Merge pull request #8067 from paul-elliott-arm/fix_bignum_test_leak

Fix resource leak in bignum test failure case
diff --git a/ChangeLog.d/fix-aes-cbc-iv-corruption b/ChangeLog.d/fix-aes-cbc-iv-corruption
new file mode 100644
index 0000000..11eb946
--- /dev/null
+++ b/ChangeLog.d/fix-aes-cbc-iv-corruption
@@ -0,0 +1,3 @@
+Bugfix
+   * Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
+     is called with zero length and padlock is not enabled.
diff --git a/library/aes.c b/library/aes.c
index 592ca64..b55c08a 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -1094,6 +1094,11 @@
         return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
     }
 
+    /* Nothing to do if length is zero. */
+    if (length == 0) {
+        return 0;
+    }
+
     if (length % 16) {
         return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
     }
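Review bot: The comment on the new `length == 0` return says what happens but not why the check must come before the rest of the function. The ChangeLog entry in this same diff says the passed-in IV could be corrupted on a zero-length call, so I would state that, e.g. `/* Zero-length input: return before anything writes to iv, so the caller's IV is left unchanged. */`. The return sits after the input check whose `MBEDTLS_ERR_AES_BAD_INPUT_DATA` return is visible at the top of the hunk, so invalid arguments are still rejected first, which looks intended. No test for the zero-length case appears among the files shown here; a regression test that calls the function with length 0 and compares the IV before and after would pin the fix. The function begins and ends outside the hunk.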
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a063084..20cecdb 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1521,6 +1521,7 @@
     return 0;
 }
 
+#if defined(PSA_WANT_ALG_FFDH)
 static psa_status_t  mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
     uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
 {
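Review bot: Guarding this static function with `PSA_WANT_ALG_FFDH` builds cleanly only if every call site is compiled out under the same condition. No call site is visible in this hunk or in the next one, which adds the matching `#endif`. If a caller sits under a different macro, a configuration with that macro set and `PSA_WANT_ALG_FFDH` unset would fail on an undeclared function, so it is worth confirming that the callers use the same guard. A short comment above the `#if`, such as `/* Only needed when FFDH is available through PSA. */`, would record why the guard exists. The function body runs past the end of this hunk.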
@@ -1549,6 +1550,7 @@
             return PSA_ERROR_NOT_SUPPORTED;
     }
 }
+#endif /* PSA_WANT_ALG_FFDH */
 
 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
     mbedtls_ssl_context *ssl,
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index ed62b96..ef3345e 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2632,10 +2632,8 @@
 # - component_test_psa_crypto_config_reference_ecc_no_bignum
 config_psa_crypto_config_accel_ecc_no_bignum() {
     DRIVER_ONLY="$1"
-    # start with full config for maximum coverage (also enables USE_PSA),
-    # but keep TLS and key exchanges disabled
+    # start with full config for maximum coverage (also enables USE_PSA)
     helper_libtestdriver1_adjust_config "full"
-    scripts/config.py unset MBEDTLS_SSL_TLS_C
 
     if [ "$DRIVER_ONLY" -eq 1 ]; then
         # Disable modules that are accelerated
@@ -2688,7 +2686,7 @@
 #
 # Keep in sync with component_test_psa_crypto_config_reference_ecc_no_bignum()
 component_test_psa_crypto_config_accel_ecc_no_bignum () {
-    msg "build: full + accelerated EC algs + USE_PSA - ECP"
+    msg "build: full + accelerated EC algs + USE_PSA - ECP - BIGNUM"
 
     # Algorithms and key types to accelerate
     loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -2730,12 +2728,12 @@
     # Run the tests
     # -------------
 
-    msg "test suites: full + accelerated EC algs + USE_PSA - ECP"
+    msg "test suites: full + accelerated EC algs + USE_PSA - ECP - BIGNUM"
     make test
 
     # The following will be enabled in #7756
-    #msg "ssl-opt: full + accelerated EC algs + USE_PSA - ECP"
-    #tests/ssl-opt.sh
+    msg "ssl-opt: full + accelerated EC algs + USE_PSA - ECP - BIGNUM"
+    tests/ssl-opt.sh
 }
 
 # Reference function used for driver's coverage analysis in analyze_outcomes.py
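Review bot: The comment `# The following will be enabled in #7756` is left directly above the `msg` and `tests/ssl-opt.sh` lines that this hunk now enables, so it reads as if the run were still pending. Drop it or reword it, e.g. `# Run ssl-opt.sh in the same configuration`. The same stale comment remains in the next hunk, above the ssl-opt.sh run of the reference component. Both function bodies start outside their hunks.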
@@ -2752,8 +2750,8 @@
     make test
 
     # The following will be enabled in #7756
-    #msg "ssl-opt: full + non accelerated EC algs + USE_PSA"
-    #tests/ssl-opt.sh
+    msg "ssl-opt: full + non accelerated EC algs + USE_PSA"
+    tests/ssl-opt.sh
 }
 
 # Helper function used in:
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index ee51513..c6891bb 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -390,6 +390,16 @@
                     'ASN.1 Write mpi, 255*8-1 bits',
                     'ASN.1 Write mpi, 256*8-1 bits',
                 ],
+                'test_suite_debug': [
+                    # Following tests depends on BIGNUM_C
+                    'Debug print mbedtls_mpi #2: 3 bits',
+                    'Debug print mbedtls_mpi: 0 (empty representation)',
+                    'Debug print mbedtls_mpi: 0 (non-empty representation)',
+                    'Debug print mbedtls_mpi: 49 bits',
+                    'Debug print mbedtls_mpi: 759 bits',
+                    'Debug print mbedtls_mpi: 764 bits #1',
+                    'Debug print mbedtls_mpi: 764 bits #2',
+                ],
             }
         }
     },
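Review bot: The comment on the new `test_suite_debug` list, `# Following tests depends on BIGNUM_C`, is ungrammatical and does not say why that dependency puts the tests on this list. Something like `# These tests print an mbedtls_mpi, so they depend on MBEDTLS_BIGNUM_C and cannot run in the build without it` would be clearer. The entries appear to be matched by their exact description strings, so a rename in the test data would leave stale entries here without any error; a brief note naming the data file they come from would help whoever maintains the list. The enclosing dictionary starts outside the hunk.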
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6113eeb..0164b45 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -435,6 +435,13 @@
             ;;
     esac
 
+    case "$CMD_LINE" in
+        *server2*|\
+        *server7*)
+            # server2 and server7 certificates use RSA encryption
+            requires_config_enabled "MBEDTLS_RSA_C"
+    esac
+
     unset tmp
 }
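Review bot: The new `case` clause for `*server2*|*server7*` has no `;;` before `esac`, unlike the clause that closes the preceding `case` at the top of the hunk. The shell accepts this for the last clause, but adding `;;` after `requires_config_enabled "MBEDTLS_RSA_C"` keeps the style consistent and avoids a syntax error if another clause is appended later. The patterns are substring matches on `$CMD_LINE`, so any argument containing `server2` or `server7` marks the test as requiring RSA. If any file with such a name does not hold an RSA key, its tests would be skipped in builds without RSA and nothing would report it, which is worth confirming. The enclosing function starts outside the hunk.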