author | tb <> | 2023-04-14 15:27:13 +0000 |
---|---|---|
committer | tb <> | 2023-04-14 15:27:13 +0000 |
commit | 1a5bd4cb78097710de5283a737286c1b65609dc7 (patch) | |
tree | 7aed66c51404da4ea67dbb87b6191ab6c0e9a5ee /src/usr.bin/openssl/cms.c | |
parent | be3f11b57177567c1f951c5428261d6d8d9ee729 (diff) | |
Drop policy printing from openssl
Nothing really uses the policy tree. It's designed with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.
This removes the only reason the policy tree itself ever leaked out of
the library.
ok jsing
Diffstat (limited to 'src/usr.bin/openssl/cms.c')
-rw-r--r-- | src/usr.bin/openssl/cms.c | 24 |
1 files changed, 1 insertions, 23 deletions
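diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index 0ddf26e5a7..121a413a21 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.33 2023/03/06 14:32:05 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.34 2023/04/14 15:27:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -69,7 +69,6 @@
 #include <openssl/cms.h>
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int cms_cb(int ok, X509_STORE_CTX *ctx);
 static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(
 STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
@@ -1442,7 +1441,6 @@ cms_main(int argc, char **argv)
 if ((store = setup_verify(bio_err, cfg.CAfile,
 cfg.CApath)) == NULL)
 goto end;
-X509_STORE_set_verify_cb(store, cms_cb);
 if (cfg.vpm != NULL) {
 if (!X509_STORE_set1_param(store, cfg.vpm))
 goto end;
@@ -1804,26 +1802,6 @@ save_certs(char *signerfile, STACK_OF(X509) *signers)
 return 1;
 }
 
-/* Minimal callback just to output policy info (if any) */
-
-static int
-cms_cb(int ok, X509_STORE_CTX *ctx)
-{
-int error;
-
-error = X509_STORE_CTX_get_error(ctx);
-
-verify_err = error;
-
-if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
-((error != X509_V_OK) || (ok != 2)))
-return ok;
-
-policies_print(NULL, ctx);
-
-return ok;
-}
-
 static void
 gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
 {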
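Review bot: The removed cms_cb did more than print policies: the line `verify_err = error;` in the deleted body was the only place this callback recorded the X509_STORE_CTX verification error into the file-scope `verify_err`, and with `X509_STORE_set_verify_cb(store, cms_cb)` gone from cms_main nothing in these hunks assigns it any more. If cms.c still reads `verify_err` elsewhere (OpenSSL's cms.c used it to build the `-verify_retcode` exit status after a failed CMS_verify), that path now reports a stale or zero error code regardless of why verification failed; the reader of `verify_err` is outside these hunks, so this needs confirming against the rest of the file. If it is still read, keep a minimal callback that only records the error, `static int cms_cb(int ok, X509_STORE_CTX *ctx) { verify_err = X509_STORE_CTX_get_error(ctx); return ok; }`, and restore the `X509_STORE_set_verify_cb(store, cms_cb);` line in cms_main; if it is not, the `verify_err` definition should go in the same commit so it does not linger as dead state. cms_main's body starts and ends outside the hunk at -1442.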