const pointer (awslabs#456)

Support PKCS#11 for mutual TLS on Unix platforms (awslabs#451)

Merging the `pkcs11` feature branch to `main`. Previous Pull Requests can be found here:

- awslabs#410 - Add PKCS#11 headers
- awslabs#408 - Public API first pass
- awslabs#412 - Implement library load/unload
- awslabs#413 - Get tests running in CI
- awslabs#425 - Find private key / begin s2n integration
- awslabs#428 - Finish integration with s2n
- awslabs#430 - Add tests. Each test now sets up its own tokendir.
- awslabs#431 - Misc fixes
- awslabs#432 - Add TLS test
- awslabs#434 - Handle connection failure during PKCS#11 operations
- awslabs#439 - Support multiple digest types for RSA
- awslabs#440 - Misc fixes
- awslabs#445 - Each CKR_ return value has its own AWS error-code
- awslabs#443 - Add license for PKCS#11 headers
- awslabs#442 - Behavior enum controls how C_Initialize() and C_Finalize() are called.
- awslabs#450 - Misc fixes

Co-authored-by: Prateek Yadav <[email protected]>

Moved aws_path_exist checks over to the safe variant. (awslabs#448)

Add Round 3 Cipher Pref List to Allowlist (awslabs#447)

Replace tls double channel (awslabs#441)

* Remove test first
* Add codebuild job spec that will run downstream integration tests (aws-c-http) that exercise double tls
* Add channel API to read from initial handler

Use standardized SDK cipher preferences from s2n (awslabs#407)

Ephemeral secure channel credentials on Windows (awslabs#421)

* Client-side secure channel to use ephemeral credentials
* Branch key import based on client/server mode

Co-authored-by: Bret Ambrose <[email protected]>
Co-authored-by: Mike Dombrowski

Fix aws_sanitize_pem() bug (awslabs#415)

We were using the wrong append function, it was failing when PEM file was missing trailing newline.

Part 2 of aws_thread_clean_up fix and contract clarification (awslabs…

…#400)

Validate hostname on Mac when custom root-CA is used. (awslabs#396)

**Issue:** When custom root-CA was specified, we were not validating hostname.

**Solution:** Use `SecPolicyCreateSSL()` instead of `SecPolicyCreateBasicX509()` in this scenario.

**Also:**
1) The lifetime of `unittests.crt` had to be shortened to 2.25 years to meet the [stricter standards](https://support.apple.com/en-us/HT210176) of `SecPolicyCreateSSL()`. Added `unittests.readme` with instructions on how to update these files again in the future.

2) Simplify code that logs the server name. (The code we had didn't actually do what we thought it did. As far as I can tell SecureChannel API doesn't offer a function to query the server name)

Credit: Adapted from patch submitted by F-Secure