Initialize verify_result in session free

Initialize the verify_result field in mbedtls_ssl_session_free(). Previously we were just zeroising the entire session object, which would yield a default 'success' value if the same object were reused. Test that this initialisation is actually happening by setting verify_result manually to zero and calling mbedtls_ssl_session_free() on the session before checking its value. Signed-off-by: David Horstmann <david.horstmann@arm.com>
2026-03-20 19:21:09 +01:00 · 2026-02-05 14:17:47 +00:00
parent c42f73fe34
commit 01ef42d5fe
2 changed files with 13 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5005,6 +5005,9 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
 #endif

    mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
+
+    /* Set verify_result to -1u to indicate 'result not available'. */
+    session->verify_result = 0xFFFFFFFF;
 }

 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -6026,6 +6026,16 @@ void verify_result_without_handshake(void)

    TEST_EQUAL(verify_result, 0xFFFFFFFF);

+    /* Set the verify result manually and check that session_free resets it. */
+
+    /* Set the verify result to 0. */
+    ssl.session_negotiate->verify_result = 0;
+
+    mbedtls_ssl_session_free(ssl.session_negotiate);
+
+    verify_result = mbedtls_ssl_get_verify_result(&ssl);
+    TEST_EQUAL(verify_result, 0xFFFFFFFF);
+
 exit:
    mbedtls_ssl_config_free(&conf);
    mbedtls_ssl_free(&ssl);