Merge branch '3172-libressl-3.5.0-compat' into 'main'

Resolve "BIND is not compatible with LibreSSL 3.5.0"

Closes #3172

See merge request isc-projects/bind9!5906

CHANGES

@@ -1,3 +1,7 @@
+5816.	[bug]		Make BIND compile with LibreSSL 3.5.0, as it was using
+			not very accurate pre-processor checks for using shims.
+			[GL #3172]
+
 5815.	[bug]		If an oversized key name of a specific length was used
 			in the text form of an HTTP or SVBC record, an INSIST
 			could be triggered when parsing it. [GL #3175]

configure.ac

@@ -635,6 +635,7 @@ AC_COMPILE_IFELSE(
 #
 
 AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
+AC_CHECK_FUNCS([BN_GENCB_new])
 AC_CHECK_FUNCS([CRYPTO_zalloc])
 AC_CHECK_FUNCS([ERR_get_error_all])
 AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])

lib/dns/dst_openssl.h

@@ -24,20 +24,19 @@
 #include <isc/log.h>
 #include <isc/result.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_BN_GENCB_NEW
 /*
  * These are new in OpenSSL 1.1.0.  BN_GENCB _cb needs to be declared in
  * the function like this before the BN_GENCB_new call:
  *
- * #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ * #if !HAVE_BN_GENCB_NEW
  *     	 _cb;
  * #endif
  */
 #define BN_GENCB_free(x)    ((void)0)
 #define BN_GENCB_new()	    (&_cb)
 #define BN_GENCB_get_arg(x) ((x)->arg)
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* !HAVE_BN_GENCB_NEW */
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 /*

lib/dns/openssldh_link.c

@@ -360,10 +360,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	DH *dh = NULL;
 	BN_GENCB *cb = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_BN_GENCB_NEW
 	BN_GENCB _cb;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* !HAVE_BN_GENCB_NEW */
 #else
 	OSSL_PARAM_BLD *bld = NULL;
 	OSSL_PARAM *params = NULL;

lib/dns/opensslrsa_link.c

@@ -383,10 +383,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	RSA *rsa = RSA_new();
 	EVP_PKEY *pkey = EVP_PKEY_new();
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if !HAVE_BN_GENCB_NEW
 	BN_GENCB _cb;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
+#endif /* !HAVE_BN_GENCB_NEW */
 	BN_GENCB *cb = BN_GENCB_new();
 #else
 	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);

lib/isc/aes.c

@@ -22,19 +22,9 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-#define EVP_CIPHER_CTX_new()   &(_context), EVP_CIPHER_CTX_init(&_context)
-#define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1)
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
-
 void
 isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-	EVP_CIPHER_CTX _context;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
 	EVP_CIPHER_CTX *c;
 	int len;
 
@@ -51,10 +41,6 @@ isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
 void
 isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-	EVP_CIPHER_CTX _context;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
 	EVP_CIPHER_CTX *c;
 	int len;
 
@@ -71,10 +57,6 @@ isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
 void
 isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-	EVP_CIPHER_CTX _context;
-#endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-	* defined(LIBRESSL_VERSION_NUMBER) */
 	EVP_CIPHER_CTX *c;
 	int len;