Skip to content

Commit 7eeb89b

Browse files
committed
STM32 wolfIP: share wolfssl.mk + tls_client across ports, drop bundled self-test, docs, cppcheck fix
1 parent fbb17d2 commit 7eeb89b

24 files changed

Lines changed: 640 additions & 1816 deletions

Makefile

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,8 @@ CPPCHECK_FLAGS=--enable=warning,performance,portability,missingInclude \
133133
--suppress=constParameterCallback \
134134
--suppress=toomanyconfigs \
135135
--suppress=unmatchedSuppression --inconclusive \
136+
--suppress=comparePointers:src/port/stm32c5a3/startup.c \
137+
--suppress=comparePointers:src/port/stm32c5a3/syscalls.c \
136138
--suppress=comparePointers:src/port/stm32h563/startup.c \
137139
--suppress=comparePointers:src/port/stm32h563/syscalls.c \
138140
--suppress=comparePointers:src/port/stm32h753/startup.c \
@@ -149,6 +151,7 @@ CPPCHECK_FLAGS=--enable=warning,performance,portability,missingInclude \
149151
--suppress=comparePointers:src/port/rp2350_cyw43439/startup_hazard3.c \
150152
--suppress=comparePointers:src/port/rp2350_cyw43439/syscalls.c \
151153
--suppress=unknownMacro:src/port/stm32h563/dot1x_client.c \
154+
--suppress=unknownMacro:src/port/stm32c5a3/startup.c \
152155
--suppress=preprocessorErrorDirective:src/supplicant/supplicant_features.h \
153156
--disable=style \
154157
--std=c99 --language=c \

