slhdsa: add WOLF_CRYPTO_CB and WOLF_PRIVATE_KEY_ID support

Wire SLH-DSA into the existing PQC CryptoCb dispatch (the same path
already used by ML-DSA / Dilithium) so a registered device can intercept
key generation, signing, verification, and key release. Also add
algorithm-specific id/label storage on SlhDsaKey for use with
WOLF_PRIVATE_KEY_ID, mirroring the dilithium_key API.

- types.h: add WC_PQC_SIG_TYPE_SLHDSA and widen the WC_PK_TYPE_PQC_SIG_*
  / wc_PqcSignatureType guards to include WOLFSSL_HAVE_SLHDSA.
- cryptocb.h/.c: include wc_slhdsa.h, widen the PQC sig guards, and
  teach wc_CryptoCb_PqcSigGetDevId to extract devId from SlhDsaKey.
- wc_slhdsa.h: add devCtx (alongside devId) under WOLF_CRYPTO_CB; add
  id/label storage and SLHDSA_MAX_{ID,LABEL}_LEN under WOLF_PRIVATE_KEY_ID;
  declare wc_SlhDsaKey_Init_id and _Init_label.
- wc_slhdsa.c: implement Init_id / Init_label; hook
  wc_CryptoCb_MakePqcSignatureKey in MakeKey, wc_CryptoCb_PqcSign in
  Sign / SignHash, wc_CryptoCb_PqcVerify in Verify / VerifyHash, and
  wc_CryptoCb_Free in Free; scrub id/label/devCtx on free.

Author: claude

wolfcrypt/src/cryptocb.c

@@ -1286,7 +1286,8 @@ int wc_CryptoCb_PqcDecapsulate(const byte* ciphertext, word32 ciphertextLen,
 }
 #endif /* WOLFSSL_HAVE_MLKEM */
 
-#if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
+#if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM) || \
+    defined(WOLFSSL_HAVE_SLHDSA)
 int wc_CryptoCb_PqcSigGetDevId(int type, void* key)
 {
     int devId = INVALID_DEVID;
@@ -1305,6 +1306,11 @@ int wc_CryptoCb_PqcSigGetDevId(int type, void* key)
         devId = ((falcon_key*) key)->devId;
     }
 #endif
+#if defined(WOLFSSL_HAVE_SLHDSA)
+    if (type == WC_PQC_SIG_TYPE_SLHDSA) {
+        devId = ((SlhDsaKey*) key)->devId;
+    }
+#endif
 
     return devId;
 }
@@ -1454,7 +1460,7 @@ int wc_CryptoCb_PqcSignatureCheckPrivKey(void* key, int type,
 
     return wc_CryptoCb_TranslateErrorCode(ret);
 }
-#endif /* HAVE_FALCON || HAVE_DILITHIUM */
+#endif /* HAVE_FALCON || HAVE_DILITHIUM || WOLFSSL_HAVE_SLHDSA */
 
 #ifndef NO_AES
 #ifdef HAVE_AESGCM

wolfcrypt/src/wc_slhdsa.c

@@ -6557,9 +6557,14 @@ int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param, void* heap,
         /* Set heap hint to use with all allocations. */
         key->heap = heap;
     #ifdef WOLF_CRYPTO_CB
-        /* Set device id. */
+        /* Set device context and id. */
+        key->devCtx = NULL;
         key->devId = devId;
     #endif
+    #ifdef WOLF_PRIVATE_KEY_ID
+        key->idLen = 0;
+        key->labelLen = 0;
+    #endif
 
 #ifdef WOLFSSL_SLHDSA_SHA2
         if (SLHDSA_IS_SHA2(param)) {
@@ -6595,6 +6600,86 @@ int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param, void* heap,
     return ret;
 }
 
