sig_algs: Add non-regression test

Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-04-02 18:46:06 +02:00 · 2026-01-23 16:18:01 +00:00
parent bab37f69d9
commit 475ac34e1f
3 changed files with 150 additions and 0 deletions
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -68,12 +68,40 @@
 #define MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
 #endif

+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
+    defined(PSA_WANT_ECC_SECP_R1_384) && \
+    defined(PSA_WANT_ALG_SHA_384)
+#define MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY
+#endif
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)        || \
+    defined(PSA_WANT_ECC_SECP_R1_256)           || \
+    defined(PSA_WANT_ECC_SECP_R1_384)           || \
+    defined(PSA_WANT_ECC_MONTGOMERY_448)        || \
+    defined(PSA_WANT_ECC_SECP_R1_521)           || \
+    defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)    || \
+    defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)    || \
+    defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define MBEDTLS_TEST_HAS_DEFAULT_EC_GROUP
+#endif
+
 #if defined(PSA_WANT_ALG_GCM) || \
    defined(PSA_WANT_ALG_CCM) || \
    defined(PSA_WANT_ALG_CHACHA20_POLY1305)
 #define MBEDTLS_TEST_HAS_AEAD_ALG
 #endif

+/*
+ * To use the test keys we need PSA_WANT_ALG_SHA_256. Some test cases need an additional hash that
+ * can be used in modern TLS, but it doesn't matter which one.
+ */
+#if defined(PSA_WANT_ALG_SHA_512) || \
+    defined(PSA_WANT_ALG_SHA_384) || \
+    defined(PSA_WANT_ALG_SHA_224) || \
+    defined(PSA_WANT_ALG_SHA_1)
+#define MBEDTLS_TEST_HAS_ADDITIONAL_HASH
+#endif
+
 enum {
 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string)          \
    tls13_label_ ## name,
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3530,3 +3530,11 @@ ssl_get_alert_after_fatal

 TLS 1.3 - HRR then TLS 1.2 second ClientHello
 tls13_hrr_then_tls12_second_client_hello
+
+Negative Test: Server using sig_alg not offered by the client #1
+depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:PSA_WANT_ALG_SHA_256
+send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
+
+Negative Test: Server using sig_alg not offered by the client #2
+depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_512
+send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -5725,6 +5725,120 @@ exit:
 }
 /* END_CASE */

+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_ALG_SHA_256:MBEDTLS_TEST_HAS_ADDITIONAL_HASH:MBEDTLS_TEST_HAS_DEFAULT_EC_GROUP*/
+void send_invalid_sig_alg(int sig, int hash, int expected_ret)
+{
+    // This is a test about the client behaviour in case it receives a key exchange signed with a
+    // sig_alg it didn't specify in the client hello. The input specifies a target_sig_alg, which we
+    // make sure that the client does not offer but the server does. Then we make the server beleive
+    // that target_sig_alg is the only one the client offered.
+
+    // Remark: We need an additional hash algorithm offered, because if we don't have it, the server
+    // realises too early that there is no common ground and we don't get the chance to manipulate
+    // it. This is why we need MBEDTLS_TEST_HAS_ADDITIONAL_HASH in the requirements.
+
+    enum { BUFFSIZE = 16384 };
+    uint16_t *client_sig_algs = NULL;
+    mbedtls_test_ssl_endpoint server, client;
+    memset(&server, 0, sizeof(server));
+    memset(&client, 0, sizeof(client));
+    mbedtls_test_handshake_test_options options;
+    memset(&options, 0, sizeof(options));
+
+    uint16_t target_sig_alg = ((hash << 8) | sig);
+
+    mbedtls_test_init_handshake_options(&options);
+
+    // Make sure the server has credentals for target_sig_alg
+    if (sig == MBEDTLS_SSL_SIG_ECDSA) {
+        options.pk_alg = MBEDTLS_PK_ECDSA;
+    } else {
+        options.pk_alg = MBEDTLS_PK_RSA;
+    }
+
+    // Force a ciphersuite where target_sig_alg is relevant
+    if (sig == MBEDTLS_SSL_SIG_ECDSA) {
+        options.cipher = "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256";
+    } else {
+        options.cipher = "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256";
+    }
+
+    // Force TLS 1.2 as this test is a non-regression test for a bug in TLS 1.2 client and TLS 1.3
+    // behaviour in this regard is substantially different.
+    options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
+    options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
+
+    // Add loggers for easier debugging - we are not looking for any patterns.
+    // To turn on debug output, uncomment the threshold line and set the macro in
+    // the definition of mbedtls_test_ssl_log_analyzer().
+#if defined(MBEDTLS_DEBUG_C)
+    options.srv_log_obj = NULL;
+    options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
+    options.cli_log_obj = NULL;
+    options.cli_log_fun = mbedtls_test_ssl_log_analyzer;
+    mbedtls_debug_set_threshold(3);
+#endif
+
+    int ret = -1;
+
+    PSA_INIT();
+
+    ret = mbedtls_test_ssl_endpoint_init_conf(&client, MBEDTLS_SSL_IS_CLIENT, &options);
+    TEST_EQUAL(ret, 0);
+
+    // Remove the target signature algorithm from the client's list
+    size_t client_sig_algs_len = 0;
+    while (client.conf.sig_algs[client_sig_algs_len++] != MBEDTLS_TLS1_3_SIG_NONE) {
+        ;
+    }
+    client_sig_algs_len--;
+
+    TEST_CALLOC(client_sig_algs, client_sig_algs_len);
+    size_t j = 0;
+    for (size_t i = 0; client.conf.sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++) {
+        if (client.conf.sig_algs[i] != target_sig_alg) {
+            client_sig_algs[j++] = client.conf.sig_algs[i];
+        }
+    }
+    TEST_ASSERT(j < client_sig_algs_len);
+    client_sig_algs[j] = MBEDTLS_TLS1_3_SIG_NONE;
+    client.conf.sig_algs = client_sig_algs;
+
+    ret = mbedtls_test_ssl_endpoint_init_ssl(&client, &options);
+    TEST_EQUAL(ret, 0);
+
+    ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
+                                         &options);
+    TEST_EQUAL(ret, 0);
+
+    ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket,
+                                           BUFFSIZE);
+    TEST_EQUAL(ret, 0);
+
+    // Move the connection to the point before the server sending the key exchange message
+    ret = mbedtls_test_move_handshake_to_state(&server.ssl, &client.ssl,
+                                               MBEDTLS_SSL_SERVER_KEY_EXCHANGE);
+    TEST_EQUAL(ret, 0);
+
+    // Make the server beleive that the only sig_alg the client accepts is target_sig_alg
+    server.ssl.handshake->received_sig_algs[0] = target_sig_alg;
+    server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE;
+
+    // Move the connection to a state where it is certain that the client has parsed the server key
+    // exchange
+    ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl,
+                                               MBEDTLS_SSL_CERTIFICATE_REQUEST);
+    TEST_EQUAL(ret, expected_ret);
+
+exit:
+    mbedtls_test_free_handshake_options(&options);
+    mbedtls_test_ssl_endpoint_free(&server);
+    mbedtls_test_ssl_endpoint_free(&client);
+    mbedtls_free(client_sig_algs);
+    PSA_DONE();
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
 void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context)
 {