src/port/stm32/PORTING.md

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
# Porting wolfIP to a new STM32
2+
3+
This tree is layered so a new STM32 wolfIP port is a small set of per-chip
4+
files plus shared infrastructure. Existing ports: `stm32c5a3` (M33, TLS 1.3 +
5+
DHUK), `stm32h753` (M7, TLS + HTTPS), `stm32h563` (M33, TLS + SSH + MQTT +
6+
dot1x + FreeRTOS), `stm32f439` (M4, network only), `stm32n6` (M55, network
7+
only).
8+
9+
## Shared -- reuse as-is
10+
11+
| File | What it gives you |
12+
|------|-------------------|
13+
| `src/port/stm32/stm32_eth.c` / `.h` | Synopsys DWC GMAC MAC+DMA+PHY driver for H5/H7/N6 (and C5, via a one-line `STM32C5 -> STM32H5` alias). ETH1 at `0x40028000` on H5/C5. |
14+
| `src/port/stm32/wolfssl.mk` | `WOLFSSL_ROOT`/`WOLFMQTT_ROOT` defaults, the `WOLFSSL_SRCS` TLS-1.3 source list, the optional `WOLFSSL_LOG_SRCS` (logging/error/wc_encrypt) group, and the `$(WOLFSSL_ROOT)/%.o` relaxed-warning rule. `include` it from a port Makefile. |
15+
| `src/port/wolfssl_io.c` | wolfIP <-> wolfSSL I/O callbacks (EAGAIN -> WANT_READ/WRITE, `-1` -> CONN_CLOSE). |
16+
| `src/port/tls_client.c` / `.h` | Shared TLS 1.3 client state machine. Build knobs (per-port `-D`): `TLS_CLIENT_MUTUAL_AUTH` (present a client cert from the port's `tls_certs.h`), `ENABLE_DHUK_KEY` (sign CertificateVerify via the DHUK PK callback), `TLS_CLIENT_CIPHER` (force one suite), `TLS_CLIENT_SETTLE_POLLS` (post-connect settle, default 10). Without `MUTUAL_AUTH` it is a plain one-way client (SNI via `tls_client_set_sni()`). |
17+
| `src/port/certs.h` | Embedded test certificates (for the HTTPS/server ports). |
18+
| `src/wolfip.c` | The stack itself. |
19+
20+
## Per-chip -- supply these
21+
22+
| File | Notes |
23+
|------|-------|
24+
| `startup.c` (+ `ivt.c`) | Vendor vector table + reset. Genuinely per-silicon (different peripheral IRQ set). C5A3 folds the full M33 vector table into `startup.c` (no separate `ivt.c`). |
25+
| `target.ld` | Memory map (flash/RAM addresses + sizes). Add an `.eth_buffers` output section in RAM for the GMAC descriptors + RX/TX buffers. |
26+
| `main.c` | The per-chip register sequences: `clock_init`, `uart_init`, `eth_gpio_init` (RMII pinmux + SYSCFG/SBS PHY-interface select + RCC ETH gates), `rng_init`. Plus the wolfIP init + poll loop (mostly copyable between ports). |
27+
| `config.h` | wolfIP sizing (sockets, buffers, static IP). |
28+
| `user_settings.h` | wolfSSL config: the shared TLS-1.3 base + a per-chip HW-crypto arm (`STM32_HASH` / `STM32_CRYPTO` / `WOLFSSL_STM32_PKA` / RNG, gated on the chip define). |
29+
| `Makefile` | Thin: CPU flags, device `-D`, includes, `include ../stm32/wolfssl.mk`, board sources, feature source lists, flash command. |
30+
31+
## Makefile pattern
32+
33+
```make
34+
CFLAGS := -mcpu=cortex-mXX ... -D<CHIP>
35+
CFLAGS_WOLFSSL := $(filter-out -Werror,$(CFLAGS)) -Wno-unused-variable -Wno-unused-function
36+
include $(ROOT)/src/port/stm32/wolfssl.mk # WOLFSSL_SRCS + %.o rule + defaults
37+
...
38+
ifeq ($(ENABLE_TLS),1)
39+
WOLFSSL_SRCS += $(WOLFSSL_LOG_SRCS) # unless you strip logging/error to save flash
40+
SRCS += $(WOLFSSL_SRCS)
41+
endif
42+
```
43+
44+
- A port that needs feature defines on the wolfSSL objects (e.g. SSH/dot1x) sets `WOLFSSL_EXTRA_DEFS` -- the shared `%.o` rule appends it (see `stm32h563/Makefile`).
45+
- Keep `all:`/`clean:`/`size:`/`flash:` in the port; `wolfssl.mk` intentionally defines only variables and the `%.o` pattern rule so it never hijacks the default goal.
46+
47+
## New-port checklist (things that bite)
48+
49+
- **`_sbrk` must use the linker `.heap` region**, not `_ebss.._estack`. On a port whose linker places `.eth_buffers` after `.bss`, an `_ebss`-based heap hands out malloc memory that overlaps the Ethernet DMA buffers, and packet DMA silently corrupts heap objects (seen on C5A3: garbage `WOLFSSL_CTX->method` -> bus fault deep in TLS).
50+
- **Add the port to the root `Makefile` cppcheck suppression list** (`comparePointers` for `startup.c`/`syscalls.c`, and `unknownMacro` for a CMSIS vendor `startup.c`). A cleaner alternative for new code: cast the `_sbrk` bounds compare to `uintptr_t` so no `comparePointers` suppression is needed.
51+
- **RMII alternate-function numbers are not uniform** -- check each pin against the CubeMX/HAL board example (on C5A3, RXD0/RXD1 are AF12/AF13 while the rest are AF10). A wrong AF on an RX pin leaves the link up (MDIO works) but drops all RX.
52+
- **DMA buffers must be in DMA-reachable RAM** (not DTCM on H7); place them via the `.eth_buffers` section.
53+
- **Wire MSPLIM** to the linker's real stack-limit symbol (`PROVIDE(__STACK_LIMIT = __StackLimit)` if the CMSIS startup uses `__STACK_LIMIT`) so a stack overflow faults cleanly instead of corrupting the heap.
54+
- The `../wolfssl` object tree is shared: ports at different FP ABIs (hard vs soft float) clobber each other's `.o` files. `make clean` (or delete `$(WOLFSSL_ROOT)/**/*.o`) between such builds.
55+
56+
## Shared TLS client
57+
58+
`tls_client.c`/`.h` moved to `src/port/` (see the shared table above). The three
59+
TLS ports now compile the single `$(ROOT)/src/port/tls_client.c` and select
60+
behavior with `-D` knobs: `stm32c5a3` sets `TLS_CLIENT_MUTUAL_AUTH` +
61+
`TLS_CLIENT_CIPHER` (+ `ENABLE_DHUK_KEY`) for its mutual-auth DHUK demo, while
62+
`stm32h753`/`stm32h563` build it as a plain one-way client (H753 keeps its
63+
historical `TLS_CLIENT_SETTLE_POLLS=100`). C5A3's mutual-auth + DHUK build is
64+
verified on hardware; H753/H563 are build-verified (boards not testable here --
65+
no H753 on the bench, H563 is provisioned TZEN=1).

src/port/stm32/wolfssl.mk

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
# wolfssl.mk -- shared wolfSSL/wolfCrypt build plumbing for the STM32 bare-metal
2+
# wolfIP ports (stm32c5a3, stm32h753, stm32h563, ...).
3+
#
4+
# Copyright (C) 2026 wolfSSL Inc.
5+
#
6+
# `include $(ROOT)/src/port/stm32/wolfssl.mk` from a port Makefile. Provides:
7+
# - WOLFSSL_ROOT / WOLFMQTT_ROOT sibling defaults (a port may set WOLFSSL_ROOT
8+
# earlier with ?= to point at a worktree; that still wins).
9+
# - WOLFSSL_SRCS: the minimal wolfSSL/wolfCrypt source set for a TLS 1.3 client
10+
# (ECC + AES-GCM) plus the ChaCha20-Poly1305 / RSA-verify / logging groups
11+
# the ports share. Add to SRCS from inside the port's ENABLE_TLS block.
12+
# - the $(WOLFSSL_ROOT)/%.o relaxed-warning compile rule (uses the port's
13+
# CFLAGS_WOLFSSL, which the port defines and appends its own -D flags to).
14+
#
15+
# Only variables and a pattern rule live here -- no explicit targets -- so the
16+
# including Makefile keeps ownership of the default goal and of all/clean/size/
17+
# flash. Include it AFTER the port has set CFLAGS (and, if used, its own
18+
# WOLFSSL_ROOT ?= override); the port defines CFLAGS_WOLFSSL itself.
19+
20+
WOLFSSL_ROOT ?= $(ROOT)/../wolfssl
21+
WOLFMQTT_ROOT ?= $(ROOT)/../wolfmqtt
22+
23+
# Minimal wolfSSL/wolfCrypt source set for a TLS 1.3 client with ECC + AES-GCM.
24+
WOLFSSL_SRCS := \
25+
$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c \
26+
$(WOLFSSL_ROOT)/wolfcrypt/src/sha.c \
27+
$(WOLFSSL_ROOT)/wolfcrypt/src/sha256.c \
28+
$(WOLFSSL_ROOT)/wolfcrypt/src/sha512.c \
29+
$(WOLFSSL_ROOT)/wolfcrypt/src/hmac.c \
30+
$(WOLFSSL_ROOT)/wolfcrypt/src/hash.c \
31+
$(WOLFSSL_ROOT)/wolfcrypt/src/kdf.c \
32+
$(WOLFSSL_ROOT)/wolfcrypt/src/random.c \
33+
$(WOLFSSL_ROOT)/wolfcrypt/src/ecc.c \
34+
$(WOLFSSL_ROOT)/wolfcrypt/src/asn.c \
35+
$(WOLFSSL_ROOT)/wolfcrypt/src/coding.c \
36+
$(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.c \
37+
$(WOLFSSL_ROOT)/wolfcrypt/src/memory.c \
38+
$(WOLFSSL_ROOT)/wolfcrypt/src/wolfmath.c \
39+
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_int.c \
40+
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_c32.c \
41+
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_cortexm.c \
42+
$(WOLFSSL_ROOT)/src/ssl.c \
43+
$(WOLFSSL_ROOT)/src/tls.c \
44+
$(WOLFSSL_ROOT)/src/tls13.c \
45+
$(WOLFSSL_ROOT)/src/internal.c \
46+
$(WOLFSSL_ROOT)/src/keys.c \
47+
$(WOLFSSL_ROOT)/src/wolfio.c
48+
49+
# ChaCha20-Poly1305 (fallback suite).
50+
WOLFSSL_SRCS += \
51+
$(WOLFSSL_ROOT)/wolfcrypt/src/chacha.c \
52+
$(WOLFSSL_ROOT)/wolfcrypt/src/chacha20_poly1305.c \
53+
$(WOLFSSL_ROOT)/wolfcrypt/src/poly1305.c
54+
55+
# RSA for peer certificate verification.
56+
WOLFSSL_SRCS += \
57+
$(WOLFSSL_ROOT)/wolfcrypt/src/rsa.c \
58+
$(WOLFSSL_ROOT)/wolfcrypt/src/signature.c
59+
60+
# Logging / error-strings / encrypt-helpers group. Kept separate because a
61+
# size-tight port may omit it (e.g. with NO_ERROR_STRINGS + logging off). Ports
62+
# that want it do: WOLFSSL_SRCS += $(WOLFSSL_LOG_SRCS)
63+
WOLFSSL_LOG_SRCS := \
64+
$(WOLFSSL_ROOT)/wolfcrypt/src/logging.c \
65+
$(WOLFSSL_ROOT)/wolfcrypt/src/error.c \
66+
$(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.c
67+
68+
# wolfSSL objects build with relaxed warnings (third-party, heavily #ifdef'd).
69+
# CFLAGS_WOLFSSL is defined by the including port Makefile. WOLFSSL_EXTRA_DEFS
70+
# lets a port add feature defines that the wolfSSL objects need (e.g. H563's
71+
# -DWOLFSSL_WOLFSSH / -DHAVE_PBKDF2 for its SSH / dot1x builds); it is empty by
72+
# default.
73+
$(WOLFSSL_ROOT)/%.o: $(WOLFSSL_ROOT)/%.c
74+
$(CC) $(CFLAGS_WOLFSSL) -DWOLFSSL_USER_SETTINGS $(WOLFSSL_EXTRA_DEFS) -I$(WOLFSSL_ROOT) -c $< -o $@

src/port/stm32c5a3/.gitignore

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,3 +2,7 @@
22
*.o
33
app.elf
44
app.bin
5+
6+
# Generated TLS test host material (contains a throwaway test private key).
7+
# Regenerate with: python3 gen_certs.py (also rewrites tls_certs.h)
8+
tls-certs/

src/port/stm32c5a3/Makefile

Lines changed: 20 additions & 136 deletions
Original file line numberDiff line numberDiff line change
@@ -18,15 +18,6 @@ ENABLE_HTTPS ?= 0
1818
# MQTT Broker: set ENABLE_MQTT_BROKER=1 to include wolfMQTT broker (requires TLS)
1919
ENABLE_MQTT_BROKER ?= 0
2020

