From 2744a439778cb748b05a0dd981f992f25d938cf4 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 27 May 2025 13:27:22 +0200
Subject: [PATCH] Refactor set_ciphersuites to work on the endpoint structure

Link the ciphersuite list that's passed to mbedtls_ssl_conf_ciphersuites(),
and needs to survive in memory as long as the configuration object is live,
in the endpoint structure. This way it doesn't have to be a local variable
in mbedtls_test_ssl_do_handshake_with_endpoints().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/include/test/ssl_helpers.h     |  1 +
 tests/src/test_helpers/ssl_helpers.c | 49 +++++++++++++++-------------
 2 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index a7bc065bf3..c198bc30c3 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -199,6 +199,7 @@ typedef struct mbedtls_test_ssl_endpoint {
 #endif
 
     /* Objects owned by the endpoint */
+    int *ciphersuites;
     mbedtls_x509_crt *ca_chain;
     mbedtls_x509_crt *cert;
     mbedtls_pk_context *pkey;
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c
index 90810c55e9..ac1f1cbdb2 100644
--- a/tests/src/test_helpers/ssl_helpers.c
+++ b/tests/src/test_helpers/ssl_helpers.c
@@ -914,11 +914,13 @@ void mbedtls_test_ssl_endpoint_free(
     mbedtls_test_ssl_endpoint *ep,
     mbedtls_test_message_socket_context *context)
 {
-    test_ssl_endpoint_certificate_free(ep);
-
     mbedtls_ssl_free(&(ep->ssl));
     mbedtls_ssl_config_free(&(ep->conf));
 
+    mbedtls_free(ep->ciphersuites);
+    ep->ciphersuites = NULL;
+    test_ssl_endpoint_certificate_free(ep);
+
     if (context != NULL) {
         mbedtls_test_message_socket_close(context);
     } else {
@@ -1053,31 +1055,38 @@ exit:
 }
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-static void set_ciphersuite(mbedtls_ssl_config *conf, const char *cipher,
-                            int *forced_ciphersuite)
+static int set_ciphersuite(mbedtls_test_ssl_endpoint *ep,
+                           const char *cipher)
 {
-    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-    forced_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
-    forced_ciphersuite[1] = 0;
+    if (cipher == NULL || cipher[0] == 0) {
+        return 1;
+    }
 
-    ciphersuite_info =
-        mbedtls_ssl_ciphersuite_from_id(forced_ciphersuite[0]);
+    int ok = 0;
+
+    TEST_CALLOC(ep->ciphersuites, 2);
+    ep->ciphersuites[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
+    ep->ciphersuites[1] = 0;
+
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        mbedtls_ssl_ciphersuite_from_id(ep->ciphersuites[0]);
 
     TEST_ASSERT(ciphersuite_info != NULL);
-    TEST_ASSERT(ciphersuite_info->min_tls_version <= conf->max_tls_version);
-    TEST_ASSERT(ciphersuite_info->max_tls_version >= conf->min_tls_version);
+    TEST_ASSERT(ciphersuite_info->min_tls_version <= ep->conf.max_tls_version);
+    TEST_ASSERT(ciphersuite_info->max_tls_version >= ep->conf.min_tls_version);
 
-    if (conf->max_tls_version > ciphersuite_info->max_tls_version) {
-        conf->max_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->max_tls_version;
+    if (ep->conf.max_tls_version > ciphersuite_info->max_tls_version) {
+        ep->conf.max_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->max_tls_version;
     }
-    if (conf->min_tls_version < ciphersuite_info->min_tls_version) {
-        conf->min_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->min_tls_version;
+    if (ep->conf.min_tls_version < ciphersuite_info->min_tls_version) {
+        ep->conf.min_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->min_tls_version;
     }
 
-    mbedtls_ssl_conf_ciphersuites(conf, forced_ciphersuite);
+    mbedtls_ssl_conf_ciphersuites(&ep->conf, ep->ciphersuites);
+    ok = 1;
 
 exit:
-    return;
+    return ok;
 }
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 
@@ -2098,8 +2107,6 @@ int mbedtls_test_ssl_do_handshake_with_endpoints(
 void mbedtls_test_ssl_perform_handshake(
     mbedtls_test_handshake_test_options *options)
 {
-    /* forced_ciphersuite needs to last until the end of the handshake */
-    int forced_ciphersuite[2];
     enum { BUFFSIZE = 17000 };
     mbedtls_test_ssl_endpoint client, server;
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
@@ -2142,9 +2149,7 @@ void mbedtls_test_ssl_perform_handshake(
                                                   NULL), 0);
     }
 
-    if (strlen(options->cipher) > 0) {
-        set_ciphersuite(&client.conf, options->cipher, forced_ciphersuite);
-    }
+    TEST_ASSERT(set_ciphersuite(&client, options->cipher));
 
     /* Server side */
     if (options->dtls != 0) {