From 3907de98cad2c9d1d5a3345d08c437b2e737d257 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 9 Aug 2023 11:43:18 +1000
Subject: [PATCH 1/4] Fix line wrap

---
 CHANGES | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 9bdd9a7776..2dc43056c7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,8 @@ OpenSSL Provider API will now require engine to not be set. [GL #8153]
 
-6222. [func] Fixes to provider/engine based ECDSA key handling. [GL !8152]
+6222. [func] Fixes to provider/engine based ECDSA key handling.
+ [GL !8152]
 
 6221. [cleanup] Refactor dns_rdataset internals, move rdatasetheader declarations out of rbtdb.c so they can be used by other

From d527ae11c9b3af9fa31991d4c4fcadfd84cf4930 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 9 Aug 2023 11:43:36 +1000
Subject: [PATCH 2/4] Fix clang formatting

---
 lib/dns/dst_parse.c | 6 ++----
 lib/dns/openssl_link.c | 9 +++++----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 4998879248..0778d90795 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -233,8 +233,7 @@ check_ecdsa(const dst_private_t *priv, bool external) {
 
 mask = (1ULL << TAG_SHIFT) - 1;
 
- ok = have[TAG_ECDSA_LABEL & mask] ||
- have[TAG_ECDSA_PRIVATEKEY & mask];
+ ok = have[TAG_ECDSA_LABEL & mask] || have[TAG_ECDSA_PRIVATEKEY & mask];
 
 return (ok ? 0 : -1);
 }
@@ -267,8 +266,7 @@ check_eddsa(const dst_private_t *priv, bool external) {
 
 mask = (1ULL << TAG_SHIFT) - 1;
 
- ok = have[TAG_EDDSA_LABEL & mask] ||
- have[TAG_EDDSA_PRIVATEKEY & mask];
+ ok = have[TAG_EDDSA_LABEL & mask] || have[TAG_EDDSA_PRIVATEKEY & mask];
 
 return (ok ? 0 : -1);
 }
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 2aef28b930..005e7832d3 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -272,8 +272,9 @@ err:
 }
 
 static isc_result_t
-dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin,
- EVP_PKEY **ppub, EVP_PKEY **ppriv) {
+dst__openssl_fromlabel_provider(int key_base_id, const char *label,
+ const char *pin, EVP_PKEY **ppub,
+ EVP_PKEY **ppriv) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 isc_result_t ret = DST_R_OPENSSLFAILURE;
 OSSL_STORE_CTX *ctx = NULL;
@@ -336,8 +337,8 @@ isc_result_t
 dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
 const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {
 if (engine == NULL) {
- return (dst__openssl_fromlabel_provider(key_base_id, label,
- pin, ppub, ppriv));
+ return (dst__openssl_fromlabel_provider(key_base_id, label, pin,
+ ppub, ppriv));
 }
 return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin,

From 00a09e0d35b2da327b178baf9864a96e469062e2 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 9 Aug 2023 15:20:36 +1000
Subject: [PATCH 3/4] Only set key->engine if engine != NULL

---
 lib/dns/openssleddsa_link.c | 2 +-
 lib/dns/opensslrsa_link.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index f6d1fa3a14..7e976a7756 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -527,7 +527,7 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 goto err;
 }
 
- if (key->engine != NULL) {
+ if (engine != NULL) {
 key->engine = isc_mem_strdup(key->mctx, engine);
 }
 key->label = isc_mem_strdup(key->mctx, label);
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 54ab04dcf7..79cae64add 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
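Review bot: In the openssleddsa_fromlabel hunk the new `if (engine != NULL)` assigns `key->engine` without first checking that the field is still NULL, so a key object that already carries an engine string would have that earlier allocation leaked by the new `isc_mem_strdup`; the opensslrsa_fromlabel hunk in lib/dns/opensslrsa_link.c has the same shape. If these functions are only ever called on freshly created keys this is harmless, and a one-line `INSIST(key->engine == NULL);` (or freeing the old value before the strdup) would make that precondition explicit and keep the old test from being re-introduced as a "leak guard". The fix itself looks right: with the previous `key->engine != NULL` condition the engine name was presumably never recorded on a fresh key whose field starts out NULL. It is worth confirming that the ECDSA counterpart, if it carries the same pattern, was corrected as well, since this series touches lib/dns/opensslecdsa_link.c only for the API-level guard. openssleddsa_fromlabel starts before the hunk.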
@@ -1051,7 +1051,7 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 DST_RET(ISC_R_RANGE);
 }
 
- if (key->engine != NULL) {
+ if (engine != NULL) {
 key->engine = isc_mem_strdup(key->mctx, engine);
 }
 key->label = isc_mem_strdup(key->mctx, label);

From fa108db27909fcb8a71ea33f56d75550f3690a94 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 9 Aug 2023 14:16:11 +0200
Subject: [PATCH 4/4] Revert a337dbef

Revert commit that always uses OpenSSL 3.0 API when available, the new APIs should work always, but OpenSSL has non-obvious omissions in the automatic mappings it provides.

---
 lib/dns/opensslecdsa_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index f133fe64e8..d63ff1642c 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -119,7 +119,7 @@ BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
 return (size);
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 
 static const char *
 opensslecdsa_key_alg_to_group_name(unsigned int key_alg) {
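Review bot: The restored `#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000` guard in lib/dns/opensslecdsa_link.c carries its rationale only in the commit message, so the next reader will see the `OPENSSL_API_LEVEL` clause as redundant with the version test and is likely to repeat the cleanup that a337dbef made. A one-line comment above the directive, e.g. `/* Keep the OPENSSL_API_LEVEL test: the 3.0 API's automatic mappings have gaps, so the legacy path must stay compiled in (see the revert of a337dbef). */`, would pin the decision in the code where it is actually read. The `#if` opens a conditional block whose remainder, including whatever legacy path it selects, lies outside the hunk, so whether that path still builds against an OpenSSL configured without deprecated APIs cannot be checked from here.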