Fix send_invalid_sig_alg() test

This commit fixes two problems:
1. In 3.6 the SSL unit test framework ignores option.cipher, so we need to
   enforce it manually
2. In 3.6 we still have RSA key exchange and we need to condition the
   RSA test on the presence of ECDHE_RSA key exchange modes as well

Signed-off-by: Janos Follath <janos.follath@arm.com>
Janos Follath
2026-03-13 17:38:35 +00:00
parent 5b5e3ba75b
commit 52cf5d884e
2 changed files with 12 additions and 4 deletions


@@ -3529,11 +3529,11 @@ TLS 1.3 - HRR then TLS 1.2 second ClientHello
tls13_hrr_then_tls12_second_client_hello
Baseline for: Server using sig_alg not offered by the client - RSA with SHA256
depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C
depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SHA256_C
send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:0
Negative Test: Server using sig_alg not offered by the client - RSA with SHA256
depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C
depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SHA256_C
send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
Baseline for: Server using sig_alg not offered by the client - ECDSA with SHA512
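Review bot: The two RSA cases now require the ECDHE-RSA key exchange, but their `depends_on` lines still do not cover the ChaCha20-Poly1305 half of the suite that `send_invalid_sig_alg` forces. Because the function now asserts that the forced ciphersuite id is non-zero, a build without that AEAD would presumably fail these cases instead of skipping them, unless the requirement is already declared on the function itself, which is not visible here. The ECDSA cases that begin on the last line of this hunk have their `depends_on` lines outside it; they would want the matching ECDHE-ECDSA key-exchange condition for the same reason.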


@@ -5746,6 +5746,7 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
memset(&client, 0, sizeof(client));
mbedtls_test_handshake_test_options options;
memset(&options, 0, sizeof(options));
int forced_ciphersuite[2] = { 0, 0 };
uint16_t target_sig_alg = ((hash << 8) | sig);
@@ -5760,10 +5761,13 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
// Force a ciphersuite where target_sig_alg is relevant
if (sig == MBEDTLS_SSL_SIG_ECDSA) {
options.cipher = "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256";
forced_ciphersuite[0] =
mbedtls_ssl_get_ciphersuite_id("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256");
} else {
options.cipher = "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256";
forced_ciphersuite[0] =
mbedtls_ssl_get_ciphersuite_id("TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256");
}
TEST_ASSERT(forced_ciphersuite[0] != 0);
// Force TLS 1.2 as this test is a non-regression test for a bug in TLS 1.2 client and TLS 1.3
// behaviour in this regard is substantially different.
@@ -5792,6 +5796,8 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
&options, NULL, NULL, NULL);
TEST_EQUAL(ret, 0);
mbedtls_ssl_conf_ciphersuites(&client.conf, forced_ciphersuite);
// Remove the target signature algorithm from the client's list
size_t client_sig_algs_len = 0;
while (client.conf.sig_algs[client_sig_algs_len++] != MBEDTLS_TLS1_3_SIG_NONE) {
@@ -5814,6 +5820,8 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
&options, NULL, NULL, NULL);
TEST_EQUAL(ret, 0);
mbedtls_ssl_conf_ciphersuites(&server.conf, forced_ciphersuite);
ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket,
BUFFSIZE);
TEST_EQUAL(ret, 0);
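Review bot: Nothing in the visible hunks verifies that the handshake actually negotiated the forced suite, which is the coverage this negative test silently lost when `options.cipher` stopped taking effect. In the baseline case (`expected_ret == 0`), a check after the handshake such as `TEST_EQUAL(mbedtls_ssl_get_ciphersuite_id_from_ssl(&client.ssl), forced_ciphersuite[0]);` would make the test fail loudly if a suite without a ServerKeyExchange signature were ever selected again. The handshake and the end of the function are outside these hunks, so this may already be covered there. A short comment above the first `mbedtls_ssl_conf_ciphersuites` call, for example `// The 3.6 test framework ignores options.cipher, so set the list directly`, would also keep a later cleanup from removing the calls as redundant.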