From dbf4aaa5bedb0f78ce49dfedbb1d47cd73f97c33 Mon Sep 17 00:00:00 2001 From: Tesfa Mae Date: Wed, 14 Jan 2026 12:00:51 -0800 Subject: [PATCH] TA100: follow-up changes (squash after 4e64cb56) --- configure.ac | 136 ++++++++++--- tests/api/test_ossl_ec.c | 3 + wolfcrypt/benchmark/benchmark.c | 6 +- wolfcrypt/src/ecc.c | 3 - wolfcrypt/src/port/atmel/README.md | 15 ++ wolfcrypt/src/port/atmel/atmel.c | 294 ++++++++++++++++++--------- wolfcrypt/test/test.c | 16 +- wolfssl/wolfcrypt/ecc.h | 3 +- wolfssl/wolfcrypt/port/atmel/atmel.h | 4 +- 9 files changed, 348 insertions(+), 132 deletions(-) diff --git a/configure.ac b/configure.ac index 9761841611..5ed7c1b70a 100644 --- a/configure.ac +++ b/configure.ac @@ -3002,45 +3002,127 @@ then esac done fi + + # Microchip/Atmel CryptoAuthLib ENABLED_CRYPTOAUTHLIB="no" -trylibatcadir="" AC_ARG_WITH([cryptoauthlib], - [AS_HELP_STRING([--with-cryptoauthlib=PATH],[PATH to CryptoAuthLib install (default /usr)])], - [ - AC_MSG_CHECKING([for cryptoauthlib]) - LIBS="$LIBS -lcryptoauth -lwolfssl -lpthread -lrt" + [AS_HELP_STRING([--with-cryptoauthlib=PATH], + [PATH to CryptoAuthLib install (default: system paths)])], + [with_cryptoauthlib=$withval], + [with_cryptoauthlib=no]) - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ atcab_init(0); ]])],[ libatca_linked=yes ],[ libatca_linked=no ]) +AS_IF([test "x$with_cryptoauthlib" != "xno"], [ + AC_MSG_CHECKING([for CryptoAuthLib]) - if test "x$libatca_linked" = "xno" ; then - if test "x$withval" != "xno" ; then - trylibatcadir=$withval - fi - if test "x$withval" = "xyes" ; then - trylibatcadir="/usr" + libdir="" + incdir="" + cryptoauthlib_found="no" + + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + saved_CFLAGS="$CFLAGS" + + # Method 1: Try pkg-config first (most reliable) + PKG_CHECK_MODULES([CRYPTOAUTHLIB], [cryptoauthlib], [ + CPPFLAGS="$CRYPTOAUTHLIB_CFLAGS $CPPFLAGS" + CFLAGS="$CRYPTOAUTHLIB_CFLAGS $CFLAGS" + LDFLAGS="$CRYPTOAUTHLIB_LIBS $LDFLAGS" + LIBS="$CRYPTOAUTHLIB_LIBS $LIBS" + cryptoauthlib_found="pkg-config" + ], [ + # Method 2: Manual search + AS_IF([test "x$with_cryptoauthlib" = "xyes"], [ + search_dirs="/usr /usr/local" + ], [ + search_dirs="$with_cryptoauthlib" + ]) + + for trylibatcadir in $search_dirs; do + for try_libdir in "$trylibatcadir/lib" "$trylibatcadir/lib64"; do + if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then + libdir="$try_libdir" + break + fi + done + + if test -z "$libdir"; then + if test -x /usr/bin/dpkg-architecture; then + DEB_HOST_MULTIARCH=`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null` + if test -n "$DEB_HOST_MULTIARCH"; then + try_libdir="$trylibatcadir/lib/$DEB_HOST_MULTIARCH" + if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then + libdir="$try_libdir" + fi + fi + fi fi - if test "$host_cpu" = "aarch64" ; then - LIB_SUFFIX="/aarch64-linux-gnu" - else - LIB_SUFFIX="" + for try_incdir in "$trylibatcadir/include/cryptoauthlib" "$trylibatcadir/include"; do + if test -f "$try_incdir/cryptoauthlib.h"; then + incdir="$try_incdir" + break + fi + done + + if test -n "$libdir" && test -n "$incdir"; then + break fi + libdir="" + incdir="" + done - LDFLAGS="$LDFLAGS -L$trylibatcadir/lib$LIB_SUFFIX" - CPPFLAGS="$CPPFLAGS -I$trylibatcadir/include/cryptoauthlib" - AM_LDFLAGS="$AM_LDFLAGS -L$trylibatcadir/lib$LIB_SUFFIX" - AM_CFLAGS="$AM_CFLAGS -I$trylibatcadir/include/cryptoauthlib" - - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([yes]) + if test -n "$libdir" && test -n "$incdir"; then + CPPFLAGS="-I$incdir $CPPFLAGS" + CFLAGS="-I$incdir $CFLAGS" + LDFLAGS="-L$libdir $LDFLAGS" + LIBS="-lcryptoauth $LIBS" + cryptoauthlib_found="$libdir" fi + ]) - ENABLED_CRYPTOAUTHLIB="yes" - ] -) + AS_IF([test "x$cryptoauthlib_found" != "xno"], [ + wolfssl_include="" + AS_IF([test -f "${srcdir}/wolfssl/wolfcrypt/types.h"], [ + wolfssl_include="-I${srcdir}" + ], [test -f "${srcdir}/wolfssl.h"], [ + wolfssl_include="-I${srcdir}" + ]) + test_CPPFLAGS="$wolfssl_include $CPPFLAGS" + test_CFLAGS="$wolfssl_include $CFLAGS" + + saved_test_CPPFLAGS="$CPPFLAGS" + saved_test_CFLAGS="$CFLAGS" + CPPFLAGS="$test_CPPFLAGS" + CFLAGS="$test_CFLAGS" + + AC_LINK_IFELSE([AC_LANG_PROGRAM( + [[#include ]], + [[atcab_init(0); return 0;]])], + [ + ENABLED_CRYPTOAUTHLIB="yes" + AC_MSG_RESULT([yes ($cryptoauthlib_found)]) + AC_DEFINE([HAVE_CRYPTOAUTHLIB], [1], [CryptoAuthLib support]) + CPPFLAGS="$saved_test_CPPFLAGS" + CFLAGS="$saved_test_CFLAGS" + ], + [ + LIBS="$saved_LIBS" + LDFLAGS="$saved_LDFLAGS" + CPPFLAGS="$saved_CPPFLAGS" + CFLAGS="$saved_CFLAGS" + AC_MSG_RESULT([no - compilation failed]) + AC_MSG_ERROR([CryptoAuthLib found but test compilation failed. Check config.log for details.]) + ]) + ], [ + AC_MSG_RESULT([no - library not found]) + AC_MSG_ERROR([CryptoAuthLib not found. Install it or specify path with --with-cryptoauthlib=/path]) + ]) +]) + +AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB], [test "x$ENABLED_CRYPTOAUTHLIB" = "xyes"]) # TropicSquare TROPIC01 # Example: "./configure --with-tropic01=/home/pi/libtropic" diff --git a/tests/api/test_ossl_ec.c b/tests/api/test_ossl_ec.c index 5411c46130..2423f4e9f4 100644 --- a/tests/api/test_ossl_ec.c +++ b/tests/api/test_ossl_ec.c @@ -429,6 +429,7 @@ int test_wolfSSL_EC_POINT(void) X, Y, ctx), 0); #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ + !defined(WOLFSSL_MICROCHIP_TA100) && \ !defined(HAVE_SELFTEST) && !defined(WOLFSSL_SP_MATH) && \ !defined(WOLF_CRYPTO_CB_ONLY_ECC) ExpectIntEQ(EC_POINT_add(NULL, NULL, NULL, NULL, ctx), 0); @@ -520,6 +521,7 @@ int test_wolfSSL_EC_POINT(void) ExpectIntEQ(EC_POINT_invert(group, new_point, ctx), 1); #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ + !defined(WOLFSSL_MICROCHIP_TA100) && \ !defined(HAVE_SELFTEST) && !defined(WOLFSSL_SP_MATH) && \ !defined(WOLF_CRYPTO_CB_ONLY_ECC) { @@ -801,6 +803,7 @@ int test_wolfSSL_SPAKE(void) #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(WOLFSSL_ATECC508A) \ && !defined(WOLFSSL_ATECC608A) && !defined(HAVE_SELFTEST) && \ + !defined(WOLFSSL_MICROCHIP_TA100) && \ !defined(WOLFSSL_SP_MATH) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) BIGNUM* x = NULL; /* kdc priv */ BIGNUM* y = NULL; /* client priv */ diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 1307722c0c..66bb72fef0 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -2081,6 +2081,10 @@ static const char* bench_result_words2[][6] = { #endif }; #endif /* !WC_NO_RNG || WOLFSSL_HAVE_MLKEM */ +#endif +#if defined(WOLFSSL_MICROCHIP_TA100) + #include +#endif #ifdef WOLFSSL_CAAM #include @@ -10713,7 +10717,7 @@ void bench_rsa(int useDeviceID) /* Note: To benchmark public only define WOLFSSL_PUBLIC_MP */ rsaKeySz = 0; #endif -#if defined(WOLFSSL_MICROCHIP_TA100) +#if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_MICROCHIP_TA100) /* Create new keys since you cannot import a private key to TA100 */ ret = wc_MakeRsaKey(rsaKey[i], rsaKeySz, WC_RSA_EXPONENT, &gRng); if (ret) { diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 96f063752f..97b064cd25 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -1979,7 +1979,6 @@ static void alt_fp_init(mp_int* a) #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ - !defined(WOLFSSL_MICROCHIP_TA100) && \ !defined(WOLFSSL_CRYPTOCELL) && \ (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \ defined(WOLFSSL_IMXRT1170_CAAM)) @@ -8099,11 +8098,9 @@ int wc_ecc_free(ecc_key* key) } #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ - !defined(WOLFSSL_MICROCHIP_TA100) && \ !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SP_MATH) && \ (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \ defined(WOLFSSL_IMXRT1170_CAAM)) - /* Handles add failure cases: * * Before add: diff --git a/wolfcrypt/src/port/atmel/README.md b/wolfcrypt/src/port/atmel/README.md index 37f2307f23..f35e6ef3aa 100644 --- a/wolfcrypt/src/port/atmel/README.md +++ b/wolfcrypt/src/port/atmel/README.md @@ -98,6 +98,21 @@ ATECC508A HW accelerated implementation: ### Microchip Trust Anchor TA100 ECC/RSA +rm -rf build-shared +cmake -S . -B build-shared \ + -DCMAKE_BUILD_TYPE=Debug \ + -DATCA_BUILD_SHARED_LIBS=ON \ + -DATCA_HAL_SPI=ON \ + -DATCA_PRINTF=ON \ + -DATCA_TA100_SUPPORT=ON \ + -DATCA_TA100_AES_AUTH_SUPPORT=ON \ + -DATCA_TA100_FCE_SUPPORT=ON \ + -DATCA_WOLFSSL=ON \ + -DBUILD_TESTS=ON +cmake --build build-shared -j +sudo cmake --install build-shared +sudo ldconfig + `./configure CFLAGS="-DWOLFSSL_CMAC -DHAVE_PK_CALLBACKS -DWOLFSSL_ATECC508A_NOIDLE -DECC_USER_CURVES -DWOLFSSL_ATECC_NO_ECDH_ENC -DWOLFSSL_ATECC_DEBUG" --enable-cmac --enable-microchip=100 --with-cryptoauthlib` Supported Features: diff --git a/wolfcrypt/src/port/atmel/atmel.c b/wolfcrypt/src/port/atmel/atmel.c index 619ca882c9..f4668dcf1c 100644 --- a/wolfcrypt/src/port/atmel/atmel.c +++ b/wolfcrypt/src/port/atmel/atmel.c @@ -161,6 +161,52 @@ static int ateccx08a_cfg_initialized = 0; static ATCAIfaceCfg* gCfg = &config_atmel_device[WOLFSSL_ATCA_DEVICE_NO]; #if defined(WOLFSSL_MICROCHIP_TA100) + + + /* TA100 device expects little-endian data for the property field. + * On big-endian hosts, we need to byte-swap the uint16_t property value. + * Use ATCA_UINT16_HOST_TO_LE if available from cryptoauthlib, otherwise + * define our own based on wolfSSL's endianness detection. + */ + #ifndef ATCA_UINT16_HOST_TO_LE + #ifdef BIG_ENDIAN_ORDER + #define ATCA_UINT16_HOST_TO_LE(x) \ + ((uint16_t)(((x) >> 8) | (((x) & 0xFF) << 8))) + #else + #define ATCA_UINT16_HOST_TO_LE(x) (x) + #endif + #endif + + /* Helper function to fix property field endianness after talib_handle_init_* + * functions populate the ta_element_attributes_t structure. + * The talib functions build the property value in host byte order, but + * the TA100 device expects little-endian format. + */ + static WC_INLINE void ta100_fix_property_endian(ta_element_attributes_t* attr) + { + #ifdef BIG_ENDIAN_ORDER + if (attr != NULL) { + attr->property = ATCA_UINT16_HOST_TO_LE(attr->property); + } + #else + (void)attr; /* Suppress unused warning on little-endian */ + #endif + } + + /* The sharedData_attr property values need to be in LE format. + * On little-endian: 0x1600 stays as 0x1600 (bytes: 00 16) + * On big-endian: 0x1600 becomes 0x0016 (bytes: 00 16) + * + * Since we cannot use function calls in static initializers, + * we define the values directly for each endianness: + */ + #ifdef BIG_ENDIAN_ORDER + /* Big-endian: swap bytes so wire format is correct */ + #define TA100_PROP_SHARED_DATA 0x0016 + #else + /* Little-endian: use value as-is */ + #define TA100_PROP_SHARED_DATA 0x1600 + #endif #ifndef SHARED_DATA_ADDR #define SHARED_DATA_ADDR 0x8006 #endif @@ -190,14 +236,14 @@ typedef struct See Shared Data Element Attributes in the programming specifications */ static ta_element_attributes_t sharedData_attr[ATECC_MAX_SLOT] = { - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, - {0x81, 0x1600, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, + {0x81, TA100_PROP_SHARED_DATA, 0x00, 0x00, 0x00, 0x41, 0x10}, }; static ta_element_attributes_t* gSharedDataAttr = sharedData_attr; @@ -524,6 +570,9 @@ static int atmel_init_enc_key(void) int atmel_get_rev_info(word32* revision) { int ret; + printf("Waking device...\n"); + ret = atcab_wakeup(); + printf("atcab_wakeup: %d\n", ret); ret = atcab_info((uint8_t*)revision); ret = atmel_ecc_translate_err(ret); return ret; @@ -656,115 +705,171 @@ int atmel_ecc_verify(const byte* message, const byte* signature, #ifdef WOLFSSL_MICROCHIP_TA100 #ifndef NO_RSA +/* + * TA100 RSA Support - Sign/Verify AND Encrypt/Decrypt + * +*/ + int wc_Microchip_rsa_create_key(struct RsaKey* key, int size, long e) { ATCA_STATUS ret; ta_element_attributes_t rKeyA, uKeyA; - size_t uKey_len = WOLFSSL_TA_KEY_TYPE_RSA_SIZE; + size_t uKey_len = TA_KEY_TYPE_RSA2048_SIZE; (void)size; (void)e; - ret = talib_handle_init_private_key(&rKeyA, WOLFSSL_TA_KEY_TYPE_RSA, - TA_ALG_MODE_RSA_SSA_PSS,TA_PROP_SIGN_INT_EXT_DIGEST, + /* Private key for signing AND decryption */ + ret = talib_handle_init_private_key(&rKeyA, TA_KEY_TYPE_RSA2048, + TA_ALG_MODE_RSA_SSA_1_5, TA_PROP_SIGN_INT_EXT_DIGEST, TA_PROP_KEY_AGREEMENT_OUT_BUFF); - if (ret != ATCA_SUCCESS) return WC_HW_E; + if (ret != ATCA_SUCCESS) + return WC_HW_E; + + ta100_fix_property_endian(&rKeyA); ret = talib_create_element(atcab_get_device(), &rKeyA, &key->rKeyH); - if (ret != ATCA_SUCCESS) return WC_HW_E; + if (ret != ATCA_SUCCESS) + return WC_HW_E; - ret = talib_handle_init_public_key(&uKeyA, WOLFSSL_TA_KEY_TYPE_RSA, - TA_ALG_MODE_RSA_SSA_PSS, TA_PROP_VAL_NO_SECURE_BOOT_SIGN, - TA_PROP_ROOT_PUB_KEY_VERIFY); - if (ret != ATCA_SUCCESS) return WC_HW_E; + /* Public key - use 0, 0 for encryption support! */ + ret = talib_handle_init_public_key(&uKeyA, TA_KEY_TYPE_RSA2048, + TA_ALG_MODE_RSA_SSA_1_5, 0, 0); + if (ret != ATCA_SUCCESS) + return WC_HW_E; + + ta100_fix_property_endian(&uKeyA); ret = talib_create_element(atcab_get_device(), &uKeyA, &key->uKeyH); - if (ret != ATCA_SUCCESS) return WC_HW_E; + if (ret != ATCA_SUCCESS) + return WC_HW_E; ret = talib_genkey_base(atcab_get_device(), TA_KEYGEN_MODE_NEWKEY, (uint32_t)key->rKeyH, key->uKey, &uKey_len); - if (ret != ATCA_SUCCESS) return WC_HW_E; + if (ret != ATCA_SUCCESS) + return WC_HW_E; - /* Write the RSA public key to the handle. */ - ret = talib_write_pub_key(atcab_get_device(), key->uKeyH, (uint16_t)uKey_len, - key->uKey); - - ret = atmel_ecc_translate_err(ret); - - return ret; + /* Use talib_write_element, not talib_write_pub_key */ + ret = talib_write_element(atcab_get_device(), key->uKeyH, + (uint16_t)uKey_len, key->uKey); + return atmel_ecc_translate_err(ret); } -int wc_Microchip_rsa_sign(const byte* in, word32 inLen, byte* out, word32 outLen, - RsaKey* key) + +int wc_Microchip_rsa_encrypt(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key) { int ret; - uint16_t sign_size = outLen; /* WOLFSSL_TA_KEY_TYPE_RSA_SIZE */ + +#ifdef WOLFSSL_ATECC_DEBUG + printf("WOLFSSL_TA_KEY_TYPE_RSA = %d\n", WOLFSSL_TA_KEY_TYPE_RSA); + printf("TA_KEY_TYPE_RSA2048 = %d\n", TA_KEY_TYPE_RSA2048); + printf("=== talib_rsaenc_encrypt debug ===\n"); + printf("device: %p\n", atcab_get_device()); + printf("uKeyH: 0x%08X (%u)\n", key->uKeyH, key->uKeyH); + printf("inLen: %u\n", inLen); + printf("in: %p\n", in); + printf("outLen: %u\n", outLen); + printf("out: %p\n", out); +#endif + /* Use the 2048-specific function */ + ret = talib_rsaenc_encrypt2048(atcab_get_device(), key->uKeyH, + (uint16_t)inLen, in, + (uint16_t)outLen, out); + + return atmel_ecc_translate_err(ret); +} + +int wc_Microchip_rsa_decrypt(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key) +{ + int ret; + + + ret = talib_rsaenc_decrypt2048(atcab_get_device(), key->rKeyH, + (uint16_t)inLen, in, + (uint16_t)outLen, out); + + return atmel_ecc_translate_err(ret); +} + + +int wc_Microchip_rsa_sign(const byte* in, word32 inLen, byte* out, word32 outLen, + RsaKey* key) +{ + int ret; + uint16_t sign_size = (uint16_t)outLen; byte hash_data[WC_SHA256_DIGEST_SIZE]; - if ((ret = wc_Sha256Hash(in, inLen, hash_data)) != 0) { - return ret; + if (in == NULL || out == NULL || key == NULL) { + return BAD_FUNC_ARG; } + /* Hash the input message */ + ret = wc_Sha256Hash(in, inLen, hash_data); + if (ret != 0) { + return ret; + } + + /* Sign using the signing private key handle */ ret = talib_sign_external(atcab_get_device(), WOLFSSL_TA_KEY_TYPE_RSA, key->rKeyH, TA_HANDLE_INPUT_BUFFER, hash_data, WC_SHA256_DIGEST_SIZE, out, &sign_size); - ret = atmel_ecc_translate_err(ret); - return ret; + + return atmel_ecc_translate_err(ret); } + int wc_Microchip_rsa_verify(const byte* in, word32 inLen, byte* sig, word32 sigLen, - RsaKey* key, int* pVerified) + RsaKey* key, int* pVerified) { int ret; bool verified = false; byte