Unifdef LIBRESSL_HAS_POLICY_DAG and remove it from the Makefile

with beck
author: tb <> 2023-04-28 16:30:14 +0000
committer: tb <> 2023-04-28 16:30:14 +0000
commit: 88204d1b49bfe45fc06cace782cd8183e4abc17a (patch)
tree: 9058435a70684a5adbf1febdddf08ce4894fa577
parent: 35858e63d17dad92a6dfe2a71d1da4734e42501d (diff)
download: openbsd-88204d1b49bfe45fc06cace782cd8183e4abc17a.tar.gz
openbsd-88204d1b49bfe45fc06cace782cd8183e4abc17a.tar.bz2
openbsd-88204d1b49bfe45fc06cace782cd8183e4abc17a.zip
5 files changed, 5 insertions, 98 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 110ec3fb97..4238e6df95 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.124 2023/04/28 16:21:57 tb Exp $
+# $OpenBSD: Makefile,v 1.125 2023/04/28 16:30:14 tb Exp $
 LIB=    crypto
 LIBREBUILD=y
@@ -19,7 +19,6 @@ CFLAGS+= -Wall -Wundef
 CFLAGS+= -Werror
 .endif
 CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
-CFLAGS+= -DLIBRESSL_HAS_POLICY_DAG
 .ifdef NAMESPACE
 CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
 .endif
diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index 5a769abdff..0c10bec4c8 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */
+/* $OpenBSD: x_x509.c,v 1.35 2023/04/28 16:30:14 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -169,10 +169,6 @@ X509_CINF_free(X509_CINF *a)
 }
 /* X509 top level structure needs a bit of customisation */
-#ifndef LIBRESSL_HAS_POLICY_DAG
-extern void policy_cache_free(X509_POLICY_CACHE *cache);
-#endif
 static int
 x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 {
@@ -207,9 +203,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                ASN1_OCTET_STRING_free(ret->skid);
                AUTHORITY_KEYID_free(ret->akid);
                CRL_DIST_POINTS_free(ret->crldp);
-#ifndef LIBRESSL_HAS_POLICY_DAG
-                policy_cache_free(ret->policy_cache);
-#endif
                GENERAL_NAMES_free(ret->altname);
                NAME_CONSTRAINTS_free(ret->nc);
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 1aa66d2440..374cba3d58 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.7 2023/04/28 16:30:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -69,13 +69,6 @@ __BEGIN_HIDDEN_DECLS
 #define X509_CRL_HASH_EVP       EVP_sha512()
 #define X509_CRL_HASH_LEN       SHA512_DIGEST_LENGTH
-#ifndef LIBRESSL_HAS_POLICY_DAG
-typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
-typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
-typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
-typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
-#endif
 struct X509_pubkey_st {
        X509_ALGOR *algor;
        ASN1_BIT_STRING *public_key;
@@ -178,9 +171,6 @@ struct x509_st {
        unsigned long ex_nscert;
        ASN1_OCTET_STRING *skid;
        AUTHORITY_KEYID *akid;
-#ifndef LIBRESSL_HAS_POLICY_DAG
-        X509_POLICY_CACHE *policy_cache;
-#endif
        STACK_OF(DIST_POINT) *crldp;
        STACK_OF(GENERAL_NAME) *altname;
        NAME_CONSTRAINTS *nc;
@@ -360,9 +350,6 @@ struct x509_store_ctx_st {
        int valid;              /* if 0, rebuild chain */
        int num_untrusted;      /* number of untrusted certs in chain */
        STACK_OF(X509) *chain;          /* chain of X509s - built up and trusted */
-#ifndef LIBRESSL_HAS_POLICY_DAG
-        X509_POLICY_TREE *tree; /* Valid policy tree */
-#endif
        int explicit_policy;    /* Require explicit policy value */
@@ -396,17 +383,9 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
 int name_cmp(const char *name, const char *cmp);
-#ifdef LIBRESSL_HAS_POLICY_DAG
 int X509_policy_check(const STACK_OF(X509) *certs,
    const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags,
    X509 **out_current_cert);
-#else
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
-    STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
-    unsigned int flags);
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-#endif
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index e51e193085..73f7154f51 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.24 2023/04/28 15:57:38 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -26,8 +26,6 @@
 #include "x509_internal.h"
 #include "x509_local.h"
-#ifdef LIBRESSL_HAS_POLICY_DAG
 /* XXX move to proper place */
 #define X509_R_INVALID_POLICY_EXTENSION 201
@@ -1019,5 +1017,3 @@ err:
        sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
        return ret;
 }
-#endif /* LIBRESSL_HAS_POLICY_DAG */
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 76847e7224..93dc06ed05 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1744,7 +1744,6 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 }
-#ifdef LIBRESSL_HAS_POLICY_DAG
 int
 x509_vfy_check_policy(X509_STORE_CTX *ctx)
 {
@@ -1779,59 +1778,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
        return 1;
 }
-#else
-int
-x509_vfy_check_policy(X509_STORE_CTX *ctx)
-{
-        int ret;
-        if (ctx->parent)
-                return 1;
-        /* X509_policy_check always allocates a new tree. */
-        X509_policy_tree_free(ctx->tree);
-        ctx->tree = NULL;
-        ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
-            ctx->param->policies, ctx->param->flags);
-        if (ret == 0) {
-                X509error(ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        /* Invalid or inconsistent extensions */
-        if (ret == -1) {
-                /* Locate certificates with bad extensions and notify
-                 * callback.
-                 */
-                X509 *x;
-                int i;
-                for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-                        x = sk_X509_value(ctx->chain, i);
-                        if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
-                                continue;
-                        ctx->current_cert = x;
-                        ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
-                        if (!ctx->verify_cb(0, ctx))
-                                return 0;
-                }
-                return 1;
-        }
-        if (ret == -2) {
-                ctx->current_cert = NULL;
-                ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
-                return ctx->verify_cb(0, ctx);
-        }
-        if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
-                ctx->current_cert = NULL;
-                ctx->error = X509_V_OK;
-                if (!ctx->verify_cb(2, ctx))
-                        return 0;
-        }
-        return 1;
-}
-#endif
 static int
 check_policy(X509_STORE_CTX *ctx)
@@ -2524,12 +2470,6 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
                        X509_VERIFY_PARAM_free(ctx->param);
                ctx->param = NULL;
        }
-#ifndef LIBRESSL_HAS_POLICY_DAG
-        if (ctx->tree != NULL) {
-                X509_policy_tree_free(ctx->tree);
-                ctx->tree = NULL;
-        }
-#endif
        if (ctx->chain != NULL) {
                sk_X509_pop_free(ctx->chain, X509_free);
                ctx->chain = NULL;
author	tb <>	2023-04-28 16:30:14 +0000
committer	tb <>	2023-04-28 16:30:14 +0000
commit	88204d1b49bfe45fc06cace782cd8183e4abc17a (patch)
tree	9058435a70684a5adbf1febdddf08ce4894fa577
parent	35858e63d17dad92a6dfe2a71d1da4734e42501d (diff)
download	openbsd-88204d1b49bfe45fc06cace782cd8183e4abc17a.tar.gz openbsd-88204d1b49bfe45fc06cace782cd8183e4abc17a.tar.bz2 openbsd-88204d1b49bfe45fc06cace782cd8183e4abc17a.zip

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile index 110ec3fb97..4238e6df95 100644 --- a/src/lib/libcrypto/Makefile +++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.124 2023/04/28 16:21:57 tb Exp $	1	# $OpenBSD: Makefile,v 1.125 2023/04/28 16:30:14 tb Exp $
2		2
3	LIB= crypto	3	LIB= crypto
4	LIBREBUILD=y	4	LIBREBUILD=y
@@ -19,7 +19,6 @@ CFLAGS+= -Wall -Wundef
19	CFLAGS+= -Werror	19	CFLAGS+= -Werror
20	.endif	20	.endif
21	CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL	21	CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
22	CFLAGS+= -DLIBRESSL_HAS_POLICY_DAG
23	.ifdef NAMESPACE	22	.ifdef NAMESPACE
24	CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE	23	CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
25	.endif	24	.endif


diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c index 5a769abdff..0c10bec4c8 100644 --- a/src/lib/libcrypto/asn1/x_x509.c +++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x_x509.c,v 1.34 2023/04/26 19:11:32 beck Exp $ */	1	/* $OpenBSD: x_x509.c,v 1.35 2023/04/28 16:30:14 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -169,10 +169,6 @@ X509_CINF_free(X509_CINF *a)
169	}	169	}
170	/* X509 top level structure needs a bit of customisation */	170	/* X509 top level structure needs a bit of customisation */
171		171
172	#ifndef LIBRESSL_HAS_POLICY_DAG
173	extern void policy_cache_free(X509_POLICY_CACHE *cache);
174	#endif
175
176	static int	172	static int
177	x509_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it, void *exarg)	173	x509_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it, void *exarg)
178	{	174	{
@@ -207,9 +203,6 @@ x509_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it, void *exarg)
207	ASN1_OCTET_STRING_free(ret->skid);	203	ASN1_OCTET_STRING_free(ret->skid);
208	AUTHORITY_KEYID_free(ret->akid);	204	AUTHORITY_KEYID_free(ret->akid);
209	CRL_DIST_POINTS_free(ret->crldp);	205	CRL_DIST_POINTS_free(ret->crldp);
210	#ifndef LIBRESSL_HAS_POLICY_DAG
211	policy_cache_free(ret->policy_cache);
212	#endif
213	GENERAL_NAMES_free(ret->altname);	206	GENERAL_NAMES_free(ret->altname);
214	NAME_CONSTRAINTS_free(ret->nc);	207	NAME_CONSTRAINTS_free(ret->nc);
215	#ifndef OPENSSL_NO_RFC3779	208	#ifndef OPENSSL_NO_RFC3779


diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h index 1aa66d2440..374cba3d58 100644 --- a/src/lib/libcrypto/x509/x509_local.h +++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_local.h,v 1.6 2023/04/26 19:11:33 beck Exp $ */	1	/* $OpenBSD: x509_local.h,v 1.7 2023/04/28 16:30:14 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2013.	3	* project 2013.
4	*/	4	*/
@@ -69,13 +69,6 @@ __BEGIN_HIDDEN_DECLS
69	#define X509_CRL_HASH_EVP EVP_sha512()	69	#define X509_CRL_HASH_EVP EVP_sha512()
70	#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH	70	#define X509_CRL_HASH_LEN SHA512_DIGEST_LENGTH
71		71
72	#ifndef LIBRESSL_HAS_POLICY_DAG
73	typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
74	typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
75	typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
76	typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
77	#endif
78
79	struct X509_pubkey_st {	72	struct X509_pubkey_st {
80	X509_ALGOR *algor;	73	X509_ALGOR *algor;
81	ASN1_BIT_STRING *public_key;	74	ASN1_BIT_STRING *public_key;
@@ -178,9 +171,6 @@ struct x509_st {
178	unsigned long ex_nscert;	171	unsigned long ex_nscert;
179	ASN1_OCTET_STRING *skid;	172	ASN1_OCTET_STRING *skid;
180	AUTHORITY_KEYID *akid;	173	AUTHORITY_KEYID *akid;
181	#ifndef LIBRESSL_HAS_POLICY_DAG
182	X509_POLICY_CACHE *policy_cache;
183	#endif
184	STACK_OF(DIST_POINT) *crldp;	174	STACK_OF(DIST_POINT) *crldp;
185	STACK_OF(GENERAL_NAME) *altname;	175	STACK_OF(GENERAL_NAME) *altname;
186	NAME_CONSTRAINTS *nc;	176	NAME_CONSTRAINTS *nc;
@@ -360,9 +350,6 @@ struct x509_store_ctx_st {
360	int valid; /* if 0, rebuild chain */	350	int valid; /* if 0, rebuild chain */
361	int num_untrusted; /* number of untrusted certs in chain */	351	int num_untrusted; /* number of untrusted certs in chain */
362	STACK_OF(X509) chain; / chain of X509s - built up and trusted */	352	STACK_OF(X509) chain; / chain of X509s - built up and trusted */
363	#ifndef LIBRESSL_HAS_POLICY_DAG
364	X509_POLICY_TREE tree; / Valid policy tree */
365	#endif
366		353
367	int explicit_policy; /* Require explicit policy value */	354	int explicit_policy; /* Require explicit policy value */
368		355
@@ -396,17 +383,9 @@ int x509_check_cert_time(X509_STORE_CTX ctx, X509 x, int quiet);
396		383
397	int name_cmp(const char name, const char cmp);	384	int name_cmp(const char name, const char cmp);
398		385
399	#ifdef LIBRESSL_HAS_POLICY_DAG
400	int X509_policy_check(const STACK_OF(X509) *certs,	386	int X509_policy_check(const STACK_OF(X509) *certs,
401	const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags,	387	const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags,
402	X509 **out_current_cert);	388	X509 **out_current_cert);
403	#else
404	int X509_policy_check(X509_POLICY_TREE *ptree, int pexplicit_policy,
405	STACK_OF(X509) certs, STACK_OF(ASN1_OBJECT) policy_oids,
406	unsigned int flags);
407
408	void X509_policy_tree_free(X509_POLICY_TREE *tree);
409	#endif
410		389
411	__END_HIDDEN_DECLS	390	__END_HIDDEN_DECLS
412		391


diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c index e51e193085..73f7154f51 100644 --- a/src/lib/libcrypto/x509/x509_policy.c +++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_policy.c,v 1.24 2023/04/28 15:57:38 tb Exp $ */	1	/* $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2022, Google Inc.	3	* Copyright (c) 2022, Google Inc.
4	*	4	*
@@ -26,8 +26,6 @@
26	#include "x509_internal.h"	26	#include "x509_internal.h"
27	#include "x509_local.h"	27	#include "x509_local.h"
28		28
29	#ifdef LIBRESSL_HAS_POLICY_DAG
30
31	/* XXX move to proper place */	29	/* XXX move to proper place */
32	#define X509_R_INVALID_POLICY_EXTENSION 201	30	#define X509_R_INVALID_POLICY_EXTENSION 201
33		31
@@ -1019,5 +1017,3 @@ err:
1019	sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);	1017	sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);
1020	return ret;	1018	return ret;
1021	}	1019	}
1022
1023	#endif /* LIBRESSL_HAS_POLICY_DAG */


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 76847e7224..93dc06ed05 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.116 2023/04/26 19:11:33 beck Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.117 2023/04/28 16:30:14 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1744,7 +1744,6 @@ cert_crl(X509_STORE_CTX ctx, X509_CRL crl, X509 *x)
1744	}	1744	}
1745		1745
1746		1746
1747	#ifdef LIBRESSL_HAS_POLICY_DAG
1748	int	1747	int
1749	x509_vfy_check_policy(X509_STORE_CTX *ctx)	1748	x509_vfy_check_policy(X509_STORE_CTX *ctx)
1750	{	1749	{
@@ -1779,59 +1778,6 @@ x509_vfy_check_policy(X509_STORE_CTX *ctx)
1779		1778
1780	return 1;	1779	return 1;
1781	}	1780	}
1782	#else
1783	int
1784	x509_vfy_check_policy(X509_STORE_CTX *ctx)
1785	{
1786	int ret;
1787
1788	if (ctx->parent)
1789	return 1;
1790
1791	/* X509_policy_check always allocates a new tree. */
1792	X509_policy_tree_free(ctx->tree);
1793	ctx->tree = NULL;
1794
1795	ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1796	ctx->param->policies, ctx->param->flags);
1797	if (ret == 0) {
1798	X509error(ERR_R_MALLOC_FAILURE);
1799	return 0;
1800	}
1801	/* Invalid or inconsistent extensions */
1802	if (ret == -1) {
1803	/* Locate certificates with bad extensions and notify
1804	* callback.
1805	*/
1806	X509 *x;
1807	int i;
1808	for (i = 1; i < sk_X509_num(ctx->chain); i++) {
1809	x = sk_X509_value(ctx->chain, i);
1810	if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1811	continue;
1812	ctx->current_cert = x;
1813	ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1814	if (!ctx->verify_cb(0, ctx))
1815	return 0;
1816	}
1817	return 1;
1818	}
1819	if (ret == -2) {
1820	ctx->current_cert = NULL;
1821	ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1822	return ctx->verify_cb(0, ctx);
1823	}
1824
1825	if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
1826	ctx->current_cert = NULL;
1827	ctx->error = X509_V_OK;
1828	if (!ctx->verify_cb(2, ctx))
1829	return 0;
1830	}
1831
1832	return 1;
1833	}
1834	#endif
1835		1781
1836	static int	1782	static int
1837	check_policy(X509_STORE_CTX *ctx)	1783	check_policy(X509_STORE_CTX *ctx)
@@ -2524,12 +2470,6 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2524	X509_VERIFY_PARAM_free(ctx->param);	2470	X509_VERIFY_PARAM_free(ctx->param);
2525	ctx->param = NULL;	2471	ctx->param = NULL;
2526	}	2472	}
2527	#ifndef LIBRESSL_HAS_POLICY_DAG
2528	if (ctx->tree != NULL) {
2529	X509_policy_tree_free(ctx->tree);
2530	ctx->tree = NULL;
2531	}
2532	#endif
2533	if (ctx->chain != NULL) {	2473	if (ctx->chain != NULL) {
2534	sk_X509_pop_free(ctx->chain, X509_free);	2474	sk_X509_pop_free(ctx->chain, X509_free);
2535	ctx->chain = NULL;	2475	ctx->chain = NULL;