Backport 3.6: Fix insufficient union initialization in contexts

[gilles-peskine-arm]

Fix issues with some PSA operation contexts not being properly initialized to all-bits-zero:

• under compilers such as GCC 15 where union foo x = {0} does not initialize bytes that are not used by the first member of union foo — resolves HMAC-SHA-256 test failures on upcoming gcc-15 (after partial union initialization changes) #9814;
• sometimes, when reusing an operation object and not using the built-in driver — fixes PSA drivers: the setup entry point can receive an operation that isn't all zero #9975.

In this pull request, the practical definition of done is that the unit tests now pass with GCC 15. I don't think this is sufficient non-regression testing for #9814 and #9975. I've added a changelog entry, but I'm open to removing it until we have better testing.

I have written further tests which are feature-complete but may need a little rework to pass the CI, consisting of:

• Fix union initialization in PSA operations for GCC 15 (test helpers) mbedtls-framework#135 — assert that contexts are all-bit zero when entering test drivers' setup entry points. Does not add coverage for cases where we don't have test drivers.
• Backport 3.6: Fix union initialization in PSA operations for GCC 15 #9955 — use deliberately short union initializers in many unit tests, which doesn't really improve coverage but means that revealing bugs does not rely on GCC 15's union initialization optimization.

Beyond that, what we may want to test better — done in Mbed-TLS/mbedtls-framework#168 and #10179:

• Make sure all relevant cases are covered in test drivers. We're at least missing coverage for multipart AEAD.
• Make sure all relevant cases are covered with respect to reusing an operation object. I'm not sure what we're missing, if anything. Where we have test drivers, asserting that the context is all-bits-zero after a short initializer also practically asserts that the context is all-bits-zero when reusing an operation object, because the short initializer doesn't set the driver-specific part of the context to zero.

PR checklist

• changelog provided
• development PR Test with GCC 15 with sloppy union initialization #10177
• TF-PSA-Crypto PR Fix insufficient union initialization in contexts TF-PSA-Crypto#295
• framework PR not required
• 3.6 PR here
• tests provided with GCC 15; more to follow in Check union initialization in test drivers mbedtls-framework#168 and Backport 3.6: Check union initialization portably #10179

[bjwtaylor]

When I build this branch using fc42 as follows:

docker pull fedora:42
docker run -it fedora:42 bash
sudo dnf group install "development-tools"
sudo dnf install cmake
sudo dnf install python3-jinja2
git clone --recurse-submodules -b union-initialization-gcc15-basic-fix-3.6 https://github.com/gilles-peskine-arm/mbedtls.git mbedtls.gilles-peskine-arm.union-initialization-gcc15-basic-fix-3.6
'mkdir mbedtls_build.gilles-peskine-arm.union-initialization-gcc15-basic-fix-3.6 cd mbedtls_build.gilles-peskine-arm.union-initialization-gcc15-basic-fix-3.6 cmake ../mbedtls.gilles-peskine-arm.union-initialization-gcc15-basic-fix-3.6/ cmake --build .`

I get the following build error:

/home/mbedtls.gilles-peskine-arm.union-initialization-gcc15-basic-fix-3.6/framework/tests/src/psa_exercise_key.c:187:36: error: initializer-string for array of ‘unsigned char’ truncates NUL terminator but destination lacks ‘nonstring’ attribute (33 chars into 32 available) [-Werror=unterminated-string-initialization]
187 | unsigned char ciphertext[32] = "(wabblewebblewibblewobblewubble)";
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
gmake[2]: *** [CMakeFiles/mbedtls_test.dir/build.make:317: CMakeFiles/mbedtls_test.dir/framework/tests/src/psa_exercise_key.c.o] Error 1
gmake[1]: *** [CMakeFiles/Makefile2:1150: CMakeFiles/mbedtls_test.dir/all] Error 2
gmake: *** [Makefile:146: all] Error 2

Not sure this is related to the original issue, though also seems an issue with gcc 15. So maybe we fix it here or in another PR? Or is it some issue with my test method? gcc version FYI:

[root@1f02bf6b65be home]# gcc --version
gcc (GCC) 15.1.1 20250425 (Red Hat 15.1.1-1)
Copyright (C) 2025 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Let me know what you think?

[gilles-peskine-arm]

@bjwtaylor That's #9944 which is out of scope here. We currently disable this warning in component_test_gcc15_drivers_opt in all.sh.

[gabor-mezei-arm]

Only minor things found. Otherwise looks good to me.

[gabor-mezei-arm]

LGTM

[gilles-peskine-arm]

@gabor-mezei-arm What do you think about test coverage? Do you think that Mbed-TLS/mbedtls-framework#135 is enough, or do we need more? (Just in terms of what it claims to do, it's not yet ready for a code review.)

[mpg]

LGTM!

More precisely, I think the changes that are here are correct. Regarding the question of whether they're complete, I'm relying on the tests (present and upcoming).

[gilles-peskine-arm]

I've made pull requests for the test follow-ups. For 3.6:

1. Check union initialization in test drivers mbedtls-framework#168
2. Backport 3.6: Check union initialization portably #10179

The crypto and mbedtls pull requests will need a few rebase cycles after their precedessors are merged, but I don't intend to rewrite the existing history otherwise. I'll make new commits to handle review comments and CI failures.

[gabor-mezei-arm]

@gabor-mezei-arm What do you think about test coverage? Do you think that Mbed-TLS/mbedtls-framework#135 is enough, or do we need more? (Just in terms of what it claims to do, it's not yet ready for a code review.)

I think these tests give enough coverage.