From c42f73fe34a6f833fbfd76b165ed23541ae28d71 Mon Sep 17 00:00:00 2001
From: David Horstmann <david.horstmann@arm.com>
Date: Wed, 28 Jan 2026 17:49:19 +0000
Subject: [PATCH] Switch to a default value of -1u

Since we explicitly document the value 0xFFFFFFFF or -1u as representing
'result not available', we can use it as a sensible default value
without creating an API change. Use this value instead of introducing a
new verification result value.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
---
 include/mbedtls/x509.h               | 1 -
 include/mbedtls/x509_crt.h           | 5 +----
 library/ssl_tls.c                    | 4 ++--
 tests/suites/test_suite_ssl.function | 2 +-
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index ac324fddf6..6b104613d7 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -108,7 +108,6 @@
 #define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
 #define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
 #define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
-#define MBEDTLS_X509_VERIFY_NOT_STARTED      0x100000  /**< No verification has yet been performed (used as a safe initial value). */
 
 /** \} name X509 Verify codes */
 /** \} addtogroup x509_module */
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 6ac17af67d..6b96039597 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -209,10 +209,7 @@ mbedtls_x509_crt_profile;
                         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).")   \
     X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY,                                                    \
                         "MBEDTLS_X509_BADCRL_BAD_KEY",                                                  \
-                        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).")    \
-    X509_CRT_ERROR_INFO(MBEDTLS_X509_VERIFY_NOT_STARTED,                                                \
-                        "MBEDTLS_X509_VERIFY_NOT_STARTED",                                              \
-                        "No verification has yet been performed.")
+                        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).")
 
 /**
  * Container for writing a certificate (CRT)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0585a53ef0..eb015d20da 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1048,8 +1048,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
 {
     memset(session, 0, sizeof(mbedtls_ssl_session));
-    /* Set verify_result to indicate failure by default. */
-    session->verify_result = MBEDTLS_X509_VERIFY_NOT_STARTED;
+    /* Set verify_result to -1u to indicate 'result not available'. */
+    session->verify_result = 0xFFFFFFFF;
 }
 
 MBEDTLS_CHECK_RETURN_CRITICAL
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 86fac0078b..276f08f42c 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -6024,7 +6024,7 @@ void verify_result_without_handshake(void)
 
     uint32_t verify_result = mbedtls_ssl_get_verify_result(&ssl);
 
-    TEST_EQUAL(verify_result, MBEDTLS_X509_VERIFY_NOT_STARTED);
+    TEST_EQUAL(verify_result, 0xFFFFFFFF);
 
 exit:
     mbedtls_ssl_config_free(&conf);