davidhorstmann-arm
Contributor

Trivial backport of #10442

Guard against a potential API misuse. Currently, when mbedtls_ssl_get_verify_result() is called before attempting a handshake, it returns 0 indicating success.

Change this so that we initialize the result to 0xFFFFFFFF (indicating failure) when we first initialize the session object.

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

At initialization, set the verify_result field of the ssl session to
0xFFFFFFFF, indicating failure of the handshake. This prevents
mbedtls_ssl_get_verify_result() from indicating that certificate
verification has passed if it is called prior to the handshake
happening.

Signed-off-by: David Horstmann <[email protected]>

Write a testcase to get verify_result before we have performed a
handshake and make sure that it is initialised to a failure value.

Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm davidhorstmann-arm added needs-ci Needs to pass CI tests size-s Estimated task size: small (~2d) needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review labels Oct 8, 2025
@davidhorstmann-arm davidhorstmann-arm moved this from In Development to In Review in Non-roadmap pull requests Oct 8, 2025
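
Added example, not part of the PR or of the Mbed TLS source: a simplified C model of the misuse described above. It shows why a zero-filled result lets a caller that checks before any handshake conclude the peer is verified, and how initializing to 0xFFFFFFFF fails closed. The struct and function names (`model_session`, `session_init_zeroed`, `session_init_fail_closed`, `model_handshake`, `caller_trusts_peer`) are hypothetical.

```c
/* Simplified model, NOT Mbed TLS code: every name below is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VERIFY_OK    0x00000000u  /* 0 is read by callers as "verified" */
#define VERIFY_UNSET 0xFFFFFFFFu  /* failure value named in the PR description */

typedef struct {
    uint32_t verify_result;  /* outcome of certificate verification */
} model_session;

/* Before the change: zero-filling the session leaves verify_result == 0. */
static void session_init_zeroed(model_session *s)
{
    memset(s, 0, sizeof(*s));
}

/* After the change: zero-fill, then set the result to the failure value. */
static void session_init_fail_closed(model_session *s)
{
    memset(s, 0, sizeof(*s));
    s->verify_result = VERIFY_UNSET;
}

/* Stand-in for a handshake that records the verification flags. */
static void model_handshake(model_session *s, uint32_t cert_flags)
{
    s->verify_result = cert_flags;
}

/* The misuse: trusting the result without knowing a handshake ran. */
static int caller_trusts_peer(const model_session *s)
{
    return s->verify_result == VERIFY_OK;
}

int main(void)
{
    model_session old_s, new_s;
    session_init_zeroed(&old_s);
    session_init_fail_closed(&new_s);
    printf("pre-handshake, zeroed init:      trusted=%d\n", caller_trusts_peer(&old_s));
    printf("pre-handshake, fail-closed init: trusted=%d\n", caller_trusts_peer(&new_s));
    model_handshake(&new_s, VERIFY_OK);  /* constructed: verification passed */
    printf("post-handshake, verified cert:   trusted=%d\n", caller_trusts_peer(&new_s));
    return 0;
}
```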