chg: usr: require at least OpenSSL 1.1.1

OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now required to compile BIND 9.

Closes #2806

Merge branch '2806-remove-ax_check_openssl' into 'main'

Closes #2806

See merge request isc-projects/bind9!9110

bin/named/main.c

@@ -590,16 +590,8 @@ printversion(bool verbose) {
 	printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
 #endif /* ifdef __SUNPRO_C */
 	printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT);
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
-	OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
 	printf("linked to OpenSSL version: %s\n",
 	       OpenSSL_version(OPENSSL_VERSION));
-
-#else  /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
-	* 0x10100000L */
-	printf("linked to OpenSSL version: %s\n",
-	       SSLeay_version(SSLEAY_VERSION));
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 	printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR,
 	       UV_VERSION_MINOR, UV_VERSION_PATCH);
 	printf("linked to libuv version: %s\n", uv_version_string());

bin/tests/system/checkconf/tests.sh

@@ -89,7 +89,7 @@ for good in good-*.conf; do
       good-proxy-*doh*.conf) continue ;;
       bad-proxy-*doh*.conf) continue ;;
     esac
-  elif ! $FEATURETEST --have-openssl-cipher-suites; then
+  else
     case $good in
       good-tls-cipher-suites-*.conf) continue ;;
     esac

bin/tests/system/cipher-suites/prereq.sh

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-$FEATURETEST --have-openssl-cipher-suites || {
-  echo_i "SSL_CTX_set_ciphersuites() is required for the test."
-  exit 255
-}
-
-exit 0

bin/tests/system/feature-test.c

@@ -49,7 +49,6 @@ usage(void) {
 	fprintf(stderr, "\t--have-geoip2\n");
 	fprintf(stderr, "\t--have-json-c\n");
 	fprintf(stderr, "\t--have-libxml2\n");
-	fprintf(stderr, "\t--have-openssl-cipher-suites\n");
 	fprintf(stderr, "\t--ipv6only=no\n");
 	fprintf(stderr, "\t--md5\n");
 	fprintf(stderr, "\t--rsasha1\n");
@@ -185,14 +184,6 @@ main(int argc, char **argv) {
 #endif /* ifdef HAVE_LIBXML2 */
 	}
 
-	if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) {
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
-		return (0);
-#else  /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
-		return (1);
-#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
-	}
-
 	if (strcmp(argv[1], "--tsan") == 0) {
 #if defined(__has_feature)
 #if __has_feature(thread_sanitizer)

configure.ac

@@ -653,75 +653,17 @@ CRYPTO=OpenSSL
 #
 # OpenSSL/LibreSSL is mandatory
 #
-PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto], [PKG_CHECK_VERSION([OPENSSL_VERSION], [openssl])],
-		  [AX_CHECK_OPENSSL([:], [AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])])
+PKG_CHECK_MODULES([OPENSSL], [libssl >= 1.1.1 libcrypto >= 1.1.1])
+PKG_CHECK_VERSION([OPENSSL_VERSION], [openssl])
 
 AX_SAVE_FLAGS([openssl])
 
 CFLAGS="$OPENSSL_CFLAGS $CFLAGS"
 LIBS="$OPENSSL_LIBS $LIBS"
 
-AC_MSG_CHECKING([for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/opensslv.h>]],
-		     [[#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)) || \\
-			   (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x02070000fL))
-		       #error OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0 required
-		       #endif
-		      ]])],
-    [AC_MSG_RESULT([yes])],
-    [AC_MSG_FAILURE([not found])])
-
 #
 # Check for functions added in OpenSSL or LibreSSL
 #
-
-AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
-AC_CHECK_FUNCS([BN_GENCB_new])
-AC_CHECK_FUNCS([CRYPTO_zalloc])
-AC_CHECK_FUNCS([ERR_get_error_all])
-AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
-AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md])
-AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
-AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
-AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
-AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
-AC_CHECK_FUNCS([SSL_CTX_up_ref])
-AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
-AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
-AC_CHECK_FUNCS([SSL_CTX_up_ref])
-AC_CHECK_FUNCS([SSL_SESSION_is_resumable])
-AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites])
-
-#
-# Check for algorithm support in OpenSSL
-#
-
-AC_CHECK_FUNCS([EVP_DigestSignInit EVP_DigestVerifyInit], [:],
-	       [AC_MSG_FAILURE([EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.])])
-
-AC_MSG_CHECKING([for ECDSA P-256 support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
-		     [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_X9_62_prime256v1, NULL);]])],
-    [AC_MSG_RESULT([yes])],
-    [AC_MSG_FAILURE([not found.  ECDSA P-256 support in OpenSSL is mandatory.])])
-
-AC_MSG_CHECKING([for ECDSA P-384 support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
-		     [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_secp384r1, NULL);]])],
-    [AC_MSG_RESULT([yes])],
-    [AC_MSG_FAILURE([not found.  ECDSA P-384 support in OpenSSL is mandatory.])])
-
-AC_MSG_CHECKING([for Ed25519 support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
-		     [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);]])],
-    [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519])
-     AC_MSG_RESULT([yes])],
-    [AC_MSG_RESULT([no])])
-
 AC_MSG_CHECKING([for Ed448 support])
 AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
@@ -730,25 +672,11 @@ AC_COMPILE_IFELSE(
      AC_MSG_RESULT([yes])],
     [AC_MSG_RESULT([no])])
 
