From c3fe74f302625d23e8ee8d10b32c864ff1ef2df8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 1 Dec 2025 14:14:05 +0100 Subject: [PATCH 1/3] Use short initializers in PAKE tests When initializing a PAKE operation structure, use an auxiliary function that doesn't initialize union members to all-bits-zero. Context: on most compilers, initializing a union to `{0}` initializes it to all bits zero; but on some compilers, the trailing part of members other than the first is left uninitialized. This way, we can run the tests on any platform and validate that the code would work correctly on platforms where union initialization is short, such as GCC 15. This commit extends 93dd99571b46f012a462c7a2494ccfe9ec0603a1 to `test_suite_psa_crypto_pake.function`. Signed-off-by: Gilles Peskine --- .../suites/test_suite_psa_crypto_pake.function | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 08c88a1d6e..2225959cfc 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -593,7 +593,7 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, int expected_error_arg) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_operation_t operation = psa_pake_operation_init_short(); psa_algorithm_t alg = alg_arg; psa_pake_primitive_t primitive = primitive_arg; psa_key_type_t key_type_pw = key_type_pw_arg; @@ -779,8 +779,8 @@ void ecjpake_rounds_inject(int alg_arg, int primitive_arg, int hash_arg, int inject_in_second_round) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t server = psa_pake_operation_init(); - psa_pake_operation_t client = psa_pake_operation_init(); + psa_pake_operation_t server = psa_pake_operation_init_short(); + psa_pake_operation_t client = psa_pake_operation_init_short(); psa_algorithm_t alg = alg_arg; psa_algorithm_t hash_alg = hash_arg; mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; @@ -839,8 +839,8 @@ void ecjpake_rounds(int alg_arg, int primitive_arg, int hash_arg, int err_stage_arg) { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t server = psa_pake_operation_init(); - psa_pake_operation_t client = psa_pake_operation_init(); + psa_pake_operation_t server = psa_pake_operation_init_short(); + psa_pake_operation_t client = psa_pake_operation_init_short(); psa_algorithm_t alg = alg_arg; psa_algorithm_t hash_alg = hash_arg; psa_algorithm_t derive_alg = derive_alg_arg; @@ -980,7 +980,7 @@ void ecjpake_size_macros() void pake_input_getters_password() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_operation_t operation = psa_pake_operation_init_short(); mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; const char *password = "password"; @@ -1045,7 +1045,7 @@ exit: void pake_input_getters_cipher_suite() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_operation_t operation = psa_pake_operation_init_short(); psa_pake_cipher_suite_t cipher_suite_ret = psa_pake_cipher_suite_init(); psa_pake_primitive_t primitive = PSA_PAKE_PRIMITIVE( @@ -1079,7 +1079,7 @@ exit: void pake_input_getters_user() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_operation_t operation = psa_pake_operation_init_short(); const char *users[] = { "client", "server", "other" }; uint8_t user_ret[20] = { 0 }; // max user length is 20 bytes size_t user_len_ret = 0; @@ -1142,7 +1142,7 @@ exit: void pake_input_getters_peer() { psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_operation_t operation = psa_pake_operation_init(); + psa_pake_operation_t operation = psa_pake_operation_init_short(); const char *peers[] = { "client", "server", "other" }; uint8_t peer_ret[20] = { 0 }; // max peer length is 20 bytes size_t peer_len_ret = 0; From dd921414d3f8c126bb5924f151e3dbfd15c3f9b2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Apr 2026 11:39:09 +0200 Subject: [PATCH 2/3] Don't assert anything about uninitialized parts of structures In a PAKE operation that has been initialized with `PSA_PAKE_OPERATION_INIT` or `psa_pake_operation_init()`, the content of the driver-specific part is indeterminate. It is actually all-bits-zero on most platforms, but not all, e.g. not with GCC 15 or CompCert. So don't assert anything about it. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_psa_crypto_pake.function | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 2225959cfc..125c9e1245 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -1058,9 +1058,6 @@ void pake_input_getters_cipher_suite() psa_pake_cs_set_primitive(&cipher_suite, primitive); psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); - TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), - PSA_ERROR_BAD_STATE); - PSA_ASSERT(psa_pake_setup(&operation, &cipher_suite)); TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), @@ -1069,6 +1066,10 @@ void pake_input_getters_cipher_suite() TEST_MEMORY_COMPARE(&cipher_suite_ret, sizeof(cipher_suite_ret), &cipher_suite, sizeof(cipher_suite)); + PSA_ASSERT(psa_pake_abort(&operation)); + TEST_EQUAL(psa_crypto_driver_pake_get_cipher_suite(&operation.data.inputs, &cipher_suite_ret), + PSA_ERROR_BAD_STATE); + exit: PSA_ASSERT(psa_pake_abort(&operation)); PSA_DONE(); From 