wolfProvider Layers Refactor

classes/wolfssl-helper.bbclass

@@ -26,6 +26,131 @@ def wolfssl_conditional_require(d, package_name, inc_path):
         bb.parse.mark_dependency(d, inc_file)
         bb.parse.handle(inc_file, d, True)
 
+
+def wolfssl_conditional_require_mode(d, package_name, mode, inc_file):
+    """
+    Conditionally include an .inc file based on a mode variable and WOLFSSL_FEATURES.
+    Supports space-separated modes (e.g., "replace-default enable-tests").
+
+    Args:
+        d: BitBake datastore
+        package_name: Name of the package to check for (e.g., 'wolfprovider')
+        mode: The expected mode (e.g., 'standalone' or 'replace-default')
+        inc_file: Relative path from layer root to the .inc file
+
+    Returns:
+        True if configuration was included, False otherwise
+
+    Example:
+        wolfssl_conditional_require_mode(
+            d,
+            package_name='wolfprovider',
+            mode='standalone',
+            inc_file='inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc'
+        )
+
+        # Supports multiple modes in WOLFPROVIDER_MODE:
+        # WOLFPROVIDER_MODE = "replace-default enable-tests"
+    """
+    import os
+    import bb.parse
+
+    # Check if package is enabled
+    if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \
+            bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)):
+        bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping")
+        return False
+
+    # Build the mode variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_MODE')
+    mode_var_name = f"{package_name.upper()}_MODE"
+    current_mode_str = d.getVar(mode_var_name) or 'standalone'  # Default to standalone
+
+    # Support space-separated modes: split into list and check if expected mode is in the list
+    current_modes = [m.strip() for m in current_mode_str.split() if m.strip()]
+
+    # Check if expected mode is in the current modes list
+    if mode not in current_modes:
+        bb.debug(2, f"{package_name}: {mode_var_name}='{current_mode_str}' does not contain '{mode}' - skipping")
+        return False
+
+    # Mode found in list - include the configuration
+    # Show all detected modes for clarity
+    bb.note(f"{package_name}: {mode_var_name}='{current_mode_str}' contains '{mode}' mode - including {inc_file}")
+
+    layerdir = d.getVar('WOLFSSL_LAYERDIR')
+    if not layerdir:
+        bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured")
+
+    full_inc_file = os.path.join(layerdir, inc_file)
+    bb.parse.mark_dependency(d, full_inc_file)
+    try:
+        bb.parse.handle(full_inc_file, d, True)
+        return True
+    except Exception as e:
+        bb.fatal(f"Failed to include {full_inc_file}: {e}")
+
+
+def wolfssl_conditional_require_flag(d, package_name, flag_name, inc_file):
+    """
+    Conditionally include an .inc file based on a flags variable and WOLFSSL_FEATURES.
+    Flags are separate from modes - use for features like tests, not OpenSSL configuration.
+
+    Args:
+        d: BitBake datastore
+        package_name: Name of the package to check for (e.g., 'wolfprovider')
+        flag_name: The flag to check for (e.g., 'enable-tests')
+        inc_file: Relative path from layer root to the .inc file
+
+    Returns:
+        True if configuration was included, False otherwise
+
+    Example:
+        wolfssl_conditional_require_flag(
+            d,
+            package_name='wolfprovider',
+            flag_name='enable-tests',
+            inc_file='inc/wolfprovider/wolfprovider-enable-test.inc'
+        )
+
+        # Usage in local.conf:
+        # WOLFPROVIDER_FLAGS = "enable-tests"  # Can be space-separated: "enable-tests other-flag"
+    """
+    import os
+    import bb.parse
+
+    # Check if package is enabled
+    if not (bb.utils.contains('WOLFSSL_FEATURES', package_name, True, False, d) or \
+            bb.utils.contains('IMAGE_INSTALL', package_name, True, False, d)):
+        bb.debug(2, f"{package_name} not in WOLFSSL_FEATURES or IMAGE_INSTALL - skipping")
+        return False
+
+    # Build the flags variable name from package name (e.g., 'wolfprovider' -> 'WOLFPROVIDER_FLAGS')
+    flags_var_name = f"{package_name.upper()}_FLAGS"
+    current_flags_str = d.getVar(flags_var_name) or ''
+
+    # Support space-separated flags: split into list and check if expected flag is in the list
+    current_flags = [f.strip() for f in current_flags_str.split() if f.strip()]
+
+    # Check if expected flag is in the current flags list
+    if flag_name not in current_flags:
+        bb.debug(2, f"{package_name}: {flags_var_name}='{current_flags_str}' does not contain '{flag_name}' - skipping")
+        return False
+
+    # Flag found in list - include the configuration
+    bb.note(f"{package_name}: {flags_var_name}='{current_flags_str}' contains '{flag_name}' flag - including {inc_file}")
+
+    layerdir = d.getVar('WOLFSSL_LAYERDIR')
+    if not layerdir:
+        bb.fatal("WOLFSSL_LAYERDIR not set - ensure meta-wolfssl layer is properly configured")
+
+    full_inc_file = os.path.join(layerdir, inc_file)
+    bb.parse.mark_dependency(d, full_inc_file)
+    try:
+        bb.parse.handle(full_inc_file, d, True)
+        return True
+    except Exception as e:
+        bb.fatal(f"Failed to include {full_inc_file}: {e}")
+
 python do_wolfssl_check_package() {
     """
     Task to check if package is enabled via IMAGE_INSTALL or WOLFSSL_FEATURES

