Drop policy printing from openssl

Nothing really uses the policy tree. It's desgined with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.

This removes the only reason the policy tree itself ever leaked out of
the library.

ok jsing

1 files changed, 1 insertions, 4 deletions

diff --git a/src/usr.bin/openssl/s_cb.c b/src/usr.bin/openssl/s_cb.c
index 73f45c25c5..d503b8cf27 100644
--- a/src/usr.bin/openssl/s_cb.c
+++ b/src/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.20 2022/08/31 07:12:30 tb Exp $ */
+/* $OpenBSD: s_cb.c,v 1.21 2023/04/14 15:27:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -189,11 +189,8 @@ verify_callback(int ok, X509_STORE_CTX * ctx)
                 BIO_printf(bio_err, "\n");
                 break;
         case X509_V_ERR_NO_EXPLICIT_POLICY:
-                policies_print(bio_err, ctx);
                 break;
         }
-        if (err == X509_V_OK && ok == 2)
-                policies_print(bio_err, ctx);
 
         BIO_printf(bio_err, "verify return:%d\n", ok);
         return (ok);