21-
# DHUK crypto-callback self-test: set ENABLE_CB_SELFTEST=1 to build the
22-
# wolfCrypt DHUK crypto-callback primitive self-test (ECDSA sign via HW PKA,
23-
# AES-GCM via SAES device-bound key, HMAC-SHA256, HW TRNG). Additive to the
24-
# Phase-1 network baseline: it does NOT enable ENABLE_TLS and does NOT link
25-
# ssl.c/tls.c/internal.c -- just wolfcrypt + the DHUK port. Requires the
26-
# wolfSSL worktree that carries the STM32C5 DHUK code (default sibling
27-
# wolfssl-c5tls; override with WOLFSSL_ROOT=...).
28-
ENABLE_CB_SELFTEST ?= 0
29-
3021
# Auto-enable TLS when any feature that requires it is enabled
3122
ifeq ($(ENABLE_TLS_CLIENT),1)
3223
ENABLE_TLS = 1
@@ -38,20 +29,14 @@ ifeq ($(ENABLE_MQTT_BROKER),1)
3829
ENABLE_TLS = 1
3930
endif
4031

41-
# Library paths - default to sibling directories.
42-
# The DHUK self-test needs the wolfSSL worktree that carries the STM32C5 DHUK
43-
# code, so it defaults to wolfssl-c5tls; the network/TLS builds default to the
44-
# plain wolfssl sibling. (?= means an explicit WOLFSSL_ROOT= still wins.)
45-
ifeq ($(ENABLE_CB_SELFTEST),1)
46-
WOLFSSL_ROOT ?= $(ROOT)/../wolfssl-c5tls
47-
endif
48-
# The TLS client (3A.0) uses the STM32C5 HW-crypto arm, so it needs the same
49-
# stm32_bare worktree that carries the STM32C5 DHUK/BARE port.
32+
# Library paths - default to sibling directories. The TLS client uses the
33+
# STM32C5 HW-crypto arm, so it needs the wolfSSL worktree that carries the
34+
# STM32C5 DHUK/BARE port. (?= means an explicit WOLFSSL_ROOT= still wins.)
5035
ifeq ($(ENABLE_TLS_CLIENT),1)
5136
WOLFSSL_ROOT ?= $(ROOT)/../wolfssl-c5tls
5237
endif
53-
WOLFSSL_ROOT ?= $(ROOT)/../wolfssl
54-
WOLFMQTT_ROOT ?= $(ROOT)/../wolfmqtt
38+
# Sibling WOLFSSL_ROOT/WOLFMQTT_ROOT fallbacks + the shared wolfSSL source list
39+
# and $(WOLFSSL_ROOT)/%.o rule come from the shared fragment (included below).
5540

5641
# -----------------------------------------------------------------------------
5742
# Device headers / CMSIS
@@ -77,6 +62,10 @@ CFLAGS_WOLFSSL := $(CFLAGS)
7762
CFLAGS_WOLFSSL := $(filter-out -Werror,$(CFLAGS_WOLFSSL))
7863
CFLAGS_WOLFSSL += -Wno-unused-variable -Wno-unused-function
7964

65+
# Shared wolfSSL build plumbing: WOLFSSL_ROOT/WOLFMQTT_ROOT defaults, the base
66+
# WOLFSSL_SRCS list, and the $(WOLFSSL_ROOT)/%.o relaxed-warning rule.
67+
include $(ROOT)/src/port/stm32/wolfssl.mk
68+
8069
LDSCRIPT := target.ld
8170
# The vendor startup (startup.c) uses the CMSIS __PROGRAM_START flow:
8271
# __cmsis_start runs the .copy.table/.zero.table init then calls newlib's
@@ -118,7 +107,7 @@ SRCS += $(ROOT)/src/port/wolfssl_io.c
118107
# TLS client (3A.0 mutual-auth against openssl s_server)
119108
ifeq ($(ENABLE_TLS_CLIENT),1)
120109
CFLAGS += -DENABLE_TLS_CLIENT
121-
SRCS += tls_client.c
110+
SRCS += $(ROOT)/src/port/tls_client.c
122111

