From cd34f144c4a2d42634a5548001b3ea5245866156 Mon Sep 17 00:00:00 2001
From: John Lee <john@expensify.com>
Date: Tue, 9 Jul 2024 17:02:47 -0400
Subject: [PATCH] Don't use 3.6.0 since it fails

---
 Makefile               | 2 +-
 libstuff/SSSLState.cpp | 9 ++++++---
 mbedtls                | 2 +-
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 69107c2b0..ed9511513 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,7 @@ clean:
 mbedtls/library/libmbedcrypto.a mbedtls/library/libmbedtls.a mbedtls/library/libmbedx509.a:
 	git submodule init
 	git submodule update
-	cd mbedtls && git checkout -q v3.6.0
+	cd mbedtls && git checkout -q v3.5.2
 	cd mbedtls && git submodule update --init
 	cd mbedtls && $(MAKE) no_test
 
diff --git a/libstuff/SSSLState.cpp b/libstuff/SSSLState.cpp
index 58545533b..8b811a8ca 100644
--- a/libstuff/SSSLState.cpp
+++ b/libstuff/SSSLState.cpp
@@ -30,11 +30,9 @@ SSSLState* SSSLOpen(int s, SX509* x509) {
 
     mbedtls_ctr_drbg_seed(&state->ctr_drbg, mbedtls_entropy_func, &state->ec, 0, 0);
     mbedtls_ssl_config_defaults(&state->conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, 0);
-
-    mbedtls_ssl_setup(&state->ssl, &state->conf);
-
     mbedtls_ssl_conf_authmode(&state->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
     mbedtls_ssl_conf_rng(&state->conf, mbedtls_ctr_drbg_random, &state->ctr_drbg);
+
     mbedtls_ssl_set_bio(&state->ssl, &state->s, mbedtls_net_send, mbedtls_net_recv, 0);
 
     if (x509) {
@@ -42,6 +40,10 @@ SSSLState* SSSLOpen(int s, SX509* x509) {
         mbedtls_ssl_conf_ca_chain(&state->conf, x509->srvcert.next, 0);
         SASSERT(mbedtls_ssl_conf_own_cert(&state->conf, &x509->srvcert, &x509->pk) == 0);
     }
+
+    // Do this at the end, since we don't want to modify the conf context after we've initialized it with our ssl context.
+    mbedtls_ssl_setup(&state->ssl, &state->conf);
+
     return state;
 }
 
@@ -49,6 +51,7 @@ SSSLState* SSSLOpen(int s, SX509* x509) {
 int SSSLSend(SSSLState* sslState, const char* buffer, int length) {
     // Send as much as possible and report what happened
     SASSERT(sslState && buffer);
+
     const int numSent = mbedtls_ssl_write(&sslState->ssl, (unsigned char*)buffer, length);
     if (numSent > 0) {
         return numSent;
diff --git a/mbedtls b/mbedtls
index 2ca6c285a..daca7a397 160000
--- a/mbedtls
+++ b/mbedtls
@@ -1 +1 @@
-Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206
+Subproject commit daca7a3979c22da155ec9dce49ab1abf3b65d3a9