From 01ef42d5fec4639f9d720e182cf0a1fd746d918a Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 5 Feb 2026 14:17:47 +0000 Subject: [PATCH] Initialize verify_result in session free Initialize the verify_result field in mbedtls_ssl_session_free(). Previously we were just zeroising the entire session object, which would yield a default 'success' value if the same object were reused. Test that this initialisation is actually happening by setting verify_result manually to zero and calling mbedtls_ssl_session_free() on the session before checking its value. Signed-off-by: David Horstmann --- library/ssl_tls.c | 3 +++ tests/suites/test_suite_ssl.function | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index eb015d20da..a65740463c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5005,6 +5005,9 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session) #endif mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); + + /* Set verify_result to -1u to indicate 'result not available'. */ + session->verify_result = 0xFFFFFFFF; } #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 276f08f42c..552c06a7b9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6026,6 +6026,16 @@ void verify_result_without_handshake(void) TEST_EQUAL(verify_result, 0xFFFFFFFF); + /* Set the verify result manually and check that session_free resets it. */ + + /* Set the verify result to 0. */ + ssl.session_negotiate->verify_result = 0; + + mbedtls_ssl_session_free(ssl.session_negotiate); + + verify_result = mbedtls_ssl_get_verify_result(&ssl); + TEST_EQUAL(verify_result, 0xFFFFFFFF); + exit: mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl);