From d8c45d2137234a476f4bce17bdca3ae5ca8b133b Mon Sep 17 00:00:00 2001 From: tb Date: Fri, 14 Apr 2023 15:27:13 +0000 Subject: [PATCH] Drop policy printing from openssl Nothing really uses the policy tree. It's desgined with built-in DoS capabilities directly from the RFC. It will be removed from the attack surface and replaced with something equivalent that doesn't grow exponentially with the depth. This removes the only reason the policy tree itself ever leaked out of the library. ok jsing --- usr.bin/openssl/apps.c | 43 +--------------------------------------- usr.bin/openssl/apps.h | 3 +-- usr.bin/openssl/cms.c | 24 +--------------------- usr.bin/openssl/s_cb.c | 5 +---- usr.bin/openssl/smime.c | 21 +------------------- usr.bin/openssl/verify.c | 5 +---- 6 files changed, 6 insertions(+), 95 deletions(-) diff --git a/usr.bin/openssl/apps.c b/usr.bin/openssl/apps.c index fd13371f5d3..592a68980a2 100644 --- a/usr.bin/openssl/apps.c +++ b/usr.bin/openssl/apps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.c,v 1.62 2022/01/10 12:17:49 tb Exp $ */ +/* $OpenBSD: apps.c,v 1.63 2023/04/14 15:27:13 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -1951,47 +1951,6 @@ pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value) return rv; } -static void -nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes) -{ - X509_POLICY_NODE *node; - int i; - - BIO_printf(out, "%s Policies:", name); - if (nodes) { - BIO_puts(out, "\n"); - for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { - node = sk_X509_POLICY_NODE_value(nodes, i); - X509_POLICY_NODE_print(out, node, 2); - } - } else - BIO_puts(out, " \n"); -} - -void -policies_print(BIO *out, X509_STORE_CTX *ctx) -{ - X509_POLICY_TREE *tree; - int explicit_policy; - int free_out = 0; - - if (out == NULL) { - out = BIO_new_fp(stderr, BIO_NOCLOSE); - free_out = 1; - } - tree = X509_STORE_CTX_get0_policy_tree(ctx); - explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx); - - BIO_printf(out, "Require explicit Policy: %s\n", - explicit_policy ? "True" : "False"); - - nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree)); - nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree)); - - if (free_out) - BIO_free(out); -} - /* * next_protos_parse parses a comma separated list of strings into a string * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. diff --git a/usr.bin/openssl/apps.h b/usr.bin/openssl/apps.h index f4fa5361a79..82e0662c886 100644 --- a/usr.bin/openssl/apps.h +++ b/usr.bin/openssl/apps.h @@ -1,4 +1,4 @@ -/* $OpenBSD: apps.h,v 1.31 2022/01/10 12:17:49 tb Exp $ */ +/* $OpenBSD: apps.h,v 1.32 2023/04/14 15:27:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -237,7 +237,6 @@ int parse_yesno(const char *str, int def); X509_NAME *parse_name(char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm); -void policies_print(BIO *out, X509_STORE_CTX *ctx); int bio_to_mem(unsigned char **out, int maxlen, BIO *in); int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname, diff --git a/usr.bin/openssl/cms.c b/usr.bin/openssl/cms.c index 0ddf26e5a7f..121a413a213 100644 --- a/usr.bin/openssl/cms.c +++ b/usr.bin/openssl/cms.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms.c,v 1.33 2023/03/06 14:32:05 tb Exp $ */ +/* $OpenBSD: cms.c,v 1.34 2023/04/14 15:27:13 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -69,7 +69,6 @@ #include static int save_certs(char *signerfile, STACK_OF(X509) *signers); -static int cms_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); static CMS_ReceiptRequest *make_receipt_request( STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, @@ -1442,7 +1441,6 @@ cms_main(int argc, char **argv) if ((store = setup_verify(bio_err, cfg.CAfile, cfg.CApath)) == NULL) goto end; - X509_STORE_set_verify_cb(store, cms_cb); if (cfg.vpm != NULL) { if (!X509_STORE_set1_param(store, cfg.vpm)) goto end; @@ -1804,26 +1802,6 @@ save_certs(char *signerfile, STACK_OF(X509) *signers) return 1; } -/* Minimal callback just to output policy info (if any) */ - -static int -cms_cb(int ok, X509_STORE_CTX *ctx) -{ - int error; - - error = X509_STORE_CTX_get_error(ctx); - - verify_err = error; - - if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) && - ((error != X509_V_OK) || (ok != 2))) - return ok; - - policies_print(NULL, ctx); - - return ok; -} - static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns) { diff --git a/usr.bin/openssl/s_cb.c b/usr.bin/openssl/s_cb.c index 73f45c25c5e..d503b8cf27f 100644 --- a/usr.bin/openssl/s_cb.c +++ b/usr.bin/openssl/s_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s_cb.c,v 1.20 2022/08/31 07:12:30 tb Exp $ */ +/* $OpenBSD: s_cb.c,v 1.21 2023/04/14 15:27:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -189,11 +189,8 @@ verify_callback(int ok, X509_STORE_CTX * ctx) BIO_printf(bio_err, "\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(bio_err, ctx); break; } - if (err == X509_V_OK && ok == 2) - policies_print(bio_err, ctx); BIO_printf(bio_err, "verify return:%d\n", ok); return (ok); diff --git a/usr.bin/openssl/smime.c b/usr.bin/openssl/smime.c index e54c8d0b846..46bfa08679c 100644 --- a/usr.bin/openssl/smime.c +++ b/usr.bin/openssl/smime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smime.c,v 1.19 2023/03/06 14:32:06 tb Exp $ */ +/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -70,7 +70,6 @@ #include static int save_certs(char *signerfile, STACK_OF(X509) *signers); -static int smime_cb(int ok, X509_STORE_CTX *ctx); #define SMIME_OP 0x10 #define SMIME_IP 0x20 @@ -933,7 +932,6 @@ smime_main(int argc, char **argv) if ((store = setup_verify(bio_err, cfg.CAfile, cfg.CApath)) == NULL) goto end; - X509_STORE_set_verify_cb(store, smime_cb); if (cfg.vpm != NULL) { if (!X509_STORE_set1_param(store, cfg.vpm)) goto end; @@ -1103,20 +1101,3 @@ save_certs(char *signerfile, STACK_OF(X509) *signers) return 1; } - -/* Minimal callback just to output policy info (if any) */ -static int -smime_cb(int ok, X509_STORE_CTX *ctx) -{ - int error; - - error = X509_STORE_CTX_get_error(ctx); - - if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) && - ((error != X509_V_OK) || (ok != 2))) - return ok; - - policies_print(NULL, ctx); - - return ok; -} diff --git a/usr.bin/openssl/verify.c b/usr.bin/openssl/verify.c index b4126239911..b4e0f33f6a7 100644 --- a/usr.bin/openssl/verify.c +++ b/usr.bin/openssl/verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: verify.c,v 1.16 2023/03/06 14:32:06 tb Exp $ */ +/* $OpenBSD: verify.c,v 1.17 2023/04/14 15:27:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -427,7 +427,6 @@ cb(int ok, X509_STORE_CTX *ctx) X509_verify_cert_error_string(cert_error)); switch (cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(NULL, ctx); case X509_V_ERR_CERT_HAS_EXPIRED: /* @@ -452,8 +451,6 @@ cb(int ok, X509_STORE_CTX *ctx) return ok; } - if (cert_error == X509_V_OK && ok == 2) - policies_print(NULL, ctx); if (!cfg.verbose) ERR_clear_error(); return (ok); -- 2.20.1