diff --git a/.gitignore b/.gitignore index c6e3afe..d9ce40c 100644 --- a/.gitignore +++ b/.gitignore @@ -192,3 +192,5 @@ bind-9.7.2b1.tar.gz /bind-9.18.6.tar.xz.asc /bind-9.18.7.tar.xz /bind-9.18.7.tar.xz.asc +/bind-9.18.8.tar.xz +/bind-9.18.8.tar.xz.asc diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 415a87a..072419f 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From b1e27453fadcf8ce453beed5b896ad995dfb5534 Mon Sep 17 00:00:00 2001 +From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -428,10 +428,10 @@ index 364f94b..9518f82 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index bbffe07..80da0fe 100644 +index 01a13cf..3711c63 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2 +@@ -201,7 +201,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 @@ -440,7 +440,7 @@ index bbffe07..80da0fe 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2 +@@ -214,7 +214,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 @@ -449,7 +449,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2 +@@ -228,7 +228,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 @@ -458,7 +458,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2 +@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 @@ -467,7 +467,7 @@ index bbffe07..80da0fe 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2 +@@ -380,7 +380,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 @@ -476,7 +476,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2 +@@ -394,7 +394,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 @@ -485,7 +485,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -533,7 +533,7 @@ status=`expr $status + $ret` +@@ -534,7 +534,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 @@ -494,7 +494,7 @@ index bbffe07..80da0fe 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -543,7 +543,7 @@ status=`expr $status + $ret` +@@ -544,7 +544,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 @@ -503,7 +503,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -554,7 +554,7 @@ status=`expr $status + $ret` +@@ -555,7 +555,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 @@ -513,16 +513,18 @@ index bbffe07..80da0fe 100644 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 1421281..424afb8 100644 +index 3a8e401..82e720d 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -122,5 +122,5 @@ view "ch" ch { +@@ -122,7 +122,7 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm hmac-sha256; }; + + key next_key. { diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf index 4af25b0..9f202d5 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf diff --git a/bind-9.18-doc-arm-rhel9.patch b/bind-9.18-doc-arm-rhel9.patch deleted file mode 100644 index 2778e1e..0000000 --- a/bind-9.18-doc-arm-rhel9.patch +++ /dev/null @@ -1,46 +0,0 @@ -diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst -index 0d72000..f4810ae 100644 ---- a/doc/arm/dnssec.inc.rst -+++ b/doc/arm/dnssec.inc.rst -@@ -282,7 +282,7 @@ NSEC3 - - To sign using :ref:`NSEC3 ` instead of :ref:`NSEC - `, add an NSEC3PARAM record to the initial update --request. The :term:`OPTOUT ` bit in the NSEC3 -+request. The :term:`OPTOUT ` bit in the NSEC3 - chain can be set in the flags field of the - NSEC3PARAM record. - -diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst -index ef6c1c7..b59b0ac 100644 ---- a/doc/arm/reference.rst -+++ b/doc/arm/reference.rst -@@ -35,7 +35,7 @@ The file :file:`named.conf` may contain three types of entities: - - Block - :ref:`Blocks ` are containers for :term:`statements -- ` which either have common functionality - for example, -+ ` which either have common functionality - for example, - the definition of a cryptographic key in a :namedconf:ref:`key` block - or which - define the scope of the statement - for example, a statement which appears - in a :namedconf:ref:`zone` block has scope only for that zone. -@@ -68,7 +68,7 @@ The file :file:`named.conf` may contain three types of entities: - more argument/value pairs. The :any:`also-notify` statement may take a number - of such argument/value pairs, such as ``also-notify port 5353;``, - where ``port`` is the argument and ``5353`` is the corresponding value. -- - Statements can appear in a single :term:`block` - for -+ - Statements can appear in a single :term:`block ` - for - example, an :namedconf:ref:`algorithm` statement can appear only in a - :namedconf:ref:`key` block - or in multiple blocks - for example, an - :any:`also-notify` statement can appear in an :namedconf:ref:`options` -@@ -6550,8 +6550,8 @@ The following options can be specified in a :any:`dnssec-policy` statement: - of the indicated length. - - .. warning:: -- Do not use extra :term:`iterations`, :term:`salt`, and -- :term:`opt-out` unless their implications are fully understood. -+ Do not use extra :term:`iterations `, :term:`salt `, and -+ :term:`opt-out ` unless their implications are fully understood. - A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. - diff --git a/bind-9.18-pkcs11-engine-compat-api.patch b/bind-9.18-pkcs11-engine-compat-api.patch deleted file mode 100644 index 678d199..0000000 --- a/bind-9.18-pkcs11-engine-compat-api.patch +++ /dev/null @@ -1,1556 +0,0 @@ -From 1ecf072a6a556aa386003d1d5b83fe172320e7ed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 8 Sep 2022 17:19:20 +0200 -Subject: [PATCH] Do not use OSSL_PARAM when engine API is compiled - -OpenSSL has deprecated many things in version 3.0. If pkcs11 engine -should work then no builder from OpenSSL 3.0 API can be used. - -Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when -OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow -working keys loading from the engine passed on command line. ---- - lib/dns/openssldh_link.c | 136 +++++++++++++++++++----------------- - lib/dns/opensslecdsa_link.c | 119 +++++++++++++++---------------- - lib/dns/opensslrsa_link.c | 118 +++++++++++++++---------------- - 3 files changed, 189 insertions(+), 184 deletions(-) - -diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c -index 1a01c2b..7df483f 100644 ---- a/lib/dns/openssldh_link.c -+++ b/lib/dns/openssldh_link.c -@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; - static isc_result_t - openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dhpub, *dhpriv; - const BIGNUM *pub_key = NULL; - int secret_len = 0; -@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *dhpub, *dhpriv; - size_t secret_len = 0; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - unsigned int len; - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(pub->keydata.dh != NULL); - REQUIRE(priv->keydata.dh != NULL); - -@@ -119,14 +119,14 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - dhpriv = priv->keydata.pkey; - - len = EVP_PKEY_get_size(dhpriv); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(secret, &r); - if (r.length < len) { - return (ISC_R_NOSPACE); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH_get0_key(dhpub, &pub_key, NULL); - secret_len = DH_compute_key(r.base, pub_key, dhpriv); - if (secret_len <= 0) { -@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - DST_R_COMPUTESECRETFAILURE)); - } - EVP_PKEY_CTX_free(ctx); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_add(secret, (unsigned int)secret_len); - -@@ -166,7 +166,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - static bool - openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; -@@ -176,9 +176,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - -@@ -210,7 +210,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || - BN_cmp(pub_key1, pub_key2) != 0) -@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - } - - err: --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - BN_free(p1); - } -@@ -251,7 +251,8 @@ err: - if (priv_key2 != NULL) { - BN_clear_free(priv_key2); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (ret); - } -@@ -259,15 +260,15 @@ err: - static bool - openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - #else - EVP_PKEY *pkey1, *pkey2; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - -@@ -293,14 +294,14 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { - DST_RET(false); - } - - err: --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - BN_free(p1); - } -@@ -313,12 +314,13 @@ err: - if (g2 != NULL) { - BN_free(g2); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static int - progress_cb(int p, int n, BN_GENCB *cb) { - union { -@@ -349,7 +351,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { - } - return (1); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { -@@ -359,7 +361,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - void (*fptr)(int); - } u; - BIGNUM *p = NULL, *g = NULL; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; - BN_GENCB *cb = NULL; - #if !HAVE_BN_GENCB_NEW -@@ -372,9 +374,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *param_pkey = NULL; - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); -@@ -388,7 +390,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - if (param_ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (generator == 0) { - /* -@@ -408,7 +410,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - if (p == NULL || g == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2( - "DH_set0_pqg", DST_R_OPENSSLFAILURE)); -@@ -432,7 +434,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - } else { - /* -@@ -445,7 +447,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - } - - if (generator != 0) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - cb = BN_GENCB_new(); - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if (cb == NULL) { -@@ -488,10 +490,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_generate_key(dh) == 0) { - DST_RET(dst__openssl_toresult2("DH_generate_key", - DST_R_OPENSSLFAILURE)); -@@ -559,12 +561,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - - key->keydata.pkey = pkey; - pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -@@ -596,14 +598,14 @@ err: - if (g != NULL) { - BN_free(g); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - - static bool - openssldh_isprivate(const dst_key_t *key) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - const BIGNUM *priv_key = NULL; - -@@ -628,12 +630,12 @@ openssldh_isprivate(const dst_key_t *key) { - } - - return (ret); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - - static void - openssldh_destroy(dst_key_t *key) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - - if (dh == NULL) { -@@ -651,7 +653,7 @@ openssldh_destroy(dst_key_t *key) { - - EVP_PKEY_free(pkey); - key->keydata.pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - - static void -@@ -678,17 +680,17 @@ uint16_fromregion(isc_region_t *region) { - static isc_result_t - openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret = ISC_R_SUCCESS; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - #else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - uint16_t dnslen, plen, glen, publen; - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(key->keydata.dh != NULL); - - dh = key->keydata.dh; -@@ -701,7 +703,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(data, &r); - -@@ -749,7 +751,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_buffer_add(data, dnslen); - - err: --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } -@@ -759,7 +761,8 @@ err: - if (pub_key != NULL) { - BN_free(pub_key); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (ret); - } -@@ -767,14 +770,14 @@ err: - static isc_result_t - openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - #else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - int key_size; - isc_region_t r; -@@ -786,7 +789,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - return (ISC_R_SUCCESS); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); -@@ -801,7 +804,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - /* - * Read the prime length. 1 & 2 are table entries, > 16 means a -@@ -877,7 +880,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - - key_size = BN_num_bits(p); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_pqg", - DST_R_OPENSSLFAILURE)); -@@ -893,7 +896,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); -@@ -911,7 +914,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - - isc_buffer_forward(data, plen + glen + publen + 6); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ - (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) - /* -@@ -955,14 +958,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - - key->keydata.pkey = pkey; - pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -@@ -979,7 +982,7 @@ err: - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != NULL) { - BN_free(p); - } -@@ -995,13 +998,13 @@ err: - - static isc_result_t - openssldh_tofile(const dst_key_t *key, const char *directory) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - #else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - dst_private_t priv; - unsigned char *bufs[4] = { NULL }; - unsigned short i = 0; -@@ -1011,7 +1014,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - return (DST_R_EXTERNALKEY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (key->keydata.dh == NULL) { - return (DST_R_NULLKEY); - } -@@ -1029,7 +1032,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - priv.elements[i].tag = TAG_DH_PRIME; - priv.elements[i].length = BN_num_bytes(p); -@@ -1069,7 +1072,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - } - } - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } -@@ -1082,7 +1085,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - if (priv_key != NULL) { - BN_clear_free(priv_key); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (result); - } -@@ -1092,14 +1096,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; - #else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - int key_size = 0; - isc_mem_t *mctx; -@@ -1117,7 +1121,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DST_RET(DST_R_EXTERNALKEY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(ISC_R_NOMEMORY); -@@ -1132,7 +1136,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; -@@ -1159,7 +1163,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - } - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_key(dh, pub_key, priv_key) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_key", - DST_R_OPENSSLFAILURE)); -@@ -1206,13 +1210,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - - key->keydata.pkey = pkey; - pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -@@ -1229,7 +1233,7 @@ err: - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != NULL) { - BN_free(p); - } -diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c -index 519e88b..04f0d80 100644 ---- a/lib/dns/opensslecdsa_link.c -+++ b/lib/dns/opensslecdsa_link.c -@@ -17,14 +17,14 @@ - - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #include - #include - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -@@ -57,7 +57,7 @@ - goto err; \ - } - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - static isc_result_t - raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key, - size_t key_len, EVP_PKEY **pkey) { -@@ -159,7 +159,8 @@ err: - - return (ret); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - static isc_result_t - opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { -@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret; - EVP_PKEY *pkey1 = key1->keydata.pkey; - EVP_PKEY *pkey2 = key2->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey1 = NULL; - EC_KEY *eckey2 = NULL; - const BIGNUM *priv1; -@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - #else - BIGNUM *priv1 = NULL; - BIGNUM *priv2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); -@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - DST_RET(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey1 = EVP_PKEY_get1_EC_KEY(pkey1); - eckey2 = EVP_PKEY_get1_EC_KEY(pkey2); - if (eckey1 == NULL && eckey2 == NULL) { -@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - #else - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (priv1 != NULL || priv2 != NULL) { - if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0) -@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - ret = true; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey1 != NULL) { - EC_KEY_free(eckey1); - } -@@ -471,7 +472,7 @@ err: - if (priv2 != NULL) { - BN_clear_free(priv2); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - isc_result_t ret; - int status; - EVP_PKEY *pkey = NULL; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - #else - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *params_pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - int group_nid; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EC_KEY_new_by_curve_name(group_nid); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name", -@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->keydata.pkey = pkey; - pkey = NULL; -@@ -573,7 +574,7 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } -@@ -584,7 +585,7 @@ err: - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -593,11 +594,11 @@ static bool - opensslecdsa_isprivate(const dst_key_t *key) { - bool ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey; - #else - BIGNUM *priv = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); -@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { - return (false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(pkey); - - ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL); -@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { - if (priv != NULL) { - BN_clear_free(priv); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -640,7 +641,7 @@ static isc_result_t - opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - int len; - unsigned char *cp; -@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - BIGNUM *y = NULL; - size_t keysize = 0; - size_t len = 0; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; - -@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - - pkey = key->keydata.pkey; - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); -@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - } - - len = keysize; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(data, &r); - if (r.length < (unsigned int)len) { - DST_RET(ISC_R_NOSPACE); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - cp = buf; - if (!i2o_ECPublicKey(eckey, &cp)) { - DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); -@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - BN_bn2bin_fixed(x, &buf[0], keysize / 2); - BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2); - memmove(r.base, buf, len); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_add(data, len); - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } -@@ -721,7 +722,7 @@ err: - if (y != NULL) { - BN_clear_free(y); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; - EVP_PKEY *pkey = NULL; - isc_region_t r; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - const unsigned char *cp; - unsigned int len; -@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - int group_nid; - #else - size_t len; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); -@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (key->key_alg == DST_ALG_ECDSA256) { - group_nid = NID_X9_62_prime256v1; - } else { -@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - if (ret != ISC_R_SUCCESS) { - DST_RET(ret); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_forward(data, len); - key->keydata.pkey = pkey; -@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - return (ret); - } - -@@ -814,13 +815,13 @@ static isc_result_t - opensslecdsa_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - const BIGNUM *privkey = NULL; - #else - int status; - BIGNUM *privkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - dst_private_t priv; - unsigned char *buf = NULL; - unsigned short