Peer review cleanups. ECDHE improvements.

dgarske · dgarske · commit 654901782cd4 · 2026-01-21T00:03:26.000Z
diff --git a/wolfcrypt/src/port/st/stsafe.c b/wolfcrypt/src/port/st/stsafe.c
@@ -288,7 +288,7 @@ static int stsafe_create_key(stsafe_slot_t* pSlot, stsafe_curve_id_t curve_id,
      * but stsafe_curve_id_t values match stse_ecc_key_type_t enum values */
     ret = stse_generate_ecc_key_pair(&g_stse_handler, slot,
         (stse_ecc_key_type_t)curve_id,
-        255, /* usage_limit */
+        STSAFE_PERSISTENT_KEY_USAGE_LIMIT,
         pPubKeyRaw);
     if (ret != STSE_OK) {
         STSAFE_INTERFACE_PRINTF("stse_generate_ecc_key_pair error: %d\n", ret);
@@ -454,7 +454,7 @@ static int stsafe_shared_secret_ecdhe(stsafe_curve_id_t curve_id,
     /* Compute shared secret using ephemeral slot (0xFF)
      * The ephemeral private key was generated by stse_generate_ECDHE_key_pair() */
     ret = stse_ecc_establish_shared_secret(&g_stse_handler,
-        STSAFE_KEY_SLOT_EPHEMERAL, curve_id, peerPubKey, pSharedSecret);
+        STSAFE_KEY_SLOT_EPHEMERAL, (stse_ecc_key_type_t)curve_id, peerPubKey, pSharedSecret);
     if (ret != STSE_OK) {
         STSAFE_INTERFACE_PRINTF("stse_ecc_establish_shared_secret (ECDHE) error: %d\n",
             ret);
@@ -1554,7 +1554,7 @@ int wolfSSL_STSAFE_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
                 slot = STSAFE_KEY_SLOT_1;  /* Use persistent slot for ECDSA signing */
                 ret = stse_generate_ecc_key_pair(&g_stse_handler, slot,
                     (stse_ecc_key_type_t)curve_id,
-                    255,  /* usage_limit for persistent keys */
+                    STSAFE_PERSISTENT_KEY_USAGE_LIMIT,
                     pubKeyRaw);
                 if (ret != STSE_OK) {
                     STSAFE_INTERFACE_PRINTF("stse_generate_ecc_key_pair (slot 1) error: %d\n", ret);
@@ -1852,6 +1852,7 @@ int wolfSSL_STSAFE_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
                     }
 
                     if (need_ephemeral_key) {
+#ifdef WOLFSSL_STSAFEA120
                         /* Key is in slot 1 (for ECDSA), but ECDH requires ephemeral slot.
                          * Generate ephemeral key pair for ECDH. Note: This will overwrite any
                          * existing key in ephemeral slot, so for bidirectional ECDH, both keys
@@ -1886,6 +1887,13 @@ int wolfSSL_STSAFE_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
                                 }
                             }
                         }
+#else /* WOLFSSL_STSAFEA100 */
+                        /* For A100/A110, ephemeral key generation in ECDH callback
+                         * is not supported. Keys must be generated in ephemeral slot
+                         * from the start for ECDH operations. */
+                        WOLFSSL_MSG("STSAFE: ECDH requires ephemeral slot - key must be generated in ephemeral slot");
+                        rc = WC_HW_E;
+#endif
                     } else {
                         /* Key is already in ephemeral slot, use it */
                         slot = STSAFE_KEY_SLOT_EPHEMERAL;
diff --git a/wolfssl/wolfcrypt/port/st/stsafe.h b/wolfssl/wolfcrypt/port/st/stsafe.h
@@ -92,6 +92,10 @@
     /* Return codes */
     #define STSAFE_A_OK                 0  /* STSE_OK */
 
+    /* Key usage limits */
+    #define STSAFE_PERSISTENT_KEY_USAGE_LIMIT  255  /* Usage limit for persistent keys in slot 1 */
+    #define STSAFE_EPHEMERAL_KEY_USAGE_LIMIT   255  /* Usage limit for ephemeral keys in slot 0xFF */
+
     /* Hash types - must match stse_hash_algorithm_t values in STSELib */
     #define STSAFE_HASH_SHA256          0  /* STSE_SHA_256 */
     #define STSAFE_HASH_SHA384          1  /* STSE_SHA_384 */
