Drop policy printing from openssl

Nothing really uses the policy tree. It's desgined with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.

This removes the only reason the policy tree itself ever leaked out of
the library.

ok jsing

1 files changed, 1 insertions, 20 deletions

diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index e54c8d0b84..46bfa08679 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.19 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -70,7 +70,6 @@
 #include <openssl/x509v3.h>
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int smime_cb(int ok, X509_STORE_CTX *ctx);
 
 #define SMIME_OP        0x10
 #define SMIME_IP        0x20
@@ -933,7 +932,6 @@ smime_main(int argc, char **argv)
                 if ((store = setup_verify(bio_err, cfg.CAfile,
                     cfg.CApath)) == NULL)
                         goto end;
-                X509_STORE_set_verify_cb(store, smime_cb);
                 if (cfg.vpm != NULL) {
                         if (!X509_STORE_set1_param(store, cfg.vpm))
                                 goto end;
@@ -1103,20 +1101,3 @@ save_certs(char *signerfile, STACK_OF(X509) *signers)
 
         return 1;
 }
-
-/* Minimal callback just to output policy info (if any) */
-static int
-smime_cb(int ok, X509_STORE_CTX *ctx)
-{
-        int error;
-
-        error = X509_STORE_CTX_get_error(ctx);
-
-        if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
-            ((error != X509_V_OK) || (ok != 2)))
-                return ok;
-
-        policies_print(NULL, ctx);
-
-        return ok;
-}