commit a6e71f95fbe92da7c68c0eb99908a06d0e1aeeeb
author Gilles Peskine <Gilles.Peskine@arm.com> Sun Jun 01 21:32:05 2025 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Sun Jun 01 21:34:28 2025 +0200
tree 2bfe6e99c9b38835153d61463f087e7d4005c898
parent 6e4d245b0060de4b46c1683f7400e22fc4b471fc

Don't change the configuration after mbedtls_ssl_setup

In `mbedtls_test_ssl_endpoint_init()`, don't change the SSL configuration
object (`mbedtls_ssl_config`) after setting up an SSL context by calling
`mbedtls_ssl_setup()`. This works in practice, but is officially forbidden.

No intended behavior change. The test code calls the library slightly
differently, but this shouldn't make any difference in practice. If it does
make a difference, it fixes a bug in the test code.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

tests/src/test_helpers/ssl_helpers.c

diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 68ac122..a122f35 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -835,24 +835,6 @@
 
     mbedtls_test_mock_socket_init(&(ep->socket));
 
-    /* Non-blocking callbacks without timeout */
-    if (options->dtls) {
-        mbedtls_ssl_set_bio(&(ep->ssl), &ep->dtls_context,
-                            mbedtls_test_mock_tcp_send_msg,
-                            mbedtls_test_mock_tcp_recv_msg,
-                            NULL);
-#if defined(MBEDTLS_TIMING_C)
-        mbedtls_ssl_set_timer_cb(&ep->ssl, &ep->timer,
-                                 mbedtls_timing_set_delay,
-                                 mbedtls_timing_get_delay);
-#endif
-    } else {
-        mbedtls_ssl_set_bio(&(ep->ssl), &(ep->socket),
-                            mbedtls_test_mock_tcp_send_nb,
-                            mbedtls_test_mock_tcp_recv_nb,
-                            NULL);
-    }
-
     ret = mbedtls_ssl_config_defaults(&(ep->conf), endpoint_type,
                                       options->dtls ?
                                       MBEDTLS_SSL_TRANSPORT_DATAGRAM :
@@ -939,14 +921,6 @@
     TEST_EQUAL(MBEDTLS_SSL_MAX_FRAG_LEN_NONE, options->mfl);
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
-    ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
-    TEST_EQUAL(ret, 0);
-
-    if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
-        ret = mbedtls_ssl_set_hostname(&(ep->ssl), "localhost");
-        TEST_EQUAL(ret, 0);
-    }
-
 #if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C)
     if (endpoint_type == MBEDTLS_SSL_IS_SERVER && options->dtls) {
         mbedtls_ssl_conf_dtls_cookies(&(ep->conf), NULL, NULL, NULL);
@@ -993,6 +967,35 @@
 
     TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), user_data_n);
     mbedtls_ssl_conf_set_user_data_p(&ep->conf, ep);
+
+    /* We've finished the configuration. Now set up a context. */
+
+    ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
+    TEST_EQUAL(ret, 0);
+
+    if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
+        ret = mbedtls_ssl_set_hostname(&(ep->ssl), "localhost");
+        TEST_EQUAL(ret, 0);
+    }
+
+    /* Non-blocking callbacks without timeout */
+    if (options->dtls) {
+        mbedtls_ssl_set_bio(&(ep->ssl), &ep->dtls_context,
+                            mbedtls_test_mock_tcp_send_msg,
+                            mbedtls_test_mock_tcp_recv_msg,
+                            NULL);
+#if defined(MBEDTLS_TIMING_C)
+        mbedtls_ssl_set_timer_cb(&ep->ssl, &ep->timer,
+                                 mbedtls_timing_set_delay,
+                                 mbedtls_timing_get_delay);
+#endif
+    } else {
+        mbedtls_ssl_set_bio(&(ep->ssl), &(ep->socket),
+                            mbedtls_test_mock_tcp_send_nb,
+                            mbedtls_test_mock_tcp_recv_nb,
+                            NULL);
+    }
+
     TEST_EQUAL(mbedtls_ssl_get_user_data_n(&ep->ssl), user_data_n);
     mbedtls_ssl_set_user_data_p(&ep->ssl, ep);