From f3224687ab558194d7b63a73a4ab054a35b695fb Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 3 Sep 2025 11:21:00 +0100 Subject: [PATCH 1/3] Set verify_result to failure by default At initialization, set the verify_result field of the ssl session to 0xFFFFFFFF, indicating failure of the handshake. This prevents mbedtls_ssl_get_verify_result() from indicating that certificate verification has passed if it is called prior to the handshake happening. Signed-off-by: David Horstmann --- library/ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 30cde279239..468cc0afb48 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1048,6 +1048,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) void mbedtls_ssl_session_init(mbedtls_ssl_session *session) { memset(session, 0, sizeof(mbedtls_ssl_session)); + /* Set verify_result to indicate failure by default. */ + session->verify_result = 0xFFFFFFFF; } MBEDTLS_CHECK_RETURN_CRITICAL From 5b36bd8d1c2f0ef433818170c170f93e10077163 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Tue, 7 Oct 2025 16:07:57 +0100 Subject: [PATCH 2/3] Add non-regression test for verify_result init Write a testcase to get verify_result before we have performed a handshake and make sure that it is initialised to a failure value. Signed-off-by: David Horstmann --- tests/suites/test_suite_ssl.data | 3 +++ tests/suites/test_suite_ssl.function | 25 +++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 92bda3efd1a..53cf1a07964 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3524,3 +3524,6 @@ ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:250:10 TLS 1.3 Keying Material Exporter: Handshake not done depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTIFICATE + +Default verify_result before doing a handshake +verify_result_without_handshake diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 6797a4dd7e4..d5076e9c44a 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5999,3 +5999,28 @@ exit: MD_OR_USE_PSA_DONE(); } /* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +void verify_result_without_handshake(void) +{ + /* Test the result of verification before we perform a handshake. */ + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + + mbedtls_ssl_init(&ssl); + + TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT), 0); + + mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_ca_chain(&conf, NULL, NULL); + + TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); + + uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl); + + TEST_EQUAL(verify_result, 0xFFFFFFFF); +} +/* END_CASE */ From 4f36f662415cc8a4ffb9d7706a6438f9560d2d2c Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 8 Oct 2025 10:49:24 +0100 Subject: [PATCH 3/3] Add ChangeLog entry for verify_result hardening Signed-off-by: David Horstmann --- ChangeLog.d/verify-result-default-value.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/verify-result-default-value.txt diff --git a/ChangeLog.d/verify-result-default-value.txt b/ChangeLog.d/verify-result-default-value.txt new file mode 100644 index 00000000000..d85dfe2670d --- /dev/null +++ b/ChangeLog.d/verify-result-default-value.txt @@ -0,0 +1,5 @@ +Changes + * Harden mbedtls_ssl_get_verify_result() against misuse. + Return failure if the handshake has not yet been attempted. Previously + the result of verification was zero-initialized so the function would + return 0 (indicating success).