Frauschi
diff --git a/‎.github/workflows/atecc608-sim.yml‎
Lines changed: 14 additions & 6 deletions b/‎.github/workflows/atecc608-sim.yml‎
Lines changed: 14 additions & 6 deletions
diff --git a/‎.wolfssl_known_macro_extras‎
Lines changed: 7 additions & 0 deletions b/‎.wolfssl_known_macro_extras‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎configure.ac‎
Lines changed: 139 additions & 29 deletions b/‎configure.ac‎
Lines changed: 139 additions & 29 deletions
diff --git a/‎tests/api/test_ecc.c‎
Lines changed: 7 additions & 3 deletions b/‎tests/api/test_ecc.c‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎tests/api/test_ossl_ec.c‎
Lines changed: 3 additions & 0 deletions b/‎tests/api/test_ossl_ec.c‎
Lines changed: 3 additions & 0 deletions
@@ -19,11 +19,11 @@ concurrency:
 #
 # The simulator's own Dockerfile.wolfcrypt clones a pinned wolfSSL release.
 # We patch it to COPY the PR checkout instead so CI reflects the PR's source.
-# We also strip the inline test.c patch RUN block: those guard fixes now live
-# upstream in this tree, so re-applying them would fail with "patch target not
-# found". The remaining sed-based patches in the Dockerfile (atmel.c XMEMSET
-# swap and atmel_set_slot_allocator visibility) are no-ops on pre-patched
-# source and their grep validations still pass, so we leave them alone.
+# We also strip the inline test.c patch RUN block and the older atmel.c config
+# copy hotfix: both now live upstream in this tree, so re-applying them would
+# fail with "patch target not found". The atmel_set_slot_allocator visibility
+# patch remains because the simulator harness still depends on that exported
+# symbol.
 
 env:
   SIMULATORS_REF: 773fe70
@@ -48,7 +48,7 @@ jobs:
       - name: Stage PR wolfSSL into simulator build context
         run: mv wolfssl-src simulators/ATECC608Sim/wolfssl
 
-      - name: Patch Dockerfile to use PR wolfSSL and drop redundant test.c patches
+      - name: Patch Dockerfile to use PR wolfSSL and drop redundant source patches
         working-directory: simulators/ATECC608Sim
         run: |
           # Replace the (multi-line) `RUN git clone ... wolfssl.git /app/wolfssl`
@@ -60,11 +60,19 @@ jobs:
           grep -q '^ *COPY wolfssl /app/wolfssl$' Dockerfile.wolfcrypt
           ! grep -q 'git clone .*wolfssl\.git' Dockerfile.wolfcrypt
 
+          sed -i "/^# wolfSSL's wolfCrypt_ATECC_SetConfig only copies I2C-specific fields from$/,/^    grep -q 'XMEMCPY(&cfg_ateccx08a_i2c_pi, cfg' \\/app\\/wolfssl\\/wolfcrypt\\/src\\/port\\/atmel\\/atmel\\.c$/d" Dockerfile.wolfcrypt
+          ! grep -q "cfg_ateccx08a_i2c_pi" Dockerfile.wolfcrypt
+
           # Strip the inline test.c patch RUN block -- those guard fixes now
           # live upstream in this tree.
           sed -i "/^RUN python3 - <<'PY'$/,/^PY$/d" Dockerfile.wolfcrypt
           ! grep -q "RUN python3 - <<'PY'" Dockerfile.wolfcrypt
 
+          # The simulator Dockerfile predates the new configure contract where
+          # --with-cryptoauthlib must be paired with --enable-microchip=<dev>.
+          sed -i 's/--with-cryptoauthlib=\/usr \\/--enable-microchip=608 \\\n        --with-cryptoauthlib=\/usr \\/' Dockerfile.wolfcrypt
+          grep -q -- '--enable-microchip=608' Dockerfile.wolfcrypt
+
       - uses: docker/setup-buildx-action@v3
 
       - name: Build wolfCrypt-ATECC608 test image
 
@@ -30,7 +30,10 @@ ARDUINO_UNOR4_WIFI
 ASN_DUMP_OID
 ASN_TEMPLATE_SKIP_ISCA_CHECK
 ATCAPRINTF
+ATCA_HAL_I2C
 ATCA_ENABLE_DEPRECATED
+ATCA_TFLEX_SUPPORT
+ATECC_DEV_TYPE
 AVR
 BASE64_NO_TABLE
 BLAKE2B_SELFTEST
@@ -580,6 +583,7 @@ STSAFE_I2C_BUS
 STSE_CONF_ECC_BRAINPOOL_P_256
 STSE_CONF_ECC_BRAINPOOL_P_384
 SYS_CLOCK_REALTIME
+TA100_ECC_TRACE
 TASK_EXTRA_STACK_SIZE
 TCP_NODELAY
 TFM_ALREADY_SET
@@ -813,8 +817,10 @@ WOLFSSL_LMS_ROOT_LEVELS
 WOLFSSL_LPC43xx
 WOLFSSL_MAKE_SYSTEM_NAME_LINUX
 WOLFSSL_MAKE_SYSTEM_NAME_WSL
+WOLFSSL_MANUALLY_SELECT_DEVICE_CONFIG
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
+WOLFSSL_MICROCHIP_AESGCM
 WOLFSSL_MLKEM_INVNTT_UNROLL
 WOLFSSL_MLKEM_NO_MALLOC
 WOLFSSL_MLKEM_NTT_UNROLL
@@ -834,6 +840,7 @@ WOLFSSL_NO_CRL_NEXT_DATE
 WOLFSSL_NO_CT_MAX_MIN
 WOLFSSL_NO_DEBUG_CERTS
 WOLFSSL_NO_DECODE_EXTRA
+WOLFSSL_NO_DEL_HANDLE
 WOLFSSL_NO_DER_TO_PEM
 WOLFSSL_NO_DH186
 WOLFSSL_NO_DTLS_SIZE_CHECK
 
@@ -2975,48 +2975,158 @@ AC_ARG_WITH([maxq10xx],
     ]
 )
 
+AC_ARG_ENABLE([microchip],
+    [AS_HELP_STRING([--enable-microchip],[Enable wolfSSL support for microchip/atmel 508/608/100 (default: disabled)])],
+    [ ENABLED_ATMEL=$enableval ],
+    [ ENABLED_ATMEL=no ]
+    )
+
+if test "$ENABLED_ATMEL" != "no"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MICROCHIP"
+
+    for v in `echo $ENABLED_ATMEL | tr "," " "`
+    do
+      case $v in
+        508)
+            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC508A"
+            ;;
+
+        608)
+            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC608A"
+            ;;
+
+        100)
+            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MICROCHIP_TA100 -DMICROCHIP_DEV_TYPE=TA100"
+            ;;
+      esac
+    done
+fi
+
+
 # Microchip/Atmel CryptoAuthLib
 ENABLED_CRYPTOAUTHLIB="no"
-trylibatcadir=""
 AC_ARG_WITH([cryptoauthlib],
-    [AS_HELP_STRING([--with-cryptoauthlib=PATH],[PATH to CryptoAuthLib install (default /usr/)])],
-    [
-        AC_MSG_CHECKING([for cryptoauthlib])
-        CPPFLAGS="$CPPFLAGS -DWOLFSSL_ATECC508A"
-        LIBS="$LIBS -lcryptoauth"
+    [AS_HELP_STRING([--with-cryptoauthlib=PATH],
+                    [PATH to CryptoAuthLib install (default: system paths)])],
+    [with_cryptoauthlib=$withval],
+    [with_cryptoauthlib=no])
+
+AS_IF([test "x$with_cryptoauthlib" != "xno"], [
+    AS_IF([test "x$ENABLED_ATMEL" = "xno"], [
+        AC_MSG_ERROR([--with-cryptoauthlib requires --enable-microchip=<devices>.])
+    ])
+    AC_MSG_CHECKING([for CryptoAuthLib])
+
+    libdir=""
+    incdir=""
+    cryptoauthlib_found="no"
+
+    saved_LIBS="$LIBS"
+    saved_LDFLAGS="$LDFLAGS"
+    saved_CPPFLAGS="$CPPFLAGS"
+    saved_CFLAGS="$CFLAGS"
+
+    # Method 1: Try pkg-config first (most reliable)
+    m4_ifdef([PKG_CHECK_MODULES], [
+        PKG_CHECK_MODULES([CRYPTOAUTHLIB], [cryptoauthlib], [
+            CPPFLAGS="$CRYPTOAUTHLIB_CFLAGS $CPPFLAGS"
+            CFLAGS="$CRYPTOAUTHLIB_CFLAGS $CFLAGS"
+            LIBS="$CRYPTOAUTHLIB_LIBS $LIBS"
+            cryptoauthlib_found="pkg-config"
+        ], [:])
+    ])
 
