send_invalid_sig_alg: add baseline test

Add a test case with a successful handshake for each test case that causes the desired handshake failure, with minimal differences between the two. The reason is to have more assurance that the handshake is failing for the desired reason (as opposed to not having done something correctly in the test code). Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-04-02 18:46:06 +02:00 · 2026-03-11 09:57:04 +00:00
parent 6394676a74
commit 75092c8262
2 changed files with 19 additions and 6 deletions
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3531,10 +3531,18 @@ ssl_get_alert_after_fatal
 TLS 1.3 - HRR then TLS 1.2 second ClientHello
 tls13_hrr_then_tls12_second_client_hello

-Negative Test: Server using sig_alg not offered by the client #1
+Baseline for: Server using sig_alg not offered by the client - RSA with SHA256
+depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:PSA_WANT_ALG_SHA_256
+send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:0
+
+Negative Test: Server using sig_alg not offered by the client - RSA with SHA256
 depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:PSA_WANT_ALG_SHA_256
 send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER

-Negative Test: Server using sig_alg not offered by the client #2
+Baseline for: Server using sig_alg not offered by the client - ECDSA with SHA512
+depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:PSA_WANT_ALG_SHA_512
+send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:0
+
+Negative Test: Server using sig_alg not offered by the client - ECDSA with SHA512
 depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:PSA_WANT_ALG_SHA_512
 send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -5821,16 +5821,21 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret)
                                               MBEDTLS_SSL_SERVER_KEY_EXCHANGE);
    TEST_EQUAL(ret, 0);

-    // Make the server believe that the only sig_alg the client accepts is target_sig_alg
-    server.ssl.handshake->received_sig_algs[0] = target_sig_alg;
-    server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE;
+    if (expected_ret != 0) {
+        // Make the server believe that the only sig_alg the client accepts is target_sig_alg
+        server.ssl.handshake->received_sig_algs[0] = target_sig_alg;
+        server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE;
+    }

    // Move the connection to a state where it is certain that the client has parsed the server key
    // exchange
    ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl,
                                               MBEDTLS_SSL_CERTIFICATE_REQUEST);
    TEST_EQUAL(ret, expected_ret);
-    TEST_EQUAL(cli_pattern.counter, 1);
+
+    if (expected_ret != 0) {
+        TEST_EQUAL(cli_pattern.counter, 1);
+    }

 exit:
    mbedtls_debug_set_threshold(0);