Release v3.7.3 (20240131)

MicrochipTech · Feb 1, 2024 · 8ee1d99 · 8ee1d99
1 parent 77cd260
commit 8ee1d99
Show file tree

Hide file tree

Showing 26 changed files with 339 additions and 85 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -2,10 +2,10 @@ cmake_minimum_required(VERSION 3.1.0)
 project (cryptoauthlib C)
 
 # Set the current release version
-set(VERSION "3.7.0")
+set(VERSION "3.7.3")
 set(VERSION_MAJOR 3)
 set(VERSION_MINOR 7)
-set(VERSION_PATCH 0)
+set(VERSION_PATCH 3)
 
 # Build Options
 option(BUILD_TESTS "Create Test Application with library" OFF)

diff --git a/harmony/config/cryptoauthlib.py b/harmony/config/cryptoauthlib.py
@@ -35,7 +35,7 @@
 _HAL_FILES = ["atca_hal.c", "atca_hal.h"]
 _CORE_PATHS = ['crypto/**/*', 'crypto/*', 'jwt/*', '*']
 _CA_PATHS = ['atcacert/*', 'calib/*', 'host/*']
-_TA_PATHS = ['talib/*']
+_TA_PATHS = ['atcacert/*', 'talib/*']
 _SHA206_PATHS = ['api_206a/*']
 _EXCL_FILES = ['atca_utils_sizes.c']
 

diff --git a/harmony/config/pkcs11.py b/harmony/config/pkcs11.py
@@ -135,6 +135,10 @@ def instantiateComponent(calPkcs11Component):
     calPkcs11MaxCertsCache.setLabel('Maximum number of certificates cached')
     calPkcs11MaxCertsCache.setDefaultValue(5)
 
+    calPkcs11MaxKeyIDsCache = calPkcs11Component.createIntegerSymbol('PKCS11_MAX_KEYS_CACHED', None)
+    calPkcs11MaxKeyIDsCache.setLabel('Maximum number of Key IDs cached')
+    calPkcs11MaxKeyIDsCache.setDefaultValue(5)
+
     calPkcs11MaxConfig = calPkcs11Component.createIntegerSymbol('CAL_PKCS11_MAX_CONFIG', None)
     calPkcs11MaxConfig.setLabel('Maximum number of PKCS11 Config Options')
     calPkcs11MaxConfig.setDefaultValue(7)

diff --git a/harmony/templates/pkcs11_config.h.ftl b/harmony/templates/pkcs11_config.h.ftl
@@ -79,6 +79,11 @@
 #define PKCS11_MAX_CERTS_CACHED      ${CAL_PKCS11_MAX_CERTS_CACHED}
 #endif
 
+/** Maximum number of Key ID's allowed to be cached*/
+#ifndef PKCS11_MAX_KEYS_CACHED
+#define PKCS11_MAX_KEYS_CACHED       ${PKCS11_MAX_KEYS_CACHED}
+#endif
+
 /** Maximum number of cryptographic objects allowed to be cached */
 #ifndef PKCS11_MAX_OBJECTS_ALLOWED
 #define PKCS11_MAX_OBJECTS_ALLOWED      ${CAL_PKCS11_MAX_OBJECTS}

diff --git a/lib/atca_basic.c b/lib/atca_basic.c
@@ -3548,7 +3548,7 @@ ATCA_STATUS atcab_sha_hmac_init(atca_hmac_sha256_ctx_t* ctx, uint16_t key_slot)
     ATCA_STATUS status = ATCA_UNIMPLEMENTED;
     ATCADeviceType dev_type = atcab_get_device_type();
 
-    if (atcab_is_ca_device(dev_type))
+    if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type))
     {
 #if CALIB_SHA_HMAC_EN
         status = calib_sha_hmac_init(g_atcab_device_ptr, ctx, key_slot);
@@ -3579,7 +3579,7 @@ ATCA_STATUS atcab_sha_hmac_update(atca_hmac_sha256_ctx_t* ctx, const uint8_t* da
     ATCA_STATUS status = ATCA_UNIMPLEMENTED;
     ATCADeviceType dev_type = atcab_get_device_type();
 
-    if (atcab_is_ca_device(dev_type))
+    if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type))
     {
 #if CALIB_SHA_HMAC_EN
         status = calib_sha_hmac_update(g_atcab_device_ptr, ctx, data, data_size);
@@ -3613,7 +3613,7 @@ ATCA_STATUS atcab_sha_hmac_finish(atca_hmac_sha256_ctx_t* ctx, uint8_t* digest,
     ATCA_STATUS status = ATCA_UNIMPLEMENTED;
     ATCADeviceType dev_type = atcab_get_device_type();
 
-    if (atcab_is_ca_device(dev_type))
+    if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type))
     {
 #if CALIB_SHA_HMAC_EN
         status = calib_sha_hmac_finish(g_atcab_device_ptr, ctx, digest, target);
@@ -3650,7 +3650,7 @@ ATCA_STATUS atcab_sha_hmac_ext(ATCADevice device, const uint8_t* data, size_t da
     ATCA_STATUS status = ATCA_UNIMPLEMENTED;
     ATCADeviceType dev_type = atcab_get_device_type_ext(device);
 
-    if (atcab_is_ca_device(dev_type))
+    if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type))
     {
 #if CALIB_SHA_HMAC_EN
         status = calib_sha_hmac(device, data, data_size, key_slot, digest, target);

diff --git a/lib/atca_config_check.h b/lib/atca_config_check.h
@@ -124,6 +124,10 @@
 #define ATCACERT_EN             (DEFAULT_ENABLED)
 #endif
 
+#ifndef ATCA_NO_HEAP
+#define ATCA_HEAP
+#endif 
+
 /**** AES command ****/
 
 /** \def ATCAB_AES

diff --git a/lib/atca_version.h b/lib/atca_version.h
@@ -30,9 +30,9 @@
 #define ATCA_VERSION_H
 
 // Version format yyyymmdd
-#define ATCA_LIBRARY_VERSION_DATE   "20231222"
+#define ATCA_LIBRARY_VERSION_DATE   "20240131"
 #define ATCA_LIBRARY_VERSION_MAJOR  3
 #define ATCA_LIBRARY_VERSION_MINOR  7
-#define ATCA_LIBRARY_VERSION_BUILD  2
+#define ATCA_LIBRARY_VERSION_BUILD  3
 
 #endif /* ATCA_VERSION_H */
diff --git a/lib/atcacert/atcacert_client.c b/lib/atcacert/atcacert_client.c
@@ -33,7 +33,10 @@
 #include "atcacert_der.h"
 #include "atcacert_pem.h"
 #include "cryptoauthlib.h"
+
+#if ATCA_CA_SUPPORT
 #include "calib/calib_basic.h"
+#endif
 
 #if ATCACERT_COMPCERT_EN
 
@@ -146,10 +149,12 @@ ATCA_STATUS atcacert_read_cert_ext(ATCADevice            device,
                                    size_t*               cert_size)
 {
     ATCA_STATUS ret = ATCACERT_E_BAD_PARAMS;
+#if ATCACERT_COMPCERT_EN
     atcacert_device_loc_t device_locs[16];
     size_t device_locs_count = 0;
     size_t i = 0;
     atcacert_build_state_t build_state;
+#endif
 
     if (cert_def == NULL || cert_size == NULL)
     {
@@ -245,9 +250,11 @@ ATCA_STATUS atcacert_write_cert_ext(ATCADevice            device,
                                     size_t                cert_size)
 {
     ATCA_STATUS ret = 0;
+#if ATCACERT_COMPCERT_EN
     atcacert_device_loc_t device_locs[16];
     size_t device_locs_count = 0;
     size_t i = 0;
+#endif
 
     if (cert_def == NULL || cert == NULL)
     {
@@ -511,9 +518,11 @@ ATCA_STATUS atcacert_read_cert_size_ext(ATCADevice            device,
                                         const atcacert_def_t* cert_def,
                                         size_t*               cert_size)
 {
+    ATCA_STATUS ret = ATCACERT_E_SUCCESS;
+#if ATCACERT_COMPCERT_EN
     uint8_t buffer[75];
     size_t buflen = sizeof(buffer);
-    ATCA_STATUS ret = ATCACERT_E_SUCCESS;
+#endif
 
     if ((NULL == cert_def) || (NULL == cert_size))
     {

diff --git a/lib/atcacert/atcacert_def.c b/lib/atcacert/atcacert_def.c
@@ -1131,6 +1131,7 @@ ATCA_STATUS atcacert_get_expire_date(const atcacert_def_t* cert_def,
     return status;
 }
 
+#if ATCACERT_COMPCERT_EN
 static void uint8_to_hex(uint8_t num, uint8_t* hex_str)
 {
     uint8_t nibble = (num >> 4) & 0x0Fu;
@@ -1154,7 +1155,6 @@ static void uint8_to_hex(uint8_t num, uint8_t* hex_str)
     }
 }
 
