TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 19:21:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Set verify_result in non-verification cases

Browse Source 
When we are using PSK or when authmode == MBEDTLS_SSL_VERIFY_NONE, we
intentionally do not verify the certificate. In these cases, do not keep
verify_result at -1u but set it to MBEDTLS_X509_BADCERT_SKIP_VERIFY to
indicate that no certificate verification took place.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
This commit is contained in:
David Horstmann
2026-02-16 10:57:09 +00:00
parent ff51a1a176
commit 607f725563
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
library/ssl_tls.c
View File

@@ -2018,6 +2018,9 @@ int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
}
/* Since we're not using a certificate, set verify_result to skipped */
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
/* Allow calling psa_destroy_key() on psk remove */
ssl->handshake->psk_opaque_is_internal = 1;
return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
@@ -6980,6 +6983,7 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
ssl->handshake->ciphersuite_info;
if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
return SSL_CERTIFICATE_SKIP;
}
@@ -8695,6 +8699,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
void *rs_ctx)
{
if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
return 0;
}