From 475ac34e1fac035792d0a49c514d34f993f368bc Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 23 Jan 2026 16:18:01 +0000 Subject: [PATCH] sig_algs: Add non-regression test Signed-off-by: Janos Follath --- tests/include/test/ssl_helpers.h | 28 +++++++ tests/suites/test_suite_ssl.data | 8 ++ tests/suites/test_suite_ssl.function | 114 +++++++++++++++++++++++++++ 3 files changed, 150 insertions(+) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index d019c5065e..70e4bbaae1 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -68,12 +68,40 @@ #define MBEDTLS_CAN_HANDLE_RSA_TEST_KEY #endif +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ + defined(PSA_WANT_ECC_SECP_R1_384) && \ + defined(PSA_WANT_ALG_SHA_384) +#define MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY +#endif + +#if defined(PSA_WANT_ECC_MONTGOMERY_255) || \ + defined(PSA_WANT_ECC_SECP_R1_256) || \ + defined(PSA_WANT_ECC_SECP_R1_384) || \ + defined(PSA_WANT_ECC_MONTGOMERY_448) || \ + defined(PSA_WANT_ECC_SECP_R1_521) || \ + defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) || \ + defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) || \ + defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) +#define MBEDTLS_TEST_HAS_DEFAULT_EC_GROUP +#endif + #if defined(PSA_WANT_ALG_GCM) || \ defined(PSA_WANT_ALG_CCM) || \ defined(PSA_WANT_ALG_CHACHA20_POLY1305) #define MBEDTLS_TEST_HAS_AEAD_ALG #endif +/* + * To use the test keys we need PSA_WANT_ALG_SHA_256. Some test cases need an additional hash that + * can be used in modern TLS, but it doesn't matter which one. + */ +#if defined(PSA_WANT_ALG_SHA_512) || \ + defined(PSA_WANT_ALG_SHA_384) || \ + defined(PSA_WANT_ALG_SHA_224) || \ + defined(PSA_WANT_ALG_SHA_1) +#define MBEDTLS_TEST_HAS_ADDITIONAL_HASH +#endif + enum { #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ tls13_label_ ## name, diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 99856e304b..da9a5e738e 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3530,3 +3530,11 @@ ssl_get_alert_after_fatal TLS 1.3 - HRR then TLS 1.2 second ClientHello tls13_hrr_then_tls12_second_client_hello + +Negative Test: Server using sig_alg not offered by the client #1 +depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:PSA_WANT_ALG_SHA_256 +send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER + +Negative Test: Server using sig_alg not offered by the client #2 +depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_SHA_512 +send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ca59346cc8..b447773f12 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5725,6 +5725,120 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_ALG_SHA_256:MBEDTLS_TEST_HAS_ADDITIONAL_HASH:MBEDTLS_TEST_HAS_DEFAULT_EC_GROUP*/ +void send_invalid_sig_alg(int sig, int hash, int expected_ret) +{ + // This is a test about the client behaviour in case it receives a key exchange signed with a + // sig_alg it didn't specify in the client hello. The input specifies a target_sig_alg, which we + // make sure that the client does not offer but the server does. Then we make the server beleive + // that target_sig_alg is the only one the client offered. + + // Remark: We need an additional hash algorithm offered, because if we don't have it, the server + // realises too early that there is no common ground and we don't get the chance to manipulate + // it. This is why we need MBEDTLS_TEST_HAS_ADDITIONAL_HASH in the requirements. + + enum { BUFFSIZE = 16384 }; + uint16_t *client_sig_algs = NULL; + mbedtls_test_ssl_endpoint server, client; + memset(&server, 0, sizeof(server)); + memset(&client, 0, sizeof(client)); + mbedtls_test_handshake_test_options options; + memset(&options, 0, sizeof(options)); + + uint16_t target_sig_alg = ((hash << 8) | sig); + + mbedtls_test_init_handshake_options(&options); + + // Make sure the server has credentals for target_sig_alg + if (sig == MBEDTLS_SSL_SIG_ECDSA) { + options.pk_alg = MBEDTLS_PK_ECDSA; + } else { + options.pk_alg = MBEDTLS_PK_RSA; + } + + // Force a ciphersuite where target_sig_alg is relevant + if (sig == MBEDTLS_SSL_SIG_ECDSA) { + options.cipher = "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"; + } else { + options.cipher = "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"; + } + + // Force TLS 1.2 as this test is a non-regression test for a bug in TLS 1.2 client and TLS 1.3 + // behaviour in this regard is substantially different. + options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; + options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; + + // Add loggers for easier debugging - we are not looking for any patterns. + // To turn on debug output, uncomment the threshold line and set the macro in + // the definition of mbedtls_test_ssl_log_analyzer(). +#if defined(MBEDTLS_DEBUG_C) + options.srv_log_obj = NULL; + options.srv_log_fun = mbedtls_test_ssl_log_analyzer; + options.cli_log_obj = NULL; + options.cli_log_fun = mbedtls_test_ssl_log_analyzer; + mbedtls_debug_set_threshold(3); +#endif + + int ret = -1; + + PSA_INIT(); + + ret = mbedtls_test_ssl_endpoint_init_conf(&client, MBEDTLS_SSL_IS_CLIENT, &options); + TEST_EQUAL(ret, 0); + + // Remove the target signature algorithm from the client's list + size_t client_sig_algs_len = 0; + while (client.conf.sig_algs[client_sig_algs_len++] != MBEDTLS_TLS1_3_SIG_NONE) { + ; + } + client_sig_algs_len--; + + TEST_CALLOC(client_sig_algs, client_sig_algs_len); + size_t j = 0; + for (size_t i = 0; client.conf.sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++) { + if (client.conf.sig_algs[i] != target_sig_alg) { + client_sig_algs[j++] = client.conf.sig_algs[i]; + } + } + TEST_ASSERT(j < client_sig_algs_len); + client_sig_algs[j] = MBEDTLS_TLS1_3_SIG_NONE; + client.conf.sig_algs = client_sig_algs; + + ret = mbedtls_test_ssl_endpoint_init_ssl(&client, &options); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, + &options); + TEST_EQUAL(ret, 0); + + ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket, + BUFFSIZE); + TEST_EQUAL(ret, 0); + + // Move the connection to the point before the server sending the key exchange message + ret = mbedtls_test_move_handshake_to_state(&server.ssl, &client.ssl, + MBEDTLS_SSL_SERVER_KEY_EXCHANGE); + TEST_EQUAL(ret, 0); + + // Make the server beleive that the only sig_alg the client accepts is target_sig_alg + server.ssl.handshake->received_sig_algs[0] = target_sig_alg; + server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE; + + // Move the connection to a state where it is certain that the client has parsed the server key + // exchange + ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl, + MBEDTLS_SSL_CERTIFICATE_REQUEST); + TEST_EQUAL(ret, expected_ret); + +exit: + mbedtls_test_free_handshake_options(&options); + mbedtls_test_ssl_endpoint_free(&server); + mbedtls_test_ssl_endpoint_free(&client); + mbedtls_free(client_sig_algs); + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context) {