authorBob Beck <beck@cvs.openbsd.org>2016-03-06 14:52:16 +0000
committerBob Beck <beck@cvs.openbsd.org>2016-03-06 14:52:16 +0000
commita3704303819d166a64ae42c106fc203e5a3ba9ec (patch)
tree3d6d1fee5dfbe41e9c9b48f43f2e5ef95f17482e
parent97d4ac3e21098320fb28f45556e56ab880fd2aa1 (diff)
Make sure stdio functions don't end up in the library, from miod@
ok doug@ bcook@
-rw-r--r--lib/libssl/src/ssl/d1_both.c8
-rw-r--r--lib/libssl/src/ssl/d1_enc.c8
-rw-r--r--lib/libssl/src/ssl/t1_enc.c8
-rw-r--r--lib/libssl/ssl/Makefile6
4 files changed, 22 insertions, 8 deletions
diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c
index 448bd76fd0d..bce084f1eef 100644
--- a/lib/libssl/src/ssl/d1_both.c
+++ b/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.38 2015/09/11 18:08:21 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.39 2016/03/06 14:52:15 beck Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1014,8 +1014,10 @@ int
dtls1_read_failed(SSL *s, int code)
{
if (code > 0) {
+#ifdef DEBUG
fprintf(stderr, "invalid state reached %s:%d",
__FILE__, __LINE__);
+#endif
return 1;
}
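Review bot: With DEBUG undefined, the `code > 0` branch of dtls1_read_failed returns 1 without leaving any trace of the invalid state, because the guarded fprintf was its only signal; the same applies to the two retransmit failure paths guarded in the later hunks of this file. If callers or operators need to see these conditions, consider recording them on the library's error queue in all builds. At minimum, a comment above the guard such as `/* invalid state: reported only in DEBUG builds */` would document the silent path. The format string here also has no trailing `\n`, unlike the other two messages. The function body continues outside the hunk.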
@@ -1071,7 +1073,9 @@ dtls1_retransmit_buffered_messages(SSL *s)
(unsigned short)dtls1_get_queue_priority(
frag->msg_header.seq, frag->msg_header.is_ccs), 0,
&found) <= 0 && found) {
+#ifdef DEBUG
fprintf(stderr, "dtls1_retransmit_message() failed\n");
+#endif
return -1;
}
}
@@ -1163,7 +1167,9 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
item = pqueue_find(s->d1->sent_messages, seq64be);
if (item == NULL) {
+#ifdef DEBUG
fprintf(stderr, "retransmit: message %d non-existant\n", seq);
+#endif
*found = 0;
return 0;
}
diff --git a/lib/libssl/src/ssl/d1_enc.c b/lib/libssl/src/ssl/d1_enc.c
index c58e109ae57..8445ceb10f7 100644
--- a/lib/libssl/src/ssl/d1_enc.c
+++ b/lib/libssl/src/ssl/d1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_enc.c,v 1.10 2015/07/17 07:04:40 doug Exp $ */
+/* $OpenBSD: d1_enc.c,v 1.11 2016/03/06 14:52:15 beck Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -150,11 +150,13 @@ dtls1_enc(SSL *s, int send)
enc = NULL;
else {
enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
- if (rec->data != rec->input)
+ if (rec->data != rec->input) {
+#ifdef DEBUG
/* we can't write into the input stream */
fprintf(stderr, "%s:%d: rec->data != rec->input\n",
__FILE__, __LINE__);
- else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
+#endif
+ } else if (EVP_CIPHER_block_size(ds->cipher) > 1) {
arc4random_buf(rec->input,
EVP_CIPHER_block_size(ds->cipher));
}
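Review bot: In a non-DEBUG build the `rec->data != rec->input` branch now has an empty body, so the `arc4random_buf` fill of `rec->input` is skipped and record processing carries on with no signal at all. If this state can really occur, it would be safer to treat it as a failure in every build rather than as a debug-only diagnostic; how dtls1_enc reports errors at this point is not visible in the hunk, so the exact return path needs checking against the rest of the function. The explanatory comment would also be better placed above the `#ifdef DEBUG`, for example `/* we can't write into the input stream; the random block is not generated */`. The tls1_enc hunk in t1_enc.c has the same pattern around its `arc4random_buf(rec->input, ivlen)` call.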
diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c
index 1c96abb3780..5d95419e7e8 100644
--- a/lib/libssl/src/ssl/t1_enc.c
+++ b/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.83 2015/09/11 18:08:21 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.84 2016/03/06 14:52:15 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -936,14 +936,16 @@ tls1_enc(SSL *s, int send)
EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
ivlen = EVP_CIPHER_iv_length(enc);
if (ivlen > 1) {
- if (rec->data != rec->input)
+ if (rec->data != rec->input) {
+#ifdef DEBUG
/* we can't write into the input stream:
* Can this ever happen?? (steve)
*/
fprintf(stderr,
"%s:%d: rec->data != rec->input\n",
__FILE__, __LINE__);
- else
+#endif
+ } else
arc4random_buf(rec->input, ivlen);
}
}
diff --git a/lib/libssl/ssl/Makefile b/lib/libssl/ssl/Makefile
index e7303be03ba..1e70f47a3e5 100644
--- a/lib/libssl/ssl/Makefile
+++ b/lib/libssl/ssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.56 2015/09/11 17:54:23 jsing Exp $
+# $OpenBSD: Makefile,v 1.57 2016/03/06 14:52:15 beck Exp $
LIB= ssl
@@ -45,3 +45,7 @@ includes:
done;
.include <bsd.lib.mk>
+
+beforeinstall:
+ nm -o lib${LIB}.a | egrep -w 'printf|fprintf' && \
+ (echo please fix stdio usage in this library; false) || true
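Review bot: The trailing `|| true` in the `beforeinstall` recipe swallows the `false` from the subshell, so the check prints its message but can never stop the install. If it is meant to be advisory, a comment such as `# advisory only: warn about stdio symbols, do not fail the install` would make that clear. If it is meant to enforce, something like `! nm -o lib${LIB}.a | egrep -w 'printf|fprintf' || (echo please fix stdio usage in this library; false)` would fail the target when a match is found. The `-w` pattern also matches only those two exact names, so other stdio output functions would pass unnoticed.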