diff options
| author | tb <> | 2023-04-14 15:27:13 +0000 |
|---|---|---|
| committer | tb <> | 2023-04-14 15:27:13 +0000 |
| commit | 1a5bd4cb78097710de5283a737286c1b65609dc7 (patch) | |
| tree | 7aed66c51404da4ea67dbb87b6191ab6c0e9a5ee /src/usr.bin/openssl/apps.c | |
| parent | be3f11b57177567c1f951c5428261d6d8d9ee729 (diff) | |
| download | openbsd-1a5bd4cb78097710de5283a737286c1b65609dc7.tar.gz openbsd-1a5bd4cb78097710de5283a737286c1b65609dc7.tar.bz2 openbsd-1a5bd4cb78097710de5283a737286c1b65609dc7.zip | |
Drop policy printing from openssl
Nothing really uses the policy tree. It's desgined with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.
This removes the only reason the policy tree itself ever leaked out of
the library.
ok jsing
Diffstat (limited to 'src/usr.bin/openssl/apps.c')
| -rw-r--r-- | src/usr.bin/openssl/apps.c | 43 |
1 files changed, 1 insertions, 42 deletions
diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c index fd13371f5d..592a68980a 100644 --- a/src/usr.bin/openssl/apps.c +++ b/src/usr.bin/openssl/apps.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: apps.c,v 1.62 2022/01/10 12:17:49 tb Exp $ */ | 1 | /* $OpenBSD: apps.c,v 1.63 2023/04/14 15:27:13 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -1951,47 +1951,6 @@ pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value) | |||
| 1951 | return rv; | 1951 | return rv; |
| 1952 | } | 1952 | } |
| 1953 | 1953 | ||
| 1954 | static void | ||
| 1955 | nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes) | ||
| 1956 | { | ||
| 1957 | X509_POLICY_NODE *node; | ||
| 1958 | int i; | ||
| 1959 | |||
| 1960 | BIO_printf(out, "%s Policies:", name); | ||
| 1961 | if (nodes) { | ||
| 1962 | BIO_puts(out, "\n"); | ||
| 1963 | for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { | ||
| 1964 | node = sk_X509_POLICY_NODE_value(nodes, i); | ||
| 1965 | X509_POLICY_NODE_print(out, node, 2); | ||
| 1966 | } | ||
| 1967 | } else | ||
| 1968 | BIO_puts(out, " <empty>\n"); | ||
| 1969 | } | ||
| 1970 | |||
| 1971 | void | ||
| 1972 | policies_print(BIO *out, X509_STORE_CTX *ctx) | ||
| 1973 | { | ||
| 1974 | X509_POLICY_TREE *tree; | ||
| 1975 | int explicit_policy; | ||
| 1976 | int free_out = 0; | ||
| 1977 | |||
| 1978 | if (out == NULL) { | ||
| 1979 | out = BIO_new_fp(stderr, BIO_NOCLOSE); | ||
| 1980 | free_out = 1; | ||
| 1981 | } | ||
| 1982 | tree = X509_STORE_CTX_get0_policy_tree(ctx); | ||
| 1983 | explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx); | ||
| 1984 | |||
| 1985 | BIO_printf(out, "Require explicit Policy: %s\n", | ||
| 1986 | explicit_policy ? "True" : "False"); | ||
| 1987 | |||
| 1988 | nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree)); | ||
| 1989 | nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree)); | ||
| 1990 | |||
| 1991 | if (free_out) | ||
| 1992 | BIO_free(out); | ||
| 1993 | } | ||
| 1994 | |||
| 1995 | /* | 1954 | /* |
| 1996 | * next_protos_parse parses a comma separated list of strings into a string | 1955 | * next_protos_parse parses a comma separated list of strings into a string |
| 1997 | * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. | 1956 | * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. |