From 1a5bd4cb78097710de5283a737286c1b65609dc7 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 14 Apr 2023 15:27:13 +0000
Subject: Drop policy printing from openssl

Nothing really uses the policy tree. It's desgined with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.

This removes the only reason the policy tree itself ever leaked out of
the library.

ok jsing
---
 src/usr.bin/openssl/verify.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'src/usr.bin/openssl/verify.c')

diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index b412623991..b4e0f33f6a 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.16 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.17 2023/04/14 15:27:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -427,7 +427,6 @@ cb(int ok, X509_STORE_CTX *ctx)
 		    X509_verify_cert_error_string(cert_error));
 		switch (cert_error) {
 		case X509_V_ERR_NO_EXPLICIT_POLICY:
-			policies_print(NULL, ctx);
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 
 			/*
@@ -452,8 +451,6 @@ cb(int ok, X509_STORE_CTX *ctx)
 		return ok;
 
 	}
-	if (cert_error == X509_V_OK && ok == 2)
-		policies_print(NULL, ctx);
 	if (!cfg.verbose)
 		ERR_clear_error();
 	return (ok);
-- 
cgit v1.2.3-55-g6feb