Add linker warnings in case SSLv3_{,client,server}_method are referenced.

Use of this symbols proves the existence of a code path willingly using SSLv3,
even with OPENSSL_NO_SSL3 being defined, which hints that it needs fixing.

Discussed with the LibreSSL cabal during c2k15; ok deraadt@

2 files changed, 14 insertions, 2 deletions

diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index 9a5ef826f6a..b739711732b 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.120 2015/07/19 07:34:52 doug Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.121 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -170,6 +170,12 @@
 
 #include "bytestring.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_client_method,
+    "SSLv3_client_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b);
 
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index cd5bc2a6cbc..7d2ec4d1328 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.111 2015/07/18 01:42:26 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.112 2015/07/29 19:16:09 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -166,6 +166,12 @@
 
 #include "bytestring.h"
 
+#ifdef __OpenBSD__
+#include <sys/cdefs.h>
+__warn_references(SSLv3_server_method,
+    "SSLv3_server_method() enables the use of insecure protocols");
+#endif
+
 static const SSL_METHOD *ssl3_get_server_method(int ver);
 
 const SSL_METHOD SSLv3_server_method_data = {