From adefe78939cff00515e5ea3cca7a71a0e599ef53 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 7 Mar 2025 20:37:49 +0100
Subject: [PATCH] Document gotcha of move_handshake_to_state

A single call to move_handshake_to_state() can't do a full handshake.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/include/test/ssl_helpers.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h
index 77f85c4966..f817366105 100644
--- a/tests/include/test/ssl_helpers.h
+++ b/tests/include/test/ssl_helpers.h
@@ -471,6 +471,18 @@ void mbedtls_test_ssl_endpoint_free(
  * /p second_ssl is used as second endpoint and their sockets have to be
  * connected before calling this function.
  *
+ * For example, to perform a full handshake:
+ * ```
+ * mbedtls_test_move_handshake_to_state(
+ *                       &server.ssl, &client.ssl,
+ *                       MBEDTLS_SSL_HANDSHAKE_OVER);
+ * mbedtls_test_move_handshake_to_state(
+ *                       &client.ssl, &client.ssl,
+ *                       MBEDTLS_SSL_HANDSHAKE_OVER);
+ * ```
+ * Note that you need both calls to reach the handshake-over state on
+ * both sides.
+ *
  * \retval  0 on success, otherwise error code.
  */
 int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl,