From 52cf5d884e8d818a54435cc6478a6ad673f65e39 Mon Sep 17 00:00:00 2001
From: Janos Follath
Date: Fri, 13 Mar 2026 17:38:35 +0000
Subject: [PATCH] Fix send_invalid_sig_alg() test

This commit fixes two problems:
1. In 3.6 the SSL unit test framework ignores option.cipher, we need to enforce it manually
2. In 3.6 we still have RSA key exchange and we need to condition the RSA test on the presence of ECDHE_RSA key exchange modes as well

Signed-off-by: Janos Follath
---
 tests/suites/test_suite_ssl.data | 4 ++--
 tests/suites/test_suite_ssl.function | 12 ++++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 54c0e319fe..f0d3cbdd92 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3529,11 +3529,11 @@ TLS 1.3 - HRR then TLS 1.2 second ClientHello
 tls13_hrr_then_tls12_second_client_hello

 Baseline for: Server using sig_alg not offered by the client - RSA with SHA256
-depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SHA256_C
 send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:0

 Negative Test: Server using sig_alg not offered by the client - RSA with SHA256
-depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_SHA256_C
+depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SHA256_C
 send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER

 Baseline for: Server using sig_alg not offered by the client - ECDSA with SHA512
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 6eba9c7eed..1e65ab2dce 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -5746,6 +5746,7 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
 memset(&client, 0, sizeof(client));
 mbedtls_test_handshake_test_options options;
 memset(&options, 0, sizeof(options));
+ int forced_ciphersuite[2] = { 0, 0 };

 uint16_t target_sig_alg = ((hash << 8) | sig);

@@ -5760,10 +5761,13 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)

 // Force a ciphersuite where target_sig_alg is relevant
 if (sig == MBEDTLS_SSL_SIG_ECDSA) {
- options.cipher = "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256";
+ forced_ciphersuite[0] =
+ mbedtls_ssl_get_ciphersuite_id("TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256");
 } else {
- options.cipher = "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256";
+ forced_ciphersuite[0] =
+ mbedtls_ssl_get_ciphersuite_id("TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256");
 }
+ TEST_ASSERT(forced_ciphersuite[0] != 0);

 // Force TLS 1.2 as this test is a non-regression test for a bug in TLS 1.2 client and TLS 1.3
 // behaviour in this regard is substantially different.
@@ -5792,6 +5796,8 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
 &options, NULL, NULL, NULL);
 TEST_EQUAL(ret, 0);

+ mbedtls_ssl_conf_ciphersuites(&client.conf, forced_ciphersuite);
+
 // Remove the target signature algorithm from the client's list
 size_t client_sig_algs_len = 0;
 while (client.conf.sig_algs[client_sig_algs_len++] != MBEDTLS_TLS1_3_SIG_NONE) {
@@ -5814,6 +5820,8 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
 &options, NULL, NULL, NULL);
 TEST_EQUAL(ret, 0);

+ mbedtls_ssl_conf_ciphersuites(&server.conf, forced_ciphersuite);
+
 ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket, BUFFSIZE);
 TEST_EQUAL(ret, 0);
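Review bot: The new `int forced_ciphersuite[2] = { 0, 0 };` in the first hunk (-5746) has no comment explaining why it is declared at function scope. `mbedtls_ssl_conf_ciphersuites()` keeps the pointer it is given rather than copying the list, so the array must stay valid for as long as the two configurations the later hunks attach it to. I would add above the declaration `/* Zero-terminated list; referenced, not copied, by client.conf and server.conf, so it must outlive both endpoints. */`. The function body starts and ends outside this hunk, so the endpoint teardown is not visible from here.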
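Review bot: In the second hunk (-5760), `TEST_ASSERT(forced_ciphersuite[0] != 0);` makes the test fail rather than skip in a build where the ChaCha20-Poly1305 suites are not compiled in, because `mbedtls_ssl_get_ciphersuite_id()` returns 0 for a name it does not know. The `depends_on` lines changed in test_suite_ssl.data add only `MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED`, and the test-case header is outside this hunk, so it is not visible whether a ChaCha20-Poly1305 dependency is already declared. If it is not, add one to the header or to the data entries, for example `MBEDTLS_CHACHAPOLY_C`. The ECDSA entries, of which only the first description line is visible, would presumably need the matching ECDHE-ECDSA key-exchange dependency as well.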
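Review bot: Nothing in the third hunk (-5792), or in the matching server-side call in the fourth (-5814), confirms that the forced suite is the one actually negotiated. The commit message says `options.cipher` was silently ignored before, so the negative case could return `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`, or the baseline could pass, without the targeted signature path being exercised. For the baseline runs (`expected_ret == 0`), consider asserting after the handshake `TEST_EQUAL(mbedtls_ssl_get_ciphersuite_id_from_ssl(&client.ssl), forced_ciphersuite[0]);`. The handshake code is outside these hunks, so the placement and the `ssl` member name need checking against the rest of the function. A comment on both calls such as `// options.cipher is ignored by the 3.6 test framework; set the list on the conf directly` would also keep a later cleanup from removing them.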