rename defaultDevId back to devId. Address copilot comments

Author: AlexLanzano

docs/draft/crypto_affinity.md

@@ -54,23 +54,23 @@ Retrieves the client's current crypto affinity. This is a **local operation** th
 ```c
 uint32_t affinity;
 
-/* Default affinity is WH_CRYPTO_AFFINITY_SW after wh_Client_Init() */
+/* Default affinity is WH_CRYPTO_AFFINITY_HW after wh_Client_Init() */
 wh_Client_GetCryptoAffinity(client, &affinity);
-/* affinity == WH_CRYPTO_AFFINITY_SW */
-
-/* Switch to hardware crypto -- takes effect immediately, no round-trip */
-int rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
-if (rc == WH_ERROR_OK) {
-    /* All subsequent crypto operations will request HW acceleration */
-}
+/* affinity == WH_CRYPTO_AFFINITY_HW */
 
 /* Perform a crypto operation -- affinity is sent in the request header */
 wc_AesCbcEncrypt(&aes, out, in, len);
 /* If server has a valid devId, hardware crypto callback is used */
 
-/* Switch back to software crypto */
-wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
-/* Subsequent crypto operations use software implementation */
+/* Switch to software crypto -- takes effect immediately, no round-trip */
+int rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
+if (rc == WH_ERROR_OK) {
+    /* All subsequent crypto operations will use software implementation */
+}
+
+/* Switch back to hardware crypto */
+wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
+/* Subsequent crypto operations request HW acceleration */
 ```
 
 ## Server Behavior
@@ -80,9 +80,9 @@ When the server receives a crypto request, it reads the affinity field from the
 | Affinity in Request | Server Action |
 |---------------------|---------------|
 | `WH_CRYPTO_AFFINITY_SW` | Uses `INVALID_DEVID` (wolfCrypt software implementation) |
-| `WH_CRYPTO_AFFINITY_HW` | Uses `server->defaultDevId` if valid, otherwise falls back to `INVALID_DEVID` |
+| `WH_CRYPTO_AFFINITY_HW` | Uses `server->devId` if valid, otherwise falls back to `INVALID_DEVID` |
 
-The `defaultDevId` is configured at server initialization from `config->devId`. If the server was not configured with a valid hardware `devId`, hardware affinity requests will silently fall back to software crypto.
+The `devId` is configured at server initialization from `config->devId`. If the server was not configured with a valid hardware `devId`, hardware affinity requests will silently fall back to software crypto.
 
 ## Protocol Details
 

src/wh_server.c

@@ -77,8 +77,8 @@ int wh_Server_Init(whServerContext* server, whServerConfig* config)
     server->nvm = config->nvm;
 
 #ifndef WOLFHSM_CFG_NO_CRYPTO
-    server->crypto       = config->crypto;
-    server->defaultDevId = config->devId;
+    server->crypto = config->crypto;
+    server->devId  = config->devId;
 #ifdef WOLFHSM_CFG_SHE_EXTENSION
     server->she = config->she;
 #endif

src/wh_server_crypto.c

@@ -4431,8 +4431,8 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
 
     /* Compute devId from the per-message affinity field */
     int devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
-                 ctx->defaultDevId != INVALID_DEVID)
-                    ? ctx->defaultDevId
+                 ctx->devId != INVALID_DEVID)
+                    ? ctx->devId
                     : INVALID_DEVID;
 
     WH_DEBUG_SERVER_VERBOSE("HandleCryptoRequest. Action:%u\n", action);
@@ -4527,12 +4527,6 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
                                            &cryptoOutSize);
                     break;
 #endif /* HAVE_ECC_VERIFY */
-#if 0
-        case WC_PK_TYPE_EC_CHECK_PRIV_KEY:
-            ret = _HandleEccCheckPrivKey(ctx, magic, devId, cryptoDataIn, cryptoInSize,
-                                          cryptoDataOut, &cryptoOutSize);
-            break;
-#endif
 #endif /* HAVE_ECC */
 
 #ifdef HAVE_CURVE25519
@@ -5900,8 +5894,8 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
 
