wolfSSL
diff --git a/‎.github/workflows/os-check.yml‎
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/os-check.yml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎.wolfssl_known_macro_extras‎
Lines changed: 5 additions & 0 deletions b/‎.wolfssl_known_macro_extras‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎CMakeLists.txt‎
Lines changed: 9 additions & 3 deletions b/‎CMakeLists.txt‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎configure.ac‎
Lines changed: 14 additions & 4 deletions b/‎configure.ac‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎tests/api.c‎
Lines changed: 3 additions & 0 deletions b/‎tests/api.c‎
Lines changed: 3 additions & 0 deletions
@@ -42,8 +42,11 @@ jobs:
           '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
             --enable-psk --enable-aesccm --enable-nullcipher
             CPPFLAGS=-DWOLFSSL_STATIC_RSA',
-          '--enable-she --enable-cmac',
-          '--enable-she --enable-cmac --enable-cryptocb --enable-cryptocbutils',
+          '--enable-she=standard --enable-cmac',
+          '--enable-she=extended --enable-cmac --enable-cryptocb --enable-cryptocbutils',
+          '--enable-she=standard --enable-cmac CPPFLAGS=''-DNO_WC_SHE_IMPORT_M123'' ',
+          '--enable-she=extended --enable-cmac --enable-cryptocb --enable-cryptocbutils
+            CPPFLAGS=''-DNO_WC_SHE_GETUID -DNO_WC_SHE_GETCOUNTER -DNO_WC_SHE_EXPORTKEY'' ',
           '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
           '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
             CPPFLAGS=-DWOLFSSL_DH_EXTRA',
 
@@ -446,6 +446,10 @@ NO_TKERNEL_MEM_POOL
 NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
 NO_VERIFY_OID
 NO_WC_DHGENERATEPUBLIC
+NO_WC_SHE_EXPORTKEY
+NO_WC_SHE_GETCOUNTER
+NO_WC_SHE_GETUID
+NO_WC_SHE_IMPORT_M123
 NO_WC_SSIZE_TYPE
 NO_WOLFSSL_ALLOC_ALIGN
 NO_WOLFSSL_AUTOSAR_CRYIF
@@ -889,6 +893,7 @@ WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
 WOLFSSL_SERVER_EXAMPLE
 WOLFSSL_SETTINGS_FILE
 WOLFSSL_SHE
+WOLFSSL_SHE_EXTENDED
 WOLFSSL_SH224
 WOLFSSL_SHA256_ALT_CH_MAJ
 WOLFSSL_SHA512_HASHTYPE
 
@@ -1641,11 +1641,12 @@ if(WOLFSSL_CMAC)
 endif()
 
 # SHE (Secure Hardware Extension) key update message generation
+# standard: core SHE support, extended: adds custom KDF/header overrides
 add_option("WOLFSSL_SHE"
-    "Enable SHE key update support (default: disabled)"
-    "no" "yes;no")
+    "Enable SHE key update support (standard|extended|no)"
+    "no" "standard;extended;no")
 
-if(WOLFSSL_SHE)
+if(WOLFSSL_SHE STREQUAL "standard" OR WOLFSSL_SHE STREQUAL "extended")
     if (NOT WOLFSSL_AES)
         message(FATAL_ERROR "Cannot use SHE without AES.")
     else()
@@ -1654,6 +1655,11 @@ if(WOLFSSL_SHE)
     endif()
 endif()
 
+if(WOLFSSL_SHE STREQUAL "extended")
+    list(APPEND WOLFSSL_DEFINITIONS
+        "-DWOLFSSL_SHE_EXTENDED")
+endif()
+
 # TODO: - RC2
 #       - FIPS, again (there's more logic for FIPS in configure.ac)
 #       - Selftest
 
@@ -5946,14 +5946,24 @@ AS_IF([test "x$ENABLED_CMAC" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CMAC -DWOLFSSL_AES_DIRECT"])
 
 # SHE (Secure Hardware Extension) key update message generation
+# --enable-she=standard: standard SHE support
+# --enable-she=extended: standard + extended overrides (custom KDF/headers)
 AC_ARG_ENABLE([she],
-    [AS_HELP_STRING([--enable-she],[Enable SHE key update support (default: disabled)])],
+    [AS_HELP_STRING([--enable-she@<:@=standard|extended@:>@],
+                    [Enable SHE key update support (default: disabled)])],
     [ ENABLED_SHE=$enableval ],
     [ ENABLED_SHE=no ]
     )
 
-AS_IF([test "x$ENABLED_SHE" = "xyes"],
-      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE"])
+if test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE"
+fi
+
+if test "x$ENABLED_SHE" = "xextended"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHE_EXTENDED"
+fi
 
 # AES-XTS
 AC_ARG_ENABLE([aesxts],
@@ -11564,7 +11574,7 @@ AM_CONDITIONAL([BUILD_FIPS_V6],[test $HAVE_FIPS_VERSION = 6])
 AM_CONDITIONAL([BUILD_FIPS_V6_PLUS],[test $HAVE_FIPS_VERSION -ge 6])
 AM_CONDITIONAL([BUILD_SIPHASH],[test "x$ENABLED_SIPHASH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
-AM_CONDITIONAL([BUILD_SHE],[test "x$ENABLED_SHE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_SHE],[test "x$ENABLED_SHE" = "xstandard" || test "x$ENABLED_SHE" = "xextended" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
 AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_SHA3],[test "x$ENABLED_SHA3" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 
@@ -35638,6 +35638,9 @@ TEST_CASE testCases[] = {
     TEST_CMAC_DECLS,
     /* SHE */
     TEST_SHE_DECLS,
+#ifdef WOLFSSL_SHE_EXTENDED
+    TEST_SHE_EXT_DECLS,
+#endif
 #if defined(WOLF_CRYPTO_CB) && defined(WOLFSSL_SHE)
     TEST_SHE_CB_DECLS,
 #endif