-#
-# Check for OpenSSL SHA-1 support
-#
-AC_CHECK_FUNCS([EVP_sha1], [:],
-	       [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])])
-
-#
-# Check for OpenSSL SHA-2 support
-#
-AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:],
-	       [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])])
-
-#
-# Check for OpenSSL 1.1.x/LibreSSL functions
-#
-AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
-AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA])
-
-AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
+AC_CHECK_FUNCS([ERR_get_error_all])
+AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
+AC_CHECK_FUNCS([EVP_MD_CTX_get0_md])
+AC_CHECK_FUNCS([EVP_PKEY_eq])
+AC_CHECK_FUNCS([SSL_CTX_set1_cert_store])
 
 #
 # Check whether FIPS mode is available and whether we should enable it

doc/arm/platforms.inc.rst

@@ -99,7 +99,7 @@ Unsupported Platforms
 
 These are platforms on which current versions of BIND 9 are known *not* to build or run:
 
--  Platforms without at least OpenSSL 1.0.2
+-  Platforms without at least OpenSSL 1.1.1
 -  Windows
 -  Solaris 10 and older
 -  Platforms that do not support IPv6 Advanced Socket API (:rfc:`3542`)

lib/dns/dst_api.c

@@ -217,14 +217,12 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 				    DST_ALG_RSASHA512));
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
-#ifdef HAVE_OPENSSL_ED25519
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519],
 				      DST_ALG_ED25519));
-#endif /* ifdef HAVE_OPENSSL_ED25519 */
 #ifdef HAVE_OPENSSL_ED448
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448],
 				      DST_ALG_ED448));
-#endif /* ifdef HAVE_OPENSSL_ED448 */
+#endif /* HAVE_OPENSSL_ED448 */
 
 #if HAVE_GSSAPI
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));

lib/dns/dst_internal.h

@@ -214,10 +214,8 @@ isc_result_t
 dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
 isc_result_t
 dst__opensslecdsa_init(struct dst_func **funcp);
-#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
 isc_result_t
 dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm);
-#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
 #if HAVE_GSSAPI
 isc_result_t
 dst__gssapi_init(struct dst_func **funcp);

lib/dns/openssl_shim.c

@@ -15,137 +15,6 @@
 
 #include <isc/util.h>
 
-#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
-/* From OpenSSL 1.1.0 */
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-	/*
-	 * If the fields n and e in r are NULL, the corresponding input
-	 * parameters MUST be non-NULL for n and e.  d may be
-	 * left NULL (in case only the public key is used).
-	 */
-	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
-		return (0);
-	}
-
-	if (n != NULL) {
-		BN_free(r->n);
-		r->n = n;
-	}
-	if (e != NULL) {
-		BN_free(r->e);
-		r->e = e;
-	}
-	if (d != NULL) {
-		BN_clear_free(r->d);
-		r->d = d;
-	}
-
-	return (1);
-}
-
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
-	/*
-	 * If the fields p and q in r are NULL, the corresponding input
-	 * parameters MUST be non-NULL.
-	 */
-	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
-		return (0);
-	}
-
-	if (p != NULL) {
-		BN_clear_free(r->p);
-		r->p = p;
-	}
-	if (q != NULL) {
-		BN_clear_free(r->q);
-		r->q = q;
-	}
-
-	return (1);
-}
-
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
-	/*
-	 * If the fields dmp1, dmq1 and iqmp in r are NULL, the
-	 * corresponding input parameters MUST be non-NULL.
-	 */
-	if ((r->dmp1 == NULL && dmp1 == NULL) ||
-	    (r->dmq1 == NULL && dmq1 == NULL) ||
-	    (r->iqmp == NULL && iqmp == NULL))
-	{
-		return (0);
-	}
-
-	if (dmp1 != NULL) {
-		BN_clear_free(r->dmp1);
-		r->dmp1 = dmp1;
-	}
-	if (dmq1 != NULL) {
-		BN_clear_free(r->dmq1);
-		r->dmq1 = dmq1;
-	}
-	if (iqmp != NULL) {
-		BN_clear_free(r->iqmp);
-		r->iqmp = iqmp;
-	}
-
-	return (1);
-}
-
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-	     const BIGNUM **d) {
-	SET_IF_NOT_NULL(n, r->n);
-	SET_IF_NOT_NULL(e, r->e);
-	SET_IF_NOT_NULL(d, r->d);
-}
-
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
-	SET_IF_NOT_NULL(p, r->p);
-	SET_IF_NOT_NULL(q, r->q);
-}
-
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-		    const BIGNUM **iqmp) {
-	SET_IF_NOT_NULL(dmp1, r->dmp1);
-	SET_IF_NOT_NULL(dmq1, r->dmq1);
-	SET_IF_NOT_NULL(iqmp, r->iqmp);
-}
-
-int
-RSA_test_flags(const RSA *r, int flags) {
-	return (r->flags & flags);
-}
-#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
-
-#if !HAVE_ECDSA_SIG_GET0
-/* From OpenSSL 1.1 */
-void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
-	SET_IF_NOT_NULL(pr, sig->r);
-	SET_IF_NOT_NULL(ps, sig->s);
-}
-
-int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-	if (r == NULL || s == NULL) {
-		return (0);
-	}
-
-	BN_clear_free(sig->r);
-	BN_clear_free(sig->s);
-	sig->r = r;
-	sig->s = s;
-
-	return (1);
-}
-#endif /* !HAVE_ECDSA_SIG_GET0 */
-
 #if !HAVE_ERR_GET_ERROR_ALL
 static const char err_empty_string = '\0';
 

lib/dns/openssl_shim.h

@@ -28,74 +28,6 @@
 #define RSA_MAX_PUBEXP_BITS 35
 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
 
-#if !HAVE_BN_GENCB_NEW
-/* These are new in OpenSSL 1.1.0. */
-static inline BN_GENCB *
-BN_GENCB_new(void) {
-	return (OPENSSL_malloc(sizeof(BN_GENCB)));
-}
-
-static inline void
-BN_GENCB_free(BN_GENCB *cb) {
-	if (cb == NULL) {
-		return;
-	}
-	OPENSSL_free(cb);
-}
-
-static inline void *
-BN_GENCB_get_arg(BN_GENCB *cb) {
-	return cb->arg;
-}
-#endif /* !HAVE_BN_GENCB_NEW */
-
-#if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L
-static inline const RSA *
-EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
-	return (pkey->type == EVP_PKEY_RSA ? pkey->pkey.rsa : NULL);
-}
-#endif
-
-#if !HAVE_EVP_PKEY_GET0_EC_KEY && OPENSSL_VERSION_NUMBER < 0x10100000L
-static inline const EC_KEY *
-EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) {
-	return (pkey->type == EVP_PKEY_EC ? pkey->pkey.ec : NULL);
-}
-#endif
-
-#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-	     const BIGNUM **d);
-
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-		    const BIGNUM **iqmp);
-
-int
-RSA_test_flags(const RSA *r, int flags);
-#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
-
-#if !HAVE_ECDSA_SIG_GET0
-void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-
-int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-#endif /* !HAVE_ECDSA_SIG_GET0 */
-
 #if !HAVE_ERR_GET_ERROR_ALL
 unsigned long
 ERR_get_error_all(const char **file, int *line, const char **func,

lib/dns/openssleddsa_link.c

@@ -13,8 +13,6 @@
 
 /*! \file */
 
-#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
-
 #include <stdbool.h>
 
 #include <openssl/err.h>
@@ -41,11 +39,9 @@
 		goto err; \
 	}
 
-#if HAVE_OPENSSL_ED25519
 #ifndef NID_ED25519
 #error "Ed25519 group is not known (NID_ED25519)"
 #endif /* ifndef NID_ED25519 */
-#endif /* HAVE_OPENSSL_ED25519 */
 
 #if HAVE_OPENSSL_ED448
 #ifndef NID_ED448
@@ -60,7 +56,6 @@ typedef struct eddsa_alginfo {
 
 static const eddsa_alginfo_t *
 openssleddsa_alg_info(unsigned int key_alg) {
-#if HAVE_OPENSSL_ED25519
 	if (key_alg == DST_ALG_ED25519) {
 		static const eddsa_alginfo_t ed25519_alginfo = {
 			.pkey_type = EVP_PKEY_ED25519,
@@ -70,7 +65,6 @@ openssleddsa_alg_info(unsigned int key_alg) {
 		};
 		return &ed25519_alginfo;
 	}
-#endif /* HAVE_OPENSSL_ED25519 */
 #if HAVE_OPENSSL_ED448
 	if (key_alg == DST_ALG_ED448) {
 		static const eddsa_alginfo_t ed448_alginfo = {
@@ -586,7 +580,6 @@ static unsigned char ed448_sig[] =
 	"\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00";
 #endif
 
-#if HAVE_OPENSSL_ED25519
 static unsigned char ed25519_pub[] =
 	"\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1"
 	"\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25";
@@ -595,7 +588,6 @@ static unsigned char ed25519_sig[] =
 	"\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab"
 	"\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93"
 	"\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04";
-#endif
 
 static isc_result_t
 check_algorithm(unsigned char algorithm) {
@@ -621,8 +613,7 @@ check_algorithm(unsigned char algorithm) {
 		key_len = sizeof(ed448_pub) - 1;
 		alginfo = openssleddsa_alg_info(algorithm);
 		break;
-#endif
-#if HAVE_OPENSSL_ED25519
+#endif /* HAVE_OPENSSL_ED448 */
 	case DST_ALG_ED25519:
 		sig = ed25519_sig;
 		sig_len = sizeof(ed25519_sig) - 1;
@@ -630,7 +621,6 @@ check_algorithm(unsigned char algorithm) {
 		key_len = sizeof(ed25519_pub) - 1;
 		alginfo = openssleddsa_alg_info(algorithm);
 		break;
-#endif
 	default:
 		DST_RET(ISC_R_NOTIMPLEMENTED);
 	}
@@ -673,5 +663,3 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) {
 	}
 	return (ISC_R_SUCCESS);
 }
-
-#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */

lib/isc/openssl_shim.c

@@ -24,81 +24,6 @@
 
 #include "openssl_shim.h"
 
-#if !HAVE_CRYPTO_ZALLOC
-void *
-CRYPTO_zalloc(size_t num, const char *file, int line) {
-	void *ret = CRYPTO_malloc(num, file, line);
-	if (ret != NULL) {
-		memset(ret, 0, num);
-	}
-	return (ret);
-}
-#endif /* if !HAVE_CRYPTO_ZALLOC */
-
-#if !HAVE_EVP_CIPHER_CTX_NEW
-EVP_CIPHER_CTX *
-EVP_CIPHER_CTX_new(void) {
-	EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-	return (ctx);
-}
-#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
-
-#if !HAVE_EVP_CIPHER_CTX_FREE
-void
-EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {
-	if (ctx != NULL) {
-		EVP_CIPHER_CTX_cleanup(ctx);
-		OPENSSL_free(ctx);
-	}
-}
-#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
-
-#if !HAVE_EVP_MD_CTX_RESET
-int
-EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
-	return (EVP_MD_CTX_cleanup(ctx));
-}
-#endif /* if !HAVE_EVP_MD_CTX_RESET */
-
-#if !HAVE_SSL_READ_EX
-int
-SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
-	int rv = SSL_read(ssl, buf, num);
-	if (rv > 0) {
-		*readbytes = rv;
-		rv = 1;
-	}
-
-	return (rv);
-}
-#endif
-
-#if !HAVE_SSL_PEEK_EX
-int
-SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
-	int rv = SSL_peek(ssl, buf, num);
-	if (rv > 0) {
-		*readbytes = rv;
-		rv = 1;
-	}
-
-	return (rv);
-}
-#endif
-
-#if !HAVE_SSL_WRITE_EX
-int
-SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) {
-	int rv = SSL_write(ssl, buf, num);
-	if (rv > 0) {
-		*written = rv;
-		rv = 1;
-	}
-
-	return (rv);
-}
-#endif
-
 #if !HAVE_BIO_READ_EX
 int
 BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
@@ -110,7 +35,7 @@ BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
 
 	return (rv);
 }
-#endif
+#endif /* !HAVE_BIO_READ_EX */
 
 #if !HAVE_BIO_WRITE_EX
 int
@@ -123,76 +48,13 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) {
 
 	return (rv);
 }
-#endif
-
-#if !HAVE_OPENSSL_INIT_CRYPTO
-int
-OPENSSL_init_crypto(uint64_t opts, const void *settings) {
-	(void)settings;
-
-	if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) {
-		ERR_load_crypto_strings();
-	}
-
-	if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS |
-		     OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0)
-	{
-		OpenSSL_add_all_algorithms();
-	} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
-		OpenSSL_add_all_digests();
-	} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
-		OpenSSL_add_all_ciphers();
-	}
-
-	return (1);
-}
-#endif
-
-#if !HAVE_OPENSSL_INIT_SSL
-int
-OPENSSL_init_ssl(uint64_t opts, const void *settings) {
-	OPENSSL_init_crypto(opts, settings);
-
-	SSL_library_init();
-
-	if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) {
-		SSL_load_error_strings();
-	}
-
-	return (1);
-}
-#endif
-
-#if !HAVE_OPENSSL_CLEANUP
-void
-OPENSSL_cleanup(void) {
-	return;
-}
-#endif
-
-#if !HAVE_X509_STORE_UP_REF
-
-int
-X509_STORE_up_ref(X509_STORE *store) {
-	return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0);
-}
-
-#endif /* !HAVE_OPENSSL_CLEANUP */
+#endif /* !HAVE_BIO_WRITE_EX */
 
