diff --git a/components/mbedtls/port/esp32s3/bignum.c b/components/mbedtls/port/esp32s3/bignum.c
index 768646d331..fe33dea2f0 100644
--- a/components/mbedtls/port/esp32s3/bignum.c
+++ b/components/mbedtls/port/esp32s3/bignum.c
@@ -16,6 +16,7 @@
 #include "soc/system_reg.h"
 #include "soc/periph_defs.h"
 #include
+#include "esp_crypto_lock.h"
 
 size_t esp_mpi_hardware_words(size_t words)
 {
@@ -24,6 +25,8 @@ size_t esp_mpi_hardware_words(size_t words)
 
 void esp_mpi_enable_hardware_hw_op( void )
 {
+    esp_crypto_mpi_lock_acquire();
+
     /* Enable RSA hardware */
     periph_module_enable(PERIPH_RSA_MODULE);
 
@@ -43,6 +46,8 @@ void esp_mpi_disable_hardware_hw_op( void )
 
     /* Disable RSA hardware */
     periph_module_disable(PERIPH_RSA_MODULE);
+
+    esp_crypto_mpi_lock_release();
 }
 
 void esp_mpi_interrupt_enable( bool enable )
diff --git a/components/mbedtls/test/test_esp_crt_bundle.c b/components/mbedtls/test/test_esp_crt_bundle.c
index b8ea822435..1c0e3e57a2 100644
--- a/components/mbedtls/test/test_esp_crt_bundle.c
+++ b/components/mbedtls/test/test_esp_crt_bundle.c
@@ -73,9 +73,6 @@ typedef enum {
 
 int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags);
 
-#if !TEMPORARY_DISABLED_FOR_TARGETS(ESP32S3)
-// TODO ESP32-S3 IDF-1878
-
 static const char *TAG = "cert_bundle_test";
 
 static volatile bool exit_flag;
@@ -294,6 +291,12 @@ int client_task(const uint8_t *bundle, size_t bundle_size, esp_crt_validate_res_
 
     *res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
 
+    if (*res == ESP_CRT_VALIDATE_OK) {
+        ESP_LOGI(TAG, "Certificate verification passed!");
+    } else {
+        ESP_LOGE(TAG, "Certificate verification failed!");
+    }
+
     // Reset session before new connection
     mbedtls_ssl_close_notify(&client.ssl);
 
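Review bot: The new `esp_crypto_mpi_lock_acquire()` at the top of `esp_mpi_enable_hardware_hw_op` turns every enable/disable pair into a lock/unlock pair, but nothing in the hunk states that contract, and a caller that takes an error return between enable and disable (the usual mbedtls cleanup pattern) would leave the RSA peripheral locked for every other task on the system. Whether the lock is recursive or safe to take from ISR context is not visible here either, so a nested enable would presumably deadlock — worth confirming against esp_crypto_lock.h. I would add a header comment on the function: `/* Takes the shared MPI lock before powering the peripheral; every call must be paired with esp_mpi_disable_hardware_hw_op() on all paths, including error returns, or the lock is never released. Not re-entrant. */`. The body of esp_mpi_enable_hardware_hw_op continues past the end of this hunk.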
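Review bot: The new `ESP_LOGE(TAG, "Certificate verification failed!")` discards `ret`, which is the only diagnostic the test has when the bundle rejects a chain, so a failure on the S3 target this commit re-enables will be reported with no mbedtls error code. `ret` is in scope on the line just above (`*res = (ret == 0) ? ...`), so the fix is one line: `ESP_LOGE(TAG, "Certificate verification failed! mbedtls returned -0x%04x", (unsigned int)-ret);`. If the verify flags from mbedtls_ssl_get_verify_result() are also available in client_task, logging them here would make the failure mode self-explanatory; client_task begins and ends outside this hunk.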
@@ -345,8 +348,6 @@ TEST_CASE("custom certificate bundle", "[mbedtls]")
     vSemaphoreDelete(signal_sem);
 }
 
-#endif //!TEMPORARY_DISABLED_FOR_TARGETS(ESP32S3)
-
 TEST_CASE("custom certificate bundle - weak hash", "[mbedtls]")
 {
     /* A weak signature hash on the trusted certificate should not stop
diff --git a/components/mbedtls/test/test_rsa.c b/components/mbedtls/test/test_rsa.c
index c69c60b07f..ef3f9c2c6f 100644
--- a/components/mbedtls/test/test_rsa.c
+++ b/components/mbedtls/test/test_rsa.c
@@ -423,7 +423,18 @@ static void print_rsa_details(mbedtls_rsa_context *rsa)
 }
 #endif
 
-TEST_CASE("test performance RSA key operations", "[bignum]")
+/** NOTE:
+* For ESP32-S3, CONFIG_ESP_CONSOLE_SECONDARY_USB_SERIAL_JTAG is enabled
+* by default; allocating a lock of 92 bytes, which is never freed.
+*
+* MR !18574 adds the MPI crypto lock for S3 increasing the leakage by
+* 92 bytes. This caused the RSA UT to fail with a leakage more than
+* 1024 bytes.
+*
+* The allocations made by ESP32-S2 (944 bytes) and ESP32-S3 are the same,
+* except for the JTAG lock (92 + 944 > 1024).
+*/
+TEST_CASE("test performance RSA key operations", "[bignum][leaks=1088]")
 {
     for (int keysize = 2048; keysize <= SOC_RSA_MAX_BIT_LEN; keysize += 1024) {
         rsa_key_operations(keysize, true, false);
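Review bot: The `[leaks=1088]` tag raises the leak budget for every target that runs this test, while the justification in the new comment is S3-only (the 92-byte USB-serial-JTAG lock) and the figures it gives add up to 944 + 92 = 1036, not 1088, so the extra 52 bytes of headroom is unexplained and would hide a genuine leak of that size in the RSA hardware path on ESP32-S2 or the S3 MPI lock itself. Either set the budget to the measured 1036 or state in the comment where the remaining margin comes from; test tags are static, so a per-target threshold is presumably not expressible here. I would also add one line to the note: `* This budget applies to every target, not only S3; keep it as tight as the measured figures allow.` Style-wise the comment is a Doxygen `/**` block on a test case with its `*` lines unindented; a plain `/*` with ` * ` continuation lines matches the rest of the file better.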