From b5d7a77b817a2220126d3d54bc1046a65c664daf Mon Sep 17 00:00:00 2001
From: Mark Atwood <mark.atwood@gmail.com>
Date: Thu, 9 Apr 2026 18:31:36 -0700
Subject: [PATCH] feat: route configurable devId through key init calls

Adds int devId to WOLFPROV_CTX (initialized to INVALID_DEVID) and
exposes it as a settable OSSL_PARAM ("wolfprovider_devid") so callers
can route provider operations through a wolfHSM device callback.

Routes devId through:
- RSA: wc_InitRsaKey -> wc_InitRsaKey_ex
- ECC: wc_ecc_init_ex (was hardcoding INVALID_DEVID)
- DH:  wc_InitDhKey_ex (was hardcoding INVALID_DEVID)
- ECX gen-context RNG: wc_InitRng -> wc_InitRng_ex

Known gap: ECX key init functions (wc_curve25519_init, wc_ed25519_init,
wc_ed448_init) use WP_ECX_INIT function pointers with no devId
parameter; fixing them requires a table-shape change tracked separately.
---
 include/wolfprovider/internal.h |  1 +
 src/wp_dh_kmgmt.c               |  2 +-
 src/wp_ecc_kmgmt.c              |  2 +-
 src/wp_ecx_kmgmt.c              |  7 +++--
 src/wp_rsa_kmgmt.c              |  6 ++--
 src/wp_wolfprov.c               | 49 +++++++++++++++++++++++++++++++++
 6 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/include/wolfprovider/internal.h b/include/wolfprovider/internal.h
index 6c584f1b..5914db50 100644
--- a/include/wolfprovider/internal.h
+++ b/include/wolfprovider/internal.h
@@ -146,6 +146,7 @@ typedef struct WOLFPROV_CTX {
    wolfSSL_Mutex rng_mutex;
 #endif
    BIO_METHOD *coreBioMethod;
+   int devId;
 } WOLFPROV_CTX;
 
 #if defined(WP_HAVE_SEED_SRC) && defined(WP_HAVE_RANDOM)
diff --git a/src/wp_dh_kmgmt.c b/src/wp_dh_kmgmt.c
index e5a21cbc..359bcd4a 100644
--- a/src/wp_dh_kmgmt.c
+++ b/src/wp_dh_kmgmt.c
@@ -396,7 +396,7 @@ static wp_Dh* wp_dh_new(WOLFPROV_CTX *provCtx)
         int ok = 1;
         int rc;
 
-        rc = wc_InitDhKey_ex(&dh->key, NULL, INVALID_DEVID);
+        rc = wc_InitDhKey_ex(&dh->key, NULL, provCtx->devId);
         if (rc != 0) {
             WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_InitDhKey_ex", rc);
             ok = 0;
diff --git a/src/wp_ecc_kmgmt.c b/src/wp_ecc_kmgmt.c
index c3caf6d2..8a5246bd 100644
--- a/src/wp_ecc_kmgmt.c
+++ b/src/wp_ecc_kmgmt.c
@@ -334,7 +334,7 @@ static wp_Ecc* wp_ecc_new(WOLFPROV_CTX *provCtx)
         int ok = 1;
         int rc;
 
-        rc = wc_ecc_init_ex(&ecc->key, NULL, INVALID_DEVID);
+        rc = wc_ecc_init_ex(&ecc->key, NULL, provCtx->devId);
         if (rc != 0) {
             WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_ecc_init_ex", rc);
             ok = 0;
diff --git a/src/wp_ecx_kmgmt.c b/src/wp_ecx_kmgmt.c
index 2cbaa839..55ee5752 100644
--- a/src/wp_ecx_kmgmt.c
+++ b/src/wp_ecx_kmgmt.c
@@ -1203,13 +1203,14 @@ static wp_EcxGenCtx* wp_ecx_gen_init(WOLFPROV_CTX* provCtx,
         int rc;
         int ok = 1;
 
-        rc = wc_InitRng(&ctx->rng);
+        /* provCtx assigned before RNG init: ctx->provCtx->devId must be valid */
+        ctx->provCtx = provCtx;
+        rc = wc_InitRng_ex(&ctx->rng, NULL, ctx->provCtx->devId);
         if (rc != 0) {
-            WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_InitRng", rc);
+            WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_InitRng_ex", rc);
             ok = 0;
         }
         if (ok) {
-            ctx->provCtx = provCtx;
             ctx->name = name;
             if (!wp_ecx_gen_set_params(ctx, params)) {
                 wc_FreeRng(&ctx->rng);
diff --git a/src/wp_rsa_kmgmt.c b/src/wp_rsa_kmgmt.c
index b4de0013..380927d0 100644
--- a/src/wp_rsa_kmgmt.c
+++ b/src/wp_rsa_kmgmt.c
@@ -464,9 +464,9 @@ static wp_Rsa* wp_rsa_base_new(WOLFPROV_CTX* provCtx, int type)
         int ok = 1;
         int rc;
 
