From: Aydın Mercan
Date: Mon, 2 Feb 2026 09:43:48 +0000 (+0300)
Subject: chg: dev: initial openssl version splitting
X-Git-Tag: v9.21.18~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe9fee63c66a4b028d1a319c1ecb747d65e16485;p=thirdparty%2Fbind9.git

chg: dev: initial openssl version splitting

Dealing with OpenSSL has been rapidly turning into an unwieldy situation as post-3.0 changes turn the library into a different beast. Start treating pre- and post-3.0 versions differently for easier maintenance.

To help with this Sisyphean task, this MR had to shift things around. `OPENSSL_NO_DEPRECATED` is now declared in BIND alongside an appropriate `OPENSSL_API_COMPAT` value. The former value will be set to declare either OpenSSL 1.1.0 or 3.0 as the bare minimum version.

Instead of splitting `md.c` and `hmac.c` into separate version-specific files, they now live inside `crypto/ossl1_1.c` and `crypto/ossl3.c`. This way, these functions will be able to utilize the same static `OSSL_PARAM` tables, removing redundant reconstruction for HMAC.

For pre-3.0, `isc_hmac` has been reverted back to using the `HMAC_` interface. Using `EVP_MD_CTX`-based functions for HMAC will end up with libcrypto calling the same `HMAC_` functions in the end, giving no advantage while confusingly using the digest functions.

A new API, `isc_ossl_wrap`, has been added. This family of functions aims to provide a common interface for libcrypto version-specific code while not abstracting away OpenSSL's structures such as `EVP_PKEY`. Currently the main user of this API is the `dst` family of functions, where some ECDSA and RSA operations need to use the new `OSSL_PARAM` functionality by requirement or to avoid speed penalties.

Furthermore, OpenSSL-based logging has been moved from `isc_tls` to `isc_ossl_wrap` as it's a more appropriate place for such functionality.

Merge branch 'aydin/openssl-version-split' into 'main'

See merge request isc-projects/bind9!11094

--- fe9fee63c66a4b028d1a319c1ecb747d65e16485