-        AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <cryptoauthlib.h>]], [[ atcab_init(0); ]])],[ libatca_linked=yes ],[ libatca_linked=no ])
+    # Method 2: Manual search if pkg-config failed
+    AS_IF([test "x$cryptoauthlib_found" = "xno"], [
+        AS_IF([test "x$with_cryptoauthlib" = "xyes"], [
+            search_dirs="/usr /usr/local"
+        ], [
+            search_dirs="$with_cryptoauthlib"
+        ])
 
-        if test "x$libatca_linked" = "xno" ; then
-            if test "x$withval" != "xno" ; then
-                trylibatcadir=$withval
-            fi
-            if test "x$withval" = "xyes" ; then
-                trylibatcadir="/usr"
+        for trylibatcadir in $search_dirs; do
+            for try_libdir in "$trylibatcadir/lib" "$trylibatcadir/lib64"; do
+                if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then
+                    libdir="$try_libdir"
+                    break
+                fi
+            done
+
+            if test -z "$libdir"; then
+                if test -x /usr/bin/dpkg-architecture; then
+                    DEB_HOST_MULTIARCH=`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`
+                    if test -n "$DEB_HOST_MULTIARCH"; then
+                        try_libdir="$trylibatcadir/lib/$DEB_HOST_MULTIARCH"
+                        if test -f "$try_libdir/libcryptoauth.so" || test -f "$try_libdir/libcryptoauth.a"; then
+                            libdir="$try_libdir"
+                        fi
+                    fi
+                fi
             fi
 
-            LDFLAGS="$LDFLAGS -L$trylibatcadir/lib"
-            CPPFLAGS="$CPPFLAGS -I$trylibatcadir/lib"
-
-            AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <cryptoauthlib.h>]], [[ atcab_init(0); ]])],[ libatca_linked=yes ],[ libatca_linked=no ])
+            for try_incdir in "$trylibatcadir/include/cryptoauthlib" "$trylibatcadir/include"; do
+                if test -f "$try_incdir/cryptoauthlib.h"; then
+                    incdir="$try_incdir"
+                    break
+                fi
+            done
 
-            if test "x$libatca_linked" = "xno" ; then
-                AC_MSG_ERROR([cryptoauthlib isn't found.
-                If it's already installed, specify its path using --with-cryptoauthlib=/dir/])
+            if test -n "$libdir" && test -n "$incdir"; then
+                break
             fi
+            libdir=""
+            incdir=""
+        done
 
-            AM_LDFLAGS="$AM_LDFLAGS -L$trylibatcadir/lib"
-            AM_CFLAGS="$AM_CFLAGS -I$trylibatcadir/lib"
-            AC_MSG_RESULT([yes])
-        else
-            AC_MSG_RESULT([yes])
+        if test -n "$libdir" && test -n "$incdir"; then
+            CPPFLAGS="-I$incdir $CPPFLAGS"
+            CFLAGS="-I$incdir $CFLAGS"
+            LDFLAGS="-L$libdir $LDFLAGS"
+            LIBS="-lcryptoauth $LIBS"
+            cryptoauthlib_found="$libdir"
         fi
+    ])
 
-        ENABLED_CRYPTOAUTHLIB="yes"
-        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ATECC508A"
-    ]
-)
+    AS_IF([test "x$cryptoauthlib_found" != "xno"], [
+        wolfssl_include=""
+        AS_IF([test -f "${srcdir}/wolfssl/wolfcrypt/types.h"], [
+            wolfssl_include="-I${srcdir}"
+        ], [test -f "${srcdir}/wolfssl.h"], [
+            wolfssl_include="-I${srcdir}"
+        ])
 
