Merge pull request #6526 from daverodgman/psalinks-2.28
Update PSA links in README.md - 2.28 backport
diff --git a/ChangeLog.d/fix_zeroization.txt b/ChangeLog.d/fix_zeroization.txt
new file mode 100644
index 0000000..ad74d9c
--- /dev/null
+++ b/ChangeLog.d/fix_zeroization.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix possible crash in TLS PRF code, if a failure to allocate memory occurs.
+ Reported by Michael Madsen in #6516.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7a4d437..c752d59 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -760,7 +760,9 @@
exit:
mbedtls_md_free( &md_ctx );
- mbedtls_platform_zeroize( tmp, tmp_len );
+ if ( tmp != NULL )
+ mbedtls_platform_zeroize( tmp, tmp_len );
+
mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
mbedtls_free( tmp );
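Review bot: The added `if ( tmp != NULL )` guard has no comment explaining why only the zeroize call is guarded while `mbedtls_free( tmp )` two lines later is not, so a later cleanup could drop it as redundant. I would put `/* tmp is NULL if its allocation failed; zeroizing NULL with a non-zero tmp_len would crash */` directly above the check. Nothing in the visible diff forces the allocation failure, so the fixed exit path is presumably still unexercised; an allocation-failure test for this PRF path would keep the crash from returning. The enclosing function starts and ends outside the hunk.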
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a20dd92..21f415b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1533,12 +1533,15 @@
component_test_full_cmake_clang () {
msg "build: cmake, full config, clang" # ~ 50s
scripts/config.py full
- CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On .
+ CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 .
make
msg "test: main suites (full config, clang)" # ~ 5s
make test
+ msg "test: cpp_dummy_build (full config, clang)" # ~ 1s
+ programs/test/cpp_dummy_build
+
msg "test: psa_constant_names (full config, clang)" # ~ 1s
tests/scripts/test_psa_constant_names.py
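Review bot: `CXX=clang` on the cmake line selects the C driver as the C++ compiler. It compiles C++ sources by file extension but does not link the C++ standard library by default, so `programs/test/cpp_dummy_build` presumably links only because it needs no C++ runtime. Using the C++ driver would make the check robust: `CC=clang CXX=clang++ cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 .`. With `component_test_make_cxx` deleted in the next hunk, the C++ build is also no longer checked with g++ or with Unix make; if that loss of coverage is intended, it is worth stating in the commit message. The body of `component_test_full_cmake_clang` continues past the end of this hunk.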
@@ -1756,15 +1759,6 @@
tests/scripts/key-exchanges.pl
}
-component_test_make_cxx () {
- msg "build: Unix make, full, gcc + g++"
- scripts/config.py full
- make TEST_CPP=1 lib programs
-
- msg "test: cpp_dummy_build"
- programs/test/cpp_dummy_build
-}
-
component_test_no_use_psa_crypto_full_cmake_asan() {
# full minus MBEDTLS_USE_PSA_CRYPTO: run the same set of tests as basic-build-test.sh
msg "build: cmake, full config minus MBEDTLS_USE_PSA_CRYPTO, ASan"
@@ -2053,24 +2047,6 @@
make test
}
-# This should be renamed to test and updated once the accelerator ECDSA code is in place and ready to test.
-component_build_psa_accel_alg_ecdsa() {
- # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDSA
- # without MBEDTLS_ECDSA_C
- # PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_DETERMINISTIC_ECDSA are already
- # set in include/psa/crypto_config.h
- msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDSA without MBEDTLS_ECDSA_C"
- scripts/config.py full
- scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
- scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
- scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
- scripts/config.py unset MBEDTLS_ECDSA_C
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
- scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
- # Need to define the correct symbol and include the test driver header path in order to build with the test driver
- make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
-}
-
# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test.
component_build_psa_accel_alg_ecdh() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH