wolfSSL · billphipps · Oct 19, 2025 · Oct 16, 2025 · Oct 17, 2025 · Oct 17, 2025
diff --git a/src/wh_client_crypto.c b/src/wh_client_crypto.c
diff --git a/src/wh_client_cryptocb.c b/src/wh_client_cryptocb.c
@@ -395,6 +395,13 @@ int wh_Client_CryptoCb(int devId, wc_CryptoInfo* info, void* inCtx)
 
         ret = wh_Client_RngGenerate(ctx, out, size);
     } break;
+    case WC_ALGO_TYPE_SEED: {
+        /* Extract info parameters */
+        uint8_t* seed = info->seed.seed;
+        uint32_t size = info->seed.sz;
+
+        ret = wh_Client_RngGenerate(ctx, seed, size);
+    } break;
 #endif /* !WC_NO_RNG */
 
 #ifdef WOLFSSL_CMAC
@@ -846,6 +853,23 @@ int wh_Client_CryptoCbDma(int devId, wc_CryptoInfo* info, void* inCtx)
         break;
 #endif /* !NO_AES || !NO_DES */
 
+#ifndef WC_NO_RNG
+    case WC_ALGO_TYPE_RNG: {
+        /* Extract info parameters */
+        uint8_t* out  = info->rng.out;
+        uint32_t size = info->rng.sz;
+
+        ret = wh_Client_RngGenerateDma(ctx, out, size);
+    } break;
+    case WC_ALGO_TYPE_SEED: {
+        /* Extract info parameters */
+        uint8_t* seed = info->seed.seed;
+        uint32_t size = info->seed.sz;
+
+        ret = wh_Client_RngGenerateDma(ctx, seed, size);
+    } break;
+#endif /* !WC_NO_RNG */
+
     case WC_ALGO_TYPE_NONE:
     default:
         ret = CRYPTOCB_UNAVAILABLE;

diff --git a/src/wh_message_crypto.c b/src/wh_message_crypto.c
@@ -1045,3 +1045,29 @@ int wh_MessageCrypto_TranslateAesDmaResponse(
     WH_T32(magic, dest, src, outSz);
     return 0;
 }
+
+/* RNG DMA Request translation */
+int wh_MessageCrypto_TranslateRngDmaRequest(
+    uint16_t magic, const whMessageCrypto_RngDmaRequest* src,
+    whMessageCrypto_RngDmaRequest* dest)
+{
+    if ((src == NULL) || (dest == NULL)) {
+        return WH_ERROR_BADARGS;
+    }
+
+    return wh_MessageCrypto_TranslateDmaBuffer(magic, &src->output,
+                                               &dest->output);
+}
+
+/* RNG DMA Response translation */
+int wh_MessageCrypto_TranslateRngDmaResponse(
+    uint16_t magic, const whMessageCrypto_RngDmaResponse* src,
+    whMessageCrypto_RngDmaResponse* dest)
+{
+    if ((src == NULL) || (dest == NULL)) {
+        return WH_ERROR_BADARGS;
+    }
+
+    return wh_MessageCrypto_TranslateDmaAddrStatus(magic, &src->dmaAddrStatus,
+                                                   &dest->dmaAddrStatus);
+}
diff --git a/src/wh_server_crypto.c b/src/wh_server_crypto.c
@@ -4563,7 +4563,66 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
     /* return value populates rc in response message */
     return ret;
 }
-#endif /* WOLFHSM_CFG_DMA */
+#endif /* WOLFSSL_CMAC */
+
+#ifndef WC_NO_RNG
+static int _HandleRngDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
+                         const void* cryptoDataIn, uint16_t inSize,
+                         void* cryptoDataOut, uint16_t* outSize)
+{
+    (void)seq;
+    (void)inSize;
+
+    int                            ret = 0;
+    whMessageCrypto_RngDmaRequest  req;
+    whMessageCrypto_RngDmaResponse res;
+    void*                          outAddr = NULL;
+
+    /* Translate the request */
+    ret = wh_MessageCrypto_TranslateRngDmaRequest(
+        magic, (whMessageCrypto_RngDmaRequest*)cryptoDataIn, &req);
+    if (ret != WH_ERROR_OK) {
+        return ret;
+    }
+
+    /* Process the output address (PRE operation) */
+    if (ret == WH_ERROR_OK) {
+        ret = wh_Server_DmaProcessClientAddress(
+            ctx, req.output.addr, &outAddr, req.output.sz,
+            WH_DMA_OPER_CLIENT_WRITE_PRE, (whServerDmaFlags){0});
+        if (ret == WH_ERROR_ACCESS) {
+            res.dmaAddrStatus.badAddr = req.output;
+        }
+    }
+
+    /* Generate random bytes directly into client memory */
+    if (ret == WH_ERROR_OK) {
+#ifdef DEBUG_CRYPTOCB_VERBOSE
+        printf("[server] RNG DMA: generating %llu bytes to addr=%p\n",
+               (long long unsigned int)req.output.sz, outAddr);
+#endif
+        ret = wc_RNG_GenerateBlock(ctx->crypto->rng, outAddr, req.output.sz);
+    }
+
+    /* Process the output address (POST operation) */
+    if (ret == WH_ERROR_OK) {
+        ret = wh_Server_DmaProcessClientAddress(
+            ctx, req.output.addr, &outAddr, req.output.sz,
+            WH_DMA_OPER_CLIENT_WRITE_POST, (whServerDmaFlags){0});
+        if (ret == WH_ERROR_ACCESS) {
+            res.dmaAddrStatus.badAddr = req.output;
+        }
+    }
+
+    /* Translate the response */
+    (void)wh_MessageCrypto_TranslateRngDmaResponse(
+        magic, &res, (whMessageCrypto_RngDmaResponse*)cryptoDataOut);
+    *outSize = sizeof(res);
+
+    /* return value populates rc in response message */
+    return ret;
+}
+#endif /* !WC_NO_RNG */
 
 int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
                                      uint16_t action, uint16_t seq,
@@ -4684,6 +4743,13 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
             break;
 #endif /* WOLFSSL_CMAC */
 
