From ff51a1a1769ee1ec2f56b18aca5f34075c21552c Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Thu, 5 Feb 2026 14:17:47 +0000 Subject: [PATCH] Initialize verify_result in session free Initialize the verify_result field in mbedtls_ssl_session_free(). Previously we were just zeroising the entire session object, which would yield a default 'success' value if the same object were reused. Test that this initialisation is actually happening by setting verify_result manually to zero and calling mbedtls_ssl_session_free() on the session before checking its value. Signed-off-by: David Horstmann --- library/ssl_tls.c | 3 +++ tests/suites/test_suite_ssl.function | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ce93417d73..ceae9b9a3e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4571,6 +4571,9 @@ void mbedtls_ssl_session_free(mbedtls_ssl_session *session) #endif mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); + + /* Set verify_result to -1u to indicate 'result not available'. */ + session->verify_result = 0xFFFFFFFF; } #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index f002f468e9..06fc4b3032 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6067,6 +6067,16 @@ void verify_result_without_handshake(void) TEST_EQUAL(verify_result, 0xFFFFFFFF); + /* Set the verify result manually and check that session_free resets it. */ + + /* Set the verify result to 0. */ + ssl.session_negotiate->verify_result = 0; + + mbedtls_ssl_session_free(ssl.session_negotiate); + + verify_result = mbedtls_ssl_get_verify_result(&ssl); + TEST_EQUAL(verify_result, 0xFFFFFFFF); + exit: mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl);