Skip to content

Hardening: Make mbedtls_ssl_get_verify_result() default to failure #10442

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: development
Choose a base branch
from
Open

Hardening: Make mbedtls_ssl_get_verify_result() default to failure #10442

wants to merge 3 commits into from
+35 −0

Conversation

@davidhorstmann-arm
Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm commented Oct 8, 2025
edited
Loading

Guard against a potential API misuse. Currently, when mbedtls_ssl_get_verify_result() is called before attempting a handshake, it returns 0 indicating success.

Change this so that we initialize the result to 0xFFFFFFFF (indicating failure) when we first initialize the session object.

Fixes #10373

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

@davidhorstmann-arm
Set verify_result to failure by default
60d03ed 
At initialization, set the verify_result field of the ssl session to
0xFFFFFFFF, indicating failure of the handshake. This prevents
mbedtls_ssl_get_verify_result() from indicating that certificate
verification has passed if it is called prior to the handshake
happening.

Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm
Add non-regression test for verify_result init
8231701 
Write a testcase to get verify_result before we have performed a
handshake and make sure that it is initialised to a failure value.

Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm
Add ChangeLog entry for verify_result hardening
ae7b6bc 
Signed-off-by: David Horstmann <[email protected]>
@davidhorstmann-arm davidhorstmann-arm mentioned this pull request Oct 8, 2025
Open
5 tasks
@davidhorstmann-arm davidhorstmann-arm added needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review needs-ci Needs to pass CI tests size-s Estimated task size: small (~2d) labels Oct 8, 2025
@davidhorstmann-arm davidhorstmann-arm moved this from In Development to In Review in Non-roadmap pull requests Oct 8, 2025
@irwir
Copy link
Contributor

irwir commented Oct 19, 2025

Change this so that we initialize the result to 0xFFFFFFFF (indicating failure) when we first initialize the session object.

This solution could have been cleaner.
First, it uses magic value without a name.
Second, and more important, verify_result is essentially a collection of bit fields, but checks for individuls bits do not take into account possibility of having all bits set.

There are unused bits in 32-bit integer, it would be more appropriate to take one bit and give it a good name.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs-ci Needs to pass CI tests needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review size-s Estimated task size: small (~2d)

Projects

Non-roadmap pull requests
Status: In Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

verify_result should default to failure

2 participants

@davidhorstmann-arm @irwir