From 86c40c1b0d442d8fcef4441e8dbf229e184df45a Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 14 Jan 2026 15:49:33 +0000 Subject: [PATCH] Add new X509 verification result for 'not started' Add a new verification result bitflag MBEDTLS_X509_VERIFY_NOT_STARTED to use as a safe initial value for verify_result. This is better than the current initial value which is 0 (indicating success). Signed-off-by: David Horstmann --- include/mbedtls/x509.h | 1 + include/mbedtls/x509_crt.h | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 130c427c4f..b52c988386 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -104,6 +104,7 @@ #define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */ #define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */ #define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */ +#define MBEDTLS_X509_VERIFY_NOT_STARTED 0x100000 /**< No verification has yet been performed (used as a safe initial value). */ /** \} name X509 Verify codes */ /** \} addtogroup x509_module */ diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 8ee7c464af..90f58ee552 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -207,7 +207,10 @@ mbedtls_x509_crt_profile; "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).") \ X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY, \ "MBEDTLS_X509_BADCRL_BAD_KEY", \ - "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).") + "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).") \ + X509_CRT_ERROR_INFO(MBEDTLS_X509_VERIFY_NOT_STARTED, \ + "MBEDTLS_X509_VERIFY_NOT_STARTED", \ + "No verification has yet been performed.") /** * Container for writing a certificate (CRT)