From 1a5bd4cb78097710de5283a737286c1b65609dc7 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 14 Apr 2023 15:27:13 +0000
Subject: Drop policy printing from openssl

Nothing really uses the policy tree. It's desgined with built-in DoS capabilities directly from the RFC. It will be removed from the attack surface and replaced with something equivalent that doesn't grow exponentially with the depth. This removes the only reason the policy tree itself ever leaked out of the library.

ok jsing
---
 src/usr.bin/openssl/smime.c | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

(limited to 'src/usr.bin/openssl/smime.c')

diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index e54c8d0b84..46bfa08679 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.19 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -70,7 +70,6 @@
 #include
 
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int smime_cb(int ok, X509_STORE_CTX *ctx);
 
 #define SMIME_OP 0x10
 #define SMIME_IP 0x20
@@ -933,7 +932,6 @@ smime_main(int argc, char **argv)
 
 if ((store = setup_verify(bio_err, cfg.CAfile, cfg.CApath)) == NULL)
 goto end;
-X509_STORE_set_verify_cb(store, smime_cb);
 if (cfg.vpm != NULL) {
 if (!X509_STORE_set1_param(store, cfg.vpm))
 goto end;
@@ -1103,20 +1101,3 @@ save_certs(char *signerfile, STACK_OF(X509) *signers)
 
 return 1;
 }
-
-/* Minimal callback just to output policy info (if any) */
-static int
-smime_cb(int ok, X509_STORE_CTX *ctx)
-{
- int error;
-
- error = X509_STORE_CTX_get_error(ctx);
-
- if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
- ((error != X509_V_OK) || (ok != 2)))
- return ok;
-
- policies_print(NULL, ctx);
-
- return ok;
-}
-- cgit v1.2.3-55-g6feb