 #if !HAVE_SSL_CTX_SET1_CERT_STORE
-
 void
 SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
 	(void)X509_STORE_up_ref(store);
 
 	SSL_CTX_set_cert_store(ctx, store);
 }
-
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
-
-#if !HAVE_SSL_CTX_UP_REF
-int
-SSL_CTX_up_ref(SSL_CTX *ctx) {
-	return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
-}
-#endif /* !HAVE_SSL_CTX_UP_REF */

lib/isc/openssl_shim.h

@@ -20,118 +20,21 @@
 #include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 
-#if !HAVE_CRYPTO_ZALLOC
-void *
-CRYPTO_zalloc(size_t num, const char *file, int line);
-#endif /* if !HAVE_CRYPTO_ZALLOC */
-
-#if !defined(OPENSSL_zalloc)
-#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__)
-#endif
-
-#if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
-#define EVP_PKEY_new_raw_private_key(type, e, key, keylen) \
-	EVP_PKEY_new_mac_key(type, e, key, (int)(keylen))
-#endif /* if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY */
-
-#if !HAVE_EVP_CIPHER_CTX_NEW
-EVP_CIPHER_CTX *
-EVP_CIPHER_CTX_new(void);
-#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
-
-#if !HAVE_EVP_CIPHER_CTX_FREE
-void
-EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
-#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
-
-#if !HAVE_EVP_MD_CTX_NEW
-#define EVP_MD_CTX_new EVP_MD_CTX_create
-#endif /* if !HAVE_EVP_MD_CTX_NEW */
-
-#if !HAVE_EVP_MD_CTX_FREE
-#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-#endif /* if !HAVE_EVP_MD_CTX_FREE */
-
-#if !HAVE_EVP_MD_CTX_RESET
-int
-EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
-#endif /* if !HAVE_EVP_MD_CTX_RESET */
-
 #if !HAVE_EVP_MD_CTX_GET0_MD
 #define EVP_MD_CTX_get0_md EVP_MD_CTX_md
 #endif /* if !HAVE_EVP_MD_CTX_GET0_MD */
 
-#if !HAVE_SSL_READ_EX
-int
-SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
-#endif
-
-#if !HAVE_SSL_PEEK_EX
-int
-SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
-#endif
-
-#if !HAVE_SSL_WRITE_EX
-int
-SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written);
-#endif
-
 #if !HAVE_BIO_READ_EX
 int
 BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
-#endif
+#endif /* !HAVE_BIO_READ_EX */
 
 #if !HAVE_BIO_WRITE_EX
 int
 BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
-#endif
-
-#if !HAVE_OPENSSL_INIT_CRYPTO
-
-#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
-#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS    0x00000002L
-#define OPENSSL_INIT_ADD_ALL_CIPHERS	    0x00000004L
-#define OPENSSL_INIT_ADD_ALL_DIGESTS	    0x00000008L
-#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS	    0x00000010L
-#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS	    0x00000020L
-
-int
-OPENSSL_init_crypto(uint64_t opts, const void *settings);
-#endif
-
-#if !HAVE_OPENSSL_INIT_SSL
-#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
-#define OPENSSL_INIT_LOAD_SSL_STRINGS	 0x00200000L
-
-int
-OPENSSL_init_ssl(uint64_t opts, const void *settings);
-
-#endif
-
-#if !HAVE_OPENSSL_CLEANUP
-void
-OPENSSL_cleanup(void);
-#endif
-
-#if !HAVE_TLS_SERVER_METHOD
-#define TLS_server_method SSLv23_server_method
-#endif
-
-#if !HAVE_TLS_CLIENT_METHOD
-#define TLS_client_method SSLv23_client_method
-#endif
-
-#if !HAVE_X509_STORE_UP_REF
-int
-X509_STORE_up_ref(X509_STORE *v);
-#endif /* !HAVE_OPENSSL_CLEANUP */
+#endif /* !HAVE_BIO_WRITE_EX */
 
