Merge pull request #4068 from stevew817/backport/pr-4008
[Backport 2.16] Avoid unreferenced items in ECDSA when ALT is in use
diff --git a/library/ecjpake.c b/library/ecjpake.c
index f6e2458..0532a29 100644
--- a/library/ecjpake.c
+++ b/library/ecjpake.c
@@ -850,6 +850,8 @@
0x65, 0x73, 0x74
};
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
static const unsigned char ecjpake_test_x1[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
@@ -994,6 +996,8 @@
return( ret );
}
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
/* For tests we don't need a secure RNG;
* use the LGC from Numerical Recipes for simplicity */
static int ecjpake_lgc( void *p, unsigned char *out, size_t len )
@@ -1089,6 +1093,12 @@
if( verbose != 0 )
mbedtls_printf( "passed\n" );
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+ /* 'reference handshake' tests can only be run against implementations
+ * for which we have 100% control over how the random ephemeral keys
+ * are generated. This is only the case for the internal mbed TLS
+ * implementation, so these tests are skipped in case the internal
+ * implementation is swapped out for an alternative one. */
if( verbose != 0 )
mbedtls_printf( " ECJPAKE test #2 (reference handshake): " );
@@ -1137,6 +1147,7 @@
if( verbose != 0 )
mbedtls_printf( "passed\n" );
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
cleanup:
mbedtls_ecjpake_free( &cli );
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a2a26b4..9ce1377 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -890,11 +890,21 @@
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: no HMAC_DRBG"
+ msg "test: Full minus HMAC_DRBG - main suites"
make test
- # No ssl-opt.sh/compat.sh as they never use HMAC_DRBG so far,
- # so there's little value in running those lengthy tests here.
+ # Normally our ECDSA implementation uses deterministic ECDSA. But since
+ # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used
+ # instead.
+ # Test SSL with non-deterministic ECDSA. Only test features that
+ # might be affected by how ECDSA signature is performed.
+ msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)"
+ if_build_succeeded tests/ssl-opt.sh -f 'Default\|SSL async private: sign'
+
+ # To save time, only test one protocol version, since this part of
+ # the protocol is identical in (D)TLS up to 1.2.
+ msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)"
+ if_build_succeeded tests/compat.sh -m tls1_2 -t 'ECDSA'
}
component_test_no_drbg_all_hashes () {