From a912dbe98be0f3aafd29e963d2c4ba7c6b865f38 Mon Sep 17 00:00:00 2001 From: Petr Menšík Date: Sep 08 2022 20:33:55 +0000 Subject: Return engine implementation but use legacy OpenSSL Engine interface was deprecated in OpenSSL and therefore removed from normal compilation. But it is possible to compile on OpenSSL with the compat define. That disables deprecation warnings and uses the same functions as for OpenSSL 1.1. That is required to keep engine pkcs11 support working. Otherwise loading keys via ENGINE_load_private_key would always fail. Resolves: rhbz:#2122010 --- diff --git a/bind-9.18-pkcs11-engine-compat-api.patch b/bind-9.18-pkcs11-engine-compat-api.patch new file mode 100644 index 0000000..32126f4 --- /dev/null +++ b/bind-9.18-pkcs11-engine-compat-api.patch 
@@ -0,0 +1,1554 @@ +From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 8 Sep 2022 17:19:20 +0200 +Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled + +OpenSSL has deprecated many things in version 3.0. If pkcs11 engine +should work then no builder from OpenSSL 3.0 API can be used. + +Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when +OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow +working keys loading from the engine passed on command line. +--- + lib/dns/openssldh_link.c | 136 +++++++++++++++++++----------------- + lib/dns/opensslecdsa_link.c | 119 +++++++++++++++---------------- + lib/dns/opensslrsa_link.c | 118 +++++++++++++++---------------- + 3 files changed, 189 insertions(+), 184 deletions(-) + +diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c +index d5dbc2e889..96c1d523b7 100644 +--- a/lib/dns/openssldh_link.c ++++ b/lib/dns/openssldh_link.c +@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; + static isc_result_t + openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + isc_buffer_t *secret) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dhpub, *dhpriv; + const BIGNUM *pub_key = NULL; + int secret_len = 0; +@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *dhpub, *dhpriv; + size_t secret_len = 0; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + isc_region_t r; + unsigned int len; + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + REQUIRE(pub->keydata.dh != NULL); + REQUIRE(priv->keydata.dh != NULL); + +@@ -119,14 +119,14 @@ 
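Review bot: The new guard `#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000` in openssldh_computesecret() relies on `OPENSSL_API_LEVEL` being defined at that point, yet nothing in this hunk shows where it comes from, and an identifier that is undefined inside `#if` silently evaluates to 0, which would select the legacy DH path on any OpenSSL 3.x build regardless of the compat setting; opensslecdsa_link.c already uses the macro in its existing `!defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000` guard, so it is presumably supplied by the OpenSSL headers there, but confirm the same for the DH and RSA files (building with `-Wundef` makes this explicit). The same two-clause condition is then repeated in both polarities in every hunk of all three files, which is easy to get out of step; defining it once per file, e.g. `#define DST_LEGACY_OSSL_API (OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000)` (name is a suggestion), and writing `#if DST_LEGACY_OSSL_API` / `#if !DST_LEGACY_OSSL_API` would also keep the matching `#endif` comments short enough to avoid the `\`-continued comment lines introduced in the later hunks. Worth a one-line comment next to that definition that this branch deliberately re-enables the deprecated DH/EC_KEY and ENGINE entry points under `OPENSSL_API_COMPAT`, since any future removal of those symbols in OpenSSL will surface here first.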
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + dhpriv = priv->keydata.pkey; + + len = EVP_PKEY_get_size(dhpriv); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_availableregion(secret, &r); + if (r.length < len) { + return (ISC_R_NOSPACE); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH_get0_key(dhpub, &pub_key, NULL); + secret_len = DH_compute_key(r.base, pub_key, dhpriv); + if (secret_len <= 0) { +@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + DST_R_COMPUTESECRETFAILURE)); + } + EVP_PKEY_CTX_free(ctx); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_add(secret, (unsigned int)secret_len); + +@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + + static bool + openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh1, *dh2; + const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; + const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; +@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; + BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; + BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh1 = key1->keydata.dh; + dh2 = key2->keydata.dh; + +@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + 
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ + + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || + BN_cmp(pub_key1, pub_key2) != 0) +@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p1 != NULL) { + BN_free(p1); + } +@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + if (priv_key2 != NULL) { + BN_clear_free(priv_key2); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (true); + } + + static bool + openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh1, *dh2; + const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; + #else + EVP_PKEY *pkey1, *pkey2; + BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh1 = key1->keydata.dh; + dh2 = key2->keydata.dh; + +@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ 
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { + return (false); + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p1 != NULL) { + BN_free(p1); + } +@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + if (g2 != NULL) { + BN_free(g2); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (true); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static int + progress_cb(int p, int n, BN_GENCB *cb) { + union { +@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { + } + return (1); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + void (*fptr)(int); + } u; + BIGNUM *p = NULL, *g = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = NULL; + BN_GENCB *cb = NULL; + #if !HAVE_BN_GENCB_NEW +@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *param_pkey = NULL; + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh = DH_new(); + if (dh == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); +@@ -386,7 +388,7 @@ 
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + if (param_ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (generator == 0) { + /* +@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + if (p == NULL || g == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (DH_set0_pqg(dh, p, NULL, g) != 1) { + DST_RET(dst__openssl_toresult2( + "DH_set0_pqg", DST_R_OPENSSLFAILURE)); +@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + DST_R_OPENSSLFAILURE)); + } + params = OSSL_PARAM_BLD_to_param(bld); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + } else { + /* +@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + } + + if (generator != 0) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + cb = BN_GENCB_new(); + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (cb == NULL) { +@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + DST_R_OPENSSLFAILURE)); + } + params = OSSL_PARAM_BLD_to_param(bld); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (DH_generate_key(dh) == 0) { + DST_RET(dst__openssl_toresult2("DH_generate_key", + DST_R_OPENSSLFAILURE)); +@@ -557,12 +559,12 @@ 
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + + key->keydata.pkey = pkey; + pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (dh != NULL) { + DH_free(dh); + } +@@ -594,14 +596,14 @@ err: + if (g != NULL) { + BN_free(g); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + + static bool + openssldh_isprivate(const dst_key_t *key) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = key->keydata.dh; + const BIGNUM *priv_key = NULL; + +@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) { + } + + return (ret); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } + + static void + openssldh_destroy(dst_key_t *key) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = key->keydata.dh; + + if (dh == NULL) { +@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) { + + EVP_PKEY_free(pkey); + key->keydata.pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } + + static void +@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) { + + static isc_result_t + openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh; + const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; + #else + EVP_PKEY *pkey; + BIGNUM *pub_key = NULL, *p = 
NULL, *g = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + isc_region_t r; + uint16_t dnslen, plen, glen, publen; + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + REQUIRE(key->keydata.dh != NULL); + + dh = key->keydata.dh; +@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_availableregion(data, &r); + +@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_add(data, dnslen); + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p != NULL) { + BN_free(p); + } +@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + if (pub_key != NULL) { + BN_free(pub_key); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (ISC_R_SUCCESS); + } +@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + static isc_result_t + openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh; + #else + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + BIGNUM *pub_key = NULL, *p = NULL, 
*g = NULL; + int key_size; + isc_region_t r; +@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + return (ISC_R_SUCCESS); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh = DH_new(); + if (dh == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); +@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + if (ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + /* + * Read the prime length. 1 & 2 are table entries, > 16 means a +@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + + key_size = BN_num_bits(p); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (DH_set0_pqg(dh, p, NULL, g) != 1) { + DST_RET(dst__openssl_toresult2("DH_set0_pqg", + DST_R_OPENSSLFAILURE)); +@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (r.length < 2) { + DST_RET(DST_R_INVALIDPUBLICKEY); +@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_forward(data, plen + glen + publen + 6); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ + (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) + /* +@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + + key->keydata.pkey = pkey; + pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 */ + + key->key_size = (unsigned int)key_size; + + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (dh != NULL) { + DH_free(dh); + } +@@ -975,7 +978,7 @@ err: + if (bld != NULL) { + OSSL_PARAM_BLD_free(bld); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (p != NULL) { + BN_free(p); + } +@@ -991,13 +994,13 @@ err: + + static isc_result_t + openssldh_tofile(const dst_key_t *key, const char *directory) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh; + const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; + #else + EVP_PKEY *pkey; + BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + dst_private_t priv; + unsigned char *bufs[4] = { NULL }; + unsigned short i = 0; +@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + return (DST_R_EXTERNALKEY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (key->keydata.dh == NULL) { + return (DST_R_NULLKEY); + } +@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + priv.elements[i].tag = TAG_DH_PRIME; + priv.elements[i].length = BN_num_bytes(p); +@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const 
char *directory) { + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p != NULL) { + BN_free(p); + } +@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + if (priv_key != NULL) { + BN_clear_free(priv_key); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (result); + } +@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = NULL; + #else + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; + int key_size = 0; + isc_mem_t *mctx; +@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DST_RET(DST_R_EXTERNALKEY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh = DH_new(); + if (dh == NULL) { + DST_RET(ISC_R_NOMEMORY); +@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + if (ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + for (i = 0; i < priv.nelements; i++) { + BIGNUM *bn; +@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + } + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 + if (DH_set0_key(dh, pub_key, priv_key) != 1) { + DST_RET(dst__openssl_toresult2("DH_set0_key", + DST_R_OPENSSLFAILURE)); +@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + key->keydata.pkey = pkey; + pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->key_size = (unsigned int)key_size; + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (dh != NULL) { + DH_free(dh); + } +@@ -1225,7 +1229,7 @@ err: + if (bld != NULL) { + OSSL_PARAM_BLD_free(bld); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (p != NULL) { + BN_free(p); + } +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 519e88b7e7..04f0d80b5e 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -17,14 +17,14 @@ + + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #include + #include + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 +@@ -57,7 +57,7 @@ + goto err; \ + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + static isc_result_t + raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key, + size_t key_len, EVP_PKEY **pkey) { +@@ -159,7 +159,8 @@ err: + + return (ret); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + 
static isc_result_t + opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { +@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + bool ret; + EVP_PKEY *pkey1 = key1->keydata.pkey; + EVP_PKEY *pkey2 = key2->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey1 = NULL; + EC_KEY *eckey2 = NULL; + const BIGNUM *priv1; +@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + #else + BIGNUM *priv1 = NULL; + BIGNUM *priv2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (pkey1 == NULL && pkey2 == NULL) { + return (true); +@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + DST_RET(false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey1 = EVP_PKEY_get1_EC_KEY(pkey1); + eckey2 = EVP_PKEY_get1_EC_KEY(pkey2); + if (eckey1 == NULL && eckey2 == NULL) { +@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + #else + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (priv1 != NULL || priv2 != NULL) { + if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0) +@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + ret = true; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey1 != NULL) { + EC_KEY_free(eckey1); + } +@@ -471,7 +472,7 @@ err: + if (priv2 != NULL) { + BN_clear_free(priv2); + } +-#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + isc_result_t ret; + int status; + EVP_PKEY *pkey = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + #else + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *params_pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + int group_nid; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || +@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + key->key_size = DNS_KEY_ECDSA384SIZE * 4; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = EC_KEY_new_by_curve_name(group_nid); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name", +@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->keydata.pkey = pkey; + pkey = NULL; +@@ -573,7 +574,7 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +@@ -584,7 +585,7 @@ err: + if (ctx != NULL) { + EVP_PKEY_CTX_free(ctx); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -593,11 +594,11 @@ static bool + opensslecdsa_isprivate(const dst_key_t 
*key) { + bool ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey; + #else + BIGNUM *priv = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); +@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { + return (false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = EVP_PKEY_get1_EC_KEY(pkey); + + ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL); +@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { + if (priv != NULL) { + BN_clear_free(priv); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -640,7 +641,7 @@ static isc_result_t + opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + int len; + unsigned char *cp; +@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + BIGNUM *y = NULL; + size_t keysize = 0; + size_t len = 0; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + isc_region_t r; + unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; + +@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + + pkey = key->keydata.pkey; + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) { + 
DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); +@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + } + + len = keysize; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_availableregion(data, &r); + if (r.length < (unsigned int)len) { + DST_RET(ISC_R_NOSPACE); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + cp = buf; + if (!i2o_ECPublicKey(eckey, &cp)) { + DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); +@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + BN_bn2bin_fixed(x, &buf[0], keysize / 2); + BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2); + memmove(r.base, buf, len); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_add(data, len); + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +@@ -721,7 +722,7 @@ err: + if (y != NULL) { + BN_clear_free(y); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; + EVP_PKEY *pkey = NULL; + isc_region_t r; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + const unsigned char *cp; + unsigned int len; +@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + int group_nid; + #else + size_t len; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + 
REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); +@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + DST_RET(DST_R_INVALIDPUBLICKEY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (key->key_alg == DST_ALG_ECDSA256) { + group_nid = NID_X9_62_prime256v1; + } else { +@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + if (ret != ISC_R_SUCCESS) { + DST_RET(ret); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_forward(data, len); + key->keydata.pkey = pkey; +@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + return (ret); + } + +@@ -814,13 +815,13 @@ static isc_result_t + opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + isc_result_t ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + const BIGNUM *privkey = NULL; + #else + int status; + BIGNUM *privkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + dst_private_t priv; + unsigned char *buf = NULL; + unsigned short i; +@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + } + + pkey = key->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = 
EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY", +@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); + +@@ -888,7 +889,7 @@ err: + if (buf != NULL && privkey != NULL) { + isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +@@ -896,12 +897,12 @@ err: + if (privkey != NULL) { + BN_clear_free(privkey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) { + const EC_POINT *pubkey; +@@ -1065,9 +1066,9 @@ err: + + return (ret); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv, + int privkey_index) { +@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) { + } + return (ISC_R_SUCCESS); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + finalize_eckey(dst_key_t *key, +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 
0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey, + #endif + const char *engine, const char *label) { + isc_result_t result = ISC_R_SUCCESS; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EVP_PKEY *pkey = NULL; + + REQUIRE(eckey != NULL); +@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key, + } + + key->keydata.pkey = pkey; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (label != NULL) { + key->label = isc_mem_strdup(key->mctx, label); +@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key, + return (result); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { + int group_nid; +@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { + + return (ISC_R_SUCCESS); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, +@@ -1173,10 +1174,10 @@ static isc_result_t + opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + EC_KEY *pubeckey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + const char *engine = NULL; + const char *label = NULL; + int i, privkey_index = -1; +@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + goto err; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 + eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } else { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + ret = dst__key_to_eckey(key, &eckey); + if (ret != ISC_R_SUCCESS) { + goto err; +@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + priv.elements[privkey_index].data, + priv.elements[privkey_index].length, + &key->keydata.pkey); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (ret != ISC_R_SUCCESS) { + goto err; +@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + finalize_key = true; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (pub != NULL && pub->keydata.pkey != NULL) { + pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey); + } +@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + if (finalize_key) { + ret = finalize_eckey(key, engine, label); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (pubeckey != NULL) { + EC_KEY_free(pubeckey); + } + if (eckey != NULL) { + EC_KEY_free(eckey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (ret != ISC_R_SUCCESS) { + key->keydata.generic = NULL; + } +diff --git a/lib/dns/opensslrsa_link.c 
b/lib/dns/opensslrsa_link.c +index fc905b7d60..867b486a2f 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -18,7 +18,7 @@ + + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 +@@ -26,7 +26,7 @@ + #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #include +@@ -180,12 +180,12 @@ static isc_result_t + opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + dst_key_t *key = dctx->key; + int status = 0; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa; + const BIGNUM *e = NULL; + #else + BIGNUM *e = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + EVP_PKEY *pkey = key->keydata.pkey; + int bits; +@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + dctx->key->key_alg == DST_ALG_RSASHA256 || + dctx->key->key_alg == DST_ALG_RSASHA512); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + } + bits = BN_num_bits(e); + BN_free(e); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (bits > maxbits && maxbits != 0) { + return (DST_R_VERIFYFAILURE); 
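Review bot: The include guard in the `@@ -18` hunk spells the condition as its complement, `OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000`, while the same test is hand-copied in negated form onto every other `#if`/`#endif` in these three files; if one copy drifts, a legacy declaration block (`const BIGNUM *e` borrowed from the RSA object) could be paired with the 3.0 cleanup block (`BN_free(e)`) and compile with only a discarded-qualifier warning, giving a double free at run time instead of a build error. I would define it once in the shared dst OpenSSL header, `#define DST_OPENSSL_LEGACY_API (OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000)`, and use `#if DST_OPENSSL_LEGACY_API` / `#if !DST_OPENSSL_LEGACY_API` throughout so the ~100 sites cannot disagree. Separately, if `OPENSSL_API_LEVEL` comes only from OpenSSL 3.0's headers it is undefined on 1.1.1 and the preprocessor evaluates it as 0 — which happens to pick the intended legacy branch but is a silent dependency and trips `-Wundef`; the pre-existing `OPENSSL_API_LEVEL < 30000` engine guard in the context lines suggests BIND defines it itself, which is worth confirming rather than assuming.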
+@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + int status; + EVP_PKEY *pkey1 = key1->keydata.pkey; + EVP_PKEY *pkey2 = key2->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa1 = NULL; + RSA *rsa2 = NULL; + const BIGNUM *d1 = NULL, *d2 = NULL; +@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + BIGNUM *d1 = NULL, *d2 = NULL; + BIGNUM *p1 = NULL, *p2 = NULL; + BIGNUM *q1 = NULL, *q2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (pkey1 == NULL && pkey2 == NULL) { + return (true); +@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + DST_RET(false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa1 = EVP_PKEY_get1_RSA(pkey1); + rsa2 = EVP_PKEY_get1_RSA(pkey2); + if (rsa1 == NULL && rsa2 == NULL) { +@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + #else + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (d1 != NULL || d2 != NULL) { + if (d1 == NULL || d2 == NULL) { + DST_RET(false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA_get0_factors(rsa1, &p1, &q1); + RSA_get0_factors(rsa2, &p2, &q2); + #else +@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2); + EVP_PKEY_get_bn_param(pkey2, 
OSSL_PKEY_PARAM_RSA_FACTOR2, &q2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 || + BN_cmp(q1, q2) != 0) { +@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + ret = true; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa1 != NULL) { + RSA_free(rsa1); + } +@@ -332,12 +332,12 @@ err: + if (q2 != NULL) { + BN_clear_free(q2); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static int + progress_cb(int p, int n, BN_GENCB *cb) { + union { +@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { + } + return (1); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { +@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + void (*fptr)(int); + } u; + BIGNUM *e = BN_new(); +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = RSA_new(); + EVP_PKEY *pkey = EVP_PKEY_new(); + #if !HAVE_BN_GENCB_NEW +@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + #else + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 + if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + if (e == NULL || ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + /* + * Reject incorrect RSA key lengths. +@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + BN_set_bit(e, 32); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->keydata.pkey = pkey; + pkey = NULL; +@@ -486,7 +486,7 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -497,7 +497,7 @@ err: + if (ctx != NULL) { + EVP_PKEY_CTX_free(ctx); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (e != NULL) { + BN_free(e); + } +@@ -508,12 +508,12 @@ static bool + opensslrsa_isprivate(const dst_key_t *key) { + bool ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa; + const BIGNUM *d = NULL; + #else + BIGNUM *d = NULL; +-#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || + key->key_alg == DST_ALG_NSEC3RSASHA1 || +@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) { + return (false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + INSIST(rsa != NULL); + +@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) { + if (d != NULL) { + BN_clear_free(d); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { + unsigned int mod_bytes; + isc_result_t ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa; + const BIGNUM *e = NULL, *n = NULL; + #else + BIGNUM *e = NULL, *n = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + REQUIRE(key->keydata.pkey != NULL); + + pkey = key->keydata.pkey; + isc_buffer_availableregion(data, &r); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { + if (e == NULL || n == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + mod_bytes = BN_num_bytes(n); + e_bytes = BN_num_bytes(e); +@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t 
*data) { + + ret = ISC_R_SUCCESS; + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -632,7 +632,7 @@ err: + if (n != NULL) { + BN_free(n); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + return (ret); + } + +@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_region_t r; + unsigned int e_bytes; + unsigned int length; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL; + #else + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + EVP_PKEY *pkey = NULL; + BIGNUM *e = NULL, *n = NULL; + +@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_forward(data, length); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult2("RSA_new", +@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->keydata.pkey = pkey; + pkey = NULL; +@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + err: + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -771,7 +771,7 @@ err: + if (bld != NULL) { + OSSL_PARAM_BLD_free(bld); + } +-#endif /* OPENSSL_VERSION_NUMBER < 
0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (n != NULL) { + BN_free(n); + } +@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + unsigned char *bufs[8] = { NULL }; + unsigned short i = 0; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL; + const BIGNUM *n = NULL, *e = NULL, *d = NULL; + const BIGNUM *p = NULL, *q = NULL; +@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + BIGNUM *n = NULL, *e = NULL, *d = NULL; + BIGNUM *p = NULL, *q = NULL; + BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (key->keydata.pkey == NULL) { + DST_RET(DST_R_NULLKEY); +@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + } + + pkey = key->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (n == NULL || e == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -935,7 +935,7 @@ err: + priv.elements[i].length); + } + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA_free(rsa); + #else + if (n != 
NULL) { +@@ -962,12 +962,12 @@ err: + if (iqmp != NULL) { + BN_clear_free(iqmp); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + rsa_check(RSA *rsa, RSA *pub) { + const BIGNUM *n1 = NULL, *n2 = NULL; +@@ -1079,14 +1079,14 @@ err: + + return (ret); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL, *pubrsa = NULL; + const BIGNUM *ex = NULL; + #else +@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; + BIGNUM *ex = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 + ENGINE *ep = NULL; + #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ +@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DST_RET(ISC_R_SUCCESS); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (pub != NULL && pub->keydata.pkey != NULL) { + pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + for (i = 0; i < priv.nelements; i++) { + switch (priv.elements[i].tag) { +@@ -1249,7 
+1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + } + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(ISC_R_NOMEMORY); +@@ -1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + ISC_R_SUCCESS) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); +@@ -1375,7 +1375,7 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -1419,7 +1419,7 @@ err: + if (iqmp != NULL) { + BN_clear_free(iqmp); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (ret != ISC_R_SUCCESS) { + key->keydata.generic = NULL; + } +@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) { + int status; + isc_result_t ret = ISC_R_SUCCESS; + size_t len; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL; + #else + OSSL_PARAM *params = NULL; +@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) { + DST_RET(ISC_R_NOMEMORY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult2("RSA_new", +@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) { + err: + BN_free(e); + BN_free(n); +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + 
RSA_free(rsa);
+ }
+--
+2.37.2
+
diff --git a/bind-9.18-pkcs11-engine-init.patch b/bind-9.18-pkcs11-engine-init.patch
new file mode 100644
index 0000000..5c0c6c4
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-init.patch
@@ -0,0 +1,48 @@
+From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Wed, 7 Sep 2022 13:46:31 +0200
+Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
+
+According to manual page of ENGINE_init, it should be called explicitly
+before any key operations happens. Make it active whole lifetime.
+---
+ lib/dns/openssl_link.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index 333f34cb37..a3f63885fa 100644
+--- a/lib/dns/openssl_link.c
++++ b/lib/dns/openssl_link.c
+@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
+ result = DST_R_NOENGINE;
+ goto cleanup_rm;
+ }
++ if (!ENGINE_init(e)) {
++ result = DST_R_NOENGINE;
++ goto cleanup_rm;
++ }
+ /* This will init the engine. */
+ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ result = DST_R_NOENGINE;
+- goto cleanup_rm;
++ goto cleanup_init;
+ }
+ }
+
+ return (ISC_R_SUCCESS);
++cleanup_init:
++ ENGINE_finish(e);
+ cleanup_rm:
+ if (e != NULL) {
+ ENGINE_free(e);
+@@ -108,6 +114,7 @@ void
+ dst__openssl_destroy(void) {
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ if (e != NULL) {
++ ENGINE_finish(e);
+ ENGINE_free(e);
+ }
+ e = NULL;
+--
+2.37.2
+
diff --git a/bind-9.18-pkcs11-engine-remove-deadcode.patch b/bind-9.18-pkcs11-engine-remove-deadcode.patch
new file mode 100644
index 0000000..7586395
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-remove-deadcode.patch
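Review bot: The context comment `/* This will init the engine. */` above `ENGINE_set_default()` is now misleading, because the new `ENGINE_init(e)` call a few lines earlier already takes the functional reference; I would replace it with `/* ENGINE_init() above holds the functional reference; now make the engine the default for all methods. */` so nobody later removes the ENGINE_init as redundant. The reference handling itself reads correctly: `cleanup_init` releases the functional reference with `ENGINE_finish()` before falling into `ENGINE_free()` for the structural one, and `dst__openssl_destroy()` now does both in the same order. On `ENGINE_init()` failure the OpenSSL error queue is dropped and only `DST_R_NOENGINE` is returned; routing it through `dst__openssl_toresult2("ENGINE_init", DST_R_NOENGINE)`, as the other link files do for OpenSSL failures, would preserve the PKCS#11 module's own error, which is exactly what an operator needs when an HSM refuses to initialise. Whether the file-scope `e` is reset to NULL after the `cleanup_rm` free is outside this hunk; if it is not, `dst__openssl_destroy()` would now call `ENGINE_finish()`/`ENGINE_free()` a second time on an already-freed engine. `dst__openssl_init()` begins before the hunk.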
@@ -0,0 +1,245 @@ +From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 8 Sep 2022 16:33:38 +0200 +Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0 + +OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM +builders. But it can be built in legacy mode, where deprecated but still +working API would be used. + +It can work under OpenSSL 3.0, but only if using legacy code paths +matching OpenSSL 1.1 calls and functions. + +Remove fromlabel processing by OpenSSL 3.0 only functions. They can +return later with a proper provider support for pkcs11. +--- + lib/dns/opensslecdsa_link.c | 55 ------------------------------------- + lib/dns/opensslrsa_link.c | 32 --------------------- + 2 files changed, 87 deletions(-) + +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 04f0d80b5e..f04f076e42 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 + isc_result_t ret = ISC_R_SUCCESS; + ENGINE *e; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + EC_KEY *eckey = NULL; + EC_KEY *pubeckey = NULL; + int group_nid; +-#else +- size_t len; +- const char *curve_name, *nist_curve_name; +- char buf[128]; /* Sufficient for all of the supported curves' names. 
*/ +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + EVP_PKEY *pkey = NULL; + EVP_PKEY *pubpkey = NULL; + +@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + DST_RET(DST_R_NOENGINE); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (key->key_alg == DST_ALG_ECDSA256) { + group_nid = NID_X9_62_prime256v1; + } else { + group_nid = NID_secp384r1; + } +-#else +- /* Get the expected curve names */ +- if (key->key_alg == DST_ALG_ECDSA256) { +- curve_name = "prime256v1"; +- nist_curve_name = "P-256"; +- } else { +- curve_name = "secp384r1"; +- nist_curve_name = "P-384"; +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + /* Load private key. */ + pkey = ENGINE_load_private_key(e, label, NULL, NULL); +@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { + DST_RET(DST_R_INVALIDPRIVATEKEY); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) { + DST_RET(DST_R_INVALIDPRIVATEKEY); + } +-#else +- len = 0; +- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, +- buf, sizeof buf, &len) != 1 || +- len == 0 || len >= sizeof buf) +- { +- DST_RET(DST_R_INVALIDPRIVATEKEY); +- } +- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && +- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) +- { +- DST_RET(DST_R_INVALIDPRIVATEKEY); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + /* Load public key. 
*/ + pubpkey = ENGINE_load_public_key(e, label, NULL, NULL); +@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) { + DST_RET(DST_R_INVALIDPUBLICKEY); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey); + if (pubeckey == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) { + DST_RET(DST_R_INVALIDPUBLICKEY); + } +-#else +- len = 0; +- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME, +- buf, sizeof buf, &len) != 1 || +- len == 0 || len >= sizeof buf) +- { +- DST_RET(DST_R_INVALIDPUBLICKEY); +- } +- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && +- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) +- { +- DST_RET(DST_R_INVALIDPUBLICKEY); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } +-#else +- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + key->label = isc_mem_strdup(key->mctx, label); + key->engine = isc_mem_strdup(key->mctx, engine); +@@ -1442,14 +1389,12 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (pubeckey != NULL) { + EC_KEY_free(pubeckey); + } + if (eckey != NULL) { + EC_KEY_free(eckey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + return (ret); + #else +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index 867b486a2f..cf350610ba 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ 
-1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + key->engine = isc_mem_strdup(key->mctx, engine); + key->label = isc_mem_strdup(key->mctx, label); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } + RSA_get0_key(rsa, NULL, &ex, NULL); +-#else +- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) != +- ISC_R_SUCCESS) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != +- 1) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + if (ex == NULL) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + ENGINE *e = NULL; + isc_result_t ret = ISC_R_SUCCESS; + EVP_PKEY *pkey = NULL, *pubpkey = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA *rsa = NULL, *pubrsa = NULL; + const BIGNUM *ex = NULL; +-#else +- BIGNUM *ex = NULL; +-#endif + + UNUSED(pin); + +@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", + DST_R_OPENSSLFAILURE)); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + pubrsa = EVP_PKEY_get1_RSA(pubpkey); + if (pubrsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + pkey = ENGINE_load_private_key(e, label, NULL, NULL); + if (pkey == NULL) { +@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + key->engine = isc_mem_strdup(key->mctx, engine); + key->label = 
isc_mem_strdup(key->mctx, label); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } + RSA_get0_key(rsa, NULL, &ex, NULL); +-#else +- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + if (ex == NULL) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + pkey = NULL; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (rsa != NULL) { + RSA_free(rsa); + } + if (pubrsa != NULL) { + RSA_free(pubrsa); + } +-#else +- if (ex != NULL) { +- BN_free(ex); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-- +2.37.2 + diff --git a/bind.spec b/bind.spec index 860a524..1840c00 100644 --- a/bind.spec +++ b/bind.spec @@ -61,7 +61,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.18.6 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
@@ -97,6 +97,11 @@ Source49: named-chroot.files Patch10: bind-9.5-PIE.patch Patch16: bind-9.16-redhat_doc.patch Patch22: bind-9.11-fips-tests.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385 +# https://bugzilla.redhat.com/show_bug.cgi?id=2122841 +Patch23: bind-9.18-pkcs11-engine-init.patch +Patch24: bind-9.18-pkcs11-engine-compat-api.patch +Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch %{?systemd_ordering} Requires: coreutils @@ -349,10 +354,11 @@ done cp -Tuav bin/tests "%{1}/bin/tests/" \ CFLAGS="$CFLAGS $RPM_OPT_FLAGS" +CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100" %if %{with TSAN} CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie" %endif -export CFLAGS +export CFLAGS CPPFLAGS export STD_CDEFINES="$CPPFLAGS" @@ -402,6 +408,7 @@ export LIBDIR_SUFFIX %endif --enable-fixed-rrset \ --enable-full-report \ + CPPFLAGS="$CPPFLAGS" \ ; %if %{with DNSTAP} pushd lib @@ -941,6 +948,9 @@ fi; %endif %changelog +* Tue Sep 06 2022 Petr Menšík - 32:9.18.6-3 +- Return OpenSSL engine implementation for pkcs11 interface (#2122841) + * Thu Sep 01 2022 Petr Menšík - 32:9.18.6-2 - Always show error details for failed unittests (#2122010)
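Review bot: `CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"` is added with no comment, although it changes the crypto posture of the whole package: it selects the deprecated ENGINE code paths in the three patched files and also silences OpenSSL 3.0 deprecation warnings for every other translation unit, so any new use of legacy API elsewhere in the tree would no longer be flagged at build time. I would put the rationale and the exit condition directly above the line: `# OpenSSL 3.0 deprecated the ENGINE API; build at the 1.1 API level so the pkcs11 engine (Patch23-Patch25) can still load keys. Drop once a provider-based pkcs11 backend lands upstream.` A `%bcond` around the define and the three patches would let the package still be test-built on the 3.0 provider path, so the compat mode does not quietly become permanent. The same flag is also passed as `CPPFLAGS="$CPPFLAGS"` to configure in the following hunk while `STD_CDEFINES="$CPPFLAGS"` is still exported; presumably both consumers need it, but a one-line comment naming which one reads which would spare the next maintainer a failed build.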