TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fb2ce055a3303efd37895df48a2b11e0cb5adbab^! / . / tests / suites / test_suite_ssl.function
commitfb2ce055a3303efd37895df48a2b11e0cb5adbab[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Wed May 28 17:36:12 2025 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Wed May 28 21:36:28 2025 +0200
treeb4e3b66b81023b00772a805a1e286a168a1ba818
parent27586d83f016f539dcc27faaae125943533c16af [diff] [blame]
SSL tests: make client authentication more uniform, defaulting on

There was a discrepancy between how `mbedtls_test_ssl_endpoint_init()` and
`mbedtls_test_ssl_perform_handshake()` handled client authentication:
`mbedtls_test_ssl_endpoint_init()` defaulted to
`MBEDTLS_SSL_VERIFY_REQUIRED` on both sides, whereas
`mbedtls_test_ssl_perform_handshake()` obeyed `options->srv_auth_mode` which
defaulted to no verification of the client certificate.

Make this more uniform. Now `mbedtls_test_ssl_endpoint_init()` obeys
`options->srv_auth_mode` on servers (still forcing verification on clients,
which is the library default anyway). Also, `options->srv_auth_mode` is now
enabled by default. Thus:

* Tests that call `mbedtls_test_ssl_perform_handshake()` now perform client
  certificate verification, unless they disable it explicitly.
* Tests that call `mbedtls_test_ssl_endpoint_init()` on a server are
  unchanged. (They would change if they were setting
  `options->srv_auth_mode` explicitly, which previously was ignored, but
  no test function did this.)

This means that a few test functions now perform client certificate
verification whereas they previously don't. This is harmless except in
`handshake_ciphersuite_select`, where one test case
`Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque` fails with
client authentication because the test code doesn't deal with the weirdness
of static ECDH correctly with respect to client authentication. So keep
the previous behavior in `handshake_ciphersuite_select`, by explicitly
turning off client authentication.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 052a9d8..652576b 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function

@@ -3043,6 +3043,7 @@
     options.opaque_alg = psa_alg;
     options.opaque_alg2 = psa_alg2;
     options.opaque_usage = psa_usage;
+    options.srv_auth_mode = MBEDTLS_SSL_VERIFY_NONE;
     options.expected_handshake_result = expected_handshake_result;
     options.expected_ciphersuite = expected_ciphersuite;