Add linker warnings in case SSLv3_{,client,server}_method are referenced.

Use of this symbols proves the existence of a code path willingly using SSLv3,
even with OPENSSL_NO_SSL3 being defined, which hints that it needs fixing.

Discussed with the LibreSSL cabal during c2k15; ok deraadt@

5 files changed, 35 insertions, 5 deletions

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 9a5ef826f6..b739711732 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.120 2015/07/19 07:34:52 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -170,6 +170,12 @@
 
 #include "bytestring.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_client_method,
+    "SSLv3_client_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
 
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index cd5bc2a6cb..7d2ec4d132 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -166,6 +166,12 @@
 
 #include "bytestring.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_server_method,
+    "SSLv3_server_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 
 const SSL_METHOD SSLv3_server_method_data = {
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 9a5ef826f6..b739711732 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.120 2015/07/19 07:34:52 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -170,6 +170,12 @@
 
 #include "bytestring.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_client_method,
+    "SSLv3_client_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
 
diff --git a/src/lib/libssl/src/ssl/s3_meth.c b/src/lib/libssl/src/ssl/s3_meth.c
index 8ad4efa7a8..c5f043e944 100644
--- a/src/lib/libssl/src/ssl/s3_meth.c
+++ b/src/lib/libssl/src/ssl/s3_meth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_meth.c,v 1.13 2015/02/06 08:30:23 jsing Exp $ */
+/* $OpenBSD: s3_meth.c,v 1.14 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,6 +62,12 @@
 
 #include "ssl_locl.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_method,
+    "SSLv3_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_method(int ver);
 
 const SSL_METHOD SSLv3_method_data = {
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index cd5bc2a6cb..7d2ec4d132 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -166,6 +166,12 @@
 
 #include "bytestring.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_server_method,
+    "SSLv3_server_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 
 const SSL_METHOD SSLv3_server_method_data = {