From 710aaa7ae762b69c9b31592e5f80d885a8d7b32d Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Wed, 3 Sep 2025 11:21:00 +0100
Subject: [PATCH] Set verify_result to failure by default

At initialization, set the verify_result field of the ssl session to
MBEDTLS_X509_VERIFY_NOT_STARTED, rather than 0 as it is by default
currently. This prevents mbedtls_ssl_get_verify_result() from indicating
that certificate verification has passed if it is called prior to the
handshake happening.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
---
 library/ssl_tls.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 30cde27923..0585a53ef0 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1048,6 +1048,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
 {
     memset(session, 0, sizeof(mbedtls_ssl_session));
+    /* Set verify_result to indicate failure by default. */
+    session->verify_result = MBEDTLS_X509_VERIFY_NOT_STARTED;
 }
 
 MBEDTLS_CHECK_RETURN_CRITICAL