From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 8 Sep 2022 17:19:20 +0200
Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled

OpenSSL has deprecated many things in version 3.0. If pkcs11 engine
should work then no builder from OpenSSL 3.0 API can be used.

Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when
OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow
working keys loading from the engine passed on command line.
---
 lib/dns/openssldh_link.c    | 136 +++++++++++++++++++-----------------
 lib/dns/opensslecdsa_link.c | 119 +++++++++++++++----------------
 lib/dns/opensslrsa_link.c   | 118 +++++++++++++++----------------
 3 files changed, 189 insertions(+), 184 deletions(-)

diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index d5dbc2e889..96c1d523b7 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
 static isc_result_t
 openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 			isc_buffer_t *secret) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dhpub, *dhpriv;
 	const BIGNUM *pub_key = NULL;
 	int secret_len = 0;
@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	EVP_PKEY_CTX *ctx = NULL;
 	EVP_PKEY *dhpub, *dhpriv;
 	size_t secret_len = 0;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	isc_region_t r;
 	unsigned int len;
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	REQUIRE(pub->keydata.dh != NULL);
 	REQUIRE(priv->keydata.dh != NULL);
 
@@ -119,14 +119,14 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	dhpriv = priv->keydata.pkey;
 
 	len = EVP_PKEY_get_size(dhpriv);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	isc_buffer_availableregion(secret, &r);
 	if (r.length < len) {
 		return (ISC_R_NOSPACE);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH_get0_key(dhpub, &pub_key, NULL);
 	secret_len = DH_compute_key(r.base, pub_key, dhpriv);
 	if (secret_len <= 0) {
@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 					       DST_R_COMPUTESECRETFAILURE));
 	}
 	EVP_PKEY_CTX_free(ctx);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	isc_buffer_add(secret, (unsigned int)secret_len);
 
@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 
 static bool
 openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh1, *dh2;
 	const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
 	const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
 	BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
 	BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	dh1 = key1->keydata.dh;
 	dh2 = key2->keydata.dh;
 
@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2);
 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1);
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/
 
 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
 	    BN_cmp(pub_key1, pub_key2) != 0)
@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		}
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p1 != NULL) {
 		BN_free(p1);
 	}
@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	if (priv_key2 != NULL) {
 		BN_clear_free(priv_key2);
 	}
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
+	*/
 
 	return (true);
 }
 
 static bool
 openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh1, *dh2;
 	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
 #else
 	EVP_PKEY *pkey1, *pkey2;
 	BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	dh1 = key1->keydata.dh;
 	dh2 = key2->keydata.dh;
 
@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
 		return (false);
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p1 != NULL) {
 		BN_free(p1);
 	}
@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	if (g2 != NULL) {
 		BN_free(g2);
 	}
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
+	*/
 
 	return (true);
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
 	union {
@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
 	}
 	return (1);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 		void (*fptr)(int);
 	} u;
 	BIGNUM *p = NULL, *g = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh = NULL;
 	BN_GENCB *cb = NULL;
 #if !HAVE_BN_GENCB_NEW
@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	EVP_PKEY_CTX *ctx = NULL;
 	EVP_PKEY *param_pkey = NULL;
 	EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	dh = DH_new();
 	if (dh == NULL) {
 		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
@@ -386,7 +388,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	if (param_ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (generator == 0) {
 		/*
@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 			if (p == NULL || g == NULL) {
 				DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
 			}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 			if (DH_set0_pqg(dh, p, NULL, g) != 1) {
 				DST_RET(dst__openssl_toresult2(
 					"DH_set0_pqg", DST_R_OPENSSLFAILURE));
@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 					DST_R_OPENSSLFAILURE));
 			}
 			params = OSSL_PARAM_BLD_to_param(bld);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 		} else {
 			/*
@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	}
 
 	if (generator != 0) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 		cb = BN_GENCB_new();
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 		if (cb == NULL) {
@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 						       DST_R_OPENSSLFAILURE));
 		}
 		params = OSSL_PARAM_BLD_to_param(bld);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (DH_generate_key(dh) == 0) {
 		DST_RET(dst__openssl_toresult2("DH_generate_key",
 					       DST_R_OPENSSLFAILURE));
@@ -557,12 +559,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	ret = ISC_R_SUCCESS;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (dh != NULL) {
 		DH_free(dh);
 	}
@@ -594,14 +596,14 @@ err:
 	if (g != NULL) {
 		BN_free(g);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
 
 static bool
 openssldh_isprivate(const dst_key_t *key) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh = key->keydata.dh;
 	const BIGNUM *priv_key = NULL;
 
