wolfSSL
diff --git a/‎doc/dox_comments/header_files/cryptocb.h‎
Lines changed: 7 additions & 24 deletions b/‎doc/dox_comments/header_files/cryptocb.h‎
Lines changed: 7 additions & 24 deletions
diff --git a/‎tests/api/test_aes.c‎
Lines changed: 0 additions & 210 deletions b/‎tests/api/test_aes.c‎
Lines changed: 0 additions & 210 deletions
diff --git a/‎tests/api/test_aes.h‎
Lines changed: 1 addition & 3 deletions b/‎tests/api/test_aes.h‎
Lines changed: 1 addition & 3 deletions
@@ -198,27 +198,18 @@ void wc_CryptoCb_InfoString(wc_CryptoInfo* info);
     - Key bytes ARE stored in wolfCrypt memory (devKey) for fallback
     - GCM tables ARE generated for software fallback
     - Provides hardware acceleration with automatic fallback
-    - Even when WC_CRYPTOCB_AES_GCM is set, tables are generated for safety
 
     **Crypto-Only Builds (--disable-tls):**
     - Key bytes NOT stored in wolfCrypt memory (true key isolation)
-    - GCM tables skipped when WC_CRYPTOCB_AES_GCM is set
-    - True hardware offload - callback must handle all GCM operations
+    - GCM tables skipped (true hardware offload)
+    - Callback must handle all GCM operations (SetKey, Encrypt, Decrypt, Free)
 
-    The callback declares its capabilities by setting flags in the
-    capabilities parameter. If WC_CRYPTOCB_AES_GCM is set, the callback
-    supports AES-GCM acceleration. In TLS builds, tables are ALWAYS generated
-    for fallback regardless of this flag. In crypto-only builds, tables are
-    skipped only when WC_CRYPTOCB_AES_GCM is set. If not set, wolfCrypt
-    generates tables for software fallback.
+    If the callback returns success (0), full AES-GCM offload is assumed.
+    The callback must handle SetKey, Encrypt, Decrypt, and Free operations.
 
     \param aes          AES context
     \param key          Pointer to raw AES key material
     \param keySz        Size of key in bytes
-    \param capabilities Output parameter receiving capability flags set by
-                        callback. May be NULL if capabilities are not needed.
-                        Callback sets WC_CRYPTOCB_AES_GCM to indicate full
-                        GCM offload support.
 
     \return 0 on success
     \return CRYPTOCB_UNAVAILABLE if device does not support this operation
@@ -232,28 +223,20 @@ void wc_CryptoCb_InfoString(wc_CryptoInfo* info);
     Aes aes;
     byte key[32] = { /* 256-bit key */ };
     int devId = 1;
-    int capabilities = 0;
 
     /* Register your CryptoCB callback first */
     wc_CryptoCb_RegisterDevice(devId, myCryptoCallback, NULL);
 
     wc_AesInit(&aes, NULL, devId);
     /* wc_AesGcmSetKey internally calls wc_CryptoCb_AesSetKey */
-    if (wc_CryptoCb_AesSetKey(&aes, key, sizeof(key), &capabilities) == 0) {
+    if (wc_CryptoCb_AesSetKey(&aes, key, sizeof(key)) == 0) {
         /* Key successfully imported to device via callback */
         /* aes.devCtx now contains device handle */
-        /* Check if GCM acceleration is supported */
-        if (capabilities & WC_CRYPTOCB_AES_GCM) {
-            /* GCM acceleration active */
-            /* Note: In TLS builds, tables still generated for fallback */
-            /* In crypto-only builds, tables skipped (true offload) */
-        }
+        /* Full GCM offload is assumed - callback must handle all operations */
     }
     \endcode
 
     \sa wc_CryptoCb_RegisterDevice
     \sa wc_AesInit
-    \sa WC_CRYPTOCB_AES_GCM
 */
-int wc_CryptoCb_AesSetKey(Aes* aes, const byte* key, word32 keySz,
-                          int* capabilities);
+int wc_CryptoCb_AesSetKey(Aes* aes, const byte* key, word32 keySz);
@@ -5284,10 +5284,6 @@ static int test_CryptoCb_Aes_Cb(int devId, wc_CryptoInfo* info, void* ctx)
         /* Store handle in aes->devCtx - this is what wolfSSL will use */
         aes->devCtx = cryptoCbAesMockHandle;
 
