Don't do policy checking unless we were asked to do so.

ok tb@
author: beck <> 2023-01-17 23:49:28 +0000
committer: beck <> 2023-01-17 23:49:28 +0000
commit: 52722100e717bb0bc05455878755efbc90d5a4df (patch)
tree: 3ad0284cf7f991b450bb7cc25691bc1c2b77db87 /src
parent: 21a2d4cbfbe44f35adc4655aee0378ef3d06b022 (diff)
download: openbsd-52722100e717bb0bc05455878755efbc90d5a4df.tar.gz
openbsd-52722100e717bb0bc05455878755efbc90d5a4df.tar.bz2
openbsd-52722100e717bb0bc05455878755efbc90d5a4df.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index e85c3a64d6..5891bd8df3 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.61 2022/10/17 18:56:54 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.62 2023/01/17 23:49:28 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -447,7 +447,8 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
        if (!x509_vfy_check_revocation(ctx->xsc))
                goto err;
-        if (!x509_vfy_check_policy(ctx->xsc))
+        if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
+            !x509_vfy_check_policy(ctx->xsc))
                goto err;
        ret = 1;
author	beck <>	2023-01-17 23:49:28 +0000
committer	beck <>	2023-01-17 23:49:28 +0000
commit	52722100e717bb0bc05455878755efbc90d5a4df (patch)
tree	3ad0284cf7f991b450bb7cc25691bc1c2b77db87 /src
parent	21a2d4cbfbe44f35adc4655aee0378ef3d06b022 (diff)
download	openbsd-52722100e717bb0bc05455878755efbc90d5a4df.tar.gz openbsd-52722100e717bb0bc05455878755efbc90d5a4df.tar.bz2 openbsd-52722100e717bb0bc05455878755efbc90d5a4df.zip