From b095c3c5a1f9e1ca6df4f040af58aa1e778537bf Mon Sep 17 00:00:00 2001 From: tb <> Date: Wed, 26 Apr 2023 20:43:32 +0000 Subject: Take X509_POLICY_NODE_print() behind the barn This used to be public API but is now only used for debug code that has certainly never been used since it was released to the public. It drags that debug nonsense with it. ok beck --- src/lib/libcrypto/Symbols.namespace | 1 - src/lib/libcrypto/hidden/openssl/x509v3.h | 3 +- src/lib/libcrypto/x509/pcy_tree.c | 74 +------------------------------ src/lib/libcrypto/x509/x509_cpols.c | 25 +---------- 4 files changed, 3 insertions(+), 100 deletions(-) (limited to 'src')
diff --git a/src/lib/libcrypto/Symbols.namespace b/src/lib/libcrypto/Symbols.namespace
index f477c4d6ce..4320731af3 100644
--- a/src/lib/libcrypto/Symbols.namespace
+++ b/src/lib/libcrypto/Symbols.namespace
@@ -837,7 +837,6 @@ _libre_a2i_IPADDRESS
 _libre_a2i_IPADDRESS_NC
 _libre_a2i_ipadd
 _libre_X509V3_NAME_from_section
-_libre_X509_POLICY_NODE_print
 _libre_ASRange_new
 _libre_ASRange_free
 _libre_d2i_ASRange
diff --git a/src/lib/libcrypto/hidden/openssl/x509v3.h b/src/lib/libcrypto/hidden/openssl/x509v3.h
index 044b55334d..e63b91afdb 100644
--- a/src/lib/libcrypto/hidden/openssl/x509v3.h
+++ b/src/lib/libcrypto/hidden/openssl/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.2 2023/04/25 18:48:32 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.3 2023/04/26 20:43:32 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck
 *
@@ -213,7 +213,6 @@ LCRYPTO_USED(a2i_IPADDRESS);
 LCRYPTO_USED(a2i_IPADDRESS_NC);
 LCRYPTO_USED(a2i_ipadd);
 LCRYPTO_USED(X509V3_NAME_from_section);
-LCRYPTO_USED(X509_POLICY_NODE_print);
 LCRYPTO_USED(ASRange_new);
 LCRYPTO_USED(ASRange_free);
 LCRYPTO_USED(d2i_ASRange);
diff --git a/src/lib/libcrypto/x509/pcy_tree.c b/src/lib/libcrypto/x509/pcy_tree.c
index eb3c427a3a..4f253e3cd1 100644
--- a/src/lib/libcrypto/x509/pcy_tree.c
+++ b/src/lib/libcrypto/x509/pcy_tree.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_tree.c,v 1.7 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.8 2023/04/26 20:43:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -64,74 +64,6 @@
 #include "pcy_int.h"
 #include "x509_local.h"
 
-/* Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
-
-/*#define OPENSSL_POLICY_DEBUG*/
-
-#ifdef OPENSSL_POLICY_DEBUG
-
-static void
-expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
- int indent)
-{
- if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
- !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
- BIO_puts(err, " Not Mapped\n");
- else {
- int i;
- STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
- ASN1_OBJECT *oid;
- BIO_puts(err, " Expected: ");
- for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
- oid = sk_ASN1_OBJECT_value(pset, i);
- if (i)
- BIO_puts(err, ", ");
- i2a_ASN1_OBJECT(err, oid);
- }
- BIO_puts(err, "\n");
- }
-}
-
-static void
-tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
- X509_POLICY_LEVEL *plev;
- X509_POLICY_NODE *node;
- int i;
- BIO *err;
-
- if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL)
- return;
-
- if (!curr)
- curr = tree->levels + tree->nlevel;
- else
- curr++;
- BIO_printf(err, "Level print after %s\n", str);
- BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
- for (plev = tree->levels; plev != curr; plev++) {
- BIO_printf(err, "Level %ld, flags = %x\n",
- plev - tree->levels, plev->flags);
- for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(plev->nodes, i);
- X509_POLICY_NODE_print(err, node, 2);
- expected_print(err, plev, node, 2);
- BIO_printf(err, " Flags: %x\n", node->data->flags);
- }
- if (plev->anyPolicy)
- X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
- }
-
- BIO_free(err);
-}
-#else
-
-#define tree_print(a,b,c) /* */
-
-#endif
-
 /* Initialize policy tree. Return values:
 * 0 Some internal error occurred.
 * -1 Inconsistent or invalid extensions in certificates.
@@ -615,7 +547,6 @@ tree_evaluate(X509_POLICY_TREE *tree)
 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
 !tree_link_any(curr, cache, tree))
 return 0;
- tree_print("before tree_prune()", tree, curr);
 ret = tree_prune(tree, curr);
 if (ret != 1)
 return ret;
@@ -726,9 +657,6 @@ X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 if (!tree)
 goto error;
 ret = tree_evaluate(tree);
-
- tree_print("tree_evaluate()", tree, NULL);
-
 if (ret <= 0)
 goto error;
 
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index bac0209371..bb09034ce0 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.9 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.10 2023/04/26 20:43:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -65,9 +65,6 @@
 #include
 #include
 
-#ifndef LIBRESSL_HAS_POLICY_DAG
-#include "pcy_int.h"
-#endif
 #include "x509_local.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
@@ -767,23 +764,3 @@ print_notice(BIO *out, USERNOTICE *notice, int indent)
 BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
 notice->exptext->length, notice->exptext->data);
 }
-
-#ifndef LIBRESSL_HAS_POLICY_DAG
-void
-X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
-{
- const X509_POLICY_DATA *dat = node->data;
-
- BIO_printf(out, "%*sPolicy: ", indent, "");
-
- i2a_ASN1_OBJECT(out, dat->valid_policy);
- BIO_puts(out, "\n");
- BIO_printf(out, "%*s%s\n", indent + 2, "",
- node_data_critical(dat) ? "Critical" : "Non Critical");
- if (dat->qualifier_set)
- print_qualifiers(out, dat->qualifier_set, indent + 2);
- else
- BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
-}
-LCRYPTO_ALIAS(X509_POLICY_NODE_print);
-#endif
-- cgit v1.2.3-55-g6feb