The OpenSSL engine API is deprecated in OpenSSL 3.0.0

don't use the engine API unless the OpenSSL API is less
than 3.0.0 (OPENSSL_API_LEVEL < 30000)

diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index e0ba4cdb4108893b770bb6b2af0893fa449c2443..809002dbd2f08b25cf3958efd3429957c5cc144e 100644 (file)
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -58,11 +58,9 @@ isc_result_t
 dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname,
                       isc_result_t fallback);
 
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE *
 dst__openssl_getengine(const char *engine);
-#else /* if !defined(OPENSSL_NO_ENGINE) */
-#define dst__openssl_getengine(x) NULL
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 
 ISC_LANG_ENDDECLS

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index ff3c92b25f8a06015609bcd1adc6b0aeeea1f301..9f5359d7e2ab5e829374065d23dee0dcf4ef2f2b 100644 (file)
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -37,15 +37,15 @@
 #include "dst_internal.h"
 #include "dst_openssl.h"
 
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 #include <openssl/engine.h>
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 
 #include "openssl_shim.h"
 
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 static ENGINE *e = NULL;
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 
 static void
 enable_fips_mode(void) {
@@ -70,7 +70,7 @@ dst__openssl_init(const char *engine) {
 
        enable_fips_mode();
 
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        if (engine != NULL && *engine == '\0') {
                engine = NULL;
        }
@@ -96,18 +96,18 @@ cleanup_rm:
        e = NULL;
 #else
        UNUSED(engine);
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
        return (result);
 }
 
 void
 dst__openssl_destroy(void) {
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        if (e != NULL) {
                ENGINE_free(e);
        }
        e = NULL;
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 }
 
 static isc_result_t
@@ -191,7 +191,7 @@ done:
        return (result);
 }
 
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE *
 dst__openssl_getengine(const char *engine) {
        if (engine == NULL) {
@@ -205,6 +205,6 @@ dst__openssl_getengine(const char *engine) {
        }
        return (NULL);
 }
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 
 /*! \file */

diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index bb47db5ab5227057a545326863f60b22966a672a..4dee158b319283cca2bd88f138849d708b4a49ee 100644 (file)
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -25,7 +25,7 @@
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/param_build.h>
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 #include <openssl/engine.h>
 #endif
 
@@ -1322,7 +1322,7 @@ err:
 static isc_result_t
 opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
                       const char *pin) {
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        isc_result_t ret = ISC_R_SUCCESS;
        ENGINE *e;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -1472,7 +1472,7 @@ err:
        UNUSED(label);
        UNUSED(pin);
        return (DST_R_NOENGINE);
-#endif /* !defined(OPENSSL_NO_ENGINE) */
+#endif /* !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 }
 
 static dst_func_t opensslecdsa_functions = {

diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index 2fc5d7358c547589c99819a3f1d30aa422eb7385..df6c946e68c20fed24b28a2e90e2b754fee50365 100644 (file)
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -19,9 +19,9 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 #include <openssl/engine.h>
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 
 #include <isc/mem.h>
 #include <isc/result.h>
@@ -589,7 +589,7 @@ err:
 static isc_result_t
 openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
                       const char *pin) {
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        isc_result_t ret;
        ENGINE *e;
        EVP_PKEY *pkey = NULL, *pubpkey = NULL;
@@ -650,13 +650,13 @@ err:
                EVP_PKEY_free(pkey);
        }
        return (ret);
-#else  /* if !defined(OPENSSL_NO_ENGINE) */
+#else  /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
        UNUSED(key);
        UNUSED(engine);
        UNUSED(label);
        UNUSED(pin);
        return (DST_R_NOENGINE);
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 }
 
 static dst_func_t openssleddsa_functions = {

diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 2ab041cfacbbae6b130d27fd246b1d5093225629..7ac50e765bbf32d9790ce9e187b790aca27ec09b 100644 (file)
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -19,9 +19,9 @@
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/core_names.h>
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 #include <openssl/engine.h>
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -1092,9 +1092,9 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        EVP_PKEY_CTX *ctx = NULL;
        BIGNUM *ex = NULL;
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        ENGINE *ep = NULL;
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
        isc_mem_t *mctx = key->mctx;
        const char *engine = NULL, *label = NULL;
        EVP_PKEY *pkey = NULL;
@@ -1147,7 +1147,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
         * See if we can fetch it.
         */
        if (label != NULL) {
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
                if (engine == NULL) {
                        DST_RET(DST_R_NOENGINE);
                }
@@ -1195,10 +1195,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
                key->keydata.pkey = pkey;
                pkey = NULL;
                DST_RET(ISC_R_SUCCESS);
-#else  /* if !defined(OPENSSL_NO_ENGINE) */
+#else  /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
+               UNUSED(engine);
                UNUSED(ex);
                DST_RET(DST_R_NOENGINE);
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
        }
 
        for (i = 0; i < priv.nelements; i++) {
@@ -1429,7 +1430,7 @@ err:
 static isc_result_t
 opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
                     const char *pin) {
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        ENGINE *e = NULL;
        isc_result_t ret = ISC_R_SUCCESS;
        EVP_PKEY *pkey = NULL, *pubpkey = NULL;
@@ -1520,13 +1521,13 @@ err:
                EVP_PKEY_free(pubpkey);
        }
        return (ret);
-#else  /* if !defined(OPENSSL_NO_ENGINE) */
+#else  /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
        UNUSED(key);
        UNUSED(engine);
        UNUSED(label);
        UNUSED(pin);
        return (DST_R_NOENGINE);
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
+#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
 }
 
 static dst_func_t opensslrsa_functions = {

diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index c1d2b4c4fd78a854d49771fb6ac77e4a07933209..cc63e2e9cd2371d903a76ccc42a8da2f8a817a46 100644 (file)
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -93,7 +93,7 @@ tls_initialize(void) {
        SSL_load_error_strings();
        SSL_library_init();
 
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        ENGINE_load_builtin_engines();
 #endif
        OpenSSL_add_all_algorithms();
@@ -133,7 +133,7 @@ tls_shutdown(void) {
        CONF_modules_unload(1);
        OBJ_cleanup();
        EVP_cleanup();
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        ENGINE_cleanup();
 #endif
        CRYPTO_cleanup_all_ex_data();