 #if !HAVE_SSL_CTX_SET1_CERT_STORE
 void
 SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
-
-#if !HAVE_SSL_CTX_UP_REF
-int
-SSL_CTX_up_ref(SSL_CTX *store);
-#endif /* !HAVE_SSL_CTX_UP_REF */

lib/isc/tls.c

@@ -56,27 +56,6 @@
 
 static isc_mem_t *isc__tls_mctx = NULL;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-static isc_mutex_t *locks = NULL;
-static int nlocks;
-
-static void
-isc__tls_lock_callback(int mode, int type, const char *file, int line) {
-	UNUSED(file);
-	UNUSED(line);
-	if ((mode & CRYPTO_LOCK) != 0) {
-		LOCK(&locks[type]);
-	} else {
-		UNLOCK(&locks[type]);
-	}
-}
-
-static void
-isc__tls_set_thread_id(CRYPTO_THREADID *id) {
-	CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
-}
-#endif
-
 #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
 /*
  * This was crippled with LibreSSL, so just skip it:
@@ -163,7 +142,6 @@ isc__tls_initialize(void) {
 #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
 	  0x30000000L  */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
 			OPENSSL_INIT_LOAD_CONFIG;
 #if defined(OPENSSL_INIT_NO_ATEXIT)
@@ -175,28 +153,6 @@ isc__tls_initialize(void) {
 #endif
 
 	RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
-#else
-	nlocks = CRYPTO_num_locks();
-	locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0]));
-	isc_mutexblock_init(locks, nlocks);
-	CRYPTO_set_locking_callback(isc__tls_lock_callback);
-	CRYPTO_THREADID_set_callback(isc__tls_set_thread_id);
-
-	CRYPTO_malloc_init();
-	ERR_load_crypto_strings();
-	SSL_load_error_strings();
-	SSL_library_init();
-
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-	ENGINE_load_builtin_engines();
-#endif
-	OpenSSL_add_all_algorithms();
-	OPENSSL_load_builtin_modules();
-
-	CONF_modules_load_file(NULL, NULL,
-			       CONF_MFLAGS_DEFAULT_SECTION |
-				       CONF_MFLAGS_IGNORE_MISSING_FILE);
-#endif
 
 	/* Protect ourselves against unseeded PRNG */
 	if (RAND_status() != 1) {
@@ -208,28 +164,7 @@ isc__tls_initialize(void) {
 
 void
 isc__tls_shutdown(void) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	OPENSSL_cleanup();
-#else
-	CONF_modules_unload(1);
-	OBJ_cleanup();
-	EVP_cleanup();
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-	ENGINE_cleanup();
-#endif
-	CRYPTO_cleanup_all_ex_data();
-	ERR_remove_thread_state(NULL);
-	RAND_cleanup();
-	ERR_free_strings();
-
-	CRYPTO_set_locking_callback(NULL);
-
-	if (locks != NULL) {
-		isc_mutexblock_destroy(locks, nlocks);
-		isc_mem_cput(isc__tls_mctx, locks, nlocks, sizeof(locks[0]));
-		locks = NULL;
-	}
-#endif
 
 	isc_mem_destroy(&isc__tls_mctx);
 }
@@ -260,15 +195,12 @@ isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) {
 	*ptarget = src;
 }
 
-#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
 /*
  * Callback invoked by the SSL library whenever a new TLS pre-master secret
  * needs to be logged.
  */
 static void
-sslkeylogfile_append(const SSL *ssl, const char *line) {
-	UNUSED(ssl);
-
+sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) {
 	isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR,
 		      ISC_LOG_INFO, "%s", line);
 }
@@ -284,9 +216,6 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) {
 		SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append);
 	}
 }
-#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
-#define sslkeylogfile_init(ctx)
-#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
 
 isc_result_t
 isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
@@ -308,12 +237,7 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
 
 	SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
 
-#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
 	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-#else
-	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-					 SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-#endif
 
 	sslkeylogfile_init(ctx);
 
@@ -384,12 +308,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 
 	SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
 
-#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
 	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-#else
-	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-					 SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-#endif
 
 	if (ephemeral) {
 		const int group_nid = NID_X9_62_prime256v1;
@@ -415,27 +334,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 		}
 
 		/* Use a named curve and uncompressed point conversion form. */
-#if HAVE_EVP_PKEY_GET0_EC_KEY
 		EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
 				     OPENSSL_EC_NAMED_CURVE);
 		EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
 				     POINT_CONVERSION_UNCOMPRESSED);
-#else
-		EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
-		EC_KEY_set_conv_form(pkey->pkey.ec,
-				     POINT_CONVERSION_UNCOMPRESSED);
-#endif /* HAVE_EVP_PKEY_GET0_EC_KEY */
-
-#if defined(SSL_CTX_set_ecdh_auto)
-		/*
-		 * Using this macro is required for older versions of OpenSSL to
-		 * automatically enable ECDH support.
-		 *
-		 * On later versions this function is no longer needed and is
-		 * deprecated.
-		 */
-		(void)SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif /* defined(SSL_CTX_set_ecdh_auto) */
 