4877c0838d8f44633bff742240776105074a3d05 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 10 Apr 2026 11:45:26 +0200 Subject: [PATCH 3/3] Fix an infinite loop if cleanup fails in some tests Don't call a macro that does `goto exit` on failure after the `exit:` label: that would cause an infinite loop if something does go wrong. Generally, cleanup functions don't error out, so it is unlikely to be a problem in practice. If an error does happen during cleanup, it's probably due to memory corruption caused by a bug that happened earlier, and that is likely to have been detected in an earlier function. So we don't really need to assert the return code of functions called during cleanup, and normally we don't. Only a few places did so, wrongly. I found the problematic places with ``` ag 'exit:[^}]*(PSA_ASSERT|TEST_ASSERT|TEST_EQUAL)' tests/suites/*.function ``` Signed-off-by: Gilles Peskine --- tests/suites/test_suite_pk.function | 2 +- tests/suites/test_suite_psa_crypto.function | 14 +++++++------- ...est_suite_psa_crypto_driver_wrappers.function | 4 ++-- tests/suites/test_suite_psa_crypto_pake.function | 16 +++++++++------- 4 files changed, 19 insertions(+), 17 deletions(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index a8cf711098..9bfbb37bc9 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -781,7 +781,7 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg, exit: psa_reset_key_attributes(&attributes); - PSA_ASSERT(psa_destroy_key(key)); + psa_destroy_key(key); mbedtls_pk_free(&pk); USE_PSA_DONE(); } diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index fb278ddbda..6d560928b9 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -2411,7 +2411,7 @@ void aead_key_policy(int policy_usage_arg, } exit: - PSA_ASSERT(psa_aead_abort(&operation)); + psa_aead_abort(&operation); psa_destroy_key(key); PSA_DONE(); } @@ -3030,7 +3030,7 @@ void hash_compute_fail(int alg_arg, data_t *input, } exit: - PSA_ASSERT(psa_hash_abort(&operation)); + psa_hash_abort(&operation); mbedtls_free(output); PSA_DONE(); } @@ -3069,7 +3069,7 @@ void hash_compare_fail(int alg_arg, data_t *input, } exit: - PSA_ASSERT(psa_hash_abort(&operation)); + psa_hash_abort(&operation); PSA_DONE(); } /* END_CASE */ @@ -3173,7 +3173,7 @@ void hash_compute_compare(int alg_arg, data_t *input, } exit: - PSA_ASSERT(psa_hash_abort(&operation)); + psa_hash_abort(&operation); PSA_DONE(); } /* END_CASE */ @@ -4345,7 +4345,7 @@ void cipher_alg_without_iv(int alg_arg, int key_type_arg, data_t *key_data, output, output_length); exit: - PSA_ASSERT(psa_cipher_abort(&operation)); + psa_cipher_abort(&operation); mbedtls_free(output); psa_cipher_abort(&operation); psa_destroy_key(key); @@ -10967,8 +10967,8 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, } exit: - PSA_ASSERT(psa_destroy_key(key)); - PSA_ASSERT(psa_pake_abort(&operation)); + psa_destroy_key(key); + psa_pake_abort(&operation); mbedtls_free(output_buffer); PSA_DONE(); } diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index f5bed37c85..91b1ff60e5 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -2899,7 +2899,7 @@ void aead_encrypt_setup(int key_type_arg, data_t *key_data, exit: /* Cleanup */ - PSA_ASSERT(psa_destroy_key(key)); + psa_destroy_key(key); mbedtls_free(output_data); PSA_DONE(); mbedtls_test_driver_aead_hooks = mbedtls_test_driver_aead_hooks_init(); @@ -3001,7 +3001,7 @@ void aead_decrypt_setup(int key_type_arg, data_t *key_data, } exit: - PSA_ASSERT(psa_destroy_key(key)); + psa_destroy_key(key); mbedtls_free(output_data); PSA_DONE(); } diff --git a/tests/suites/test_suite_psa_crypto_pake.function b/tests/suites/test_suite_psa_crypto_pake.function index 125c9e1245..303ef0deaf 100644 --- a/tests/suites/test_suite_psa_crypto_pake.function +++ b/tests/suites/test_suite_psa_crypto_pake.function @@ -763,8 +763,8 @@ void ecjpake_setup(int alg_arg, int key_type_pw_arg, int key_usage_pw_arg, } exit: - PSA_ASSERT(psa_destroy_key(key)); - PSA_ASSERT(psa_pake_abort(&operation)); + psa_destroy_key(key); + psa_pake_abort(&operation); mbedtls_free(output_buffer); PSA_DONE(); } @@ -1035,8 +1035,8 @@ void pake_input_getters_password() TEST_MEMORY_COMPARE(password_ret, buffer_len_ret, password, strlen(password)); exit: - PSA_ASSERT(psa_destroy_key(key)); - PSA_ASSERT(psa_pake_abort(&operation)); + psa_destroy_key(key); + psa_pake_abort(&operation); PSA_DONE(); } /* END_CASE */ @@ -1071,7 +1071,7 @@ void pake_input_getters_cipher_suite() PSA_ERROR_BAD_STATE); exit: - PSA_ASSERT(psa_pake_abort(&operation)); + psa_pake_abort(&operation); PSA_DONE(); } /* END_CASE */ @@ -1133,8 +1133,9 @@ void pake_input_getters_user() TEST_MEMORY_COMPARE(user_ret, buffer_len_ret, user, user_len); } + exit: - PSA_ASSERT(psa_pake_abort(&operation)); + psa_pake_abort(&operation); PSA_DONE(); } /* END_CASE */ @@ -1196,8 +1197,9 @@ void pake_input_getters_peer() TEST_MEMORY_COMPARE(peer_ret, buffer_len_ret, peer, peer_len); } + exit: - PSA_ASSERT(psa_pake_abort(&operation)); + psa_pake_abort(&operation); PSA_DONE(); } /* END_CASE */