@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) {
 	}
 
 	return (ret);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 }
 
 static void
 openssldh_destroy(dst_key_t *key) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh = key->keydata.dh;
 
 	if (dh == NULL) {
@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) {
 
 	EVP_PKEY_free(pkey);
 	key->keydata.pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 }
 
 static void
@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) {
 
 static isc_result_t
 openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh;
 	const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
 #else
 	EVP_PKEY *pkey;
 	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	isc_region_t r;
 	uint16_t dnslen, plen, glen, publen;
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	REQUIRE(key->keydata.dh != NULL);
 
 	dh = key->keydata.dh;
@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	isc_buffer_availableregion(data, &r);
 
@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_add(data, dnslen);
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p != NULL) {
 		BN_free(p);
 	}
@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 	if (pub_key != NULL) {
 		BN_free(pub_key);
 	}
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
+	*/
 
 	return (ISC_R_SUCCESS);
 }
@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	isc_result_t ret;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh;
 #else
 	OSSL_PARAM_BLD *bld = NULL;
 	OSSL_PARAM *params = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
 	EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
 	int key_size;
 	isc_region_t r;
@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		return (ISC_R_SUCCESS);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	dh = DH_new();
 	if (dh == NULL) {
 		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	/*
 	 * Read the prime length.  1 & 2 are table entries, > 16 means a
@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	key_size = BN_num_bits(p);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (DH_set0_pqg(dh, p, NULL, g) != 1) {
 		DST_RET(dst__openssl_toresult2("DH_set0_pqg",
 					       DST_R_OPENSSLFAILURE));
@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
 					       DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (r.length < 2) {
 		DST_RET(DST_R_INVALIDPUBLICKEY);
@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_forward(data, plen + glen + publen + 6);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
 	(LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
 	/*
@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	key->key_size = (unsigned int)key_size;
 
 	ret = ISC_R_SUCCESS;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (dh != NULL) {
 		DH_free(dh);
 	}
@@ -975,7 +978,7 @@ err:
 	if (bld != NULL) {
 		OSSL_PARAM_BLD_free(bld);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	if (p != NULL) {
 		BN_free(p);
 	}
@@ -991,13 +994,13 @@ err:
 
 static isc_result_t
 openssldh_tofile(const dst_key_t *key, const char *directory) {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh;
 	const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
 #else
 	EVP_PKEY *pkey;
 	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	dst_private_t priv;
 	unsigned char *bufs[4] = { NULL };
 	unsigned short i = 0;
@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 		return (DST_R_EXTERNALKEY);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (key->keydata.dh == NULL) {
 		return (DST_R_NULLKEY);
 	}
@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	priv.elements[i].tag = TAG_DH_PRIME;
 	priv.elements[i].length = BN_num_bytes(p);
@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 		}
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 	if (p != NULL) {
 		BN_free(p);
 	}
@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 	if (priv_key != NULL) {
 		BN_clear_free(priv_key);
 	}
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
+	*/
 
 	return (result);
 }
@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	DH *dh = NULL;
 #else
 	OSSL_PARAM_BLD *bld = NULL;
 	OSSL_PARAM *params = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
 	EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
 	int key_size = 0;
 	isc_mem_t *mctx;
@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		DST_RET(DST_R_EXTERNALKEY);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	dh = DH_new();
 	if (dh == NULL) {
 		DST_RET(ISC_R_NOMEMORY);
@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	if (ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	for (i = 0; i < priv.nelements; i++) {
 		BIGNUM *bn;
@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (DH_set0_key(dh, pub_key, priv_key) != 1) {
 		DST_RET(dst__openssl_toresult2("DH_set0_key",
 					       DST_R_OPENSSLFAILURE));
@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	key->key_size = (unsigned int)key_size;
 	ret = ISC_R_SUCCESS;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (dh != NULL) {
 		DH_free(dh);
 	}
@@ -1225,7 +1229,7 @@ err:
 	if (bld != NULL) {
 		OSSL_PARAM_BLD_free(bld);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	if (p != NULL) {
 		BN_free(p);
 	}
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 519e88b7e7..04f0d80b5e 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -17,14 +17,14 @@
 
 #include <openssl/bn.h>
 #include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 #include <openssl/core_names.h>
 #endif
 #include <openssl/ecdsa.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 #include <openssl/param_build.h>
 #endif
 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
@@ -57,7 +57,7 @@
 		goto err; \
 	}
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 static isc_result_t
 raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
 		size_t key_len, EVP_PKEY **pkey) {
@@ -159,7 +159,8 @@ err:
 
 	return (ret);
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
+	*/
 
 static isc_result_t
 opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	bool ret;
 	EVP_PKEY *pkey1 = key1->keydata.pkey;
 	EVP_PKEY *pkey2 = key2->keydata.pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey1 = NULL;
 	EC_KEY *eckey2 = NULL;
 	const BIGNUM *priv1;
@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 #else
 	BIGNUM *priv1 = NULL;
 	BIGNUM *priv2 = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (pkey1 == NULL && pkey2 == NULL) {
 		return (true);
@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		DST_RET(false);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
 	eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
 	if (eckey1 == NULL && eckey2 == NULL) {
@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 #else
 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1);
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (priv1 != NULL || priv2 != NULL) {
 		if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0)
@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	ret = true;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (eckey1 != NULL) {
 		EC_KEY_free(eckey1);
 	}
@@ -471,7 +472,7 @@ err:
 	if (priv2 != NULL) {
 		BN_clear_free(priv2);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	isc_result_t ret;
 	int status;
 	EVP_PKEY *pkey = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey = NULL;
 #else
 	EVP_PKEY_CTX *ctx = NULL;
 	EVP_PKEY *params_pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	int group_nid;
 
 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	eckey = EC_KEY_new_by_curve_name(group_nid);
 	if (eckey == NULL) {
 		DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name",
@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
 					       DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
@@ -573,7 +574,7 @@ err:
 	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (eckey != NULL) {
 		EC_KEY_free(eckey);
 	}
@@ -584,7 +585,7 @@ err:
 	if (ctx != NULL) {
 		EVP_PKEY_CTX_free(ctx);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
@@ -593,11 +594,11 @@ static bool
 opensslecdsa_isprivate(const dst_key_t *key) {
 	bool ret;
 	EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey;
 #else
 	BIGNUM *priv = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
 		key->key_alg == DST_ALG_ECDSA384);
@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
 		return (false);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
 
 	ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
 	if (priv != NULL) {
 		BN_clear_free(priv);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
@@ -640,7 +641,7 @@ static isc_result_t
 opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	isc_result_t ret;
 	EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey = NULL;
 	int len;
 	unsigned char *cp;
@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	BIGNUM *y = NULL;
 	size_t keysize = 0;
 	size_t len = 0;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	isc_region_t r;
 	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
 