-#if ATCACERT_COMPCERT_EN
 ATCA_STATUS atcacert_set_signer_id(const atcacert_def_t* cert_def,
                                    uint8_t*              cert,
                                    size_t                cert_size,
@@ -1172,7 +1172,6 @@ ATCA_STATUS atcacert_set_signer_id(const atcacert_def_t* cert_def,
 
     return atcacert_set_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_SIGNER_ID], cert, cert_size, hex_str, 4);
 }
-#endif
 
 static ATCA_STATUS hex_to_uint8(const uint8_t hex_str[2], uint8_t* num)
 {
@@ -1215,7 +1214,6 @@ static ATCA_STATUS hex_to_uint8(const uint8_t hex_str[2], uint8_t* num)
     return ATCACERT_E_SUCCESS;
 }
 
-#if ATCACERT_COMPCERT_EN
 ATCA_STATUS atcacert_get_signer_id(const atcacert_def_t* cert_def,
                                    const uint8_t*        cert,
                                    size_t                cert_size,

diff --git a/lib/calib/calib_sha.c b/lib/calib/calib_sha.c
@@ -489,25 +489,30 @@ ATCA_STATUS calib_sha_hmac_update(ATCADevice device, atca_hmac_sha256_ctx_t* ctx
  */
 ATCA_STATUS calib_sha_hmac_finish(ATCADevice device, atca_hmac_sha256_ctx_t *ctx, uint8_t* digest, uint8_t target)
 {
-    uint8_t mode = SHA_MODE_HMAC_END;
+    uint8_t mode;
     uint16_t digest_size = 32;
+    ATCADeviceType dev_type = device->mIface.mIfaceCFG->devtype;
 
     if (device == NULL)
     {
         return ATCA_TRACE(ATCA_BAD_PARAM, "NULL pointer received");
     }
 
-    if (ATECC608A == device->mIface.mIfaceCFG->devtype)
+    switch (dev_type)
     {
-        mode = SHA_MODE_608_HMAC_END;
-    }
-    if (atcab_is_ca2_device(device->mIface.mIfaceCFG->devtype))
-    {
-        mode = SHA_MODE_ECC204_HMAC_END;
-    }
-    if (target != SHA_MODE_TARGET_TEMPKEY)
-    {
-        return ATCA_TRACE(ATCA_BAD_PARAM, "Invalid target received");
+        case ATECC608:
+            mode = SHA_MODE_608_HMAC_END;
+            break;
+#if ATCA_CA2_SUPPORT
+        case ECC204:
+        /* fallthrough */
+        case TA010:
+            mode = SHA_MODE_ECC204_HMAC_END;
+            break;
+#endif
+        default:
+            mode = SHA_MODE_HMAC_END;
+            break;
     }
 
     mode |= target;

diff --git a/lib/cmake/pkcs11.cmake b/lib/cmake/pkcs11.cmake
@@ -17,6 +17,7 @@ option(PKCS11_AUTH_TERMINATE_BEFORE_LOGIN    "Enable auth terminate before c_log
 set(PKCS11_MAX_SLOTS_ALLOWED    1   CACHE STRING "Maximum number of slots allowed in the system")
 set(PKCS11_MAX_SESSIONS_ALLOWED 10  CACHE STRING "Maximum number of total sessions allowed in the system")
 set(PKCS11_MAX_CERTS_CACHED     5   CACHE STRING "Maximum number of x509 certificates allowed to be cached")
+set(PKCS11_MAX_KEYS_CACHED      5   CACHE STRING "Maximum number of key IDs allowed to be cached")
 set(PKCS11_MAX_OBJECTS_ALLOWED  16  CACHE STRING "Maximum number of cryptographic objects allowed to be cached")
 set(PKCS11_MAX_LABEL_SIZE       30  CACHE STRING "Maximum label size in characters")
 set(PKCS11_MAX_CONFIG_ALLOWED 7 CACHE STRING "Maximum depth to configuration options")

diff --git a/lib/cryptoauthlib.h b/lib/cryptoauthlib.h
@@ -69,6 +69,8 @@
 #define ATCA_ECCP256_PUBKEY_SIZE            (64u)
 #define ATCA_ECCP256_SIG_SIZE               (64u)
 
+#define ATCA_ECC_UNCOMPRESSED_TYPE          ((uint8_t)0x04)
+
 #define ATCA_ZONE_CONFIG                    ((uint8_t)0x00)
 #define ATCA_ZONE_OTP                       ((uint8_t)0x01)
 #define ATCA_ZONE_DATA                      ((uint8_t)0x02)

diff --git a/lib/mbedtls/atca_mbedtls_wrap.c b/lib/mbedtls/atca_mbedtls_wrap.c
@@ -773,13 +773,12 @@ ATCA_STATUS atcac_pk_free(
     struct atcac_pk_ctx* ctx /**< [in] pointer to a pk context */
     )
 {
-    ATCA_STATUS status = ATCA_BAD_PARAM;
+    ATCA_STATUS status = ATCA_SUCCESS;
 
     if (NULL != ctx)
     {
         void* tmp_ptr = ctx;
-        mbedtls_pk_init((mbedtls_pk_context*)tmp_ptr);
-        status = ATCA_SUCCESS;
+        mbedtls_pk_free((mbedtls_pk_context*)tmp_ptr);
     }
     return status;
 }

diff --git a/lib/pkcs11/pkcs11_cert.c b/lib/pkcs11/pkcs11_cert.c
@@ -1087,7 +1087,7 @@ CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, p
 }
 