i; -@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { - } - - pkey = key->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY", -@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); - -@@ -888,7 +889,7 @@ err: - if (buf != NULL && privkey != NULL) { - isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } -@@ -896,12 +897,12 @@ err: - if (privkey != NULL) { - BN_clear_free(privkey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) { - const EC_POINT *pubkey; -@@ -1065,9 +1066,9 @@ err: - - return (ret); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv, - int privkey_index) { -@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) { - } - return (ISC_R_SUCCESS); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - finalize_eckey(dst_key_t *key, --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey, - #endif - const char *engine, const char *label) { - isc_result_t result = ISC_R_SUCCESS; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EVP_PKEY *pkey = NULL; - - REQUIRE(eckey != NULL); -@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key, - } - - key->keydata.pkey = pkey; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (label != NULL) { - key->label = isc_mem_strdup(key->mctx, label); -@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key, - return (result); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { - int group_nid; -@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { - - return (ISC_R_SUCCESS); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, -@@ -1173,10 +1174,10 @@ static isc_result_t - opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - EC_KEY *pubeckey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - const char *engine = NULL; - const char *label = NULL; - int i, privkey_index = -1; -@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - goto err; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } else { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - ret = dst__key_to_eckey(key, &eckey); - if (ret != ISC_R_SUCCESS) { - goto err; -@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - priv.elements[privkey_index].data, - priv.elements[privkey_index].length, - &key->keydata.pkey); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (ret != ISC_R_SUCCESS) { - goto err; -@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - finalize_key = true; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (pub != NULL && pub->keydata.pkey != NULL) { - pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey); - } -@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - if (finalize_key) { - ret = finalize_eckey(key, engine, label); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (pubeckey != NULL) { - EC_KEY_free(pubeckey); - } - if (eckey != NULL) { - EC_KEY_free(eckey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (ret != ISC_R_SUCCESS) { - key->keydata.generic = NULL; - } -diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index fc905b7..867b486 100644 ---- a/lib/dns/opensslrsa_link.c -+++ b/lib/dns/opensslrsa_link.c -@@ -18,7 +18,7 @@ - - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -@@ -26,7 +26,7 @@ - #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #include -@@ -180,12 +180,12 @@ static isc_result_t - opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { - dst_key_t *key = dctx->key; - int status = 0; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa; - const BIGNUM *e = NULL; - #else - BIGNUM *e = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; - int bits; -@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { - } - bits = BN_num_bits(e); - BN_free(e); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (bits > maxbits && maxbits != 0) { - return (DST_R_VERIFYFAILURE); -@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - int status; - EVP_PKEY *pkey1 = key1->keydata.pkey; - EVP_PKEY *pkey2 = key2->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa1 = NULL; - RSA *rsa2 = NULL; - const BIGNUM *d1 = NULL, *d2 = NULL; -@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - BIGNUM *d1 = NULL, *d2 = NULL; - BIGNUM *p1 = NULL, *p2 = NULL; - BIGNUM *q1 = NULL, *q2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); -@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - DST_RET(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa1 = EVP_PKEY_get1_RSA(pkey1); - rsa2 = EVP_PKEY_get1_RSA(pkey2); - if (rsa1 == NULL && rsa2 == NULL) { -@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - #else - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (d1 != NULL || d2 != NULL) { - if (d1 == NULL || d2 == NULL) { - DST_RET(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA_get0_factors(rsa1, &p1, &q1); - RSA_get0_factors(rsa2, &p2, &q2); - #else -@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 || - BN_cmp(q1, q2) != 0) { -@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - ret = true; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa1 != NULL) { - RSA_free(rsa1); - } -@@ -332,12 +332,12 @@ err: - if (q2 != NULL) { - BN_clear_free(q2); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static int - progress_cb(int p, int n, BN_GENCB *cb) { - union { -@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { - } - return (1); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { -@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - void (*fptr)(int); - } u; - BIGNUM *e = BN_new(); --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = RSA_new(); - EVP_PKEY *pkey = EVP_PKEY_new(); - #if !HAVE_BN_GENCB_NEW -@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - #else - EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - if (e == NULL || ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - /* - * Reject incorrect RSA key lengths. -@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - BN_set_bit(e, 32); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->keydata.pkey = pkey; - pkey = NULL; -@@ -486,7 +486,7 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -497,7 +497,7 @@ err: - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (e != NULL) { - BN_free(e); - } -@@ -508,12 +508,12 @@ static bool - opensslrsa_isprivate(const dst_key_t *key) { - bool ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa; - const BIGNUM *d = NULL; - #else - BIGNUM *d = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || -@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) { - return (false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - INSIST(rsa != NULL); - -@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) { - if (d != NULL) { - BN_clear_free(d); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - unsigned int mod_bytes; - isc_result_t ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa; - const BIGNUM *e = NULL, *n = NULL; - #else - BIGNUM *e = NULL, *n = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->keydata.pkey != NULL); - - pkey = key->keydata.pkey; - isc_buffer_availableregion(data, &r); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - if (e == NULL || n == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - mod_bytes = BN_num_bytes(n); - e_bytes = BN_num_bytes(e); -@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - - ret = ISC_R_SUCCESS; - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -632,7 +632,7 @@ err: - if (n != NULL) { - BN_free(n); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - return (ret); - } - -@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_region_t r; - unsigned int e_bytes; - unsigned int length; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL; - #else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - EVP_PKEY *pkey = NULL; - BIGNUM *e = NULL, *n = NULL; - -@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - - isc_buffer_forward(data, length); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = RSA_new(); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult2("RSA_new", -@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->keydata.pkey = pkey; - pkey = NULL; -@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - - err: - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -771,7 +771,7 @@ err: - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (n != NULL) { - BN_free(n); - } -@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - unsigned char *bufs[8] = { NULL }; - unsigned short i = 0; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL; - const BIGNUM *n = NULL, *e = NULL, *d = NULL; - const BIGNUM *p = NULL, *q = NULL; -@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - BIGNUM *n = NULL, *e = NULL, *d = NULL; - BIGNUM *p = NULL, *q = NULL; - BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (key->keydata.pkey == NULL) { - DST_RET(DST_R_NULLKEY); -@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - } - - pkey = key->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (n == NULL || e == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -935,7 +935,7 @@ err: - priv.elements[i].length); - } - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA_free(rsa); - #else - if (n != NULL) { -@@ -962,12 +962,12 @@ err: - if (iqmp != NULL) { - BN_clear_free(iqmp); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - rsa_check(RSA *rsa, RSA *pub) { - const BIGNUM *n1 = NULL, *n2 = NULL; -@@ -1079,14 +1079,14 @@ err: - - return (ret); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL, *pubrsa = NULL; - const BIGNUM *ex = NULL; - #else -@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - BIGNUM *ex = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - ENGINE *ep = NULL; - #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ -@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DST_RET(ISC_R_SUCCESS); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (pub != NULL && pub->keydata.pkey != NULL) { - pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { -@@ -1249,7 +1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - } - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = RSA_new(); - if (rsa == NULL) { - DST_RET(ISC_R_NOMEMORY); -@@ -1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) { - DST_RET(ISC_R_RANGE); -@@ -1375,7 +1375,7 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -1419,7 +1419,7 @@ err: - if (iqmp != NULL) { - BN_clear_free(iqmp); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (ret != ISC_R_SUCCESS) { - key->keydata.generic = NULL; - } -@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) { - int status; - isc_result_t ret = ISC_R_SUCCESS; - size_t len; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL; - #else - OSSL_PARAM *params = NULL; -@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) { - DST_RET(ISC_R_NOMEMORY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = RSA_new(); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult2("RSA_new", -@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) { - err: - BN_free(e); - BN_free(n); --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } --- -2.37.3 - diff --git a/bind-9.18-pkcs11-engine-init.patch b/bind-9.18-pkcs11-engine-init.patch deleted file mode 100644 index 5c0c6c4..0000000 --- a/bind-9.18-pkcs11-engine-init.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 7 Sep 2022 13:46:31 +0200 -Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls - -According to manual page of ENGINE_init, it should be called explicitly -before any key operations happens. Make it active whole lifetime. ---- - lib/dns/openssl_link.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c -index 333f34cb37..a3f63885fa 100644 ---- a/lib/dns/openssl_link.c -+++ b/lib/dns/openssl_link.c -@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) { - result = DST_R_NOENGINE; - goto cleanup_rm; - } -+ if (!ENGINE_init(e)) { -+ result = DST_R_NOENGINE; -+ goto cleanup_rm; -+ } - /* This will init the engine. */ - if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { - result = DST_R_NOENGINE; -- goto cleanup_rm; -+ goto cleanup_init; - } - } - - return (ISC_R_SUCCESS); -+cleanup_init: -+ ENGINE_finish(e); - cleanup_rm: - if (e != NULL) { - ENGINE_free(e); -@@ -108,6 +114,7 @@ void - dst__openssl_destroy(void) { - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - if (e != NULL) { -+ ENGINE_finish(e); - ENGINE_free(e); - } - e = NULL; --- -2.37.2 - diff --git a/bind-9.18-pkcs11-engine-remove-deadcode.patch b/bind-9.18-pkcs11-engine-remove-deadcode.patch deleted file mode 100644 index 7586395..0000000 --- a/bind-9.18-pkcs11-engine-remove-deadcode.patch +++ /dev/null @@ -1,245 +0,0 @@ -From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 8 Sep 2022 16:33:38 +0200 -Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0 - -OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM -builders. But it can be built in legacy mode, where deprecated but still -working API would be used. - -It can work under OpenSSL 3.0, but only if using legacy code paths -matching OpenSSL 1.1 calls and functions. - -Remove fromlabel processing by OpenSSL 3.0 only functions. They can -return later with a proper provider support for pkcs11. ---- - lib/dns/opensslecdsa_link.c | 55 ------------------------------------- - lib/dns/opensslrsa_link.c | 32 --------------------- - 2 files changed, 87 deletions(-) - -diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c -index 04f0d80b5e..f04f076e42 100644 ---- a/lib/dns/opensslecdsa_link.c -+++ b/lib/dns/opensslecdsa_link.c -@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - isc_result_t ret = ISC_R_SUCCESS; - ENGINE *e; --#if OPENSSL_VERSION_NUMBER < 0x30000000L - EC_KEY *eckey = NULL; - EC_KEY *pubeckey = NULL; - int group_nid; --#else -- size_t len; -- const char *curve_name, *nist_curve_name; -- char buf[128]; /* Sufficient for all of the supported curves' names. */ --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - EVP_PKEY *pkey = NULL; - EVP_PKEY *pubpkey = NULL; - -@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - DST_RET(DST_R_NOENGINE); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (key->key_alg == DST_ALG_ECDSA256) { - group_nid = NID_X9_62_prime256v1; - } else { - group_nid = NID_secp384r1; - } --#else -- /* Get the expected curve names */ -- if (key->key_alg == DST_ALG_ECDSA256) { -- curve_name = "prime256v1"; -- nist_curve_name = "P-256"; -- } else { -- curve_name = "secp384r1"; -- nist_curve_name = "P-384"; -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - /* Load private key. */ - pkey = ENGINE_load_private_key(e, label, NULL, NULL); -@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } --#else -- len = 0; -- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, -- buf, sizeof buf, &len) != 1 || -- len == 0 || len >= sizeof buf) -- { -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- } -- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && -- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) -- { -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - /* Load