 		/* Cleanup */
 		EC_KEY_free(eckey);
@@ -494,20 +396,12 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 		 * Set the "not before" property 5 minutes into the past to
 		 * accommodate with some possible clock skew across systems.
 		 */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-		X509_gmtime_adj(X509_get_notBefore(cert), -300);
-#else
 		X509_gmtime_adj(X509_getm_notBefore(cert), -300);
-#endif
 
 		/*
 		 * We set the vailidy for 10 years.
 		 */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-		X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600);
-#else
 		X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
-#endif
 
 		X509_set_pubkey(cert, pkey);
 
@@ -784,7 +678,6 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
 
 bool
 isc_tls_cipher_suites_valid(const char *cipher_suites) {
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	isc_tlsctx_t *tmp_ctx = NULL;
 	const SSL_METHOD *method = NULL;
 	bool result;
@@ -808,27 +701,15 @@ isc_tls_cipher_suites_valid(const char *cipher_suites) {
 	isc_tlsctx_free(&tmp_ctx);
 
 	return (result);
-#else
-	UNUSED(cipher_suites);
-
-	UNREACHABLE();
-#endif
 }
 
 void
 isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) {
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	REQUIRE(ctx != NULL);
 	REQUIRE(cipher_suites != NULL);
 	REQUIRE(*cipher_suites != '\0');
 
 	RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1);
-#else
-	UNUSED(ctx);
-	UNUSED(cipher_suites);
-
-	UNREACHABLE();
-#endif
 }
 
 void
@@ -916,10 +797,8 @@ isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) {
 	SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL);
 #endif /* !OPENSSL_NO_NEXTPROTONEG */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN,
 				NGHTTP2_PROTO_ALPN_LEN);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 }
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
@@ -935,7 +814,6 @@ next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len,
 }
 #endif /* !OPENSSL_NO_NEXTPROTONEG */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 static int
 alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
 		     const unsigned char *in, unsigned int inlen, void *arg) {
@@ -953,7 +831,6 @@ alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
 
 	return (SSL_TLSEXT_ERR_OK);
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
 void
 isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
@@ -962,9 +839,7 @@ isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL);
 #endif // OPENSSL_NO_NEXTPROTONEG
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL);
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }
 #endif /* HAVE_LIBNGHTTP2 */
 
@@ -978,11 +853,9 @@ isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn,
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	SSL_get0_next_proto_negotiated(tls, alpn, alpnlen);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	if (*alpn == NULL) {
 		SSL_get0_alpn_selected(tls, alpn, alpnlen);
 	}
-#endif
 }
 
 static bool
@@ -1015,13 +888,10 @@ void
 isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) {
 	REQUIRE(ctx != NULL);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN,
 				DOT_PROTO_ALPN_LEN);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 static int
 dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
 			 unsigned char *outlen, const unsigned char *in,
@@ -1039,15 +909,12 @@ dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
 
 	return (SSL_TLSEXT_ERR_OK);
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
 void
 isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) {
 	REQUIRE(tls != NULL);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL);
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }
 
 isc_result_t
@@ -1608,33 +1475,6 @@ isc_tlsctx_client_session_cache_detach(
 	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
 }
 
-static bool
-ssl_session_seems_resumable(const SSL_SESSION *sess) {
-#ifdef HAVE_SSL_SESSION_IS_RESUMABLE
-	/*
-	 * If SSL_SESSION_is_resumable() is available, let's use that. It
-	 * is expected to be available on OpenSSL >= 1.1.1 and its modern
-	 * siblings.
-	 */
-	return (SSL_SESSION_is_resumable(sess) != 0);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-	/*
-	 * Taking into consideration that OpenSSL 1.1.0 uses opaque
-	 * pointers for SSL_SESSION, we cannot implement a replacement for
-	 * SSL_SESSION_is_resumable() manually. Let's use a sensible
-	 * approximation for that, then: if there is an associated session
-	 * ticket or session ID, then, most likely, the session is
-	 * resumable.
-	 */
-	unsigned int session_id_len = 0;
-	(void)SSL_SESSION_get_id(sess, &session_id_len);
-	return (SSL_SESSION_has_ticket(sess) || session_id_len > 0);
-#else
-	return (!sess->not_resumable &&
-		(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
-#endif
-}
-
 void
 isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
 				     char *remote_peer_name, isc_tls_t *tls) {
@@ -1652,7 +1492,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
 	if (sess == NULL) {
 		ERR_clear_error();
 		return;
-	} else if (!ssl_session_seems_resumable(sess)) {
+	} else if (SSL_SESSION_is_resumable(sess) == 0) {
 		SSL_SESSION_free(sess);
 		return;
 	}

lib/isccfg/namedconf.c

@@ -4058,11 +4058,7 @@ static cfg_clausedef_t tls_clauses[] = {
 	{ "dhparam-file", &cfg_type_qstring, 0 },
 	{ "protocols", &cfg_type_tlsprotos, 0 },
 	{ "ciphers", &cfg_type_astring, 0 },
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	{ "cipher-suites", &cfg_type_astring, 0 },
-#else
-	{ "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
 	{ "prefer-server-ciphers", &cfg_type_boolean, 0 },
 	{ "session-tickets", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }

m4/ax_check_openssl.m4

@@ -1,133 +0,0 @@
-# SPDX-License-Identifier: FSFAP
-#
-# ===========================================================================
-#     https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-#   AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
-#
-# DESCRIPTION
-#
-#   Look for OpenSSL in a number of default spots, or in a user-selected
-#   spot (via --with-openssl).  Sets
-#
-#     OPENSSL_CFLAGS to the include directives required
-#     OPENSSL_LIBS to the -l directives required
-#     OPENSSL_LDFLAGS to the -L or -R flags required
-#
-#   and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
-#
-#   This macro sets OPENSSL_CFLAGS such that source files should use the
-#   openssl/ directory in include directives:
-#
-#     #include <openssl/hmac.h>
-#
-# LICENSE
-#
-#   Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
-#   Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
-#
-#   Copying and distribution of this file, with or without modification, are
-#   permitted in any medium without royalty provided the copyright notice
-#   and this notice are preserved. This file is offered as-is, without any
-#   warranty.
-
-#serial 11
-
-AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
-AC_DEFUN([AX_CHECK_OPENSSL], [
-    found=false
-    AC_PROG_SED
-    AC_ARG_WITH([openssl],
-        [AS_HELP_STRING([--with-openssl=DIR],
-            [root of the OpenSSL directory])],
-        [
-            case "$withval" in
-            "" | y | ye | yes | n | no)
-            AC_MSG_ERROR([Invalid --with-openssl value])
-              ;;
-            *) ssldirs="$withval"
-              ;;
-            esac
-        ], [
-            # if pkg-config is installed and openssl has installed a .pc file,
-            # then use that information and don't search ssldirs
-            AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
-            if test x"$PKG_CONFIG" != x""; then
-                OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
-                if test $? = 0; then
-                    OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
-                    OPENSSL_CFLAGS=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
-                    OPENSSL_VERSION=`$PKG_CONFIG openssl --modversion 2>/dev/null`
-                    found=true
-                fi
-            fi
-
-            # no such luck; use some default ssldirs
-            if ! $found; then
-                ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
-            fi
-        ]
-        )
-
-
-    # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
-    # an 'openssl' subdirectory
-
-    if ! $found; then
-        OPENSSL_CFLAGS=
-        for ssldir in $ssldirs; do
-            AC_MSG_CHECKING([for include/openssl/ssl.h in $ssldir])
-            if test -f "$ssldir/include/openssl/ssl.h"; then
-                OPENSSL_CFLAGS="-I$ssldir/include"
-                OPENSSL_LDFLAGS="-L$ssldir/lib"
-                OPENSSL_LIBS="-lssl -lcrypto"
-                OPENSSL_VERSION=`$SED -ne 's/.*OPENSSL_VERSION_STR[^"]*"\([^"]*\)".*/\1/p;' $ssldir/include/openssl/opensslv.h`
-                if test -z "$OPENSSL_VERSION"; then
-                  OPENSSL_VERSION=`$SED -ne 's/.*OPENSSL_VERSION_TEXT[^"]*"\([^"]*\)".*/\1/p;' $ssldir/include/openssl/opensslv.h`
-                fi
-                found=true
-                AC_MSG_RESULT([yes])
-                break
-            else
-                AC_MSG_RESULT([no])
-            fi
-        done
-
-        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
-        # it will just work!
-    fi
-
-    # try the preprocessor and linker with our new flags,
-    # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
-
-    AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
-    echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
-        "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_CFLAGS=$OPENSSL_CFLAGS" >&AS_MESSAGE_LOG_FD
-
-    save_LIBS="$LIBS"
-    save_LDFLAGS="$LDFLAGS"
-    save_CPPFLAGS="$CPPFLAGS"
-    LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
-    LIBS="$OPENSSL_LIBS $LIBS"
-    CPPFLAGS="$OPENSSL_CFLAGS $CPPFLAGS"
-    AC_LINK_IFELSE(
-        [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
-        [
-            AC_MSG_RESULT([yes])
-            $1
-        ], [
-            AC_MSG_RESULT([no])
-            $2
-        ])
-    CPPFLAGS="$save_CPPFLAGS"
-    LDFLAGS="$save_LDFLAGS"
-    LIBS="$save_LIBS"
-
-    AC_SUBST([OPENSSL_CFLAGS])
-    AC_SUBST([OPENSSL_LIBS])
-    AC_SUBST([OPENSSL_LDFLAGS])
-    AC_SUBST([OPENSSL_VERSION])
-])