From c62816f0000efa6671594eaf26ec94fcb331e2b2 Mon Sep 17 00:00:00 2001
From: beck
Date: Tue, 17 Jan 2023 23:49:28 +0000
Subject: [PATCH] Don't do policy checking unless we were asked to do so. ok tb@
---
 lib/libcrypto/x509/x509_verify.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/libcrypto/x509/x509_verify.c b/lib/libcrypto/x509/x509_verify.c
index e85c3a64d6f..5891bd8df38 100644
--- a/lib/libcrypto/x509/x509_verify.c
+++ b/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.61 2022/10/17 18:56:54 jsing Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.62 2023/01/17 23:49:28 beck Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck
 *
@@ -447,7 +447,8 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx,
 if (!x509_vfy_check_revocation(ctx->xsc))
 goto err;
- if (!x509_vfy_check_policy(ctx->xsc))
+ if (ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK &&
+ !x509_vfy_check_policy(ctx->xsc))
 goto err;
 ret = 1;
--
2.20.1
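Review bot: The new condition in x509_verify_ctx_validate_legacy_chain mixes `&` and `&&` without parentheses and has no comment saying why policy checking became conditional. Precedence makes it evaluate as intended, but `if ((ctx->xsc->param->flags & X509_V_FLAG_POLICY_CHECK) &&` reads unambiguously on a certificate-verification path. Because a cleared flag now skips x509_vfy_check_policy entirely, a comment such as `/* Policy processing is opt-in: run it only when X509_V_FLAG_POLICY_CHECK is set. */` would record that this is deliberate. It is also worth confirming, outside this hunk, that every way a caller can request policy constraints also sets that flag, since otherwise those constraints would go unenforced without any error. The function body starts and ends outside the hunk.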