@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 	pkey = key->keydata.pkey;
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
 	if (eckey == NULL) {
 		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	len = keysize;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	isc_buffer_availableregion(data, &r);
 	if (r.length < (unsigned int)len) {
 		DST_RET(ISC_R_NOSPACE);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	cp = buf;
 	if (!i2o_ECPublicKey(eckey, &cp)) {
 		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	BN_bn2bin_fixed(x, &buf[0], keysize / 2);
 	BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2);
 	memmove(r.base, buf, len);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	isc_buffer_add(data, len);
 	ret = ISC_R_SUCCESS;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (eckey != NULL) {
 		EC_KEY_free(eckey);
 	}
@@ -721,7 +722,7 @@ err:
 	if (y != NULL) {
 		BN_clear_free(y);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	isc_result_t ret;
 	EVP_PKEY *pkey = NULL;
 	isc_region_t r;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey = NULL;
 	const unsigned char *cp;
 	unsigned int len;
@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	int group_nid;
 #else
 	size_t len;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
 		key->key_alg == DST_ALG_ECDSA384);
@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		DST_RET(DST_R_INVALIDPUBLICKEY);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (key->key_alg == DST_ALG_ECDSA256) {
 		group_nid = NID_X9_62_prime256v1;
 	} else {
@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (ret != ISC_R_SUCCESS) {
 		DST_RET(ret);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	isc_buffer_forward(data, len);
 	key->keydata.pkey = pkey;
@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	ret = ISC_R_SUCCESS;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (eckey != NULL) {
 		EC_KEY_free(eckey);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	return (ret);
 }
 
@@ -814,13 +815,13 @@ static isc_result_t
 opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
 	isc_result_t ret;
 	EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey = NULL;
 	const BIGNUM *privkey = NULL;
 #else
 	int status;
 	BIGNUM *privkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	dst_private_t priv;
 	unsigned char *buf = NULL;
 	unsigned short i;
@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
 	}
 
 	pkey = key->keydata.pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
 	if (eckey == NULL) {
 		DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY",
@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
 		DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param",
 					       DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
 
@@ -888,7 +889,7 @@ err:
 	if (buf != NULL && privkey != NULL) {
 		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (eckey != NULL) {
 		EC_KEY_free(eckey);
 	}
@@ -896,12 +897,12 @@ err:
 	if (privkey != NULL) {
 		BN_clear_free(privkey);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 static isc_result_t
 ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) {
 	const EC_POINT *pubkey;
@@ -1065,9 +1066,9 @@ err:
 
 	return (ret);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 static isc_result_t
 load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv,
 			     int privkey_index) {
@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) {
 	}
 	return (ISC_R_SUCCESS);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 static isc_result_t
 finalize_eckey(dst_key_t *key,
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	       EC_KEY *eckey,
 #endif
 	       const char *engine, const char *label) {
 	isc_result_t result = ISC_R_SUCCESS;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EVP_PKEY *pkey = NULL;
 
 	REQUIRE(eckey != NULL);
@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key,
 	}
 
 	key->keydata.pkey = pkey;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (label != NULL) {
 		key->label = isc_mem_strdup(key->mctx, label);
@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key,
 	return (result);
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 static isc_result_t
 dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
 	int group_nid;
@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
 
 	return (ISC_R_SUCCESS);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 static isc_result_t
 opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
@@ -1173,10 +1174,10 @@ static isc_result_t
 opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	EC_KEY *eckey = NULL;
 	EC_KEY *pubeckey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	const char *engine = NULL;
 	const char *label = NULL;
 	int i, privkey_index = -1;
@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 			goto err;
 		}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 		eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey);
 		if (eckey == NULL) {
 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 		}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	} else {
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 		ret = dst__key_to_eckey(key, &eckey);
 		if (ret != ISC_R_SUCCESS) {
 			goto err;
@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 				      priv.elements[privkey_index].data,
 				      priv.elements[privkey_index].length,
 				      &key->keydata.pkey);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 		if (ret != ISC_R_SUCCESS) {
 			goto err;
@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		finalize_key = true;
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (pub != NULL && pub->keydata.pkey != NULL) {
 		pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey);
 	}
@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	if (finalize_key) {
 		ret = finalize_eckey(key, engine, label);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (pubeckey != NULL) {
 		EC_KEY_free(pubeckey);
 	}
 	if (eckey != NULL) {
 		EC_KEY_free(eckey);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	if (ret != ISC_R_SUCCESS) {
 		key->keydata.generic = NULL;
 	}
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index fc905b7d60..867b486a2f 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -18,7 +18,7 @@
 