conf/layer.conf

@@ -22,6 +22,7 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
             ${LAYERDIR}/recipes-wolfssl/wolfcrypt-py/*.bb \
             ${LAYERDIR}/recipes-wolfssl/wolfcrypt-py/*.bbappend \
             ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfprovider*.bb \
+            ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfprovider*.bbappend \
             ${LAYERDIR}/recipes-wolfssl/wolfprovider/wolfssl*.bbappend \
             ${LAYERDIR}/recipes-wolfssl/wolfengine/wolfengine*.bb \
             ${LAYERDIR}/recipes-wolfssl/wolfengine/wolfssl*.bbappend \
@@ -35,6 +36,10 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
             ${LAYERDIR}/recipes-examples/wolfssl-py/wolf-py-tests/*.bbappend \
             ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/*.bb \
             ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/*.bbappend \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidercmd/*.bb \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfprovidercmd/*.bbappend \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfproviderenv/*.bb \
+            ${LAYERDIR}/recipes-examples/wolfprovider/wolfproviderenv/*.bbappend \
             ${LAYERDIR}/recipes-examples/wolfengine/wolfenginetest/*.bb \
             ${LAYERDIR}/recipes-examples/wolfengine/wolfenginetest/*.bbappend \
             ${LAYERDIR}/recipes-support/gnutls/*.bbappend \
@@ -78,6 +83,7 @@ BBFILES += "${LAYERDIR}/recipes-wolfssl/wolfssl/*.bb \
 
 BBFILE_COLLECTIONS += "wolfssl"
 BBFILE_PATTERN_wolfssl := "^${LAYERDIR}/"
+# When doing a build with replace default mode enabled, we need to prioritize the wolfssl layer
 BBFILE_PRIORITY_wolfssl = "5"
 
 # Weak default preferred providers for wolf libraries
@@ -156,7 +162,10 @@ BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-image-minimal', '${LA
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfclu-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolftpm-image-minimal', '${LAYERDIR}/recipes-core/images/wolftpm-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolftpm-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-py-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-py-image-minimal/*.bbappend', '', d)}"
-BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-replace-default-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-image-minimal/*.bbappend', '', d)}"
+BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfprovider-replace-default-fips-image-minimal', '${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfprovider-image-minimal/wolfprovider-replace-default-fips-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfssl-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfssl-combined-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'wolfclu-combined-image-minimal', '${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/wolfclu-combined-image-minimal/*.bbappend', '', d)}"
 BBFILES += "${@bb.utils.contains('WOLFSSL_DEMOS', 'libgcrypt-image-minimal', '${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bb ${LAYERDIR}/recipes-core/images/libgcrypt-image-minimal/*.bbappend', '', d)}"