 /* Called from auth session to clear the certificate */
-CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx)
+CK_RV pkcs11_cert_clear_session_cache(pkcs11_session_ctx_ptr session_ctx)
 {
     CK_RV rv = CKR_GENERAL_ERROR;
 
@@ -1133,7 +1133,7 @@ CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx)
 }
 
 /* Called to free certificate object */
-CK_RV pkcs11_cert_clear_cache(pkcs11_object_ptr pObject)
+CK_RV pkcs11_cert_clear_object_cache(pkcs11_object_ptr pObject)
 {
     CK_RV rv = CKR_GENERAL_ERROR;
 

diff --git a/lib/pkcs11/pkcs11_cert.h b/lib/pkcs11/pkcs11_cert.h
@@ -45,8 +45,8 @@ extern const CK_ULONG pkcs11_cert_x509_attributes_count;
 
 CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr pSession);
 CK_RV pkcs11_cert_load(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device);
-CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx);
-CK_RV pkcs11_cert_clear_cache(pkcs11_object_ptr pObject);
+CK_RV pkcs11_cert_clear_session_cache(pkcs11_session_ctx_ptr session_ctx);
+CK_RV pkcs11_cert_clear_object_cache(pkcs11_object_ptr pObject);
 
 #ifdef __cplusplus
 }

diff --git a/lib/pkcs11/pkcs11_config.c b/lib/pkcs11/pkcs11_config.c
@@ -68,6 +68,7 @@ void pkcs11_config_init_private(pkcs11_object_ptr pObject, const char * label, s
     pObject->class_type = CKK_EC;
     pObject->attributes = pkcs11_key_private_attributes;
     pObject->count = pkcs11_key_private_attributes_count;
+    pObject->flags = PKCS11_OBJECT_FLAG_KEY_CACHE;
 #if ATCA_CA_SUPPORT
     pObject->data = NULL;
 #endif
@@ -86,6 +87,7 @@ void pkcs11_config_init_public(pkcs11_object_ptr pObject, const char * label, si
     pObject->class_type = CKK_EC;
     pObject->attributes = pkcs11_key_public_attributes;
     pObject->count = pkcs11_key_public_attributes_count;
+    pObject->flags = PKCS11_OBJECT_FLAG_KEY_CACHE;
 #if ATCA_CA_SUPPORT
     pObject->data = NULL;
 #endif
@@ -636,7 +638,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
         {
             pkcs11_config_init_private(pObject, argv[1], strlen(argv[1]));
             pObject->slot = slot;
-            pObject->flags = 0;
 #if ATCA_CA_SUPPORT
             pObject->config = &slot_ctx->cfg_zone;
 #endif
@@ -651,7 +652,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
         {
             pkcs11_config_init_public(pPubkey, argv[1], strlen(argv[1]));
             pPubkey->slot = slot;
-            pPubkey->flags = 0;
 #if ATCA_CA_SUPPORT
             pPubkey->config = &slot_ctx->cfg_zone;
 #endif
@@ -679,7 +679,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs
                 pObject->slot = (uint16_t)l_tmp;
             }
 
-            pObject->flags = 0;
 #if ATCA_CA_SUPPORT
             pObject->config = &slot_ctx->cfg_zone;
 #endif

diff --git a/lib/pkcs11/pkcs11_config.h.in b/lib/pkcs11/pkcs11_config.h.in
@@ -75,6 +75,11 @@
 #define PKCS11_MAX_CERTS_CACHED         (@PKCS11_MAX_CERTS_CACHED@U)
 #endif
 
+/** Maximum number of Key ID's allowed to be cached */
+#ifndef PKCS11_MAX_KEYS_CACHED
+#define PKCS11_MAX_KEYS_CACHED          (@PKCS11_MAX_KEYS_CACHED@U)
+#endif
+
 /** Maximum number of cryptographic objects allowed to be cached */
 #ifndef PKCS11_MAX_OBJECTS_ALLOWED
 #define PKCS11_MAX_OBJECTS_ALLOWED      (@PKCS11_MAX_OBJECTS_ALLOWED@U)