fix GCM test

sameehj · sameehj · commit aaa54dc9b77d · 2026-01-19T20:27:51.000+02:00
Signed-off-by: Sameeh Jubran &lt;sameeh@wolfssl.com&gt;
diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c
@@ -5283,6 +5283,7 @@ static int test_CryptoCb_Aes_Cb(int devId, wc_CryptoInfo* info, void* ctx)
 
         /* Store handle in aes->devCtx - this is what wolfSSL will use */
         aes->devCtx = cryptoCbAesMockHandle;
+        aes->devFlags |= WC_AES_FLAG_GCM_OFFLOAD;  /* We handle GCM ops */
 
         cryptoCbAesSetKeyCalled++;
 
@@ -5627,6 +5628,7 @@ static int test_CryptoCb_AesGcm_Offload_Cb(int devId, wc_CryptoInfo* info, void*
 
         /* Store handle in aes->devCtx - this is what wolfSSL will use */
         aes->devCtx = cryptoCbAesGcmMockHandle;
+        aes->devFlags |= WC_AES_FLAG_GCM_OFFLOAD;  /* We handle GCM ops */
 
         cryptoCbAesGcmSetKeyCalled++;
 
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
@@ -4361,24 +4361,26 @@ static WARN_UNUSED_RESULT int wc_AesDecrypt(
     #ifdef WOLF_CRYPTO_CB
         if (aes->devId != INVALID_DEVID) {
         #ifdef WOLF_CRYPTO_CB_AES_SETKEY
-            /* CryptoCB key import path */
-            ret = wc_CryptoCb_AesSetKey(aes, userKey, keylen);
-
-            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
-                /* Callback handled it (success or error) */
-                if (ret == 0) {
-                    /* Store metadata only - NO raw key */
-                    aes->keylen = (int)keylen;
-                    /* Set IV if provided */
-                    if (iv != NULL) {
-                        XMEMCPY(aes->reg, iv, WC_AES_BLOCK_SIZE);
-                    } else {
-                        XMEMSET(aes->reg, 0, WC_AES_BLOCK_SIZE);
+            /* CryptoCB key import path - only if device exists and supports AES */
+            if (wc_CryptoCb_FindDevice(aes->devId, WC_ALGO_TYPE_CIPHER) != NULL) {
+                ret = wc_CryptoCb_AesSetKey(aes, userKey, keylen);
+
+                if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
+                    /* Callback handled it (success or error) */
+                    if (ret == 0) {
+                        /* Store metadata only - NO raw key */
+                        aes->keylen = (int)keylen;
+                        /* Set IV if provided */
+                        if (iv != NULL) {
+                            XMEMCPY(aes->reg, iv, WC_AES_BLOCK_SIZE);
+                        } else {
+                            XMEMSET(aes->reg, 0, WC_AES_BLOCK_SIZE);
+                        }
                     }
+                    return ret;
                 }
-                return ret;
+                /* CRYPTOCB_UNAVAILABLE: fall through to software */
             }
-            /* CRYPTOCB_UNAVAILABLE: fall through to software */
         #else
             /* Standard CryptoCB path - copy key to devKey */
             if (keylen > sizeof(aes->devKey)) {
@@ -4812,25 +4814,28 @@ static void AesSetKey_C(Aes* aes, const byte* key, word32 keySz, int dir)
         if (aes->devId != INVALID_DEVID) {
         #ifdef WOLF_CRYPTO_CB_AES_SETKEY
             /* CryptoCB key import mode: attempt to import key to secure element.
+             * Only if device exists and supports AES.
              * If the callback handles it, we're done.
              * If CRYPTOCB_UNAVAILABLE, fall through to software path. */
-            ret = wc_CryptoCb_AesSetKey(aes, userKey, keylen);
-
-            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
-                /* Callback handled it (success or error) */
-                if (ret == 0) {
-                    /* Store metadata only - NO raw key */
-                    aes->keylen = (int)keylen;
-                    /* Set IV if provided */
-                    if (iv != NULL) {
-                        XMEMCPY(aes->reg, iv, WC_AES_BLOCK_SIZE);
-                    } else {
-                        XMEMSET(aes->reg, 0, WC_AES_BLOCK_SIZE);
+            if (wc_CryptoCb_FindDevice(aes->devId, WC_ALGO_TYPE_CIPHER) != NULL) {
+                ret = wc_CryptoCb_AesSetKey(aes, userKey, keylen);
+
+                if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
+                    /* Callback handled it (success or error) */
+                    if (ret == 0) {
+                        /* Store metadata only - NO raw key */
+                        aes->keylen = (int)keylen;
+                        /* Set IV if provided */
+                        if (iv != NULL) {
+                            XMEMCPY(aes->reg, iv, WC_AES_BLOCK_SIZE);
+                        } else {
+                            XMEMSET(aes->reg, 0, WC_AES_BLOCK_SIZE);
+                        }
                     }
+                    return ret;
                 }
-                return ret;
+                /* CRYPTOCB_UNAVAILABLE: fall through to software */
             }
-            /* CRYPTOCB_UNAVAILABLE: fall through to software */
         #else
             /* Copy key to devKey for standard CryptoCB path */
             XMEMCPY(aes->devKey, userKey, keylen);
@@ -7511,7 +7516,8 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
 #ifdef WOLF_CRYPTO_CB_AES_SETKEY
         /* In CryptoCB key import mode, skip H table generation.
          * The secure element handles GCM internally. */
-        if (aes->devId != INVALID_DEVID && aes->devCtx != NULL) {
+        if (aes->devId != INVALID_DEVID && aes->devCtx != NULL &&
+            (aes->devFlags & WC_AES_FLAG_GCM_OFFLOAD)) {
             /* H table not needed - SE does GCM */
         }
         else
@@ -7529,7 +7535,8 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
 #ifdef WOLF_CRYPTO_CB_AES_SETKEY
         /* In CryptoCB key import mode, skip M0 table generation.
          * The secure element handles GCM internally. */
-        if (aes->devId != INVALID_DEVID && aes->devCtx != NULL) {
+        if (aes->devId != INVALID_DEVID && aes->devCtx != NULL &&
+            (aes->devFlags & WC_AES_FLAG_GCM_OFFLOAD)) {
             /* M0 table not needed - SE does GCM */
         }
         else
@@ -13381,6 +13388,9 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
 
 #if defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_STM32U5_DHUK)
     aes->devId = devId;
+#ifdef WOLF_CRYPTO_CB
+    aes->devFlags = 0;  /* Defensive init: ensure flags start clean */
+#endif
 #else
     (void)devId;
 #endif
@@ -13473,14 +13483,17 @@ void wc_AesFree(Aes* aes)
     {
         int ret = wc_CryptoCb_Free(aes->devId, WC_ALGO_TYPE_CIPHER,
                                    WC_CIPHER_AES, aes);
+        if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
+            /* Callback didn't handle it - fall through to software cleanup */
+        }
+        else {
+            /* Callback handled cleanup */
     #ifdef WOLF_CRYPTO_CB_AES_SETKEY
-        aes->devCtx = NULL;  /* Clear device context handle */
+            aes->devCtx = NULL;
+            aes->devFlags = 0;
     #endif
-        /* If callback wants standard free, it can set devId to INVALID_DEVID.
-         * Otherwise assume the callback handled cleanup. */
-        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
             return;
-        /* fall-through when unavailable */
+        }
     }
 #endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_FREE */
 
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c
@@ -301,7 +301,7 @@ static CryptoCb* wc_CryptoCb_GetDevice(int devId)
 
 /* Filters through find callback set when trying to get the device,
  * returns the device found on success and null if not found. */
-static CryptoCb* wc_CryptoCb_FindDevice(int devId, int algoType)
+WOLFSSL_LOCAL CryptoCb* wc_CryptoCb_FindDevice(int devId, int algoType)
 {
     int localDevId = devId;
 
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
@@ -237,6 +237,10 @@ enum {
     WOLF_ENUM_DUMMY_LAST_ELEMENT(AES)
 };
 
+/* CryptoCB device capability flags */
+#define WC_AES_FLAG_NONE        0x00
+#define WC_AES_FLAG_GCM_OFFLOAD 0x01  /* Device handles AES-GCM encrypt/decrypt */
+
 #ifdef WC_AES_BITSLICED
     #ifdef WC_AES_BS_WORD_SIZE
         #define BS_WORD_SIZE        WC_AES_BS_WORD_SIZE
@@ -335,6 +339,9 @@ struct Aes {
 #if defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_STM32U5_DHUK)
     int    devId;
     void*  devCtx;
+#ifdef WOLF_CRYPTO_CB
+    byte   devFlags;  /* CryptoCB capability flags */
+#endif
 #endif
 #ifdef WOLF_PRIVATE_KEY_ID
     byte id[AES_MAX_ID_LEN];
diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h
@@ -539,6 +539,8 @@ typedef int (*CryptoDevCallbackFunc)(int devId, struct wc_CryptoInfo* info, void
 WOLFSSL_LOCAL void wc_CryptoCb_Init(void);
 WOLFSSL_LOCAL void wc_CryptoCb_Cleanup(void);
 WOLFSSL_LOCAL int wc_CryptoCb_GetDevIdAtIndex(int startIdx);
+/* Internal function to check if CryptoCB device exists - returns NULL if not found */
+WOLFSSL_LOCAL void* wc_CryptoCb_FindDevice(int devId, int algoType);
 WOLFSSL_API int  wc_CryptoCb_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx);
 WOLFSSL_API void wc_CryptoCb_UnRegisterDevice(int devId);
 WOLFSSL_API int wc_CryptoCb_DefaultDevID(void);

Original file line number	Diff line number	Diff line change
`@@ -301,7 +301,7 @@ static CryptoCb* wc_CryptoCb_GetDevice(int devId)`
`301`	`301`
`302`	`302`	`/* Filters through find callback set when trying to get the device,`
`303`	`303`	`* returns the device found on success and null if not found. */`
`304`		`-static CryptoCb* wc_CryptoCb_FindDevice(int devId, int algoType)`
	`304`	`+WOLFSSL_LOCAL CryptoCb* wc_CryptoCb_FindDevice(int devId, int algoType)`
`305`	`305`	`{`
`306`	`306`	`int localDevId = devId;`
`307`	`307`