From 056fe70b7c59a3bea446993ec80f5ea71042c15c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 14 Sep 2022 20:51:22 +0200
Subject: [PATCH] Sync with rawhide
---
 .fmf/version | 1 +
 .gitignore | 100 +-
 Changes.md | 45 +-
 bind-9.11-fips-tests.patch | 256 +--
 bind-9.16-redhat_doc.patch | 15 +-
 bind-9.18-pkcs11-engine-compat-api.patch | 1554 +++++++++++++++++
 bind-9.18-pkcs11-engine-init.patch | 48 +
 bind-9.18-pkcs11-engine-remove-deadcode.patch | 245 +++
 bind-9.18-unittest-netmgr-unstable.patch | 75 +
 bind-9.5-PIE.patch | 13 +-
 bind9-next.spec | 409 +++--
 ci.fmf | 1 +
 gating.yaml | 16 +
 generate-rndc-key.sh | 18 +-
 plans/all.fmf | 6 +
 plans/tier1-public.fmf | 7 +
 sources | 4 +-
 17 files changed, 2444 insertions(+), 369 deletions(-)
 create mode 100644 .fmf/version
 create mode 100644 bind-9.18-pkcs11-engine-compat-api.patch
 create mode 100644 bind-9.18-pkcs11-engine-init.patch
 create mode 100644 bind-9.18-pkcs11-engine-remove-deadcode.patch
 create mode 100644 bind-9.18-unittest-netmgr-unstable.patch
 create mode 100644 ci.fmf
 create mode 100644 gating.yaml
 create mode 100644 plans/all.fmf
 create mode 100644 plans/tier1-public.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index 1692d2a..2e6cd23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,7 +92,6 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.5-P4.tar.gz
 /bind-9.11.6.tar.gz
 /bind-9.11.6-P1.tar.gz
-/bind-9.14.4.tar.gz
 /bind-9.11.7.tar.gz
 /bind-9.11.8.tar.gz
 /bind-9.11.9.tar.gz
@@ -103,18 +102,91 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.13.tar.gz.asc
 /bind-9.11.14.tar.gz
 /bind-9.11.14.tar.gz.asc
+/bind-9.11.17.tar.gz
+/bind-9.11.17.tar.gz.asc
+/bind-9.11.18.tar.gz
+/bind-9.11.18.tar.gz.asc
+/bind-9.11.19.tar.gz
+/bind-9.11.19.tar.gz.asc
+/bind-9.11.20.tar.gz
+/bind-9.11.20.tar.gz.asc
+/bind-9.11.21.tar.gz
+/bind-9.11.21.tar.gz.asc
+/bind-9.11.22.tar.gz
+/bind-9.11.22.tar.gz.asc
+/bind-9.11.23.tar.gz
+/bind-9.11.23.tar.gz.asc
+/bind-9.11.24.tar.gz
+/bind-9.11.24.tar.gz.asc
+/bind-9.11.25.tar.gz
+/bind-9.11.25.tar.gz.asc
+/bind-9.11.26.tar.gz
+/bind-9.11.26.tar.gz.asc
 /bind-9.16.1.tar.xz
 /bind-9.16.1.tar.xz.asc
-/bind-9.17.0.tar.xz
-/bind-9.17.0.tar.xz.asc
-/bind-9.17.4.tar.xz
-/bind-9.17.4.tar.xz.asc
-/bind-9.17.15.tar.xz
-/bind-9.17.15.tar.xz.asc
-/bind-9.17.20.tar.xz
-/bind-9.17.20.tar.xz.asc
-/isc-logo.pdf
-/bind-9.17.21.tar.xz
-/bind-9.17.21.tar.xz.asc
-/bind-9.17.22.tar.xz
-/bind-9.17.22.tar.xz.asc
+/bind-9.16.2.tar.xz
+/bind-9.16.2.tar.xz.asc
+/bind-9.16.4.tar.xz
+/bind-9.16.4.tar.xz.asc
+/bind-9.16.5.tar.xz
+/bind-9.16.5.tar.xz.asc
+/bind-9.16.6.tar.xz
+/bind-9.16.6.tar.xz.asc
+/bind-9.16.7.tar.xz
+/bind-9.16.7.tar.xz.asc
+/bind-9.16.8.tar.xz
+/bind-9.16.8.tar.xz.asc
+/bind-9.16.9.tar.xz
+/bind-9.16.9.tar.xz.asc
+/bind-9.16.10.tar.xz
+/bind-9.16.10.tar.xz.asc
+/bind-9.16.11.tar.xz
+/bind-9.16.11.tar.xz.asc
+/bind-9.16.13.tar.xz
+/bind-9.16.13.tar.xz.asc
+/bind-9.16.15.tar.xz
+/bind-9.16.15.tar.xz.asc
+/bind-9.16.16.tar.xz
+/bind-9.16.16.tar.xz.asc
+/bind-9.16.17.tar.xz
+/bind-9.16.17.tar.xz.asc
+/bind-9.16.18.tar.xz
+/bind-9.16.18.tar.xz.asc
+/bind-9.16.19.tar.xz
+/bind-9.16.19.tar.xz.asc
+/bind-9.16.20.tar.xz
+/bind-9.16.20.tar.xz.asc
+/bind-9.16.21.tar.xz
+/bind-9.16.21.tar.xz.asc
+/bind-9.16.22.tar.xz
+/bind-9.16.22.tar.xz.asc
+/bind-9.16.23.tar.xz
+/bind-9.16.23.tar.xz.asc
+/bind-9.16.24.tar.xz
+/bind-9.16.24.tar.xz.asc
+/bind-9.16.25.tar.xz
+/bind-9.16.25.tar.xz.asc
+/bind-9.16.26.tar.xz
+/bind-9.16.26.tar.xz.asc
+/bind-9.16.27.tar.xz
+/bind-9.16.27.tar.xz.asc
+/bind-9.16.28.tar.xz
+/bind-9.16.28.tar.xz.asc
+/bind-9.16.29.tar.xz
+/bind-9.16.29.tar.xz.asc
+/bind-9.16.30.tar.xz
+/bind-9.16.30.tar.xz.asc
+/bind-9.18.0.tar.xz
+/bind-9.18.0.tar.xz.asc
+/bind-9.18.1.tar.xz
+/bind-9.18.1.tar.xz.asc
+/bind-9.18.2.tar.xz
+/bind-9.18.2.tar.xz.asc
+/bind-9.18.3.tar.xz
+/bind-9.18.3.tar.xz.asc
+/bind-9.18.4.tar.xz
+/bind-9.18.4.tar.xz.asc
+/bind-9.18.5.tar.xz
+/bind-9.18.5.tar.xz.asc
+/bind-9.18.6.tar.xz
+/bind-9.18.6.tar.xz.asc
diff --git a/Changes.md b/Changes.md
index 91e17b4..6661034 100644
--- a/Changes.md
+++ b/Changes.md
@@ -1,12 +1,43 @@ -= Changes in BIND9 package = +# Significant Changes in BIND9 package -== 9.14 == +## BIND 9.16 -- single thread support removed. Cannot provide bind-export-libs for DHCP -- lwres support completely removed. Both daemon and library -- common parts of daemon moved into libns shared library +### New features + +- *libuv* is used for network subsystem as a mandatory dependency +- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy + ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP))) +- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors* +- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format +- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output + +### Feature changes + +- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together. +- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default +- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default). + Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed. +- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them + +### Features removed + +- *dnssec-enable* option is obsolete, DNSSEC support is always enabled +- *dnssec-lookaside* option is deprecated and support for it removed from all tools +- *cleaning-interval* option is removed + +### Upstream release notes + +- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10) +- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0) + +## BIND 9.14 + +- single thread support removed. Cannot provide *bind-export-libs* for DHCP +- *lwres* support completely removed. 
Both daemon and library +- common parts of daemon moved into *libns* shared library - introduced plugin for filtering aaaa responses - some SDB utilities no longer supported -=== 9.14.7 === -[notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html) +### Upstream release notes + +- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html) diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index a91a083..ea38410 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From 22a56b67a27b0ab63050ce6a287a15df6ac96f94 Mon Sep 17 00:00:00 2001 +From 09030b066846a9b7252b5cb4f483d4a55b4639fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -81,21 +81,23 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 11 +++- + bin/tests/system/nsupdate/tests.sh | 11 ++- bin/tests/system/rndc/setup.sh | 2 +- - bin/tests/system/rndc/tests.sh | 22 ++++--- + bin/tests/system/rndc/tests.sh | 22 +++--- bin/tests/system/tsig/ns1/named.conf.in | 10 +-- + bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ bin/tests/system/tsig/setup.sh | 5 ++ - bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- + bin/tests/system/tsig/tests.sh | 67 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 31 files changed, 148 insertions(+), 105 deletions(-) + 32 files changed, 159 insertions(+), 106 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 60f22e1..249f672 100644 +index 745048a..93cb411 100644 --- a/bin/tests/system/acl/ns2/named1.conf.in 
+++ b/bin/tests/system/acl/ns2/named1.conf.in -@@ -33,12 +33,12 @@ options { +@@ -35,12 +35,12 @@ options { }; key one { @@ -111,10 +113,10 @@ index 60f22e1..249f672 100644 }; diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index ada97bc..f82d858 100644 +index 21aa991..78e71cc 100644 --- a/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in -@@ -33,12 +33,12 @@ options { +@@ -35,12 +35,12 @@ options { }; key one { @@ -130,10 +132,10 @@ index ada97bc..f82d858 100644 }; diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 97684e4..de6a2e9 100644 +index 3208c92..bed6325 100644 --- a/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in -@@ -33,17 +33,17 @@ options { +@@ -35,17 +35,17 @@ options { }; key one { @@ -155,28 +157,9 @@ index 97684e4..de6a2e9 100644 }; diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 462b3fa..994b35c 100644 +index 14e82ed..a22cafe 100644 --- a/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in -@@ -33,12 +33,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 728da58..8f00d09 100644 ---- a/bin/tests/system/acl/ns2/named5.conf.in -+++ b/bin/tests/system/acl/ns2/named5.conf.in @@ -35,12 +35,12 @@ options { }; 
@@ -192,11 +175,30 @@ index 728da58..8f00d09 100644 secret "1234abcd8765"; }; +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index f43f33c..f4a865a 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -37,12 +37,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index a48f868..fab277b 100644 +index ad98fa1..7a7ff4a 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh -@@ -21,14 +21,14 @@ echo_i "testing basic ACL processing" +@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing" # key "one" should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -213,7 +215,7 @@ index a48f868..fab277b 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } copy_setports ns2/named2.conf.in ns2/named.conf -@@ -38,18 +38,18 @@ sleep 5 +@@ -40,18 +40,18 @@ sleep 5 # prefix 10/8 should fail t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -235,7 +237,7 @@ index a48f868..fab277b 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } echo_i "testing nested ACL processing" -@@ -61,31 +61,31 @@ sleep 5 +@@ -63,31 +63,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -272,7 +274,7 @@ index a48f868..fab277b 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } t=`expr $t + 1` -@@ -96,7 +96,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 +@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 # and other values? right out t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ 
@@ -281,7 +283,7 @@ index a48f868..fab277b 100644 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two -@@ -107,31 +107,31 @@ sleep 5 +@@ -109,31 +109,31 @@ sleep 5 # should succeed t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ @@ -319,10 +321,10 @@ index a48f868..fab277b 100644 echo_i "testing allow-query-on ACL processing" diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 7d43e36..f7b25f9 100644 +index b91d19a..7d777c2 100644 --- a/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -332,10 +334,10 @@ index 7d43e36..f7b25f9 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 2952518..121557e 100644 +index 308c4ca..00f6f40 100644 --- a/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -10,12 +10,12 @@ +@@ -12,12 +12,12 @@ */ key one { @@ -351,10 +353,10 @@ index 2952518..121557e 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 0c01071..ceabbb5 100644 +index 6b0fe55..491e514 100644 --- a/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -364,10 +366,10 @@ index 0c01071..ceabbb5 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index 4c17292..9cd9d1f 100644 +index aefc474..7c06596 100644 --- a/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -377,10 +379,10 @@ index 4c17292..9cd9d1f 100644 }; 
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index a2690a4..f488730 100644 +index 27eccc2..eecb990 100644 --- a/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -10,12 +10,12 @@ +@@ -12,12 +12,12 @@ */ key one { @@ -396,10 +398,10 @@ index a2690a4..f488730 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index a0708c8..51fa457 100644 +index adbb203..744d122 100644 --- a/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key one { @@ -409,10 +411,10 @@ index a0708c8..51fa457 100644 }; diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index 687768e..d24d6d2 100644 +index 364f94b..9518f82 100644 --- a/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; +@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; }; acl badaccept { 10.53.0.1; }; key one { @@ -428,10 +430,10 @@ index 687768e..d24d6d2 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index c0398fe..cc1962a 100644 +index bbffe07..80da0fe 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -198,7 +198,7 @@ rndc_reload ns2 10.53.0.2 +@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 
@@ -440,7 +442,7 @@ index c0398fe..cc1962a 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -211,7 +211,7 @@ rndc_reload ns2 10.53.0.2 +@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 @@ -449,7 +451,7 @@ index c0398fe..cc1962a 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -225,7 +225,7 @@ rndc_reload ns2 10.53.0.2 +@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 @@ -458,7 +460,7 @@ index c0398fe..cc1962a 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -364,7 +364,7 @@ rndc_reload ns2 10.53.0.2 +@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 @@ -467,7 +469,7 @@ index c0398fe..cc1962a 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -377,7 +377,7 @@ rndc_reload ns2 10.53.0.2 +@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 @@ -476,7 +478,7 @@ index c0398fe..cc1962a 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -391,7 +391,7 @@ rndc_reload ns2 10.53.0.2 +@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 
@@ -485,7 +487,7 @@ index c0398fe..cc1962a 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -531,7 +531,7 @@ status=`expr $status + $ret` +@@ -533,7 +533,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 @@ -494,7 +496,7 @@ index c0398fe..cc1962a 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -541,7 +541,7 @@ status=`expr $status + $ret` +@@ -543,7 +543,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 @@ -503,7 +505,7 @@ index c0398fe..cc1962a 100644 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 -@@ -552,7 +552,7 @@ status=`expr $status + $ret` +@@ -554,7 +554,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 @@ -513,10 +515,10 @@ index c0398fe..cc1962a 100644 grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 1218669..e62715e 100644 +index 1421281..424afb8 100644 --- a/bin/tests/system/catz/ns1/named.conf.in +++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -61,5 +61,5 @@ zone "catalog4.example" { +@@ -122,5 +122,5 @@ view "ch" ch { key tsig_key. { secret "LSAnCU+Z"; @@ -524,10 +526,10 @@ index 1218669..e62715e 100644 + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e..e57c308 100644 +index 4af25b0..9f202d5 100644 
--- a/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf -@@ -11,7 +11,7 @@ +@@ -13,7 +13,7 @@ /* Bad secret */ key "badtsig" { @@ -537,10 +539,10 @@ index 21be03e..e57c308 100644 }; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index 2373425..7b87b04 100644 +index 897dc86..e4b6dc1 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf -@@ -268,6 +268,6 @@ dyndb "name" "library.so" { +@@ -270,6 +270,6 @@ dyndb "name" "library.so" { system; }; key "mykey" { @@ -549,10 +551,10 @@ index 2373425..7b87b04 100644 secret "qwertyuiopasdfgh"; }; diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 72c09ae..4095d92 100644 +index 3435c91..aaaa264 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c -@@ -14,6 +14,7 @@ +@@ -17,6 +17,7 @@ #include #include @@ -560,7 +562,7 @@ index 72c09ae..4095d92 100644 #include #include #include -@@ -129,6 +130,19 @@ main(int argc, char **argv) { +@@ -133,6 +134,19 @@ main(int argc, char **argv) { #endif } @@ -581,10 +583,10 @@ index 72c09ae..4095d92 100644 #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) int s; diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 1ee8df4..2b75d9a 100644 +index 5cab276..d4a7bf3 100644 --- a/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in -@@ -10,17 +10,17 @@ +@@ -12,17 +12,17 @@ */ key "a" { @@ -606,10 +608,10 @@ index 1ee8df4..2b75d9a 100644 }; diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index e8a00ea..978082c 100644 +index 04fd34b..e5476ea 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh -@@ -211,16 +211,16 @@ ret=0 +@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig" $NSUPDATE << EOF server 10.53.0.5 ${PORT} zone x21 
@@ -618,22 +620,23 @@ index e8a00ea..978082c 100644 update add added.x21 0 in txt "test string" send EOF - +@@ -187,9 +187,9 @@ fnb="dig.out.b.ns5.test$n" + fnc="dig.out.c.ns5.test$n" for i in 1 2 3 4 5 6 7 8 9 do -- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ - txt > dig.out.b.ns5.test$n || ret=1 -- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ - txt > dig.out.c.ns5.test$n || ret=1 - grep "test string" dig.out.b.ns5.test$n > /dev/null && - grep "test string" dig.out.c.ns5.test$n > /dev/null && +- dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > "$fnb" || ret=1 +- dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > "$fnc" || ret=1 + grep "test string" "$fnb" > /dev/null && + grep "test string" "$fnc" > /dev/null && diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index b51e700..436c97d 100644 +index 81d0c99..effbe2e 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -37,7 +37,7 @@ controls { +@@ -39,7 +39,7 @@ controls { }; key altkey { @@ -643,10 +646,10 @@ index b51e700..436c97d 100644 }; diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index da6b3b4..c547e47 100644 +index f1a1735..da2b3d1 100644 --- a/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -32,7 +32,7 @@ controls { +@@ -34,7 +34,7 @@ controls { }; key altkey { @@ -656,10 +659,10 @@ index da6b3b4..c547e47 100644 }; 
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index be8c7f8..e465216 100644 +index 50056dc..a4a1a3f 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh -@@ -70,7 +70,11 @@ EOF +@@ -72,7 +72,11 @@ EOF $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key @@ -673,10 +676,10 @@ index be8c7f8..e465216 100644 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 7b9c0e6..26e6b01 100755 +index 0863d0a..559def7 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -823,7 +823,14 @@ fi +@@ -841,7 +841,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" @@ -692,7 +695,7 @@ index 7b9c0e6..26e6b01 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -831,7 +838,7 @@ send +@@ -849,7 +856,7 @@ send END done sleep 2 @@ -702,10 +705,10 @@ index 7b9c0e6..26e6b01 100755 done if [ $ret -ne 0 ]; then diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index b7721a3..0204e4d 100644 +index 4dd6fa7..1b79263 100644 --- a/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh -@@ -45,7 +45,7 @@ make_key () { +@@ -47,7 +47,7 @@ make_key () { sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf } @@ -715,10 +718,10 @@ index b7721a3..0204e4d 100644 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index df3ef3a..eaaffe6 100644 +index e678153..e7ec855 100644 --- a/bin/tests/system/rndc/tests.sh 
+++ b/bin/tests/system/rndc/tests.sh -@@ -348,15 +348,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) n=$((n+1)) @@ -731,7 +734,7 @@ index df3ef3a..eaaffe6 100644 -done -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) -+if $FEATURETEST --md5 ++if $FEATURETEST --md5; then + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 @@ -748,10 +751,10 @@ index df3ef3a..eaaffe6 100644 n=$((n+1)) echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 3470c4f..cf539cd 100644 +index 76cf970..22637af 100644 --- a/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in -@@ -21,10 +21,7 @@ options { +@@ -23,10 +23,7 @@ options { notify no; }; @@ -763,7 +766,7 @@ index 3470c4f..cf539cd 100644 key "sha1" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -@@ -51,10 +48,7 @@ key "sha512" { +@@ -53,10 +50,7 @@ key "sha512" { algorithm hmac-sha512; }; @@ -775,11 +778,27 @@ index 3470c4f..cf539cd 100644 key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000..0682194 +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,10 @@ ++# Conditionally included when support for MD5 is available ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index 3210f1b..5b5e992 100644 +index 34cc73b..d51ff21 100644 --- a/bin/tests/system/tsig/setup.sh 
+++ b/bin/tests/system/tsig/setup.sh -@@ -14,3 +14,8 @@ +@@ -16,3 +16,8 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf @@ -789,10 +808,10 @@ index 3210f1b..5b5e992 100644 + cat ns1/rndc5.conf.in >> ns1/named.conf +fi diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index a9bf42b..f95ee09 100644 +index 1067227..ee05e83 100644 --- a/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh -@@ -25,20 +25,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f +@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f status=0 @@ -803,6 +822,13 @@ index a9bf42b..f95ee09 100644 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 -fi +- +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (old form)" @@ -812,13 +838,7 @@ index a9bf42b..f95ee09 100644 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi - --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 ++ + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 @@ -831,7 +851,7 @@ index a9bf42b..f95ee09 100644 fi echo_i "fetching using hmac-sha1" -@@ -86,12 +91,17 @@ fi +@@ -88,12 +93,17 @@ fi # Truncated TSIG # # @@ -855,7 +875,7 @@ index a9bf42b..f95ee09 100644 fi echo_i "fetching using hmac-sha1 (trunc)" -@@ -140,12 +150,17 @@ fi +@@ -142,12 +152,17 @@ fi # Check for bad truncation. # # 
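Review bot: The file this hunk adds to the carried patch, `bin/tests/system/tsig/ns1/rndc5.conf.in`, is named like an rndc configuration but holds only the TSIG clauses `key "md5"` (hmac-md5) and `key "md5-trunc"` (hmac-md5-80), which the tsig `setup.sh` hunk appends to the server configuration with `cat ns1/rndc5.conf.in >> ns1/named.conf`. Its header comment `# Conditionally included when support for MD5 is available` names neither the consumer nor the gate; something like `# TSIG test keys; appended to ns1/named.conf by setup.sh only when MD5 is usable` would tell the next person rebasing this patch why the keys were moved out of `named.conf.in`. The guard around the `cat` falls outside the visible lines of the setup.sh hunk, so it is presumably the same `$FEATURETEST --md5` check that `tsig/tests.sh` uses and should be confirmed to match, otherwise the MD5 tests would run against a server that never loaded these keys.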
@@ -880,10 +900,10 @@ index a9bf42b..f95ee09 100644 echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index 3873c7c..b359a5a 100644 +index c2b57dd..cb13aa1 100644 --- a/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in -@@ -10,7 +10,7 @@ +@@ -12,7 +12,7 @@ */ key "update.example." { @@ -893,10 +913,10 @@ index 3873c7c..b359a5a 100644 }; diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index 2011b7f..052170e 100644 +index a6de312..ebcadb1 100644 --- a/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh -@@ -78,7 +78,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi +@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi echo_i "updating zone (signed) ($n)" ret=0 @@ -906,5 +926,5 @@ index 2011b7f..052170e 100644 update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 TXT Foo -- -2.31.1 +2.37.3 diff --git a/bind-9.16-redhat_doc.patch b/bind-9.16-redhat_doc.patch index 28e1280..fe8ed11 100644 --- a/bind-9.16-redhat_doc.patch +++ b/bind-9.16-redhat_doc.patch @@ -1,4 +1,4 @@ -From baec1c0c1822d3ba89cc7e5e530888c865a899f7 Mon Sep 17 00:00:00 2001 +From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001 From: Petr Mensik Date: Wed, 17 Jun 2020 23:17:13 +0200 Subject: [PATCH] Update man named with Red Hat specifics @@ -6,15 +6,15 @@ Subject: [PATCH] Update man named with Red Hat specifics This is almost unmodified text and requires revalidation. Some of those statements are no longer correct. --- - bin/named/named.rst | 40 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 40 insertions(+) + bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) 
diff --git a/bin/named/named.rst b/bin/named/named.rst -index 3fa96e0..4390e73 100644 +index ea440b2..fa51984 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst -@@ -236,6 +236,46 @@ Files - ``/var/run/named/named.pid`` +@@ -212,6 +212,47 @@ Files + |named_pid| The default process-id file. +Notes @@ -56,10 +56,11 @@ index 3fa96e0..4390e73 100644 +these directories, named will work normally and no further operator action is +required. Files in these directories are automatically assigned the '*named_cache_t*' +file context, which SELinux allows named to write. ++ + See Also ~~~~~~~~ -- -2.31.1 +2.34.1 diff --git a/bind-9.18-pkcs11-engine-compat-api.patch b/bind-9.18-pkcs11-engine-compat-api.patch new file mode 100644 index 0000000..32126f4 --- /dev/null +++ b/bind-9.18-pkcs11-engine-compat-api.patch 
@@ -0,0 +1,1554 @@ +From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 8 Sep 2022 17:19:20 +0200 +Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled + +OpenSSL has deprecated many things in version 3.0. If pkcs11 engine +should work then no builder from OpenSSL 3.0 API can be used. + +Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when +OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow +working keys loading from the engine passed on command line. +--- + lib/dns/openssldh_link.c | 136 +++++++++++++++++++----------------- + lib/dns/opensslecdsa_link.c | 119 +++++++++++++++---------------- + lib/dns/opensslrsa_link.c | 118 +++++++++++++++---------------- + 3 files changed, 189 insertions(+), 184 deletions(-) + +diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c +index d5dbc2e889..96c1d523b7 100644 +--- a/lib/dns/openssldh_link.c ++++ b/lib/dns/openssldh_link.c +@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; + static isc_result_t + openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + isc_buffer_t *secret) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dhpub, *dhpriv; + const BIGNUM *pub_key = NULL; + int secret_len = 0; +@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *dhpub, *dhpriv; + size_t secret_len = 0; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + isc_region_t r; + unsigned int len; + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + REQUIRE(pub->keydata.dh != NULL); + REQUIRE(priv->keydata.dh != NULL); + +@@ -119,14 +119,14 @@ 
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + dhpriv = priv->keydata.pkey; + + len = EVP_PKEY_get_size(dhpriv); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_availableregion(secret, &r); + if (r.length < len) { + return (ISC_R_NOSPACE); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH_get0_key(dhpub, &pub_key, NULL); + secret_len = DH_compute_key(r.base, pub_key, dhpriv); + if (secret_len <= 0) { +@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + DST_R_COMPUTESECRETFAILURE)); + } + EVP_PKEY_CTX_free(ctx); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_add(secret, (unsigned int)secret_len); + +@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, + + static bool + openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh1, *dh2; + const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; + const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; +@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; + BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; + BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh1 = key1->keydata.dh; + dh2 = key2->keydata.dh; + +@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + 
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ + + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || + BN_cmp(pub_key1, pub_key2) != 0) +@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p1 != NULL) { + BN_free(p1); + } +@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { + if (priv_key2 != NULL) { + BN_clear_free(priv_key2); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (true); + } + + static bool + openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh1, *dh2; + const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; + #else + EVP_PKEY *pkey1, *pkey2; + BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh1 = key1->keydata.dh; + dh2 = key2->keydata.dh; + +@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ 
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { + return (false); + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p1 != NULL) { + BN_free(p1); + } +@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { + if (g2 != NULL) { + BN_free(g2); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (true); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static int + progress_cb(int p, int n, BN_GENCB *cb) { + union { +@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { + } + return (1); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { +@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + void (*fptr)(int); + } u; + BIGNUM *p = NULL, *g = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = NULL; + BN_GENCB *cb = NULL; + #if !HAVE_BN_GENCB_NEW +@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *param_pkey = NULL; + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh = DH_new(); + if (dh == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); +@@ -386,7 +388,7 @@ 
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + if (param_ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (generator == 0) { + /* +@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + if (p == NULL || g == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (DH_set0_pqg(dh, p, NULL, g) != 1) { + DST_RET(dst__openssl_toresult2( + "DH_set0_pqg", DST_R_OPENSSLFAILURE)); +@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + DST_R_OPENSSLFAILURE)); + } + params = OSSL_PARAM_BLD_to_param(bld); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + } else { + /* +@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + } + + if (generator != 0) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + cb = BN_GENCB_new(); + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + if (cb == NULL) { +@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + DST_R_OPENSSLFAILURE)); + } + params = OSSL_PARAM_BLD_to_param(bld); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (DH_generate_key(dh) == 0) { + DST_RET(dst__openssl_toresult2("DH_generate_key", + DST_R_OPENSSLFAILURE)); +@@ -557,12 +559,12 @@ 
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { + + key->keydata.pkey = pkey; + pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (dh != NULL) { + DH_free(dh); + } +@@ -594,14 +596,14 @@ err: + if (g != NULL) { + BN_free(g); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + + static bool + openssldh_isprivate(const dst_key_t *key) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = key->keydata.dh; + const BIGNUM *priv_key = NULL; + +@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) { + } + + return (ret); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } + + static void + openssldh_destroy(dst_key_t *key) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = key->keydata.dh; + + if (dh == NULL) { +@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) { + + EVP_PKEY_free(pkey); + key->keydata.pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } + + static void +@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) { + + static isc_result_t + openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh; + const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; + #else + EVP_PKEY *pkey; + BIGNUM *pub_key = NULL, *p = 
NULL, *g = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + isc_region_t r; + uint16_t dnslen, plen, glen, publen; + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + REQUIRE(key->keydata.dh != NULL); + + dh = key->keydata.dh; +@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_availableregion(data, &r); + +@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_add(data, dnslen); + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p != NULL) { + BN_free(p); + } +@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + if (pub_key != NULL) { + BN_free(pub_key); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (ISC_R_SUCCESS); + } +@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { + static isc_result_t + openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh; + #else + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + BIGNUM *pub_key = NULL, *p = NULL, 
*g = NULL; + int key_size; + isc_region_t r; +@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + return (ISC_R_SUCCESS); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh = DH_new(); + if (dh == NULL) { + DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); +@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + if (ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + /* + * Read the prime length. 1 & 2 are table entries, > 16 means a +@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + + key_size = BN_num_bits(p); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (DH_set0_pqg(dh, p, NULL, g) != 1) { + DST_RET(dst__openssl_toresult2("DH_set0_pqg", + DST_R_OPENSSLFAILURE)); +@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (r.length < 2) { + DST_RET(DST_R_INVALIDPUBLICKEY); +@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_forward(data, plen + glen + publen + 6); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ + (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) + /* +@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { + + key->keydata.pkey = pkey; + pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 */ + + key->key_size = (unsigned int)key_size; + + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (dh != NULL) { + DH_free(dh); + } +@@ -975,7 +978,7 @@ err: + if (bld != NULL) { + OSSL_PARAM_BLD_free(bld); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (p != NULL) { + BN_free(p); + } +@@ -991,13 +994,13 @@ err: + + static isc_result_t + openssldh_tofile(const dst_key_t *key, const char *directory) { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh; + const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; + #else + EVP_PKEY *pkey; + BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + dst_private_t priv; + unsigned char *bufs[4] = { NULL }; + unsigned short i = 0; +@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + return (DST_R_EXTERNALKEY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (key->keydata.dh == NULL) { + return (DST_R_NULLKEY); + } +@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + priv.elements[i].tag = TAG_DH_PRIME; + priv.elements[i].length = BN_num_bytes(p); +@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const 
char *directory) { + } + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + if (p != NULL) { + BN_free(p); + } +@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { + if (priv_key != NULL) { + BN_clear_free(priv_key); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + return (result); + } +@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + DH *dh = NULL; + #else + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; + int key_size = 0; + isc_mem_t *mctx; +@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DST_RET(DST_R_EXTERNALKEY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + dh = DH_new(); + if (dh == NULL) { + DST_RET(ISC_R_NOMEMORY); +@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + if (ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + for (i = 0; i < priv.nelements; i++) { + BIGNUM *bn; +@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + } + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 + if (DH_set0_key(dh, pub_key, priv_key) != 1) { + DST_RET(dst__openssl_toresult2("DH_set0_key", + DST_R_OPENSSLFAILURE)); +@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + key->keydata.pkey = pkey; + pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->key_size = (unsigned int)key_size; + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (dh != NULL) { + DH_free(dh); + } +@@ -1225,7 +1229,7 @@ err: + if (bld != NULL) { + OSSL_PARAM_BLD_free(bld); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (p != NULL) { + BN_free(p); + } +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 519e88b7e7..04f0d80b5e 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -17,14 +17,14 @@ + + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #include + #include + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 +@@ -57,7 +57,7 @@ + goto err; \ + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + static isc_result_t + raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key, + size_t key_len, EVP_PKEY **pkey) { +@@ -159,7 +159,8 @@ err: + + return (ret); + } +-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ ++ */ + + 
static isc_result_t + opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { +@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + bool ret; + EVP_PKEY *pkey1 = key1->keydata.pkey; + EVP_PKEY *pkey2 = key2->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey1 = NULL; + EC_KEY *eckey2 = NULL; + const BIGNUM *priv1; +@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + #else + BIGNUM *priv1 = NULL; + BIGNUM *priv2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (pkey1 == NULL && pkey2 == NULL) { + return (true); +@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + DST_RET(false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey1 = EVP_PKEY_get1_EC_KEY(pkey1); + eckey2 = EVP_PKEY_get1_EC_KEY(pkey2); + if (eckey1 == NULL && eckey2 == NULL) { +@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + #else + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (priv1 != NULL || priv2 != NULL) { + if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0) +@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + ret = true; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey1 != NULL) { + EC_KEY_free(eckey1); + } +@@ -471,7 +472,7 @@ err: + if (priv2 != NULL) { + BN_clear_free(priv2); + } +-#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + isc_result_t ret; + int status; + EVP_PKEY *pkey = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + #else + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *params_pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + int group_nid; + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || +@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + key->key_size = DNS_KEY_ECDSA384SIZE * 4; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = EC_KEY_new_by_curve_name(group_nid); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name", +@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->keydata.pkey = pkey; + pkey = NULL; +@@ -573,7 +574,7 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +@@ -584,7 +585,7 @@ err: + if (ctx != NULL) { + EVP_PKEY_CTX_free(ctx); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -593,11 +594,11 @@ static bool + opensslecdsa_isprivate(const dst_key_t 
*key) { + bool ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey; + #else + BIGNUM *priv = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); +@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { + return (false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = EVP_PKEY_get1_EC_KEY(pkey); + + ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL); +@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { + if (priv != NULL) { + BN_clear_free(priv); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -640,7 +641,7 @@ static isc_result_t + opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + int len; + unsigned char *cp; +@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + BIGNUM *y = NULL; + size_t keysize = 0; + size_t len = 0; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + isc_region_t r; + unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; + +@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + + pkey = key->keydata.pkey; + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) { + 
DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); +@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + } + + len = keysize; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_availableregion(data, &r); + if (r.length < (unsigned int)len) { + DST_RET(ISC_R_NOSPACE); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + cp = buf; + if (!i2o_ECPublicKey(eckey, &cp)) { + DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); +@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { + BN_bn2bin_fixed(x, &buf[0], keysize / 2); + BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2); + memmove(r.base, buf, len); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_add(data, len); + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +@@ -721,7 +722,7 @@ err: + if (y != NULL) { + BN_clear_free(y); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_result_t ret; + EVP_PKEY *pkey = NULL; + isc_region_t r; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + const unsigned char *cp; + unsigned int len; +@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + int group_nid; + #else + size_t len; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + 
REQUIRE(key->key_alg == DST_ALG_ECDSA256 || + key->key_alg == DST_ALG_ECDSA384); +@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + DST_RET(DST_R_INVALIDPUBLICKEY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (key->key_alg == DST_ALG_ECDSA256) { + group_nid = NID_X9_62_prime256v1; + } else { +@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + if (ret != ISC_R_SUCCESS) { + DST_RET(ret); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + isc_buffer_forward(data, len); + key->keydata.pkey = pkey; +@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + ret = ISC_R_SUCCESS; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + return (ret); + } + +@@ -814,13 +815,13 @@ static isc_result_t + opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + isc_result_t ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + const BIGNUM *privkey = NULL; + #else + int status; + BIGNUM *privkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + dst_private_t priv; + unsigned char *buf = NULL; + unsigned short i; +@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + } + + pkey = key->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + eckey = 
EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY", +@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); + +@@ -888,7 +889,7 @@ err: + if (buf != NULL && privkey != NULL) { + isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (eckey != NULL) { + EC_KEY_free(eckey); + } +@@ -896,12 +897,12 @@ err: + if (privkey != NULL) { + BN_clear_free(privkey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) { + const EC_POINT *pubkey; +@@ -1065,9 +1066,9 @@ err: + + return (ret); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv, + int privkey_index) { +@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) { + } + return (ISC_R_SUCCESS); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + finalize_eckey(dst_key_t *key, +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 
0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey, + #endif + const char *engine, const char *label) { + isc_result_t result = ISC_R_SUCCESS; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EVP_PKEY *pkey = NULL; + + REQUIRE(eckey != NULL); +@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key, + } + + key->keydata.pkey = pkey; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (label != NULL) { + key->label = isc_mem_strdup(key->mctx, label); +@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key, + return (result); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { + int group_nid; +@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { + + return (ISC_R_SUCCESS); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, +@@ -1173,10 +1174,10 @@ static isc_result_t + opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + EC_KEY *eckey = NULL; + EC_KEY *pubeckey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + const char *engine = NULL; + const char *label = NULL; + int i, privkey_index = -1; +@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + goto err; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 + eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + } else { +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + ret = dst__key_to_eckey(key, &eckey); + if (ret != ISC_R_SUCCESS) { + goto err; +@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + priv.elements[privkey_index].data, + priv.elements[privkey_index].length, + &key->keydata.pkey); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (ret != ISC_R_SUCCESS) { + goto err; +@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + finalize_key = true; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (pub != NULL && pub->keydata.pkey != NULL) { + pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey); + } +@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + if (finalize_key) { + ret = finalize_eckey(key, engine, label); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (pubeckey != NULL) { + EC_KEY_free(pubeckey); + } + if (eckey != NULL) { + EC_KEY_free(eckey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (ret != ISC_R_SUCCESS) { + key->keydata.generic = NULL; + } +diff --git a/lib/dns/opensslrsa_link.c 
b/lib/dns/opensslrsa_link.c +index fc905b7d60..867b486a2f 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -18,7 +18,7 @@ + + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 +@@ -26,7 +26,7 @@ + #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ + #include + #include +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 + #include + #endif + #include +@@ -180,12 +180,12 @@ static isc_result_t + opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + dst_key_t *key = dctx->key; + int status = 0; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa; + const BIGNUM *e = NULL; + #else + BIGNUM *e = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; + EVP_PKEY *pkey = key->keydata.pkey; + int bits; +@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + dctx->key->key_alg == DST_ALG_RSASHA256 || + dctx->key->key_alg == DST_ALG_RSASHA512); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + } + bits = BN_num_bits(e); + BN_free(e); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (bits > maxbits && maxbits != 0) { + return (DST_R_VERIFYFAILURE); 
+@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + int status; + EVP_PKEY *pkey1 = key1->keydata.pkey; + EVP_PKEY *pkey2 = key2->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa1 = NULL; + RSA *rsa2 = NULL; + const BIGNUM *d1 = NULL, *d2 = NULL; +@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + BIGNUM *d1 = NULL, *d2 = NULL; + BIGNUM *p1 = NULL, *p2 = NULL; + BIGNUM *q1 = NULL, *q2 = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (pkey1 == NULL && pkey2 == NULL) { + return (true); +@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + DST_RET(false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa1 = EVP_PKEY_get1_RSA(pkey1); + rsa2 = EVP_PKEY_get1_RSA(pkey2); + if (rsa1 == NULL && rsa2 == NULL) { +@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + #else + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (d1 != NULL || d2 != NULL) { + if (d1 == NULL || d2 == NULL) { + DST_RET(false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA_get0_factors(rsa1, &p1, &q1); + RSA_get0_factors(rsa2, &p2, &q2); + #else +@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1); + EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2); + EVP_PKEY_get_bn_param(pkey2, 
OSSL_PKEY_PARAM_RSA_FACTOR2, &q2); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 || + BN_cmp(q1, q2) != 0) { +@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { + ret = true; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa1 != NULL) { + RSA_free(rsa1); + } +@@ -332,12 +332,12 @@ err: + if (q2 != NULL) { + BN_clear_free(q2); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static int + progress_cb(int p, int n, BN_GENCB *cb) { + union { +@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { + } + return (1); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { +@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + void (*fptr)(int); + } u; + BIGNUM *e = BN_new(); +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = RSA_new(); + EVP_PKEY *pkey = EVP_PKEY_new(); + #if !HAVE_BN_GENCB_NEW +@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + #else + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || 
OPENSSL_API_LEVEL < 30000 + if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + if (e == NULL || ctx == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + /* + * Reject incorrect RSA key lengths. +@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + BN_set_bit(e, 32); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->keydata.pkey = pkey; + pkey = NULL; +@@ -486,7 +486,7 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -497,7 +497,7 @@ err: + if (ctx != NULL) { + EVP_PKEY_CTX_free(ctx); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (e != NULL) { + BN_free(e); + } +@@ -508,12 +508,12 @@ static bool + opensslrsa_isprivate(const dst_key_t *key) { + bool ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa; + const BIGNUM *d = NULL; + #else + BIGNUM *d = NULL; +-#endif /* 
OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + REQUIRE(key->key_alg == DST_ALG_RSASHA1 || + key->key_alg == DST_ALG_NSEC3RSASHA1 || +@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) { + return (false); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + INSIST(rsa != NULL); + +@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) { + if (d != NULL) { + BN_clear_free(d); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } +@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { + unsigned int mod_bytes; + isc_result_t ret; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa; + const BIGNUM *e = NULL, *n = NULL; + #else + BIGNUM *e = NULL, *n = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + REQUIRE(key->keydata.pkey != NULL); + + pkey = key->keydata.pkey; + isc_buffer_availableregion(data, &r); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { + if (e == NULL || n == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + mod_bytes = BN_num_bytes(n); + e_bytes = BN_num_bytes(e); +@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t 
*data) { + + ret = ISC_R_SUCCESS; + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -632,7 +632,7 @@ err: + if (n != NULL) { + BN_free(n); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + return (ret); + } + +@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + isc_region_t r; + unsigned int e_bytes; + unsigned int length; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL; + #else + OSSL_PARAM_BLD *bld = NULL; + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + EVP_PKEY *pkey = NULL; + BIGNUM *e = NULL, *n = NULL; + +@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + isc_buffer_forward(data, length); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult2("RSA_new", +@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", + DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + key->keydata.pkey = pkey; + pkey = NULL; +@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + err: + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -771,7 +771,7 @@ err: + if (bld != NULL) { + OSSL_PARAM_BLD_free(bld); + } +-#endif /* OPENSSL_VERSION_NUMBER < 
0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (n != NULL) { + BN_free(n); + } +@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + unsigned char *bufs[8] = { NULL }; + unsigned short i = 0; + EVP_PKEY *pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL; + const BIGNUM *n = NULL, *e = NULL, *d = NULL; + const BIGNUM *p = NULL, *q = NULL; +@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + BIGNUM *n = NULL, *e = NULL, *d = NULL; + BIGNUM *p = NULL, *q = NULL; + BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (key->keydata.pkey == NULL) { + DST_RET(DST_R_NULLKEY); +@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + } + + pkey = key->keydata.pkey; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp); +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (n == NULL || e == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -935,7 +935,7 @@ err: + priv.elements[i].length); + } + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA_free(rsa); + #else + if (n != 
NULL) { +@@ -962,12 +962,12 @@ err: + if (iqmp != NULL) { + BN_clear_free(iqmp); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + return (ret); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + static isc_result_t + rsa_check(RSA *rsa, RSA *pub) { + const BIGNUM *n1 = NULL, *n2 = NULL; +@@ -1079,14 +1079,14 @@ err: + + return (ret); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + static isc_result_t + opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL, *pubrsa = NULL; + const BIGNUM *ex = NULL; + #else +@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + OSSL_PARAM *params = NULL; + EVP_PKEY_CTX *ctx = NULL; + BIGNUM *ex = NULL; +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 + ENGINE *ep = NULL; + #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ +@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DST_RET(ISC_R_SUCCESS); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (pub != NULL && pub->keydata.pkey != NULL) { + pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + for (i = 0; i < priv.nelements; i++) { + switch (priv.elements[i].tag) { +@@ -1249,7 
+1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + } + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(ISC_R_NOMEMORY); +@@ -1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + ISC_R_SUCCESS) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + + if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); +@@ -1375,7 +1375,7 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + RSA_free(rsa); + } +@@ -1419,7 +1419,7 @@ err: + if (iqmp != NULL) { + BN_clear_free(iqmp); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ ++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ + if (ret != ISC_R_SUCCESS) { + key->keydata.generic = NULL; + } +@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) { + int status; + isc_result_t ret = ISC_R_SUCCESS; + size_t len; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + RSA *rsa = NULL; + #else + OSSL_PARAM *params = NULL; +@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) { + DST_RET(ISC_R_NOMEMORY); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult2("RSA_new", +@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) { + err: + BN_free(e); + BN_free(n); +-#if OPENSSL_VERSION_NUMBER < 0x30000000L ++#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + if (rsa != NULL) { + 
RSA_free(rsa);
+ }
+--
+2.37.2
+
diff --git a/bind-9.18-pkcs11-engine-init.patch b/bind-9.18-pkcs11-engine-init.patch
new file mode 100644
index 0000000..5c0c6c4
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-init.patch
@@ -0,0 +1,48 @@
+From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Wed, 7 Sep 2022 13:46:31 +0200
+Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
+
+According to manual page of ENGINE_init, it should be called explicitly
+before any key operations happens. Make it active whole lifetime.
+---
+ lib/dns/openssl_link.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index 333f34cb37..a3f63885fa 100644
+--- a/lib/dns/openssl_link.c
++++ b/lib/dns/openssl_link.c
+@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
+ result = DST_R_NOENGINE;
+ goto cleanup_rm;
+ }
++ if (!ENGINE_init(e)) {
++ result = DST_R_NOENGINE;
++ goto cleanup_rm;
++ }
+ /* This will init the engine. */
+ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ result = DST_R_NOENGINE;
+- goto cleanup_rm;
++ goto cleanup_init;
+ }
+ }
+
+ return (ISC_R_SUCCESS);
++cleanup_init:
++ ENGINE_finish(e);
+ cleanup_rm:
+ if (e != NULL) {
+ ENGINE_free(e);
+@@ -108,6 +114,7 @@ void
+ dst__openssl_destroy(void) {
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ if (e != NULL) {
++ ENGINE_finish(e);
+ ENGINE_free(e);
+ }
+ e = NULL;
+--
+2.37.2
+
diff --git a/bind-9.18-pkcs11-engine-remove-deadcode.patch b/bind-9.18-pkcs11-engine-remove-deadcode.patch
new file mode 100644
index 0000000..7586395
--- /dev/null
+++ b/bind-9.18-pkcs11-engine-remove-deadcode.patch
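Review bot: The context comment `/* This will init the engine. */` above `ENGINE_set_default()` in dst__openssl_init (bind-9.18-pkcs11-engine-init.patch) is no longer accurate, because the added `ENGINE_init(e)` now initialises the engine explicitly a few lines earlier. I would reword it to say what the call does and who owns the reference, e.g. `/* Make the initialised engine the default; the reference taken by ENGINE_init() is dropped by ENGINE_finish() in cleanup_init or dst__openssl_destroy(). */`. Keeping the ENGINE_init/ENGINE_finish pairing written down next to the cleanup labels makes it harder for a later edit to skip or double the ENGINE_finish call on the engine that holds the signing keys. dst__openssl_init starts and ends outside the hunk, so the remaining paths into cleanup_rm are not visible here.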
@@ -0,0 +1,245 @@ +From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 8 Sep 2022 16:33:38 +0200 +Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0 + +OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM +builders. But it can be built in legacy mode, where deprecated but still +working API would be used. + +It can work under OpenSSL 3.0, but only if using legacy code paths +matching OpenSSL 1.1 calls and functions. + +Remove fromlabel processing by OpenSSL 3.0 only functions. They can +return later with a proper provider support for pkcs11. +--- + lib/dns/opensslecdsa_link.c | 55 ------------------------------------- + lib/dns/opensslrsa_link.c | 32 --------------------- + 2 files changed, 87 deletions(-) + +diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c +index 04f0d80b5e..f04f076e42 100644 +--- a/lib/dns/opensslecdsa_link.c ++++ b/lib/dns/opensslecdsa_link.c +@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 + isc_result_t ret = ISC_R_SUCCESS; + ENGINE *e; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + EC_KEY *eckey = NULL; + EC_KEY *pubeckey = NULL; + int group_nid; +-#else +- size_t len; +- const char *curve_name, *nist_curve_name; +- char buf[128]; /* Sufficient for all of the supported curves' names. 
*/ +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + EVP_PKEY *pkey = NULL; + EVP_PKEY *pubpkey = NULL; + +@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + DST_RET(DST_R_NOENGINE); + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (key->key_alg == DST_ALG_ECDSA256) { + group_nid = NID_X9_62_prime256v1; + } else { + group_nid = NID_secp384r1; + } +-#else +- /* Get the expected curve names */ +- if (key->key_alg == DST_ALG_ECDSA256) { +- curve_name = "prime256v1"; +- nist_curve_name = "P-256"; +- } else { +- curve_name = "secp384r1"; +- nist_curve_name = "P-384"; +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + /* Load private key. */ + pkey = ENGINE_load_private_key(e, label, NULL, NULL); +@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { + DST_RET(DST_R_INVALIDPRIVATEKEY); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + eckey = EVP_PKEY_get1_EC_KEY(pkey); + if (eckey == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) { + DST_RET(DST_R_INVALIDPRIVATEKEY); + } +-#else +- len = 0; +- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, +- buf, sizeof buf, &len) != 1 || +- len == 0 || len >= sizeof buf) +- { +- DST_RET(DST_R_INVALIDPRIVATEKEY); +- } +- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && +- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) +- { +- DST_RET(DST_R_INVALIDPRIVATEKEY); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + /* Load public key. 
*/ + pubpkey = ENGINE_load_public_key(e, label, NULL, NULL); +@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) { + DST_RET(DST_R_INVALIDPUBLICKEY); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey); + if (pubeckey == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) { + DST_RET(DST_R_INVALIDPUBLICKEY); + } +-#else +- len = 0; +- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME, +- buf, sizeof buf, &len) != 1 || +- len == 0 || len >= sizeof buf) +- { +- DST_RET(DST_R_INVALIDPUBLICKEY); +- } +- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && +- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) +- { +- DST_RET(DST_R_INVALIDPUBLICKEY); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } +-#else +- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + key->label = isc_mem_strdup(key->mctx, label); + key->engine = isc_mem_strdup(key->mctx, engine); +@@ -1442,14 +1389,12 @@ err: + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (pubeckey != NULL) { + EC_KEY_free(pubeckey); + } + if (eckey != NULL) { + EC_KEY_free(eckey); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + return (ret); + #else +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index 867b486a2f..cf350610ba 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ 
-1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + key->engine = isc_mem_strdup(key->mctx, engine); + key->label = isc_mem_strdup(key->mctx, label); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } + RSA_get0_key(rsa, NULL, &ex, NULL); +-#else +- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) != +- ISC_R_SUCCESS) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != +- 1) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + if (ex == NULL) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + ENGINE *e = NULL; + isc_result_t ret = ISC_R_SUCCESS; + EVP_PKEY *pkey = NULL, *pubpkey = NULL; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA *rsa = NULL, *pubrsa = NULL; + const BIGNUM *ex = NULL; +-#else +- BIGNUM *ex = NULL; +-#endif + + UNUSED(pin); + +@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", + DST_R_OPENSSLFAILURE)); + } +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + pubrsa = EVP_PKEY_get1_RSA(pubpkey); + if (pubrsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + pkey = ENGINE_load_private_key(e, label, NULL, NULL); + if (pkey == NULL) { +@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + key->engine = isc_mem_strdup(key->mctx, engine); + key->label = 
isc_mem_strdup(key->mctx, label); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + rsa = EVP_PKEY_get1_RSA(pkey); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); +@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); + } + RSA_get0_key(rsa, NULL, &ex, NULL); +-#else +- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) { +- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + + if (ex == NULL) { + DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); +@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + pkey = NULL; + + err: +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (rsa != NULL) { + RSA_free(rsa); + } + if (pubrsa != NULL) { + RSA_free(pubrsa); + } +-#else +- if (ex != NULL) { +- BN_free(ex); +- } +-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } +-- +2.37.2 + diff --git a/bind-9.18-unittest-netmgr-unstable.patch b/bind-9.18-unittest-netmgr-unstable.patch new file mode 100644 index 0000000..992758d --- /dev/null +++ b/bind-9.18-unittest-netmgr-unstable.patch 
@@ -0,0 +1,75 @@ +From 0f3a398fe813189c5dd56b0367a72c7b3f19504b Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Wed, 14 Sep 2022 13:06:24 +0200 +Subject: [PATCH] Disable some often failing tests + +Make those tests skipped in default build, when CI=true environment is +set. It is not clear why they fail mostly on COPR, but they do fail +often. +--- + tests/isc/netmgr_test.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c +index 94e4bf7..7f9629c 100644 +--- a/tests/isc/netmgr_test.c ++++ b/tests/isc/netmgr_test.c +@@ -1567,13 +1567,13 @@ stream_half_recv_half_send(void **state __attribute__((unused))) { + /* TCP */ + ISC_RUN_TEST_IMPL(tcp_noop) { stream_noop(state); } + +-ISC_RUN_TEST_IMPL(tcp_noresponse) { stream_noresponse(state); } ++ISC_RUN_TEST_IMPL(tcp_noresponse) { SKIP_IN_CI; stream_noresponse(state); } + + ISC_RUN_TEST_IMPL(tcp_timeout_recovery) { stream_timeout_recovery(state); } + + ISC_RUN_TEST_IMPL(tcp_recv_one) { stream_recv_one(state); } + +-ISC_RUN_TEST_IMPL(tcp_recv_two) { stream_recv_two(state); } ++ISC_RUN_TEST_IMPL(tcp_recv_two) { SKIP_IN_CI; stream_recv_two(state); } + + ISC_RUN_TEST_IMPL(tcp_recv_send) { + SKIP_IN_CI; +@@ -1623,6 +1623,7 @@ ISC_RUN_TEST_IMPL(tcp_recv_one_quota) { + } + + ISC_RUN_TEST_IMPL(tcp_recv_two_quota) { ++ SKIP_IN_CI; + atomic_store(&check_listener_quota, true); + stream_recv_two(state); + } +@@ -1836,6 +1837,7 @@ ISC_RUN_TEST_IMPL(tcpdns_recv_two) { + isc_result_t result = ISC_R_SUCCESS; + isc_nmsocket_t *listen_sock = NULL; + ++ SKIP_IN_CI; + atomic_store(&nsends, 2); + + result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr, +@@ -2095,6 +2097,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one) { + } + + ISC_RUN_TEST_IMPL(tls_recv_two) { ++ SKIP_IN_CI; + stream_use_TLS = true; + stream_recv_two(state); + } +@@ -2160,6 +2163,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one_quota) { + } + + ISC_RUN_TEST_IMPL(tls_recv_two_quota) { ++ SKIP_IN_CI; + stream_use_TLS 
= true; + atomic_store(&check_listener_quota, true); + stream_recv_two(state); +@@ -2395,6 +2399,7 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_two) { + isc_result_t result = ISC_R_SUCCESS; + isc_nmsocket_t *listen_sock = NULL; + ++ SKIP_IN_CI; + atomic_store(&nsends, 2); + + result = isc_nm_listentlsdns(listen_nm, &tcp_listen_addr, +-- +2.37.2 + diff --git a/bind-9.5-PIE.patch b/bind-9.5-PIE.patch index 3f47a0a..1420cf3 100644 --- a/bind-9.5-PIE.patch +++ b/bind-9.5-PIE.patch @@ -1,8 +1,8 @@ diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am -index 7065a90..e2e485b 100644 +index 57a023b..085f2f7 100644 --- a/bin/named/Makefile.am +++ b/bin/named/Makefile.am -@@ -32,6 +32,7 @@ AM_CPPFLAGS += \ +@@ -32,9 +32,12 @@ AM_CPPFLAGS += \ endif HAVE_LIBXML2 AM_CPPFLAGS += \ @@ -10,11 +10,8 @@ index 7065a90..e2e485b 100644 -DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \ -DNAMED_SYSCONFDIR=\"${sysconfdir}\" -@@ -122,5 +123,7 @@ named_LDADD += \ - $(LIBNGHTTP2_LIBS) - endif HAVE_LIBNGHTTP2 - +AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack + - MAINTAINERCLEANFILES = \ - named.conf.rst + sbin_PROGRAMS = named + + nodist_named_SOURCES = xsl.c diff --git a/bind9-next.spec b/bind9-next.spec index d4a12df..cc93e82 100644 --- a/bind9-next.spec +++ b/bind9-next.spec @@ -1,5 +1,5 @@ # -# Red Hat BIND package .spec file +# Red Hat BIND9 package .spec file # # vim:expandtab ts=2: 
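Review bot: None of the added `SKIP_IN_CI;` lines carries a comment, so the test file itself does not say why `tcp_noresponse` and the six `recv_two` tests (`tcp_recv_two`, `tcp_recv_two_quota`, `tcpdns_recv_two`, `tls_recv_two`, `tls_recv_two_quota`, `tlsdns_recv_two`) are skipped or when they can come back. A one-line comment at the first of them, for example `/* unstable on build hosts, see rhbz#2122010; unset CI to run */`, would tie the skips to the bug the spec already cites for Patch26. The two one-line bodies, `{ SKIP_IN_CI; stream_noresponse(state); }` and `{ SKIP_IN_CI; stream_recv_two(state); }`, would read better in the multi-line form that `tcp_recv_send` uses. Because the spec exports `CI=true` unless built `--with UNITTEST_ALL`, default package builds no longer run `tls_recv_two` or `tlsdns_recv_two`, so a periodic build with that switch is worth having.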
@@ -7,16 +7,15 @@ # bcond_with is built only when --with X is passed to build %bcond_with SYSTEMTEST %bcond_without GSSTSIG -# it is not possible to build the package without PKCS11 sub-package -# due to extensive changes to Makefiles -%bcond_with PKCS11 # TODO: Remove %bcond_without JSON # FIXME: Not ready. Should it be worked on? -%bcond_with DLZ +%bcond_without DLZ # New MaxMind GeoLite support %bcond_without GEOIP2 # Disabled temporarily until kyua is fixed on rawhide, bug #1926779 %bcond_without UNITTEST +# Do not set CI environment, include more unit tests, even less stable +%bcond_with UNITTEST_ALL %bcond_without DNSTAP %bcond_without LMDB %bcond_without DOC @@ -55,16 +54,17 @@ %global upname bind %define upname_compat() \ %if "%{name}" != "%{upname}" \ -Provides: %1 = %{version}-%{release} \ +Provides: %1 = %{epoch}:%{version}-%{release} \ Obsoletes: %1 < 32:9.17.0 \ Conflicts: %1 \ %endif Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server -Name: bind9-next +Name: bind License: MPLv2.0 -Version: 9.17.22 -Release: 2%{?dist} +Version: 9.18.6 +Release: 4%{?dist} +Epoch: 32 Url: https://www.isc.org/downloads/bind/ # Source0: https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz 
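Review bot: The comment `# FIXME: Not ready. Should it be worked on?` stays directly above the switch that this hunk flips to `%bcond_without DLZ`, so the spec now describes the DLZ modules as not ready while building them by default. Either remove the comment or replace it with what is actually true, for example `# DLZ modules (filesystem, ldap, mysql, sqlite3) are built by default`. The unchanged `# Disabled temporarily until kyua is fixed on rawhide, bug #1926779` above `%bcond_without UNITTEST` reads as stale in the same way, now that `UNITTEST_ALL` is added as a further switch on top of it.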
@@ -91,16 +91,21 @@ Source42: generate-rndc-key.sh Source43: named.rwtab Source44: named-chroot-setup.service Source46: named-setup-rndc.service -Source47: named-pkcs11.service Source48: setup-named-softhsm.sh Source49: named-chroot.files -# https://gitlab.isc.org/isc-projects/bind9/-/issues/3032 -Source50: https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/isc-logo.pdf # Common patches -Patch18: bind-9.5-PIE.patch -Patch19: bind-9.16-redhat_doc.patch +# FIXME: Is this still required? +Patch10: bind-9.5-PIE.patch +Patch16: bind-9.16-redhat_doc.patch Patch22: bind-9.11-fips-tests.patch +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385 +# https://bugzilla.redhat.com/show_bug.cgi?id=2122841 +Patch23: bind-9.18-pkcs11-engine-init.patch +Patch24: bind-9.18-pkcs11-engine-compat-api.patch +Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2122010 +Patch26: bind-9.18-unittest-netmgr-unstable.patch %{?systemd_ordering} Requires: coreutils @@ -108,13 +113,10 @@ Requires(pre): shadow-utils Requires(post): shadow-utils Requires(post): glibc-common Requires(post): grep -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -# This wild require should satisfy %%selinux_set_boolean macro only -# in case it needs to be used -Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls)) -Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls)) +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: %{name}-utils %{name}-dnssec-utils %upname_compat %{upname} +Obsoletes: %{name}-pkcs11 < 32:9.18.4-2 BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel 
@@ -123,8 +125,8 @@ BuildRequires: systemd-rpm-macros BuildRequires: selinux-policy BuildRequires: findutils sed BuildRequires: libnghttp2-devel -BuildRequires: jemalloc-devel %if 0%{?fedora} +BuildRequires: jemalloc-devel BuildRequires: gnupg2 %endif BuildRequires: libuv-devel @@ -135,7 +137,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d # make unit dependencies BuildRequires: libcmocka-devel %endif -%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) +%if %{with UNITTEST} || %{with SYSTEMTEST} BuildRequires: softhsm %endif %if %{with SYSTEMTEST} 
@@ -179,60 +181,12 @@ which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. -%if %{with PKCS11} -%package pkcs11 -Summary: Bind with native PKCS#11 functionality for crypto -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-pkcs11-libs%{?_isa} = %{version}-%{release} -Recommends: softhsm - -%description pkcs11 -This is a version of BIND server built with native PKCS#11 functionality. -It is important to have SoftHSM v2+ installed and some token initialized. -For other supported HSM modules please check the BIND documentation. - -# TODO: Those utils can be used also without pkcs11 variant, but are not? -%package pkcs11-utils -Summary: Bind tools with native PKCS#11 for using DNSSEC -Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2 -Requires: %{name}-dnssec-doc = %{version}-%{release} -%if %{with PKCS11} -Requires: %{name}-pkcs11-libs%{?_isa} = %{version}-%{release} -%endif - -%description pkcs11-utils -This is a set of PKCS#11 utilities that when used together create rsa -keys in a PKCS11 keystore. -%if %{with PKCS11} -Also utilities for working with DNSSEC -compiled with native PKCS#11 functionality are included. -%endif - -%package pkcs11-libs -Summary: Bind libraries compiled with native PKCS#11 -Requires: %{name}-license = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} - -%description pkcs11-libs -This is a set of BIND libraries (dns, isc) compiled with native PKCS#11 -functionality. 
- -%package pkcs11-devel -Summary: Development files for Bind libraries compiled with native PKCS#11 -Requires: %{name}-pkcs11-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-devel%{?_isa} = %{version}-%{release} - -%description pkcs11-devel -This a set of development files for BIND libraries (dns, isc) compiled -with native PKCS#11 functionality. -%endif - %package libs Summary: Libraries used by the BIND DNS packages -Requires: %{name}-license = %{version}-%{release} -Provides: %{name}-libs-lite = %{version}-%{release} +Requires: %{name}-license = %{epoch}:%{version}-%{release} +Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release} Obsoletes: %{name}-libs-lite < 32:9.16.13 +Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2 %description libs Contains heavyweight version of BIND suite libraries used by both named DNS @@ -247,9 +201,10 @@ Contains license of the BIND DNS suite. %package utils Summary: Utilities for querying DNS name servers -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} # For compatibility with Debian package -Provides: dnsutils = %{version}-%{release} +Provides: dnsutils = %{epoch}:%{version}-%{release} +Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2 %upname_compat %{upname}-utils %description utils @@ -264,9 +219,10 @@ servers. %package dnssec-utils Summary: DNSSEC keys and zones management utilities -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: %{name}-utils -Requires: %{name}-dnssec-doc = %{version}-%{release} +Obsoletes: python3-%{name} < 32:9.18.0 +Obsoletes: %{name}-dnssec-doc < 32:9.18.4-2 %upname_compat %{upname}-dnssec-utils %description dnssec-utils 
@@ -277,19 +233,11 @@ revocation and verification of keys and DNSSEC signatures in zone files. You should install %{name}-dnssec-utils if you need to sign a DNS zone or maintain keys for it. -%package dnssec-doc -Summary: Manual pages of DNSSEC utilities -Requires: %{name}-license = %{version}-%{release} -BuildArch:noarch - -%description dnssec-doc -%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils. - %package devel Summary: Header files and libraries needed for bind-dyndb-ldap -Provides: %{name}-lite-devel = %{version}-%{release} +Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release} Obsoletes: %{name}-lite-devel < 32:9.16.6-3 -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa} Requires: libcap-devel%{?_isa} %if %{with GSSTSIG} @@ -318,7 +266,7 @@ Summary: A chroot runtime environment for the ISC BIND DNS server, named( Prefix: %{chroot_prefix} # grep is required due to setup-named-chroot.sh script Requires: grep -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description chroot This package contains a tree of files which can be used as a 
@@ -329,22 +277,22 @@ Based on the code from Jan "Yenya" Kasprzak %if %{with DLZ} %package dlz-filesystem Summary: BIND server filesystem DLZ module -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description dlz-filesystem Dynamic Loadable Zones filesystem module for BIND server. %package dlz-ldap Summary: BIND server ldap DLZ module -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description dlz-ldap Dynamic Loadable Zones LDAP module for BIND server. %package dlz-mysql Summary: BIND server mysql and mysqldyn DLZ modules -Requires: %{name}%{?_isa} = %{version}-%{release} -Provides: %{name}-dlz-mysqldyn = %{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} +Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release} Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3 %description dlz-mysql @@ -353,7 +301,7 @@ Contains also mysqldyn module with dynamic DNS updates (DDNS) support. %package dlz-sqlite3 Summary: BIND server sqlite3 DLZ module -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} %description dlz-sqlite3 Dynamic Loadable Zones sqlite3 module for BIND server. @@ -362,7 +310,7 @@ Dynamic Loadable Zones sqlite3 module for BIND server. %if %{with DOC} %package doc Summary: BIND 9 Administrator Reference Manual -Requires: %{name}-license = %{version}-%{release} +Requires: %{name}-license = %{epoch}:%{version}-%{release} Requires: python3-sphinx_rtd_theme BuildArch: noarch @@ -384,8 +332,7 @@ in HTML and PDF format. # RHEL does not yet support this verification %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}' %endif -%autosetup -n %{upname}-%{version} -p1 -N -%autopatch -p1 -m 18 +%autosetup -n %{upname}-%{version} -p1 # Sparc and s390 arches need to use -fPIE %ifarch sparcv9 sparc64 s390 s390x 
@@ -394,9 +341,6 @@ for i in bin/named/Makefile.am; do done %endif -%if %{with DOCPDF} -install -pD %{SOURCE50} doc/arm/isc-logo.pdf -%endif :; @@ -414,10 +358,11 @@ install -pD %{SOURCE50} doc/arm/isc-logo.pdf cp -Tuav bin/tests "%{1}/bin/tests/" \ CFLAGS="$CFLAGS $RPM_OPT_FLAGS" +CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100" %if %{with TSAN} CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie" %endif -export CFLAGS +export CFLAGS CPPFLAGS export STD_CDEFINES="$CPPFLAGS" @@ -448,10 +393,6 @@ export LIBDIR_SUFFIX %if %{with GEOIP2} --with-maxminddb \ %endif -%if %{with PKCS11} - --enable-native-pkcs11 \ - --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ -%endif %if %{with GSSTSIG} --with-gssapi=yes \ %endif @@ -471,6 +412,7 @@ export LIBDIR_SUFFIX %endif --enable-fixed-rrset \ --enable-full-report \ + CPPFLAGS="$CPPFLAGS" \ ; %if %{with DNSTAP} pushd lib @@ -495,13 +437,8 @@ fmtutil-user --missing || : %if %{with DLZ} pushd contrib/dlz/modules - for DIR in mysql mysqldyn; do - sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \ - -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \ - $DIR/Makefile.in > $DIR/Makefile - done for DIR in filesystem ldap mysql mysqldyn sqlite3; do - make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS" + make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS -DPTHREADS=1" LDFLAGS="$LDFLAGS" done popd %endif @@ -511,7 +448,7 @@ popd # build %systemtest_prepare_build build %check -%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) +%if %{with UNITTEST} || %{with SYSTEMTEST} # Tests require initialization of pkcs11 token eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")" %endif 
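Review bot: The added `CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"` in the `@@ -414,10 +358,11 @@` hunk has no comment saying why the whole build is pinned to the OpenSSL 1.1.0 API level. It presumably belongs to the ENGINE-based PKCS#11 patches (Patch23 to Patch25), one of which makes the `EVP_PKEY_get1_RSA`/`RSA_get0_key` path unconditional. A line such as `# Needed by the pkcs11 ENGINE patches (rhbz#2122841); remove together with them` would let the next maintainer drop both at once. As far as I can tell the define applies to every compilation unit, so it may also mask deprecation warnings for unrelated uses of old OpenSSL calls; worth confirming and noting next to it.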
@@ -523,12 +460,19 @@ export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0" %if %{with UNITTEST} pushd build CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l) + THREADS="$CPUS" +%if %{without UNITTEST_ALL} + export CI=true +%endif if [ "$CPUS" -gt 16 ]; then ORIGFILES=$(ulimit -n) - ulimit -n 4096 || : # Requires on some machines with many cores + THREADS=16 + ulimit -n 8092 || : # Requires on some machines with many cores fi - make unit - e=$? + e=0 + make unit -j${THREADS} || e=$? + # Display details of failure + cat tests/*/test-suite.log if [ "$e" -ne 0 ]; then echo "ERROR: this build of BIND failed 'make unit'. Aborting." exit $e; @@ -606,17 +550,11 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} -%if %{with PKCS11} -install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir} -%endif - mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh -%if %{with PKCS11} install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh -%endif install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig 
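Review bot: `cat tests/*/test-suite.log` runs unguarded before the status check, so if `make unit` stops before any log is written the glob matches nothing and the scriptlet ends on the error from `cat` instead of the `ERROR: this build of BIND failed 'make unit'` message (assuming the usual `-e` shell for `%check`). Guard it the way the `ulimit` line is guarded: `cat tests/*/test-suite.log || :`. The comment `# Display details of failure` also does not match the code, which prints the logs after a successful run too. `ulimit -n 8092` looks as if `8192` may have been intended; worth confirming.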
@@ -651,22 +589,6 @@ popd # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; -# PKCS11 versions manpages -%if %{with PKCS11} -pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 -ln -s named.8.gz named-pkcs11.8.gz -ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz -ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz -ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz -ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz -ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz -ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz -ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz -ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz -ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz -popd -%endif - # 9.16.4 installs even manual pages for tools not generated %if %{without DNSTAP} rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true @@ -686,6 +608,8 @@ popd mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir} cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir} rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees} +# Backward compatible link to 9.11 documentation +(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html) # Share static data from original sphinx package for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/* do @@ -748,10 +672,6 @@ fi; %post %?ldconfig -if [ -e "%{_sysconfdir}/selinux/config" ]; then - %selinux_set_booleans -s targeted %{selinuxbooleans} - %selinux_set_booleans -s mls %{selinuxbooleans} -fi if [ "$1" -eq 1 ]; then # Initial installation [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; 
@@ -785,24 +705,6 @@ fi %?ldconfig # Package upgrade, not uninstall %systemd_postun_with_restart named.service -if [ -e "%{_sysconfdir}/selinux/config" ]; then - %selinux_unset_booleans -s targeted %{selinuxbooleans} - %selinux_unset_booleans -s mls %{selinuxbooleans} -fi - -%if %{with PKCS11} -%post pkcs11 -# Initial installation -%systemd_post named-pkcs11.service - -%preun pkcs11 -# Package removal, not upgrade -%systemd_preun named-pkcs11.service - -%postun pkcs11 -# Package upgrade, not uninstall -%systemd_postun_with_restart named-pkcs11.service -%endif # Fix permissions on existing device files on upgrade %define chroot_fix_devices() \ @@ -820,11 +722,18 @@ fi /sbin/chkconfig --del named >/dev/null 2>&1 || : /bin/systemctl try-restart named.service >/dev/null 2>&1 || : -%ldconfig_scriptlets libs +%triggerpostun -- bind < 32:9.18.4-2, selinux-policy, policycoreutils +if [ -x %{_sbindir}/selinuxenabled ] && [ -x %{_sbindir}/getsebool ] && [ -x %{_sbindir}/setsebool ] \ + && %{_sbindir}/selinuxenabled && [ -x %{_sbindir}/named ]; then + # Return master zones after upgrade from selinux_booleans version + WRITEBOOL="$(LC_ALL=C %{_sbindir}/getsebool named_write_master_zones)" + if [ "echo ${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then + echo "Restoring new sebool default of named_write_master_zones..." + %{_sbindir}/setsebool -P named_write_master_zones=1 || : + fi +fi -%if %{with PKCS11} -%ldconfig_scriptlets pkcs11-libs -%endif +%ldconfig_scriptlets libs %post chroot %systemd_post named-chroot.service @@ -868,6 +777,7 @@ fi; %{_sbindir}/rndc* %{_sbindir}/named-checkconf %{_libexecdir}/generate-rndc-key.sh +%{_libexecdir}/setup-named-softhsm.sh %{_mandir}/man1/mdig.1* %{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* 
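Review bot: The test in the new `%triggerpostun` can never succeed, because its left operand `"echo ${WRITEBOOL#named_write_master_zones --> }"` is a quoted string that begins with the literal word `echo`, so it expands to `echo off` and is compared with `off`. The `setsebool -P named_write_master_zones=1` branch is therefore dead code, and an upgrade from a package whose `%postun` ran `%selinux_unset_booleans` presumably leaves the boolean off. Drop the stray word: `if [ "${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then`. The comment above it could also say that the trigger undoes the older package's `%postun`, if that is the intent.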
@@ -956,15 +866,7 @@ fi; %files dnssec-utils %{_bindir}/dnssec* -%if %{with PKCS11} -%exclude %{_sbindir}/dnssec*pkcs11 -%endif - -%files dnssec-doc %{_mandir}/man1/dnssec*.1* -%if %{with PKCS11} -%exclude %{_mandir}/man1/dnssec*-pkcs11.1* -%endif %files devel %{_libdir}/libbind9.so @@ -1021,33 +923,6 @@ fi; %dir %{chroot_prefix}/run/named %{chroot_prefix}%{_localstatedir}/run -%if %{with PKCS11} -%files pkcs11 -%{_sbindir}/named-pkcs11 -%{_unitdir}/named-pkcs11.service -%{_mandir}/man8/named-pkcs11.8* -%{_libexecdir}/setup-named-softhsm.sh - -%files pkcs11-utils -%{_bindir}/pkcs11-destroy -%{_bindir}/pkcs11-keygen -%{_bindir}/pkcs11-list -%{_bindir}/pkcs11-tokens -%{_mandir}/man1/pkcs11-*.1* -%if %{with PKCS11} -%{_bindir}/dnssec*pkcs11 -%{_mandir}/man1/dnssec*-pkcs11.1* -%endif - -%files pkcs11-libs -%{_libdir}/libdns-pkcs11-%{version}*.so -%{_libdir}/libns-pkcs11-%{version}*.so - -%files pkcs11-devel -%{_libdir}/libdns-pkcs11.so -%{_libdir}/libns-pkcs11.so -%endif - %if %{with DLZ} %files dlz-filesystem %{_libdir}/{named,bind}/dlz_filesystem_dynamic.so 
@@ -1072,32 +947,146 @@ fi; %files doc %dir %{_pkgdocdir} %doc %{_pkgdocdir}/html +%doc %{_pkgdocdir}/Bv9ARM.html %endif %if %{with DOCPDF} %doc %{_pkgdocdir}/Bv9ARM.pdf %endif %changelog -* Tue Jan 25 2022 Petr Menšík - 9.17.22-2 +* Wed Sep 14 2022 Petr Menšík - 32:9.18.6-4 +- Disable yet another test (##2122010) + +* Tue Sep 06 2022 Petr Menšík - 32:9.18.6-3 +- Return OpenSSL engine implementation for pkcs11 interface (#2122841) +- Skip problematic netmgr unit tests (#2122010) +- Properly obsolete bind-dnssec-doc + +* Thu Sep 01 2022 Petr Menšík - 32:9.18.6-2 +- Always show error details for failed unittests (#2122010) + +* Tue Aug 30 2022 Petr Menšík - 32:9.18.6-1 +- Update to 9.18.6 (#2119132) +- Report unit tests detailed results + +* Thu Aug 04 2022 Petr Menšík - 32:9.18.5-2 +- Use multiple threads on unit tests, but 16 at most + +* Wed Aug 03 2022 Petr Menšík - 32:9.18.5-1 +- Update to 9.18.5 (#2109170) +- Return doc symlink to main page + +* Wed Jul 20 2022 Petr Menšík - 32:9.18.4-2 +- Stop enabling selinux booleans on every upgrade +- Deprecate python3-bind for smooth upgrade +- Remove PKCS1111 native utilities, libs and daemon + +* Wed Jul 20 2022 Petr Menšík - 32:9.18.4-1 +- Update to 9.18.4 (#2057493) + +* Wed Jul 20 2022 Fedora Release Engineering - 32:9.16.30-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 20 2022 Petr Menšík - 32:9.16.30-1 +- Update to 9.16.30 (#2097312) + +* Mon Jun 13 2022 Python Maint - 32:9.16.29-2 +- Rebuilt for Python 3.11 + +* Thu May 26 2022 Petr Menšík - 32:9.16.29-1 +- Update to 9.16.29 (#2087920) +- Fix netmgr_test fails on s390x (#2088125) + +* Tue May 17 2022 Petr Menšík - 32:9.16.28-2 +- Parse again timeout and attempts from resolv.conf (#2087156) +- Reenable unit tests during build + +* Wed Apr 20 2022 Petr Menšík - 32:9.16.28-1 +- Update to 9.16.28 (#2076941) + +* Thu Mar 17 2022 Petr Menšík - 32:9.16.27-1 +- Upgrade to 9.16.27 (#2055120) + +* Tue Mar 01 2022 Petr Menšík - 
32:9.16.26-2 +- Switch to locked queue (#2048235) + +* Thu Feb 17 2022 Petr Menšík - 32:9.16.26-1 +- Update to 9.16.26 (#2055120) + +* Fri Feb 11 2022 Petr Menšík - 32:9.16.25-3 +- Allow reservation of extra hp threads (#2048235) + +* Tue Jan 25 2022 Petr Menšík - 32:9.16.25-2 - Replace master with primary in configuration -* Fri Jan 21 2022 Petr Menšík - 9.17.22-1 -- Update to 9.17.22 +* Fri Jan 21 2022 Petr Menšík - 32:9.16.25-1 +- Update to 9.16.25 (#2042504) -* Mon Dec 20 2021 Petr Menšík - 9.17.21-1 -- Update to 9.17.21, enable jemalloc support +* Wed Jan 19 2022 Fedora Release Engineering - 32:9.16.24-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Mon Nov 29 2021 Petr Menšík - 32:9.17.20-1 -- Update to 9.17.20 -- Propagate ephemeral port ranges to chroot (#2013597) +* Wed Dec 22 2021 Petr Menšík - 32:9.16.24-2 +- Build with OpenLDAP 2.6 (#2032704) + +* Wed Dec 15 2021 Petr Menšík - 32:9.16.24-1 +- Update to 9.16.24 (#2032934) + +* Fri Nov 26 2021 Petr Menšík - 32:9.16.23-2 - Correct with GEOIP2 condition (#2026823) -- Import changes for simple rename (#1873486) -- Do not depend on systemd package -- Move backward compatibility to shared define -* Fri Jun 25 2021 Petr Menšík - 32:9.17.15-1 -- Update to 9.17.15 -- Moved some utilities from /usr/sbin to /usr/bin +* Fri Nov 19 2021 Petr Menšík - 32:9.16.23-1 +- Update to 9.16.23 (#2024210) + +* Sat Nov 06 2021 Adrian Reber - 32:9.16.22-2 +- Rebuilt for protobuf 3.19.0 + +* Wed Oct 27 2021 Petr Menšík - 32:9.16.22-1 +- Update to 9.16.22 + +* Sun Oct 24 2021 Adrian Reber - 32:9.16.21-3 +- Rebuilt for protobuf 3.18.1 + +* Wed Oct 13 2021 Petr Menšík - 32:9.16.21-2 +- Propagate ephemeral port ranges to chroot (#2013597) + +* Wed Sep 15 2021 Petr Menšík - 32:9.16.21-1 +- Update to 9.16.21 + +* Tue Sep 14 2021 Sahana Prasad - 32:9.16.20-4 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Aug 25 2021 Petr Menšík - 32:9.16.20-3 +- Increase map format version, lower memory consuption a bit (#1997504) +- 
Remove unneeded test variants changes +- Include documentation of dig return codes + +* Thu Aug 19 2021 Petr Menšík - 32:9.16.20-2 +- Fix map file format regression + +* Tue Aug 17 2021 Petr Menšík - 32:9.16.20-1 +- Update to 9.16.20 + +* Thu Aug 05 2021 Petr Menšík - 32:9.16.19-4 +- Do not depend on systemd package + +* Tue Aug 03 2021 Petr Menšík - 32:9.16.19-3 +- Reenable PDF building again (#1984687) + +* Fri Jul 23 2021 Petr Menšík - 32:9.16.19-2 +- Include backward compatible html symlink in doc subpackage + +* Wed Jul 21 2021 Petr Menšík - 32:9.16.19-1 +- Update to 9.16.19 (#1984627) +- Disable PDF rebuild on Rawhide (#1984687) + +* Wed Jul 21 2021 Fedora Release Engineering - 32:9.16.18-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Sat Jul 10 2021 Petr Menšík - 32:9.16.18-4 +- Disable PDF building on ELN + +* Sat Jul 10 2021 Björn Esser - 32:9.16.18-3 +- Rebuild for versioned symbols in json-c * Tue Jun 22 2021 Petr Menšík - 32:9.16.18-2 - Re-enable building of PDF ARM documentation diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..c5aa0e0 --- /dev/null +++ b/ci.fmf @@ -0,0 +1 @@ +resultsdb-testcase: separate diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..e4c04e7 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,16 @@ +--- !Policy +product_versions: + - fedora-* +decision_contexts: [bodhi_update_push_testing] +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} + +#gating rawhide +--- !Policy +product_versions: + - fedora-* +decision_contexts: [bodhi_update_push_stable] +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} diff --git a/generate-rndc-key.sh b/generate-rndc-key.sh index 1ba0004..df0604a 100755 --- a/generate-rndc-key.sh +++ b/generate-rndc-key.sh 
@@ -1,10 +1,21 @@ #!/bin/bash -. /etc/rc.d/init.d/functions +if [ -r /etc/rc.d/init.d/functions ]; then + . /etc/rc.d/init.d/functions +else +success() { + echo $" OK " +} + +failure() { + echo -n " " + echo $"FAILED" +} +fi # This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf -if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then +if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then echo -n $"Generating /etc/rndc.key:" if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1 then @@ -14,8 +25,9 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then success $"/etc/rndc.key generation" echo else + rc=$? failure $"/etc/rndc.key generation" echo - exit 1 + exit $rc fi fi diff --git a/plans/all.fmf b/plans/all.fmf new file mode 100644 index 0000000..1afeb5d --- /dev/null +++ b/plans/all.fmf @@ -0,0 +1,6 @@ +summary: Test plan with all beakerlib tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/bind.git +execute: + how: tmt diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf new file mode 100644 index 0000000..35808fd --- /dev/null +++ b/plans/tier1-public.fmf @@ -0,0 +1,7 @@ +summary: Public (Fedora) Tier1 beakerlib tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/bind.git + filter: 'tier: 1' +execute: + how: tmt diff --git a/sources b/sources index f4aaa01..9d5923f 100644 --- a/sources +++ b/sources 
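Review bot: The fallback `success()` and `failure()` definitions in the new `else` branch have no comment explaining why they exist or how they differ from the versions in `/etc/rc.d/init.d/functions`. Something like `# initscripts may be absent; minimal stand-ins that ignore their argument` above them would cover it. They are also written at column 0 inside the `if`, unlike the indented `. /etc/rc.d/init.d/functions` line; indenting them to the branch level would make the structure easier to read.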
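Review bot: The failure branch now exits with the status of `rndc-confgen`, but the reason for the failure is still discarded by `> /dev/null 2>&1` on the command itself, so the caller sees only a number. Keeping stderr, `if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null`, would let the calling service's log show why the key could not be written, unless the tool's normal stderr output is unwanted there. `exit $rc` is better written as `exit "$rc"`. The lines between `then` and `success` are outside the hunk, so how the mode and owner of `/etc/rndc.key` are set cannot be judged from here.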
@@ -1,2 +1,2 @@
-SHA512 (bind-9.17.22.tar.xz) = 61dafd317cf10a73961c885b6d0bf75dc0c06df6163708c4fd2a60d6bf72bd2628bb0d1c111ceb725bc4ac9d5229f39f63a36ef7c05dc20a1b9b25acabfe8b92
-SHA512 (bind-9.17.22.tar.xz.asc) = f75a2361a5ffea8f85ae3053841a0c618217c7bbe3428d3ffaba900c9692f5f315f572b4c48f8d219e2293a3dc0df0085d425da0bc4a9598fced4b712efa8fd2
+SHA512 (bind-9.18.6.tar.xz) = 6b31eb56cf25b2cb1d8af0f76f9cac0e0985c78cbe3ba80164d773cb0bf77116dd98b5c4b84e3c74fd35b5da501ee6ba2dc0fae12267104edde2cb2daa1e1ba7
+SHA512 (bind-9.18.6.tar.xz.asc) = 13629b56acb02ca1fe861e6a17e949fee276de83624d972174893e48cc5de650a2a0081262e5e0d6913360861e2c91fed6b808ed8ae702e5cb2e2380eacf163b