[PATCH 30/41] cms_defconfig: fix build

[Stefano Babic]

defconfig and tests are planned to run with just one crypto provider, so
fix it for now.

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---
configs/cms_defconfig | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/configs/cms_defconfig b/configs/cms_defconfig
index 887cf138..903289dd 100644
--- a/configs/cms_defconfig
+++ b/configs/cms_defconfig
@@ -4,14 +4,19 @@ CONFIG_HW_COMPATIBILITY=y
# CONFIG_MTD is not set
CONFIG_EXTRA_CFLAGS="-g"
CONFIG_DOWNLOAD=y
+CONFIG_SURICATTA=y
+CONFIG_SURICATTA_SSL=y
CONFIG_WEBSERVER=y
CONFIG_MONGOOSESSL=y
-CONFIG_SIGNED_IMAGES=y
-CONFIG_SIGALG_CMS=y
+CONFIG_HASH_VERIFY=y
CONFIG_ENCRYPTED_IMAGES=y
CONFIG_LUAEXTERNAL=y
CONFIG_ARCHIVE=y
+CONFIG_BOOTLOADERHANDLER=y
CONFIG_LUASCRIPTHANDLER=y
+CONFIG_EMMC_HANDLER=y
CONFIG_RAW=y
CONFIG_REMOTE_HANDLER=y
CONFIG_SHELLSCRIPTHANDLER=y
+CONFIG_SWUFORWARDER_HANDLER=y
+CONFIG_UCFWHANDLER=y
--
2.43.0

[Stefano Babic]

Fix warninings like:

swupdate_decrypt_wolfssl.c:114:13: warning: the comparison will
always evaluate as ‘true’ for the address of ‘pkdev’ will never be NULL [-Waddress]

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

crypto/swupdate_decrypt_wolfssl.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/crypto/swupdate_decrypt_wolfssl.c b/crypto/swupdate_decrypt_wolfssl.c
index 8f42fc33..e63eed02 100644
--- a/crypto/swupdate_decrypt_wolfssl.c
+++ b/crypto/swupdate_decrypt_wolfssl.c
@@ -109,10 +109,8 @@ err_msg:
ERROR("PKCS#11 initialization failed: %s", msg);

err_free:
- if (&dgst->pktoken)
- wc_Pkcs11Token_Final(&dgst->pktoken);
- if (&dgst->pkdev)
- wc_Pkcs11_Finalize(&dgst->pkdev);
+ wc_Pkcs11Token_Final(&dgst->pktoken);
+ wc_Pkcs11_Finalize(&dgst->pkdev);

p11_kit_uri_free(dgst->p11uri);
free(dgst);
@@ -188,10 +186,8 @@ static void wolfssl_DECRYPT_cleanup(void *ctx)
{
struct wolfssl_digest *dgst = (struct wolfssl_digest *)ctx;
if (dgst) {
- if (&dgst->pktoken)
- wc_Pkcs11Token_Final(&dgst->pktoken);
- if (&dgst->pkdev)
- wc_Pkcs11_Finalize(&dgst->pkdev);
+ wc_Pkcs11Token_Final(&dgst->pktoken);
+ wc_Pkcs11_Finalize(&dgst->pkdev);
p11_kit_uri_free(dgst->p11uri);

free(dgst);
--
2.43.0

[Stefano Babic]

fix the warnings due to signedness:

crypto/swupdate_decrypt_pkcs11.c: In function ‘wolfssl_DECRYPT_init’:
crypto/swupdate_decrypt_pkcs11.c:51:33: warning: pointer targets in passing argument 1
i of ‘p11_kit_uri_parse’ differ in signedness [-Wpointer-sign]
51 | err = p11_kit_uri_parse(uri, P11_KIT_URI_FOR_ANY, dgst->p11uri);
| ^~~
| |
| unsigned char *

crypto/swupdate_decrypt_pkcs11.c:83:56: warning: pointer targets in passing argument 5
of ‘wc_Pkcs11Token_Init’ differ in signedness [-Wpointer-sign]
83 | "unspecified", pin, strlen(pin));
| ^~~
| |
| const char *