-        /* Declare AES-GCM capability.
-         * In TLS builds: wolfSSL will still generate tables for fallback.
-         * In crypto-only builds: wolfSSL skips tables (true offload). */
-        info->cipher.aessetkey.capabilities = WC_CRYPTOCB_AES_GCM;
 
         cryptoCbAesSetKeyCalled++;
 
@@ -5491,9 +5487,6 @@ int test_wc_CryptoCb_AesSetKey(void)
     /* Verify callback was invoked */
     ExpectIntEQ(cryptoCbAesSetKeyCalled, 1);
 
-    /* Verify GCM offload flag was set (callback declared capability) */
-    ExpectIntEQ(aes->gcmCryptoCbOffload, 1);
-
     /* Verify handle stored in devCtx */
     ExpectPtrEq(aes->devCtx, cryptoCbAesMockHandle);
 
@@ -5654,10 +5647,6 @@ static int test_CryptoCb_AesGcm_Offload_Cb(int devId, wc_CryptoInfo* info, void*
         /* Store handle in aes->devCtx - this is what wolfSSL will use */
         aes->devCtx = cryptoCbAesGcmMockHandle;
 
-        /* Declare full AES-GCM offload capability.
-         * This tells wolfSSL to skip GCM table generation and expect
-         * all GCM operations to go through CryptoCB. */
-        info->cipher.aessetkey.capabilities = WC_CRYPTOCB_AES_GCM;
 
         cryptoCbAesGcmSetKeyCalled++;
 
@@ -5894,9 +5883,6 @@ int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void)
     /* Verify SetKey callback was invoked */
     ExpectIntEQ(cryptoCbAesGcmSetKeyCalled, 1);
 
-    /* Verify GCM offload flag was set (callback declared capability) */
-    ExpectIntEQ(aes->gcmCryptoCbOffload, 1);
-
     /* Verify handle stored in devCtx */
     ExpectPtrEq(aes->devCtx, cryptoCbAesGcmMockHandle);
 
@@ -5984,201 +5970,5 @@ int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void)
     return EXPECT_RESULT();
 }
 
-/*
- * Test: Key import only callback - verifies software fallback works
- * when callback does NOT declare WC_CRYPTOCB_AES_GCM capability
- */
-#define TEST_CRYPTOCB_AES_KEYIMPORT_ONLY_DEVID  9
-
-/* Test state tracking for key-import-only test */
-static int cryptoCbKeyImportOnlySetKeyCalled = 0;
-static void* cryptoCbKeyImportOnlyMockHandle = (void*)0xDEADBEEF;
-
-/* Mock SE key storage for key-import-only test */
-static struct {
-    byte key[AES_256_KEY_SIZE];
-    word32 keySz;
-    int valid;
-} mockSeKeyImportOnly;
-
-/* Callback that handles key import but NOT GCM operations */
-static int test_CryptoCb_KeyImportOnly_Cb(int devId, wc_CryptoInfo* info, void* ctx)
-{
-    (void)ctx;
-
-    if (devId != TEST_CRYPTOCB_AES_KEYIMPORT_ONLY_DEVID)
-        return CRYPTOCB_UNAVAILABLE;
-
-    /* AES SetKey operation - simulate SE key import */
-    if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
-        info->cipher.type == WC_CIPHER_AES &&
-        info->cipher.aessetkey.aes != NULL) {
-
-        Aes* aes = info->cipher.aessetkey.aes;
-        const byte* key = info->cipher.aessetkey.key;
-        word32 keySz = info->cipher.aessetkey.keySz;
-
-        /* Validate key */
-        if (key == NULL || keySz == 0 || keySz > AES_256_KEY_SIZE) {
-            return BAD_FUNC_ARG;
-        }
-
-        /* "Import" key to simulated SE storage */
-        XMEMCPY(mockSeKeyImportOnly.key, key, keySz);
-        mockSeKeyImportOnly.keySz = keySz;
-        mockSeKeyImportOnly.valid = 1;
-
-        /* Store handle in aes->devCtx */
-        aes->devCtx = cryptoCbKeyImportOnlyMockHandle;
-
-        /* Do not set WC_CRYPTOCB_AES_GCM capability.
-         * This simulates a device that can import keys but cannot
-         * perform GCM operations. wolfSSL should generate GCM tables
-         * and use software fallback for GCM operations. */
-        /* info->cipher.aessetkey.capabilities stays 0 (default) */
-
-        cryptoCbKeyImportOnlySetKeyCalled++;
-
-        return 0;
-    }
-
-    /* GCM operations not supported - return UNAVAILABLE to trigger software fallback */
-    if (info->algo_type == WC_ALGO_TYPE_CIPHER &&
-        info->cipher.type == WC_CIPHER_AES_GCM) {
-        return CRYPTOCB_UNAVAILABLE;
-    }
-
-    return CRYPTOCB_UNAVAILABLE;
-}
-
-int test_wc_CryptoCb_AesKeyImportOnly(void)
-{
-    EXPECT_DECLS;
-#ifdef WOLFSSL_SMALL_STACK
-    Aes* aes = NULL;
-    byte* key = NULL;
-    byte* iv = NULL;
-    byte* plaintext = NULL;
-    byte* ciphertext = NULL;
-    byte* decrypted = NULL;
-    byte* authTag = NULL;
-    byte* aad = NULL;
-#else
-    Aes aes[1];
-    byte key[AES_128_KEY_SIZE];
-    byte iv[GCM_NONCE_MID_SZ];
-    byte plaintext[32];
-    byte ciphertext[32];
-    byte decrypted[32];
-    byte authTag[AES_BLOCK_SIZE];
-    byte aad[16];
-#endif
-    int ret;
-
-#ifdef WOLFSSL_SMALL_STACK
-    aes = (Aes*)XMALLOC(sizeof(Aes), NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    key = (byte*)XMALLOC(AES_128_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    iv = (byte*)XMALLOC(GCM_NONCE_MID_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    plaintext = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    ciphertext = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    decrypted = (byte*)XMALLOC(32, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    authTag = (byte*)XMALLOC(AES_BLOCK_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    aad = (byte*)XMALLOC(16, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-
-    if (aes == NULL || key == NULL || iv == NULL || plaintext == NULL ||
-        ciphertext == NULL || decrypted == NULL || authTag == NULL || aad == NULL) {
-        ret = MEMORY_E;
-        goto out;
-    }
-#endif
-
-    /* Initialize test data */
-    XMEMSET(key, 0x01, AES_128_KEY_SIZE);
-    XMEMSET(iv, 0x02, GCM_NONCE_MID_SZ);
-    XMEMSET(plaintext, 0x03, 32);
-    XMEMSET(aad, 0x04, 16);
-    XMEMSET(aes, 0, sizeof(Aes));
-    XMEMSET(&mockSeKeyImportOnly, 0, sizeof(mockSeKeyImportOnly));
-    cryptoCbKeyImportOnlySetKeyCalled = 0;
-
