-/* $OpenBSD: apps.c,v 1.62 2022/01/10 12:17:49 tb Exp $ */
+/* $OpenBSD: apps.c,v 1.63 2023/04/14 15:27:13 tb Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
return rv;
}
-static void
-nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
-{
- X509_POLICY_NODE *node;
- int i;
-
- BIO_printf(out, "%s Policies:", name);
- if (nodes) {
- BIO_puts(out, "\n");
- for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
- node = sk_X509_POLICY_NODE_value(nodes, i);
- X509_POLICY_NODE_print(out, node, 2);
- }
- } else
- BIO_puts(out, " <empty>\n");
-}
-
-void
-policies_print(BIO *out, X509_STORE_CTX *ctx)
-{
- X509_POLICY_TREE *tree;
- int explicit_policy;
- int free_out = 0;
-
- if (out == NULL) {
- out = BIO_new_fp(stderr, BIO_NOCLOSE);
- free_out = 1;
- }
- tree = X509_STORE_CTX_get0_policy_tree(ctx);
- explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
-
- BIO_printf(out, "Require explicit Policy: %s\n",
- explicit_policy ? "True" : "False");
-
- nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
- nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
-
- if (free_out)
- BIO_free(out);
-}
-
/*
* next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
-/* $OpenBSD: apps.h,v 1.31 2022/01/10 12:17:49 tb Exp $ */
+/* $OpenBSD: apps.h,v 1.32 2023/04/14 15:27:13 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
X509_NAME *parse_name(char *str, long chtype, int multirdn);
int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
X509_VERIFY_PARAM **pm);
-void policies_print(BIO *out, X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname,
-/* $OpenBSD: cms.c,v 1.33 2023/03/06 14:32:05 tb Exp $ */
+/* $OpenBSD: cms.c,v 1.34 2023/04/14 15:27:13 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
#include <openssl/cms.h>
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int cms_cb(int ok, X509_STORE_CTX *ctx);
static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
static CMS_ReceiptRequest *make_receipt_request(
STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
if ((store = setup_verify(bio_err, cfg.CAfile,
cfg.CApath)) == NULL)
goto end;
- X509_STORE_set_verify_cb(store, cms_cb);
if (cfg.vpm != NULL) {
if (!X509_STORE_set1_param(store, cfg.vpm))
goto end;
return 1;
}
-/* Minimal callback just to output policy info (if any) */
-
-static int
-cms_cb(int ok, X509_STORE_CTX *ctx)
-{
- int error;
-
- error = X509_STORE_CTX_get_error(ctx);
-
- verify_err = error;
-
- if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
- ((error != X509_V_OK) || (ok != 2)))
- return ok;
-
- policies_print(NULL, ctx);
-
- return ok;
-}
-
static void
gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns)
{
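Review bot: Deleting `cms_cb` also drops its `verify_err = error;` assignment, which is unrelated to the policy printing this commit removes. No other writer of `verify_err` is visible on this page, so if cms.c still reads it after a failed verification (for instance to derive an exit status), it would keep its initial value and every verification failure would look the same to a calling script. Either keep the `X509_STORE_set_verify_cb(store, cms_cb);` registration with the callback body reduced to `verify_err = X509_STORE_CTX_get_error(ctx);` and `return ok;`, or remove `verify_err` and its readers in the same change. The declaration and any uses of `verify_err` lie outside the lines shown, so this needs checking against the full file.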
-/* $OpenBSD: s_cb.c,v 1.20 2022/08/31 07:12:30 tb Exp $ */
+/* $OpenBSD: s_cb.c,v 1.21 2023/04/14 15:27:13 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
- policies_print(bio_err, ctx);
break;
}
- if (err == X509_V_OK && ok == 2)
- policies_print(bio_err, ctx);
BIO_printf(bio_err, "verify return:%d\n", ok);
return (ok);
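Review bot: `case X509_V_ERR_NO_EXPLICIT_POLICY:` is left with only `break;` under it, so the label now reads as if its handler went missing. If the switch has no `default:` arm (its start is outside this hunk), the label and its `break;` can simply be deleted. Otherwise keep it and state the intent, for example `/* policy tree is no longer printed; nothing extra to report */`. The enclosing callback begins above the hunk and its closing brace is not shown.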
-/* $OpenBSD: smime.c,v 1.19 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
#include <openssl/x509v3.h>
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
-static int smime_cb(int ok, X509_STORE_CTX *ctx);
#define SMIME_OP 0x10
#define SMIME_IP 0x20
if ((store = setup_verify(bio_err, cfg.CAfile,
cfg.CApath)) == NULL)
goto end;
- X509_STORE_set_verify_cb(store, smime_cb);
if (cfg.vpm != NULL) {
if (!X509_STORE_set1_param(store, cfg.vpm))
goto end;
return 1;
}
-
-/* Minimal callback just to output policy info (if any) */
-static int
-smime_cb(int ok, X509_STORE_CTX *ctx)
-{
- int error;
-
- error = X509_STORE_CTX_get_error(ctx);
-
- if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) &&
- ((error != X509_V_OK) || (ok != 2)))
- return ok;
-
- policies_print(NULL, ctx);
-
- return ok;
-}
-/* $OpenBSD: verify.c,v 1.16 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: verify.c,v 1.17 2023/04/14 15:27:13 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
X509_verify_cert_error_string(cert_error));
switch (cert_error) {
case X509_V_ERR_NO_EXPLICIT_POLICY:
- policies_print(NULL, ctx);
case X509_V_ERR_CERT_HAS_EXPIRED:
/*
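Review bot: With the `policies_print(NULL, ctx);` call gone, `case X509_V_ERR_NO_EXPLICIT_POLICY:` sits directly on top of `case X509_V_ERR_CERT_HAS_EXPIRED:` and shares whatever that group of labels does further down, which is cut off after the comment opener here. The old code already fell through, but the label then had a visible purpose; now a reader cannot tell whether a missing explicit policy is deliberately handled like an expired certificate or is a leftover of the removed call. If the grouping is intended, say so on the label, e.g. `/* handled like the errors below */`; if it is not, drop the label so this error is no longer grouped with them.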
return ok;
}
- if (cert_error == X509_V_OK && ok == 2)
- policies_print(NULL, ctx);
if (!cfg.verbose)
ERR_clear_error();
return (ok);