     /* Compute devId from the per-message affinity field */
     int devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
-                 ctx->defaultDevId != INVALID_DEVID)
-                    ? ctx->defaultDevId
+                 ctx->devId != INVALID_DEVID)
+                    ? ctx->devId
                     : INVALID_DEVID;
 
     switch (action) {

src/wh_server_img_mgr.c

@@ -239,11 +239,11 @@ int wh_Server_ImgMgrVerifyMethodEccWithSha256(whServerImgMgrContext*   context,
 
     /* Hash the image data from server pointer using one-shot API */
     ret = wc_Sha256Hash_ex((const uint8_t*)serverPtr, (word32)img->size, hash,
-                           NULL, server->defaultDevId);
+                           NULL, server->devId);
 #else
     /* Hash the image data using one-shot API */
     ret = wc_Sha256Hash_ex((const uint8_t*)img->addr, (word32)img->size, hash,
-                           NULL, context->server->defaultDevId);
+                           NULL, context->server->devId);
 #endif
     if (ret != 0) {
         wc_ecc_free(&eccKey);
@@ -319,11 +319,11 @@ int wh_Server_ImgMgrVerifyMethodAesCmac(whServerImgMgrContext*   context,
     /* Compute CMAC of the image data from server pointer */
     ret = wc_AesCmacVerify_ex(&cmac, sig, (word32)sigSz, (const byte*)serverPtr,
                               (word32)img->size, key, (word32)keySz, NULL,
-                              server->defaultDevId);
+                              server->devId);
 #else
     ret = wc_AesCmacVerify_ex(&cmac, sig, (word32)sigSz, (const byte*)img->addr,
                               (word32)img->size, key, (word32)keySz, NULL,
-                              context->server->defaultDevId);
+                              context->server->devId);
 #endif
     if (ret != 0) {
         return ret;
@@ -389,11 +389,11 @@ int wh_Server_ImgMgrVerifyMethodRsaSslWithSha256(
 
     /* Hash the image data from server pointer using one-shot API */
     ret = wc_Sha256Hash_ex((const uint8_t*)serverPtr, (word32)img->size, hash,
-                           NULL, server->defaultDevId);
+                           NULL, server->devId);
 #else
     /* Hash the image data using one-shot API */
     ret = wc_Sha256Hash_ex((const uint8_t*)img->addr, (word32)img->size, hash,
-                           NULL, context->server->defaultDevId);
+                           NULL, context->server->devId);
 #endif
     if (ret != 0) {
         wc_FreeRsaKey(&rsaKey);

src/wh_server_keystore.c

@@ -943,7 +943,7 @@ static int _AesGcmKeyWrap(whServerContext* server, whKeyId serverKeyId,
     }
 
     /* Initialize AES context and set it to use the server side key */
-    ret = wc_AesInit(aes, NULL, server->defaultDevId);
+    ret = wc_AesInit(aes, NULL, server->devId);
     if (ret != 0) {
         return ret;
     }
@@ -1023,7 +1023,7 @@ static int _AesGcmKeyUnwrap(whServerContext* server, uint16_t serverKeyId,
     }
 
     /* Initialize AES context and set it to use the server side key */
-    ret = wc_AesInit(aes, NULL, server->defaultDevId);
+    ret = wc_AesInit(aes, NULL, server->devId);
     if (ret != 0) {
         return ret;
     }
@@ -1084,7 +1084,7 @@ static int _AesGcmDataWrap(whServerContext* server, whKeyId serverKeyId,
     serverKeySz = serverKeyMetadata->len;
 
     /* Initialize AES context and set it to use the server side key */
-    ret = wc_AesInit(aes, NULL, server->defaultDevId);
+    ret = wc_AesInit(aes, NULL, server->devId);
     if (ret != 0) {
         return ret;
     }
@@ -1150,7 +1150,7 @@ static int _AesGcmDataUnwrap(whServerContext* server, uint16_t serverKeyId,
     serverKeySz = serverKeyMetadata->len;
 
     /* Initialize AES context and set it to use the server side key */
-    ret = wc_AesInit(aes, NULL, server->defaultDevId);
+    ret = wc_AesInit(aes, NULL, server->devId);
     if (ret != 0) {
         return ret;
     }

src/wh_server_she.c

@@ -166,8 +166,8 @@ static int _AesMp16(whServerContext* server, uint8_t* in, word32 inSz,
     if (server == NULL || server->she == NULL) {
         return WH_ERROR_BADARGS;
     }
-    return wh_She_AesMp16_ex(server->she->sheAes, NULL, server->defaultDevId,
-                             in, inSz, out);
+    return wh_She_AesMp16_ex(server->she->sheAes, NULL, server->devId, in, inSz,
+                             out);
 }
 
