Move more endpoint configuration into the setup function

Applying SSL configuration settings recorded in the `mbedtls_test_handshake_test_options` structure to an `mbedtls_test_ssl_endpoint` object was split between `mbedtls_test_ssl_endpoint_init()` and `mbedtls_test_ssl_perform_handshake()`. This was surprising, and made it harder to use `mbedtls_test_ssl_endpoint_init()` for custom behavior. It also meant some code duplication in `mbedtls_test_ssl_perform_handshake()`. Move most configuration setup from `mbedtls_test_ssl_perform_handshake()` to `mbedtls_test_ssl_endpoint_init()`. This changes the behavior in two ways: * `mbedtls_test_ssl_endpoint_init()` now takes some options into account that it previously ignored. This is ok because we don't set these options in any of the existing tests. * When calling `mbedtls_test_ssl_perform_handshake()`, some SSL configuration settings are now set (calls to `mbedtls_ssl_conf_xxx()`) before the call to `mbedtls_ssl_setup()` instead of after. This should be ok since it is forbidden to change the configuration after `mbedtls_ssl_setup()`, although the previous test code was getting away with it. This commit does not move all configuration before `mbedtls_ssl_setup()`, that would be out of scope of the current series of patches. Thus there are some internal behavior changes, but they should not affect any relevant aspect of the tests' behavior. Signed-off-by: Gilles Peskine <[email protected]>
Mbed-TLS · gilles-peskine-arm · May 14, 2025 · May 26, 2025 · May 26, 2025 · May 27, 2025
commit 27586d83f016f539dcc27faaae125943533c16af
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
@@ -572,8 +572,60 @@ int mbedtls_test_mock_tcp_recv_msg(void *ctx,
     return (msg_len > INT_MAX) ? INT_MAX : (int) msg_len;
 }
 
+
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
+    defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)  && \
+    defined(MBEDTLS_SSL_SRV_C)
+static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
+                              const unsigned char *name, size_t name_len)
+{
+    (void) p_info;
+    (void) ssl;
+    (void) name;
+    (void) name_len;
+
+    return 0;
+}
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED &&
+          MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED  &&
+          MBEDTLS_SSL_SRV_C */
+
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 
+static int set_ciphersuite(mbedtls_test_ssl_endpoint *ep,
+                           const char *cipher)
+{
+    if (cipher == NULL || cipher[0] == 0) {
+        return 1;
+    }
+
+    int ok = 0;
+
+    TEST_CALLOC(ep->ciphersuites, 2);
+    ep->ciphersuites[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
+    ep->ciphersuites[1] = 0;
+
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        mbedtls_ssl_ciphersuite_from_id(ep->ciphersuites[0]);
+
+    TEST_ASSERT(ciphersuite_info != NULL);
+    TEST_ASSERT(ciphersuite_info->min_tls_version <= ep->conf.max_tls_version);
+    TEST_ASSERT(ciphersuite_info->max_tls_version >= ep->conf.min_tls_version);
+
+    if (ep->conf.max_tls_version > ciphersuite_info->max_tls_version) {
+        ep->conf.max_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->max_tls_version;
+    }
+    if (ep->conf.min_tls_version < ciphersuite_info->min_tls_version) {
+        ep->conf.min_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->min_tls_version;
+    }
+
+    mbedtls_ssl_conf_ciphersuites(&ep->conf, ep->ciphersuites);
+    ok = 1;
+
+exit:
+    return ok;
+}
+
 /*
  * Deinitializes certificates from endpoint represented by \p ep.
  */
@@ -740,6 +792,9 @@ int mbedtls_test_ssl_endpoint_init(
 {
     int ret = -1;
     uintptr_t user_data_n;
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+    const char *psk_identity = "foo";
+#endif
 
     if (ep == NULL) {
         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -813,6 +868,10 @@ int mbedtls_test_ssl_endpoint_init(
         }
     }
 
+    if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
+        TEST_ASSERT(set_ciphersuite(ep, options->cipher));
+    }
+
     if (options->group_list != NULL) {
         mbedtls_ssl_conf_groups(&(ep->conf), options->group_list);
     }
@@ -828,6 +887,7 @@ int mbedtls_test_ssl_endpoint_init(
                                              options->max_early_data_size);
     }
 #endif
+
 #if defined(MBEDTLS_SSL_ALPN)
     /* check that alpn_list contains at least one valid entry */
     if (options->alpn_list[0] != NULL) {
@@ -836,6 +896,15 @@ int mbedtls_test_ssl_endpoint_init(
 #endif
 #endif
 
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if (options->renegotiate) {
+        mbedtls_ssl_conf_renegotiation(&ep->conf,
+                                       MBEDTLS_SSL_RENEGOTIATION_ENABLED);
+        mbedtls_ssl_conf_legacy_renegotiation(&ep->conf,
+                                              options->legacy_renegotiation);
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
 #if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C)
     if (endpoint_type == MBEDTLS_SSL_IS_SERVER && options->cache != NULL) {
         mbedtls_ssl_conf_session_cache(&(ep->conf), options->cache,
@@ -844,6 +913,14 @@ int mbedtls_test_ssl_endpoint_init(
     }
 #endif
 
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    TEST_EQUAL(mbedtls_ssl_conf_max_frag_len(&ep->conf,
+                                             (unsigned char) options->mfl),
+               0);
+#else
+    TEST_EQUAL(MBEDTLS_SSL_MAX_FRAG_LEN_NONE, options->mfl);
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
     ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
     TEST_EQUAL(ret, 0);
 
@@ -881,6 +958,21 @@ int mbedtls_test_ssl_endpoint_init(
                                                      options->opaque_usage);
     TEST_EQUAL(ret, 0);
 
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
+    if (options->psk_str != NULL && options->psk_str->len > 0) {
+        TEST_EQUAL(mbedtls_ssl_conf_psk(
+                       &ep->conf, options->psk_str->x,
+                       options->psk_str->len,
+                       (const unsigned char *) psk_identity,
+                       strlen(psk_identity)), 0);
+#if defined(MBEDTLS_SSL_SRV_C)
+        if (MBEDTLS_SSL_IS_SERVER == endpoint_type) {
+            mbedtls_ssl_conf_psk_cb(&ep->conf, psk_dummy_callback, NULL);
+        }
+#endif
+    }
+#endif
+
     TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), user_data_n);
     mbedtls_ssl_conf_set_user_data_p(&ep->conf, ep);
     TEST_EQUAL(mbedtls_ssl_get_user_data_n(&ep->ssl), user_data_n);
@@ -1060,59 +1152,6 @@ static int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl,
     return -1;
 }
 