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

crypto/swupdate_decrypt_pkcs11.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/swupdate_decrypt_pkcs11.c b/crypto/swupdate_decrypt_pkcs11.c
index 7991286d..8f42fc33 100644
--- a/crypto/swupdate_decrypt_pkcs11.c
+++ b/crypto/swupdate_decrypt_pkcs11.c
@@ -25,7 +25,7 @@ static void wolfssl_debug(int __attribute__ ((__unused__)) level, const char *co
}
#endif

-static void *wolfssl_DECRYPT_init(unsigned char *uri,
+static void *wolfssl_DECRYPT_init(unsigned char *key,
char __attribute__ ((__unused__)) keylen, unsigned char *iv)
{
struct wolfssl_digest *dgst;
@@ -37,6 +37,7 @@ static void *wolfssl_DECRYPT_init(unsigned char *uri,
int err = 0;
int dev_id = 1;

+ const char *uri = (const char *)key;
if ((uri == NULL) || (iv == NULL)) {
ERROR("PKCS#11 URI or AES IV missing for decryption!");
return NULL;
@@ -80,7 +81,7 @@ static void *wolfssl_DECRYPT_init(unsigned char *uri,
goto err_msg;

err = wc_Pkcs11Token_Init(&dgst->pktoken, &dgst->pkdev, slot_id,
- "unspecified", pin, strlen(pin));
+ "unspecified", (unsigned char *)pin, strlen(pin));
if (err)
goto err_msg;

--
2.43.0

[Stefano Babic]

With multiple crypto Engines, MG_TLS is defined multiple times. Choose
one implementation for Mongoose, and activate it in the following order:
1. openssl
2. mbedTLS
3. wolfSSL

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

mongoose/Makefile | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/mongoose/Makefile b/mongoose/Makefile
index c42f1e76..691b29c4 100644
--- a/mongoose/Makefile
+++ b/mongoose/Makefile
@@ -16,12 +16,10 @@ endif
ifneq ($(CONFIG_MONGOOSESSL),)
ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
KBUILD_CFLAGS += -DMG_TLS=2
-endif
-ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
-KBUILD_CFLAGS += -DMG_TLS=5
-endif
-ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
+else ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
KBUILD_CFLAGS += -DMG_TLS=1
+else ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
+KBUILD_CFLAGS += -DMG_TLS=5
endif
endif
endif
--
2.43.0

[Stefano Babic]

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

configs/crypto_all_defconfig | 42 ++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 configs/crypto_all_defconfig

diff --git a/configs/crypto_all_defconfig b/configs/crypto_all_defconfig
new file mode 100644
index 00000000..ee6064e6
--- /dev/null
+++ b/configs/crypto_all_defconfig
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2021 Stefano Babic <stefan...@swupdate.org>
+# SPDX-License-Identifier: CC0-1.0
+CONFIG_HW_COMPATIBILITY=y
+CONFIG_LUAPKG="lua5.2"
+CONFIG_EXTRA_CFLAGS="-g"
+CONFIG_DOWNLOAD=y
+CONFIG_DOWNLOAD_SSL=y
+CONFIG_SURICATTA=y
+CONFIG_SURICATTA_SSL=y
+CONFIG_WEBSERVER=y
+CONFIG_MONGOOSESSL=y
+CONFIG_SSL_IMPL_WOLFSSL=y
+CONFIG_SSL_IMPL_MBEDTLS=y
+CONFIG_SIGNED_IMAGES=y
+CONFIG_SIGALG_RAWRSA=y
+CONFIG_SIGALG_RSAPSS=y
+CONFIG_SIGALG_CMS=y
+CONFIG_ENCRYPTED_IMAGES=y
+CONFIG_ENCRYPTED_IMAGES_HARDEN_LOGGING=y
+CONFIG_PKCS11=y
+CONFIG_ZSTD=y
+CONFIG_LUAEXTERNAL=y
+CONFIG_ARCHIVE=y
+CONFIG_BOOTLOADERHANDLER=y
+CONFIG_CFI=y
+CONFIG_DELTA=y
+CONFIG_DISKPART=y
+CONFIG_DISKPART_FORMAT=y
+CONFIG_DISKFORMAT_HANDLER=y
+CONFIG_FAT_FILESYSTEM=y
+CONFIG_EXT_FILESYSTEM=y
+CONFIG_LUASCRIPTHANDLER=y
+CONFIG_RAW=y
+CONFIG_RDIFFHANDLER=y
+CONFIG_READBACKHANDLER=y
+CONFIG_REMOTE_HANDLER=y
+CONFIG_SHELLSCRIPTHANDLER=y
+CONFIG_SWUFORWARDER_HANDLER=y
+CONFIG_SSBLSWITCH=y
+CONFIG_UBIVOL=y
+CONFIG_UCFWHANDLER=y
+CONFIG_UNIQUEUUID=y
--
2.43.0

[Stefano Babic]

Multiple algorythms and libraries can be built inside the same SWUpdate
binary, as default the first one is chosen. Allow to set at the startup
which provider for the a service should be used.

Allowed services: decrypt, hash, digest

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

core/swupdate.c | 67 ++++++++++++++++++++++++++---
examples/configuration/swupdate.cfg | 14 ++++++
include/swupdate.h | 7 +++
3 files changed, 82 insertions(+), 6 deletions(-)

diff --git a/core/swupdate.c b/core/swupdate.c
index ac22185c..eca29846 100644
--- a/core/swupdate.c
+++ b/core/swupdate.c
@@ -105,9 +105,14 @@ static struct option long_options[] = {
{"gpg-home-dir", required_argument, NULL, '4'},
{"gpg-protocol", required_argument, NULL, '5'},
#endif
+ {"digest-provider", required_argument, NULL, '6'},
#endif
#ifdef CONFIG_ENCRYPTED_IMAGES
{"key-aes", required_argument, NULL, 'K'},
+ {"decrypt-provider", required_argument, NULL, '8'},
+#endif
+#ifdef CONFIG_HASH_VERIFY
+ {"hash-provider", required_argument, NULL, '7'},
#endif
{"loglevel", required_argument, NULL, 'l'},
{"max-version", required_argument, NULL, '3'},
@@ -159,6 +164,7 @@ static void usage(char *programname)
" -l, --loglevel <level> : logging level\n"
" -L, --syslog : enable syslog logger\n"
#ifdef CONFIG_SIGNED_IMAGES
+ " -6, --digest-provider <string> : the provider used to verify the update\n"
" -k, --key <public key file> : file with public key to verify images\n"
" --cert-purpose <purpose> : set expected certificate purpose\n"
" [emailProtection|codeSigning] (default: emailProtection)\n"
@@ -175,6 +181,10 @@ static void usage(char *programname)
#ifdef CONFIG_ENCRYPTED_IMAGES
" -K, --key-aes <key file> : the file contains the symmetric key to be used\n"
" to decrypt images\n"
+ " -8, --decrypt-provider <string>: the provider used for decryption\n"
+#endif
+#ifdef CONFIG_HASH_VERIFY
+ " -7, --hash-provider <string> : the provider used to perform hashes\n"
#endif
" -n, --dry-run : run SWUpdate without installing the software\n"
" -N, --no-downgrading <version> : not install a release older as <version>\n"
@@ -404,6 +414,16 @@ static int read_globals_settings(void *elem, void *data)