 /* AuthID is the 4 rightmost bits of messageOne */
@@ -262,7 +262,7 @@ static int _SecureBootInit(whServerContext* server, uint16_t magic,
      * expected digest so meta->len will be too long */
     if (ret == 0) {
         ret = wc_InitCmac_ex(server->she->sheCmac, macKey, WH_SHE_KEY_SZ,
-                             WC_CMAC_AES, NULL, NULL, server->defaultDevId);
+                             WC_CMAC_AES, NULL, NULL, server->devId);
     }
     /* hash 12 zeros */
     if (ret == 0) {
@@ -498,10 +498,9 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
                sizeof(req.messageTwo));
 
         field = AES_BLOCK_SIZE;
-        ret   = wc_AesCmacGenerate_ex(server->she->sheCmac, cmacOutput,
-                                      (word32*)&field, cmacInput,
-                                      sizeof(cmacInput), tmpKey, WH_SHE_KEY_SZ,
-                                      NULL, server->defaultDevId);
+        ret   = wc_AesCmacGenerate_ex(
+            server->she->sheCmac, cmacOutput, (word32*)&field, cmacInput,
+            sizeof(cmacInput), tmpKey, WH_SHE_KEY_SZ, NULL, server->devId);
     }
     /* compare digest to M3 */
     if (ret == 0 && memcmp(req.messageThree, cmacOutput, field) != 0) {
@@ -518,7 +517,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
     }
     /* decrypt messageTwo */
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     if (ret == 0) {
         ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -611,7 +610,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
                        meta->len + sizeof(_SHE_KEY_UPDATE_ENC_C), tmpKey);
     }
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     if (ret == 0) {
         ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -651,7 +650,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
         ret   = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.messageFive,
                                       (word32*)&field, resp.messageFour,
                                       sizeof(resp.messageFour), tmpKey,
-                                      WH_SHE_KEY_SZ, NULL, server->defaultDevId);
+                                      WH_SHE_KEY_SZ, NULL, server->devId);
     }
     if (ret == 0) {
         /* mark if the ram key was loaded */
@@ -764,7 +763,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
     }
     /* encrypt M2 with K1 */
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     if (ret == 0) {
         ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -795,10 +794,9 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
                sizeof(resp.messageTwo));
 
         field = AES_BLOCK_SIZE;
-        ret   = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.messageThree,
-                                      (word32*)&field, cmacInput,
-                                      sizeof(cmacInput), tmpKey, WH_SHE_KEY_SZ,
-                                      NULL, server->defaultDevId);
+        ret   = wc_AesCmacGenerate_ex(
+            server->she->sheCmac, resp.messageThree, (word32*)&field, cmacInput,
+            sizeof(cmacInput), tmpKey, WH_SHE_KEY_SZ, NULL, server->devId);
     }
     if (ret == 0) {
         /* copy the ram key to kdfInput */
@@ -812,7 +810,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
     }
     /* set K3 as encryption key */
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     if (ret == 0) {
         ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -850,7 +848,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
         ret   = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.messageFive,
                                       (word32*)&field, resp.messageFour,
                                       sizeof(resp.messageFour), tmpKey,
-                                      WH_SHE_KEY_SZ, NULL, server->defaultDevId);
+                                      WH_SHE_KEY_SZ, NULL, server->devId);
     }
 
     resp.rc = _TranslateSheReturnCode(ret);
@@ -914,7 +912,7 @@ static int _InitRnd(whServerContext* server, uint16_t magic, uint16_t req_size,
     }
     /* set up aes */
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     if (ret == 0) {
         ret = wc_AesSetKey(server->she->sheAes, tmpKey, WH_SHE_KEY_SZ, NULL,
@@ -979,7 +977,7 @@ static int _Rnd(whServerContext* server, uint16_t magic, uint16_t req_size,
 
