From 52722100e717bb0bc05455878755efbc90d5a4df Mon Sep 17 00:00:00 2001
From: beck <>
Date: Tue, 17 Jan 2023 23:49:28 +0000
Subject: Don't do policy checking unless we were asked to do so.

ok tb@
---
 src/lib/libcrypto/x509/x509_verify.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index e85c3a64d6..5891bd8df3 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.61 2022/10/17 18:56:54 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.62 2023/01/17 23:49:28 beck Exp $ */
 /*
  * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
  *
@@ -447,7 +447,8 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 	if (!x509_vfy_check_revocation(ctx->xsc))
 		goto err;
 
-	if (!x509_vfy_check_policy(ctx->xsc))
+	if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
+	    !x509_vfy_check_policy(ctx->xsc))
 		goto err;
 
 	ret = 1;
-- 
cgit v1.2.3-55-g6feb