From 59503017405b852872fdc6d38f542692a4bc4660 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 24 Aug 2024 11:05:47 +0200 Subject: [PATCH] Don't call psa_crypto_init in unit tests when not required for TLS 1.3 For backward compatibility with Mbed TLS <=3.5.x, applications must be able to make a TLS connection with a peer that supports both TLS 1.2 and TLS 1.3, regardless of whether they call psa_crypto_init(). Since Mbed TLS 3.6.0, we enable TLS 1.3 in the default configuration, so we must take care of calling psa_crypto_init() if needed. This is a change from TLS 1.3 in previous versions, where enabling MBEDTLS_SSL_PROTO_TLS1_3 was a user choice and could have additional requirement. This commit changes our unit tests to validate that the library does not have the compatibility-breaking requirement. Signed-off-by: Gilles Peskine --- tests/include/test/psa_crypto_helpers.h | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/tests/include/test/psa_crypto_helpers.h b/tests/include/test/psa_crypto_helpers.h index 71ba0fc021..1039712aef 100644 --- a/tests/include/test/psa_crypto_helpers.h +++ b/tests/include/test/psa_crypto_helpers.h @@ -334,9 +334,18 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string); * This is like #PSA_DONE except it does nothing under the same conditions as * #USE_PSA_INIT. */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USE_PSA_INIT() PSA_INIT() #define USE_PSA_DONE() PSA_DONE() +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) +/* TLS 1.3 must work without having called psa_crypto_init(), for backward + * compatibility with Mbed TLS <= 3.5 when connecting with a peer that + * supports both TLS 1.2 and TLS 1.3. See mbedtls_ssl_tls13_crypto_init() + * and https://github.com/Mbed-TLS/mbedtls/issues/9072 . */ +#define USE_PSA_INIT() ((void) 0) +/* TLS 1.3 may have initialized the PSA subsystem. Shut it down cleanly, + * otherwise Asan and Valgrind would notice a resource leak. */ +#define USE_PSA_DONE() PSA_DONE() #else /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* Define empty macros so that we can use them in the preamble and teardown * of every test function that uses PSA conditionally based on @@ -408,13 +417,12 @@ uint64_t mbedtls_test_parse_binary_string(data_t *bin_string); * This is like #PSA_DONE except it does nothing under the same conditions as * #MD_OR_USE_PSA_INIT. */ -#if defined(MBEDTLS_MD_SOME_PSA) || \ - defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +#if defined(MBEDTLS_MD_SOME_PSA) #define MD_OR_USE_PSA_INIT() PSA_INIT() #define MD_OR_USE_PSA_DONE() PSA_DONE() #else -#define MD_OR_USE_PSA_INIT() ((void) 0) -#define MD_OR_USE_PSA_DONE() ((void) 0) +#define MD_OR_USE_PSA_INIT() USE_PSA_INIT() +#define MD_OR_USE_PSA_DONE() USE_PSA_DONE() #endif /** \def AES_PSA_INIT