Add initial support of the crypto callback API to the two PQC signature
algorithms Dilithium and Falcon. This ultimatelly enables the usage of
external hardware modules (e.g. secure elements) for these algorithms.
Signed-off-by: Tobias Frauenschläger <t.frauenschlaeger@me.com>
Prevent memory access before clientSession->serverRow and clientSession->serverIdx are sanitized.
Fixes ZD17219
Co-authored-by: Daniele Lacamera <dan@danielinux.net>
* in wolfssl/ssl.h, add missing arg names to wolfSSL_CTX_set_tlsext_use_srtp(), wolfSSL_set_tlsext_use_srtp(), and wolfSSL_export_dtls_srtp_keying_material();
* in wolfcrypt/src/kdf.c, call wc_AesFree if and only if wc_AesInit() succeeded;
* in src/ssl.c:DtlsSrtpSelProfiles(), fix bugprone-inc-dec-in-conditions;
* in tests/suites.c:execute_test_case(), fix several -Wdeclaration-after-statement and -Wmissing-field-initializers;
* in wolfcrypt/test/test.c, fix a shiftTooManyBitsSigned warning in srtpkdf_test(), and fix a typo (kaSz/ksSz).
src/ssl.c: refactor dynamics of count_mutex, count_mutex_valid, and initRefCount, to be intrinsically race-free on pthreads builds, and to be always race-free for callers that call wolfSSL_Init() first, then wait for return before any other wolfSSL calls, and call wolfSSL_Cleanup() at most as many times as wolfSSL_Init().
also, in AddSessionToClientCache(), move final access to ClientCache inside the lock-protected span, to mollify Coverity.
* followup to https://github.com/wolfSSL/wolfssl/pull/7009 "20231128-misc-fixes" and https://github.com/wolfSSL/wolfssl/pull/7011 "Add missing wc_AesInit calls."
* adds WC_DEBUG_CIPHER_LIFECYCLE, which embeds asserts in low-level AES implementations for proper usage of wc_AesInit() and wc_AesFree().
* fixes native CMAC, AES-EAX, and AES-XTS implementations to assure resource release.
* adds missing wc_AesXtsInit() API, and adds a new wc_AesXtsSetKey_NoInit().
* fixes misspellings in EVP that unconditionally gated out AES-OFB and AES-XTS.
* fixes misspellings in EVP that unconditionally gated out AES-CBC and AES-CFB code in wolfSSL_EVP_CIPHER_CTX_cleanup_cipher().
* openssl compat AES low level cipher API has no counterpart to wc_AesFree(), so these compat APIs will now be gated out in configurations where they would otherwise leak memory or file descriptors (WOLFSSL_AFALG, WOLFSSL_DEVCRYPTO, WOLF_CRYPTO_CB, etc.). A new macro, WC_AESFREE_IS_MANDATORY, is defined in wolfcrypt/aes.h to streamline this dependency.
* fixes 40 missing EVP_CIPHER_CTX_cleanup()s and 11 wc_AesFree()s in src/ssl.c, src/ssl_crypto.c, tests/api.c, and wolfcrypt/test/test.c.
