From 1a5bd4cb78097710de5283a737286c1b65609dc7 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 14 Apr 2023 15:27:13 +0000
Subject: Drop policy printing from openssl Nothing really uses the policy tree. It's desgined with built-in DoS capabilities directly from the RFC. It will be removed from the attack surface and replaced with something equivalent that doesn't grow exponentially with the depth. This removes the only reason the policy tree itself ever leaked out of the library. ok jsing
---
src/usr.bin/openssl/apps.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'src/usr.bin/openssl/apps.h')
diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h
index f4fa5361a7..82e0662c88 100644
--- a/src/usr.bin/openssl/apps.h
+++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.31 2022/01/10 12:17:49 tb Exp $ */
+/* $OpenBSD: apps.h,v 1.32 2023/04/14 15:27:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -237,7 +237,6 @@ int parse_yesno(const char *str, int def);
 X509_NAME *parse_name(char *str, long chtype, int multirdn);
 int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
-void policies_print(BIO *out, X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
 int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname,
--
cgit v1.2.3-55-g6feb