Prevent verify callback from blocking ANCV invocation when verify

callback is registered. Reverts behavior to pre-PR#9144
2026-01-28 20:59:57 +01:00 · 2026-01-14 13:31:20 -07:00
parent 16e45f94ae
commit 22a9665e6d
1 changed files with 21 additions and 30 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -16219,23 +16219,31 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                    }
                    #endif

+                    #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
+                    /* If we can't validate the peer cert chain against the CAs
+                     * loaded into wolfSSL, try to validate against the system
+                     * certificates using Apple's native trust APIs BEFORE
+                     * calling the verify callback so the callback sees the
+                     * correct validation result */
+                    if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+                        (ssl->ctx->doAppleNativeCertValidationFlag)) {
+                        if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                             args->totalCerts)) {
+                            WOLFSSL_MSG("Apple native cert chain validation "
+                                        "SUCCESS");
+                            ret = 0;
+                        }
+                        else {
+                            WOLFSSL_MSG("Apple native cert chain validation "
+                                        "FAIL");
+                        }
+                    }
+                    #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
+
                    /* Do verify callback. */
                    args->leafVerifyErr = ret =
                            DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);

-                    #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
-                    /* Disregard failure to verify peer cert, as we will verify
-                     * the whole chain with the native API later */
-                    if (ssl->ctx->doAppleNativeCertValidationFlag) {
-                        WOLFSSL_MSG("\tApple native CA validation override"
-                                    " available, will continue");
-                        /* check if fatal error */
-                        args->fatal = (args->verifyErr) ? 1 : 0;
-                        if (args->fatal)
-                            DoCertFatalAlert(ssl, ret);
-                    }
-                    else
-                    #endif/*defined(__APPLE__)&& defined(WOLFSSL_SYS_CA_CERTS)*/
                    if (ret != 0) {
                        WOLFSSL_MSG("\tfatal cert error");
                        args->fatal = 1;
@@ -17004,23 +17012,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            }
        #endif

-        #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)
-            /* If we can't validate the peer cert chain against the CAs loaded
-             * into wolfSSL, try to validate against the system certificates
-             * using Apple's native trust APIs */
-            if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
-                (ssl->ctx->doAppleNativeCertValidationFlag)) {
-                if (DoAppleNativeCertValidation(ssl, args->certs,
-                                                     args->totalCerts)) {
-                    WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
-                    ret = 0;
-                }
-                else {
-                    WOLFSSL_MSG("Apple native cert chain validation FAIL");
-                }
-            }
-        #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
-
            /* Do leaf verify callback when it wasn't called yet */
            if (ret == 0 || ret != args->leafVerifyErr)
                ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);