diff --git a/SOURCES/ldns-1.7.1-openssl-build.patch b/SOURCES/ldns-1.7.1-openssl-build.patch
new file mode 100644
index 0000000..41834ad
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-openssl-build.patch
@@ -0,0 +1,369 @@
+--- a/ldns-1.7.1/acx_nlnetlabs.m4
++++ b/ldns-1.7.1/acx_nlnetlabs.m4
+@@ -2,7 +2,15 @@
+ # Copyright 2009, Wouter Wijngaards, NLnet Labs.
+ # BSD licensed.
+ #
+-# Version 34
++# Version 41
++# 2021-07-30 fix for openssl use of lib64 directory.
++# 2021-06-14 fix nonblocking test to use host instead of target for mingw test.
++# 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for
++# 64bit compatibility.
++# 2021-03-24 fix ACX_FUNC_DEPRECATED to use CPPFLAGS and CFLAGS.
++# 2021-01-05 fix defun for aclocal
++# 2021-01-05 autoconf 2.70 autoupdate and fixes, no AC_TRY_COMPILE
++# 2020-08-24 Use EVP_sha256 instead of HMAC_Update (for openssl-3.0.0).
+ # 2016-03-21 Check -ldl -pthread for libcrypto for ldns and openssl 1.1.0.
+ # 2016-03-21 Use HMAC_Update instead of HMAC_CTX_Init (for openssl-1.1.0).
+ # 2016-01-04 -D_DEFAULT_SOURCE defined with -D_BSD_SOURCE for Linux glibc 2.20
+@@ -446,15 +454,12 @@
+ AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "format" attribute)
+ AC_CACHE_VAL(ac_cv_c_format_attribute,
+ [ac_cv_c_format_attribute=no
+-AC_TRY_COMPILE(
+-[#include <stdio.h>
++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
+ void f (char *format, ...) __attribute__ ((format (printf, 1, 2)));
+ void (*pf) (char *format, ...) __attribute__ ((format (printf, 1, 2)));
+-], [
++]], [[
+ f ("%s", "str");
+-],
+-[ac_cv_c_format_attribute="yes"],
+-[ac_cv_c_format_attribute="no"])
++]])],[ac_cv_c_format_attribute="yes"],[ac_cv_c_format_attribute="no"])
+ ])
+
+ AC_MSG_RESULT($ac_cv_c_format_attribute)
+@@ -483,14 +488,11 @@
+ AC_MSG_CHECKING(whether the C compiler (${CC-cc}) accepts the "unused" attribute)
+ AC_CACHE_VAL(ac_cv_c_unused_attribute,
+ [ac_cv_c_unused_attribute=no
+-AC_TRY_COMPILE(
+-[#include <stdio.h>
++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <stdio.h>
+ void f (char *u __attribute__((unused)));
+-], [
++]], [[
+ f ("x");
+-],
+-[ac_cv_c_unused_attribute="yes"],
+-[ac_cv_c_unused_attribute="no"])
++]])],[ac_cv_c_unused_attribute="yes"],[ac_cv_c_unused_attribute="no"])
+ ])
+
+ dnl Setup ATTR_UNUSED config.h parts.
+@@ -547,7 +549,7 @@
+ dnl because libtools 'AC_REQUIRE' names are right after this one, before
+ dnl this function contents.
+ AC_REQUIRE([ACX_LIBTOOL_C_PRE])
+-AC_PROG_LIBTOOL
++LT_INIT
+ ])
+
+ dnl Detect if u_char type is defined, otherwise define it.
+@@ -646,7 +648,7 @@
+ if test x_$withval != x_no; then
+ AC_MSG_CHECKING(for SSL)
+ if test x_$withval = x_ -o x_$withval = x_yes; then
+- withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/sfw /usr"
++ withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr"
+ fi
+ for dir in $withval; do
+ ssldir="$dir"
+@@ -668,22 +670,28 @@
+ HAVE_SSL=yes
+ dnl assume /usr is already in the lib and dynlib paths.
+ if test "$ssldir" != "/usr" -a "$ssldir" != ""; then
+- LDFLAGS="$LDFLAGS -L$ssldir/lib"
+- LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
+- ACX_RUNTIME_PATH_ADD([$ssldir/lib])
++ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
++ LDFLAGS="$LDFLAGS -L$ssldir/lib64"
++ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64"
++ ACX_RUNTIME_PATH_ADD([$ssldir/lib64])
++ else
++ LDFLAGS="$LDFLAGS -L$ssldir/lib"
++ LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib"
++ ACX_RUNTIME_PATH_ADD([$ssldir/lib])
++ fi
+ fi
+
+- AC_MSG_CHECKING([for HMAC_Update in -lcrypto])
++ AC_MSG_CHECKING([for EVP_sha256 in -lcrypto])
+ LIBS="$LIBS -lcrypto"
+ LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto"
+- AC_TRY_LINK(, [
+- int HMAC_Update(void);
+- (void)HMAC_Update();
+- ], [
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
++ int EVP_sha256(void);
++ (void)EVP_sha256();
++ ]])],[
+ AC_MSG_RESULT(yes)
+- AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+- [If you have HMAC_Update])
+- ], [
++ AC_DEFINE([HAVE_EVP_SHA256], 1,
++ [If you have EVP_sha256])
++ ],[
+ AC_MSG_RESULT(no)
+ # check if -lwsock32 or -lgdi32 are needed.
+ BAKLIBS="$LIBS"
+@@ -691,12 +699,12 @@
+ LIBS="$LIBS -lgdi32 -lws2_32"
+ LIBSSL_LIBS="$LIBSSL_LIBS -lgdi32 -lws2_32"
+ AC_MSG_CHECKING([if -lcrypto needs -lgdi32])
+- AC_TRY_LINK([], [
+- int HMAC_Update(void);
+- (void)HMAC_Update();
+- ],[
+- AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+- [If you have HMAC_Update])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
++ int EVP_sha256(void);
++ (void)EVP_sha256();
++ ]])],[
++ AC_DEFINE([HAVE_EVP_SHA256], 1,
++ [If you have EVP_sha256])
+ AC_MSG_RESULT(yes)
+ ],[
+ AC_MSG_RESULT(no)
+@@ -705,12 +713,12 @@
+ LIBS="$LIBS -ldl"
+ LIBSSL_LIBS="$LIBSSL_LIBS -ldl"
+ AC_MSG_CHECKING([if -lcrypto needs -ldl])
+- AC_TRY_LINK([], [
+- int HMAC_Update(void);
+- (void)HMAC_Update();
+- ],[
+- AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+- [If you have HMAC_Update])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
++ int EVP_sha256(void);
++ (void)EVP_sha256();
++ ]])],[
++ AC_DEFINE([HAVE_EVP_SHA256], 1,
++ [If you have EVP_sha256])
+ AC_MSG_RESULT(yes)
+ ],[
+ AC_MSG_RESULT(no)
+@@ -719,12 +727,12 @@
+ LIBS="$LIBS -ldl -pthread"
+ LIBSSL_LIBS="$LIBSSL_LIBS -ldl -pthread"
+ AC_MSG_CHECKING([if -lcrypto needs -ldl -pthread])
+- AC_TRY_LINK([], [
+- int HMAC_Update(void);
+- (void)HMAC_Update();
+- ],[
+- AC_DEFINE([HAVE_HMAC_UPDATE], 1,
+- [If you have HMAC_Update])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[
++ int EVP_sha256(void);
++ (void)EVP_sha256();
++ ]])],[
++ AC_DEFINE([HAVE_EVP_SHA256], 1,
++ [If you have EVP_sha256])
+ AC_MSG_RESULT(yes)
+ ],[
+ AC_MSG_RESULT(no)
+@@ -749,9 +757,8 @@
+ dnl
+ AC_DEFUN([ACX_WITH_SSL],
+ [
+-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+- [enable SSL (will check /usr/local/ssl
+- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/sfw /usr)]),[
++AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
++ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+ ],[
+ withval="yes"
+ ])
+@@ -768,9 +775,8 @@
+ dnl
+ AC_DEFUN([ACX_WITH_SSL_OPTIONAL],
+ [
+-AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl=pathname],
+- [enable SSL (will check /usr/local/ssl
+- /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/local/opt/openssl /usr/sfw /usr)]),[
++AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl=pathname],[enable SSL (will check /usr/local/ssl
++ /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)]),[
+ ],[
+ withval="yes"
+ ])
+@@ -893,7 +899,7 @@
+ [
+ echo '$3' >conftest.c
+ echo 'void f(){ $2 }' >>conftest.c
+-if test -z "`$CC -c conftest.c 2>&1 | grep deprecated`"; then
++if test -z "`$CC $CPPFLAGS $CFLAGS -c conftest.c 2>&1 | grep -e deprecated -e unavailable`"; then
+ eval "cv_cc_deprecated_$cache=no"
+ else
+ eval "cv_cc_deprecated_$cache=yes"
+@@ -919,7 +925,7 @@
+ AC_DEFUN([ACX_CHECK_NONBLOCKING_BROKEN],
+ [
+ AC_MSG_CHECKING([if nonblocking sockets work])
+-if echo $target | grep mingw32 >/dev/null; then
++if echo $host | grep mingw >/dev/null; then
+ AC_MSG_RESULT([no (windows)])
+ AC_DEFINE([NONBLOCKING_IS_BROKEN], 1, [Define if the network stack does not fully support nonblocking io (causes lower performance).])
+ else
+@@ -1061,7 +1067,7 @@
+ AC_DEFUN([ACX_MKDIR_ONE_ARG],
+ [
+ AC_MSG_CHECKING([whether mkdir has one arg])
+-AC_TRY_COMPILE([
++AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <stdio.h>
+ #include <unistd.h>
+ #ifdef HAVE_WINSOCK2_H
+@@ -1070,14 +1076,12 @@
+ #ifdef HAVE_SYS_STAT_H
+ #include <sys/stat.h>
+ #endif
+-], [
++]], [[
+ (void)mkdir("directory");
+-],
+-AC_MSG_RESULT(yes)
++]])],[AC_MSG_RESULT(yes)
+ AC_DEFINE(MKDIR_HAS_ONE_ARG, 1, [Define if mkdir has one argument.])
+-,
+-AC_MSG_RESULT(no)
+-)
++],[AC_MSG_RESULT(no)
++])
+ ])dnl end of ACX_MKDIR_ONE_ARG
+
+ dnl Check for ioctlsocket function. works on mingw32 too.
+
+--- a/ldns-1.7.1/dnssec_sign.c
++++ b/ldns-1.7.1/dnssec_sign.c
+
+@@ -413,11 +416,14 @@
+ {
+ EC_KEY* ec;
+ const EC_GROUP* g;
+-#ifdef HAVE_EVP_PKEY_BASE_ID
++#ifdef HAVE_EVP_PKEY_GET_BASE_ID
++ if(EVP_PKEY_get_base_id(pkey) != EVP_PKEY_EC)
++ return 0;
++#elif defined(HAVE_EVP_PKEY_BASE_ID)
+ if(EVP_PKEY_base_id(pkey) != EVP_PKEY_EC)
+ return 0;
+ #else
+- if(EVP_PKEY_type(key->type) != EVP_PKEY_EC)
++ if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC)
+ return 0;
+ #endif
+ ec = EVP_PKEY_get1_EC_KEY(pkey);
+@@ -529,7 +535,9 @@
+ #ifdef USE_DSA
+ #ifndef S_SPLINT_S
+ /* unfortunately, OpenSSL output is different from DNS DSA format */
+-# ifdef HAVE_EVP_PKEY_BASE_ID
++# ifdef HAVE_EVP_PKEY_GET_BASE_ID
++ if (EVP_PKEY_get_base_id(key) == EVP_PKEY_DSA) {
++# elif defined(HAVE_EVP_PKEY_BASE_ID)
+ if (EVP_PKEY_base_id(key) == EVP_PKEY_DSA) {
+ # else
+ if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) {
+@@ -541,7 +549,9 @@
+ #endif
+ #if defined(USE_ECDSA)
+ if(
+-# ifdef HAVE_EVP_PKEY_BASE_ID
++# ifdef HAVE_EVP_PKEY_GET_BASE_ID
++ EVP_PKEY_get_base_id(key)
++# elif defined(HAVE_EVP_PKEY_BASE_ID)
+ EVP_PKEY_base_id(key)
+ # else
+ EVP_PKEY_type(key->type)
+
+--- a/ldns-1.7.1/configure.ac
++++ b/ldns-1.7.1/configure.ac
+@@ -332,7 +356,8 @@
+ else
+ AC_MSG_RESULT([no])
+ fi
+-AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key OPENSSL_init_ssl OPENSSL_init_crypto ERR_load_crypto_strings])
++AC_CHECK_HEADERS([openssl/ssl.h openssl/evp.h openssl/engine.h openssl/conf.h])
++AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id DSA_SIG_set0 DSA_SIG_get0 EVP_dss1 DSA_get0_pqg DSA_get0_key EVP_cleanup ENGINE_cleanup ENGINE_free CRYPTO_cleanup_all_ex_data ERR_free_strings CONF_modules_unload OPENSSL_init_ssl OPENSSL_init_crypto ERR_load_crypto_strings CRYPTO_memcmp EVP_PKEY_get_base_id])
+
+ # for macosx, see if glibtool exists and use that
+ # BSD's need to know the version...
+@@ -355,21 +380,33 @@
+ ;;
+ esac
+
+-# check wether gost also works
++# check whether gost also works
+ AC_DEFUN([AC_CHECK_GOST_WORKS],
+ [AC_REQUIRE([AC_PROG_CC])
+ AC_MSG_CHECKING([if GOST works])
+ if test c${cross_compiling} = cno; then
+ BAKCFLAGS="$CFLAGS"
+ if test -n "$ssldir"; then
++ if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then
++ CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib64"
++ else
+ CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib"
++ fi
+ fi
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[
+ #include <string.h>
++#ifdef HAVE_OPENSSL_SSL_H
+ #include <openssl/ssl.h>
++#endif
++#ifdef HAVE_OPENSSL_EVP_H
+ #include <openssl/evp.h>
++#endif
++#ifdef HAVE_OPENSSL_ENGINE_H
+ #include <openssl/engine.h>
++#endif
++#ifdef HAVE_OPENSSL_CONF_H
+ #include <openssl/conf.h>
++#endif
+ /* routine to load gost (from sldns) */
+ int load_gost_id(void)
+ {
+@@ -464,7 +501,7 @@
+ AC_CHECK_FUNC(EVP_PKEY_set_type_str, [],[AC_MSG_ERROR([OpenSSL >= 1.0.0 is needed for GOST support or rerun with --disable-gost])])
+ AC_CHECK_FUNC(EC_KEY_new, [], [AC_MSG_ERROR([No ECC functions found in OpenSSL: please upgrade OpenSSL or rerun with --disable-gost])])
+ AC_CHECK_GOST_WORKS
+- AC_ARG_ENABLE(gost-anyway, AC_HELP_STRING([--enable-gost-anyway], [Enable GOST even whithout a GOST engine installed]))
++ AC_ARG_ENABLE(gost-anyway, AC_HELP_STRING([--enable-gost-anyway], [Enable GOST even without a GOST engine installed]))
+ if test "$ac_cv_c_gost_works" != "no" -o "$enable_gost_anyway" = "yes"; then
+ if test "$ac_cv_c_gost_works" = "no"; then
+ AC_MSG_RESULT([no, but compiling with GOST support anyway])
+@@ -584,9 +621,11 @@
+ AC_SUBST(ldns_build_config_use_dane_ta_usage, 0)
+ ;;
+ *) dnl default
+- LIBS="-lssl $LIBS"
++ danetmpLIBS="$LIBS"
++ LIBS="-lssl -lcrypto $LIBS"
+ AC_CHECK_FUNC(SSL_get0_dane, [], [AC_MSG_ERROR([OpenSSL does not support offline DANE verification (Needed for the DANE-TA usage type). Please upgrade OpenSSL to version >= 1.1.0 or rerun with --disable-dane-verify or --disable-dane-ta-usage])])
+ LIBSSL_LIBS="-lssl $LIBSSL_LIBS"
++ LIBS="$danetmpLIBS"
+ AC_SUBST(ldns_build_config_use_dane_ta_usage, 1)
+ AC_DEFINE_UNQUOTED([USE_DANE_TA_USAGE], [1], [Define this to enable DANE-TA usage type support.])
+ ;;
+@@ -658,7 +697,12 @@
+ AC_SUBST(LIBSSL_LDFLAGS)
+ AC_SUBST(LIBSSL_LIBS)
+ if test "x$HAVE_SSL" = "xyes"; then
+-AC_SUBST(LIBSSL_SSL_LIBS, ["-lssl $LIBSSL_LIBS"])
++ if echo "$LIBSSL_LIBS" | grep -- "-lssl" >/dev/null 2>&1; then
++ LIBSSL_SSL_LIBS="$LIBSSL_LIBS"
++ else
++ LIBSSL_SSL_LIBS="-lssl $LIBSSL_LIBS"
++ fi
++ AC_SUBST(LIBSSL_SSL_LIBS, "$LIBSSL_SSL_LIBS")
+ fi
+ CPPFLAGS=$tmp_CPPFLAGS
+ LDFLAGS=$tmp_LDFLAGS
+
diff --git a/SPECS/ldns.spec b/SPECS/ldns.spec
index d868052..25a1579 100644
--- a/SPECS/ldns.spec
+++ b/SPECS/ldns.spec
@@ -18,7 +18,7 @@
# GOST is not allowed in Fedora/RHEL due to legal reasons (not NIST ECC)
%bcond_with gost
-%{?!snapshot: %global snapshot 0}
+%{?!snapshot: %global snapshot 1}
%if %{with python2} || %{with python3}
%{?filter_setup:
@@ -39,7 +39,7 @@
Summary: Low-level DNS(SEC) library with API
Name: ldns
Version: 1.7.1
-Release: 7%{?dist}
+Release: 8%{?dist}
License: BSD
Url: https://www.nlnetlabs.nl/%{name}/
@@ -48,6 +48,8 @@ Source1: https://www.nlnetlabs.nl/downloads/%{name}/%{name}-%{version}.tar.gz.as
# Willem Toorop, https://www.nlnetlabs.nl/people/
Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/DC34EE5DB2417BCC151E5100E5F8F8212F77A498#/wtoorop.asc
Patch1: ldns-1.7.0-multilib.patch
+# 2008445 - https://github.com/NLnetLabs/ldns/commit/12ab6f7a408cd99e9b43b7db86724c2ee66bc36e
+Patch2: ldns-1.7.1-openssl-build.patch
# Only needed for builds from svn snapshot
%if 0%{snapshot}
@@ -349,6 +351,9 @@ rm -rf doc/man
%doc doc
%changelog
+* Wed Oct 13 2021 Richard Lescak <rlescak@redhat.com> - 1.7.1-8
+- Added patch for failing rebuild with OpenSSL 3.0.0 (#2008445)
+
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.1-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688