 #include <openssl/bn.h>
 #include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 #include <openssl/core_names.h>
 #endif
 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
@@ -26,7 +26,7 @@
 #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 #include <openssl/err.h>
 #include <openssl/objects.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 #include <openssl/param_build.h>
 #endif
 #include <openssl/rsa.h>
@@ -180,12 +180,12 @@ static isc_result_t
 opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 	dst_key_t *key = dctx->key;
 	int status = 0;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa;
 	const BIGNUM *e = NULL;
 #else
 	BIGNUM *e = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 	EVP_PKEY *pkey = key->keydata.pkey;
 	int bits;
@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 		dctx->key->key_alg == DST_ALG_RSASHA256 ||
 		dctx->key->key_alg == DST_ALG_RSASHA512);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	if (rsa == NULL) {
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 	}
 	bits = BN_num_bits(e);
 	BN_free(e);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (bits > maxbits && maxbits != 0) {
 		return (DST_R_VERIFYFAILURE);
@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	EVP_PKEY *pkey1 = key1->keydata.pkey;
 	EVP_PKEY *pkey2 = key2->keydata.pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa1 = NULL;
 	RSA *rsa2 = NULL;
 	const BIGNUM *d1 = NULL, *d2 = NULL;
@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	BIGNUM *d1 = NULL, *d2 = NULL;
 	BIGNUM *p1 = NULL, *p2 = NULL;
 	BIGNUM *q1 = NULL, *q2 = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (pkey1 == NULL && pkey2 == NULL) {
 		return (true);
@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		DST_RET(false);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa1 = EVP_PKEY_get1_RSA(pkey1);
 	rsa2 = EVP_PKEY_get1_RSA(pkey2);
 	if (rsa1 == NULL && rsa2 == NULL) {
@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 #else
 	EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1);
 	EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (d1 != NULL || d2 != NULL) {
 		if (d1 == NULL || d2 == NULL) {
 			DST_RET(false);
 		}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 		RSA_get0_factors(rsa1, &p1, &q1);
 		RSA_get0_factors(rsa2, &p2, &q2);
 #else
@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1);
 		EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2);
 		EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 		if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 ||
 		    BN_cmp(q1, q2) != 0) {
@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	ret = true;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (rsa1 != NULL) {
 		RSA_free(rsa1);
 	}
@@ -332,12 +332,12 @@ err:
 	if (q2 != NULL) {
 		BN_clear_free(q2);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
 	union {
@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
 	}
 	return (1);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		void (*fptr)(int);
 	} u;
 	BIGNUM *e = BN_new();
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa = RSA_new();
 	EVP_PKEY *pkey = EVP_PKEY_new();
 #if !HAVE_BN_GENCB_NEW
@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #else
 	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
 	EVP_PKEY *pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	if (e == NULL || ctx == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	/*
 	 * Reject incorrect RSA key lengths.
@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		BN_set_bit(e, 32);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
 					       DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
@@ -486,7 +486,7 @@ err:
 	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (rsa != NULL) {
 		RSA_free(rsa);
 	}
@@ -497,7 +497,7 @@ err:
 	if (ctx != NULL) {
 		EVP_PKEY_CTX_free(ctx);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	if (e != NULL) {
 		BN_free(e);
 	}
@@ -508,12 +508,12 @@ static bool
 opensslrsa_isprivate(const dst_key_t *key) {
 	bool ret;
 	EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa;
 	const BIGNUM *d = NULL;
 #else
 	BIGNUM *d = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
 		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
 		return (false);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	INSIST(rsa != NULL);
 
@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
 	if (d != NULL) {
 		BN_clear_free(d);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	unsigned int mod_bytes;
 	isc_result_t ret;
 	EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa;
 	const BIGNUM *e = NULL, *n = NULL;
 #else
 	BIGNUM *e = NULL, *n = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	REQUIRE(key->keydata.pkey != NULL);
 
 	pkey = key->keydata.pkey;
 	isc_buffer_availableregion(data, &r);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	if (rsa == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	if (e == NULL || n == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	mod_bytes = BN_num_bytes(n);
 	e_bytes = BN_num_bytes(e);
@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 	ret = ISC_R_SUCCESS;
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (rsa != NULL) {
 		RSA_free(rsa);
 	}
@@ -632,7 +632,7 @@ err:
 	if (n != NULL) {
 		BN_free(n);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	return (ret);
 }
 