inc/wolfprovider/openssl/openssl-enable-wolfprovider-replace-default.inc

@@ -0,0 +1,82 @@
+# OpenSSL wolfProvider REPLACE-DEFAULT mode configuration
+# This file is included when wolfProvider is configured to replace OpenSSL's default crypto provider
+# It should be included from the image recipe when replace-default mode is desired
+
+# Build OpenSSL as plain, non-FIPS OpenSSL
+# wolfProvider will provide FIPS functionality using wolfSSL FIPS
+
+PACKAGECONFIG:class-target = ""
+EXTRA_OECONF:append:class-target = " no-fips shared "
+
+# OpenSSL target-only tweaks for replace-default mode
+do_configure:prepend:class-target () {
+    set -eu
+
+    # Be explicit about where we are
+    echo "TARGET do_configure prepend: S='${S}', B='${B}'"
+
+    vfile="${S}/VERSION.dat"
+
+    # Sanity check: VERSION.dat must exist at the top of the OpenSSL tree
+    if [ ! -f $vfile ]; then
+        echo "ERROR: $vfile not found in ${S}" >&2
+        exit 1
+    fi
+
+    echo "Injecting BUILD_METADATA into VERSION.dat (target only)"
+    sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider/' $vfile
+
+    # Optional FIPS tag based on image features
+    if echo "${IMAGE_FEATURES}" | grep -qw "fips"; then
+        sed -i 's/^BUILD_METADATA=.*/BUILD_METADATA=wolfProvider-fips/' $vfile
+    fi
+
+}
+
+# Override do_configure to filter enable-fips from the actual configure command
+do_configure:append:class-target () {
+    # The base do_configure uses ${PACKAGECONFIG_CONFARGS} which still has enable-fips
+    # We need to regenerate it without enable-fips
+    # Re-run configure with enable-fips explicitly removed
+    if [ -f "${B}/configdata.pm" ] && grep -q "enable-fips" "${B}/configdata.pm" 2>/dev/null; then
+        bbwarn "REPLACE-DEFAULT MODE: FIPS detected in config, forcing reconfigure without FIPS"
+        cd "${B}"
+        # Get the target from the original config
+        target=$(grep "our \$config{target}" "${B}/configdata.pm" 2>/dev/null | sed "s/.*'\(.*\)'.*/\1/" || echo "linux-x86_64")
+        # Reconfigure without enable-fips
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
+        perl "${S}/Configure" no-fips shared ${EXTRA_OECONF} ${DEPRECATED_CRYPTO_FLAGS} \
+            --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${libdir} "$target"
+        perl "${B}/configdata.pm" --dump
+    fi
+}
+
+# Ensure provider is present on TARGET runtime (doesn't touch -native/-nativesdk)
+RDEPENDS:libcrypto3:append:class-target = " wolfprovider"
+
+# Bring in the replace-default patch (target only)
+SRC_URI:append:class-target = " \
+    git://github.com/wolfSSL/wolfProvider.git;protocol=https;nobranch=1;rev=v1.1.0;destsuffix=git/wolfProvider \
+"
+
+python do_patch:append:class-target () {
+    import os, subprocess
+    s = d.getVar("S")
+    patch_path = os.path.join(d.getVar("WORKDIR"), "git/wolfProvider/patches/openssl3-replace-default.patch")
+    bb.note("REPLACE-DEFAULT MODE: Checking if patch needs to be applied")
+    # Try to apply patch; if it fails with "already applied", log it and continue
+    try:
+        # First check with --dry-run to see if patch can be applied
+        result = subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path, "--dry-run"], 
+                              capture_output=True, text=True, check=False)
+        if result.returncode == 0:
+            bb.note("REPLACE-DEFAULT MODE: Patch can be applied, applying now...")
+            subprocess.run(["patch", "-d", s, "-p1", "-i", patch_path], check=True)
+        else:
+            bb.note("REPLACE-DEFAULT MODE: Patch already applied or cannot apply, skipping")
+            bb.debug(1, f"Patch check output: {result.stderr}")
+    except Exception as e:
+        bb.warn(f"REPLACE-DEFAULT MODE: Error applying patch: {e}")
+}
+
+

inc/wolfprovider/openssl/openssl-enable-wolfprovider.inc

@@ -1,2 +1,6 @@
+# OpenSSL standalone wolfProvider mode configuration
+# Include this file for standard wolfProvider integration as a provider plugin
+
 EXTRA_OECONF += " no-fips shared "
 
+

inc/wolfprovider/wolfssl-enable-wolfprovider-fips.inc

@@ -0,0 +1,22 @@
+# Configuration to enable wolfprovider FIPS support in wolfssl
+# To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF
+
+EXTRA_OECONF += " --enable-fips=v5 --enable-opensslcoexist --enable-debug --enable-keylog-export"
+TARGET_CFLAGS += " -DWOLFSSL_OLD_OID_SUM -DWOLFSSL_DH_EXTRA"
+
+# Use a marker file to signal we are a FIPS build
+WOLFSSL_ISFIPS = "1"
+
+# commercial bundle missing stamp-h.in required by automake with 5.2.1
+do_configure:prepend() {
+    if [ ! -f ${S}/stamp-h.in ]; then
+        touch ${S}/stamp-h.in
+    fi
+}
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/wolfssl
+    echo "1" > ${D}${sysconfdir}/wolfssl/fips-enabled
+}
+
+

inc/wolfprovider/wolfssl-enable-wolfprovider.inc

@@ -1,5 +1,15 @@
 # Configuration to enable wolfprovider support in wolfssl
-EXTRA_OECONF += " --enable-opensslcoexist --enable-cmac --enable-keygen --enable-sha --enable-des3 --enable-aesctr --enable-aesccm --enable-x963kdf --enable-compkey --enable-certgen --enable-aeskeywrap --enable-enckeys --enable-base16 "
-TARGET_CFLAGS += " -DHAVE_AES_ECB -DWOLFSSL_AES_DIRECT -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DECC_MIN_KEY_SZ=192 -DHAVE_PUBLIC_FFDHE -DWOLFSSL_DH_EXTRA -DRSA_MIN_SIZE=1024"
-TARGET_CFLAGS += " ${@'-DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER' if d.getVar('WOLFSSL_TYPE') not in ("fips", "fips-ready") else ''}"
+# To enable debug add `--enable-debug --enable-keylog-export` to EXTRA_OECONF
+
+EXTRA_OECONF += " --enable-all-crypto --with-eccminsz=192 --with-max-ecc-bits=1024 --enable-opensslcoexist --enable-sha --enable-debug --enable-keylog-export"
+TARGET_CFLAGS += " -DWC_RSA_NO_PADDING -DWOLFSSL_PUBLIC_MP -DHAVE_PUBLIC_FFDHE -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_PSS_LONG_SALT -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DRSA_MIN_SIZE=1024 -DWOLFSSL_OLD_OID_SUM"
+
+# Use a marker file to signal we are a non-FIPS build
+WOLFSSL_ISFIPS = "0"
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/wolfssl
+    echo "0" > ${D}${sysconfdir}/wolfssl/fips-enabled
+}
+
 

inc/wolfprovider/wolfssl-enable-wolfprovidertest.inc

@@ -0,0 +1,81 @@
+# Configuration to enable wolfProvider unit tests
+# Modeled exactly after wolfcrypttest approach - simple and clean
+
+FILESEXTRAPATHS:prepend := "${WOLFSSL_LAYERDIR}/recipes-examples/wolfprovider/wolfprovidertest/files:"
+SRC_URI += "file://wolfprovidertest.sh"
+
+# Unit test directory and binary names
+WOLFPROVIDER_TEST_DIR = "${B}/test/.libs"
+WOLFPROVIDER_TEST = "unit.test"
+WOLFPROVIDER_TEST_YOCTO = "unit.test"
+WOLFPROVIDER_INSTALL_DIR = "${D}${bindir}"
+WOLFPROVIDER_CERTS_DIR = "${S}/certs"
+WOLFPROVIDER_CERTS_INSTALL_DIR = "${D}${datadir}/wolfprovider-test/certs"
+
+# Override CERTS_DIR to point to the installed location instead of build directory
+CFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"'
+CXXFLAGS:append = ' -DCERTS_DIR=\\"/usr/share/wolfprovider-test/certs\\"'
+
+# Simple installation using Python function, exactly like wolfcrypttest
+python () {
+    # Get the environment variables
+    test_dir = d.getVar('WOLFPROVIDER_TEST_DIR', True)
+    test_bin = d.getVar('WOLFPROVIDER_TEST', True)
+    test_yocto = d.getVar('WOLFPROVIDER_TEST_YOCTO', True)
+    install_dir = d.getVar('WOLFPROVIDER_INSTALL_DIR', True)
+    certs_dir = d.getVar('WOLFPROVIDER_CERTS_DIR', True)
+    certs_install_dir = d.getVar('WOLFPROVIDER_CERTS_INSTALL_DIR', True)
+
+    bbnote = 'bbnote "Installing wolfProvider Tests"\n'
+    installDir = 'install -m 0755 -d "%s"\n' % (install_dir)
+
+    # Try multiple locations for the test binary (exactly like wolfcrypttest)
+    cpTest = 'if [ -f "%s/%s" ]; then cp "%s/%s" "%s/%s"; ' % (test_dir, test_bin, test_dir, test_bin, install_dir, test_yocto)
+    cpTest += 'elif [ -f "${B}/test/%s" ]; then cp "${B}/test/%s" "%s/%s"; ' % (test_bin, test_bin, install_dir, test_yocto)
+    cpTest += 'elif [ -f "${B}/%s" ]; then cp "${B}/%s" "%s/%s"; fi\n' % (test_bin, test_bin, install_dir, test_yocto)
+
+    # Install wrapper script
+    installScript = 'cp "${WORKDIR}/wolfprovidertest.sh" "%s/wolfprovidertest"\n' % (install_dir)
+    installScript += 'chmod 755 "%s/wolfprovidertest"\n' % (install_dir)
+
+    # Install certificates
+    installCerts = 'bbnote "Installing wolfProvider Certificates"\n'
+    installCerts += 'install -m 0755 -d "%s"\n' % (certs_install_dir)
+    installCerts += 'if [ -d "%s" ]; then cp -r %s/*.pem %s/ 2>/dev/null || true; fi\n' % (certs_dir, certs_dir, certs_install_dir)
+
+    d.appendVar('do_install', bbnote)
+    d.appendVar('do_install', installDir)
+    d.appendVar('do_install', cpTest)
+    d.appendVar('do_install', installScript)
+    d.appendVar('do_install', installCerts)
+}
+
+# Append test files and library files to FILES using Python
+python __anonymous() {
+    pn = d.getVar('PN')
+
+    # Get existing FILES value (set by autotools class and base recipe)
+    existing_files = d.getVar('FILES:' + pn) or ''
+
+    # Append our test files (don't re-add library files - they're in base recipe FILES)
+    new_files = existing_files + ' ' + ' '.join([
+        '${bindir}/wolfprovidertest',
+        '${bindir}/unit.test',
+        '${datadir}/wolfprovider-test/certs/*'
+    ])
+
+    # Set the combined value (this avoids the "replaces original key" warning)
+    d.setVar('FILES:' + pn, new_files)
+
+    # Same approach for RDEPENDS
+    existing_rdepends = d.getVar('RDEPENDS:' + pn) or ''
+    new_rdepends = existing_rdepends + ' bash wolfproviderenv'
+    d.setVar('RDEPENDS:' + pn, new_rdepends)
+
+    # Same approach for INSANE_SKIP
+    existing_skip = d.getVar('INSANE_SKIP:' + pn) or ''
+    new_skip = existing_skip + ' dev-so build-deps'
+    d.setVar('INSANE_SKIP:' + pn, new_skip)
+}
+
+