From 60535fc5f7ccee58c641a96fe52d9b15c192698b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 8 Oct 2021 12:10:56 +1100 Subject: [PATCH] The OpenSSL engine API is deprecated in OpenSSL 3.0.0 don't use the engine API unless the OpenSSL API is less than 3.0.0 (OPENSSL_API_LEVEL < 30000) --- lib/dns/dst_openssl.h | 6 ++---- lib/dns/openssl_link.c | 20 ++++++++++---------- lib/dns/opensslecdsa_link.c | 6 +++--- lib/dns/openssleddsa_link.c | 10 +++++----- lib/dns/opensslrsa_link.c | 21 +++++++++++---------- lib/isc/tls.c | 4 ++-- 6 files changed, 33 insertions(+), 34 deletions(-) diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h index e0ba4cdb41..809002dbd2 100644 --- a/lib/dns/dst_openssl.h +++ b/lib/dns/dst_openssl.h @@ -58,11 +58,9 @@ isc_result_t dst__openssl_toresult3(isc_logcategory_t *category, const char *funcname, isc_result_t fallback); -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE * dst__openssl_getengine(const char *engine); -#else /* if !defined(OPENSSL_NO_ENGINE) */ -#define dst__openssl_getengine(x) NULL -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ ISC_LANG_ENDDECLS diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index ff3c92b25f..9f5359d7e2 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -37,15 +37,15 @@ #include "dst_internal.h" #include "dst_openssl.h" -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 #include -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #include "openssl_shim.h" -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 static ENGINE *e = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ static void enable_fips_mode(void) { 
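Review bot: The new test `OPENSSL_API_LEVEL < 30000` in lib/dns/dst_openssl.h only works if that macro is already defined where the `#if` is evaluated, and the same test is repeated in every other hunk of this patch. OpenSSL releases before 3.0 do not define `OPENSSL_API_LEVEL`, so the preprocessor treats it as 0 there. That keeps the engine code as intended but trips `-Wundef`, and on 3.0 the guard would quietly evaluate true if no OpenSSL header had been included before that point. I would state the intent explicitly as `#if !defined(OPENSSL_NO_ENGINE) && (!defined(OPENSSL_API_LEVEL) || OPENSSL_API_LEVEL < 30000)`, ideally behind one project-local macro so the six files cannot drift apart. The hunk also drops the `#define dst__openssl_getengine(x) NULL` fallback, so a caller outside a guarded region now fails at build time instead of receiving NULL; not all callers are visible here.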
@@ -70,7 +70,7 @@ dst__openssl_init(const char *engine) { enable_fips_mode(); -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 if (engine != NULL && *engine == '\0') { engine = NULL; } @@ -96,18 +96,18 @@ cleanup_rm: e = NULL; #else UNUSED(engine); -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ return (result); } void dst__openssl_destroy(void) { -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 if (e != NULL) { ENGINE_free(e); } e = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ } static isc_result_t @@ -191,7 +191,7 @@ done: return (result); } -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE * dst__openssl_getengine(const char *engine) { if (engine == NULL) { @@ -205,6 +205,6 @@ dst__openssl_getengine(const char *engine) { } return (NULL); } -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ /*! \file */ diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index bb47db5ab5..4dee158b31 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -25,7 +25,7 @@ #if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #endif -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 #include #endif @@ -1322,7 +1322,7 @@ err: static isc_result_t opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, const char *pin) { -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 isc_result_t ret = ISC_R_SUCCESS; ENGINE *e; #if OPENSSL_VERSION_NUMBER < 0x30000000L 
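Review bot: In `dst__openssl_init` the `#else` branch still only does `UNUSED(engine);`, and with the widened guard that branch is now compiled on OpenSSL 3.0 builds that do not lower the API level, not just on `OPENSSL_NO_ENGINE` builds. A non-empty engine name requested by the operator (for example for HSM-backed signing keys) is then dropped at start-up. As far as the hunk shows, the function still returns `result` unchanged, and the failure only surfaces later when the `*_fromlabel` functions return `DST_R_NOENGINE`. Failing early would make the misconfiguration visible: `if (engine != NULL && *engine != '\0') { return (DST_R_NOENGINE); }` in place of the bare `UNUSED(engine);`. The start of the function and the initial value of `result` are outside the hunk, so this needs checking against the full body.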
@@ -1472,7 +1472,7 @@ err: UNUSED(label); UNUSED(pin); return (DST_R_NOENGINE); -#endif /* !defined(OPENSSL_NO_ENGINE) */ +#endif /* !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ } static dst_func_t opensslecdsa_functions = { diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index 2fc5d7358c..df6c946e68 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -19,9 +19,9 @@ #include #include #include -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 #include -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #include #include @@ -589,7 +589,7 @@ err: static isc_result_t openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, const char *pin) { -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 isc_result_t ret; ENGINE *e; EVP_PKEY *pkey = NULL, *pubpkey = NULL; @@ -650,13 +650,13 @@ err: EVP_PKEY_free(pkey); } return (ret); -#else /* if !defined(OPENSSL_NO_ENGINE) */ +#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ UNUSED(key); UNUSED(engine); UNUSED(label); UNUSED(pin); return (DST_R_NOENGINE); -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ } static dst_func_t openssleddsa_functions = { diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 2ab041cfac..7ac50e765b 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -19,9 +19,9 @@ #if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #endif -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 #include -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #include #include #if OPENSSL_VERSION_NUMBER >= 0x30000000L 
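Review bot: The include block of lib/dns/opensslrsa_link.c now gates on two different things in adjacent lines, and nothing says why. `OPENSSL_VERSION_NUMBER >= 0x30000000L` tests the library headers being built against, while `OPENSSL_API_LEVEL < 30000` tests the API level the build selects. A short comment above the engine include would keep a later cleanup from merging the two conditions, e.g. `/* ENGINE is deprecated in OpenSSL 3.0: build it only when the selected API level is below 3.0 */`. The same pairing appears in the include block of lib/dns/opensslecdsa_link.c, and `opensslecdsa_fromlabel` nests an `OPENSSL_VERSION_NUMBER` test inside the engine guard, so the comment would help there too.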
@@ -1092,9 +1092,9 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { EVP_PKEY_CTX *ctx = NULL; BIGNUM *ex = NULL; #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE *ep = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ isc_mem_t *mctx = key->mctx; const char *engine = NULL, *label = NULL; EVP_PKEY *pkey = NULL; @@ -1147,7 +1147,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { * See if we can fetch it. */ if (label != NULL) { -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 if (engine == NULL) { DST_RET(DST_R_NOENGINE); } @@ -1195,10 +1195,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { key->keydata.pkey = pkey; pkey = NULL; DST_RET(ISC_R_SUCCESS); -#else /* if !defined(OPENSSL_NO_ENGINE) */ +#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ + UNUSED(engine); UNUSED(ex); DST_RET(DST_R_NOENGINE); -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ } for (i = 0; i < priv.nelements; i++) { @@ -1429,7 +1430,7 @@ err: static isc_result_t opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, const char *pin) { -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE *e = NULL; isc_result_t ret = ISC_R_SUCCESS; EVP_PKEY *pkey = NULL, *pubpkey = NULL; 
@@ -1520,13 +1521,13 @@ err: EVP_PKEY_free(pubpkey); } return (ret); -#else /* if !defined(OPENSSL_NO_ENGINE) */ +#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ UNUSED(key); UNUSED(engine); UNUSED(label); UNUSED(pin); return (DST_R_NOENGINE); -#endif /* if !defined(OPENSSL_NO_ENGINE) */ +#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ } static dst_func_t opensslrsa_functions = { diff --git a/lib/isc/tls.c b/lib/isc/tls.c index c1d2b4c4fd..cc63e2e9cd 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -93,7 +93,7 @@ tls_initialize(void) { SSL_load_error_strings(); SSL_library_init(); -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE_load_builtin_engines(); #endif OpenSSL_add_all_algorithms(); @@ -133,7 +133,7 @@ tls_shutdown(void) { CONF_modules_unload(1); OBJ_cleanup(); EVP_cleanup(); -#if !defined(OPENSSL_NO_ENGINE) +#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data();