+        test_CPPFLAGS="$wolfssl_include $CPPFLAGS"
+        test_CFLAGS="$wolfssl_include $CFLAGS"
+
+        saved_test_CPPFLAGS="$CPPFLAGS"
+        saved_test_CFLAGS="$CFLAGS"
+        CPPFLAGS="$test_CPPFLAGS"
+        CFLAGS="$test_CFLAGS"
+
+        AC_LINK_IFELSE([AC_LANG_PROGRAM(
+            [[#include <cryptoauthlib.h>]],
+            [[atcab_init(0); return 0;]])],
+            [
+                ENABLED_CRYPTOAUTHLIB="yes"
+                AC_MSG_RESULT([yes ($cryptoauthlib_found)])
+                AC_DEFINE([HAVE_CRYPTOAUTHLIB], [1], [CryptoAuthLib support])
+                CPPFLAGS="$saved_test_CPPFLAGS"
+                CFLAGS="$saved_test_CFLAGS"
+            ],
+            [
+                LIBS="$saved_LIBS"
+                LDFLAGS="$saved_LDFLAGS"
+                CPPFLAGS="$saved_CPPFLAGS"
+                CFLAGS="$saved_CFLAGS"
+                AC_MSG_RESULT([no - compilation failed])
+                AC_MSG_ERROR([CryptoAuthLib found but compilation check failed. Check config.log for details.])
+            ])
+    ], [
+        AC_MSG_RESULT([no - library not found])
+        AC_MSG_ERROR([CryptoAuthLib not found. Install it or specify path with --with-cryptoauthlib=/path])
+    ])
+])
 
 # TropicSquare TROPIC01
 # Example: "./configure --with-tropic01=/home/pi/libtropic"
 
@@ -1422,7 +1422,8 @@ int test_wc_ecc_pointFns(void)
     EXPECT_DECLS;
 #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && \
     !defined(WC_NO_RNG) && !defined(WOLFSSL_ATECC508A) && \
-    !defined(WOLFSSL_ATECC608A) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLFSSL_ATECC608A) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \
+    !defined(WOLFSSL_MICROCHIP_TA100)
     ecc_key    key;
     WC_RNG     rng;
     int        ret;
@@ -1525,7 +1526,8 @@ int test_wc_ecc_shared_secret_ssh(void)
 #if defined(HAVE_ECC) && defined(HAVE_ECC_DHE) && \
     !defined(WC_NO_RNG) && !defined(WOLFSSL_ATECC508A) && \
     !defined(WOLFSSL_ATECC608A) && !defined(PLUTON_CRYPTO_ECC) && \
-    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+    !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \
+    !defined(WOLFSSL_MICROCHIP_TA100)
     ecc_key key;
     ecc_key key2;
     WC_RNG  rng;
@@ -1605,7 +1607,8 @@ int test_wc_ecc_verify_hash_ex(void)
     EXPECT_DECLS;
 #if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN) && defined(WOLFSSL_PUBLIC_MP) \
     && !defined(WC_NO_RNG) && !defined(WOLFSSL_ATECC508A) && \
-       !defined(WOLFSSL_ATECC608A) && !defined(WOLFSSL_KCAPI_ECC)
+       !defined(WOLFSSL_ATECC608A) && !defined(WOLFSSL_KCAPI_ECC) && \
+       !defined(WOLFSSL_MICROCHIP_TA100)
     ecc_key       key;
     WC_RNG        rng;
     int           ret;
@@ -1699,6 +1702,7 @@ int test_wc_ecc_mulmod(void)
     EXPECT_DECLS;
 #if defined(HAVE_ECC) && !defined(WC_NO_RNG) && \
     !(defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
+      defined(WOLFSSL_MICROCHIP_TA100) || \
       defined(WOLFSSL_VALIDATE_ECC_IMPORT)) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC)
     ecc_key     key1;
 
@@ -429,6 +429,7 @@ int test_wolfSSL_EC_POINT(void)
         X, Y, ctx), 0);
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
+    !defined(WOLFSSL_MICROCHIP_TA100) && \
     !defined(HAVE_SELFTEST) && !defined(WOLFSSL_SP_MATH) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC)
     ExpectIntEQ(EC_POINT_add(NULL, NULL, NULL, NULL, ctx), 0);
@@ -520,6 +521,7 @@ int test_wolfSSL_EC_POINT(void)
     ExpectIntEQ(EC_POINT_invert(group, new_point, ctx), 1);
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
+    !defined(WOLFSSL_MICROCHIP_TA100) && \
     !defined(HAVE_SELFTEST) && !defined(WOLFSSL_SP_MATH) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC)
     {
@@ -801,6 +803,7 @@ int test_wolfSSL_SPAKE(void)
 
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && !defined(WOLFSSL_ATECC508A) \
     && !defined(WOLFSSL_ATECC608A) && !defined(HAVE_SELFTEST) && \
+       !defined(WOLFSSL_MICROCHIP_TA100) && \
        !defined(WOLFSSL_SP_MATH) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
     BIGNUM* x = NULL; /* kdc priv */
     BIGNUM* y = NULL; /* client priv */