From 333e85f22a7062c12e00760b7132cbfb9da0bada Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 6 May 2026 07:21:12 +0100 Subject: [PATCH] Remove wolfCrypt patches The fixes are now in wolfCrypt, so the patches in Dockerfiles need to be removed. --- ATECC608Sim/Dockerfile.wolfcrypt | 121 +---------------------------- ATECC608Sim/README.md | 10 +-- SE050Sim/README.md | 2 - STSAFEA120Sim/Dockerfile.wolfcrypt | 36 +-------- 4 files changed, 6 insertions(+), 163 deletions(-) diff --git a/ATECC608Sim/Dockerfile.wolfcrypt b/ATECC608Sim/Dockerfile.wolfcrypt index 5ba6513..55e05fb 100644 --- a/ATECC608Sim/Dockerfile.wolfcrypt +++ b/ATECC608Sim/Dockerfile.wolfcrypt @@ -50,126 +50,7 @@ RUN cp -r /usr/include/cryptoauthlib/* /usr/include/ && \ # ---- Build wolfSSL with --enable-cryptauthlib / WOLFSSL_ATECC608A ---- # No circular dependency: cryptoauthlib doesn't depend on wolfSSL, so a # single-pass wolfSSL build against the installed cryptoauthlib is enough. -RUN git clone --branch v5.9.1-stable --depth 1 \ - https://github.com/wolfSSL/wolfssl.git /app/wolfssl - -# wolfSSL's wolfCrypt_ATECC_SetConfig only copies I2C-specific fields from -# the passed cfg; when iface_type=ATCA_CUSTOM_IFACE the atcacustom function -# pointers are silently dropped. Swap the opening XMEMSET for an XMEMCPY so -# the full struct (including the atcacustom union) is preserved. The -# subsequent field-by-field assignments are harmless — they overwrite with -# the same values. -RUN sed -i '/\/\* copy configuration into our local struct \*\//,/cfg_ateccx08a_i2c_pi\.cfg_data/{s|XMEMSET(&cfg_ateccx08a_i2c_pi, 0, sizeof(cfg_ateccx08a_i2c_pi));|XMEMCPY(\&cfg_ateccx08a_i2c_pi, cfg, sizeof(cfg_ateccx08a_i2c_pi));|}' \ - /app/wolfssl/wolfcrypt/src/port/atmel/atmel.c && \ - grep -q 'XMEMCPY(&cfg_ateccx08a_i2c_pi, cfg' /app/wolfssl/wolfcrypt/src/port/atmel/atmel.c - -# atmel_set_slot_allocator is declared without WOLFSSL_API, so wolfSSL's -# default -fvisibility=hidden hides it from libwolfssl.so. Expose it so our -# test harness can install a round-robin slot allocator (wolfcrypt_test's -# ECC suite needs multiple concurrent hardware keys). -RUN sed -i 's|^int atmel_set_slot_allocator|WOLFSSL_API int atmel_set_slot_allocator|' \ - /app/wolfssl/wolfssl/wolfcrypt/port/atmel/atmel.h \ - /app/wolfssl/wolfcrypt/src/port/atmel/atmel.c && \ - grep -q 'WOLFSSL_API int atmel_set_slot_allocator' /app/wolfssl/wolfssl/wolfcrypt/port/atmel/atmel.h - -# Fix two guard-mismatch bugs in wolfcrypt/test/test.c that surface with -# -DWOLFSSL_ATECC608A + --enable-crypttests + -Werror=nested-externs: -# -# 1. `ecc_ssh_test` is #if'd out on ATECC at definition time but its -# call site only guards on HAVE_ECC_DHE/CRYPTOCELL/CB_ONLY. Extend -# the call-site #if so it matches the definition. -# -# 2. `ecc_mulmod_test` is compiled on ATECC builds even though it calls -# `wc_ecc_mulmod`, whose declaration in wolfssl/wolfcrypt/ecc.h is -# hidden behind `!WOLFSSL_ATECC5/608A`. Exclude ATECC from both the -# test's definition guard and its call site. -# -# These are upstream bugs, worth sending back to wolfSSL. -RUN python3 - <<'PY' -import pathlib, sys -path = pathlib.Path('/app/wolfssl/wolfcrypt/test/test.c') -src = path.read_text() - -def sub(old, new, label): - global src - if old not in src: - sys.exit('patch target not found: ' + label) - src = src.replace(old, new, 1) - -sub( - ' #if defined(HAVE_ECC_DHE) && !defined(WOLFSSL_CRYPTOCELL) && \\\n' - ' !defined(WOLF_CRYPTO_CB_ONLY_ECC)\n' - ' ret = ecc_ssh_test(key, rng);\n', - ' #if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \\\n' - ' !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_ATECC508A) && \\\n' - ' !defined(WOLFSSL_ATECC608A) && !defined(PLUTON_CRYPTO_ECC) && \\\n' - ' !defined(WOLFSSL_CRYPTOCELL)\n' - ' ret = ecc_ssh_test(key, rng);\n', - 'ecc_ssh_test call site', -) - -sub( - '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n' - ' !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)\n' - 'static wc_test_ret_t ecc_mulmod_test(ecc_key* key1)\n', - '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n' - ' !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \\\n' - ' !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n' - 'static wc_test_ret_t ecc_mulmod_test(ecc_key* key1)\n', - 'ecc_mulmod_test definition', -) - -sub( - '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n' - ' !defined(WOLFSSL_CRYPTOCELL)\n' - ' ret = ecc_mulmod_test(key);\n', - '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n' - ' !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A) && \\\n' - ' !defined(WOLFSSL_ATECC608A)\n' - ' ret = ecc_mulmod_test(key);\n', - 'ecc_mulmod_test call site', -) - -# ecc_test_key_decode / ecc_test_key_gen load fixed private-key test -# material that ATECC hardware cannot import (only GenKey-produced or -# explicitly-written keys work). Skip on ATECC builds; genkey/sign/verify -# coverage elsewhere in wolfcrypt_test picks up the slack. -# (ecc_test_vector is similarly skipped but via -DNO_ECC_VECTOR_TEST below, -# which is wolfSSL's own documented off-switch.) -sub( - '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \\\n' - ' !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)\n' - ' ret = ecc_test_key_decode(rng, keySize);\n', - '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \\\n' - ' !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) && \\\n' - ' !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n' - ' ret = ecc_test_key_decode(rng, keySize);\n', - 'ecc_test_key_decode call site', -) - -sub( - '#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)\n' - ' ret = ecc_test_key_gen(rng, keySize);\n', - '#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) && \\\n' - ' !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n' - ' ret = ecc_test_key_gen(rng, keySize);\n', - 'ecc_test_key_gen call site', -) - -# ecc_exp_imp_test exports the device-resident private key, which ATECC -# hardware doesn't expose. Skip on ATECC builds. -sub( - '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)\n' - ' ret = ecc_exp_imp_test(key);\n', - '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \\\n' - ' !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n' - ' ret = ecc_exp_imp_test(key);\n', - 'ecc_exp_imp_test call site', -) - -path.write_text(src) -print('patched test.c') -PY +RUN git clone --depth 1 https://github.com/wolfSSL/wolfssl.git /app/wolfssl # Build wolfSSL as a library only; the test binary has its own curated # wolfCrypt-API exercise in main.c. diff --git a/ATECC608Sim/README.md b/ATECC608Sim/README.md index 6593838..6e72b9d 100644 --- a/ATECC608Sim/README.md +++ b/ATECC608Sim/README.md @@ -105,17 +105,11 @@ cryptoauthlib. `Dockerfile.wolfcrypt` builds: 1. cryptoauthlib with `ATCA_HAL_CUSTOM=ON`, no built-in HALs (our test binary links in `hal_tcp.c` directly). -2. wolfSSL pinned to `v5.9.1-stable` with `--with-cryptoauthlib=/usr`, +2. wolfSSL `master` with `--with-cryptoauthlib=/usr`, `-DWOLFSSL_ATECC608A`, and `-DWOLFSSL_ATECC_NO_ECDH_ENC` (the default encrypted-ECDH path still calls a 5-arg `atcab_ecdh_enc` signature that newer cryptoauthlib renamed; the plain path works fine). -3. A small patch to `wolfssl/wolfcrypt/src/port/atmel/atmel.c`: the - upstream `wolfCrypt_ATECC_SetConfig()` only copies I2C-specific fields - from the passed cfg, silently dropping the `atcacustom` function - pointers when `iface_type=ATCA_CUSTOM_IFACE`. The Dockerfile replaces - the opening `XMEMSET` with an `XMEMCPY` so the full struct (including - the function-pointer union) is preserved. -4. `--enable-fastmath` is required — the default sp-math backend returns +3. `--enable-fastmath` is required -- the default sp-math backend returns `MP_VAL` on the `mp_read_unsigned_bin(key->pubkey.x, ...)` call inside wolfSSL's ATECC keygen path. diff --git a/SE050Sim/README.md b/SE050Sim/README.md index bee4533..8dc5509 100644 --- a/SE050Sim/README.md +++ b/SE050Sim/README.md @@ -100,8 +100,6 @@ SE050Sim/ ├── Dockerfile Rust driver integration tests ├── Dockerfile.sdk-test SDK test suite (OpenSSL verification) ├── Dockerfile.wolfcrypt wolfCrypt test suite integration -├── patches/ -│ └── apply.sh Driver bug patches for nxp-se050 ├── se050-sim/ │ ├── Cargo.toml │ ├── src/ diff --git a/STSAFEA120Sim/Dockerfile.wolfcrypt b/STSAFEA120Sim/Dockerfile.wolfcrypt index e856225..217abba 100644 --- a/STSAFEA120Sim/Dockerfile.wolfcrypt +++ b/STSAFEA120Sim/Dockerfile.wolfcrypt @@ -61,41 +61,10 @@ RUN set -eux; \ ldconfig # ---- wolfSSL with STSAFE-A120 support ---- -ARG WOLFSSL_REF=v5.9.1-stable +ARG WOLFSSL_REF=master RUN git clone --branch ${WOLFSSL_REF} --depth 1 \ https://github.com/wolfSSL/wolfssl.git /app/wolfssl -# wolfSSL's stsafe.c does `#include "stselib.h"`, which pulls in -# `stse_conf.h` and `stse_platform_generic.h` from the same directory. -# Inject our paths via CFLAGS so the compile finds them. We also link -# libstse.so so the stse_* references resolve. -# Two upstream gaps need patching before STSAFE-A120 will build cleanly: -# -# 1. `wolfcrypt/src/port/st/stsafe.c` is in EXTRA_DIST only -- there is -# no `if BUILD_STSAFE` clause that adds it to -# `src_libwolfssl_la_SOURCES`. As a result, libwolfssl is built -# without `stsafe_interface_init`, but wc_port.c references it -# under `#ifdef WOLFSSL_STSAFE`, leaving an undefined symbol at -# link time. -# -# 2. STSELib's `stselib.h` includes `core/stse_platform.h` *before* -# `stse_platform_generic.h`, so types like `PLAT_UI8` used inside -# `stse_device.h` are undefined when wolfSSL's stsafe.c includes -# stselib.h. Force-include the platform header at the top of -# stsafe.c to unbreak the include chain. -# -# Both worth upstreaming -- one as a build-system fix in include.am, -# the other as a header-ordering fix in STSELib. -RUN sed -i \ - '/^if BUILD_CRYPTOCB$/i \ -src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/st/stsafe.c\n' \ - /app/wolfssl/wolfcrypt/src/include.am && \ - grep -q 'src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/st/stsafe.c' \ - /app/wolfssl/wolfcrypt/src/include.am && \ - sed -i '1i #include "stse_platform_generic.h"' \ - /app/wolfssl/wolfcrypt/src/port/st/stsafe.c && \ - head -2 /app/wolfssl/wolfcrypt/src/port/st/stsafe.c - # wolfSSL's stsafe.c does `#include "stselib.h"`, which is the master # header that drags in stse_platform_generic.h itself, so we only need # the include path -- not a -include directive (the latter trips @@ -103,6 +72,7 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/st/stsafe.c\n' \ # AC_CHECK_DECLS). RUN cd /app/wolfssl && ./autogen.sh && \ ./configure \ + --enable-stsafe=a120 \ --enable-pkcallbacks \ --enable-cryptocb \ --enable-ecc \ @@ -110,7 +80,7 @@ RUN cd /app/wolfssl && ./autogen.sh && \ --enable-sha384 \ --enable-keygen \ --disable-examples \ - CFLAGS="-DWOLFSSL_STSAFEA120 -DHAVE_PK_CALLBACKS -DWOLF_CRYPTO_CB \ + CFLAGS="-DHAVE_PK_CALLBACKS -DWOLF_CRYPTO_CB \ -I/app/STSELib -I/app/sdk-test \ -Wno-unused-parameter -Wno-error \ -Wno-error=strict-prototypes -Wno-error=nested-externs \