Set verify_result to failure by default

At initialization, set the verify_result field of the ssl session to MBEDTLS_X509_VERIFY_NOT_STARTED, rather than 0 as it is by default currently. This prevents mbedtls_ssl_get_verify_result() from indicating that certificate verification has passed if it is called prior to the handshake happening. Signed-off-by: David Horstmann <david.horstmann@arm.com>
2026-03-20 19:21:09 +01:00 · 2025-09-03 11:21:00 +01:00
parent 86c40c1b0d
commit dea75cbb88
1 changed files with 2 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -954,6 +954,8 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
 {
    memset(session, 0, sizeof(mbedtls_ssl_session));
+    /* Set verify_result to indicate failure by default. */
+    session->verify_result = MBEDTLS_X509_VERIFY_NOT_STARTED;
 }

 MBEDTLS_CHECK_RETURN_CRITICAL