Add CryptoCB-based AES key import support to enable Secure Element
offload without exposing raw AES key material to wolfCrypt.
When WOLF_CRYPTO_CB_AES_SETKEY is defined, wolfCrypt invokes a CryptoCB
callback during AES key setup. Behavior is determined by the callback
return value:
- If callback returns 0: Key is imported to the device (aes->devCtx).
Key is NOT copied to wolfCrypt RAM; GCM H/M tables are NOT generated.
Full hardware offload is assumed.
- If callback returns CRYPTOCB_UNAVAILABLE: Device does not support
SetKey. Normal software path is used; key is copied to devKey for
optional encrypt/decrypt acceleration.
- Any other error: Propagated to the caller.
Key points:
- Add wc_CryptoCb_AesSetKey() callback for AES key import
- Update AES SetKey paths to call CryptoCB and branch on return value
- Skip GCM H/M table generation when callback succeeded (devCtx set)
- Preserve existing behavior when devId is INVALID_DEVID or
WOLF_CRYPTO_CB_AES_SETKEY is not defined
Testing:
- Add unit test for CryptoCB AES SetKey (verifies key isolation when
callback succeeds)
- Add end-to-end AES-GCM offload test (SetKey, Encrypt, Decrypt, Free
via CryptoCB)
- Tests use a mock SE with software AES to validate routing
Enable with: CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Implementations of AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-XTS with base
instructions and NEON but not using crypto instructions.
Benchmark of AES-ECB added.
Updated AES tests.
wolfcrypt/src/port/af_alg/afalg_aes.c: check for null key arg;
configure.ac: rename BUILD_FIPS_CURRENT to BUILD_FIPS_V2_PLUS (no functional change), and remove unused ARMASM_DIST_SOURCES set up code added in #9332;
src/include.am:
* set up $(ARMASM_SHA256_C), and use it to properly include wolfcrypt/src/sha256.c alongside armasm when appropriate;
* fix gating on Curved25519 armasm (BUILD_FIPS_V6_PLUS, not BUILD_FIPS_V6);
tests/api/test_aes.c and wolfcrypt/test/test.c: gate out incompatible coverage for WOLFSSL_AFALG and WOLFSSL_KCAPI (test_wc_AesCbcEncryptDecrypt_MultiBlocks(), test_wc_AesCtrSetKey*(), test_wc_AesCtrEncrypt*(), test_wc_AesGcmEncryptDecrypt_Sizes()).
Improve performance of CFB and OFB.
Only have one implementation that is used by OFB encrypt and decrypt.
Update AES testing in unit.test.
Update benchmarking of CFB and OFb to include decrypt.
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
sources to include them at the top.
wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
conditionally, config.h. settings.h and wc_port.h are unconditionally
included at the top of types.h.
wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.
Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
files.
Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
wolfssl/wolfcrypt/settings.h to allow coverage testing.
In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.
Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.
Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
for clarity.