     /* set up aes */
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
 
     /* use PRNG_KEY as the encryption key */
@@ -1105,7 +1103,7 @@ static int _EncEcb(whServerContext* server, uint16_t magic, uint16_t req_size,
         WH_MAKE_KEYID(WH_KEYTYPE_SHE, server->comm->client_id, req.keyId), NULL,
         tmpKey, &keySz);
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     else {
         ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1164,7 +1162,7 @@ static int _EncCbc(whServerContext* server, uint16_t magic, uint16_t req_size,
         tmpKey, &keySz);
 
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     else {
         ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1229,7 +1227,7 @@ static int _DecEcb(whServerContext* server, uint16_t magic, uint16_t req_size,
         WH_MAKE_KEYID(WH_KEYTYPE_SHE, server->comm->client_id, req.keyId), NULL,
         tmpKey, &keySz);
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     else {
         ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1293,7 +1291,7 @@ static int _DecCbc(whServerContext* server, uint16_t magic, uint16_t req_size,
         tmpKey, &keySz);
 
     if (ret == 0) {
-        ret = wc_AesInit(server->she->sheAes, NULL, server->defaultDevId);
+        ret = wc_AesInit(server->she->sheAes, NULL, server->devId);
     }
     else {
         ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1355,7 +1353,7 @@ static int _GenerateMac(whServerContext* server, uint16_t magic,
     if (ret == 0) {
         ret = wc_AesCmacGenerate_ex(server->she->sheCmac, resp.mac,
                                     (word32*)&field, in, req.sz, tmpKey,
-                                    WH_SHE_KEY_SZ, NULL, server->defaultDevId);
+                                    WH_SHE_KEY_SZ, NULL, server->devId);
     }
     else {
         ret = WH_SHE_ERC_KEY_NOT_AVAILABLE;
@@ -1399,7 +1397,7 @@ static int _VerifyMac(whServerContext* server, uint16_t magic,
     if (ret == 0) {
         ret = wc_AesCmacVerify_ex(server->she->sheCmac, mac, req.macLen,
                                   message, req.messageLen, tmpKey, keySz, NULL,
-                                  server->defaultDevId);
+                                  server->devId);
         /* only evaluate if key was found */
         if (ret == 0) {
             resp.status = 0;

test/wh_test_crypto_affinity.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2024 wolfSSL Inc.
+ * Copyright (C) 2026 wolfSSL Inc.
  *
  * This file is part of wolfHSM.
  *
@@ -202,8 +202,8 @@ static int whTest_CryptoAffinityWithCb(void)
     WH_TEST_RETURN_ON_FAIL(wh_Server_HandleRequestMessage(server));
     WH_TEST_RETURN_ON_FAIL(wh_Client_CommInitResponse(client, NULL, NULL));
 
-    /* Verify server initial state - defaultDevId should be set */
-    WH_TEST_ASSERT_RETURN(server->defaultDevId == TEST_DEV_ID);
+    /* Verify server initial state - devId should be set */
+    WH_TEST_ASSERT_RETURN(server->devId == TEST_DEV_ID);
 
     /* Test 1: Default affinity after init should be HW (0) */
     rc = wh_Client_GetCryptoAffinity(client, &affinity);
@@ -421,7 +421,7 @@ static int whTest_CryptoAffinityNoCb(void)
     WH_TEST_RETURN_ON_FAIL(wh_Client_CommInitResponse(client, NULL, NULL));
 
     /* Verify server configured with INVALID_DEVID */
-    WH_TEST_ASSERT_RETURN(server->defaultDevId == INVALID_DEVID);
+    WH_TEST_ASSERT_RETURN(server->devId == INVALID_DEVID);
 
     /* Test 1: Default affinity should be HW */
     rc = wh_Client_GetCryptoAffinity(client, &affinity);
@@ -438,7 +438,7 @@ static int whTest_CryptoAffinityNoCb(void)
 
     /* Test 3: Set HW affinity on client side succeeds (it's just local state).
      * But when the server processes a request with HW affinity and no valid
-     * defaultDevId, it will use INVALID_DEVID (SW) anyway. */
+     * devId, it will use INVALID_DEVID (SW) anyway. */
     rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_HW);
     WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
 

test/wh_test_crypto_affinity.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2024 wolfSSL Inc.
+ * Copyright (C) 2026 wolfSSL Inc.
  *
  * This file is part of wolfHSM.
  *