From 629fd9362c0d3ab01f19d92d22269a1c5fae8783 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Nov 2020 22:14:34 +0100 Subject: [PATCH] Test SSL with non-deterministic ECDSA In component_test_no_hmac_drbg, the fact that HMAC_DRBG is disabled doesn't affect the SSL code, but the fact that deterministic ECDSA is disabled does. So run some ECDSA-related SSL tests. Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a2a26b45b..9ce1377b2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -890,11 +890,21 @@ component_test_no_hmac_drbg () { CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: no HMAC_DRBG" + msg "test: Full minus HMAC_DRBG - main suites" make test - # No ssl-opt.sh/compat.sh as they never use HMAC_DRBG so far, - # so there's little value in running those lengthy tests here. + # Normally our ECDSA implementation uses deterministic ECDSA. But since + # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used + # instead. + # Test SSL with non-deterministic ECDSA. Only test features that + # might be affected by how ECDSA signature is performed. + msg "test: Full minus HMAC_DRBG - ssl-opt.sh (subset)" + if_build_succeeded tests/ssl-opt.sh -f 'Default\|SSL async private: sign' + + # To save time, only test one protocol version, since this part of + # the protocol is identical in (D)TLS up to 1.2. + msg "test: Full minus HMAC_DRBG - compat.sh (ECDSA)" + if_build_succeeded tests/compat.sh -m tls1_2 -t 'ECDSA' } component_test_no_drbg_all_hashes () {