send_invalid_sig_alg: add baseline test

Add a test case with a successful handshake for each test case that causes the desired handshake failure, with minimal differences between the two. The reason is to have more assurance that the handshake is failing for the desired reason (as opposed to not having done something correctly in the test code). Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-04-24 20:49:44 +02:00 · 2026-03-11 09:57:04 +00:00
parent 4d2027b271
commit 03a9c87895
2 changed files with 19 additions and 6 deletions
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3528,10 +3528,18 @@ ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTI
 TLS 1.3 - HRR then TLS 1.2 second ClientHello
 tls13_hrr_then_tls12_second_client_hello

-Negative Test: Server using sig_alg not offered by the client #1
+Baseline for: Server using sig_alg not offered by the client - RSA with SHA256
+depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C
+send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:0
+
+Negative Test: Server using sig_alg not offered by the client - RSA with SHA256
 depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C
 send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER

-Negative Test: Server using sig_alg not offered by the client #2
+Baseline for: Server using sig_alg not offered by the client - ECDSA with SHA512
+depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:MBEDTLS_SHA512_C
+send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:0
+
+Negative Test: Server using sig_alg not offered by the client - ECDSA with SHA512
 depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:MBEDTLS_SHA512_C
 send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -5821,16 +5821,21 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
                                               MBEDTLS_SSL_SERVER_KEY_EXCHANGE);
    TEST_EQUAL(ret, 0);

-    // Make the server believe that the only sig_alg the client accepts is target_sig_alg
-    server.ssl.handshake->received_sig_algs[0] = target_sig_alg;
-    server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE;
+    if (expected_ret != 0) {
+        // Make the server believe that the only sig_alg the client accepts is target_sig_alg
+        server.ssl.handshake->received_sig_algs[0] = target_sig_alg;
+        server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE;
+    }

    // Move the connection to a state where it is certain that the client has parsed the server key
    // exchange
    ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl,
                                               MBEDTLS_SSL_CERTIFICATE_REQUEST);
    TEST_EQUAL(ret, expected_ret);
-    TEST_EQUAL(cli_pattern.counter, 1);
+
+    if (expected_ret != 0) {
+        TEST_EQUAL(cli_pattern.counter, 1);
+    }

 exit:
    mbedtls_debug_set_threshold(0);