123112
# Milestone 3A.1: set ENABLE_DHUK_KEY=1 to sign CertificateVerify with the
124113
# DHUK-wrapped identity key via a PK callback (identity scalar never in SW).
@@ -127,9 +116,9 @@ ifeq ($(ENABLE_DHUK_KEY),1)
127116
TLS_WOLFSSL_DEFS += -DENABLE_DHUK_KEY
128117
endif
129118

130-
# STM32C5 HW-crypto arm for the TLS client. Same defines the ENABLE_CB_SELFTEST
131-
# build uses; WOLFSSL_STM32C5 also gates the C5 arm in user_settings.h. These
132-
# join the wolfSSL-facing flags so only wolfSSL/glue objects see them.
119+
# STM32C5 HW-crypto arm for the TLS client. WOLFSSL_STM32C5 also gates the C5
120+
# arm in user_settings.h. These join the wolfSSL-facing flags so only the
121+
# wolfSSL/glue objects see them.
133122
TLS_WOLFSSL_DEFS += -DWOLFSSL_STM32C5 -DWOLFSSL_DHUK -DWOLF_CRYPTO_CB
134123

135124
# STM32 DHUK/BARE port + crypto-callback dispatcher for the C5 arm.
@@ -145,113 +134,13 @@ endif
145134
# rules here (before "all:") would hijack the default goal.
146135
CFLAGS_WOLFSSL += $(TLS_WOLFSSL_DEFS)
147136

148-
# wolfSSL source files (minimal set for TLS 1.3 client with ECC)
149-
WOLFSSL_SRCS := \
150-
$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c \
151-
$(WOLFSSL_ROOT)/wolfcrypt/src/sha.c \
152-
$(WOLFSSL_ROOT)/wolfcrypt/src/sha256.c \
153-
$(WOLFSSL_ROOT)/wolfcrypt/src/sha512.c \
154-
$(WOLFSSL_ROOT)/wolfcrypt/src/hmac.c \
155-
$(WOLFSSL_ROOT)/wolfcrypt/src/hash.c \
156-
$(WOLFSSL_ROOT)/wolfcrypt/src/kdf.c \
157-
$(WOLFSSL_ROOT)/wolfcrypt/src/random.c \
158-
$(WOLFSSL_ROOT)/wolfcrypt/src/ecc.c \
159-
$(WOLFSSL_ROOT)/wolfcrypt/src/asn.c \
160-
$(WOLFSSL_ROOT)/wolfcrypt/src/coding.c \
161-
$(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.c \
162-
$(WOLFSSL_ROOT)/wolfcrypt/src/memory.c \
163-
$(WOLFSSL_ROOT)/wolfcrypt/src/wolfmath.c \
164-
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_int.c \
165-
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_c32.c \
166-
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_cortexm.c \
167-
$(WOLFSSL_ROOT)/src/ssl.c \
168-
$(WOLFSSL_ROOT)/src/tls.c \
169-
$(WOLFSSL_ROOT)/src/tls13.c \
170-
$(WOLFSSL_ROOT)/src/internal.c \
171-
$(WOLFSSL_ROOT)/src/keys.c \
172-
$(WOLFSSL_ROOT)/src/wolfio.c
173-
174-
# ChaCha20-Poly1305 (optional)
175-
WOLFSSL_SRCS += \
176-
$(WOLFSSL_ROOT)/wolfcrypt/src/chacha.c \
177-
$(WOLFSSL_ROOT)/wolfcrypt/src/chacha20_poly1305.c \
178-
$(WOLFSSL_ROOT)/wolfcrypt/src/poly1305.c
179-
180-
# RSA for certificate verification
181-
WOLFSSL_SRCS += \
182-
$(WOLFSSL_ROOT)/wolfcrypt/src/rsa.c \
183-
$(WOLFSSL_ROOT)/wolfcrypt/src/signature.c
184-
185-
# Support sources (logging, error strings, encrypt helpers)
186-
WOLFSSL_SRCS += \
187-
$(WOLFSSL_ROOT)/wolfcrypt/src/logging.c \
188-
$(WOLFSSL_ROOT)/wolfcrypt/src/error.c \
189-
$(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.c
190-
137+
# wolfSSL/wolfCrypt source set comes from the shared wolfssl.mk (included above),
138+
# plus the logging/error/encrypt group.
139+
WOLFSSL_SRCS += $(WOLFSSL_LOG_SRCS)
191140
SRCS += $(WOLFSSL_SRCS)
192141