-    /* Register callback for key-import-only device */
-    ret = wc_CryptoCb_RegisterDevice(TEST_CRYPTOCB_AES_KEYIMPORT_ONLY_DEVID,
-                                     test_CryptoCb_KeyImportOnly_Cb, NULL);
-    ExpectIntEQ(ret, 0);
-
-    /* Initialize Aes with device ID */
-    ret = wc_AesInit(aes, NULL, TEST_CRYPTOCB_AES_KEYIMPORT_ONLY_DEVID);
-    ExpectIntEQ(ret, 0);
-    ExpectIntEQ(aes->devId, TEST_CRYPTOCB_AES_KEYIMPORT_ONLY_DEVID);
-
-    /* Set key - should trigger CryptoCB and "import" to mock SE */
-    ret = wc_AesGcmSetKey(aes, key, sizeof(key));
-    ExpectIntEQ(ret, 0);
-
-    /* Verify SetKey callback was invoked (callback is called but then we fall through) */
-    ExpectIntEQ(cryptoCbKeyImportOnlySetKeyCalled, 1);
-
-    /* Verify GCM offload flag is 0 (capability not declared) */
-    ExpectIntEQ(aes->gcmCryptoCbOffload, 0);
-
-    /* Verify keylen is set (software path sets this after falling through) */
-    ExpectIntEQ(aes->keylen, (int)sizeof(key));
-
-    /* The callback sets devCtx, but since capability is not set, we fall through
-     * to software path. The software path will set up the key in aes->key for GCM
-     * table generation. devCtx may or may not be cleared by software path. */
-
-    /* Verify GCM tables were generated (H table should be non-zero) */
-    /* If gcmCryptoCbOffload is 0, tables should be generated for software fallback */
-    {
-        int hTableNonZero = 0;
-        int i;
-        for (i = 0; i < WC_AES_BLOCK_SIZE; i++) {
-            if (aes->gcm.H[i] != 0) {
-                hTableNonZero = 1;
-                break;
-            }
-        }
-        ExpectIntEQ(hTableNonZero, 1); /* H table should be generated */
-    }
-
-    /* Encrypt via wolfCrypt API - should fall back to software */
-    /* Callback will return CRYPTOCB_UNAVAILABLE, triggering software path */
-    ret = wc_AesGcmEncrypt(aes, ciphertext, plaintext, 32,
-                           iv, sizeof(iv), authTag, sizeof(authTag),
-                           aad, 16);
-    ExpectIntEQ(ret, 0);
-
-    /* Decrypt via wolfCrypt API - should fall back to software */
-    ret = wc_AesGcmDecrypt(aes, decrypted, ciphertext, 32,
-                           iv, sizeof(iv), authTag, sizeof(authTag),
-                           aad, 16);
-    ExpectIntEQ(ret, 0);
-
-    /* Verify decrypted plaintext matches original */
-    ExpectIntEQ(XMEMCMP(plaintext, decrypted, 32), 0);
-
-    /* Cleanup */
-    wc_AesFree(aes);
-    wc_CryptoCb_UnRegisterDevice(TEST_CRYPTOCB_AES_KEYIMPORT_ONLY_DEVID);
-
-    /* mockSeKeyImportOnly.valid may still be 1 since callback was called,
-     * but the key is not actually used (software path is taken) */
-
-#ifdef WOLFSSL_SMALL_STACK
-out:
-    XFREE(aes, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(iv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(aad, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(plaintext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(ciphertext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(decrypted, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(authTag, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
-    return EXPECT_RESULT();
-}
-
 #endif /* WOLF_CRYPTO_CB && WOLF_CRYPTO_CB_AES_SETKEY && !NO_AES && HAVE_AESGCM */
 
@@ -57,14 +57,12 @@ int test_wc_GmacUpdate(void);
     !defined(NO_AES) && defined(HAVE_AESGCM)
 int test_wc_CryptoCb_AesSetKey(void);
 int test_wc_CryptoCb_AesGcm_EncryptDecrypt(void);
-int test_wc_CryptoCb_AesKeyImportOnly(void);
 #endif
 
 #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_AES_SETKEY) && \
     !defined(NO_AES) && defined(HAVE_AESGCM)
 #define TEST_CRYPTOCB_AES_SETKEY_DECL , TEST_DECL_GROUP("aes", test_wc_CryptoCb_AesSetKey), \
-                                      TEST_DECL_GROUP("aes", test_wc_CryptoCb_AesGcm_EncryptDecrypt), \
-                                      TEST_DECL_GROUP("aes", test_wc_CryptoCb_AesKeyImportOnly)
+                                      TEST_DECL_GROUP("aes", test_wc_CryptoCb_AesGcm_EncryptDecrypt)
 #else
 #define TEST_CRYPTOCB_AES_SETKEY_DECL
 #endif