Merge branch '3376-fix-openssl-1.1.0-unimplementable-SSL-SESSION-is-resumable' into 'main'

Resolve #3376: Do not provide a shim for SSL_SESSION_is_resumable() Closes #3376 See merge request isc-projects/bind9!6346
2022-05-24 10:52:06 +00:00
parent 31f937cb05 40be3c9263
commit 9da576c2ba
3 changed files with 28 additions and 14 deletions
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -196,11 +196,3 @@ SSL_CTX_up_ref(SSL_CTX *ctx) {
 	return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
 }
 #endif /* !HAVE_SSL_CTX_UP_REF */
-
-#if !HAVE_SSL_SESSION_IS_RESUMABLE
-int
-SSL_SESSION_is_resumable(const SSL_SESSION *sess) {
-	return (!sess->not_resumable &&
-		(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
-}
-#endif /* HAVE_SSL_SESSION_IS_RESUMABLE */
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -135,8 +135,3 @@ SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 int
 SSL_CTX_up_ref(SSL_CTX *store);
 #endif /* !HAVE_SSL_CTX_UP_REF */
-
-#if !HAVE_SSL_SESSION_IS_RESUMABLE
-int
-SSL_SESSION_is_resumable(const SSL_SESSION *s);
-#endif /* HAVE_SSL_SESSION_IS_RESUMABLE */
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -1484,6 +1484,33 @@ isc_tlsctx_client_session_cache_detach(
 	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
 }

+static bool
+ssl_session_seems_resumable(const SSL_SESSION *sess) {
+#ifdef HAVE_SSL_SESSION_IS_RESUMABLE
+	/*
+	 * If SSL_SESSION_is_resumable() is available, let's use that. It
+	 * is expected to be available on OpenSSL >= 1.1.1 and its modern
+	 * siblings.
+	 */
+	return (SSL_SESSION_is_resumable(sess) != 0);
+#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+	/*
+	 * Taking into consideration that OpenSSL 1.1.0 uses opaque
+	 * pointers for SSL_SESSION, we cannot implement a replacement for
+	 * SSL_SESSION_is_resumable() manually. Let's use a sensible
+	 * approximation for that, then: if there is an associated session
+	 * ticket or session ID, then, most likely, the session is
+	 * resumable.
+	 */
+	unsigned int session_id_len = 0;
+	(void)SSL_SESSION_get_id(sess, &session_id_len);
+	return (SSL_SESSION_has_ticket(sess) || session_id_len > 0);
+#else
+	return (!sess->not_resumable &&
+		(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
+#endif
+}
+
 void
 isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
 				     char *remote_peer_name, isc_tls_t *tls) {
@@ -1500,7 +1527,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
 	sess = SSL_get1_session(tls);
 	if (sess == NULL) {
 		return;
-	} else if (SSL_SESSION_is_resumable(sess) == 0) {
+	} else if (!ssl_session_seems_resumable(sess)) {
 		SSL_SESSION_free(sess);
 		return;
 	}