193142
endif # ENABLE_TLS
194143

195-
# -----------------------------------------------------------------------------
196-
# DHUK crypto-callback self-test (wolfSSL, no TLS)
197-
#
198-
# Additive build: registers the STM32 DHUK crypto callback and runs the ECDSA /
199-
# AES-GCM / HMAC-SHA256 / TRNG primitives on hardware. Compiles the wolfcrypt
200-
# subset the self-test needs (no ssl.c/tls.c/internal.c) plus the ported
201-
# cb_selftest.c. The C5 crypto arm (WOLFSSL_STM32C5, STM32_CRYPTO/HASH/RNG,
202-
# WOLFSSL_STM32_PKA, WOLFSSL_STM32_BARE) is enabled in user_settings.h under the
203-
# ENABLE_CB_SELFTEST gate; WOLFSSL_DHUK + WOLF_CRYPTO_CB come from here. The
204-
# defines go into the shared CFLAGS so both the app and the wolfcrypt objects
205-
# (CFLAGS_WOLFSSL is derived from CFLAGS) see them.
206-
# -----------------------------------------------------------------------------
207-
ifeq ($(ENABLE_CB_SELFTEST),1)
208-
209-
# Validate wolfSSL (with DHUK) exists
210-
ifeq ($(wildcard $(WOLFSSL_ROOT)/wolfcrypt/src/port/st/stm32.c),)
211-
$(error wolfSSL (with STM32C5 DHUK) not found at $(WOLFSSL_ROOT). Set WOLFSSL_ROOT to the stm32_bare worktree, e.g. WOLFSSL_ROOT=$(ROOT)/../wolfssl-c5tls)
212-
endif
213-
214-
CB_SELFTEST_DEFS := -DENABLE_CB_SELFTEST -DWOLFSSL_USER_SETTINGS \
215-
-DWOLFSSL_DHUK -DWOLF_CRYPTO_CB -DWOLFSSL_STM32C5
216-
CFLAGS += $(CB_SELFTEST_DEFS)
217-
CFLAGS += -I$(WOLFSSL_ROOT)
218-
219-
# CFLAGS_WOLFSSL is captured (:=) before this block, so it lacks the self-test
220-
# defines. Append them so the wolfcrypt objects activate the C5 DHUK config.
221-
CFLAGS_WOLFSSL += $(CB_SELFTEST_DEFS) -I$(WOLFSSL_ROOT)
222-
223-
# Ported self-test entry point
224-
SRCS += cb_selftest.c
225-
226-
# wolfcrypt subset for the four primitives + the STM32 DHUK port. No
227-
# ssl.c/tls.c/internal.c -- the self-test is wolfcrypt-only.
228-
CB_WOLFSSL_SRCS := \
229-
$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c \
230-
$(WOLFSSL_ROOT)/wolfcrypt/src/sha.c \
231-
$(WOLFSSL_ROOT)/wolfcrypt/src/sha256.c \
232-
$(WOLFSSL_ROOT)/wolfcrypt/src/sha512.c \
233-
$(WOLFSSL_ROOT)/wolfcrypt/src/hmac.c \
234-
$(WOLFSSL_ROOT)/wolfcrypt/src/hash.c \
235-
$(WOLFSSL_ROOT)/wolfcrypt/src/random.c \
236-
$(WOLFSSL_ROOT)/wolfcrypt/src/ecc.c \
237-
$(WOLFSSL_ROOT)/wolfcrypt/src/asn.c \
238-
$(WOLFSSL_ROOT)/wolfcrypt/src/coding.c \
239-
$(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.c \
240-
$(WOLFSSL_ROOT)/wolfcrypt/src/memory.c \
241-
$(WOLFSSL_ROOT)/wolfcrypt/src/wolfmath.c \
242-
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_int.c \
243-
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_c32.c \
244-
$(WOLFSSL_ROOT)/wolfcrypt/src/sp_cortexm.c \
245-
$(WOLFSSL_ROOT)/wolfcrypt/src/logging.c \
246-
$(WOLFSSL_ROOT)/wolfcrypt/src/error.c \
247-
$(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.c \
248-
$(WOLFSSL_ROOT)/wolfcrypt/src/cryptocb.c \
249-
$(WOLFSSL_ROOT)/wolfcrypt/src/port/st/stm32.c
250-
251-
SRCS += $(CB_WOLFSSL_SRCS)
252-
253-
endif # ENABLE_CB_SELFTEST
254-
255144
# -----------------------------------------------------------------------------
256145
# HTTPS web server (requires TLS) - uses existing wolfIP httpd
257146
# -----------------------------------------------------------------------------
@@ -322,18 +211,17 @@ app.bin: app.elf
322211
%.o: %.c
323212
$(CC) $(CFLAGS) -c $< -o $@
324213

