Drop policy printing from openssl

Nothing really uses the policy tree. It's desgined with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.

This removes the only reason the policy tree itself ever leaked out of
the library.

ok jsing

6 files changed, 6 insertions, 95 deletions

diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c
index fd13371f5d..592a68980a 100644
--- a/src/usr.bin/openssl/apps.c
+++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.62 2022/01/10 12:17:49 tb Exp $ */
+/* $OpenBSD: apps.c,v 1.63 2023/04/14 15:27:13 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -1951,47 +1951,6 @@ pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
         return rv;
 }
 
-static void
-nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
-{
-        X509_POLICY_NODE *node;
-        int i;
-
-        BIO_printf(out, "%s Policies:", name);
-        if (nodes) {
-                BIO_puts(out, "\n");
-                for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
-                        node = sk_X509_POLICY_NODE_value(nodes, i);
-                        X509_POLICY_NODE_print(out, node, 2);
-                }
-        } else
-                BIO_puts(out, " <empty>\n");
-}
-
-void
-policies_print(BIO *out, X509_STORE_CTX *ctx)
-{
-        X509_POLICY_TREE *tree;
-        int explicit_policy;
-        int free_out = 0;
-
-        if (out == NULL) {
-                out = BIO_new_fp(stderr, BIO_NOCLOSE);
-                free_out = 1;
-        }
-        tree = X509_STORE_CTX_get0_policy_tree(ctx);
-        explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
-
-        BIO_printf(out, "Require explicit Policy: %s\n",
-            explicit_policy ? "True" : "False");
-
-        nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
-        nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
-
-        if (free_out)
-                BIO_free(out);
-}
-
 /*
  * next_protos_parse parses a comma separated list of strings into a string
  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h
index f4fa5361a7..82e0662c88 100644
--- a/src/usr.bin/openssl/apps.h
+++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.31 2022/01/10 12:17:49 tb Exp $ */
+/* $OpenBSD: apps.h,v 1.32 2023/04/14 15:27:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -237,7 +237,6 @@ int parse_yesno(const char *str, int def);
 X509_NAME *parse_name(char *str, long chtype, int multirdn);
 int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
     X509_VERIFY_PARAM **pm);
-void policies_print(BIO *out, X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
 int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname,
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index 0ddf26e5a7..121a413a21 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.33 2023/03/06 14:32:05 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.34 2023/04/14 15:27:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -69,7 +69,6 @@
 #include <openssl/cms.h>
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int cms_cb(int ok, X509_STORE_CTX *ctx);
 static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(
     STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
@@ -1442,7 +1441,6 @@ cms_main(int argc, char **argv)
                 if ((store = setup_verify(bio_err, cfg.CAfile,
                     cfg.CApath)) == NULL)
                         goto end;
-                X509_STORE_set_verify_cb(store, cms_cb);
                 if (cfg.vpm != NULL) {
                         if (!X509_STORE_set1_param(store, cfg.vpm))
                                 goto end;
@@ -1804,26 +1802,6 @@ save_certs(char *signerfile, STACK_OF(X509) *signers)
         return 1;
 }
 
-/* Minimal callback just to output policy info (if any) */
-
-static int
-cms_cb(int ok, X509_STORE_CTX *ctx)
-{
-        int error;
-
-        error = X509_STORE_CTX_get_error(ctx);
-
-        verify_err = error;
-
-        if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
-            ((error != X509_V_OK) || (ok != 2)))
-                return ok;
-
-        policies_print(NULL, ctx);
-
-        return ok;
-}
-
 static void
 gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
 {
diff --git a/src/usr.bin/openssl/s_cb.c b/src/usr.bin/openssl/s_cb.c
index 73f45c25c5..d503b8cf27 100644
--- a/src/usr.bin/openssl/s_cb.c
+++ b/src/usr.bin/openssl/s_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_cb.c,v 1.20 2022/08/31 07:12:30 tb Exp $ */
+/* $OpenBSD: s_cb.c,v 1.21 2023/04/14 15:27:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -189,11 +189,8 @@ verify_callback(int ok, X509_STORE_CTX * ctx)
                 BIO_printf(bio_err, "\n");
                 break;
         case X509_V_ERR_NO_EXPLICIT_POLICY:
-                policies_print(bio_err, ctx);
                 break;
         }
-        if (err == X509_V_OK && ok == 2)
-                policies_print(bio_err, ctx);
 
         BIO_printf(bio_err, "verify return:%d\n", ok);
         return (ok);
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index e54c8d0b84..46bfa08679 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.19 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -70,7 +70,6 @@
 #include <openssl/x509v3.h>
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int smime_cb(int ok, X509_STORE_CTX *ctx);
 
 #define SMIME_OP        0x10
 #define SMIME_IP        0x20
@@ -933,7 +932,6 @@ smime_main(int argc, char **argv)
                 if ((store = setup_verify(bio_err, cfg.CAfile,
                     cfg.CApath)) == NULL)
                         goto end;
-                X509_STORE_set_verify_cb(store, smime_cb);
                 if (cfg.vpm != NULL) {
                         if (!X509_STORE_set1_param(store, cfg.vpm))
                                 goto end;
@@ -1103,20 +1101,3 @@ save_certs(char *signerfile, STACK_OF(X509) *signers)
 
         return 1;
 }
-
-/* Minimal callback just to output policy info (if any) */
-static int
-smime_cb(int ok, X509_STORE_CTX *ctx)
-{
-        int error;
-
-        error = X509_STORE_CTX_get_error(ctx);
-
-        if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
-            ((error != X509_V_OK) || (ok != 2)))
-                return ok;
-
-        policies_print(NULL, ctx);
-
-        return ok;
-}
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index b412623991..b4e0f33f6a 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.16 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.17 2023/04/14 15:27:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -427,7 +427,6 @@ cb(int ok, X509_STORE_CTX *ctx)
                     X509_verify_cert_error_string(cert_error));
                 switch (cert_error) {
                 case X509_V_ERR_NO_EXPLICIT_POLICY:
-                        policies_print(NULL, ctx);
                 case X509_V_ERR_CERT_HAS_EXPIRED:
 
                         /*
@@ -452,8 +451,6 @@ cb(int ok, X509_STORE_CTX *ctx)
                 return ok;
 
         }
-        if (cert_error == X509_V_OK && ok == 2)
-                policies_print(NULL, ctx);
         if (!cfg.verbose)
                 ERR_clear_error();
         return (ok);