From 495cf18c75433eadbb6e02d8c8e34381df441918 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 6 Aug 2024 11:20:23 +0200 Subject: [PATCH] Remove checks for OPENSSL_API_LEVEL define Since the support for OpenSSL Engines has been removed, we can now also remove the checks for OPENSSL_API_LEVEL; The OpenSSL 3.x APIs will be used when compiling with OpenSSL 3.x, and OpenSSL 1.1.xx APIs will be used only when OpenSSL 1.1.x is used. --- bin/dnssec/dnssec-keygen.c | 8 ++-- bin/dnssec/dnssec-ksr.c | 4 +- bin/dnssec/dnssec-signzone.c | 8 ++-- bin/named/main.c | 8 ++-- bin/tests/system/feature-test.c | 8 ++-- lib/dns/opensslecdsa_link.c | 8 ++-- lib/dns/opensslrsa_link.c | 66 +++++++++++++++------------------ lib/isc/iterated_hash.c | 2 +- 8 files changed, 52 insertions(+), 60 deletions(-) diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 6f738e96d8..8dd1b07ae9 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -56,7 +56,7 @@ #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #include #endif @@ -843,7 +843,7 @@ main(int argc, char **argv) { unsigned char c; int ch; bool set_fips_mode = false; -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PROVIDER *fips = NULL, *base = NULL; #endif @@ -1117,7 +1117,7 @@ main(int argc, char **argv) { } if (set_fips_mode) { -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { ERR_clear_error(); @@ -1293,7 +1293,7 @@ main(int argc, char **argv) { } isc_mem_destroy(&mctx); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L if (base != NULL) { OSSL_PROVIDER_unload(base); } 
diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index f9f7bcedf9..51e6e8dbfd 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -1195,7 +1195,7 @@ main(int argc, char *argv[]) { int ch; char *endp; bool set_fips_mode = false; -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PROVIDER *fips = NULL, *base = NULL; #endif ksr_ctx_t ksr = { @@ -1280,7 +1280,7 @@ main(int argc, char *argv[]) { setup_logging(mctx, &lctx); if (set_fips_mode) { -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { fatal("Failed to load FIPS provider"); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 3d1908a1ae..90423d418f 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -88,7 +88,7 @@ #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #include #endif @@ -3361,7 +3361,7 @@ main(int argc, char *argv[]) { bool set_iter = false; bool nonsecify = false; bool set_fips_mode = false; -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PROVIDER *fips = NULL, *base = NULL; #endif @@ -3725,7 +3725,7 @@ main(int argc, char *argv[]) { isc_managers_create(&mctx, nloops, &loopmgr, &netmgr); if (set_fips_mode) { -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { ERR_clear_error(); @@ -4128,7 +4128,7 @@ main(int argc, char *argv[]) { isc_mem_stats(mctx, stdout); } -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L if (base != NULL) { OSSL_PROVIDER_unload(base); } 
diff --git a/bin/named/main.c b/bin/named/main.c index 12d5705137..50cbda8e8f 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -88,7 +88,7 @@ #include #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #include #endif @@ -152,7 +152,7 @@ static bool transferstuck = false; static bool disable6 = false; static bool disable4 = false; -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L static OSSL_PROVIDER *fips = NULL, *base = NULL; #endif @@ -961,7 +961,7 @@ parse_command_line(int argc, char *argv[]) { named_main_earlyfatal("option '-X' has been removed"); break; case 'F': -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips == NULL) { ERR_clear_error(); @@ -1616,7 +1616,7 @@ main(int argc, char *argv[]) { named_os_shutdown(); -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L if (base != NULL) { OSSL_PROVIDER_unload(base); } diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 63017c9143..2d17e1e8a2 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -19,7 +19,7 @@ #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #endif @@ -101,7 +101,7 @@ main(int argc, char **argv) { } if (strcasecmp(argv[1], "--fips-provider") == 0) { -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L OSSL_PROVIDER *fips = OSSL_PROVIDER_load(NULL, "fips"); if (fips != NULL) { OSSL_PROVIDER_unload(fips); 
@@ -135,14 +135,14 @@ main(int argc, char **argv) { if (strcmp(argv[1], "--have-fips-dh") == 0) { #if defined(ENABLE_FIPS_MODE) -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L return (0); #else return (1); #endif #else if (isc_fips_mode()) { -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L return (0); #else return (1); diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 6f71a72a2a..c072ae27d6 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -273,7 +273,7 @@ opensslecdsa_extract_public_key_params(const dst_key_t *key, unsigned char *dst, #endif -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 +#if OPENSSL_VERSION_NUMBER < 0x30000000L static isc_result_t opensslecdsa_create_pkey_legacy(unsigned int key_alg, bool private, @@ -376,8 +376,7 @@ opensslecdsa_extract_public_key(const dst_key_t *key, unsigned char *dst, if (opensslecdsa_extract_public_key_params(key, dst, dstlen)) { return (true); } -#endif -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 +#else if (opensslecdsa_extract_public_key_legacy(key, dst, dstlen)) { return (true); } @@ -396,8 +395,7 @@ opensslecdsa_create_pkey(unsigned int key_alg, bool private, if (ret != ISC_R_FAILURE) { return (ret); } -#endif -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 +#else ret = opensslecdsa_create_pkey_legacy(key_alg, private, key, key_len, retkey); if (ret == ISC_R_SUCCESS) { diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 661632484b..ea71f2e2e2 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c 
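Review bot: In the `opensslecdsa_create_pkey` hunk (`@@ -396,8 +395,7 @@`), the OpenSSL 3.x branch still returns only when `ret != ISC_R_FAILURE`, a shape that made sense while a failure could fall through to the legacy call that now sits behind `#else`. On a 3.x build an `ISC_R_FAILURE` from the preceding call now drops straight to whatever follows `#endif`, which is outside this hunk. If that tail is only the failure return, a plain `return (ret);` would stop a reader assuming a fallback still exists. The same leftover shape is in the `if (opensslecdsa_extract_public_key_params(key, dst, dstlen))` guard of the `@@ -376,8 +376,7 @@` hunk. Both functions start and end outside the visible lines, so check the tail before simplifying.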
@@ -73,37 +73,35 @@ opensslrsa_components_get(const dst_key_t *key, rsa_components_t *c, */ #if OPENSSL_VERSION_NUMBER >= 0x30000000L if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_E, - (BIGNUM **)&c->e) == 1) + (BIGNUM **)&c->e) != 1) { - c->bnfree = true; - if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N, - (BIGNUM **)&c->n) != 1) - { - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - if (!private) { - return (ISC_R_SUCCESS); - } - (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_D, - (BIGNUM **)&c->d); - (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_FACTOR1, - (BIGNUM **)&c->p); - (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_FACTOR2, - (BIGNUM **)&c->q); - (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_EXPONENT1, - (BIGNUM **)&c->dmp1); - (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_EXPONENT2, - (BIGNUM **)&c->dmq1); - (void)EVP_PKEY_get_bn_param(priv, - OSSL_PKEY_PARAM_RSA_COEFFICIENT1, - (BIGNUM **)&c->iqmp); - ERR_clear_error(); - return (ISC_R_SUCCESS); - } else { - ERR_clear_error(); + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 + + c->bnfree = true; + if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N, + (BIGNUM **)&c->n) != 1) + { + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } + if (!private) { + return (ISC_R_SUCCESS); + } + (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_D, + (BIGNUM **)&c->d); + (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_FACTOR1, + (BIGNUM **)&c->p); + (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_FACTOR2, + (BIGNUM **)&c->q); + (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_EXPONENT1, + (BIGNUM **)&c->dmp1); + (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_EXPONENT2, + (BIGNUM **)&c->dmq1); + (void)EVP_PKEY_get_bn_param(priv, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, + (BIGNUM **)&c->iqmp); + ERR_clear_error(); + return (ISC_R_SUCCESS); +#else 
const RSA *rsa = EVP_PKEY_get0_RSA(pub); if (rsa == NULL) { return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -122,8 +120,6 @@ opensslrsa_components_get(const dst_key_t *key, rsa_components_t *c, RSA_get0_factors(rsa, &c->p, &c->q); RSA_get0_crt_params(rsa, &c->dmp1, &c->dmq1, &c->iqmp); return (ISC_R_SUCCESS); -#else - return (DST_R_OPENSSLFAILURE); #endif } @@ -300,9 +296,7 @@ opensslrsa_check_exponent_bits(EVP_PKEY *pkey, int maxbits) { BN_free(e); return (bits < maxbits); } -#endif - /* Use old API for the OpenSSL ENGINE support, even with OpenSSL 3.x */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 +#else const RSA *rsa = EVP_PKEY_get0_RSA(pkey); if (rsa != NULL) { const BIGNUM *ce = NULL; @@ -351,7 +345,7 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) { return (opensslrsa_verify2(dctx, 0, sig)); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 +#if OPENSSL_VERSION_NUMBER < 0x30000000L static int progress_cb(int p, int n, BN_GENCB *cb) { void (*fptr)(int); @@ -675,7 +669,7 @@ err: OSSL_PARAM_BLD_free(bld); return (ret); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ static isc_result_t opensslrsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c index 119c300050..3f936bfae6 100644 --- a/lib/isc/iterated_hash.c +++ b/lib/isc/iterated_hash.c @@ -21,7 +21,7 @@ #include #include -#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 +#if OPENSSL_VERSION_NUMBER < 0x30000000L #include
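Review bot: In the `opensslrsa_components_get` hunk (`@@ -73,37 +73,35 @@`), the OpenSSL 3.x branch still discards the result of all six private-component lookups with `(void)` and then returns `ISC_R_SUCCESS`, so a call with `private` set can succeed while `c->d`, `c->p`, `c->q` and the CRT values stay as the caller initialised them. That may be deliberate for keys whose private material cannot be exported, though nothing in the hunk says so. Since this is now the only code path on 3.x, it deserves a comment such as `/* Private components are optional here; callers must check each for NULL before use. */` above the first `(void)EVP_PKEY_get_bn_param(priv, ...)`. Separately, `c->bnfree = true` is set before the `OSSL_PKEY_PARAM_RSA_N` lookup, so the failure return after it leaves `c->e` allocated and relies on the caller's cleanup honouring `bnfree`. The function's start and its callers are outside the hunk, so confirm that path frees the BIGNUMs and clears the private ones.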