From 99fd53a10661f8de99fb9d335c37f8e891d4455a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Sat, 22 Oct 2022 20:16:47 +0200 Subject: [PATCH] Update to 9.18.8 (#2136100) https://downloads.isc.org/isc/bind9/9.18.8/doc/arm/html/notes.html#notes-for-bind-9-18-8 --- .gitignore | 2 + bind-9.11-fips-tests.patch | 28 +- bind-9.18-doc-arm-rhel9.patch | 46 - bind-9.18-pkcs11-engine-compat-api.patch | 1556 ----------------- bind-9.18-pkcs11-engine-init.patch | 48 - bind-9.18-pkcs11-engine-remove-deadcode.patch | 245 --- bind.spec | 15 +- sources | 4 +- 8 files changed, 24 insertions(+), 1920 deletions(-) delete mode 100644 bind-9.18-doc-arm-rhel9.patch delete mode 100644 bind-9.18-pkcs11-engine-compat-api.patch delete mode 100644 bind-9.18-pkcs11-engine-init.patch delete mode 100644 bind-9.18-pkcs11-engine-remove-deadcode.patch diff --git a/.gitignore b/.gitignore index c6e3afe..d9ce40c 100644 --- a/.gitignore +++ b/.gitignore @@ -192,3 +192,5 @@ bind-9.7.2b1.tar.gz /bind-9.18.6.tar.xz.asc /bind-9.18.7.tar.xz /bind-9.18.7.tar.xz.asc +/bind-9.18.8.tar.xz +/bind-9.18.8.tar.xz.asc diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index 415a87a..072419f 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From b1e27453fadcf8ce453beed5b896ad995dfb5534 Mon Sep 17 00:00:00 2001 +From 2ad42c7c23858f12d977526d6ebc3465907d7b1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -428,10 +428,10 @@ index 364f94b..9518f82 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index bbffe07..80da0fe 100644 +index 01a13cf..3711c63 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2 +@@ -201,7 +201,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 
@@ -440,7 +440,7 @@ index bbffe07..80da0fe 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2 +@@ -214,7 +214,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 @@ -449,7 +449,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2 +@@ -228,7 +228,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 @@ -458,7 +458,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2 +@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 @@ -467,7 +467,7 @@ index bbffe07..80da0fe 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2 +@@ -380,7 +380,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 @@ -476,7 +476,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2 +@@ -394,7 +394,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 
@@ -485,7 +485,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -533,7 +533,7 @@ status=`expr $status + $ret` +@@ -534,7 +534,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 @@ -494,7 +494,7 @@ index bbffe07..80da0fe 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -543,7 +543,7 @@ status=`expr $status + $ret` +@@ -544,7 +544,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 @@ -503,7 +503,7 @@ index bbffe07..80da0fe 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -554,7 +554,7 @@ status=`expr $status + $ret` +@@ -555,7 +555,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 @@ -513,16 +513,18 @@ index bbffe07..80da0fe 100644 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 1421281..424afb8 100644 +index 3a8e401..82e720d 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -122,5 +122,5 @@ view "ch" ch { +@@ -122,7 +122,7 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; + algorithm hmac-sha256; }; + + key next_key. { diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf index 4af25b0..9f202d5 100644 --- a/bin/tests/system/checkconf/bad-tsig.conf 
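Review bot: The `key next_key. {` block that now appears as trailing context in the refreshed `bin/tests/system/catz/ns1/named.conf.in` hunk is not touched by this patch; only `tsig_key.` is switched to `algorithm hmac-sha256;`. The body of `next_key.` lies outside the hunk, so its algorithm cannot be seen here. If it also declares `algorithm hmac-md5;`, the catz system test would still depend on HMAC-MD5 and would presumably fail when run in FIPS mode. In that case, extend the inner hunk so the `next_key.` block also carries `algorithm hmac-sha256;`. It is also worth checking the other system-test configs added in 9.18.8 for new `hmac-md5` keys that this offset-only refresh would not pick up.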
diff --git a/bind-9.18-doc-arm-rhel9.patch b/bind-9.18-doc-arm-rhel9.patch deleted file mode 100644 index 2778e1e..0000000 --- a/bind-9.18-doc-arm-rhel9.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst -index 0d72000..f4810ae 100644 ---- a/doc/arm/dnssec.inc.rst -+++ b/doc/arm/dnssec.inc.rst -@@ -282,7 +282,7 @@ NSEC3 - - To sign using :ref:`NSEC3 ` instead of :ref:`NSEC - `, add an NSEC3PARAM record to the initial update --request. The :term:`OPTOUT ` bit in the NSEC3 -+request. The :term:`OPTOUT ` bit in the NSEC3 - chain can be set in the flags field of the - NSEC3PARAM record. - -diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst -index ef6c1c7..b59b0ac 100644 ---- a/doc/arm/reference.rst -+++ b/doc/arm/reference.rst -@@ -35,7 +35,7 @@ The file :file:`named.conf` may contain three types of entities: - - Block - :ref:`Blocks ` are containers for :term:`statements -- ` which either have common functionality - for example, -+ ` which either have common functionality - for example, - the definition of a cryptographic key in a :namedconf:ref:`key` block - or which - define the scope of the statement - for example, a statement which appears - in a :namedconf:ref:`zone` block has scope only for that zone. -@@ -68,7 +68,7 @@ The file :file:`named.conf` may contain three types of entities: - more argument/value pairs. The :any:`also-notify` statement may take a number - of such argument/value pairs, such as ``also-notify port 5353;``, - where ``port`` is the argument and ``5353`` is the corresponding value. -- - Statements can appear in a single :term:`block` - for -+ - Statements can appear in a single :term:`block ` - for - example, an :namedconf:ref:`algorithm` statement can appear only in a - :namedconf:ref:`key` block - or in multiple blocks - for example, an - :any:`also-notify` statement can appear in an :namedconf:ref:`options` -@@ -6550,8 +6550,8 @@ The following options can be specified in a :any:`dnssec-policy` statement: - of the indicated length. - - .. 
warning:: -- Do not use extra :term:`iterations`, :term:`salt`, and -- :term:`opt-out` unless their implications are fully understood. -+ Do not use extra :term:`iterations `, :term:`salt `, and -+ :term:`opt-out ` unless their implications are fully understood. - A higher number of iterations causes interoperability problems and opens - servers to CPU-exhausting DoS attacks. - diff --git a/bind-9.18-pkcs11-engine-compat-api.patch b/bind-9.18-pkcs11-engine-compat-api.patch deleted file mode 100644 index 678d199..0000000 --- a/bind-9.18-pkcs11-engine-compat-api.patch +++ /dev/null 
@@ -1,1556 +0,0 @@ -From 1ecf072a6a556aa386003d1d5b83fe172320e7ed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 8 Sep 2022 17:19:20 +0200 -Subject: [PATCH] Do not use OSSL_PARAM when engine API is compiled - -OpenSSL has deprecated many things in version 3.0. If pkcs11 engine -should work then no builder from OpenSSL 3.0 API can be used. - -Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when -OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow -working keys loading from the engine passed on command line. ---- - lib/dns/openssldh_link.c | 136 +++++++++++++++++++----------------- - lib/dns/opensslecdsa_link.c | 119 +++++++++++++++---------------- - lib/dns/opensslrsa_link.c | 118 +++++++++++++++---------------- - 3 files changed, 189 insertions(+), 184 deletions(-) - -diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c -index 1a01c2b..7df483f 100644 ---- a/lib/dns/openssldh_link.c -+++ b/lib/dns/openssldh_link.c -@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; - static isc_result_t - openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dhpub, *dhpriv; - const BIGNUM *pub_key = NULL; - int secret_len = 0; -@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *dhpub, *dhpriv; - size_t secret_len = 0; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - unsigned int len; - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(pub->keydata.dh != NULL); - REQUIRE(priv->keydata.dh != NULL); - -@@ -119,14 +119,14 @@ openssldh_computesecret(const 
dst_key_t *pub, const dst_key_t *priv, - dhpriv = priv->keydata.pkey; - - len = EVP_PKEY_get_size(dhpriv); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(secret, &r); - if (r.length < len) { - return (ISC_R_NOSPACE); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH_get0_key(dhpub, &pub_key, NULL); - secret_len = DH_compute_key(r.base, pub_key, dhpriv); - if (secret_len <= 0) { -@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - DST_R_COMPUTESECRETFAILURE)); - } - EVP_PKEY_CTX_free(ctx); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_add(secret, (unsigned int)secret_len); - -@@ -166,7 +166,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - static bool - openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; -@@ -176,9 +176,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - -@@ -210,7 +210,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY_get_bn_param(pkey2, 
OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || - BN_cmp(pub_key1, pub_key2) != 0) -@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - } - - err: --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - BN_free(p1); - } -@@ -251,7 +251,8 @@ err: - if (priv_key2 != NULL) { - BN_clear_free(priv_key2); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (ret); - } -@@ -259,15 +260,15 @@ err: - static bool - openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret = true; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh1, *dh2; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - #else - EVP_PKEY *pkey1, *pkey2; - BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - -@@ -293,14 +294,14 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 
0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { - DST_RET(false); - } - - err: --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p1 != NULL) { - BN_free(p1); - } -@@ -313,12 +314,13 @@ err: - if (g2 != NULL) { - BN_free(g2); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static int - progress_cb(int p, int n, BN_GENCB *cb) { - union { -@@ -349,7 +351,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { - } - return (1); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { -@@ -359,7 +361,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - void (*fptr)(int); - } u; - BIGNUM *p = NULL, *g = NULL; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; - BN_GENCB *cb = NULL; - #if !HAVE_BN_GENCB_NEW -@@ -372,9 +374,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *param_pkey = NULL; - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); -@@ -388,7 +390,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - if (param_ctx == NULL) { - 
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (generator == 0) { - /* -@@ -408,7 +410,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - if (p == NULL || g == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2( - "DH_set0_pqg", DST_R_OPENSSLFAILURE)); -@@ -432,7 +434,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - } else { - /* -@@ -445,7 +447,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - } - - if (generator != 0) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - cb = BN_GENCB_new(); - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if (cb == NULL) { -@@ -488,10 +490,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - DST_R_OPENSSLFAILURE)); - } - params = OSSL_PARAM_BLD_to_param(bld); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_generate_key(dh) == 0) { - DST_RET(dst__openssl_toresult2("DH_generate_key", - DST_R_OPENSSLFAILURE)); -@@ -559,12 +561,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - - key->keydata.pkey = pkey; - pkey = NULL; 
--#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -@@ -596,14 +598,14 @@ err: - if (g != NULL) { - BN_free(g); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - - static bool - openssldh_isprivate(const dst_key_t *key) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - const BIGNUM *priv_key = NULL; - -@@ -628,12 +630,12 @@ openssldh_isprivate(const dst_key_t *key) { - } - - return (ret); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - - static void - openssldh_destroy(dst_key_t *key) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = key->keydata.dh; - - if (dh == NULL) { -@@ -651,7 +653,7 @@ openssldh_destroy(dst_key_t *key) { - - EVP_PKEY_free(pkey); - key->keydata.pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - } - - static void -@@ -678,17 +680,17 @@ uint16_fromregion(isc_region_t *region) { - static isc_result_t - openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret = ISC_R_SUCCESS; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - #else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - uint16_t dnslen, plen, glen, publen; - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - REQUIRE(key->keydata.dh != NULL); - - dh = key->keydata.dh; -@@ -701,7 +703,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(data, &r); - -@@ -749,7 +751,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_buffer_add(data, dnslen); - - err: --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } -@@ -759,7 +761,8 @@ err: - if (pub_key != NULL) { - BN_free(pub_key); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (ret); - } -@@ -767,14 +770,14 @@ err: - static isc_result_t - openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - #else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - int key_size; - isc_region_t r; -@@ -786,7 +789,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - return (ISC_R_SUCCESS); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L 
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); -@@ -801,7 +804,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - /* - * Read the prime length. 1 & 2 are table entries, > 16 means a -@@ -877,7 +880,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - - key_size = BN_num_bits(p); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_pqg(dh, p, NULL, g) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_pqg", - DST_R_OPENSSLFAILURE)); -@@ -893,7 +896,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (r.length < 2) { - DST_RET(DST_R_INVALIDPUBLICKEY); -@@ -911,7 +914,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - - isc_buffer_forward(data, plen + glen + publen + 6); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ - (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) - /* -@@ -955,14 +958,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - - key->keydata.pkey = pkey; - pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -@@ -979,7 +982,7 @@ err: - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != NULL) { - BN_free(p); - } -@@ -995,13 +998,13 @@ err: - - static isc_result_t - openssldh_tofile(const dst_key_t *key, const char *directory) { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh; - const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - #else - EVP_PKEY *pkey; - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - dst_private_t priv; - unsigned char *bufs[4] = { NULL }; - unsigned short i = 0; -@@ -1011,7 +1014,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - return (DST_R_EXTERNALKEY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (key->keydata.dh == NULL) { - return (DST_R_NULLKEY); - } -@@ -1029,7 +1032,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - priv.elements[i].tag = TAG_DH_PRIME; - priv.elements[i].length = BN_num_bytes(p); -@@ -1069,7 +1072,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - } - } - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - if (p != NULL) { - BN_free(p); - } -@@ -1082,7 
+1085,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { - if (priv_key != NULL) { - BN_clear_free(priv_key); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - return (result); - } -@@ -1092,14 +1096,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - DH *dh = NULL; - #else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - int key_size = 0; - isc_mem_t *mctx; -@@ -1117,7 +1121,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DST_RET(DST_R_EXTERNALKEY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - dh = DH_new(); - if (dh == NULL) { - DST_RET(ISC_R_NOMEMORY); -@@ -1132,7 +1136,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - if (ctx == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; -@@ -1159,7 +1163,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - } - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (DH_set0_key(dh, pub_key, priv_key) != 1) { - DST_RET(dst__openssl_toresult2("DH_set0_key", - DST_R_OPENSSLFAILURE)); -@@ -1206,13 +1210,13 @@ openssldh_parse(dst_key_t *key, 
isc_lex_t *lexer, dst_key_t *pub) { - - key->keydata.pkey = pkey; - pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->key_size = (unsigned int)key_size; - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (dh != NULL) { - DH_free(dh); - } -@@ -1229,7 +1233,7 @@ err: - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (p != NULL) { - BN_free(p); - } -diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c -index 519e88b..04f0d80 100644 ---- a/lib/dns/opensslecdsa_link.c -+++ b/lib/dns/opensslecdsa_link.c -@@ -17,14 +17,14 @@ - - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #include - #include - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -@@ -57,7 +57,7 @@ - goto err; \ - } - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - static isc_result_t - raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key, - size_t key_len, EVP_PKEY **pkey) { -@@ -159,7 +159,8 @@ err: - - return (ret); - } --#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ -+ */ - - static isc_result_t - opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { -@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - bool ret; - EVP_PKEY *pkey1 = 
key1->keydata.pkey; - EVP_PKEY *pkey2 = key2->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey1 = NULL; - EC_KEY *eckey2 = NULL; - const BIGNUM *priv1; -@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - #else - BIGNUM *priv1 = NULL; - BIGNUM *priv2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); -@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - DST_RET(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey1 = EVP_PKEY_get1_EC_KEY(pkey1); - eckey2 = EVP_PKEY_get1_EC_KEY(pkey2); - if (eckey1 == NULL && eckey2 == NULL) { -@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - #else - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (priv1 != NULL || priv2 != NULL) { - if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0) -@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - ret = true; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey1 != NULL) { - EC_KEY_free(eckey1); - } -@@ -471,7 +472,7 @@ err: - if (priv2 != NULL) { - BN_clear_free(priv2); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void 
(*callback)(int)) { - isc_result_t ret; - int status; - EVP_PKEY *pkey = NULL; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - #else - EVP_PKEY_CTX *ctx = NULL; - EVP_PKEY *params_pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - int group_nid; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EC_KEY_new_by_curve_name(group_nid); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name", -@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->keydata.pkey = pkey; - pkey = NULL; -@@ -573,7 +574,7 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } -@@ -584,7 +585,7 @@ err: - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -593,11 +594,11 @@ static bool - opensslecdsa_isprivate(const dst_key_t *key) { - bool ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey; - #else - BIGNUM *priv = NULL; --#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); -@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { - return (false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(pkey); - - ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL); -@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { - if (priv != NULL) { - BN_clear_free(priv); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -640,7 +641,7 @@ static isc_result_t - opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - int len; - unsigned char *cp; -@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - BIGNUM *y = NULL; - size_t keysize = 0; - size_t len = 0; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - isc_region_t r; - unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; - -@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - - pkey = key->keydata.pkey; - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); -@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - } - - len = keysize; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 
0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_availableregion(data, &r); - if (r.length < (unsigned int)len) { - DST_RET(ISC_R_NOSPACE); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - cp = buf; - if (!i2o_ECPublicKey(eckey, &cp)) { - DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); -@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - BN_bn2bin_fixed(x, &buf[0], keysize / 2); - BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2); - memmove(r.base, buf, len); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_add(data, len); - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } -@@ -721,7 +722,7 @@ err: - if (y != NULL) { - BN_clear_free(y); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_result_t ret; - EVP_PKEY *pkey = NULL; - isc_region_t r; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - const unsigned char *cp; - unsigned int len; -@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - int group_nid; - #else - size_t len; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); -@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L 
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (key->key_alg == DST_ALG_ECDSA256) { - group_nid = NID_X9_62_prime256v1; - } else { -@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - if (ret != ISC_R_SUCCESS) { - DST_RET(ret); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - isc_buffer_forward(data, len); - key->keydata.pkey = pkey; -@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - ret = ISC_R_SUCCESS; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - return (ret); - } - -@@ -814,13 +815,13 @@ static isc_result_t - opensslecdsa_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - const BIGNUM *privkey = NULL; - #else - int status; - BIGNUM *privkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - dst_private_t priv; - unsigned char *buf = NULL; - unsigned short i; -@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { - } - - pkey = key->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY", -@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param", - 
DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); - -@@ -888,7 +889,7 @@ err: - if (buf != NULL && privkey != NULL) { - isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (eckey != NULL) { - EC_KEY_free(eckey); - } -@@ -896,12 +897,12 @@ err: - if (privkey != NULL) { - BN_clear_free(privkey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) { - const EC_POINT *pubkey; -@@ -1065,9 +1066,9 @@ err: - - return (ret); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv, - int privkey_index) { -@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) { - } - return (ISC_R_SUCCESS); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - finalize_eckey(dst_key_t *key, --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey, - #endif - const char *engine, const char *label) { - isc_result_t result = ISC_R_SUCCESS; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL 
< 30000 - EVP_PKEY *pkey = NULL; - - REQUIRE(eckey != NULL); -@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key, - } - - key->keydata.pkey = pkey; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (label != NULL) { - key->label = isc_mem_strdup(key->mctx, label); -@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key, - return (result); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { - int group_nid; -@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { - - return (ISC_R_SUCCESS); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, -@@ -1173,10 +1174,10 @@ static isc_result_t - opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - EC_KEY *eckey = NULL; - EC_KEY *pubeckey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - const char *engine = NULL; - const char *label = NULL; - int i, privkey_index = -1; -@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - goto err; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 */ - } else { --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - ret = dst__key_to_eckey(key, &eckey); - if (ret != ISC_R_SUCCESS) { - goto err; -@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - priv.elements[privkey_index].data, - priv.elements[privkey_index].length, - &key->keydata.pkey); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (ret != ISC_R_SUCCESS) { - goto err; -@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - finalize_key = true; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (pub != NULL && pub->keydata.pkey != NULL) { - pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey); - } -@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - if (finalize_key) { - ret = finalize_eckey(key, engine, label); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (pubeckey != NULL) { - EC_KEY_free(pubeckey); - } - if (eckey != NULL) { - EC_KEY_free(eckey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (ret != ISC_R_SUCCESS) { - key->keydata.generic = NULL; - } -diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index fc905b7..867b486 100644 ---- a/lib/dns/opensslrsa_link.c -+++ b/lib/dns/opensslrsa_link.c -@@ -18,7 +18,7 @@ - - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 
30000 - #include - #endif - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -@@ -26,7 +26,7 @@ - #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - #include - #include --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 - #include - #endif - #include -@@ -180,12 +180,12 @@ static isc_result_t - opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { - dst_key_t *key = dctx->key; - int status = 0; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa; - const BIGNUM *e = NULL; - #else - BIGNUM *e = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey = key->keydata.pkey; - int bits; -@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { - } - bits = BN_num_bits(e); - BN_free(e); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (bits > maxbits && maxbits != 0) { - return (DST_R_VERIFYFAILURE); -@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - int status; - EVP_PKEY *pkey1 = key1->keydata.pkey; - EVP_PKEY *pkey2 = key2->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 - RSA *rsa1 = NULL; - RSA *rsa2 = NULL; - const BIGNUM *d1 = NULL, *d2 = NULL; -@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - BIGNUM *d1 = NULL, *d2 = NULL; - BIGNUM *p1 = NULL, *p2 = NULL; - BIGNUM *q1 = NULL, *q2 = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (pkey1 == NULL && pkey2 == NULL) { - return (true); -@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - DST_RET(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa1 = EVP_PKEY_get1_RSA(pkey1); - rsa2 = EVP_PKEY_get1_RSA(pkey2); - if (rsa1 == NULL && rsa2 == NULL) { -@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - #else - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (d1 != NULL || d2 != NULL) { - if (d1 == NULL || d2 == NULL) { - DST_RET(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA_get0_factors(rsa1, &p1, &q1); - RSA_get0_factors(rsa2, &p2, &q2); - #else -@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2); - EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 || - BN_cmp(q1, q2) != 0) { -@@ -306,7 +306,7 @@ 
opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - ret = true; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa1 != NULL) { - RSA_free(rsa1); - } -@@ -332,12 +332,12 @@ err: - if (q2 != NULL) { - BN_clear_free(q2); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static int - progress_cb(int p, int n, BN_GENCB *cb) { - union { -@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { - } - return (1); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { -@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - void (*fptr)(int); - } u; - BIGNUM *e = BN_new(); --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = RSA_new(); - EVP_PKEY *pkey = EVP_PKEY_new(); - #if !HAVE_BN_GENCB_NEW -@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - #else - EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); - EVP_PKEY *pkey = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - if (e == NULL || ctx == NULL) { 
- DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - /* - * Reject incorrect RSA key lengths. -@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - BN_set_bit(e, 32); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->keydata.pkey = pkey; - pkey = NULL; -@@ -486,7 +486,7 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -497,7 +497,7 @@ err: - if (ctx != NULL) { - EVP_PKEY_CTX_free(ctx); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (e != NULL) { - BN_free(e); - } -@@ -508,12 +508,12 @@ static bool - opensslrsa_isprivate(const dst_key_t *key) { - bool ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa; - const BIGNUM *d = NULL; - #else - BIGNUM *d = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || -@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) { - return 
(false); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - INSIST(rsa != NULL); - -@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) { - if (d != NULL) { - BN_clear_free(d); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } -@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - unsigned int mod_bytes; - isc_result_t ret; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa; - const BIGNUM *e = NULL, *n = NULL; - #else - BIGNUM *e = NULL, *n = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - REQUIRE(key->keydata.pkey != NULL); - - pkey = key->keydata.pkey; - isc_buffer_availableregion(data, &r); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - if (e == NULL || n == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - mod_bytes = BN_num_bytes(n); - e_bytes = BN_num_bytes(e); -@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { - - ret = ISC_R_SUCCESS; - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -632,7 +632,7 @@ err: - if (n != NULL) { - BN_free(n); - } --#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - return (ret); - } - -@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - isc_region_t r; - unsigned int e_bytes; - unsigned int length; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL; - #else - OSSL_PARAM_BLD *bld = NULL; - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - EVP_PKEY *pkey = NULL; - BIGNUM *e = NULL, *n = NULL; - -@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - - isc_buffer_forward(data, length); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = RSA_new(); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult2("RSA_new", -@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", - DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - key->keydata.pkey = pkey; - pkey = NULL; -@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - - err: - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -771,7 +771,7 @@ err: - if (bld != NULL) { - OSSL_PARAM_BLD_free(bld); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (n != NULL) { - BN_free(n); - } -@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - unsigned char *bufs[8] = { NULL }; - unsigned short 
i = 0; - EVP_PKEY *pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL; - const BIGNUM *n = NULL, *e = NULL, *d = NULL; - const BIGNUM *p = NULL, *q = NULL; -@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - BIGNUM *n = NULL, *e = NULL, *d = NULL; - BIGNUM *p = NULL, *q = NULL; - BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (key->keydata.pkey == NULL) { - DST_RET(DST_R_NULLKEY); -@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - } - - pkey = key->keydata.pkey; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp); --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (n == NULL || e == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -935,7 +935,7 @@ err: - priv.elements[i].length); - } - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA_free(rsa); - #else - if (n != NULL) { -@@ -962,12 +962,12 @@ err: - if (iqmp != NULL) { - BN_clear_free(iqmp); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - return (ret); - } - --#if OPENSSL_VERSION_NUMBER < 
0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - static isc_result_t - rsa_check(RSA *rsa, RSA *pub) { - const BIGNUM *n1 = NULL, *n2 = NULL; -@@ -1079,14 +1079,14 @@ err: - - return (ret); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - static isc_result_t - opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL, *pubrsa = NULL; - const BIGNUM *ex = NULL; - #else -@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - OSSL_PARAM *params = NULL; - EVP_PKEY_CTX *ctx = NULL; - BIGNUM *ex = NULL; --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - ENGINE *ep = NULL; - #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ -@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DST_RET(ISC_R_SUCCESS); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (pub != NULL && pub->keydata.pkey != NULL) { - pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { -@@ -1249,7 +1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - } - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = RSA_new(); - if (rsa == NULL) { - DST_RET(ISC_R_NOMEMORY); -@@ 
-1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - - if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) { - DST_RET(ISC_R_RANGE); -@@ -1375,7 +1375,7 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } -@@ -1419,7 +1419,7 @@ err: - if (iqmp != NULL) { - BN_clear_free(iqmp); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ - if (ret != ISC_R_SUCCESS) { - key->keydata.generic = NULL; - } -@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) { - int status; - isc_result_t ret = ISC_R_SUCCESS; - size_t len; --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - RSA *rsa = NULL; - #else - OSSL_PARAM *params = NULL; -@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) { - DST_RET(ISC_R_NOMEMORY); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - rsa = RSA_new(); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult2("RSA_new", -@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) { - err: - BN_free(e); - BN_free(n); --#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 - if (rsa != NULL) { - RSA_free(rsa); - } --- -2.37.3 - diff --git a/bind-9.18-pkcs11-engine-init.patch b/bind-9.18-pkcs11-engine-init.patch deleted file mode 100644 index 5c0c6c4..0000000 --- a/bind-9.18-pkcs11-engine-init.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Wed, 7 Sep 2022 13:46:31 +0200
-Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
-
-According to manual page of ENGINE_init, it should be called explicitly
-before any key operations happens. Make it active whole lifetime.
----
- lib/dns/openssl_link.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 333f34cb37..a3f63885fa 100644
---- a/lib/dns/openssl_link.c
-+++ b/lib/dns/openssl_link.c
-@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
- result = DST_R_NOENGINE;
- goto cleanup_rm;
- }
-+ if (!ENGINE_init(e)) {
-+ result = DST_R_NOENGINE;
-+ goto cleanup_rm;
-+ }
- /* This will init the engine. */
- if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
- result = DST_R_NOENGINE;
-- goto cleanup_rm;
-+ goto cleanup_init;
- }
- }
-
- return (ISC_R_SUCCESS);
-+cleanup_init:
-+ ENGINE_finish(e);
- cleanup_rm:
- if (e != NULL) {
- ENGINE_free(e);
-@@ -108,6 +114,7 @@ void
- dst__openssl_destroy(void) {
- #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
- if (e != NULL) {
-+ ENGINE_finish(e);
- ENGINE_free(e);
- }
- e = NULL;
---
-2.37.2
-
diff --git a/bind-9.18-pkcs11-engine-remove-deadcode.patch b/bind-9.18-pkcs11-engine-remove-deadcode.patch
deleted file mode 100644
index 7586395..0000000
--- a/bind-9.18-pkcs11-engine-remove-deadcode.patch
+++ /dev/null
@@ -1,245 +0,0 @@ -From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 8 Sep 2022 16:33:38 +0200 -Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0 - -OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM -builders. But it can be built in legacy mode, where deprecated but still -working API would be used. - -It can work under OpenSSL 3.0, but only if using legacy code paths -matching OpenSSL 1.1 calls and functions. - -Remove fromlabel processing by OpenSSL 3.0 only functions. They can -return later with a proper provider support for pkcs11. ---- - lib/dns/opensslecdsa_link.c | 55 ------------------------------------- - lib/dns/opensslrsa_link.c | 32 --------------------- - 2 files changed, 87 deletions(-) - -diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c -index 04f0d80b5e..f04f076e42 100644 ---- a/lib/dns/opensslecdsa_link.c -+++ b/lib/dns/opensslecdsa_link.c -@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - isc_result_t ret = ISC_R_SUCCESS; - ENGINE *e; --#if OPENSSL_VERSION_NUMBER < 0x30000000L - EC_KEY *eckey = NULL; - EC_KEY *pubeckey = NULL; - int group_nid; --#else -- size_t len; -- const char *curve_name, *nist_curve_name; -- char buf[128]; /* Sufficient for all of the supported curves' names. 
*/ --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - EVP_PKEY *pkey = NULL; - EVP_PKEY *pubpkey = NULL; - -@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - DST_RET(DST_R_NOENGINE); - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (key->key_alg == DST_ALG_ECDSA256) { - group_nid = NID_X9_62_prime256v1; - } else { - group_nid = NID_secp384r1; - } --#else -- /* Get the expected curve names */ -- if (key->key_alg == DST_ALG_ECDSA256) { -- curve_name = "prime256v1"; -- nist_curve_name = "P-256"; -- } else { -- curve_name = "secp384r1"; -- nist_curve_name = "P-384"; -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - /* Load private key. */ - pkey = ENGINE_load_private_key(e, label, NULL, NULL); -@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - eckey = EVP_PKEY_get1_EC_KEY(pkey); - if (eckey == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } --#else -- len = 0; -- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, -- buf, sizeof buf, &len) != 1 || -- len == 0 || len >= sizeof buf) -- { -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- } -- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && -- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) -- { -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - /* Load public key. 
*/ - pubpkey = ENGINE_load_public_key(e, label, NULL, NULL); -@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey); - if (pubeckey == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) { - DST_RET(DST_R_INVALIDPUBLICKEY); - } --#else -- len = 0; -- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME, -- buf, sizeof buf, &len) != 1 || -- len == 0 || len >= sizeof buf) -- { -- DST_RET(DST_R_INVALIDPUBLICKEY); -- } -- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && -- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) -- { -- DST_RET(DST_R_INVALIDPUBLICKEY); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } --#else -- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - key->label = isc_mem_strdup(key->mctx, label); - key->engine = isc_mem_strdup(key->mctx, engine); -@@ -1442,14 +1389,12 @@ err: - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (pubeckey != NULL) { - EC_KEY_free(pubeckey); - } - if (eckey != NULL) { - EC_KEY_free(eckey); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - return (ret); - #else -diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c -index 867b486a2f..cf350610ba 100644 ---- a/lib/dns/opensslrsa_link.c -+++ b/lib/dns/opensslrsa_link.c -@@ 
-1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - key->engine = isc_mem_strdup(key->mctx, engine); - key->label = isc_mem_strdup(key->mctx, label); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } - RSA_get0_key(rsa, NULL, &ex, NULL); --#else -- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) != -- ISC_R_SUCCESS) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } -- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != -- 1) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - if (ex == NULL) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - ENGINE *e = NULL; - isc_result_t ret = ISC_R_SUCCESS; - EVP_PKEY *pkey = NULL, *pubpkey = NULL; --#if OPENSSL_VERSION_NUMBER < 0x30000000L - RSA *rsa = NULL, *pubrsa = NULL; - const BIGNUM *ex = NULL; --#else -- BIGNUM *ex = NULL; --#endif - - UNUSED(pin); - -@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", - DST_R_OPENSSLFAILURE)); - } --#if OPENSSL_VERSION_NUMBER < 0x30000000L - pubrsa = EVP_PKEY_get1_RSA(pubpkey); - if (pubrsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - pkey = ENGINE_load_private_key(e, label, NULL, NULL); - if (pkey == NULL) { -@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - key->engine = isc_mem_strdup(key->mctx, engine); - key->label = 
isc_mem_strdup(key->mctx, label); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - rsa = EVP_PKEY_get1_RSA(pkey); - if (rsa == NULL) { - DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } - RSA_get0_key(rsa, NULL, &ex, NULL); --#else -- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } -- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) { -- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - - if (ex == NULL) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); -@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - pkey = NULL; - - err: --#if OPENSSL_VERSION_NUMBER < 0x30000000L - if (rsa != NULL) { - RSA_free(rsa); - } - if (pubrsa != NULL) { - RSA_free(pubrsa); - } --#else -- if (ex != NULL) { -- BN_free(ex); -- } --#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ - if (pkey != NULL) { - EVP_PKEY_free(pkey); - } --- -2.37.2 - diff --git a/bind.spec b/bind.spec index 20bb29e..ef86ef1 100644 --- a/bind.spec +++ b/bind.spec @@ -62,8 +62,8 @@ Conflicts: %1 \ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: MPL-2.0 -Version: 9.18.7 -Release: 3%{?dist} +Version: 9.18.8 +Release: 1%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
@@ -99,16 +99,8 @@ Source49: named-chroot.files Patch10: bind-9.5-PIE.patch Patch16: bind-9.16-redhat_doc.patch Patch22: bind-9.11-fips-tests.patch -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385 -# https://bugzilla.redhat.com/show_bug.cgi?id=2122841 -Patch23: bind-9.18-pkcs11-engine-init.patch -Patch24: bind-9.18-pkcs11-engine-compat-api.patch -Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2122010 Patch26: bind-9.18-unittest-netmgr-unstable.patch -# Fix building ARM docs in EPEL9 -# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6815 -Patch27: bind-9.18-doc-arm-rhel9.patch %{?systemd_ordering} Requires: coreutils @@ -957,6 +949,9 @@ fi; %endif %changelog +* Sat Oct 22 2022 Petr Menšík - 32:9.18.8-1 +- Update to 9.18.8 (#2136100) + * Fri Sep 30 2022 Petr Menšík - 32:9.18.7-3 - Update License to SPDX identifier - Enable automatic restart on crashes diff --git a/sources b/sources index 25459e0..10c60a2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (bind-9.18.7.tar.xz) = 2cdceb4125b8759f5225296c6ffecdbb895b0a27dfcfcd98b04b9ad78552d16c16b0452fb823dc47d11cec21d2c6ecb05a107dd3094f8e7419bb9717d68820c5 -SHA512 (bind-9.18.7.tar.xz.asc) = 40030c2259858f1ba7ce4fbcd523025631ed78687ca87863d0f0bcd0fd530d96052e0601808ffa37e59d574a9a9c84bb2ededc66f730b9eaf560a00a6ef29c48 +SHA512 (bind-9.18.8.tar.xz) = ea6cad5276269a320fa1e666544888ed88b9d058ecab56c82aebff24e841a4ad221ce9c1209b1258884d71f7c03eed4d1c6a7e1922780073644344bc939a0e89 +SHA512 (bind-9.18.8.tar.xz.asc) = 06a880eb3af14e760f52ab5bd666b6512487d724a16a0fdf646ad9a07f17249e68a9a59ddf902f9111aee6450d96ed8dfe36d6fb433808f993d9bbc6dd4e665c
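Review bot: The `@@ -99,16 +99,8 @@` hunk in bind.spec drops Patch23–Patch25 (the pkcs11 engine fixes tracked in rhbz#2122841) and Patch27, but neither the new `%changelog` entry in the `@@ -957,6 +949,9 @@` hunk nor the commit message says why. Presumably 9.18.8 already carries the upstream merge requests named in the removed comments (5385 and 6815), but this diff does not show that, so the entry should record it, e.g. `- Drop pkcs11 engine and ARM docs patches included upstream`. The removed patches controlled the ENGINE_init/ENGINE_finish lifetime and the `OPENSSL_API_LEVEL < 30000` guards for engine-backed keys. Before this build ships, confirm that loading RSA and ECDSA keys by label through the pkcs11 engine still works, since a regression there would break signing with HSM-held keys.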