Add CryptoCB-based AES key import support to enable Secure Element
offload without exposing raw AES key material to wolfCrypt.
When WOLF_CRYPTO_CB_AES_SETKEY is defined, wolfCrypt invokes a CryptoCB
callback during AES key setup. Behavior is determined by the callback
return value:
- If callback returns 0: Key is imported to the device (aes->devCtx).
Key is NOT copied to wolfCrypt RAM; GCM H/M tables are NOT generated.
Full hardware offload is assumed.
- If callback returns CRYPTOCB_UNAVAILABLE: Device does not support
SetKey. Normal software path is used; key is copied to devKey for
optional encrypt/decrypt acceleration.
- Any other error: Propagated to the caller.
Key points:
- Add wc_CryptoCb_AesSetKey() callback for AES key import
- Update AES SetKey paths to call CryptoCB and branch on return value
- Skip GCM H/M table generation when callback succeeded (devCtx set)
- Preserve existing behavior when devId is INVALID_DEVID or
WOLF_CRYPTO_CB_AES_SETKEY is not defined
Testing:
- Add unit test for CryptoCB AES SetKey (verifies key isolation when
callback succeeds)
- Add end-to-end AES-GCM offload test (SetKey, Encrypt, Decrypt, Free
via CryptoCB)
- Tests use a mock SE with software AES to validate routing
Enable with: CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
* Minor fixes to the CMakeLists.txt
* Add more options to the CMake infrastructure already present in the
autoconf infrastructure
* An autoconf build now also generates and installs files required to
consume the installed wolfssl library via CMake.
* Added test for autoconf-CMake interworking
Work is mostly done by Codex and Curser.
* change wc_linuxkm_pie_reloc_tab from unsigned int[] to struct wc_linuxkm_pie_reloc_tab_ent[], with dest_segment and reloc_type members;
* add enum wc_reloc_dest_segment and enum wc_reloc_type;
* update GENERATE_RELOC_TAB recipe in Makefile to render the dest segment and reloc type;
* add struct reloc_layout_ent, and reloc_layouts[] fully populated for x86 and ARM relocations;
* refactor find_reloc_tab_offset() and wc_linuxkm_normalize_relocations() to reflect the above;
linuxkm/module_hooks.c: tweak various printf format characters and arguments for compatibility with ARM32;
linuxkm/linuxkm_wc_port.h: include linux/inet.h and define wc_linuxkm_inet_pton() and XINET_PTON(), unless WOLFCRYPT_ONLY.
- Standardize header guards to WOLFSSL_USER_SETTINGS_H across all files
- Add #if 0/1 gates with labels for easy feature toggling
- Fix bugs: typos in eccnonblock (WOLFSL_SHA*), duplicates in fipsv5/all
- Add NO_DES3_TLS_SUITES alongside NO_DES3 where needed
- Update wolfboot_keytools with upstream PQ algorithms (ML-DSA, LMS, XMSS)
- Add settings.h validation rules with descriptive error messages
- Auto-define NO_DES3_TLS_SUITES when NO_DES3 is set (instead of error)
- Update README.md and add missing files to CI tests
Make sure we received a Certificate message before the ClientKeyExchange
when a certificate is requested. (Certificate message will be empty when
client has no valid certificate.)
Mostly combinations of NO_WOLFSSL_CLIENT, NO_WOLFSSL_SERVER and
WOLFSSL_NO_CLIENT_AUTH were failing.
Added configurations to CI loop.
wc_AesGcmDecryptFinal: use WC_AES_BLOCK_SIZE to satisfy compiler.