public key. */ - pubpkey = ENGINE_load_public_key(e, label, NULL, NULL); -@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey); - if (pubeckey == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } --#else -- len = 0; -- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME, -- buf, sizeof buf, &len) != 1 || -- len == 0 || len >= sizeof buf) -- { -- DST_RET(DST_R_INVALIDPUBLICKEY); -- } -- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && -- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) -- { -- DST_RET(DST_R_INVALIDPUBLICKEY); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } --#else -- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - key->label = isc_mem_strdup(key->mctx, label); - key->engine = isc_mem_strdup(key->mctx, engine); -@@ -1442,14 +1389,12 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (pubeckey != NULL) { - EC_KEY_free(pubeckey); - } - if (eckey != NULL) { - EC_KEY_free(eckey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - return (ret); - #else -diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index 867b486a2f..cf350610ba 100644 ---- a/lib/dns/opensslrsa_link.c -+++ b/lib/dns/opensslrsa_link.c -@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - key->engine = isc_mem_strdup(key->mctx, engine); - key->label = isc_mem_strdup(key->mctx, label); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } - RSA_get0_key(rsa, NULL, &ex, NULL); --#else -- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) != -- ISC_R_SUCCESS) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } -- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != -- 1) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - if (ex == NULL) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - ENGINE *e = NULL; - isc_result_t ret = ISC_R_SUCCESS; - EVP_PKEY *pkey = NULL, *pubpkey = NULL; --#if OPENSSL_VERSION_NUMBER < 0x30000000L - RSA *rsa = NULL, *pubrsa = NULL; - const BIGNUM *ex = NULL; --#else -- BIGNUM *ex = NULL; --#endif - - UNUSED(pin); - -@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", - DST_R_OPENSSLFAILURE)); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - pubrsa = EVP_PKEY_get1_RSA(pubpkey); - if (pubrsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - pkey = ENGINE_load_private_key(e, label, NULL, NULL); - if (pkey == NULL) { -@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - key->engine = isc_mem_strdup(key->mctx, engine); - key->label = isc_mem_strdup(key->mctx, label); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } - RSA_get0_key(rsa, NULL, &ex, NULL); --#else -- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } -- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - if (ex == NULL) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - pkey = NULL; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (rsa != NULL) { - RSA_free(rsa); - } - if (pubrsa != NULL) { - RSA_free(pubrsa); - } --#else -- if (ex != NULL) { -- BN_free(ex); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --- -2.37.2 - diff --git a/bind.spec b/bind.spec index 20bb29e..ef86ef1 100644 --- a/bind.spec +++ b/bind.spec @@ -62,8 +62,8 @@ Conflicts: %1 \ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPL-2.0 -Version: 9.18.7 -Release: 3%{?dist} +Version: 9.18.8 +Release: 1%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -99,16 +99,8 @@ Source49: named-chroot.files Patch10: bind-9.5-PIE.patch Patch16: bind-9.16-redhat_doc.patch Patch22: bind-9.11-fips-tests.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385 -# https://bugzilla.redhat.com/show_bug.cgi?id=2122841 -Patch23: bind-9.18-pkcs11-engine-init.patch -Patch24: bind-9.18-pkcs11-engine-compat-api.patch -Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2122010 Patch26: bind-9.18-unittest-netmgr-unstable.patch -# Fix building ARM docs in EPEL9 -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6815 -Patch27: bind-9.18-doc-arm-rhel9.patch %{?systemd_ordering} Requires: coreutils @@ -957,6 +949,9 @@ fi; %endif %changelog +* Sat Oct 22 2022 Petr Menšík - 32:9.18.8-1 +- Update to 9.18.8 (#2136100) + * Fri Sep 30 2022 Petr Menšík - 32:9.18.7-3 - Update License to SPDX identifier - Enable automatic restart on crashes diff --git a/sources b/sources index 25459e0..10c60a2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.18.7.tar.xz) = 2cdceb4125b8759f5225296c6ffecdbb895b0a27dfcfcd98b04b9ad78552d16c16b0452fb823dc47d11cec21d2c6ecb05a107dd3094f8e7419bb9717d68820c5 -SHA512 (bind-9.18.7.tar.xz.asc) = 40030c2259858f1ba7ce4fbcd523025631ed78687ca87863d0f0bcd0fd530d96052e0601808ffa37e59d574a9a9c84bb2ededc66f730b9eaf560a00a6ef29c48 +SHA512 (bind-9.18.8.tar.xz) = ea6cad5276269a320fa1e666544888ed88b9d058ecab56c82aebff24e841a4ad221ce9c1209b1258884d71f7c03eed4d1c6a7e1922780073644344bc939a0e89 +SHA512 (bind-9.18.8.tar.xz.asc) = 06a880eb3af14e760f52ab5bd666b6512487d724a16a0fdf646ad9a07f17249e68a9a59ddf902f9111aee6450d96ed8dfe36d6fb433808f993d9bbc6dd4e665c