From f22ed632b43d4b4eba495cefcb040c836889579d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Tue, 3 Mar 2026 12:08:58 +0100
Subject: [PATCH] FFDH: also test peer key 1 byte too long
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 tests/suites/test_suite_psa_crypto.function | 38 +++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index a0c2da07f6..4fc1a515b4 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -9918,11 +9918,45 @@ void key_agreement(int alg_arg,
                                      bad_peer_key, bad_peer_key_len,
                                      output, expected_output->len,
                                      &output_length));
-    mbedtls_free(bad_peer_key);
-    bad_peer_key = NULL;
     mbedtls_free(output);
     output = NULL;
     output_length = ~0;
+    mbedtls_free(bad_peer_key);
+    bad_peer_key = NULL;
+
+    /* Input buffer (peer key) too large (leading 0) */
+    bad_peer_key_len = peer_key_data->len + 1;
+    TEST_CALLOC(bad_peer_key, bad_peer_key_len);
+    bad_peer_key[0] = 0x00;
+    memcpy(bad_peer_key + 1, peer_key_data->x, peer_key_data->len);
+    TEST_CALLOC(output, expected_output->len);
+    TEST_EQUAL(PSA_ERROR_INVALID_ARGUMENT,
+               psa_raw_key_agreement(alg, our_key,
+                                     bad_peer_key, bad_peer_key_len,
+                                     output, expected_output->len,
+                                     &output_length));
+    mbedtls_free(output);
+    output = NULL;
+    output_length = ~0;
+    mbedtls_free(bad_peer_key);
+    bad_peer_key = NULL;
+
+    /* Input buffer (peer key) too large (larger value) */
+    bad_peer_key_len = peer_key_data->len + 1;
+    TEST_CALLOC(bad_peer_key, bad_peer_key_len);
+    bad_peer_key[0] = 0x01;
+    memcpy(bad_peer_key + 1, peer_key_data->x, peer_key_data->len);
+    TEST_CALLOC(output, expected_output->len);
+    TEST_EQUAL(PSA_ERROR_INVALID_ARGUMENT,
+               psa_raw_key_agreement(alg, our_key,
+                                     bad_peer_key, bad_peer_key_len,
+                                     output, expected_output->len,
+                                     &output_length));
+    mbedtls_free(output);
+    output = NULL;
+    output_length = ~0;
+    mbedtls_free(bad_peer_key);
+    bad_peer_key = NULL;
 
     /* Output buffer too small */
     TEST_CALLOC(output, expected_output->len - 1);