From 6edb76cba4655bc007e51c7f58e69631d0e4eba3 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Sun, 1 Jun 2025 21:53:52 +0200
Subject: [PATCH] mbedtls_test_ssl_endpoint_init: split configuration and setup

Split `mbedtls_test_ssl_endpoint_init()` into two separate stages: constructing the SSL configuration, and setting up an SSL session context with that configuration. No behavior change.

Signed-off-by: Gilles Peskine
---
 tests/include/test/ssl_helpers.h | 61 +++++++++++++++++++++++-----
 tests/src/test_helpers/ssl_helpers.c | 31 +++++++++++++-
 2 files changed, 80 insertions(+), 12 deletions(-)

diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 276b165c6..5bfdedaaf 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -447,18 +447,59 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, int opaque_alg, int opaque_alg2, int opaque_usage);
-/*
- * Initializes \p ep structure. It is important to call
- * `mbedtls_test_ssl_endpoint_free()` after calling this function
- * even if it fails.
+/** Initialize the configuration in an SSL endpoint structure.
 *
- * \note For DTLS, after calling this function on both endpoints,
- * call mbedtls_test_ssl_dtls_join_endpoints().
+ * \note You must call `mbedtls_test_ssl_endpoint_free()` after
+ * calling this function, even if it fails. This is necessary to
+ * free data that may have been stored in the endpoint structure.
 *
- * \p endpoint_type must be set as MBEDTLS_SSL_IS_SERVER or
- * MBEDTLS_SSL_IS_CLIENT.
- * \p pk_alg the algorithm to use, currently only MBEDTLS_PK_RSA and
- * MBEDTLS_PK_ECDSA are supported.
+ * \param[out] ep The endpoint structure to configure.
+ * \param endpoint_type #MBEDTLS_SSL_IS_SERVER or #MBEDTLS_SSL_IS_CLIENT.
+ * \param[in] options The options to use for configuring the endpoint
+ * structure.
+ *
+ * \retval 0 on success, otherwise error code.
+ */
+int mbedtls_test_ssl_endpoint_init_conf(
+ mbedtls_test_ssl_endpoint *ep, int endpoint_type,
+ const mbedtls_test_handshake_test_options *options);
+
+/** Initialize the session context in an endpoint structure.
+ *
+ * \note The endpoint structure must have been set up with
+ * mbedtls_test_ssl_endpoint_init_conf() with the same \p options.
+ * Between calling mbedtls_test_ssl_endpoint_init_conf() and
+ * mbedtls_test_ssl_endpoint_init_ssl(), you may configure `ep->ssl`
+ * further if you know what you're doing.
+ *
+ * \note You must call `mbedtls_test_ssl_endpoint_free()` after
+ * calling this function, even if it fails. This is necessary to
+ * free data that may have been stored in the endpoint structure.
+ *
+ * \param[out] ep The endpoint structure to set up.
+ * \param[in] options The options used for configuring the endpoint
+ * structure.
+ *
+ * \retval 0 on success, otherwise error code.
+ */
+int mbedtls_test_ssl_endpoint_init_ssl(
+ mbedtls_test_ssl_endpoint *ep,
+ const mbedtls_test_handshake_test_options *options);
+
+/** Initialize the configuration and a context in an SSL endpoint structure.
+ *
+ * This function is equivalent to calling
+ * mbedtls_test_ssl_endpoint_init_conf() followed by
+ * mbedtls_test_ssl_endpoint_init_ssl().
+ *
+ * \note You must call `mbedtls_test_ssl_endpoint_free()` after
+ * calling this function, even if it fails. This is necessary to
+ * free data that may have been stored in the endpoint structure.
+ *
+ * \param[out] ep The endpoint structure to configure.
+ * \param endpoint_type #MBEDTLS_SSL_IS_SERVER or #MBEDTLS_SSL_IS_CLIENT.
+ * \param[in] options The options to use for configuring the endpoint
+ * structure.
 *
 * \retval 0 on success, otherwise error code.
 */
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index f92b93b24..e6c082eac 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -800,7 +800,7 @@ exit:
 return ret;
 }
-int mbedtls_test_ssl_endpoint_init(
+int mbedtls_test_ssl_endpoint_init_conf(
 mbedtls_test_ssl_endpoint *ep, int endpoint_type,
 const mbedtls_test_handshake_test_options *options)
 {
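Review bot: The note on mbedtls_test_ssl_endpoint_init_ssl() says that between the two calls you may configure `ep->ssl` further, but at that point the session context has not been set up yet; the object a caller can still adjust is presumably the configuration, so the sentence should read `you may configure ep->conf further`. The same comment marks the argument as `\param[out] ep`, while the implementation in ssl_helpers.c reads it (`mbedtls_ssl_conf_get_endpoint(&ep->conf)`), so `\param[in,out] ep` describes it better. The removed comment's DTLS note (call mbedtls_test_ssl_dtls_join_endpoints() after initializing both endpoints) is not carried over to any of the three new comments in this hunk; if the requirement still holds, it should be restored on mbedtls_test_ssl_endpoint_init_ssl() and mbedtls_test_ssl_endpoint_init(), since a test author reading only the new text has no hint that the join step exists.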
@@ -968,7 +968,22 @@ int mbedtls_test_ssl_endpoint_init(
 ep->user_data_cookie);
 mbedtls_ssl_conf_set_user_data_p(&ep->conf, ep);
- /* We've finished the configuration. Now set up a context. */
+ return 0;
+
+exit:
+ if (ret == 0) {
+ /* Exiting due to a test assertion that isn't ret == 0 */
+ ret = -1;
+ }
+ return ret;
+}
+
+int mbedtls_test_ssl_endpoint_init_ssl(
+ mbedtls_test_ssl_endpoint *ep,
+ const mbedtls_test_handshake_test_options *options)
+{
+ int endpoint_type = mbedtls_ssl_conf_get_endpoint(&ep->conf);
+ int ret = -1;
 ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
 TEST_EQUAL(ret, 0);
@@ -1009,6 +1024,18 @@ exit:
 return ret;
 }
+int mbedtls_test_ssl_endpoint_init(
+ mbedtls_test_ssl_endpoint *ep, int endpoint_type,
+ const mbedtls_test_handshake_test_options *options)
+{
+ int ret = mbedtls_test_ssl_endpoint_init_conf(ep, endpoint_type, options);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = mbedtls_test_ssl_endpoint_init_ssl(ep, options);
+ return ret;
+}
+
 void mbedtls_test_ssl_endpoint_free(
 mbedtls_test_ssl_endpoint *ep)
 {
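Review bot: mbedtls_test_ssl_endpoint_init_ssl() receives `options` a second time while taking the endpoint type from `ep->conf`, and nothing in the visible lines ties the two stages to the same options object. A test that passes a different structure to the second stage would set up a session that does not match its configuration, and could pass while exercising something other than what it claims to cover. Since the header only states the requirement in prose, a comment at the top of the function such as `/* options must be the object given to mbedtls_test_ssl_endpoint_init_conf(); this is not checked here */` would make the gap explicit, and if the endpoint structure can record the pointer, a test assertion on it would be stronger. Separately, `int ret = -1;` is overwritten by the very next statement and could be written as `int ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));`. The body of the function continues outside the hunk.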