From a6e71f95fbe92da7c68c0eb99908a06d0e1aeeeb Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Sun, 1 Jun 2025 21:32:05 +0200
Subject: [PATCH] Don't change the configuration after mbedtls_ssl_setup

In `mbedtls_test_ssl_endpoint_init()`, don't change the SSL configuration object (`mbedtls_ssl_config`) after setting up an SSL context by calling `mbedtls_ssl_setup()`. This works in practice, but is officially forbidden.

No intended behavior change. The test code calls the library slightly differently, but this shouldn't make any difference in practice. If it does make a difference, it fixes a bug in the test code.

Signed-off-by: Gilles Peskine
---
 tests/src/test_helpers/ssl_helpers.c | 55 +++++++++++++++-------------
 1 file changed, 29 insertions(+), 26 deletions(-)

diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 68ac122f8..a122f356c 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -835,24 +835,6 @@ int mbedtls_test_ssl_endpoint_init(
 mbedtls_test_mock_socket_init(&(ep->socket));
- /* Non-blocking callbacks without timeout */
- if (options->dtls) {
- mbedtls_ssl_set_bio(&(ep->ssl), &ep->dtls_context,
- mbedtls_test_mock_tcp_send_msg,
- mbedtls_test_mock_tcp_recv_msg,
- NULL);
-#if defined(MBEDTLS_TIMING_C)
- mbedtls_ssl_set_timer_cb(&ep->ssl, &ep->timer,
- mbedtls_timing_set_delay,
- mbedtls_timing_get_delay);
-#endif
- } else {
- mbedtls_ssl_set_bio(&(ep->ssl), &(ep->socket),
- mbedtls_test_mock_tcp_send_nb,
- mbedtls_test_mock_tcp_recv_nb,
- NULL);
- }
-
 ret = mbedtls_ssl_config_defaults(&(ep->conf), endpoint_type, options->dtls ? MBEDTLS_SSL_TRANSPORT_DATAGRAM :
@@ -939,14 +921,6 @@ int mbedtls_test_ssl_endpoint_init(
 TEST_EQUAL(MBEDTLS_SSL_MAX_FRAG_LEN_NONE, options->mfl);
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
- ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
- TEST_EQUAL(ret, 0);
-
- if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
- ret = mbedtls_ssl_set_hostname(&(ep->ssl), "localhost");
- TEST_EQUAL(ret, 0);
- }
-
 #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C)
 if (endpoint_type == MBEDTLS_SSL_IS_SERVER && options->dtls) {
 mbedtls_ssl_conf_dtls_cookies(&(ep->conf), NULL, NULL, NULL);
@@ -993,6 +967,35 @@ int mbedtls_test_ssl_endpoint_init(
 TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), user_data_n);
 mbedtls_ssl_conf_set_user_data_p(&ep->conf, ep);
+
+ /* We've finished the configuration. Now set up a context. */
+
+ ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
+ TEST_EQUAL(ret, 0);
+
+ if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
+ ret = mbedtls_ssl_set_hostname(&(ep->ssl), "localhost");
+ TEST_EQUAL(ret, 0);
+ }
+
+ /* Non-blocking callbacks without timeout */
+ if (options->dtls) {
+ mbedtls_ssl_set_bio(&(ep->ssl), &ep->dtls_context,
+ mbedtls_test_mock_tcp_send_msg,
+ mbedtls_test_mock_tcp_recv_msg,
+ NULL);
+#if defined(MBEDTLS_TIMING_C)
+ mbedtls_ssl_set_timer_cb(&ep->ssl, &ep->timer,
+ mbedtls_timing_set_delay,
+ mbedtls_timing_get_delay);
+#endif
+ } else {
+ mbedtls_ssl_set_bio(&(ep->ssl), &(ep->socket),
+ mbedtls_test_mock_tcp_send_nb,
+ mbedtls_test_mock_tcp_recv_nb,
+ NULL);
+ }
+
 TEST_EQUAL(mbedtls_ssl_get_user_data_n(&ep->ssl), user_data_n);
 mbedtls_ssl_set_user_data_p(&ep->ssl, ep);