From 624fc2e0de8e28f687cb3de0ebfb3f830db02ee9 Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Tue, 10 Mar 2026 15:08:04 +0000
Subject: [PATCH] Move TLS 1.3 verify-result setting for PSK

When we are doing PSK, we'd like to set verify_result to
MBEDTLS_X509_BADCERT_SKIP_VERIFY. Previously this was done in
mbedtls_ssl_set_hs_psk() but this is inadequate since this function may
be called for early data (where certificate verification happens later
in the handshake.

Instead, set this value after writing / processing the encrypted
extensions on the server / client respectively, so that we know whether
we are doing certificate verification or not for sure. This change is
effective only for TLS 1.3 as TLS 1.2 sets verify_result for PSK in
ssl_parse_certificate_coordinate().

Signed-off-by: David Horstmann <david.horstmann@arm.com>
---
 library/ssl_tls.c          | 3 ---
 library/ssl_tls13_client.c | 3 +++
 library/ssl_tls13_server.c | 3 +++
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 09e1ebf574..bf459b473e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2018,9 +2018,6 @@ int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
         return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
     }
 
-    /* Since we're not using a certificate, set verify_result to skipped */
-    ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
-
     /* Allow calling psa_destroy_key() on psk remove */
     ssl->handshake->psk_opaque_is_internal = 1;
     return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index b7b075cc97..9b7ca82f91 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2264,6 +2264,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
     if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
         mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+
+        /* Since we're not using a certificate, set verify_result to skipped */
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
     } else {
         mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
     }
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 982e6f8c3b..270dcd0e6e 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -2616,6 +2616,9 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
     if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
         mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_FINISHED);
+
+        /* Since we're not using a certificate, set verify_result to skipped */
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
     } else {
         mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST);
     }