Fix for TLS HMAC constant timing to ensure final is called for dummy operations. Added devCtx to AES for CryptoCb.

src/tls.c

@@ -1112,6 +1112,9 @@ static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
             if (ret != 0)
                 break;
         }
+        /* call final to cleanup */
+        if (ret == 0)
+            ret = wc_HmacFinal(hmac, dummy);
     }
 
     return ret;

wolfcrypt/src/aes.c

@@ -6528,6 +6528,7 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
 
 #ifdef WOLF_CRYPTO_CB
     aes->devId = devId;
+    aes->devCtx = NULL;
 #else
     (void)devId;
 #endif
@@ -6589,6 +6590,9 @@ void wc_AesFree(Aes* aes)
 #if defined(WOLFSSL_DEVCRYPTO) && \
     (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
     wc_DevCryptoFree(&aes->ctx);
+#endif
+#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
+    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC)))
     ForceZero((byte*)aes->devKey, AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE);
 #endif
 }

wolfssl/wolfcrypt/aes.h

@@ -152,7 +152,7 @@ typedef struct Aes {
 #endif /* WOLFSSL_AESNI */
 #ifdef WOLF_CRYPTO_CB
     int    devId;
-    word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
+    void*  devCtx;
 #endif
 #ifdef HAVE_PKCS11
     byte id[AES_MAX_ID_LEN];
@@ -182,9 +182,12 @@ typedef struct Aes {
                   GCM_NONCE_MID_SZ)];
 #endif
 #endif
+#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
+    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC)))
+    word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
+#endif
 #if defined(WOLFSSL_DEVCRYPTO) && \
     (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
-    word32       devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
     WC_CRYPTODEV ctx;
 #endif
     void*  heap; /* memory hint to use */