WL55 (TinyAES / RNG / V1 PKA)                                       |
 | `WOLFSSL_STM32C0`     | C0xx (not yet supported in settings.h; SW only)                     |
-| `WOLFSSL_STM32C5`     | C5xx (TinyAES / HASH / RNG / SAES / V2 PKA / DHUK)                  |
+| `WOLFSSL_STM32C5`     | C5xx (TinyAES / HASH / RNG / SAES / V2 PKA sign-only / DHUK / CCB)   |
 | `WOLFSSL_STM32N6`     | N6xx (TinyAES / HASH / RNG / SAES / V2 PKA / DHUK; M55 core)        |
 | `WOLFSSL_STM32MP13`   | MP13 (CRYP / HASH / RNG / PKA; Cortex-A7)                           |
 | `WOLFSSL_STM32MP25`   | MP25 (not yet supported in settings.h; Cortex-A35 + M33)            |
@@ -144,6 +144,58 @@ ECDSA mirrors this: init the key with `wc_ecc_init_ex(&key, NULL, WC_DHUK_DEVID)
 `wc_Stm32_Aes_DhukOp[_ex]()` unwraps a previously DHUK-wrapped key into SAES KEYR and runs AES ECB/CBC with it (importing an externally-chosen key, vs deriving one from a seed). It is compiled only with `WOLFSSL_STM32_DHUK_UNWRAP`, is called explicitly (not auto-routed), and is not re-validated on current hardware.
 
 
+## STM32 CCB (Coupling and Chaining Bridge)
+
+STM32U3 and STM32C5 silicon (e.g. U385 / C5A3; RM0487 ch 31 and RM0522, the `WC_STM32_HAS_CCB` gate) carry the CCB peripheral, which chains the PKA, SAES and RNG over a private local interconnect. This lets a DHUK-protected ECDSA private scalar be unwrapped by the SAES and consumed by the PKA entirely in hardware -- the scalar never crosses the system bus or enters software, not even into a short-lived buffer (unlike the generic DHUK ECDSA path above, which decrypts the scalar into a stack buffer). CCB builds on DHUK: the private key is held as a chip-bound AES-GCM blob (`iv` / `tag` / wrapped scalar) created under the silicon DHUK.
+
+CCB is supported on both build paths: the bare-metal direct-register OPSTEP driver (`WOLFSSL_STM32_BARE`) and the CubeMX/HAL path (`WOLFSSL_STM32_CUBEMX`, via ST's `HAL_CCB_*` driver). It currently covers ECDSA over P-256.
+
+### Enabling
+
+```
+#define WOLFSSL_DHUK         /* CCB is a DHUK feature */
+#define WOLF_CRYPTO_CB       /* required -- transparent sign routes through crypto callbacks */
+#define WOLFSSL_STM32_CCB    /* opt in to the CCB-protected ECDSA path */
+```
+
+`WOLFSSL_STM32_CCB` requires CCB silicon (`WOLFSSL_STM32U3` or `WOLFSSL_STM32C5`) and either `WOLFSSL_STM32_BARE` or `WOLFSSL_STM32_CUBEMX` (a `#error` fires otherwise).
+
+### API
+
+The whole flow uses the **standard ECC API** -- there is no CCB-specific public API. Binding the key to `WC_DHUK_DEVID` routes keygen and sign through the STM32 crypto callback, which provisions and uses the CCB-protected key transparently (a drop-in for TLS and other consumers). The same flow works on both build paths.
+
+```c
+ecc_key key;
+
+/* one-time: register the STM32 DHUK/CCB crypto-callback device */
+wc_Stm32_DhukRegister(WC_DHUK_DEVID);
+
+wc_ecc_init_ex(&key, NULL, WC_DHUK_DEVID);
+
+/* provision a fresh device-bound key with the STANDARD keygen -- the crypto
+ * callback intercepts it: the CCB generates the scalar, wraps it into a blob
+ * and derives the public key, all in hardware. No CCB-specific API. */
+wc_ecc_make_key_ex(&rng, 32, &key, ECC_SECP256R1);
+
+/* transparent sign -- the scalar is unwrapped SAES->PKA in HW and signed */
+wc_ecc_sign_hash(hash, hashLen, sig, &sigLen, &rng, &key);
+
+/* verify with the in-clear public key, unchanged */
+wc_ecc_verify_hash(sig, sigLen, hash, hashLen, &verified, &key);
+
+wc_ecc_free(&key);
+wc_Stm32_DhukUnRegister(WC_DHUK_DEVID);
+```
+
+To reuse a key across resets, persist the blob from a provisioned key and reload it later with `wc_ecc_import_wrapped_private_ex(&key, curve_id, wrapped, wrappedLen, iv, tag, pub, pubLen)` (the public key in uncompressed `qx||qy` form), then sign as above. Both paths set `key->dhuk_is_ccb` and the device `devId`, so dispatch to the CCB happens automatically inside the crypto callback.
+
+### Current state
+
+- Validated on STM32U385 (NUCLEO-U385RG-Q, TZEN=0), P-256, on both the bare-metal and CubeMX/HAL build paths: `wc_ecc_make_key` -> `wc_ecc_sign_hash` -> `wc_ecc_verify_hash` round-trips, with the private scalar never present in software.
+- `Stm32Ccb_Init()` pulse-resets the PKA / SAES / RNG before each operation, so the first CCB op is robust even when prior standalone crypto (RNG seeding, ECC keygen) left an engine in a state that would otherwise stall the CCB's chained SAES GCM step. The family-specific reset register name is abstracted (`WC_STM32_CCB_RSTR`).
+- CCB requires the U3 at its full clock; the reference clock-tree bring-up (96 MHz) is in the bare example's `boards/u3/hw_init.c`.
+
+
 ## STM32 BARE-metal port
 
 `WOLFSSL_STM32_BARE` selects a direct-register integration with zero HAL or StdPeriLib dependency. Use this for: