[TA-100] Address review feedback (Copilot + Fenrir)

danielinux · danielinux · commit 5618b8a9b97f · 2026-05-07T21:37:50.000+02:00
Copilot fixes:
- atmel.c: ATCA_ENABLE_DEPRECATED I2C path now uses ATECC_I2C_ADDR
  instead of slave_address=1 (matches the non-deprecated path).
- atmel.c: capture and propagate atmel_createHandles() return value;
  abort init via WC_HW_E if handle creation fails.
- atmel.h: include calib_aes_gcm.h with the same &lt;calib/...&gt; form used
  for calib_command.h so a single -I (.../include or
  .../include/cryptoauthlib) resolves both.
- configure.ac: drop the duplicated AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB])
  (kept only in the consolidated section near the end).
- settings.h: remove leftover commented-out '#ifdef WOLFSSL_ATECC508A'.
- benchmark.c: drop the broken TA100 wc_RsaSSL_Verify branch (it passed
  message/enc as if they were sig/out).
- test.c: stop calling atmel_ecc_free() with the slot-TYPE enum
  constants; wc_ecc_free(userA/userB) already releases the allocated
  slots.
- ecc.c (microchip_curve_id_for_key): switch on key-&gt;dp-&gt;id, not size,
  so SECP256K1 / BRAINPOOLP256R1 are not silently mapped to SECP256R1.
  Helper is now defined for ATECC508A/608A as well, fixing the
  TA100-only gating that broke ATECC builds.
- ecc.c (_ecc_make_key_ex): keep ATECC508A/608A's curve check at
  SECP256R1-only (hardware does not support the wider curve set);
  TA100 retains the multi-curve list.

Fenrir fixes:
- ecc.c (wc_ecc_init_ex): under TA100 + ALT_ECC_SIZE the pubkey x/y/z
  pointers must be aimed at key-&gt;pubkey.xyz[] (with alt_fp_init) before
  mp_init_multi - otherwise mp_init_multi dereferenced NULL.
- atmel.c (atmel_get_rev_info): check atcab_wakeup return and bail out
  via atmel_ecc_translate_err before calling atcab_info.
- atmel.c (atmel_ecc_create_pms, TA100+ECDH_ENC): pass
  MAP_TO_HANDLE(slotId) (the ephemeral private-key handle) into
  talib_ecdh_compat instead of MAP_TO_HANDLE(slotIdEnc).
- atmel.c (wc_Microchip_rsa_create_key): on any failure after the first
  talib_create_element succeeds, delete the previously created
  handle(s) and clear rKeyH/uKeyH so device elements are not leaked.
- aes.c (wc_AesGcmEncrypt / wc_AesGcmDecrypt TA100 fast paths): replace
  '(authInSz + sz) &lt;= MAX' with bounds on each operand individually so
  word32 wraparound cannot bypass the 996-byte hardware limit.
- rsa.c (RsaPrivateDecryptEx): drop the TA100 RSA_PUBLIC_DECRYPT
  short-circuit. wc_Microchip_rsa_verify expects (digest, digestLen,
  sig, sigLen, ...) and the verified flag must be honored; the proper
  TA100 fast-path already lives in wc_RsaPSS_CheckPadding_ex2.
diff --git a/configure.ac b/configure.ac
@@ -3128,8 +3128,6 @@ AS_IF([test "x$with_cryptoauthlib" != "xno"], [
     ])
 ])
 
-AM_CONDITIONAL([BUILD_CRYPTOAUTHLIB], [test "x$ENABLED_CRYPTOAUTHLIB" = "xyes"])
-
 # TropicSquare TROPIC01
 # Example: "./configure --with-tropic01=/home/pi/libtropic"
 ENABLED_TROPIC01="no"
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
@@ -10575,13 +10575,8 @@ static void bench_rsa_helper(int useDeviceID,
                                           1, &times, ntimes, &pending)) {
                     #if !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
                         !defined(WOLFSSL_RSA_PUBLIC_ONLY)
-                        #if defined(WOLFSSL_MICROCHIP_TA100)
-                            ret = wc_RsaSSL_Verify(message, len,
-                                enc[i], rsaKeySz/8, rsaKey[i]);
-                        #else
                             ret = wc_RsaSSL_Verify(enc[i], idx, out[i],
                                                       rsaKeySz/8, rsaKey[i]);
-                        #endif
                     #elif defined(USE_CERT_BUFFERS_2048)
                         XMEMCPY(enc[i], rsa_2048_sig, sizeof(rsa_2048_sig));
                         idx = sizeof(rsa_2048_sig);
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
@@ -10162,7 +10162,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         aes->keylen == TA_KEY_TYPE_AES128_SIZE &&
         ivSz == TA_AES_GCM_IV_LENGTH &&
         authTagSz == TA_AES_GCM_TAG_LENGTH &&
-        (authInSz + sz) <= TA_AES_GCM_MAX_DATA_SIZE) {
+        sz <= TA_AES_GCM_MAX_DATA_SIZE &&
+        authInSz <= (word32)(TA_AES_GCM_MAX_DATA_SIZE - sz)) {
         return wc_Microchip_AesGcmEncrypt(
             aes, out, in, sz,
             iv, ivSz,
@@ -10906,7 +10907,8 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         aes->keylen == TA_KEY_TYPE_AES128_SIZE &&
         ivSz == TA_AES_GCM_IV_LENGTH &&
         authTagSz == TA_AES_GCM_TAG_LENGTH &&
-        (authInSz + sz) <= TA_AES_GCM_MAX_DATA_SIZE) {
+        sz <= TA_AES_GCM_MAX_DATA_SIZE &&
+        authInSz <= (word32)(TA_AES_GCM_MAX_DATA_SIZE - sz)) {
         return wc_Microchip_AesGcmDecrypt(
             aes, out, in, sz, iv, ivSz,
             authTag, authTagSz, authIn, authInSz);
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
@@ -5660,16 +5660,15 @@ int wc_ecc_make_pub_ex(ecc_key* key, ecc_point* pubOut, WC_RNG* rng)
     return err;
 }
 
-#if defined(WOLFSSL_MICROCHIP_TA100)
-static WC_INLINE int ta100_curve_id_for_key(const ecc_key* key)
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
+    defined(WOLFSSL_MICROCHIP_TA100)
+/* Resolve the curve id to pass to the Microchip backend. Keep the curve
+ * distinction by id (not size): SECP256R1, SECP256K1 and BRAINPOOLP256R1 are
+ * all 32 bytes and must NOT be collapsed onto SECP256R1. */
+static WC_INLINE int microchip_curve_id_for_key(const ecc_key* key)
 {
     if (key != NULL && key->dp != NULL) {
-        switch (key->dp->size) {
-            case 28: return ECC_SECP224R1;
-            case 32: return ECC_SECP256R1;
-            case 48: return ECC_SECP384R1;
-            default: return key->dp->id;
-        }
+        return key->dp->id;
     }
     return ECC_CURVE_DEF;
 }
@@ -5764,24 +5763,21 @@ static int _ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key,
 
 #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
     defined(WOLFSSL_MICROCHIP_TA100)
-#if !defined(WOLFSSL_MICROCHIP_TA100)
+#if defined(WOLFSSL_MICROCHIP_TA100)
+    /* TA100 supports multiple curves natively. */
     if (key->dp->id == ECC_SECP256R1 ||
         key->dp->id == ECC_SECP224R1 ||
         key->dp->id == ECC_SECP384R1 ||
         key->dp->id == ECC_SECP256K1 ||
         key->dp->id == ECC_BRAINPOOLP256R1) {
-        /* supports more than ECC256R1 curve */
 #else
-    if (key->dp->id == ECC_SECP256R1 ||
-        key->dp->id == ECC_SECP224R1 ||
-        key->dp->id == ECC_SECP384R1 ||
-        key->dp->id == ECC_SECP256K1 ||
-        key->dp->id == ECC_BRAINPOOLP256R1) {
+    /* ATECC508A/608A hardware only supports SECP256R1. */
+    if (key->dp->id == ECC_SECP256R1) {
 #endif
        key->type = ECC_PRIVATEKEY;
        if (key->slot == ATECC_INVALID_SLOT)
            key->slot = atmel_ecc_alloc(ATMEL_SLOT_ECDHE);
-       err = atmel_ecc_create_key(key->slot, ta100_curve_id_for_key(key),
+       err = atmel_ecc_create_key(key->slot, microchip_curve_id_for_key(key),
            key->pubkey_raw);
 
