From 03a9c87895749a8d8da53ade567e336d5e986f72 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 11 Mar 2026 09:57:04 +0000 Subject: [PATCH] send_invalid_sig_alg: add baseline test Add a test case with a successful handshake for each test case that causes the desired handshake failure, with minimal differences between the two. The reason is to have more assurance that the handshake is failing for the desired reason (as opposed to not having done something correctly in the test code). Signed-off-by: Janos Follath --- tests/suites/test_suite_ssl.data | 12 ++++++++++-- tests/suites/test_suite_ssl.function | 13 +++++++++---- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index f26a211799..f1d53a74eb 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3528,10 +3528,18 @@ ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTI TLS 1.3 - HRR then TLS 1.2 second ClientHello tls13_hrr_then_tls12_second_client_hello -Negative Test: Server using sig_alg not offered by the client #1 +Baseline for: Server using sig_alg not offered by the client - RSA with SHA256 +depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C +send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:0 + +Negative Test: Server using sig_alg not offered by the client - RSA with SHA256 depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER -Negative Test: Server using sig_alg not offered by the client #2 +Baseline for: Server using sig_alg not offered by the client - ECDSA with SHA512 +depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:MBEDTLS_SHA512_C +send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:0 + +Negative Test: Server using sig_alg not offered by the client - ECDSA with SHA512 depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:MBEDTLS_SHA512_C send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d6c16b3ad2..0cd8c1cfbc 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5821,16 +5821,21 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret) MBEDTLS_SSL_SERVER_KEY_EXCHANGE); TEST_EQUAL(ret, 0); - // Make the server believe that the only sig_alg the client accepts is target_sig_alg - server.ssl.handshake->received_sig_algs[0] = target_sig_alg; - server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE; + if (expected_ret != 0) { + // Make the server believe that the only sig_alg the client accepts is target_sig_alg + server.ssl.handshake->received_sig_algs[0] = target_sig_alg; + server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE; + } // Move the connection to a state where it is certain that the client has parsed the server key // exchange ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); TEST_EQUAL(ret, expected_ret); - TEST_EQUAL(cli_pattern.counter, 1); + + if (expected_ret != 0) { + TEST_EQUAL(cli_pattern.counter, 1); + } exit: mbedtls_debug_set_threshold(0);