+#ifndef WC_NO_RNG
+        case WC_ALGO_TYPE_RNG:
+            ret = _HandleRngDma(ctx, magic, seq, cryptoDataIn, cryptoInSize,
+                                cryptoDataOut, &cryptoOutSize);
+            break;
+#endif /* !WC_NO_RNG */
+
         case WC_ALGO_TYPE_NONE:
         default:
             ret = NOT_COMPILED_IN;

diff --git a/test/wh_test_crypto.c b/test/wh_test_crypto.c
@@ -134,7 +134,6 @@ static int whTest_CryptoRng(whClientContext* ctx, int devId, WC_RNG* rng)
     uint8_t med[WH_TEST_RNG_MED];
     uint8_t big[WH_TEST_RNG_BIG];
 
-    /* test rng.  Note this rng is used for many tests so is left inited */
     ret = wc_InitRng_ex(rng, NULL, devId);
     if (ret != 0) {
         WH_ERROR_PRINT("Failed to wc_InitRng_ex %d\n", ret);
@@ -152,10 +151,14 @@ static int whTest_CryptoRng(whClientContext* ctx, int devId, WC_RNG* rng)
                     WH_ERROR_PRINT("Failed to wc_RNG_GenerateBlock %d\n", ret);
                 }
             }
+            ret = wc_FreeRng(rng);
+            if (ret != 0) {
+                WH_ERROR_PRINT("Failed to wc_FreeRng %d\n", ret);
+            }
         }
     }
     if (ret == 0) {
-        printf("RNG SUCCESS\n");
+        printf("RNG DEVID=0x%X SUCCESS\n", devId);
     }
     return ret;
 }
@@ -3561,8 +3564,25 @@ int whTest_CryptoClientConfig(whClientConfig* config)
     }
 #endif /* WOLFHSM_CFG_TEST_VERBOSE */
 
+    /* First crypto test should be of RNG so we can iterate over and test all
+     * devIds before choosing one to run the rest of the tests on */
+    i = 0;
+    while ((ret == WH_ERROR_OK) && (i < WH_NUM_DEVIDS)) {
+        ret = whTest_CryptoRng(client, WH_DEV_IDS_ARRAY[i], rng);
+        if (ret == WH_ERROR_OK) {
+            wc_FreeRng(rng);
+            i++;
+        }
+    }
+
+    /* Now that we have tested all RNG devIds, reinitialize the default RNG
+     * devId (non-DMA) that will be used by the remainder of the tests for
+     * random input generation */
     if (ret == 0) {
-        ret = whTest_CryptoRng(client, WH_DEV_ID, rng);
+        ret = wc_InitRng_ex(rng, NULL, WH_DEV_ID);
+        if (ret != 0) {
+            WH_ERROR_PRINT("Failed to reinitialize RNG %d\n", ret);
+        }
     }
 
     if (ret == 0) {

diff --git a/wolfhsm/wh_client_crypto.h b/wolfhsm/wh_client_crypto.h
@@ -64,6 +64,22 @@
  */
 int wh_Client_RngGenerate(whClientContext* ctx, uint8_t* out, uint32_t size);
 
+#ifdef WOLFHSM_CFG_DMA
+/**
+ * @brief Generate random bytes using DMA
+ *
+ * This function requests the server to generate random bytes directly into
+ * client memory using DMA, eliminating the need for chunking and copying
+ * through the communication buffer.
+ *
+ * @param[in] ctx Pointer to the client context
+ * @param[out] out Pointer to where the bytes are to be placed
+ * @param[in] size Number of bytes to generate
+ * @return int Returns 0 on success or a negative error code on failure.
+ */
+int wh_Client_RngGenerateDma(whClientContext* ctx, uint8_t* out, uint32_t size);
+#endif /* WOLFHSM_CFG_DMA */
+
 #ifdef HAVE_CURVE25519
 /**
  * @brief Associates a Curve25519 key with a specific key ID.

diff --git a/wolfhsm/wh_message_crypto.h b/wolfhsm/wh_message_crypto.h
@@ -974,4 +974,23 @@ int wh_MessageCrypto_TranslateMlDsaVerifyDmaResponse(
     uint16_t magic, const whMessageCrypto_MlDsaVerifyDmaResponse* src,
     whMessageCrypto_MlDsaVerifyDmaResponse* dest);
 
+/* RNG DMA Request */
+typedef struct {
+    whMessageCrypto_DmaBuffer output; /* Output buffer for random bytes */
+} whMessageCrypto_RngDmaRequest;
+
+/* RNG DMA Response */
+typedef struct {
+    whMessageCrypto_DmaAddrStatus dmaAddrStatus;
+} whMessageCrypto_RngDmaResponse;
+
+/* RNG DMA translation functions */
+int wh_MessageCrypto_TranslateRngDmaRequest(
+    uint16_t magic, const whMessageCrypto_RngDmaRequest* src,
+    whMessageCrypto_RngDmaRequest* dest);
+
+int wh_MessageCrypto_TranslateRngDmaResponse(
+    uint16_t magic, const whMessageCrypto_RngDmaResponse* src,
+    whMessageCrypto_RngDmaResponse* dest);
+
 #endif /* !WOLFHSM_WH_MESSAGE_CRYPTO_H_ */