The OpenSSL engine API is deprecated in OpenSSL 3.0.0

Don't use the engine API unless the OpenSSL API level is lower
than 3.0.0 (OPENSSL_API_LEVEL < 30000).
Mark Andrews
2021-10-08 12:10:56 +11:00
committed by Aram Sargsyan
parent 965bdd9894
commit 60535fc5f7
6 changed files with 33 additions and 34 deletions


@@ -58,11 +58,9 @@ isc_result_t
dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname,
isc_result_t fallback);
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *
dst__openssl_getengine(const char *engine);
#else /* if !defined(OPENSSL_NO_ENGINE) */
#define dst__openssl_getengine(x) NULL
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
ISC_LANG_ENDDECLS
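Review bot: The new guard tests `OPENSSL_API_LEVEL` without saying where the macro comes from, and the same condition is repeated in every file this commit touches. As far as I know the macro is only provided by OpenSSL 3.0 headers, so with older libraries it is undefined and reads as 0 in `#if`; the engine path stays enabled there only by that rule, it trips `-Wundef` where that warning is on, and an OpenSSL header has to be included before this line for the test to mean anything. I would add a comment above the guard such as `/* OPENSSL_API_LEVEL is undefined before OpenSSL 3.0 and reads as 0 here, keeping the engine API enabled. */`, or define the condition once in a shared header and test that instead. This section also drops the `#define dst__openssl_getengine(x) NULL` fallback, so any caller outside an identical guard no longer compiles; the callers visible on this page are guarded, but the rest of the tree is not shown.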


@@ -37,15 +37,15 @@
#include "dst_internal.h"
#include "dst_openssl.h"
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
#include <openssl/engine.h>
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
#include "openssl_shim.h"
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
static ENGINE *e = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
static void
enable_fips_mode(void) {
@@ -70,7 +70,7 @@ dst__openssl_init(const char *engine) {
enable_fips_mode();
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
if (engine != NULL && *engine == '\0') {
engine = NULL;
}
@@ -96,18 +96,18 @@ cleanup_rm:
e = NULL;
#else
UNUSED(engine);
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
return (result);
}
void
dst__openssl_destroy(void) {
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
if (e != NULL) {
ENGINE_free(e);
}
e = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
static isc_result_t
@@ -191,7 +191,7 @@ done:
return (result);
}
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *
dst__openssl_getengine(const char *engine) {
if (engine == NULL) {
@@ -205,6 +205,6 @@ dst__openssl_getengine(const char *engine) {
}
return (NULL);
}
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
/*! \file */
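Review bot: In `dst__openssl_init` the `#else` branch is only `UNUSED(engine);`, so on a build where the engine API is compiled out a configured engine name is discarded and the function still reaches `return (result);`, which looks like the success path (the start of the function is outside the hunk). An operator who expects signing keys to stay behind that engine gets no signal at start-up and only sees `DST_R_NOENGINE` later, when a key is loaded by label. I would reject or at least log the request at this point, for example `if (engine != NULL && *engine != '\0') { result = DST_R_NOENGINE; }` in place of the bare `UNUSED(engine);`.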


@@ -25,7 +25,7 @@
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/param_build.h>
#endif
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
#include <openssl/engine.h>
#endif
@@ -1322,7 +1322,7 @@ err:
static isc_result_t
opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) {
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
isc_result_t ret = ISC_R_SUCCESS;
ENGINE *e;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
@@ -1472,7 +1472,7 @@ err:
UNUSED(label);
UNUSED(pin);
return (DST_R_NOENGINE);
#endif /* !defined(OPENSSL_NO_ENGINE) */
#endif /* !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
static dst_func_t opensslecdsa_functions = {
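Review bot: With the wider guard, `opensslecdsa_fromlabel` now takes the `UNUSED(...)` / `return (DST_R_NOENGINE);` branch on any build where `OPENSSL_API_LEVEL` is 30000 or higher, not only when `OPENSSL_NO_ENGINE` is set, and nothing in the code says so. Loading by label is typically how keys held in a hardware token are reached, so such builds lose that path with no replacement visible in this commit; `openssleddsa_fromlabel` and `opensslrsa_fromlabel` change the same way. A comment at the top of the `#else` branch would make the consequence explicit, e.g. `/* Engine API not compiled in (OPENSSL_NO_ENGINE or OPENSSL_API_LEVEL >= 30000): keys referenced by label cannot be loaded. */`. The function body between the two hunks is not shown.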


@@ -19,9 +19,9 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
#include <openssl/engine.h>
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
#include <isc/mem.h>
#include <isc/result.h>
@@ -589,7 +589,7 @@ err:
static isc_result_t
openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) {
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
isc_result_t ret;
ENGINE *e;
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
@@ -650,13 +650,13 @@ err:
EVP_PKEY_free(pkey);
}
return (ret);
#else /* if !defined(OPENSSL_NO_ENGINE) */
#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
UNUSED(key);
UNUSED(engine);
UNUSED(label);
UNUSED(pin);
return (DST_R_NOENGINE);
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
static dst_func_t openssleddsa_functions = {


@@ -19,9 +19,9 @@
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/core_names.h>
#endif
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
#include <openssl/engine.h>
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
#include <openssl/err.h>
#include <openssl/objects.h>
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -1092,9 +1092,9 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
EVP_PKEY_CTX *ctx = NULL;
BIGNUM *ex = NULL;
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *ep = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
isc_mem_t *mctx = key->mctx;
const char *engine = NULL, *label = NULL;
EVP_PKEY *pkey = NULL;
@@ -1147,7 +1147,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
* See if we can fetch it.
*/
if (label != NULL) {
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
if (engine == NULL) {
DST_RET(DST_R_NOENGINE);
}
@@ -1195,10 +1195,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
key->keydata.pkey = pkey;
pkey = NULL;
DST_RET(ISC_R_SUCCESS);
#else /* if !defined(OPENSSL_NO_ENGINE) */
#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
UNUSED(engine);
UNUSED(ex);
DST_RET(DST_R_NOENGINE);
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
for (i = 0; i < priv.nelements; i++) {
@@ -1429,7 +1430,7 @@ err:
static isc_result_t
opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) {
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *e = NULL;
isc_result_t ret = ISC_R_SUCCESS;
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
@@ -1520,13 +1521,13 @@ err:
EVP_PKEY_free(pubpkey);
}
return (ret);
#else /* if !defined(OPENSSL_NO_ENGINE) */
#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
UNUSED(key);
UNUSED(engine);
UNUSED(label);
UNUSED(pin);
return (DST_R_NOENGINE);
#endif /* if !defined(OPENSSL_NO_ENGINE) */
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
static dst_func_t opensslrsa_functions = {
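Review bot: The `#else` branch in `opensslrsa_parse` contains `UNUSED(ex);`, but the only declaration of `ex` visible in this section sits just above `#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */`, that is, inside a library-version conditional rather than the engine guard. If the other arm of that conditional does not declare `ex` as well (it lies outside the hunk), a build with `OPENSSL_NO_ENGINE` defined against the library version that takes that arm would fail on this line. It is worth confirming with such a build; if `ex` turns out to exist in one arm only, wrap `UNUSED(ex);` in the same `OPENSSL_VERSION_NUMBER` condition that declares it.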


@@ -93,7 +93,7 @@ tls_initialize(void) {
SSL_load_error_strings();
SSL_library_init();
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE_load_builtin_engines();
#endif
OpenSSL_add_all_algorithms();
@@ -133,7 +133,7 @@ tls_shutdown(void) {
CONF_modules_unload(1);
OBJ_cleanup();
EVP_cleanup();
#if !defined(OPENSSL_NO_ENGINE)
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();