+#ifdef WOLF_PRIVATE_KEY_ID
+/* Initialize an SLH-DSA key with a device key id.
+ *
+ * Mirrors wc_dilithium_init_id: initialize the key, then store an
+ * opaque device-side handle (id) of length len.
+ *
+ * @param [in] key    SLH-DSA key.
+ * @param [in] param  SLH-DSA parameter set to use.
+ * @param [in] id     Device-side key handle bytes.
+ * @param [in] len    Length of id in bytes.
+ * @param [in] heap   Dynamic memory allocation hint.
+ * @param [in] devId  Device Id.
+ * @return  0 on success.
+ * @return  BAD_FUNC_ARG when key is NULL.
+ * @return  BUFFER_E when len is negative or larger than SLHDSA_MAX_ID_LEN.
+ */
+int wc_SlhDsaKey_Init_id(SlhDsaKey* key, enum SlhDsaParam param,
+    const unsigned char* id, int len, void* heap, int devId)
+{
+    int ret = 0;
+
+    if (key == NULL) {
+        ret = BAD_FUNC_ARG;
+    }
+    if ((ret == 0) && ((len < 0) || (len > SLHDSA_MAX_ID_LEN))) {
+        ret = BUFFER_E;
+    }
+
+    if (ret == 0) {
+        ret = wc_SlhDsaKey_Init(key, param, heap, devId);
+    }
+    if ((ret == 0) && (id != NULL) && (len != 0)) {
+        XMEMCPY(key->id, id, (size_t)len);
+        key->idLen = len;
+    }
+
+    return ret;
+}
+
+/* Initialize an SLH-DSA key with a device key label.
+ *
+ * Mirrors wc_dilithium_init_label.
+ *
+ * @param [in] key    SLH-DSA key.
+ * @param [in] param  SLH-DSA parameter set to use.
+ * @param [in] label  NUL-terminated device-side key label.
+ * @param [in] heap   Dynamic memory allocation hint.
+ * @param [in] devId  Device Id.
+ * @return  0 on success.
+ * @return  BAD_FUNC_ARG when key or label is NULL.
+ * @return  BUFFER_E when label is empty or longer than SLHDSA_MAX_LABEL_LEN.
+ */
+int wc_SlhDsaKey_Init_label(SlhDsaKey* key, enum SlhDsaParam param,
+    const char* label, void* heap, int devId)
+{
+    int ret = 0;
+    int labelLen = 0;
+
+    if ((key == NULL) || (label == NULL)) {
+        ret = BAD_FUNC_ARG;
+    }
+    if (ret == 0) {
+        labelLen = (int)XSTRLEN(label);
+        if ((labelLen == 0) || (labelLen > SLHDSA_MAX_LABEL_LEN)) {
+            ret = BUFFER_E;
+        }
+    }
+
+    if (ret == 0) {
+        ret = wc_SlhDsaKey_Init(key, param, heap, devId);
+    }
+    if (ret == 0) {
+        XMEMCPY(key->label, label, (size_t)labelLen);
+        key->labelLen = labelLen;
+    }
+
+    return ret;
+}
+#endif /* WOLF_PRIVATE_KEY_ID */
+
 /* Free the SLH-DSA key.
  *
  * @param [in] key  SLH-DSA key. Cannot be used after this call.
@@ -6603,6 +6688,15 @@ void wc_SlhDsaKey_Free(SlhDsaKey* key)
 {
     /* Check we have a valid key to free. */
     if ((key != NULL) && (key->params != NULL)) {
+#if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE)
+        if (key->devId != INVALID_DEVID) {
+            (void)wc_CryptoCb_Free(key->devId, WC_ALGO_TYPE_PK,
+                                   WC_PK_TYPE_PQC_SIG_KEYGEN,
+                                   WC_PQC_SIG_TYPE_SLHDSA,
+                                   (void*)key);
+            /* always continue to software cleanup */
+        }
+#endif
         /* Ensure the private key data is zeroized. */
         ForceZero(key->sk, (size_t)key->params->n * 2);
 #ifdef WOLFSSL_SLHDSA_SHA2
@@ -6641,6 +6735,18 @@ void wc_SlhDsaKey_Free(SlhDsaKey* key)
             wc_Shake256_Free(&key->hash.shk.shake);
         }
     }
+    if (key != NULL) {
+#ifdef WOLF_PRIVATE_KEY_ID
+        ForceZero(key->id, sizeof(key->id));
+        ForceZero(key->label, sizeof(key->label));
+        key->idLen = 0;
+        key->labelLen = 0;
+#endif
+#ifdef WOLF_CRYPTO_CB
+        key->devCtx = NULL;
+        key->devId = INVALID_DEVID;
+#endif
+    }
 }
 
 /* Set the HashAddress based on message digest data.
@@ -6752,6 +6858,23 @@ int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng)
     if ((key == NULL) || (key->params == NULL) || (rng == NULL)) {
         ret = BAD_FUNC_ARG;
     }
+
+#ifdef WOLF_CRYPTO_CB
+    if (ret == 0) {
+    #ifndef WOLF_CRYPTO_CB_FIND
+        if (key->devId != INVALID_DEVID)
+    #endif
+        {
+            ret = wc_CryptoCb_MakePqcSignatureKey(rng,
+                WC_PQC_SIG_TYPE_SLHDSA, (int)key->params->param, key);
+            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+                return ret;
+            /* fall-through when unavailable */
+            ret = 0;
+        }
+    }
+#endif
+
     if (ret == 0) {
         /* Steps 1-5: Generate the 3 random hashes. */
         ret = wc_RNG_GenerateBlock(rng, key->sk, 3U * key->params->n);
@@ -7251,6 +7374,23 @@ int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx, byte ctxSz,
     else if ((key->flags & WC_SLHDSA_FLAG_PRIVATE) == 0) {
         ret = MISSING_KEY;
     }
+
+#ifdef WOLF_CRYPTO_CB
+    if (ret == 0) {
+    #ifndef WOLF_CRYPTO_CB_FIND
+        if (key->devId != INVALID_DEVID)
+    #endif
+        {
+            ret = wc_CryptoCb_PqcSign(msg, msgSz, sig, sigSz, ctx, ctxSz,
+                WC_HASH_TYPE_NONE, rng, WC_PQC_SIG_TYPE_SLHDSA, key);
+            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+                return ret;
+            /* fall-through when unavailable */
+            ret = 0;
+        }
+    }
+#endif
+
     if (ret == 0) {
         /* Generate n bytes of random. */
         ret = wc_RNG_GenerateBlock(rng, addRnd, key->params->n);
@@ -7418,6 +7558,24 @@ int wc_SlhDsaKey_Verify(SlhDsaKey* key, const byte* ctx, byte ctxSz,
     else if ((key->flags & WC_SLHDSA_FLAG_PUBLIC) == 0) {
         ret = MISSING_KEY;
     }
+
+#ifdef WOLF_CRYPTO_CB
+    if (ret == 0) {
+    #ifndef WOLF_CRYPTO_CB_FIND
+        if (key->devId != INVALID_DEVID)
+    #endif
+        {
+            int res = 0;
+            ret = wc_CryptoCb_PqcVerify(sig, sigSz, msg, msgSz, ctx, ctxSz,
+                WC_HASH_TYPE_NONE, &res, WC_PQC_SIG_TYPE_SLHDSA, key);
+            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+                return (ret == 0 && res == 1) ? 0 : SIG_VERIFY_E;
+            /* fall-through when unavailable */
+            ret = 0;
+        }
+    }
+#endif
+
     if (ret == 0) {
         byte md[SLHDSA_MAX_MD];
         byte n = key->params->n;
@@ -8048,6 +8206,23 @@ int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx, byte ctxSz,
     else if ((key->flags & WC_SLHDSA_FLAG_PRIVATE) == 0) {
         ret = MISSING_KEY;
     }
+
+#ifdef WOLF_CRYPTO_CB
+    if (ret == 0) {
+    #ifndef WOLF_CRYPTO_CB_FIND
+        if (key->devId != INVALID_DEVID)
+    #endif
+        {
+            ret = wc_CryptoCb_PqcSign(msg, msgSz, sig, sigSz, ctx, ctxSz,
+                (word32)hashType, rng, WC_PQC_SIG_TYPE_SLHDSA, key);
+            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+                return ret;
+            /* fall-through when unavailable */
+            ret = 0;
+        }
+    }
+#endif
+
     if (ret == 0) {
         /* Generate n bytes of random. */
         ret = wc_RNG_GenerateBlock(rng, addRnd, key->params->n);
@@ -8147,6 +8322,24 @@ int wc_SlhDsaKey_VerifyHash(SlhDsaKey* key, const byte* ctx, byte ctxSz,
     else if ((key->flags & WC_SLHDSA_FLAG_PUBLIC) == 0) {
         ret = MISSING_KEY;
     }
+
+#ifdef WOLF_CRYPTO_CB
+    if (ret == 0) {
+    #ifndef WOLF_CRYPTO_CB_FIND
+        if (key->devId != INVALID_DEVID)
+    #endif
+        {
+            int res = 0;
+            ret = wc_CryptoCb_PqcVerify(sig, sigSz, msg, msgSz, ctx, ctxSz,
+                (word32)hashType, &res, WC_PQC_SIG_TYPE_SLHDSA, key);
+            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+                return (ret == 0 && res == 1) ? 0 : SIG_VERIFY_E;
+            /* fall-through when unavailable */
+            ret = 0;
+        }
+    }
+#endif
+
     if (ret == 0) {
         /* Alg 24, Steps 4-19: Pre-hash message with hash algorithm specified.
          */

