Merge remote-tracking branch 'development' into development-restricted
diff --git a/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
new file mode 100644
index 0000000..079cd74
--- /dev/null
+++ b/ChangeLog.d/MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.txt
@@ -0,0 +1,4 @@
+Security
+ * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+ not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+ MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
diff --git a/ChangeLog.d/ecdsa-conversion-overflow.txt b/ChangeLog.d/ecdsa-conversion-overflow.txt
new file mode 100644
index 0000000..83b7f2f
--- /dev/null
+++ b/ChangeLog.d/ecdsa-conversion-overflow.txt
@@ -0,0 +1,6 @@
+Security
+ * Fix a stack buffer overflow in mbedtls_ecdsa_der_to_raw() and
+ mbedtls_ecdsa_raw_to_der() when the bits parameter is larger than the
+ largest supported curve. In some configurations with PSA disabled,
+ all values of bits are affected. This never happens in internal library
+ calls, but can affect applications that call these functions directly.
diff --git a/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
new file mode 100644
index 0000000..dba25af
--- /dev/null
+++ b/ChangeLog.d/mbedtls_psa_rsa_load_representation-memory_leak.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix a memory leak that could occur when failing to process an RSA
+ key through some PSA functions due to low memory conditions.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index e3589ea..c4c211e 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -3815,11 +3815,18 @@
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
* PSA crypto subsystem.
*
- * If this option is unset:
- * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
- * - Otherwise, the PSA subsystem uses HMAC_DRBG with either
- * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
- * on unspecified heuristics.
+ * If this option is unset, the library chooses a hash (currently between
+ * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
+ * unspecified heuristics.
+ *
+ * \note The PSA crypto subsystem uses the first available mechanism amongst
+ * the following:
+ * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
+ * if #MBEDTLS_CTR_DRBG_C is enabled;
+ * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
+ *
+ * A future version may reevaluate the prioritization of DRBG mechanisms.
*/
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh
index 31aae31..2eb2b0f 100644
--- a/tests/scripts/components-sanitizers.sh
+++ b/tests/scripts/components-sanitizers.sh
@@ -49,6 +49,7 @@
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
+ scripts/config.py unset MBEDTLS_HAVE_ASM
CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
make
@@ -67,6 +68,7 @@
scripts/config.py full
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm
+ scripts/config.py unset MBEDTLS_HAVE_ASM
CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
make
diff --git a/tf-psa-crypto/core/psa_crypto_random_impl.h b/tf-psa-crypto/core/psa_crypto_random_impl.h
index 9049822..1d9c02a 100644
--- a/tf-psa-crypto/core/psa_crypto_random_impl.h
+++ b/tf-psa-crypto/core/psa_crypto_random_impl.h
@@ -21,13 +21,10 @@
#include "mbedtls/entropy.h"
/* Choose a DRBG based on configuration and availability */
-#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
-
-#include "mbedtls/hmac_drbg.h"
-
-#elif defined(MBEDTLS_CTR_DRBG_C)
+#if defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/ctr_drbg.h"
+#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
#elif defined(MBEDTLS_HMAC_DRBG_C)
@@ -49,17 +46,11 @@
#error "No hash algorithm available for HMAC_DBRG."
#endif
-#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
+#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
#error "No DRBG module available for the psa_crypto module."
-#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
-
-#if defined(MBEDTLS_CTR_DRBG_C)
-#include "mbedtls/ctr_drbg.h"
-#elif defined(MBEDTLS_HMAC_DRBG_C)
-#include "mbedtls/hmac_drbg.h"
-#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C */
+#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
#if defined(MBEDTLS_CTR_DRBG_C)
diff --git a/tf-psa-crypto/core/psa_crypto_rsa.c b/tf-psa-crypto/core/psa_crypto_rsa.c
index f8e36d8..5fe26ec 100644
--- a/tf-psa-crypto/core/psa_crypto_rsa.c
+++ b/tf-psa-crypto/core/psa_crypto_rsa.c
@@ -197,16 +197,13 @@
status = mbedtls_psa_rsa_load_representation(
attributes->type, key_buffer, key_buffer_size, &rsa);
- if (status != PSA_SUCCESS) {
- return status;
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
+ rsa,
+ data,
+ data_size,
+ data_length);
}
-
- status = mbedtls_psa_rsa_export_key(PSA_KEY_TYPE_RSA_PUBLIC_KEY,
- rsa,
- data,
- data_size,
- data_length);
-
mbedtls_rsa_free(rsa);
mbedtls_free(rsa);
@@ -264,6 +261,7 @@
(unsigned int) attributes->bits,
exponent);
if (ret != 0) {
+ mbedtls_rsa_free(&rsa);
return mbedtls_to_psa_error(ret);
}
@@ -330,7 +328,7 @@
key_buffer_size,
&rsa);
if (status != PSA_SUCCESS) {
- return status;
+ goto exit;
}
status = psa_rsa_decode_md_type(alg, hash_length, &md_alg);
diff --git a/tf-psa-crypto/core/psa_util.c b/tf-psa-crypto/core/psa_util.c
index 7db8bd1..779a852 100644
--- a/tf-psa-crypto/core/psa_util.c
+++ b/tf-psa-crypto/core/psa_util.c
@@ -443,6 +443,9 @@
if (raw_len != (2 * coordinate_len)) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
+ if (coordinate_len > sizeof(r)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
/* Since raw and der buffers might overlap, dump r and s before starting
* the conversion. */
@@ -561,6 +564,9 @@
if (raw_size < coordinate_size * 2) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
+ if (2 * coordinate_size > sizeof(raw_tmp)) {
+ return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+ }
/* Check that the provided input DER buffer has the right header. */
ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len,
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.c b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
index 1a3e0b9..39ab6e9 100644
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.c
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.c
@@ -449,9 +449,10 @@
mbedtls_mpi_uint c = 0;
for (size_t i = 0; i < limbs; i++) {
- mbedtls_mpi_uint z = (A[i] < c);
+ mbedtls_mpi_uint z = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(A[i], c),
+ 1, 0);
mbedtls_mpi_uint t = A[i] - c;
- c = (t < B[i]) + z;
+ c = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(t, B[i]), 1, 0) + z;
X[i] = t - B[i];
}
@@ -489,7 +490,7 @@
while (excess_len--) {
*d += c;
- c = (*d < c);
+ c = mbedtls_ct_mpi_uint_if(mbedtls_ct_uint_lt(*d, c), 1, 0);
d++;
}
diff --git a/tf-psa-crypto/drivers/builtin/src/bignum_core.h b/tf-psa-crypto/drivers/builtin/src/bignum_core.h
index 92c8d47..51ecca5 100644
--- a/tf-psa-crypto/drivers/builtin/src/bignum_core.h
+++ b/tf-psa-crypto/drivers/builtin/src/bignum_core.h
@@ -376,6 +376,9 @@
* \p X may be aliased to \p A or \p B, or even both, but may not overlap
* either otherwise.
*
+ * This function operates in constant time with respect to the values
+ * of \p A and \p B.
+ *
* \param[out] X The result of the subtraction.
* \param[in] A Little-endian presentation of left operand.
* \param[in] B Little-endian presentation of right operand.
@@ -397,6 +400,9 @@
*
* This function operates modulo `2^(biL*X_limbs)`.
*
+ * This function operates in constant time with respect to the values
+ * of \p X and \p A and \p b.
+ *
* \param[in,out] X The pointer to the (little-endian) array
* representing the bignum to accumulate onto.
* \param X_limbs The number of limbs of \p X. This must be
@@ -456,6 +462,10 @@
* \p A and \p B may alias each other, if \p AN_limbs == \p B_limbs. They may
* not alias \p N (since they must be in canonical form, they cannot == \p N).
*
+ * This function operates in constant time with respect
+ * to the values of \p A, \p B and \p N.
+ *
+ *
* \param[out] X The destination MPI, as a little-endian array of
* length \p AN_limbs.
* On successful completion, X contains the result of
@@ -611,6 +621,9 @@
* \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
* \p AN_limbs.
*
+ * This function operates in constant time with respect
+ * to the values of \p A, \p N and \p E.
+ *
* \param[out] X The destination MPI, as a little endian array of length
* \p AN_limbs.
* \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
diff --git a/tf-psa-crypto/tests/suites/test_suite_bignum_core.function b/tf-psa-crypto/tests/suites/test_suite_bignum_core.function
index db84d62..6c0bd1e 100644
--- a/tf-psa-crypto/tests/suites/test_suite_bignum_core.function
+++ b/tf-psa-crypto/tests/suites/test_suite_bignum_core.function
@@ -660,31 +660,48 @@
memcpy(b, B.p, B.n * sizeof(mbedtls_mpi_uint));
memcpy(x, X.p, X.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(a, bytes);
+ TEST_CF_SECRET(b, bytes);
+
/* 1a) r = a - b => we should get the correct carry */
TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, a, b, limbs));
+ TEST_CF_PUBLIC(r, bytes);
+
/* 1b) r = a - b => we should get the correct result */
TEST_MEMORY_COMPARE(r, bytes, x, bytes);
/* 2 and 3 test "r may be aliased to a or b" */
/* 2a) r = a; r -= b => we should get the correct carry (use r to avoid clobbering a) */
memcpy(r, a, bytes);
+
+ TEST_CF_SECRET(r, bytes);
+
TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, r, b, limbs));
+ TEST_CF_PUBLIC(r, bytes);
+
/* 2b) r -= b => we should get the correct result */
TEST_MEMORY_COMPARE(r, bytes, x, bytes);
/* 3a) r = b; r = a - r => we should get the correct carry (use r to avoid clobbering b) */
memcpy(r, b, bytes);
+
+ TEST_CF_SECRET(r, bytes);
+
TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, a, r, limbs));
+ TEST_CF_PUBLIC(r, bytes);
+
/* 3b) r = a - b => we should get the correct result */
TEST_MEMORY_COMPARE(r, bytes, x, bytes);
/* 4 tests "r may be aliased to [...] both" */
if (A.n == B.n && memcmp(A.p, B.p, bytes) == 0) {
memcpy(r, b, bytes);
+ TEST_CF_SECRET(r, bytes);
TEST_EQUAL(carry, mbedtls_mpi_core_sub(r, r, r, limbs));
+ TEST_CF_PUBLIC(r, bytes);
TEST_MEMORY_COMPARE(r, bytes, x, bytes);
}
@@ -770,16 +787,32 @@
memcpy(a, A.p, A.n * sizeof(mbedtls_mpi_uint));
memcpy(x, X->p, X->n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(a, bytes);
+ TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(S.p, sizeof(mbedtls_mpi_uint));
+
/* 1a) A += B * s => we should get the correct carry */
TEST_EQUAL(mbedtls_mpi_core_mla(a, limbs, B.p, B.n, *S.p), *cy->p);
+ TEST_CF_PUBLIC(a, bytes);
+ TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_PUBLIC(S.p, sizeof(mbedtls_mpi_uint));
+
/* 1b) A += B * s => we should get the correct result */
TEST_MEMORY_COMPARE(a, bytes, x, bytes);
if (A.n == B.n && memcmp(A.p, B.p, bytes) == 0) {
/* Check when A and B are aliased */
memcpy(a, A.p, A.n * sizeof(mbedtls_mpi_uint));
+
+ TEST_CF_SECRET(a, bytes);
+ TEST_CF_SECRET(S.p, sizeof(mbedtls_mpi_uint));
+
TEST_EQUAL(mbedtls_mpi_core_mla(a, limbs, a, limbs, *S.p), *cy->p);
+
+ TEST_CF_PUBLIC(a, bytes);
+ TEST_CF_PUBLIC(S.p, sizeof(mbedtls_mpi_uint));
+
TEST_MEMORY_COMPARE(a, bytes, x, bytes);
}
@@ -883,12 +916,20 @@
TEST_EQUAL(working_limbs, limbs_AN * 2 + 1);
TEST_EQUAL(0, mbedtls_mpi_grow(&T, working_limbs));
+ TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint));
+
/* Calculate the Montgomery constant (this is unit tested separately) */
mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N.p);
TEST_EQUAL(0, mbedtls_mpi_grow(&R, limbs_AN)); /* ensure it's got the right number of limbs */
+ TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+
mbedtls_mpi_core_montmul(R.p, A.p, B.p, B.n, N.p, N.n, mm, T.p);
+
+ TEST_CF_PUBLIC(R.p, R.n * sizeof(mbedtls_mpi_uint));
size_t bytes = N.n * sizeof(mbedtls_mpi_uint);
TEST_MEMORY_COMPARE(R.p, bytes, X->p, bytes);
@@ -896,7 +937,13 @@
memcpy(R.p, A.p, bytes);
+ TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+
mbedtls_mpi_core_montmul(A.p, A.p, B.p, B.n, N.p, N.n, mm, T.p);
+
+ TEST_CF_PUBLIC(A.p, A.n * sizeof(mbedtls_mpi_uint));
TEST_MEMORY_COMPARE(A.p, bytes, X->p, bytes);
memcpy(A.p, R.p, bytes); /* restore A */
@@ -905,18 +952,33 @@
memcpy(R.p, N.p, bytes);
+ TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+
mbedtls_mpi_core_montmul(N.p, A.p, B.p, B.n, N.p, N.n, mm, T.p);
+
+ TEST_CF_PUBLIC(N.p, N.n * sizeof(mbedtls_mpi_uint));
TEST_MEMORY_COMPARE(N.p, bytes, X->p, bytes);
memcpy(N.p, R.p, bytes);
+ TEST_CF_PUBLIC(A.p, A.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint));
+
if (limbs_AN == limbs_B) {
/* Test when A aliased to B (requires A == B on input values) */
if (memcmp(A.p, B.p, bytes) == 0) {
/* Test with A aliased to B and output, since this is permitted -
* don't bother with yet another test with only A and B aliased */
+ TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+
mbedtls_mpi_core_montmul(B.p, B.p, B.p, B.n, N.p, N.n, mm, T.p);
+
+ TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint));
TEST_MEMORY_COMPARE(B.p, bytes, X->p, bytes);
memcpy(B.p, A.p, bytes); /* restore B from equal value A */
@@ -924,7 +986,13 @@
/* The output may be aliased to B - last test, so we don't save B */
+ TEST_CF_SECRET(N.p, N.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(A.p, A.n * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(B.p, B.n * sizeof(mbedtls_mpi_uint));
+
mbedtls_mpi_core_montmul(B.p, A.p, B.p, B.n, N.p, N.n, mm, T.p);
+
+ TEST_CF_PUBLIC(B.p, B.n * sizeof(mbedtls_mpi_uint));
TEST_MEMORY_COMPARE(B.p, bytes, X->p, bytes);
}
@@ -1229,14 +1297,24 @@
TEST_CALLOC(T, working_limbs);
+ TEST_CF_SECRET(A, A_limbs * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(N, N_limbs * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(E, E_limbs * sizeof(mbedtls_mpi_uint));
+
mbedtls_mpi_core_exp_mod(Y, A, N, N_limbs, E, E_limbs, R2, T);
+ TEST_CF_PUBLIC(Y, N_limbs * sizeof(mbedtls_mpi_uint));
+
TEST_EQUAL(0, memcmp(X, Y, N_limbs * sizeof(mbedtls_mpi_uint)));
- /* Check when output aliased to input */
+ TEST_CF_SECRET(A, A_limbs * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(N, N_limbs * sizeof(mbedtls_mpi_uint));
+ TEST_CF_SECRET(E, E_limbs * sizeof(mbedtls_mpi_uint));
+ /* Check when output aliased to input */
mbedtls_mpi_core_exp_mod(A, A, N, N_limbs, E, E_limbs, R2, T);
+ TEST_CF_PUBLIC(A, A_limbs * sizeof(mbedtls_mpi_uint));
TEST_EQUAL(0, memcmp(X, A, N_limbs * sizeof(mbedtls_mpi_uint)));
exit:
diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data
index 807007b..c84a836 100644
--- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data
+++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto_util.data
@@ -6,6 +6,16 @@
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_raw_to_der:256:"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":"304402201111111111111111111111111111111111111111111111111111111111111111022022222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+# Check coordinates one byte larger than the largest supported curve.
+# If we add an even larger curve, this test case will fail in the full
+# configuration because mbedtls_ecdsa_raw_to_der() will return 0, and we'll
+# need to use larger data for this test case.
+ECDSA Raw -> DER, very large input (536-bit)
+ecdsa_raw_to_der:536:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
+ECDSA Raw -> DER, very large input (1016-bit)
+ecdsa_raw_to_der:1016:"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
ECDSA Raw -> DER, 256bit, Null r
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_raw_to_der:256:"00000000000000000000000000000000000000000000000000000000000000002222222222222222222222222222222222222222222222222222222222222222":"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_INVALID_DATA
@@ -58,6 +68,16 @@
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_der_to_raw:256:"30440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+# Check coordinates one byte larger than the largest supported curve.
+# If we add an even larger curve, this test case will fail in the full
+# configuration because mbedtls_ecdsa_der_to_raw() will return 0, and we'll
+# need to use larger data for this test case.
+ECDSA DER -> Raw, very large input (536-bit)
+ecdsa_der_to_raw:536:"30818a024311111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111024322222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
+ECDSA DER -> Raw, very large input (1016-bit)
+ecdsa_der_to_raw:1016:"30820102027f11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111027f22222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":"1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+
ECDSA DER -> Raw, 256bit, Wrong sequence tag
depends_on:PSA_VENDOR_ECC_MAX_CURVE_BITS >= 256
ecdsa_der_to_raw:256:"40440220111111111111111111111111111111111111111111111111111111111111111102202222222222222222222222222222222222222222222222222222222222222222":"11111111111111111111111111111111111111111111111111111111111111112222222222222222222222222222222222222222222222222222222222222222":MBEDTLS_ERR_ASN1_UNEXPECTED_TAG