        /* populate key->pubkey */
@@ -6282,13 +6278,24 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
     defined(WOLFSSL_MICROCHIP_TA100)
     key->slot = ATECC_INVALID_SLOT;
 #ifdef WOLFSSL_MICROCHIP_TA100
-    /* TA100 needs pubkey initialized to populate after genkey */
+    /* TA100 needs pubkey initialized to populate after genkey. With
+     * ALT_ECC_SIZE the x/y/z pointers must first be aimed at the inline
+     * xyz[] storage; mp_init_multi otherwise dereferences NULL. */
+#ifdef ALT_ECC_SIZE
+    key->pubkey.x = (mp_int*)&key->pubkey.xyz[0];
+    key->pubkey.y = (mp_int*)&key->pubkey.xyz[1];
+    key->pubkey.z = (mp_int*)&key->pubkey.xyz[2];
+    alt_fp_init(key->pubkey.x);
+    alt_fp_init(key->pubkey.y);
+    alt_fp_init(key->pubkey.z);
+#else
     ret = mp_init_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z,
                         NULL, NULL, NULL);
     if (ret != MP_OKAY) {
         return MEMORY_E;
     }
 #endif
+#endif
 #else
 #if defined(WOLFSSL_KCAPI_ECC)
     key->handle = NULL;
@@ -6531,14 +6538,14 @@ static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen,
     #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
          defined(WOLFSSL_MICROCHIP_TA100)
 #if defined(WOLFSSL_MICROCHIP_TA100)
-        if (ta100_curve_id_for_key(key) == ECC_SECP256R1) {
+        if (microchip_curve_id_for_key(key) == ECC_SECP256R1) {
             (void)inlen;
             /* Sign: Result is 32-bytes of R then 32-bytes of S */
             err = atmel_ecc_sign(key->slot, in, out);
         }
         else {
             /* Sign: Result is raw R||S */
-            err = atmel_ecc_sign_ex(key->slot, ta100_curve_id_for_key(key),
+            err = atmel_ecc_sign_ex(key->slot, microchip_curve_id_for_key(key),
                 in, inlen, out);
         }
 #else
@@ -9422,7 +9429,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
 #endif /* WOLFSSL_SE050 */
 
 #if defined(WOLFSSL_MICROCHIP_TA100)
-    if (ta100_curve_id_for_key(key) == ECC_SECP256R1) {
+    if (microchip_curve_id_for_key(key) == ECC_SECP256R1) {
         err = atmel_ecc_verify(hash, sigRS, key->pubkey_raw, res);
         if (err != 0) {
             return err;
@@ -9431,7 +9438,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
     }
     else {
         err = atmel_ecc_verify_ex(hash, hashlen, sigRS, key->pubkey_raw,
-            keySz * 2, ta100_curve_id_for_key(key), res);
+            keySz * 2, microchip_curve_id_for_key(key), res);
         if (err != 0) {
            return err;
         }
diff --git a/wolfcrypt/src/port/atmel/atmel.c b/wolfcrypt/src/port/atmel/atmel.c
@@ -147,7 +147,7 @@ static int ateccx08a_cfg_initialized = 0;
         .devtype    = MICROCHIP_DEV_TYPE,
         .atcai2c = {
             #ifdef ATCA_ENABLE_DEPRECATED
-                .slave_address = 1,
+                .slave_address = ATECC_I2C_ADDR,
             #else
                 .address = ATECC_I2C_ADDR,
             #endif
@@ -578,11 +578,12 @@ int atmel_get_rev_info(word32* revision)
     WOLFSSL_MSG("Waking device...");
 #endif
     ret = atcab_wakeup();
+    if (ret != ATCA_SUCCESS) {
 #ifdef WOLFSSL_ATECC_DEBUG
-    if (ret != 0) {
         WOLFSSL_MSG("atcab_wakeup failed");
-    }
 #endif
+        return atmel_ecc_translate_err(ret);
+    }
     ret = atcab_info((uint8_t*)revision);
     ret = atmel_ecc_translate_err(ret);
     return ret;
@@ -616,8 +617,11 @@ int atmel_ecc_create_pms(int slotId, const uint8_t* peerKey, uint8_t* pms)
 
 #ifdef WOLFSSL_ATECC_ECDH_ENC
     #ifdef WOLFSSL_MICROCHIP_TA100
-        (void)slotId;
-        ret = talib_ecdh_compat(atcab_get_device(), MAP_TO_HANDLE(slotIdEnc),
+        /* TA100 ECDH uses the ephemeral private-key slot; the encryption
+         * parent slot is allocated above only for parity with the
+         * non-TA100 atcab_ecdh_enc path and is not consumed here. */
+        (void)slotIdEnc;
+        ret = talib_ecdh_compat(atcab_get_device(), MAP_TO_HANDLE(slotId),
                                 peerKey, pms);
     #else
         /* send the encrypted version of the ECDH command */
@@ -912,24 +916,34 @@ int wc_Microchip_rsa_create_key(struct RsaKey* key, int size, long e)
     ret = talib_handle_init_public_key(&uKeyA, WOLFSSL_TA_KEY_TYPE_RSA,
             TA_ALG_MODE_RSA_SSA_PSS, 0, 0);
     if (ret != ATCA_SUCCESS)
-        return WC_HW_E;
+        goto err_free_r;
 
     ta100_fix_property_endian(&uKeyA);
 
     ret = talib_create_element(atcab_get_device(), &uKeyA, &key->uKeyH);
     if (ret != ATCA_SUCCESS)
-        return WC_HW_E;
+        goto err_free_r;
 
     ret = talib_genkey_base(atcab_get_device(), TA_KEYGEN_MODE_NEWKEY,
             (uint32_t)key->rKeyH, key->uKey, &uKey_len);
     if (ret != ATCA_SUCCESS)
-        return WC_HW_E;
+        goto err_free_ru;
 
     /* Use talib_write_element, not talib_write_pub_key */
     ret = talib_write_element(atcab_get_device(), key->uKeyH,
             (uint16_t)uKey_len, key->uKey);
+    if (ret != ATCA_SUCCESS)
+        goto err_free_ru;
 
     return atmel_ecc_translate_err(ret);
+
+err_free_ru:
+    (void)talib_delete_handle(atcab_get_device(), (uint32_t)key->uKeyH);
+    key->uKeyH = 0;
+err_free_r:
+    (void)talib_delete_handle(atcab_get_device(), (uint32_t)key->rKeyH);
+    key->rKeyH = 0;
+    return WC_HW_E;
 }
 
 int wc_Microchip_rsa_encrypt(const byte* in, word32 inLen, byte* out,
@@ -1245,7 +1259,10 @@ int atmel_init(void)
             }
             #ifdef WOLFSSL_MICROCHIP_TA100
                 /* create handles for TA100 */
-                atmel_createHandles();
+                if (atmel_createHandles() != 0) {
+                    WOLFSSL_MSG("atmel_createHandles failed");
+                    return WC_HW_E;
+                }
             #endif
         }
 
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
@@ -3833,18 +3833,11 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
             }
             return WC_HW_E;
         }
-        else if (rsa_type == RSA_PUBLIC_DECRYPT &&
-                                         pad_value == RSA_BLOCK_TYPE_1) {
-            if (key->uKeyH != 0) {
-                int tmp;
-                if (pad_type != WC_RSA_PSS_PAD) {
-                    return WC_HW_E;
-                }
-                return wc_Microchip_rsa_verify(in, inLen,
-                    out, outLen, key, &tmp);
-            }
-            return WC_HW_E;
-        }
+        /* Note: RSA_PUBLIC_DECRYPT (verify) is intentionally not intercepted
+         * here. wc_Microchip_rsa_verify takes a digest as input, not a raw
+         * signature blob; the proper TA100 short-circuit lives in the
+         * wc_RsaPSS_CheckPadding / wc_RsaPSS_VerifyCheck path which has the
+         * digest available. */
     #elif defined(WOLFSSL_SE050) && !defined(WOLFSSL_SE050_NO_RSA)
         if (rsa_type == RSA_PRIVATE_DECRYPT && pad_value == RSA_BLOCK_TYPE_2) {
             ret = se050_rsa_private_decrypt(in, inLen, out, outLen, key,
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -37101,10 +37101,8 @@ static wc_test_ret_t ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerif
     WC_FREE_VAR(sig, HEAP_HINT);
     WC_FREE_VAR(digest, HEAP_HINT);
 #endif
-#if defined(WOLFSSL_MICROCHIP_TA100)
-    atmel_ecc_free(ATMEL_SLOT_ECDHE_ALICE);
-    atmel_ecc_free(ATMEL_SLOT_ECDHE_BOB);
-#endif
+    /* Slot cleanup happens via wc_ecc_free(userA/userB) above; do not call
+     * atmel_ecc_free with the slot-type enum constants. */
     (void)keySize;
     (void)curve_id;
     (void)rng;
diff --git a/wolfssl/wolfcrypt/port/atmel/atmel.h b/wolfssl/wolfcrypt/port/atmel/atmel.h
@@ -39,7 +39,10 @@
     #include <calib/calib_command.h>
 #endif
 #if defined(WOLFSSL_MICROCHIP_TA100) && defined(HAVE_AESGCM)
-    #include <cryptoauthlib/calib/calib_aes_gcm.h>
+    /* Use the same include style as <calib/calib_command.h> above so the
+     * single -I added by configure.ac (either .../include or
+     * .../include/cryptoauthlib) resolves both. */
+    #include <calib/calib_aes_gcm.h>
 #endif
 #ifndef ATECC_MAX_SLOT
 #define ATECC_MAX_SLOT      (0x8) /* Only use 0-7 */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -1227,7 +1227,6 @@
     #endif
 #endif
 
-/*#ifdef WOLFSSL_ATECC508A*/
 #if defined(WOLFSSL_ATECC508A) || \
     defined(WOLFSSL_MICROCHIP_TA100)
     /* backwards compatibility */