325-
# wolfSSL objects use relaxed warnings
326-
$(WOLFSSL_ROOT)/%.o: $(WOLFSSL_ROOT)/%.c
327-
$(CC) $(CFLAGS_WOLFSSL) -DWOLFSSL_USER_SETTINGS -I$(WOLFSSL_ROOT) -c $< -o $@
214+
# The $(WOLFSSL_ROOT)/%.o relaxed-warning rule comes from wolfssl.mk.
328215

329216
# The two wolfIP<->wolfSSL glue files live in the app/port tree but include
330217
# wolfssl/ssl.h, so they need the wolfSSL-facing defines (WOLFSSL_WOLFIP /
331218
# WOLFSSL_STM32C5 / -I$(WOLFSSL_ROOT)). Keep -Werror (our code). These are
332219
# defined only when ENABLE_TLS is on, and sit after "all:" so they do not
333220
# hijack the default goal.
334221
ifeq ($(ENABLE_TLS),1)
335-
tls_client.o: tls_client.c
336-
$(CC) $(CFLAGS) $(TLS_WOLFSSL_DEFS) -c $< -o $@
222+
# Shared TLS client: mutual auth (client cert from tls_certs.h) + forced suite.
223+
$(ROOT)/src/port/tls_client.o: $(ROOT)/src/port/tls_client.c
224+
$(CC) $(CFLAGS) $(TLS_WOLFSSL_DEFS) -DTLS_CLIENT_MUTUAL_AUTH -DTLS_CLIENT_CIPHER='"TLS_AES_128_GCM_SHA256"' -c $< -o $@
337225

338226
$(ROOT)/src/port/wolfssl_io.o: $(ROOT)/src/port/wolfssl_io.c
339227
$(CC) $(CFLAGS) $(TLS_WOLFSSL_DEFS) -c $< -o $@
@@ -351,10 +239,6 @@ ifeq ($(ENABLE_TLS),1)
351239
rm -f $(WOLFSSL_ROOT)/wolfcrypt/test/*.o
352240
rm -f $(WOLFSSL_ROOT)/src/*.o
353241
endif
354-
ifeq ($(ENABLE_CB_SELFTEST),1)
355-
rm -f $(WOLFSSL_ROOT)/wolfcrypt/src/*.o
356-
rm -f $(WOLFSSL_ROOT)/wolfcrypt/src/port/st/*.o
357-
endif
358242
ifeq ($(ENABLE_MQTT_BROKER),1)
359243
rm -f $(WOLFMQTT_ROOT)/src/*.o
360244
endif

0 commit comments

Comments
 (0)