From e2a6bdce4ccbbc673d16acb8bd87d6b1b8fc4f36 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 26 Apr 2023 20:43:32 +0000
Subject: [PATCH] Take X509_POLICY_NODE_print() behind the barn

This used to be public API but is now only used for debug code that has certainly never been used since it was released to the public. It drags that debug nonsense with it.

ok beck
---
 lib/libcrypto/Symbols.namespace | 1 -
 lib/libcrypto/hidden/openssl/x509v3.h | 3 +-
 lib/libcrypto/x509/pcy_tree.c | 74 +--------------------------
 lib/libcrypto/x509/x509_cpols.c | 25 +--------
 4 files changed, 3 insertions(+), 100 deletions(-)

diff --git a/lib/libcrypto/Symbols.namespace b/lib/libcrypto/Symbols.namespace
index f477c4d6cec..4320731af38 100644
--- a/lib/libcrypto/Symbols.namespace
+++ b/lib/libcrypto/Symbols.namespace
@@ -837,7 +837,6 @@ _libre_a2i_IPADDRESS
 _libre_a2i_IPADDRESS_NC
 _libre_a2i_ipadd
 _libre_X509V3_NAME_from_section
-_libre_X509_POLICY_NODE_print
 _libre_ASRange_new
 _libre_ASRange_free
 _libre_d2i_ASRange
diff --git a/lib/libcrypto/hidden/openssl/x509v3.h b/lib/libcrypto/hidden/openssl/x509v3.h
index 044b55334d7..e63b91afdbf 100644
--- a/lib/libcrypto/hidden/openssl/x509v3.h
+++ b/lib/libcrypto/hidden/openssl/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.2 2023/04/25 18:48:32 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.3 2023/04/26 20:43:32 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck
 *
@@ -213,7 +213,6 @@ LCRYPTO_USED(a2i_IPADDRESS);
 LCRYPTO_USED(a2i_IPADDRESS_NC);
 LCRYPTO_USED(a2i_ipadd);
 LCRYPTO_USED(X509V3_NAME_from_section);
-LCRYPTO_USED(X509_POLICY_NODE_print);
 LCRYPTO_USED(ASRange_new);
 LCRYPTO_USED(ASRange_free);
 LCRYPTO_USED(d2i_ASRange);
diff --git a/lib/libcrypto/x509/pcy_tree.c b/lib/libcrypto/x509/pcy_tree.c
index eb3c427a3a1..4f253e3cd15 100644
--- a/lib/libcrypto/x509/pcy_tree.c
+++ b/lib/libcrypto/x509/pcy_tree.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_tree.c,v 1.7 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.8 2023/04/26 20:43:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -64,74 +64,6 @@
 #include "pcy_int.h"
 #include "x509_local.h"

-/* Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
-
-/*#define OPENSSL_POLICY_DEBUG*/
-
-#ifdef OPENSSL_POLICY_DEBUG
-
-static void
-expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
- int indent)
-{
- if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
- !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
- BIO_puts(err, " Not Mapped\n");
- else {
- int i;
- STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
- ASN1_OBJECT *oid;
- BIO_puts(err, " Expected: ");
- for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
- oid = sk_ASN1_OBJECT_value(pset, i);
- if (i)
- BIO_puts(err, ", ");
- i2a_ASN1_OBJECT(err, oid);
- }
- BIO_puts(err, "\n");
- }
-}
-
-static void
-tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
- X509_POLICY_LEVEL *plev;
- X509_POLICY_NODE *node;
- int i;
- BIO *err;
-
- if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL)
- return;
-
- if (!curr)
- curr = tree->levels + tree->nlevel;
- else
- curr++;
- BIO_printf(err, "Level print after %s\n", str);
- BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
- for (plev = tree->levels; plev != curr; plev++) {
- BIO_printf(err, "Level %ld, flags = %x\n",
- plev - tree->levels, plev->flags);
- for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
- node = sk_X509_POLICY_NODE_value(plev->nodes, i);
- X509_POLICY_NODE_print(err, node, 2);
- expected_print(err, plev, node, 2);
- BIO_printf(err, " Flags: %x\n", node->data->flags);
- }
- if (plev->anyPolicy)
- X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
- }
-
- BIO_free(err);
-}
-#else
-
-#define tree_print(a,b,c) /* */
-
-#endif
-
 /* Initialize policy tree. Return values:
 * 0 Some internal error occurred.
 * -1 Inconsistent or invalid extensions in certificates.
@@ -615,7 +547,6 @@ tree_evaluate(X509_POLICY_TREE *tree)
 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
 !tree_link_any(curr, cache, tree))
 return 0;
- tree_print("before tree_prune()", tree, curr);
 ret = tree_prune(tree, curr);
 if (ret != 1)
 return ret;
@@ -726,9 +657,6 @@ X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 if (!tree)
 goto error;
 ret = tree_evaluate(tree);
-
- tree_print("tree_evaluate()", tree, NULL);
-
 if (ret <= 0)
 goto error;

diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c
index bac02093710..bb09034ce0a 100644
--- a/lib/libcrypto/x509/x509_cpols.c
+++ b/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.9 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.10 2023/04/26 20:43:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -65,9 +65,6 @@
 #include
 #include

-#ifndef LIBRESSL_HAS_POLICY_DAG
-#include "pcy_int.h"
-#endif
 #include "x509_local.h"

 /* Certificate policies extension support: this one is a bit complex... */
@@ -767,23 +764,3 @@ print_notice(BIO *out, USERNOTICE *notice, int indent)
 BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
 notice->exptext->length, notice->exptext->data);
 }
-
-#ifndef LIBRESSL_HAS_POLICY_DAG
-void
-X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
-{
- const X509_POLICY_DATA *dat = node->data;
-
- BIO_printf(out, "%*sPolicy: ", indent, "");
-
- i2a_ASN1_OBJECT(out, dat->valid_policy);
- BIO_puts(out, "\n");
- BIO_printf(out, "%*s%s\n", indent + 2, "",
- node_data_critical(dat) ? "Critical" : "Non Critical");
- if (dat->qualifier_set)
- print_qualifiers(out, dat->qualifier_set, indent + 2);
- else
- BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
-}
-LCRYPTO_ALIAS(X509_POLICY_NODE_print);
-#endif
-- 
2.20.1