Don't call verify twice on the same error

julek-wolfssl · julek-wolfssl · commit 56702388ed00 · 2025-09-24T19:55:30.000+02:00
diff --git a/src/internal.c b/src/internal.c
@@ -16048,8 +16048,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 
                 /* Do verify callback. Don't call it on error as the callback
                  * will still be called later. */
-                if (ret != 0)
-                    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+                if (ret != 0) {
+                    args->leafVerifyErr = ret =
+                            DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+                }
 
                 if (ret == 0) {
                     WOLFSSL_MSG("Verified Peer's cert");
@@ -16938,8 +16940,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             }
         #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 
-            /* Do verify callback */
-            ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+            /* Do leaf verify callback when it wasn't called yet */
+            if (ret == 0 || ret != args->leafVerifyErr)
+                ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
 
             if (ssl->options.verifyNone &&
                               (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
@@ -2764,6 +2764,7 @@ typedef struct ProcPeerCertArgs {
     int    count;
     int    certIdx;
     int    lastErr;
+    int    leafVerifyErr;
 #ifdef WOLFSSL_TLS13
     byte   ctxSz;
 #endif