-        rc = wc_InitRsaKey(&rsa->key, NULL);
+        rc = wc_InitRsaKey_ex(&rsa->key, NULL, provCtx->devId);
         if (rc != 0) {
-            WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_InitRsaKey", rc);
+            WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_InitRsaKey_ex", rc);
             ok = 0;
         }
 
@@ -1533,7 +1533,7 @@ static wp_RsaGenCtx* wp_rsa_base_gen_init(WOLFPROV_CTX* provCtx,
         int ok = 1;
         int rc;
 
-        rc = wc_InitRng_ex(&ctx->rng, NULL, INVALID_DEVID);
+        rc = wc_InitRng_ex(&ctx->rng, NULL, provCtx->devId);
         if (rc != 0) {
             WOLFPROV_MSG_DEBUG_RETCODE(WP_LOG_LEVEL_DEBUG, "wc_InitRng_ex", rc);
             ok = 0;
diff --git a/src/wp_wolfprov.c b/src/wp_wolfprov.c
index 1b806bab..68adab1a 100644
--- a/src/wp_wolfprov.c
+++ b/src/wp_wolfprov.c
@@ -49,6 +49,7 @@ static const OSSL_PARAM wolfssl_param_types[] = {
     OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
     OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
     OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
+    OSSL_PARAM_int("wolfprovider_devid", NULL),
     OSSL_PARAM_END
 };
 
@@ -218,6 +219,9 @@ static WOLFPROV_CTX* wolfssl_prov_ctx_new(void)
     WP_CHECK_FIPS_ALGO_PTR(WP_CAST_ALGO_DRBG);
 
     ctx = (WOLFPROV_CTX*)OPENSSL_zalloc(sizeof(*ctx));
+    if (ctx != NULL) {
+        ctx->devId = INVALID_DEVID;
+    }
     if ((ctx != NULL) && (wc_InitRng(&ctx->rng) != 0)) {
         OPENSSL_free(ctx);
         ctx = NULL;
@@ -372,6 +376,49 @@ static int wolfprov_get_params(void* provCtx, OSSL_PARAM params[])
     return ok;
 }
 
+/*
+ * Get the table of parameters that can be set on wolfProv.
+ *
+ * @param [in] provCtx  Unused.
+ * @return  Table of settable parameters.
+ */
+static const OSSL_PARAM* wolfprov_settable_params(void* provCtx)
+{
+    static const OSSL_PARAM settable[] = {
+        OSSL_PARAM_int("wolfprovider_devid", NULL),
+        OSSL_PARAM_END
+    };
+    (void)provCtx;
+    return settable;
+}
+
+/*
+ * Set parameters on the provider context.
+ *
+ * @param [in] provCtx  Provider context.
+ * @param [in] params   Parameters to set.
+ * @return  1 on success.
+ * @return  0 on failure.
+ */
+static int wolfprov_set_params(void* provCtx, const OSSL_PARAM params[])
+{
+    int ok = 1;
+    const OSSL_PARAM* p;
+    WOLFPROV_CTX* ctx = (WOLFPROV_CTX*)provCtx;
+
+    WOLFPROV_ENTER(WP_LOG_COMP_PROVIDER, "wolfprov_set_params");
+
+    p = OSSL_PARAM_locate_const(params, "wolfprovider_devid");
+    if (p != NULL) {
+        if (!OSSL_PARAM_get_int(p, &ctx->devId)) {
+            ok = 0;
+        }
+    }
+
+    WOLFPROV_LEAVE(WP_LOG_COMP_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), ok);
+    return ok;
+}
+
 #ifdef HAVE_FIPS
 /* Properties of wolfSSL provider: name and FIPS wolfSSL. */
 #define WOLFPROV_PROPERTIES     "provider=wolfprov,fips=yes"
@@ -1214,6 +1261,8 @@ static const OSSL_DISPATCH wolfprov_dispatch_table[] = {
     { OSSL_FUNC_PROVIDER_TEARDOWN,        (DFUNC)wolfprov_teardown            },
     { OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (DFUNC)wolfprov_gettable_params     },
     { OSSL_FUNC_PROVIDER_GET_PARAMS,      (DFUNC)wolfprov_get_params          },
+    { OSSL_FUNC_PROVIDER_SETTABLE_PARAMS, (DFUNC)wolfprov_settable_params     },
+    { OSSL_FUNC_PROVIDER_SET_PARAMS,      (DFUNC)wolfprov_set_params          },
     { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (DFUNC)wolfprov_query               },
     { OSSL_FUNC_PROVIDER_GET_CAPABILITIES,
                                          (DFUNC)wolfssl_prov_get_capabilities },