hash_data[WC_SHA256_DIGEST_SIZE]; - if ((ret = wc_Sha256Hash(in, inLen, hash_data)) != 0) { - return ret; + if (in == NULL || sig == NULL || key == NULL) { + return BAD_FUNC_ARG; } + + /* Hash the input message */ + ret = wc_Sha256Hash(in, inLen, hash_data); + if (ret != 0) { + return ret; + } + + /* Verify using the verification public key handle */ ret = talib_verify(atcab_get_device(), WOLFSSL_TA_KEY_TYPE_RSA, - TA_HANDLE_INPUT_BUFFER, key->uKeyH, sig, - sigLen, hash_data, WC_SHA256_DIGEST_SIZE, NULL, - sigLen, &verified); + TA_HANDLE_INPUT_BUFFER, key->uKeyH, sig, + sigLen, hash_data, WC_SHA256_DIGEST_SIZE, NULL, + sigLen, &verified); ret = atmel_ecc_translate_err(ret); - if (pVerified) + + if (pVerified != NULL) { *pVerified = (int)verified; + } return ret; } -int wc_Microchip_rsa_encrypt(const byte* in, word32 inLen, byte* out, word32 outLen, - RsaKey* key) -{ - int ret; - - /* Encrypt the plaintext with the rsa public key in handle */ - ret = talib_rsaenc_encrypt(atcab_get_device(), key->uKeyH, - inLen, in, outLen, out); - ret = atmel_ecc_translate_err(ret); - return ret; -} - -int wc_Microchip_rsa_decrypt(const byte* in, word32 inLen, byte* out, - word32 outLen, RsaKey* key) -{ - int ret; - /* Decrypt the ciphertext with the rsa private key in handle */ - ret = talib_rsaenc_decrypt(atcab_get_device(), key->rKeyH, - inLen, in, outLen, out); - ret = atmel_ecc_translate_err(ret); - return ret; -} void wc_Microchip_rsa_free(struct RsaKey* key) { - if (key->rKeyH) - (void)talib_delete_handle(atcab_get_device(), (uint32_t)key->rKeyH); - if (key->uKeyH) - (void)talib_delete_handle(atcab_get_device(), (uint32_t)key->uKeyH); + if (key == NULL) { + return; + } + /* Free signing/encryption key handles */ + if (key->rKeyH) { + (void)talib_delete_handle(atcab_get_device(), (uint32_t)key->rKeyH); + key->rKeyH = 0; + } + if (key->uKeyH) { + (void)talib_delete_handle(atcab_get_device(), (uint32_t)key->uKeyH); + key->uKeyH = 0; + } } + #endif /* NO_RSA */ #ifdef WOLFSSL_ATECC_DEBUG @@ -854,14 +959,20 @@ static void atmel_Handle_Attributes(void) } #endif -#define CHECK_STATUS(s) \ - if (s != ATCA_SUCCESS) \ - { \ - printf("Error: Line %d in File %s\r\n", __LINE__, __FILE__); \ - printf("STATUS = %X\r\n", s); \ - printf("See atca_status.h for error code \r\n"); \ - return atmel_ecc_translate_err(s); \ - } +#ifdef WOLFSSL_ATECC_DEBUG + #define CHECK_STATUS(s) \ + if ((s) != ATCA_SUCCESS) { \ + WOLFSSL_MSG("TA100 Error"); \ + printf("Error: Line %d in File %s\r\n", __LINE__, __FILE__); \ + printf("STATUS = %X\r\n", (unsigned int)(s)); \ + return atmel_ecc_translate_err(s); \ + } +#else + #define CHECK_STATUS(s) \ + if ((s) != ATCA_SUCCESS) { \ + return atmel_ecc_translate_err(s); \ + } +#endif static int atmel_createHandles(void) { ATCA_STATUS status; @@ -1577,50 +1688,41 @@ void wc_Microchip_aes_free(Aes* aes) (void)aes; } + static int wc_Microchip_AesGcmCommon(Aes* aes, byte* out, const byte* in, word32 sz, const byte* iv, word32 ivSz, byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz, int dir) { ATCA_STATUS status; - atca_aes_gcm_ctx_t ctx; - (void)out; - (void)in; - (void)sz; - (void)iv; + (void)aes; (void)ivSz; - (void)authTag; (void)authTagSz; - (void)authIn; - (void)authInSz; - (void)dir; - - (void)ctx; if (aes == NULL) { return BAD_FUNC_ARG; } - if (dir != AES_ENCRYPTION && - dir != AES_DECRYPTION) { + if (dir != AES_ENCRYPTION && dir != AES_DECRYPTION) { return BAD_FUNC_ARG; } - if (dir == AES_ENCRYPTION) { + /* Note: talib API takes non-const iv */ status = talib_aes_gcm_encrypt(atcab_get_device(), authIn, - authInSz, iv, in, sz, out, authTag); - CHECK_STATUS(status); + authInSz, (uint8_t*)iv, in, sz, out, authTag); } else { status = talib_aes_gcm_decrypt(atcab_get_device(), authIn, - authInSz, iv, authTag, in, sz, out); - - /* Add cipher to gcm */ - status = atcab_aes_gcm_decrypt_update(&ctx, in, sz, out); - CHECK_STATUS(status); + authInSz, (uint8_t*)iv, authTag, in, sz, out); } - return atmel_ecc_translate_err(status); + + if (status != ATCA_SUCCESS) { + return atmel_ecc_translate_err(status); + } + + return 0; } + int wc_Microchip_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, const byte* iv, word32 ivSz, byte* authTag, word32 authTagSz, diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index af670abeb9..13cee878f1 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -445,6 +445,10 @@ static const byte const_byte_array[] = "A+Gd\0\0\0"; #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) #include #endif +#if defined(WOLFSSL_MICROCHIP_TA100) + #include +#endif + #ifdef WOLFSSL_CAAM #include #endif @@ -26747,7 +26751,17 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void) ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); #endif if (ret >= 0) { - ret = wc_RsaPublicEncrypt(in, inLen, out, outSz, key, &rng); +#if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_MICROCHIP_TA100) + /* Create new keys for TA100 */ + ret = wc_MakeRsaKey(key, 2048, WC_RSA_EXPONENT, &rng); + if (ret) { + goto exit_rsa; + } + ret = wc_RsaPublicEncrypt(in, inLen, out, 256, key, &rng); +#else + ret = wc_RsaPublicEncrypt(in, inLen, out, outSz, key, &rng); + +#endif } } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E)); if (ret < 0) diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index d3ab68e41d..2e18b74777 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -832,8 +832,7 @@ int wc_ecc_point_is_at_infinity(ecc_point *p); WOLFSSL_API int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx); -#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ - !defined(WOLFSSL_MICROCHIP_TA100) +#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) WOLFSSL_API int wc_ecc_mulmod(const mp_int* k, ecc_point *G, ecc_point *R, mp_int* a, mp_int* modulus, int map); diff --git a/wolfssl/wolfcrypt/port/atmel/atmel.h b/wolfssl/wolfcrypt/port/atmel/atmel.h index 09b43e60e9..14f3461b84 100644 --- a/wolfssl/wolfcrypt/port/atmel/atmel.h +++ b/wolfssl/wolfcrypt/port/atmel/atmel.h @@ -109,8 +109,8 @@ enum atmelSlotType { ATMEL_SLOT_ECDHE_BOB, }; -int atmel_ecc_alloc(int slotType); -void atmel_ecc_free(int slotId); +WOLFSSL_API int atmel_ecc_alloc(int slotType); +WOLFSSL_API void atmel_ecc_free(int slotId); typedef int (*atmel_slot_alloc_cb)(int); typedef void (*atmel_slot_dealloc_cb)(int);