char software_select[SWUPDATE_GENERAL_STRING_SIZE] = "";
GET_FIELD_STRING(LIBCFG_PARSER, elem, "select", software_select);
+ GET_FIELD_STRING(LIBCFG_PARSER, elem,
+ "gpg-home-dir", sw->gpg_home_directory);
+ GET_FIELD_STRING(LIBCFG_PARSER, elem,
+ "gpgme-protocol", sw->gpgme_protocol);
+ GET_FIELD_STRING(LIBCFG_PARSER, elem,
+ "hash-provider", sw->hash_provider);
+ GET_FIELD_STRING(LIBCFG_PARSER, elem,
+ "decrypt-provider", sw->decrypt_provider);
+ GET_FIELD_STRING(LIBCFG_PARSER, elem,
+ "digest-provider", sw->digest_provider);
if (software_select[0] != '\0') {
/* by convention, errors in a configuration section are ignored */
(void)parse_image_selector(software_select, sw);
@@ -803,6 +823,21 @@ int main(int argc, char **argv)
optarg,
sizeof(swcfg.gpgme_protocol));
break;
+ case '6':
+ strlcpy(swcfg.digest_provider,
+ optarg,
+ sizeof(swcfg.digest_provider));
+ break;
+ case '7':
+ strlcpy(swcfg.hash_provider,
+ optarg,
+ sizeof(swcfg.hash_provider));
+ break;
+ case '8':
+ strlcpy(swcfg.decrypt_provider,
+ optarg,
+ sizeof(swcfg.decrypt_provider));
+ break;
#ifdef CONFIG_ENCRYPTED_IMAGES
case 'K':
if (optarg) strlcpy(swcfg.aeskeyfname,
@@ -955,15 +990,26 @@ int main(int argc, char **argv)

swupdate_crypto_init();

-#ifdef CONFIG_SIGNED_IMAGES
- if (strlen(swcfg.publickeyfname) || strlen(swcfg.gpg_home_directory)) {
- if (swupdate_dgst_init(&swcfg, swcfg.publickeyfname)) {
- fprintf(stderr,
- "Error: Crypto cannot be initialized.\n");
+ if (strlen(swcfg.hash_provider)) {
+ if (set_HASHlib(swcfg.hash_provider)) {
+ ERROR("HASH provider %s cannot be set", swcfg.hash_provider);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (strlen(swcfg.decrypt_provider)) {
+ if (set_cryptolib(swcfg.decrypt_provider)) {
+ ERROR("Decrypt provider %s cannot be set", swcfg.decrypt_provider);
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (strlen(swcfg.digest_provider)) {
+ if (set_dgstlib(swcfg.digest_provider)) {
+ ERROR("Verification provider %s cannot be set", swcfg.digest_provider);
exit(EXIT_FAILURE);
}
}
-#endif

printf("%s\n\n", BANNER);
printf("Licensed under GPLv2. See source distribution for detailed "
@@ -986,6 +1032,15 @@ int main(int argc, char **argv)
print_registered_updatetypes(&swcfg);
print_registered_cryptolib();

+#ifdef CONFIG_SIGNED_IMAGES
+ if (strlen(swcfg.publickeyfname) || strlen(swcfg.gpg_home_directory)) {
+ if (swupdate_dgst_init(&swcfg, swcfg.publickeyfname)) {
+ ERROR("Error: Crypto cannot be initialized.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+#endif
+
/*
* Install a child handler to check if a subprocess
* dies
diff --git a/examples/configuration/swupdate.cfg b/examples/configuration/swupdate.cfg
index 7497a8cf..578a47a8 100644
--- a/examples/configuration/swupdate.cfg
+++ b/examples/configuration/swupdate.cfg
@@ -12,6 +12,20 @@
#
# verbose : boolean
# set verbose mode (Default: false)
+#
+# decrypt-provider : string
+# if multiple algos are regitered
+# choose which one should be used (mbedTLS, openssl,wolfssl)
+#
+# hash-provider : string
+# if multiple algos are regitered
+# choose which one should be used (mbedTLS, openssl,wolfssl)
+#
+# digest-provider : string
+# if multiple algos are regitered
+# choose which one should be used
+# (opensslCMS, GPG, pkcs#7WolfSSL, mbedTLSRSA, opensslRSA)
+#
# loglevel : integer
# level for logging from 1 (no log) to 6
# syslog : boolean
diff --git a/include/swupdate.h b/include/swupdate.h
index 4e186bef..59b085b6 100644
--- a/include/swupdate.h
+++ b/include/swupdate.h
@@ -112,6 +112,13 @@ struct swupdate_cfg {
char gpg_home_directory[SWUPDATE_GENERAL_STRING_SIZE];
char gpgme_protocol[SWUPDATE_GENERAL_STRING_SIZE];
int swdesc_max_size;
+ /*
+ * Select which provider is used in case of multiple
+ * crypto libraries
+ */
+ char hash_provider[SWUPDATE_GENERAL_STRING_SIZE];
+ char decrypt_provider[SWUPDATE_GENERAL_STRING_SIZE];
+ char digest_provider[SWUPDATE_GENERAL_STRING_SIZE];
};

struct swupdate_cfg *get_swupdate_cfg(void);
--
2.43.0

[Stefano Babic]

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

ci/setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci/setup.sh b/ci/setup.sh
index bd6ded17..067d49d9 100755
--- a/ci/setup.sh
+++ b/ci/setup.sh
@@ -49,6 +49,7 @@ $_SUDO apt-get -qq update && apt-get install --yes --no-install-recommends \
liburiparser-dev \
libwebsockets-dev \
liblzma-dev \
+ libwolfssl-dev \
libzstd-dev \
make \
npm \
@@ -56,7 +57,6 @@ $_SUDO apt-get -qq update && apt-get install --yes --no-install-recommends \
uuid-dev \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/*
-
# packages are too old in Ubuntu Jammy and Debian Bookworm
if ! grep -qP "VERSION_CODENAME=(jammy|bookworm)" /etc/os-release; then
$_SUDO apt-get -qq update && apt-get install --yes --no-install-recommends \
--
2.43.0

[Stefano Babic]

The rule for modules is :

swupdate_<HASH|decrypt|verify>_<crypto library>

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

crypto/Makefile | 4 +++-
.../{swupdate_decrypt_pkcs11.c => swupdate_decrypt_wolfssl.c} | 0
2 files changed, 3 insertions(+), 1 deletion(-)
rename crypto/{swupdate_decrypt_pkcs11.c => swupdate_decrypt_wolfssl.c} (100%)

diff --git a/crypto/Makefile b/crypto/Makefile
index 62775a50..4d06bec0 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -13,7 +13,9 @@ endif
ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_wolfssl.o
obj-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify_wolfssl.o
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+ifeq ($(CONFIG_PKCS11),y)
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_wolfssl.o
+endif
endif

ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
diff --git a/crypto/swupdate_decrypt_pkcs11.c b/crypto/swupdate_decrypt_wolfssl.c
similarity index 100%
rename from crypto/swupdate_decrypt_pkcs11.c
rename to crypto/swupdate_decrypt_wolfssl.c
--
2.43.0

[Stefano Babic]

CMS test is currently supported only with openSSL. Select CMS to run the
test case. Tests should be extended to support the other providers.

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

scripts/acceptance-tests/CheckImage.mk | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index e29fef52..fdd96af5 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -6,7 +6,7 @@
#
# test commands for --check command-line option
#
-SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGALG_CMS),-k $(obj)/cacert.pem) $(if $(strip $(filter %.cfg, $^)), -f $(filter %.cfg, $^))
+SWU_CHECK_BASE = ./swupdate -l 5 -c $(if $(CONFIG_SIGALG_CMS),-k $(obj)/cacert.pem --digest-provider opensslCMS) $(if $(strip $(filter %.cfg, $^)), -f $(filter %.cfg, $^))
SWU_CHECK = $(SWU_CHECK_BASE) $(if $(CONFIG_HW_COMPATIBILITY),-H test:1) $(if $(strip $(filter-out FORCE,$<)),-i $<) $(if $(strip $(KBUILD_VERBOSE:0=)),,>/dev/null 2>&1)

quiet_cmd_swu_check_assert_false = RUN $@
--
2.43.0

[Stefano Babic]

Having multiple crypto engines with different structures, the user
cannot know which is the chosen engine and it should not reference to a
fix structure.

This remove warning:

core/cpio_utils.c:437:32: warning: ‘struct swupdate_digest’ declared
inside parameter list will not be visible outside of this definition or
declaration

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---

core/cpio_utils.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/cpio_utils.c b/core/cpio_utils.c
index df08dd32..0b4d385f 100644
--- a/core/cpio_utils.c
+++ b/core/cpio_utils.c
@@ -488,7 +488,7 @@ static int zstd_step(void* state, void* buffer, size_t size)

#endif

-static int hash_compare(struct swupdate_digest *dgst, unsigned char *hash)
+static int hash_compare(void *dgst, unsigned char *hash)
{
/*
* SHA256_HASH_LENGTH should be enough but openssl might write
--
2.43.0

[Stefano Babic]

defconfig and tests are planned to run with just one crypto provider, so
fix it for now.

Signed-off-by: Stefano Babic <stefan...@swupdate.org>

Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>

[Stefano Babic]

Multiple algorythms and libraries can be built inside the same SWUpdate
binary, as default the first one is chosen. Allow to set at the startup
which provider for the a service should be used.

Allowed services: decrypt, hash, digest

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

index 4e186bef..59b085b6 100644
--- a/include/swupdate.h

[Stefano Babic]

fix the warnings due to signedness:

crypto/swupdate_decrypt_pkcs11.c: In function ‘wolfssl_DECRYPT_init’:
crypto/swupdate_decrypt_pkcs11.c:51:33: warning: pointer targets in passing argument 1
i of ‘p11_kit_uri_parse’ differ in signedness [-Wpointer-sign]
51 | err = p11_kit_uri_parse(uri, P11_KIT_URI_FOR_ANY, dgst->p11uri);
| ^~~
| |
| unsigned char *

crypto/swupdate_decrypt_pkcs11.c:83:56: warning: pointer targets in passing argument 5
of ‘wc_Pkcs11Token_Init’ differ in signedness [-Wpointer-sign]
83 | "unspecified", pin, strlen(pin));
| ^~~
| |
| const char *

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

[Stefano Babic]

The rule for modules is :

swupdate_<HASH|decrypt|verify>_<crypto library>

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

[Stefano Babic]

Fix warninings like:

swupdate_decrypt_wolfssl.c:114:13: warning: the comparison will
always evaluate as ‘true’ for the address of ‘pkdev’ will never be NULL [-Waddress]

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

[Stefano Babic]

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

[Stefano Babic]

CMS test is currently supported only with openSSL. Select CMS to run the
test case. Tests should be extended to support the other providers.

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

scripts/acceptance-tests/CheckImage.mk | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

[Stefano Babic]

With multiple crypto Engines, MG_TLS is defined multiple times. Choose
one implementation for Mongoose, and activate it in the following order:
1. openssl
2. mbedTLS
3. wolfSSL

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

[Stefano Babic]

Having multiple crypto engines with different structures, the user
cannot know which is the chosen engine and it should not reference to a
fix structure.

This remove warning:

core/cpio_utils.c:437:32: warning: ‘struct swupdate_digest’ declared
inside parameter list will not be visible outside of this definition or
declaration

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

core/cpio_utils.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

[Stefano Babic]

Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
---

ci/setup.sh | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci/setup.sh b/ci/setup.sh
index bd6ded17..067d49d9 100755
--- a/ci/setup.sh
+++ b/ci/setup.sh
@@ -49,6 +49,7 @@ $_SUDO apt-get -qq update && apt-get install --yes --no-install-recommends \
liburiparser-dev \
libwebsockets-dev \
liblzma-dev \
+ libwolfssl-dev \
libzstd-dev \
make \
npm \

@@ -56,7 +57,6 @@ $_SUDO apt-get -qq update && apt-get install --yes --no-install-recommends \
uuid-dev \
zlib1g-dev \