diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index 040fc68fbb..c39ba8c682 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -196,11 +196,3 @@ SSL_CTX_up_ref(SSL_CTX *ctx) {
 	return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
 }
 #endif /* !HAVE_SSL_CTX_UP_REF */
-
-#if !HAVE_SSL_SESSION_IS_RESUMABLE
-int
-SSL_SESSION_is_resumable(const SSL_SESSION *sess) {
-	return (!sess->not_resumable &&
-		(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
-}
-#endif /* HAVE_SSL_SESSION_IS_RESUMABLE */
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index 6b3a30b288..b2916e20a9 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -135,8 +135,3 @@ SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 int
 SSL_CTX_up_ref(SSL_CTX *store);
 #endif /* !HAVE_SSL_CTX_UP_REF */
-
-#if !HAVE_SSL_SESSION_IS_RESUMABLE
-int
-SSL_SESSION_is_resumable(const SSL_SESSION *s);
-#endif /* HAVE_SSL_SESSION_IS_RESUMABLE */
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 84b3330e7b..29cd063246 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -1484,6 +1484,33 @@ isc_tlsctx_client_session_cache_detach(
 	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
 }
 
+static bool
+ssl_session_seems_resumable(const SSL_SESSION *sess) {
+#ifdef HAVE_SSL_SESSION_IS_RESUMABLE
+	/*
+	 * If SSL_SESSION_is_resumable() is available, let's use that. It
+	 * is expected to be available on OpenSSL >= 1.1.1 and its modern
+	 * siblings.
+	 */
+	return (SSL_SESSION_is_resumable(sess) != 0);
+#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+	/*
+	 * Taking into consideration that OpenSSL 1.1.0 uses opaque
+	 * pointers for SSL_SESSION, we cannot implement a replacement for
+	 * SSL_SESSION_is_resumable() manually. Let's use a sensible
+	 * approximation for that, then: if there is an associated session
+	 * ticket or session ID, then, most likely, the session is
+	 * resumable.
+	 */
+	unsigned int session_id_len = 0;
+	(void)SSL_SESSION_get_id(sess, &session_id_len);
+	return (SSL_SESSION_has_ticket(sess) || session_id_len > 0);
+#else
+	return (!sess->not_resumable &&
+		(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
+#endif
+}
+
 void
 isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
				     char *remote_peer_name, isc_tls_t *tls) {
@@ -1500,7 +1527,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
 	sess = SSL_get1_session(tls);
 	if (sess == NULL) {
 		return;
-	} else if (SSL_SESSION_is_resumable(sess) == 0) {
+	} else if (!ssl_session_seems_resumable(sess)) {
 		SSL_SESSION_free(sess);
 		return;
 	}
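Review bot: The first branch of ssl_session_seems_resumable() is selected with `#ifdef HAVE_SSL_SESSION_IS_RESUMABLE`, i.e. by definedness, whereas the shim this commit deletes from openssl_shim.c and openssl_shim.h tested the macro's value with `#if !HAVE_SSL_SESSION_IS_RESUMABLE`; if the build configuration ever defines the macro to 0 when the function is absent, the new code would call a non-existent SSL_SESSION_is_resumable() instead of taking the fallback. Writing the test as `#if HAVE_SSL_SESSION_IS_RESUMABLE` works under both the defined/undefined and the 0/1 conventions and matches what the removed shim relied on. Separately, the OpenSSL 1.1.0 branch cannot observe the library's internal not-resumable flag, so a session the peer has already invalidated may still be stored and only be rejected at the next resumption attempt; a short comment above `isc_tlsctx_client_session_cache_keep` stating that a cached session is a hint and that callers must tolerate a full handshake would make that contract explicit. The second tls.c hunk only applies the same substitution at the call site.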