Merge branch 'bugfix/mbedtls_custom_cert_ut' into 'master'

ci: Fix `custom certificate bundle` UT failure for S3

See merge request espressif/esp-idf!18574

components/mbedtls/port/esp32s3/bignum.c

@@ -16,6 +16,7 @@
 #include "soc/system_reg.h"
 #include "soc/periph_defs.h"
 #include <sys/param.h>
+#include "esp_crypto_lock.h"
 
 size_t esp_mpi_hardware_words(size_t words)
 {
@@ -24,6 +25,8 @@ size_t esp_mpi_hardware_words(size_t words)
 
 void esp_mpi_enable_hardware_hw_op( void )
 {
+    esp_crypto_mpi_lock_acquire();
+
     /* Enable RSA hardware */
     periph_module_enable(PERIPH_RSA_MODULE);
 
@@ -43,6 +46,8 @@ void esp_mpi_disable_hardware_hw_op( void )
 
     /* Disable RSA hardware */
     periph_module_disable(PERIPH_RSA_MODULE);
+
+    esp_crypto_mpi_lock_release();
 }
 
 void esp_mpi_interrupt_enable( bool enable )

components/mbedtls/test/test_esp_crt_bundle.c

@@ -73,9 +73,6 @@ typedef enum {
 
 int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags);
 
-#if !TEMPORARY_DISABLED_FOR_TARGETS(ESP32S3)
-// TODO ESP32-S3 IDF-1878
-
 static const char *TAG = "cert_bundle_test";
 
 static volatile bool exit_flag;
@@ -294,6 +291,12 @@ int client_task(const uint8_t *bundle, size_t bundle_size, esp_crt_validate_res_
 
     *res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
 
+    if (*res == ESP_CRT_VALIDATE_OK) {
+        ESP_LOGI(TAG, "Certificate verification passed!");
+    } else {
+        ESP_LOGE(TAG, "Certificate verification failed!");
+    }
+
 
     // Reset session before new connection
     mbedtls_ssl_close_notify(&client.ssl);
@@ -345,8 +348,6 @@ TEST_CASE("custom certificate bundle", "[mbedtls]")
    vSemaphoreDelete(signal_sem);
 }
 
-#endif //!TEMPORARY_DISABLED_FOR_TARGETS(ESP32S3)
-
 TEST_CASE("custom certificate bundle - weak hash", "[mbedtls]")
 {
     /* A weak signature hash on the trusted certificate should not stop

components/mbedtls/test/test_rsa.c

@@ -423,7 +423,18 @@ static void print_rsa_details(mbedtls_rsa_context *rsa)
 }
 #endif
 
-TEST_CASE("test performance RSA key operations", "[bignum]")
+/** NOTE:
+* For ESP32-S3, CONFIG_ESP_CONSOLE_SECONDARY_USB_SERIAL_JTAG is enabled
+* by default; allocating a lock of 92 bytes, which is never freed.
+*
+* MR !18574 adds the MPI crypto lock for S3 increasing the leakage by
+* 92 bytes. This caused the RSA UT to fail with a leakage more than
+* 1024 bytes.
+*
+* The allocations made by ESP32-S2 (944 bytes) and ESP32-S3 are the same,
+* except for the JTAG lock (92 + 944 > 1024).
+*/
+TEST_CASE("test performance RSA key operations", "[bignum][leaks=1088]")
 {
     for (int keysize = 2048; keysize <= SOC_RSA_MAX_BIT_LEN; keysize += 1024) {
         rsa_key_operations(keysize, true, false);