From owner-svn-src-head@freebsd.org  Wed Jul  1 00:59:29 2020
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3963A359BD4;
 Wed,  1 Jul 2020 00:59:29 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 49xND10TG6z48yD;
 Wed,  1 Jul 2020 00:59:29 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E435720B6E;
 Wed,  1 Jul 2020 00:59:28 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0610xSnJ050329;
 Wed, 1 Jul 2020 00:59:28 GMT (envelope-from cem@FreeBSD.org)
Received: (from cem@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0610xSZL050327;
 Wed, 1 Jul 2020 00:59:28 GMT (envelope-from cem@FreeBSD.org)
Message-Id: <202007010059.0610xSZL050327@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org
 using -f
From: Conrad Meyer <cem@FreeBSD.org>
Date: Wed, 1 Jul 2020 00:59:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r362818 - in head/secure/lib: libcrypto libssl
X-SVN-Group: head
X-SVN-Commit-Author: cem
X-SVN-Commit-Paths: in head/secure/lib: libcrypto libssl
X-SVN-Commit-Revision: 362818
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 00:59:29 -0000

Author: cem
Date: Wed Jul  1 00:59:28 2020
New Revision: 362818
URL: https://svnweb.freebsd.org/changeset/base/362818

Log:
  Replace OPENSSL_NO_SSL3_METHODs with dummies
  
  SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
  should not have shipped in FreeBSD 11 (2016) or 12 (2018).  No one should use
  it, and if they must, they can use some implementation outside of base.
  
  There are three symbols removed with OPENSSL_NO_SSL3_METHOD:
  
  SSLv3_client_method
  SSLv3_method
  SSLv3_server_method
  
  These symbols exist to request an explicit SSLv3 connection to a server.
  There is no good reason for an application to link or invoke these symbols
  instead of TLS_method(), et al (née SSLv23_method, et al).  Applications
  that do so have broken cryptography.
  
  Define these symbols for some pedantic definition of ABI stability, but
  remove the functionality again (r361392) after r362620.
  
  Reviewed by:	gordon, jhb (earlier-but-equivalent version both)
  Discussed with:	bjk, kib
  Differential Revision:	https://reviews.freebsd.org/D25493

Added:
  head/secure/lib/libssl/dummy_abi.c   (contents, props changed)
Modified:
  head/secure/lib/libcrypto/opensslconf.h.in
  head/secure/lib/libssl/Makefile

Modified: head/secure/lib/libcrypto/opensslconf.h.in
==============================================================================
--- head/secure/lib/libcrypto/opensslconf.h.in	Wed Jul  1 00:33:16 2020	(r362817)
+++ head/secure/lib/libcrypto/opensslconf.h.in	Wed Jul  1 00:59:28 2020	(r362818)
@@ -79,6 +79,9 @@ extern "C" {
 #ifndef OPENSSL_NO_SSL3
 # define OPENSSL_NO_SSL3
 #endif
+#ifndef OPENSSL_NO_SSL3_METHOD
+# define OPENSSL_NO_SSL3_METHOD
+#endif
 #ifndef OPENSSL_NO_UBSAN
 # define OPENSSL_NO_UBSAN
 #endif

Modified: head/secure/lib/libssl/Makefile
==============================================================================
--- head/secure/lib/libssl/Makefile	Wed Jul  1 00:33:16 2020	(r362817)
+++ head/secure/lib/libssl/Makefile	Wed Jul  1 00:59:28 2020	(r362818)
@@ -22,6 +22,8 @@ SRCS+=	ssl3_record.c ssl3_record_tls13.c
 SRCS+=	extensions.c extensions_clnt.c extensions_cust.c extensions_srvr.c
 SRCS+=	statem.c statem_clnt.c statem_dtls.c statem_lib.c statem_srvr.c
 
+SRCS+=	dummy_abi.c
+
 LIBADD=	crypto
 
 CFLAGS+=	-I${LCRYPTO_SRC}/ssl

Added: head/secure/lib/libssl/dummy_abi.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/secure/lib/libssl/dummy_abi.c	Wed Jul  1 00:59:28 2020	(r362818)
@@ -0,0 +1,46 @@
+/* This file is in the public domain. */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <openssl/ssl.h>
+
+static inline void
+__SSLv3_dummy_method_impl(void)
+{
+	static const char warning[] = "SSLv3 use is deprecated.\n";
+	static bool once = false;
+
+	if (once)
+		return;
+
+	once = true;
+	write(STDERR_FILENO, warning, sizeof(warning) - 1);
+}
+
+const SSL_METHOD *
+__SSLv3_method_fbsd12(void)
+{
+	__SSLv3_dummy_method_impl();
+	return (NULL);
+}
+__sym_compat(SSLv3_method, __SSLv3_method_fbsd12, OPENSSL_1_1_0);
+
+const SSL_METHOD *
+__SSLv3_client_method_fbsd12(void)
+{
+	__SSLv3_dummy_method_impl();
+	return (NULL);
+}
+__sym_compat(SSLv3_client_method, __SSLv3_client_method_fbsd12, OPENSSL_1_1_0);
+
+const SSL_METHOD *
+__SSLv3_server_method_fbsd12(void)
+{
+	__SSLv3_dummy_method_impl();
+	return (NULL);
+}
+__sym_compat(SSLv3_server_method, __SSLv3_server_method_fbsd12, OPENSSL_1_1_0);