@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	isc_region_t r;
 	unsigned int e_bytes;
 	unsigned int length;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa = NULL;
 #else
 	OSSL_PARAM_BLD *bld = NULL;
 	OSSL_PARAM *params = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	EVP_PKEY *pkey = NULL;
 	BIGNUM *e = NULL, *n = NULL;
 
@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_forward(data, length);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = RSA_new();
 	if (rsa == NULL) {
 		DST_RET(dst__openssl_toresult2("RSA_new",
@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
 					       DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	key->keydata.pkey = pkey;
 	pkey = NULL;
@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 err:
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (rsa != NULL) {
 		RSA_free(rsa);
 	}
@@ -771,7 +771,7 @@ err:
 	if (bld != NULL) {
 		OSSL_PARAM_BLD_free(bld);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	if (n != NULL) {
 		BN_free(n);
 	}
@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	unsigned char *bufs[8] = { NULL };
 	unsigned short i = 0;
 	EVP_PKEY *pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa = NULL;
 	const BIGNUM *n = NULL, *e = NULL, *d = NULL;
 	const BIGNUM *p = NULL, *q = NULL;
@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	BIGNUM *n = NULL, *e = NULL, *d = NULL;
 	BIGNUM *p = NULL, *q = NULL;
 	BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (key->keydata.pkey == NULL) {
 		DST_RET(DST_R_NULLKEY);
@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	}
 
 	pkey = key->keydata.pkey;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	if (rsa == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1);
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp);
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (n == NULL || e == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -935,7 +935,7 @@ err:
 				    priv.elements[i].length);
 		}
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA_free(rsa);
 #else
 	if (n != NULL) {
@@ -962,12 +962,12 @@ err:
 	if (iqmp != NULL) {
 		BN_clear_free(iqmp);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	return (ret);
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 static isc_result_t
 rsa_check(RSA *rsa, RSA *pub) {
 	const BIGNUM *n1 = NULL, *n2 = NULL;
@@ -1079,14 +1079,14 @@ err:
 
 	return (ret);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 static isc_result_t
 opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	dst_private_t priv;
 	isc_result_t ret;
 	int i;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa = NULL, *pubrsa = NULL;
 	const BIGNUM *ex = NULL;
 #else
@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	OSSL_PARAM *params = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
 	BIGNUM *ex = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	ENGINE *ep = NULL;
 #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		DST_RET(ISC_R_SUCCESS);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (pub != NULL && pub->keydata.pkey != NULL) {
 		pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	for (i = 0; i < priv.nelements; i++) {
 		switch (priv.elements[i].tag) {
@@ -1249,7 +1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = RSA_new();
 	if (rsa == NULL) {
 		DST_RET(ISC_R_NOMEMORY);
@@ -1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	    ISC_R_SUCCESS) {
 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 
 	if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
 		DST_RET(ISC_R_RANGE);
@@ -1375,7 +1375,7 @@ err:
 	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (rsa != NULL) {
 		RSA_free(rsa);
 	}
@@ -1419,7 +1419,7 @@ err:
 	if (iqmp != NULL) {
 		BN_clear_free(iqmp);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 	if (ret != ISC_R_SUCCESS) {
 		key->keydata.generic = NULL;
 	}
@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) {
 	int status;
 	isc_result_t ret = ISC_R_SUCCESS;
 	size_t len;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	RSA *rsa = NULL;
 #else
 	OSSL_PARAM *params = NULL;
@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) {
 		DST_RET(ISC_R_NOMEMORY);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	rsa = RSA_new();
 	if (rsa == NULL) {
 		DST_RET(dst__openssl_toresult2("RSA_new",
@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) {
 err:
 	BN_free(e);
 	BN_free(n);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
 	if (rsa != NULL) {
 		RSA_free(rsa);
 	}
-- 
2.37.2