Skip to content

[Backport 3.6] Hardening: Make mbedtls_ssl_get_verify_result() default to failure #10443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
davidhorstmann-arm wants to merge 3 commits into
base: mbedtls-3.6
Choose a base branch
from
Open

[Backport 3.6] Hardening: Make mbedtls_ssl_get_verify_result() default to failure #10443

davidhorstmann-arm wants to merge 3 commits into from
+35 −0

Conversation

@davidhorstmann-arm
Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm commented Oct 8, 2025

Trivial backport of #10442

Guard against a potential API misuse. Currently, when mbedtls_ssl_get_verify_result() is called before attempting a handshake, it returns 0 indicating success.

Change this so that we initialize the result to 0xFFFFFFFF (indicating failure) when we first initialize the session object.

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

@davidhorstmann-arm
Set verify_result to failure by default
f322468 
At initialization, set the verify_result field of the ssl session to
0xFFFFFFFF, indicating failure of the handshake. This prevents
mbedtls_ssl_get_verify_result() from indicating that certificate
verification has passed if it is called prior to the handshake
happening.

Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm
Add non-regression test for verify_result init
5b36bd8 
Write a testcase to get verify_result before we have performed a
handshake and make sure that it is initialised to a failure value.

Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm
Add ChangeLog entry for verify_result hardening
4f36f66 
Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm davidhorstmann-arm mentioned this pull request Oct 8, 2025
Open
5 tasks
@davidhorstmann-arm davidhorstmann-arm added needs-ci Needs to pass CI tests size-s Estimated task size: small (~2d) needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review labels Oct 8, 2025
@davidhorstmann-arm davidhorstmann-arm mentioned this pull request Oct 8, 2025
Open
@davidhorstmann-arm davidhorstmann-arm moved this from In Development to In Review in Non-roadmap pull requests Oct 8, 2025
@mpg mpg added the priority-medium Medium priority - this can be reviewed as time permits label Dec 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs-ci Needs to pass CI tests needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review priority-medium Medium priority - this can be reviewed as time permits size-s Estimated task size: small (~2d)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davidhorstmann-arm @mpg