Fix crash in compliance tests

scripts/data_files/psa-arch-tests/fix-aead-stack-buffer-overflow.patch

@@ -0,0 +1,45 @@
+commit 7b89b1c9dfe5f28edb631abb3763e4e12661a505
+Author: Gilles Peskine <[email protected]>
+Date:   2025-10-01 19:05:23 +0200
+
+    Fix stack buffer overflow in AEAD tests
+
+    Pass the remaining buffer length to API functions, not the length of the
+    original buffer.
+
+    Signed-off-by: Gilles Peskine <[email protected]>
+
+diff --git a/api-tests/dev_apis/crypto/test_c061/test_c061.c b/api-tests/dev_apis/crypto/test_c061/test_c061.c
+index df8e3e910..79ff154ac 100644
+--- a/api-tests/dev_apis/crypto/test_c061/test_c061.c
++++ b/api-tests/dev_apis/crypto/test_c061/test_c061.c
+@@ -96,9 +96,11 @@ int32_t psa_aead_finish_test(caller_security_t caller __UNUSED)
+                  BUFFER_SIZE, &length);
+         TEST_ASSERT_EQUAL(status, PSA_SUCCESS, TEST_CHECKPOINT_NUM(8));
+
++        size_t remaining_output_size = check1[i].output_size > length ? check1[i].output_size - length : 0;
++
+         /* Finish encrypting a message in an AEAD operation */
+         status = val->crypto_function(VAL_CRYPTO_AEAD_FINISH, &operation, output + length,
+-                 check1[i].output_size, &finish_length, tag, check1[i].tag_size, &tag_length);
++                 remaining_output_size, &finish_length, tag, check1[i].tag_size, &tag_length);
+         TEST_ASSERT_EQUAL(status, check1[i].expected_status, TEST_CHECKPOINT_NUM(9));
+
+         if (check1[i].expected_status != PSA_SUCCESS)
+diff --git a/api-tests/dev_apis/crypto/test_c063/test_c063.c b/api-tests/dev_apis/crypto/test_c063/test_c063.c
+index cee674155..66211ae8e 100644
+--- a/api-tests/dev_apis/crypto/test_c063/test_c063.c
++++ b/api-tests/dev_apis/crypto/test_c063/test_c063.c
+@@ -95,9 +95,11 @@ int32_t psa_aead_verify_test(caller_security_t caller __UNUSED)
+                  BUFFER_SIZE, &length);
+         TEST_ASSERT_EQUAL(status, PSA_SUCCESS, TEST_CHECKPOINT_NUM(8));
+
++        size_t remaining_output_size = check1[i].output_size > length ? check1[i].output_size - length : 0;
++
+         /* Finish authenticating and decrypting a message in an AEAD operation */
+         status = val->crypto_function(VAL_CRYPTO_AEAD_VERIFY, &operation, output + length,
+-                 check1[i].output_size, &verify_length, check1[i].tag, check1[i].tag_length);
++                 remaining_output_size, &verify_length, check1[i].tag, check1[i].tag_length);
+         TEST_ASSERT_DUAL(status,
+                          check1[i].expected_status[0],
+                          check1[i].expected_status[1],

scripts/data_files/psa-arch-tests/pal_crypto_config.patch

@@ -1,5 +1,5 @@
 diff --git a/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h b/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h
-index dad40ec..8d19699 100644
+index dad40ec4b..91072b4fb 100644
 --- a/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h
 +++ b/api-tests/platform/targets/tgt_dev_apis_stdc/nspe/pal_crypto_config.h
 @@ -53,7 +53,7 @@
@@ -66,7 +66,15 @@ index dad40ec..8d19699 100644
 
  /**
   * \def ARCH_TEST_ECC_ASYMMETRIC_API_SUPPORT
-@@ -397,10 +397,10 @@
+@@ -390,17 +390,17 @@
+  *
+  * Enable support for balanced PAKE: ECJPAKE algorithm
+ */
+-#define ARCH_TEST_JPAKE
++//#define ARCH_TEST_JPAKE
+
+ /**
+  * \def ARCH_TEST_SPAKE2P
   *
   * Enable support for augmented PAKE: SPAKE2P algorithm
   */

scripts/data_files/psa-arch-tests/test_c078.patch

@@ -0,0 +1,33 @@
+commit 7d7f86a3ac27dff664cc86140dbf69a29da87426
+Author: Gilles Peskine <[email protected]>
+Date:   2025-10-03 22:13:27 +0200
+
+    Fix JPAKE test executed even when JPAKE is disabled
+
+    Partial backport of 232fb5801273dbc97789cb9079f1168499e34a2a,
+    first released in v25.08_API1.9_ADAC_1.0.2 .
+
+    Signed-off-by: Gilles Peskine <[email protected]>
+
+diff --git a/api-tests/dev_apis/crypto/test_c078/test_c078.c b/api-tests/dev_apis/crypto/test_c078/test_c078.c
+index 70b956dd8..7f0c99240 100644
+--- a/api-tests/dev_apis/crypto/test_c078/test_c078.c
++++ b/api-tests/dev_apis/crypto/test_c078/test_c078.c
+@@ -101,6 +101,7 @@ int32_t send_message_jpake(psa_pake_operation_t *from, psa_pake_operation_t *to,
+
+ int32_t psa_pake_jpake_test(caller_security_t caller __UNUSED)
+ {
++#ifdef ARCH_TEST_JPAKE
+     uint8_t i = 0;
+     int32_t status;
+     psa_pake_operation_t user = PSA_PAKE_OPERATION_INIT;
+@@ -307,4 +308,9 @@ int32_t psa_pake_jpake_test(caller_security_t caller __UNUSED)
+   TEST_ASSERT_EQUAL(status, PSA_SUCCESS, TEST_CHECKPOINT_NUM(60));
+
+   return VAL_STATUS_SUCCESS;
++
++#else
++  val->print(PRINT_TEST, "No test available for the selected crypto configuration\n", 0);
++  return RESULT_SKIP(VAL_STATUS_NO_TESTS);
++#endif
+ }

tests/scripts/test_psa_compliance.py

@@ -1,10 +1,14 @@
 #!/usr/bin/env python3
 """Run the PSA Crypto API compliance test suite.
 
-Clone the repo and check out the commit specified by PSA_ARCH_TEST_REPO and PSA_ARCH_TEST_REF,
-then compile and run the test suite. The clone is stored at <repository root>/psa-arch-tests.
-Known defects in either the test suite or Mbed TLS - identified by their test
-number - are ignored, while unexpected failures AND successes are reported as errors, to help
+Clone the psa-arch-tests repo and check out the specified commit.
+The clone is stored at <repository-root>/psa-arch-tests.
+Check out the commit specified in this script and apply patches if needed.
+The patches are located at <repository-root>/scripts/data_files/psa-arch-tests/ .
+Compile the library and the compliance tests and run the test suite.
+
+This script can specify a list of expected failures.
+Unexpected failures and successes are reported as errors, to help
 keep the list of known defects as up to date as possible.
 """
 
@@ -24,6 +28,9 @@
 # Test number 2xx corresponds to the files in the folder
 # psa-arch-tests/api-tests/dev_apis/crypto/test_c0xx
 EXPECTED_FAILURES = [
+    # Tests for psa_key_derivation_verify_bytes() and
+    # psa_key_derivation_verify_key(). We don't implement these functions yet.
+    267, 268,
 ] # type: List[int]
 
 if __name__ == '__main__':