Add support for wolfCrypt CMAC KDF#228
Merged
AlexLanzano merged 2 commits intowolfSSL:mainfrom Oct 30, 2025
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for the NIST SP 800-108 CMAC-based Key Derivation Function (KDF) to wolfHSM, following the introduction of this feature in wolfCrypt. The implementation provides both client and server-side APIs for deriving key material using the two-step CMAC KDF, with support for caching inputs and outputs on the HSM.
Key changes:
- Added CMAC KDF client/server API functions for deriving and caching key material
- Implemented message translation and request handling infrastructure for CMAC KDF operations
- Added comprehensive test coverage including direct API calls, cached inputs, and cached outputs
Reviewed Changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| wolfhsm/wh_server_crypto.h | Added server-side function declaration for CMAC KDF key cache import |
| wolfhsm/wh_message_crypto.h | Added request/response structures and translation functions for CMAC KDF messages |
| wolfhsm/wh_client_crypto.h | Added client API functions with documentation for CMAC KDF operations |
| test/wh_test_crypto.c | Added comprehensive test cases covering multiple CMAC KDF usage patterns |
| test/config/user_settings.h | Enabled HAVE_CMAC_KDF feature flag |
| src/wh_server_crypto.c | Implemented server-side CMAC KDF request handler and cache import function |
| src/wh_message_crypto.c | Implemented message translation functions for CMAC KDF structures |
| src/wh_client_cryptocb.c | Added crypto callback support for routing CMAC KDF operations to HSM |
| src/wh_client_crypto.c | Implemented client-side CMAC KDF functions for cache and export operations |
| examples/posix/wh_posix_server/user_settings.h | Enabled HAVE_CMAC_KDF in example configuration |
| examples/demo/client/wh_demo_client_crypto.h | Added function declarations for CMAC KDF demo examples |
| examples/demo/client/wh_demo_client_crypto.c | Added three demo functions showcasing different CMAC KDF usage patterns |
| examples/demo/client/wh_demo_client_all.c | Integrated CMAC KDF demos into the comprehensive demo suite |
| benchmark/wh_bench_ops.h | Incremented MAX_BENCH_OPS to accommodate new benchmark module |
| benchmark/wh_bench.c | Added CMAC KDF benchmark module registration |
| benchmark/config/user_settings.h | Enabled HAVE_CMAC_KDF for benchmark builds |
| benchmark/bench_modules/wh_bench_mod_hkdf.c | Updated HKDF benchmark to use cache-based approach for consistency |
| benchmark/bench_modules/wh_bench_mod_cmac_kdf.c | Added new benchmark module for CMAC KDF performance testing |
| benchmark/bench_modules/wh_bench_mod_all.h | Added CMAC KDF benchmark module prototype |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
billphipps
previously approved these changes
Oct 30, 2025
Contributor
billphipps
left a comment
billphipps
left a comment
There was a problem hiding this comment.
No changes required. just some comments. Looks great!
AlexLanzano
previously approved these changes
Oct 30, 2025
AlexLanzano
approved these changes
Oct 30, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds support for the NIST SP-800 108 CMAC KDF, now that is supported in wolfCrypt (wolfSSL/wolfssl#9289)