From 75092c82620cb6d9ecda5dbda32ca3bda80b435f Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 11 Mar 2026 09:57:04 +0000 Subject: [PATCH] send_invalid_sig_alg: add baseline test Add a test case with a successful handshake for each test case that causes the desired handshake failure, with minimal differences between the two. The reason is to have more assurance that the handshake is failing for the desired reason (as opposed to not having done something correctly in the test code). Signed-off-by: Janos Follath --- tests/suites/test_suite_ssl.data | 12 ++++++++++-- tests/suites/test_suite_ssl.function | 13 +++++++++---- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 7a6999687f..15b986a805 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3531,10 +3531,18 @@ ssl_get_alert_after_fatal TLS 1.3 - HRR then TLS 1.2 second ClientHello tls13_hrr_then_tls12_second_client_hello -Negative Test: Server using sig_alg not offered by the client #1 +Baseline for: Server using sig_alg not offered by the client - RSA with SHA256 +depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:PSA_WANT_ALG_SHA_256 +send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:0 + +Negative Test: Server using sig_alg not offered by the client - RSA with SHA256 depends_on:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY:PSA_WANT_ALG_SHA_256 send_invalid_sig_alg:MBEDTLS_SSL_SIG_RSA:MBEDTLS_SSL_HASH_SHA256:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER -Negative Test: Server using sig_alg not offered by the client #2 +Baseline for: Server using sig_alg not offered by the client - ECDSA with SHA512 +depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:PSA_WANT_ALG_SHA_512 +send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:0 + +Negative Test: Server using sig_alg not offered by the client - ECDSA with SHA512 depends_on:MBEDTLS_CAN_HANDLE_ECDSA_TEST_KEY:PSA_WANT_ALG_SHA_512 send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index c00acd755b..6d37b908c4 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5821,16 +5821,21 @@ void send_invalid_sig_alg(int sig, int hash, int expected_ret) MBEDTLS_SSL_SERVER_KEY_EXCHANGE); TEST_EQUAL(ret, 0); - // Make the server believe that the only sig_alg the client accepts is target_sig_alg - server.ssl.handshake->received_sig_algs[0] = target_sig_alg; - server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE; + if (expected_ret != 0) { + // Make the server believe that the only sig_alg the client accepts is target_sig_alg + server.ssl.handshake->received_sig_algs[0] = target_sig_alg; + server.ssl.handshake->received_sig_algs[1] = MBEDTLS_TLS1_3_SIG_NONE; + } // Move the connection to a state where it is certain that the client has parsed the server key // exchange ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST); TEST_EQUAL(ret, expected_ret); - TEST_EQUAL(cli_pattern.counter, 1); + + if (expected_ret != 0) { + TEST_EQUAL(cli_pattern.counter, 1); + } exit: mbedtls_debug_set_threshold(0);