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-static int set_ciphersuite(mbedtls_test_ssl_endpoint *ep,
-                           const char *cipher)
-{
-    if (cipher == NULL || cipher[0] == 0) {
-        return 1;
-    }
-
-    int ok = 0;
-
-    TEST_CALLOC(ep->ciphersuites, 2);
-    ep->ciphersuites[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
-    ep->ciphersuites[1] = 0;
-
-    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
-        mbedtls_ssl_ciphersuite_from_id(ep->ciphersuites[0]);
-
-    TEST_ASSERT(ciphersuite_info != NULL);
-    TEST_ASSERT(ciphersuite_info->min_tls_version <= ep->conf.max_tls_version);
-    TEST_ASSERT(ciphersuite_info->max_tls_version >= ep->conf.min_tls_version);
-
-    if (ep->conf.max_tls_version > ciphersuite_info->max_tls_version) {
-        ep->conf.max_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->max_tls_version;
-    }
-    if (ep->conf.min_tls_version < ciphersuite_info->min_tls_version) {
-        ep->conf.min_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->min_tls_version;
-    }
-
-    mbedtls_ssl_conf_ciphersuites(&ep->conf, ep->ciphersuites);
-    ok = 1;
-
-exit:
-    return ok;
-}
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
-    defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)  && \
-    defined(MBEDTLS_SSL_SRV_C)
-static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
-                              const unsigned char *name, size_t name_len)
-{
-    (void) p_info;
-    (void) ssl;
-    (void) name;
-    (void) name_len;
-
-    return 0;
-}
-#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED &&
-          MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED  &&
-          MBEDTLS_SSL_SRV_C */
-
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
     defined(PSA_WANT_ALG_CBC_NO_PADDING) && defined(PSA_WANT_KEY_TYPE_AES)
 int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
@@ -2383,9 +2422,6 @@ void mbedtls_test_ssl_perform_handshake(
     mbedtls_test_ssl_endpoint server_struct;
     memset(&server_struct, 0, sizeof(server_struct));
     mbedtls_test_ssl_endpoint *const server = &server_struct;
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-    const char *psk_identity = "foo";
-#endif
 
     MD_OR_USE_PSA_INIT();
 
@@ -2399,7 +2435,6 @@ void mbedtls_test_ssl_perform_handshake(
     TEST_EQUAL(mbedtls_test_ssl_endpoint_init(client,
                                               MBEDTLS_SSL_IS_CLIENT,
                                               options), 0);
-    TEST_ASSERT(set_ciphersuite(client, options->cipher));
 
     /* Server side */
     TEST_EQUAL(mbedtls_test_ssl_endpoint_init(server,
@@ -2411,49 +2446,6 @@ void mbedtls_test_ssl_perform_handshake(
         TEST_EQUAL(mbedtls_test_ssl_dtls_join_endpoints(client, server), 0);
     }
 
-#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-    TEST_EQUAL(mbedtls_ssl_conf_max_frag_len(&(server->conf),
-                                             (unsigned char) options->mfl),
-               0);
-    TEST_EQUAL(mbedtls_ssl_conf_max_frag_len(&(client->conf),
-                                             (unsigned char) options->mfl),
-               0);
-#else
-    TEST_EQUAL(MBEDTLS_SSL_MAX_FRAG_LEN_NONE, options->mfl);
-#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-
-#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-    if (options->psk_str != NULL && options->psk_str->len > 0) {
-        TEST_EQUAL(mbedtls_ssl_conf_psk(
-                       &client->conf, options->psk_str->x,
-                       options->psk_str->len,
-                       (const unsigned char *) psk_identity,
-                       strlen(psk_identity)), 0);
-
-        TEST_EQUAL(mbedtls_ssl_conf_psk(
-                       &server->conf, options->psk_str->x,
-                       options->psk_str->len,
-                       (const unsigned char *) psk_identity,
-                       strlen(psk_identity)), 0);
-#if defined(MBEDTLS_SSL_SRV_C)
-        mbedtls_ssl_conf_psk_cb(&server->conf, psk_dummy_callback, NULL);
-#endif
-    }
-#endif
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-    if (options->renegotiate) {
-        mbedtls_ssl_conf_renegotiation(&(server->conf),
-                                       MBEDTLS_SSL_RENEGOTIATION_ENABLED);
-        mbedtls_ssl_conf_renegotiation(&(client->conf),
-                                       MBEDTLS_SSL_RENEGOTIATION_ENABLED);
-
-        mbedtls_ssl_conf_legacy_renegotiation(&(server->conf),
-                                              options->legacy_renegotiation);
-        mbedtls_ssl_conf_legacy_renegotiation(&(client->conf),
-                                              options->legacy_renegotiation);
-    }
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
     TEST_ASSERT(mbedtls_test_ssl_perform_connection(options, client, server));
 
     TEST_ASSERT(mbedtls_ssl_conf_get_user_data_p(&client->conf) == client);