wolfssl/wolfcrypt/cryptocb.h

@@ -86,6 +86,9 @@
 #if defined(HAVE_FALCON)
     #include <wolfssl/wolfcrypt/falcon.h>
 #endif
+#if defined(WOLFSSL_HAVE_SLHDSA)
+    #include <wolfssl/wolfcrypt/wc_slhdsa.h>
+#endif
 #if defined(WOLFSSL_HAVE_LMS)
     #include <wolfssl/wolfcrypt/wc_lms.h>
 #endif
@@ -312,7 +315,8 @@ typedef struct wc_CryptoInfo {
                 int         type; /* enum wc_PqcKemType */
             } pqc_decaps;
         #endif
-        #if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
+        #if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM) || \
+            defined(WOLFSSL_HAVE_SLHDSA)
             struct {
                 WC_RNG*     rng;
                 int         size;
@@ -775,7 +779,8 @@ WOLFSSL_LOCAL int wc_CryptoCb_PqcDecapsulate(const byte* ciphertext,
     int type, void* key);
 #endif /* WOLFSSL_HAVE_MLKEM */
 
-#if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)
+#if defined(HAVE_FALCON) || defined(HAVE_DILITHIUM) || \
+    defined(WOLFSSL_HAVE_SLHDSA)
 WOLFSSL_LOCAL int wc_CryptoCb_PqcSigGetDevId(int type, void* key);
 
 WOLFSSL_LOCAL int wc_CryptoCb_MakePqcSignatureKey(WC_RNG* rng, int type,
@@ -791,7 +796,7 @@ WOLFSSL_LOCAL int wc_CryptoCb_PqcVerify(const byte* sig, word32 siglen,
 
 WOLFSSL_LOCAL int wc_CryptoCb_PqcSignatureCheckPrivKey(void* key, int type,
     const byte* pubKey, word32 pubKeySz);
-#endif /* HAVE_FALCON || HAVE_DILITHIUM */
+#endif /* HAVE_FALCON || HAVE_DILITHIUM || WOLFSSL_HAVE_SLHDSA */
 
 #ifndef NO_AES
 #ifdef HAVE_AESGCM

wolfssl/wolfcrypt/types.h

@@ -1559,7 +1559,8 @@ enum wc_PkType {
     #undef _WC_PK_TYPE_MAX
     #define _WC_PK_TYPE_MAX WC_PK_TYPE_PQC_KEM_DECAPS
 #endif
-#if defined(HAVE_DILITHIUM) || defined(HAVE_FALCON)
+#if defined(HAVE_DILITHIUM) || defined(HAVE_FALCON) || \
+    defined(WOLFSSL_HAVE_SLHDSA)
     WC_PK_TYPE_PQC_SIG_KEYGEN = 21,
     WC_PK_TYPE_PQC_SIG_SIGN = 22,
     WC_PK_TYPE_PQC_SIG_VERIFY = 23,
@@ -1597,7 +1598,8 @@ enum wc_PkType {
     };
 #endif
 
-#if defined(HAVE_DILITHIUM) || defined(HAVE_FALCON)
+#if defined(HAVE_DILITHIUM) || defined(HAVE_FALCON) || \
+    defined(WOLFSSL_HAVE_SLHDSA)
     /* Post quantum signature algorithms */
     enum wc_PqcSignatureType {
         WC_PQC_SIG_TYPE_NONE = 0,
@@ -1611,6 +1613,11 @@ enum wc_PkType {
         WC_PQC_SIG_TYPE_FALCON = 2,
         #undef _WC_PQC_SIG_TYPE_MAX
         #define _WC_PQC_SIG_TYPE_MAX WC_PQC_SIG_TYPE_FALCON
+    #endif
+    #if defined(WOLFSSL_HAVE_SLHDSA)
+        WC_PQC_SIG_TYPE_SLHDSA = 3,
+        #undef _WC_PQC_SIG_TYPE_MAX
+        #define _WC_PQC_SIG_TYPE_MAX WC_PQC_SIG_TYPE_SLHDSA
     #endif
         WC_PQC_SIG_TYPE_MAX = _WC_PQC_SIG_TYPE_MAX
     };