Take X509_POLICY_NODE_print() behind the barn

This used to be public API but is now only used for debug code that has
certainly never been used since it was released to the public. It drags
that debug nonsense with it.

ok beck

4 files changed, 3 insertions, 100 deletions

diff --git a/lib/libcrypto/Symbols.namespace b/lib/libcrypto/Symbols.namespace
index f477c4d6cec..4320731af38 100644
--- a/lib/libcrypto/Symbols.namespace
+++ b/lib/libcrypto/Symbols.namespace
@@ -837,7 +837,6 @@ _libre_a2i_IPADDRESS
 _libre_a2i_IPADDRESS_NC
 _libre_a2i_ipadd
 _libre_X509V3_NAME_from_section
-_libre_X509_POLICY_NODE_print
 _libre_ASRange_new
 _libre_ASRange_free
 _libre_d2i_ASRange
diff --git a/lib/libcrypto/hidden/openssl/x509v3.h b/lib/libcrypto/hidden/openssl/x509v3.h
index 044b55334d7..e63b91afdbf 100644
--- a/lib/libcrypto/hidden/openssl/x509v3.h
+++ b/lib/libcrypto/hidden/openssl/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.2 2023/04/25 18:48:32 tb Exp $ */
+/* $OpenBSD: x509v3.h,v 1.3 2023/04/26 20:43:32 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
  *
@@ -213,7 +213,6 @@ LCRYPTO_USED(a2i_IPADDRESS);
 LCRYPTO_USED(a2i_IPADDRESS_NC);
 LCRYPTO_USED(a2i_ipadd);
 LCRYPTO_USED(X509V3_NAME_from_section);
-LCRYPTO_USED(X509_POLICY_NODE_print);
 LCRYPTO_USED(ASRange_new);
 LCRYPTO_USED(ASRange_free);
 LCRYPTO_USED(d2i_ASRange);
diff --git a/lib/libcrypto/x509/pcy_tree.c b/lib/libcrypto/x509/pcy_tree.c
index eb3c427a3a1..4f253e3cd15 100644
--- a/lib/libcrypto/x509/pcy_tree.c
+++ b/lib/libcrypto/x509/pcy_tree.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_tree.c,v 1.7 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.8 2023/04/26 20:43:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -64,74 +64,6 @@
 #include "pcy_int.h"
 #include "x509_local.h"
 
-/* Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
-
-/*#define OPENSSL_POLICY_DEBUG*/
-
-#ifdef OPENSSL_POLICY_DEBUG
-
-static void
-expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
-    int indent)
-{
-	if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
-	    !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
-		BIO_puts(err, "  Not Mapped\n");
-	else {
-		int i;
-		STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
-		ASN1_OBJECT *oid;
-		BIO_puts(err, "  Expected: ");
-		for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
-			oid = sk_ASN1_OBJECT_value(pset, i);
-			if (i)
-				BIO_puts(err, ", ");
-			i2a_ASN1_OBJECT(err, oid);
-		}
-		BIO_puts(err, "\n");
-	}
-}
-
-static void
-tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
-	X509_POLICY_LEVEL *plev;
-	X509_POLICY_NODE *node;
-	int i;
-	BIO *err;
-
-	if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL)
-		return;
-
-	if (!curr)
-		curr = tree->levels + tree->nlevel;
-	else
-		curr++;
-	BIO_printf(err, "Level print after %s\n", str);
-	BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
-	for (plev = tree->levels; plev != curr; plev++) {
-		BIO_printf(err, "Level %ld, flags = %x\n",
-		    plev - tree->levels, plev->flags);
-		for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
-			node = sk_X509_POLICY_NODE_value(plev->nodes, i);
-			X509_POLICY_NODE_print(err, node, 2);
-			expected_print(err, plev, node, 2);
-			BIO_printf(err, "  Flags: %x\n", node->data->flags);
-		}
-		if (plev->anyPolicy)
-			X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
-	}
-
-	BIO_free(err);
-}
-#else
-
-#define tree_print(a,b,c) /* */
-
-#endif
-
 /* Initialize policy tree. Return values:
  *  0 Some internal error occurred.
  * -1 Inconsistent or invalid extensions in certificates.
@@ -615,7 +547,6 @@ tree_evaluate(X509_POLICY_TREE *tree)
 		if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
 		    !tree_link_any(curr, cache, tree))
 			return 0;
-		tree_print("before tree_prune()", tree, curr);
 		ret = tree_prune(tree, curr);
 		if (ret != 1)
 			return ret;
@@ -726,9 +657,6 @@ X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 	if (!tree)
 		goto error;
 	ret = tree_evaluate(tree);
-
-	tree_print("tree_evaluate()", tree, NULL);
-
 	if (ret <= 0)
 		goto error;
 
diff --git a/lib/libcrypto/x509/x509_cpols.c b/lib/libcrypto/x509/x509_cpols.c
index bac02093710..bb09034ce0a 100644
--- a/lib/libcrypto/x509/x509_cpols.c
+++ b/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.9 2023/04/26 19:11:33 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.10 2023/04/26 20:43:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,9 +65,6 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 
-#ifndef LIBRESSL_HAS_POLICY_DAG
-#include "pcy_int.h"
-#endif
 #include "x509_local.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
@@ -767,23 +764,3 @@ print_notice(BIO *out, USERNOTICE *notice, int indent)
 		BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
 		    notice->exptext->length, notice->exptext->data);
 }
-
-#ifndef LIBRESSL_HAS_POLICY_DAG
-void
-X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
-{
-	const X509_POLICY_DATA *dat = node->data;
-
-	BIO_printf(out, "%*sPolicy: ", indent, "");
-
-	i2a_ASN1_OBJECT(out, dat->valid_policy);
-	BIO_puts(out, "\n");
-	BIO_printf(out, "%*s%s\n", indent + 2, "",
-	    node_data_critical(dat) ? "Critical" : "Non Critical");
-	if (dat->qualifier_set)
-		print_qualifiers(out, dat->qualifier_set, indent + 2);
-	else
-		BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
-}
-LCRYPTO_ALIAS(X509_POLICY_NODE_print);
-#endif