wolfSSL
diff --git a/‎.wolfssl_known_macro_extras‎
Lines changed: 3 additions & 0 deletions b/‎.wolfssl_known_macro_extras‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎wolfcrypt/src/ecc.c‎
Lines changed: 107 additions & 0 deletions b/‎wolfcrypt/src/ecc.c‎
Lines changed: 107 additions & 0 deletions
diff --git a/‎wolfcrypt/src/port/st/README.md‎
Lines changed: 52 additions & 0 deletions b/‎wolfcrypt/src/port/st/README.md‎
Lines changed: 52 additions & 0 deletions
@@ -517,13 +517,15 @@ QAT_ENABLE_RNG
 QAT_USE_POLLING_CHECK
 RCC_AHB1ENR_PKAEN
 RCC_AHB2ENR1_AESEN
+RCC_AHB2ENR1_CCBEN
 RCC_AHB2ENR1_HASHEN
 RCC_AHB2ENR1_PKAEN
 RCC_AHB2ENR1_SAESEN
 RCC_AHB2ENR_AESEN
 RCC_AHB2ENR_HASHEN
 RCC_AHB2ENR_PKAEN
 RCC_AHB2ENR_SAESEN
+RCC_AHB2RSTR1_CCBRST
 RCC_AHB2RSTR_PKARST
 RCC_AHB3ENR_AESEN
 RCC_AHB3ENR_CRYPEN
@@ -973,6 +975,7 @@ WOLFSSL_STM32C5
 WOLFSSL_STM32F3
 WOLFSSL_STM32F427_RNG
 WOLFSSL_STM32U0
+WOLFSSL_STM32_CCB
 WOLFSSL_STM32_DHUK_UNWRAP
 WOLFSSL_STM32_USE_SAES
 WOLFSSL_STRONGEST_HASH_SIG
 
@@ -8065,6 +8065,113 @@ int wc_ecc_sign_set_k(const byte* k, word32 klen, ecc_key* key)
 #endif /* WOLFSSL_ECDSA_SET_K || WOLFSSL_ECDSA_SET_K_ONE_LOOP */
 #endif /* WOLFSSL_ATECC508A && WOLFSSL_CRYPTOCELL */
 
+#if defined(WOLFSSL_STM32_CCB)
+/* Load a previously provisioned device-protected ECDSA blob (wrapped scalar +
+ * AES-GCM iv/tag) and its public key onto the ecc_key. Sets the curve so the
+ * sign path can derive the parameters, and marks the key for the device
+ * crypto-callback. The caller enables the device with
+ * wc_ecc_init_ex(&key, heap, WC_DHUK_DEVID). Generic name -- the wrapping is
+ * the STM32 CCB, but the surface is not CCB-specific. */
+int wc_ecc_import_wrapped_private_ex(ecc_key* key, int curve_id,
+                           const byte* wrapped, word32 wrappedLen,
+                           const byte* iv, const byte* tag,
+                           const byte* pub, word32 pubLen)
+{
+    int modSz;
+    int ret;
+
+    if (key == NULL || wrapped == NULL || iv == NULL || tag == NULL ||
+        pub == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    modSz = wc_ecc_get_curve_size_from_id(curve_id);
+    if (modSz <= 0) {
+        return BAD_FUNC_ARG;
+    }
+    if (wrappedLen == 0u || wrappedLen > sizeof(key->dhuk_wrapped_priv)) {
+        return BAD_FUNC_ARG;
+    }
+    if (pubLen != (word32)(2 * modSz)) {
+        return BAD_FUNC_ARG;
+    }
+    /* Import public key (qx||qy) + set the curve (key->dp). */
+    ret = wc_ecc_import_unsigned(key, pub, pub + modSz, NULL, curve_id);
+    if (ret != 0) {
+        return ret;
+    }
+    XMEMCPY(key->dhuk_wrapped_priv, wrapped, wrappedLen);
+    key->dhuk_wrapped_priv_len = wrappedLen;
+    XMEMCPY(key->ccb_iv,  iv,  sizeof(key->ccb_iv));
+    XMEMCPY(key->ccb_tag, tag, sizeof(key->ccb_tag));
+    key->dhuk_is_ccb = 1;
+    return 0;
+}
+
+/* Crypto-callback keygen handler (WC_PK_TYPE_EC_KEYGEN). Provisions a fresh
+ * device-protected key: generate a scalar, have the CCB wrap it into a
+ * device-bound blob and derive its public key, and store both on the ecc_key
+ * (the scalar is zeroized and never leaves this call / the hardware). The
+ * scalar is generated in software with the supplied rng on a throwaway key with
+ * no devId (so no callback recursion). Returns CRYPTOCB_UNAVAILABLE for curves
+ * the CCB cannot wrap so keygen falls back to software. Not a public entry
+ * point -- reached via wc_ecc_make_key() on a WC_DHUK_DEVID key. */
+int wc_ecc_dev_make_key(WC_RNG* rng, int keysize, ecc_key* key, int curve_id)
+{
+    ecc_key tmp;
+    byte    d[MAX_ECC_BYTES];
+    byte    pub[2 * MAX_ECC_BYTES];   /* qx || qy, contiguous */
+    byte    iv[16];
+    byte    tag[16];
+    byte    wrapped[96];
+    word32  dLen;
+    word32  wrappedSz = 0;
+    int     modSz;
+    int     ret;
+    int     tmpInit = 0;
+
+    (void)keysize;
+    if (rng == NULL || key == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    /* wc_ecc_set_curve() ran before the callback, so key->dp is resolved even
+     * when curve_id came in as the default. */
+    if (curve_id <= 0 && key->dp != NULL) {
+        curve_id = key->dp->id;
+    }
+    modSz = wc_ecc_get_curve_size_from_id(curve_id);
+    if (modSz <= 0 || (word32)modSz > sizeof(d)) {
+        return CRYPTOCB_UNAVAILABLE;   /* unsupported -> software keygen */
+    }
+
+    ret = wc_ecc_init_ex(&tmp, key->heap, INVALID_DEVID);
+    if (ret == 0) {
+        tmpInit = 1;
+        ret = wc_ecc_make_key_ex(rng, modSz, &tmp, curve_id);
+    }
+    if (ret == 0) {
+        dLen = (word32)modSz;
+        ret = wc_ecc_export_private_only(&tmp, d, &dLen);
+    }
+    if (ret == 0) {
+        ret = wc_Stm32_Ccb_EccMakeBlob(curve_id, d, dLen, iv, tag, wrapped,
+                                       &wrappedSz, pub, pub + modSz);
+        if (ret != 0) {
+            ret = CRYPTOCB_UNAVAILABLE;   /* curve not CCB-wrappable -> SW */
+        }
+    }
+    if (ret == 0) {
+        ret = wc_ecc_import_wrapped_private_ex(key, curve_id, wrapped, wrappedSz,
+                                     iv, tag, pub, (word32)(2 * modSz));
+    }
+
+    ForceZero(d, sizeof(d));
+    if (tmpInit) {
+        wc_ecc_free(&tmp);
+    }
+    return ret;
+}
+#endif /* WOLFSSL_STM32_CCB */
+
 #endif /* !HAVE_ECC_SIGN */
 
 #ifdef WOLFSSL_CUSTOM_CURVES
 
@@ -144,6 +144,58 @@ ECDSA mirrors this: init the key with `wc_ecc_init_ex(&key, NULL, WC_DHUK_DEVID)
 `wc_Stm32_Aes_DhukOp[_ex]()` unwraps a previously DHUK-wrapped key into SAES KEYR and runs AES ECB/CBC with it (importing an externally-chosen key, vs deriving one from a seed). It is compiled only with `WOLFSSL_STM32_DHUK_UNWRAP`, is called explicitly (not auto-routed), and is not re-validated on current hardware.
 
 
+## STM32 CCB (Coupling and Chaining Bridge)
+
+STM32U3 silicon (e.g. U385; RM0487 ch 31, the `WC_STM32_HAS_CCB` gate) carries the CCB peripheral, which chains the PKA, SAES and RNG over a private local interconnect. This lets a DHUK-protected ECDSA private scalar be unwrapped by the SAES and consumed by the PKA entirely in hardware -- the scalar never crosses the system bus or enters software, not even into a short-lived buffer (unlike the generic DHUK ECDSA path above, which decrypts the scalar into a stack buffer). CCB builds on DHUK: the private key is held as a chip-bound AES-GCM blob (`iv` / `tag` / wrapped scalar) created under the silicon DHUK.
+
+CCB is supported on both build paths: the bare-metal direct-register OPSTEP driver (`WOLFSSL_STM32_BARE`) and the CubeMX/HAL path (`WOLFSSL_STM32_CUBEMX`, via ST's `HAL_CCB_*` driver). It currently covers ECDSA over P-256.
+
+### Enabling
+
+```
+#define WOLFSSL_DHUK         /* CCB is a DHUK feature */
+#define WOLF_CRYPTO_CB       /* required -- transparent sign routes through crypto callbacks */
+#define WOLFSSL_STM32_CCB    /* opt in to the CCB-protected ECDSA path */
+```
+
+`WOLFSSL_STM32_CCB` requires CCB silicon (`WOLFSSL_STM32U3`) and either `WOLFSSL_STM32_BARE` or `WOLFSSL_STM32_CUBEMX` (a `#error` fires otherwise).
+
+### API
+
+The whole flow uses the **standard ECC API** -- there is no CCB-specific public API. Binding the key to `WC_DHUK_DEVID` routes keygen and sign through the STM32 crypto callback, which provisions and uses the CCB-protected key transparently (a drop-in for TLS and other consumers). The same flow works on both build paths.
+
+```c
+ecc_key key;
+
+/* one-time: register the STM32 DHUK/CCB crypto-callback device */
+wc_Stm32_DhukRegister(WC_DHUK_DEVID);
+
+wc_ecc_init_ex(&key, NULL, WC_DHUK_DEVID);
+
+/* provision a fresh device-bound key with the STANDARD keygen -- the crypto
+ * callback intercepts it: the CCB generates the scalar, wraps it into a blob
+ * and derives the public key, all in hardware. No CCB-specific API. */
+wc_ecc_make_key_ex(&rng, 32, &key, ECC_SECP256R1);
+
+/* transparent sign -- the scalar is unwrapped SAES->PKA in HW and signed */
+wc_ecc_sign_hash(hash, hashLen, sig, &sigLen, &rng, &key);
+
+/* verify with the in-clear public key, unchanged */
+wc_ecc_verify_hash(sig, sigLen, hash, hashLen, &verified, &key);
+
+wc_ecc_free(&key);
+wc_Stm32_DhukUnRegister(WC_DHUK_DEVID);
+```
+
+To reuse a key across resets, persist the blob from a provisioned key and reload it later with `wc_ecc_import_wrapped_private_ex(&key, curve_id, wrapped, wrappedLen, iv, tag, pub, pubLen)` (the public key in uncompressed `qx||qy` form), then sign as above. Both paths set `key->dhuk_is_ccb` and the device `devId`, so dispatch to the CCB happens automatically inside the crypto callback.
+
+### Current state
+
+- Validated on STM32U385 (NUCLEO-U385RG-Q, TZEN=0), P-256, on both the bare-metal and CubeMX/HAL build paths: `wc_ecc_make_key` -> `wc_ecc_sign_hash` -> `wc_ecc_verify_hash` round-trips, with the private scalar never present in software.
+- `Stm32Ccb_Init()` pulse-resets the PKA / SAES / RNG before each operation, so the first CCB op is robust even when prior standalone crypto (RNG seeding, ECC keygen) left an engine in a state that would otherwise stall the CCB's chained SAES GCM step. The family-specific reset register name is abstracted (`WC_STM32_CCB_RSTR`).
+- CCB requires the U3 at its full clock; the reference clock-tree bring-up (96 MHz) is in the bare example's `boards/u3/hw_init.c`.
+
+
 ## STM32 BARE-metal port
 
 `WOLFSSL_STM32_BARE` selects a direct-register integration with zero HAL or StdPeriLib dependency. Use this for: