Remove wolfCrypt patches

ATECC608Sim/Dockerfile.wolfcrypt

@@ -50,126 +50,7 @@ RUN cp -r /usr/include/cryptoauthlib/* /usr/include/ && \
 # ---- Build wolfSSL with --enable-cryptauthlib / WOLFSSL_ATECC608A ----
 # No circular dependency: cryptoauthlib doesn't depend on wolfSSL, so a
 # single-pass wolfSSL build against the installed cryptoauthlib is enough.
-RUN git clone --branch v5.9.1-stable --depth 1 \
-    https://github.com/wolfSSL/wolfssl.git /app/wolfssl
-
-# wolfSSL's wolfCrypt_ATECC_SetConfig only copies I2C-specific fields from
-# the passed cfg; when iface_type=ATCA_CUSTOM_IFACE the atcacustom function
-# pointers are silently dropped. Swap the opening XMEMSET for an XMEMCPY so
-# the full struct (including the atcacustom union) is preserved. The
-# subsequent field-by-field assignments are harmless — they overwrite with
-# the same values.
-RUN sed -i '/\/\* copy configuration into our local struct \*\//,/cfg_ateccx08a_i2c_pi\.cfg_data/{s|XMEMSET(&cfg_ateccx08a_i2c_pi, 0, sizeof(cfg_ateccx08a_i2c_pi));|XMEMCPY(\&cfg_ateccx08a_i2c_pi, cfg, sizeof(cfg_ateccx08a_i2c_pi));|}' \
-    /app/wolfssl/wolfcrypt/src/port/atmel/atmel.c && \
-    grep -q 'XMEMCPY(&cfg_ateccx08a_i2c_pi, cfg' /app/wolfssl/wolfcrypt/src/port/atmel/atmel.c
-
-# atmel_set_slot_allocator is declared without WOLFSSL_API, so wolfSSL's
-# default -fvisibility=hidden hides it from libwolfssl.so. Expose it so our
-# test harness can install a round-robin slot allocator (wolfcrypt_test's
-# ECC suite needs multiple concurrent hardware keys).
-RUN sed -i 's|^int atmel_set_slot_allocator|WOLFSSL_API int atmel_set_slot_allocator|' \
-    /app/wolfssl/wolfssl/wolfcrypt/port/atmel/atmel.h \
-    /app/wolfssl/wolfcrypt/src/port/atmel/atmel.c && \
-    grep -q 'WOLFSSL_API int atmel_set_slot_allocator' /app/wolfssl/wolfssl/wolfcrypt/port/atmel/atmel.h
-
-# Fix two guard-mismatch bugs in wolfcrypt/test/test.c that surface with
-# -DWOLFSSL_ATECC608A + --enable-crypttests + -Werror=nested-externs:
-#
-#   1. `ecc_ssh_test` is #if'd out on ATECC at definition time but its
-#      call site only guards on HAVE_ECC_DHE/CRYPTOCELL/CB_ONLY. Extend
-#      the call-site #if so it matches the definition.
-#
-#   2. `ecc_mulmod_test` is compiled on ATECC builds even though it calls
-#      `wc_ecc_mulmod`, whose declaration in wolfssl/wolfcrypt/ecc.h is
-#      hidden behind `!WOLFSSL_ATECC5/608A`. Exclude ATECC from both the
-#      test's definition guard and its call site.
-#
-# These are upstream bugs, worth sending back to wolfSSL.
-RUN python3 - <<'PY'
-import pathlib, sys
-path = pathlib.Path('/app/wolfssl/wolfcrypt/test/test.c')
-src = path.read_text()
-
-def sub(old, new, label):
-    global src
-    if old not in src:
-        sys.exit('patch target not found: ' + label)
-    src = src.replace(old, new, 1)
-
-sub(
-    '    #if defined(HAVE_ECC_DHE) && !defined(WOLFSSL_CRYPTOCELL) && \\\n'
-    '       !defined(WOLF_CRYPTO_CB_ONLY_ECC)\n'
-    '    ret = ecc_ssh_test(key, rng);\n',
-    '    #if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \\\n'
-    '       !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_ATECC508A) && \\\n'
-    '       !defined(WOLFSSL_ATECC608A) && !defined(PLUTON_CRYPTO_ECC) && \\\n'
-    '       !defined(WOLFSSL_CRYPTOCELL)\n'
-    '    ret = ecc_ssh_test(key, rng);\n',
-    'ecc_ssh_test call site',
-)
-
-sub(
-    '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n'
-    '    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)\n'
-    'static wc_test_ret_t ecc_mulmod_test(ecc_key* key1)\n',
-    '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n'
-    '    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \\\n'
-    '    !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n'
-    'static wc_test_ret_t ecc_mulmod_test(ecc_key* key1)\n',
-    'ecc_mulmod_test definition',
-)
-
-sub(
-    '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n'
-    '    !defined(WOLFSSL_CRYPTOCELL)\n'
-    '    ret = ecc_mulmod_test(key);\n',
-    '#if defined(HAVE_ECC_KEY_IMPORT) && !defined(WOLFSSL_VALIDATE_ECC_IMPORT) && \\\n'
-    '    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_ATECC508A) && \\\n'
-    '    !defined(WOLFSSL_ATECC608A)\n'
-    '    ret = ecc_mulmod_test(key);\n',
-    'ecc_mulmod_test call site',
-)
-
-# ecc_test_key_decode / ecc_test_key_gen load fixed private-key test
-# material that ATECC hardware cannot import (only GenKey-produced or
-# explicitly-written keys work). Skip on ATECC builds; genkey/sign/verify
-# coverage elsewhere in wolfcrypt_test picks up the slack.
-# (ecc_test_vector is similarly skipped but via -DNO_ECC_VECTOR_TEST below,
-# which is wolfSSL's own documented off-switch.)
-sub(
-    '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \\\n'
-    '    !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)\n'
-    '    ret = ecc_test_key_decode(rng, keySize);\n',
-    '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \\\n'
-    '    !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) && \\\n'
-    '    !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n'
-    '    ret = ecc_test_key_decode(rng, keySize);\n',
-    'ecc_test_key_decode call site',
-)
-
-sub(
-    '#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG)\n'
-    '    ret = ecc_test_key_gen(rng, keySize);\n',
-    '#if defined(HAVE_ECC_KEY_EXPORT) && !defined(NO_ASN_CRYPT) && !defined(WC_NO_RNG) && \\\n'
-    '    !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n'
-    '    ret = ecc_test_key_gen(rng, keySize);\n',
-    'ecc_test_key_gen call site',
-)
-
-# ecc_exp_imp_test exports the device-resident private key, which ATECC
-# hardware doesn't expose. Skip on ATECC builds.
-sub(
-    '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT)\n'
-    '    ret = ecc_exp_imp_test(key);\n',
-    '#if defined(HAVE_ECC_KEY_IMPORT) && defined(HAVE_ECC_KEY_EXPORT) && \\\n'
-    '    !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)\n'
-    '    ret = ecc_exp_imp_test(key);\n',
-    'ecc_exp_imp_test call site',
-)
-
-path.write_text(src)
-print('patched test.c')
-PY
+RUN git clone --depth 1 https://github.com/wolfSSL/wolfssl.git /app/wolfssl
 
 # Build wolfSSL as a library only; the test binary has its own curated
 # wolfCrypt-API exercise in main.c.

ATECC608Sim/README.md

@@ -105,17 +105,11 @@ cryptoauthlib. `Dockerfile.wolfcrypt` builds:
 
 1. cryptoauthlib with `ATCA_HAL_CUSTOM=ON`, no built-in HALs (our test
    binary links in `hal_tcp.c` directly).
-2. wolfSSL pinned to `v5.9.1-stable` with `--with-cryptoauthlib=/usr`,
+2. wolfSSL `master` with `--with-cryptoauthlib=/usr`,
    `-DWOLFSSL_ATECC608A`, and `-DWOLFSSL_ATECC_NO_ECDH_ENC` (the default
    encrypted-ECDH path still calls a 5-arg `atcab_ecdh_enc` signature
    that newer cryptoauthlib renamed; the plain path works fine).
-3. A small patch to `wolfssl/wolfcrypt/src/port/atmel/atmel.c`: the
-   upstream `wolfCrypt_ATECC_SetConfig()` only copies I2C-specific fields
-   from the passed cfg, silently dropping the `atcacustom` function
-   pointers when `iface_type=ATCA_CUSTOM_IFACE`. The Dockerfile replaces
-   the opening `XMEMSET` with an `XMEMCPY` so the full struct (including
-   the function-pointer union) is preserved.
-4. `--enable-fastmath` is required — the default sp-math backend returns
+3. `--enable-fastmath` is required -- the default sp-math backend returns
    `MP_VAL` on the `mp_read_unsigned_bin(key->pubkey.x, ...)` call inside
    wolfSSL's ATECC keygen path.
 

SE050Sim/README.md

@@ -100,8 +100,6 @@ SE050Sim/
 ├── Dockerfile                 Rust driver integration tests
 ├── Dockerfile.sdk-test        SDK test suite (OpenSSL verification)
 ├── Dockerfile.wolfcrypt       wolfCrypt test suite integration
-├── patches/
-│   └── apply.sh               Driver bug patches for nxp-se050
 ├── se050-sim/
 │   ├── Cargo.toml
 │   ├── src/

STSAFEA120Sim/Dockerfile.wolfcrypt

@@ -61,56 +61,26 @@ RUN set -eux; \
     ldconfig
 
 # ---- wolfSSL with STSAFE-A120 support ----
-ARG WOLFSSL_REF=v5.9.1-stable
+ARG WOLFSSL_REF=master
 RUN git clone --branch ${WOLFSSL_REF} --depth 1 \
     https://github.com/wolfSSL/wolfssl.git /app/wolfssl
 
-# wolfSSL's stsafe.c does `#include "stselib.h"`, which pulls in
-# `stse_conf.h` and `stse_platform_generic.h` from the same directory.
-# Inject our paths via CFLAGS so the compile finds them. We also link
-# libstse.so so the stse_* references resolve.
-# Two upstream gaps need patching before STSAFE-A120 will build cleanly:
-#
-#   1. `wolfcrypt/src/port/st/stsafe.c` is in EXTRA_DIST only -- there is
-#      no `if BUILD_STSAFE` clause that adds it to
-#      `src_libwolfssl_la_SOURCES`. As a result, libwolfssl is built
-#      without `stsafe_interface_init`, but wc_port.c references it
-#      under `#ifdef WOLFSSL_STSAFE`, leaving an undefined symbol at
-#      link time.
-#
-#   2. STSELib's `stselib.h` includes `core/stse_platform.h` *before*
-#      `stse_platform_generic.h`, so types like `PLAT_UI8` used inside
-#      `stse_device.h` are undefined when wolfSSL's stsafe.c includes
-#      stselib.h. Force-include the platform header at the top of
-#      stsafe.c to unbreak the include chain.
-#
-# Both worth upstreaming -- one as a build-system fix in include.am,
-# the other as a header-ordering fix in STSELib.
-RUN sed -i \
-    '/^if BUILD_CRYPTOCB$/i \
-src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/st/stsafe.c\n' \
-    /app/wolfssl/wolfcrypt/src/include.am && \
-    grep -q 'src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/st/stsafe.c' \
-        /app/wolfssl/wolfcrypt/src/include.am && \
-    sed -i '1i #include "stse_platform_generic.h"' \
-        /app/wolfssl/wolfcrypt/src/port/st/stsafe.c && \
-    head -2 /app/wolfssl/wolfcrypt/src/port/st/stsafe.c
-
 # wolfSSL's stsafe.c does `#include "stselib.h"`, which is the master
 # header that drags in stse_platform_generic.h itself, so we only need
 # the include path -- not a -include directive (the latter trips
 # autoconf's `cannot make gcc report undeclared builtins` check during
 # AC_CHECK_DECLS).
 RUN cd /app/wolfssl && ./autogen.sh && \
     ./configure \
+        --enable-stsafe=a120 \
         --enable-pkcallbacks \
         --enable-cryptocb \
         --enable-ecc \
         --enable-sha256 \
         --enable-sha384 \
         --enable-keygen \
         --disable-examples \
-        CFLAGS="-DWOLFSSL_STSAFEA120 -DHAVE_PK_CALLBACKS -DWOLF_CRYPTO_CB \
+        CFLAGS="-DHAVE_PK_CALLBACKS -DWOLF_CRYPTO_CB \
                 -I/app/STSELib -I/app/sdk-test \
                 -Wno-unused-parameter -Wno-error \
                 -Wno-error=strict-prototypes -Wno-error=nested-externs \