Ensure that we call the server_cert_cb, if present, for server certificates
[mech_eap.git] / libeap / src / crypto / tls_openssl.c
index 491182b..fab1865 100644 (file)
@@ -1627,12 +1627,12 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
        err_str = X509_verify_cert_error_string(err);
 
 #ifdef CONFIG_SHA256
-       if (depth == 0 && conn->server_cert_only) {
-        if (depth == 0 && conn->server_cert_cb) {
+       if (depth == 0) {
+        if (conn->server_cert_cb) {
             preverify_ok = conn->server_cert_cb(preverify_ok, err_cert, conn->server_cert_ctx);
             wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb: server_cert_cb returned %d", preverify_ok);
         }
-        else {
+        if (conn->server_cert_only) {
             /*
              * Do not require preverify_ok so we can explicity allow otherwise
              * invalid pinned server certificates.
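Review bot: When both `server_cert_cb` and `server_cert_only` are configured, the callback's depth-0 verdict now flows into the pinned-certificate branch, whose comment says it does not require `preverify_ok`. That branch's body lies outside this hunk, but if it sets `preverify_ok = 1` on a hash match, a rejection returned by the callback is silently overridden. Either state the precedence in a comment above the second `if`, for example `/* A pinned-hash match takes precedence over the server_cert_cb result. */`, or record the callback's rejection in a local flag and leave `preverify_ok` at 0 in that case. Separately, the call still sits under `#ifdef CONFIG_SHA256`, so a build without that option never invokes the callback; hoisting `if (depth == 0 && conn->server_cert_cb) {` above the `#ifdef` would make the behaviour match the commit title.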