Addressed copilot's comments

Daniele Lacamera
2026-05-04 13:41:34 +02:00
parent 449d039581
commit fc93bb4a09
7 changed files with 52 additions and 36 deletions
+3 -1
@@ -3013,6 +3013,9 @@ AC_ARG_WITH([cryptoauthlib],
[with_cryptoauthlib=no])
AS_IF([test "x$with_cryptoauthlib" != "xno"], [
AS_IF([test "x$ENABLED_ATMEL" = "xno"], [
AC_MSG_ERROR([--with-cryptoauthlib requires --enable-microchip=<devices>.])
])
AC_MSG_CHECKING([for CryptoAuthLib])
libdir=""
@@ -3029,7 +3032,6 @@ AS_IF([test "x$with_cryptoauthlib" != "xno"], [
PKG_CHECK_MODULES([CRYPTOAUTHLIB], [cryptoauthlib], [
CPPFLAGS="$CRYPTOAUTHLIB_CFLAGS $CPPFLAGS"
CFLAGS="$CRYPTOAUTHLIB_CFLAGS $CFLAGS"
LDFLAGS="$CRYPTOAUTHLIB_LIBS $LDFLAGS"
LIBS="$CRYPTOAUTHLIB_LIBS $LIBS"
cryptoauthlib_found="pkg-config"
], [:])
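Review bot: The new guard at `test "x$ENABLED_ATMEL" = "xno"` rejects only the literal value `no`, so an empty or unset ENABLED_ATMEL would pass and configure would go on to probe CryptoAuthLib with no device selected. Where ENABLED_ATMEL is assigned is outside this hunk; if it can still be empty at this point, the check should fail closed, e.g. `AS_IF([test "x$ENABLED_ATMEL" = "xno" || test "x$ENABLED_ATMEL" = "x"], [`. A one-line comment saying that the --enable-microchip handling must run before this block would record the ordering dependency.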
+4 -2
@@ -287,6 +287,7 @@ ECC Curve Sizes:
!defined(WOLFSSL_MICROCHIP_TA100) && \
!defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
!defined(WOLFSSL_KCAPI_ECC) && !defined(WOLFSSL_SE050) && \
!defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_PSOC6_CRYPTO) && \
!defined(WOLFSSL_XILINX_CRYPT_VERSAL)
#undef HAVE_ECC_VERIFY_HELPER
#define HAVE_ECC_VERIFY_HELPER
@@ -9357,9 +9358,10 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
byte hashIsZero = 0;
word32 zIdx;
#endif
#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
defined(WOLFSSL_MICROCHIP_TA100)
#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
byte sigRS[ATECC_KEY_SIZE*2];
#elif defined(WOLFSSL_MICROCHIP_TA100)
byte sigRS[ECC_MAX_CRYPTO_HW_SIZE*2];
#elif defined(WOLFSSL_CRYPTOCELL)
byte sigRS[ECC_MAX_CRYPTO_HW_SIZE*2];
CRYS_ECDSA_VerifyUserContext_t sigCtxTemp;
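Review bot: The TA100 branch now sizes `sigRS` with `ECC_MAX_CRYPTO_HW_SIZE*2` while the ATECC branch keeps `ATECC_KEY_SIZE*2`, and nothing at the declaration states the bound the writers have to respect. The code that copies r and s into `sigRS` is outside this hunk (wc_ecc_verify_hash_ex continues past it), so it should be confirmed that the TA100 path rejects a key size above `ECC_MAX_CRYPTO_HW_SIZE` before it writes into this stack buffer. I would add a comment on the new branch such as `/* r || s, each at most ECC_MAX_CRYPTO_HW_SIZE bytes; key size is checked against this before export */`.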
+10 -3
@@ -119,9 +119,16 @@ Supported Features:
RSA 2048 keygen/sign/verify
ECC-P256 keygen/sign/verify/shared secret
WOLFSSL_MICROCHIP_AESGCM can be used to enable AES-GCM but
AESGCM support is not yet available for TA100 in both
cryptauthlib-v3.3.3_397871.zip and cryptauthlib-v3.6.0_443271.zip.
WOLFSSL_MICROCHIP_AESGCM can be used to enable AES-GCM for TA100 when
building against CryptoAuthLib v3.6.0_443271 or later. AES-GCM is not
supported for TA100 with cryptauthlib-v3.3.3_397871.zip.
Current TA100 AES-GCM limitations:
- IV size must be 12 bytes.
- Authentication tag size must be 16 bytes for hardware decrypt, with
shorter tags only supported for zero-length decrypt validation.
- The combined AAD + payload size per hardware operation is limited to 996
bytes.
```
+27 -22
@@ -147,7 +147,7 @@ static int ateccx08a_cfg_initialized = 0;
.devtype = MICROCHIP_DEV_TYPE,
.atcai2c = {
#ifdef ATCA_ENABLE_DEPRECATED
.slave_addressus = 1,
.slave_address = 1,
#else
.address = ATECC_I2C_ADDR,
#endif
@@ -451,13 +451,13 @@ int atmel_ecc_alloc(int slotType)
break;
#endif
case ATMEL_SLOT_ECDHE_ALICE:
/* not reserved in mSlotList, so return */
/* reserve the fixed slot through the common allocation path */
slotId = ATECC_SLOT_ECDHE_PRIV_ALICE;
goto exit;
break;
case ATMEL_SLOT_ECDHE_BOB:
/* not reserved in mSlotList, so return */
/* reserve the fixed slot through the common allocation path */
slotId = ATECC_SLOT_ECDHE_PRIV_BOB;
goto exit;
break;
case ATMEL_SLOT_ANY:
for (i=0; i < ATECC_MAX_SLOT; i++) {
/* Find free slotId */
@@ -475,8 +475,7 @@ int atmel_ecc_alloc(int slotType)
}
/* is slot available */
if (mSlotList[slotId] != ATECC_INVALID_SLOT &&
mSlotList[slotId] != slotId ) {
if (mSlotList[slotId] != ATECC_INVALID_SLOT) {
slotId = ATECC_INVALID_SLOT;
}
else {
@@ -894,13 +893,20 @@ int wc_Microchip_rsa_create_key(struct RsaKey* key, int size, long e)
{
ATCA_STATUS ret;
ta_element_attributes_t rKeyA, uKeyA;
size_t uKey_len = TA_KEY_TYPE_RSA2048_SIZE;
size_t uKey_len = WOLFSSL_TA_KEY_TYPE_RSA_SIZE;
(void)size;
(void)e;
if (key == NULL) {
return BAD_FUNC_ARG;
}
if (size != (int)(WOLFSSL_TA_KEY_TYPE_RSA_SIZE * 8U)) {
return BAD_FUNC_ARG;
}
if (e != 0 && e != WC_RSA_EXPONENT) {
return BAD_FUNC_ARG;
}
/* Private key for signing AND decryption */
ret = talib_handle_init_private_key(&rKeyA, TA_KEY_TYPE_RSA2048,
ret = talib_handle_init_private_key(&rKeyA, WOLFSSL_TA_KEY_TYPE_RSA,
TA_ALG_MODE_RSA_SSA_PSS, TA_PROP_SIGN_INT_EXT_DIGEST,
TA_PROP_KEY_AGREEMENT_OUT_BUFF);
if (ret != ATCA_SUCCESS)
@@ -913,7 +919,7 @@ int wc_Microchip_rsa_create_key(struct RsaKey* key, int size, long e)
return WC_HW_E;
/* Public key - use 0, 0 for encryption support! */
ret = talib_handle_init_public_key(&uKeyA, TA_KEY_TYPE_RSA2048,
ret = talib_handle_init_public_key(&uKeyA, WOLFSSL_TA_KEY_TYPE_RSA,
TA_ALG_MODE_RSA_SSA_PSS, 0, 0);
if (ret != ATCA_SUCCESS)
return WC_HW_E;
@@ -952,7 +958,7 @@ int wc_Microchip_rsa_encrypt(const byte* in, word32 inLen, byte* out,
printf("outLen: %u\n", outLen);
printf("out: %p\n", out);
#endif
/* Use the 2048-specific function */
/* The current wolfSSL TA100 backend uses the RSA-2048 RSAEnc path. */
ret = talib_rsaenc_encrypt2048(atcab_get_device(), key->uKeyH,
(uint16_t)inLen, in,
(uint16_t)outLen, out);
@@ -965,7 +971,7 @@ int wc_Microchip_rsa_decrypt(const byte* in, word32 inLen, byte* out,
{
int ret;
/* The current wolfSSL TA100 backend uses the RSA-2048 RSAEnc path. */
ret = talib_rsaenc_decrypt2048(atcab_get_device(), key->rKeyH,
(uint16_t)inLen, in,
(uint16_t)outLen, out);
@@ -1320,7 +1326,7 @@ int atcatls_create_key_cb(WOLFSSL* ssl, ecc_key* key, unsigned int keySz,
return WC_HW_WAIT_E;
/* generate new ephemeral key on device */
ret = atmel_ecc_create_key(MAP_TO_HANDLE(slotId), ecc_curve, peerKey);
ret = atmel_ecc_create_key(slotId, ecc_curve, peerKey);
/* load generated ECC508A public key into key, used by wolfSSL */
if (ret == 0) {
@@ -1397,8 +1403,7 @@ int atcatls_create_pms_cb(WOLFSSL* ssl, ecc_key* otherKey,
tmpKey.slot = slotId;
/* generate new ephemeral key on device */
ret = atmel_ecc_create_key(MAP_TO_HANDLE(slotId), otherKey->dp->id,
peerKey);
ret = atmel_ecc_create_key(slotId, otherKey->dp->id, peerKey);
if (ret != ATCA_SUCCESS) {
atmel_ecc_free(slotId);
goto exit;
@@ -1673,6 +1678,7 @@ static int atcatls_set_certificates(WOLFSSL_CTX *ctx)
#endif
int ret = 0;
ATCA_STATUS status;
size_t signerCertSize = ATCATLS_SIGNER_CERT_MAX_SIZE;
size_t deviceCertSize = ATCATLS_DEVICE_CERT_MAX_SIZE;
uint8_t certBuffer[ATCATLS_CERT_BUFF_MAX_SIZE];
@@ -1682,7 +1688,6 @@ static int atcatls_set_certificates(WOLFSSL_CTX *ctx)
#endif
#ifdef WOLFSSL_ATECC_TNGTLS
ATCA_STATUS status;
ret = tng_atcacert_max_signer_cert_size(&signerCertSize);
if (ret != ATCACERT_E_SUCCESS) {
#ifdef WOLFSSL_ATECC_DEBUG
@@ -1792,7 +1797,6 @@ static int atcatls_set_certificates(WOLFSSL_CTX *ctx)
return ret;
}
#endif /* ATCA_TFLEX_SUPPORT */
#endif /* ATCA_TFLEX_SUPPORT */
int atcatls_set_callbacks(WOLFSSL_CTX* ctx)
{
@@ -1931,11 +1935,12 @@ int wc_Microchip_aes_set_key(Aes* aes, const byte* key, word32 keylen,
status = talib_aes_gcm_keyload(atcab_get_device(), aes->key_id, 0);
CHECK_STATUS(status);
/* Test if data zone is locked */
/* Provisioning must lock setup explicitly; do not lock it as a side
* effect of loading an AES key. */
status = talib_is_setup_locked(atcab_get_device(), &is_locked);
CHECK_STATUS(status);
if (!is_locked) {
status = talib_lock_setup(atcab_get_device());
CHECK_STATUS(status);
return WC_HW_E;
}
return atmel_ecc_translate_err(status);
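Review bot: In wc_Microchip_aes_set_key the new `if (!is_locked) { return WC_HW_E; }` runs after `talib_aes_gcm_keyload(...)` has already succeeded, so on a device whose setup is not locked the key is loaded for `aes->key_id` and the function then reports failure without undoing anything. The precondition should be tested first: move `status = talib_is_setup_locked(atcab_get_device(), &is_locked);` and its check ahead of the key load. The start of the function is outside this hunk, so the check may need to go ahead of any handle creation there as well. `WC_HW_E` is also what the other hardware failures on this page return, so a debug message on this path, or a comment naming the provisioning step that is expected, would make the cause visible to the integrator.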
+4 -2
@@ -128,9 +128,11 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type,
#if defined(WOLFSSL_MICROCHIP_TA100)
if (sig_len <= 0) {
const RsaKey* r = (const RsaKey*)key;
/* TA100 handles imply a 2048-bit RSA key. */
/* TA100 stores hardware-backed RSA public keys outside
* the software mp_int fields, so use the backend's fixed
* public-key buffer size when handles are present. */
if (r->rKeyH != 0 || r->uKeyH != 0) {
sig_len = 256;
sig_len = WOLFSSL_TA_KEY_TYPE_RSA_SIZE;
}
}
#endif
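Review bot: The TA100 fallback dereferences `r` whenever `sig_len <= 0`, which covers negative error codes as well as a zero size. The code that sets `sig_len` is outside this hunk; if it can leave an error there because `key` was NULL or `key_len` was too small for an RsaKey, `r->rKeyH` reads through an invalid pointer, and a genuine error is replaced by a fixed length. Guarding the handle test, e.g. `if (r != NULL && (r->rKeyH != 0 || r->uKeyH != 0)) {`, and entering the block only for `sig_len == 0` if that is what the software path yields for an empty modulus, would keep the override to the case the comment describes.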
+3 -4
@@ -182,14 +182,13 @@ WOLFSSL_LOCAL int wc_Microchip_rsa_encrypt(const byte* in, word32 inLen,
WOLFSSL_LOCAL int wc_Microchip_rsa_decrypt(const byte* in, word32 inLen,
byte* out, word32 outLen, RsaKey* key);
/* CryptoAuthLib defines larger TA100 RSA key types too, but the current
* wolfSSL TA100 backend only wires up the RSAEnc path for RSA-2048. */
#ifndef WOLFSSL_SP_NO_2048
#define WOLFSSL_TA_KEY_TYPE_RSA TA_KEY_TYPE_RSA2048
#define WOLFSSL_TA_KEY_TYPE_RSA_SIZE TA_KEY_TYPE_RSA2048_SIZE
#elif !defined(WOLFSSL_SP_NO_3072)
#define WOLFSSL_TA_KEY_TYPE_RSA TA_KEY_TYPE_RSA3072
#define WOLFSSL_TA_KEY_TYPE_RSA_SIZE TA_KEY_TYPE_RSA3072_SIZE
#else
#error Microchip requires enabling 2048 or 3072 RSA.
#error Current wolfSSL TA100 RSA backend requires 2048-bit RSA support.
#endif
#endif /* NO_RSA */
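Review bot: The new `#error` text says 2048-bit RSA support is required but does not name the macro that triggers it; `#error Current wolfSSL TA100 RSA backend requires 2048-bit RSA support (WOLFSSL_SP_NO_2048 is defined).` would tell the integrator what to change. Since the added comment states that only the RSA-2048 RSAEnc path is wired up, a compile-time assertion next to the defines that `WOLFSSL_TA_KEY_TYPE_RSA_SIZE` equals 256 would also catch a later edit that changes the macro without changing the 2048-specific calls and buffers that depend on it.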
+1 -2
@@ -226,7 +226,7 @@ struct RsaKey {
#if defined(WOLFSSL_MICROCHIP_TA100)
uint16_t rKeyH; /* private key handle */
uint16_t uKeyH; /* public key handle */
byte uKey[TA_KEY_TYPE_RSA2048_SIZE]; /* public key */
byte uKey[WOLFSSL_TA_KEY_TYPE_RSA_SIZE]; /* public key */
#endif
#ifdef WOLF_CRYPTO_CB
void* devCtx;
@@ -517,4 +517,3 @@ WOLFSSL_API int wc_RsaPrivateKeyDecodeRaw(const byte* n, word32 nSz,
#endif /* NO_RSA */
#endif /* WOLF_CRYPT_RSA_H */
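Review bot: `uKey` in struct RsaKey is now sized by `WOLFSSL_TA_KEY_TYPE_RSA_SIZE`, which on this page is defined in a different header and apparently only inside that header's `NO_RSA` guard, whereas the old `TA_KEY_TYPE_RSA2048_SIZE` presumably came from CryptoAuthLib itself. The include lines of this file are outside the hunk, so it should be confirmed that every translation unit that sees struct RsaKey with WOLFSSL_MICROCHIP_TA100 defined has that header included first. A comment on the field such as `/* size comes from the Microchip port header, which must be included before this struct */` would record the dependency.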