authorMiod Vallat <miod@cvs.openbsd.org>2015-07-29 19:16:10 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2015-07-29 19:16:10 +0000
commit767e654bceceda3af78edd6ddb2f19d41eb51697 (patch)
treeed93b0190f2eae44b5d38aff262231802807a1af
parent1f08bbb269484ed8c45fedf76d73c71fc83a8080 (diff)
Add linker warnings in case SSLv3_{,client,server}_method are referenced.
Use of these symbols proves the existence of a code path willingly using SSLv3, even with OPENSSL_NO_SSL3 being defined, which hints that it needs fixing. Discussed with the LibreSSL cabal during c2k15; ok deraadt@
-rw-r--r--lib/libssl/s3_clnt.c8
-rw-r--r--lib/libssl/s3_srvr.c8
2 files changed, 14 insertions, 2 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 9a5ef826f6a..b739711732b 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.120 2015/07/19 07:34:52 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -170,6 +170,12 @@
#include "bytestring.h"
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_client_method,
+ "SSLv3_client_method() enables the use of insecure protocols");
+#endif
+
static const SSL_METHOD *ssl3_get_client_method(int ver);
static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
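Review bot: The commit message promises warnings for SSLv3_{,client,server}_method, but the visible hunks cover only SSLv3_client_method here and SSLv3_server_method in the matching s3_srvr.c hunk. The diffstat lists just these two files, so the generic SSLv3_method() appears to stay unflagged. If that is not handled elsewhere, add the same guarded block next to its definition: `__warn_references(SSLv3_method, "SSLv3_method() enables the use of insecure protocols");`. A one-line comment above the `#ifdef __OpenBSD__` block would also help, e.g. `/* Link-time warning only: flags direct references, and only when __OpenBSD__ is defined. */`, because builds without that macro get no warning at all.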
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index cd5bc2a6cbc..7d2ec4d1328 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -166,6 +166,12 @@
#include "bytestring.h"
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_server_method,
+ "SSLv3_server_method() enables the use of insecure protocols");
+#endif
+
static const SSL_METHOD *ssl3_get_server_method(int ver);
const SSL_METHOD SSLv3_server_method_data = {