Attachment #177577 for bug #214982

View | Details | Raw Unified | Return to bug 214982
Collapse All | Expand All

Lines 31-37 LICENSE= ISCL Link Here

(-)dns/bind910/Makefile (-1 / +1 lines)
31	# ISC releases things like 9.8.0-P1, which our versioning doesn't like	31	# ISC releases things like 9.8.0-P1, which our versioning doesn't like
32	ISCVERSION= 9.10.4-P4	32	ISCVERSION= 9.10.4-P4
33		33
34	USES= cpe libedit	34	USES= cpe libedit autoreconf libtool
35		35
36	CPE_VENDOR= isc	36	CPE_VENDOR= isc
37	CPE_VERSION= ${ISCVERSION:C/-.*//}	37	CPE_VERSION= ${ISCVERSION:C/-.*//}




From 61399410964d61aec3609a1bc76fd260268b3ade Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Wed, 31 Aug 2016 23:00:39 +0200
Subject: [PATCH] Add OpenSSL 1.1.0 support

---
 configure.in                |   6 +-
 lib/dns/openssl_link.c      |  38 ++++---
 lib/dns/openssldh_link.c    | 255 +++++++++++++++++++++++++++++---------------
 lib/dns/openssldsa_link.c   | 170 +++++++++++++++++++++--------
 lib/dns/opensslecdsa_link.c |  31 ++++--
 lib/dns/opensslrsa_link.c   | 246 ++++++++++++++++++++++++++++++------------
 lib/isc/aes.c               |  36 +++----
 8 files changed, 554 insertions(+), 248 deletions(-)

Index: bind9-9.10.3.dfsg.P4/configure.in
===================================================================
--- configure.in.orig
+++ configure.in
@@ -1546,15 +1546,13 @@ shared library configuration (e.g., LD_L
 		AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
 		AC_TRY_LINK([
 #include <openssl/err.h>
-#include <openssl/dso.h>
 ],
-[ DSO_METHOD_dlfcn(); ],
+[ ERR_clear_error(); ],
 		[AC_MSG_RESULT(no)],
 		[LIBS="$LIBS -ldl"
 		AC_TRY_LINK([
 #include <openssl/err.h>
-#include <openssl/dso.h>
-],[ DSO_METHOD_dlfcn(); ],
+],[ ERR_clear_error(); ],
 		[AC_MSG_RESULT(yes)
 		DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl"
 		],
Index: bind9-9.10.3.dfsg.P4/lib/dns/openssl_link.c
===================================================================
--- lib/dns/openssl_link.c.orig	2016-10-21 07:10:54.000000000 +0200
+++ lib/dns/openssl_link.c	2016-12-01 13:49:51.176571694 +0100
@@ -58,8 +58,10 @@
 
 static RAND_METHOD *rm = NULL;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 static isc_mutex_t *locks = NULL;
 static int nlocks;
+#endif
 
 #ifdef USE_ENGINE
 static ENGINE *e = NULL;
@@ -111,6 +113,7 @@
 }
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 static void
 lock_callback(int mode, int type, const char *file, int line) {
 	UNUSED(file);
@@ -120,6 +123,7 @@
 	else
 		UNLOCK(&locks[type]);
 }
+#endif
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static unsigned long
@@ -129,7 +133,11 @@
 #endif
 
 static void *
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 mem_alloc(size_t size) {
+#else
+mem_alloc(size_t size, const char *file, int line) {
+#endif
 #ifdef OPENSSL_LEAKS
 	void *ptr;
 
@@ -143,14 +151,22 @@
 }
 
 static void
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 mem_free(void *ptr) {
+#else
+mem_free(void *ptr, const char *file, int line) {
+#endif
 	INSIST(dst__memory_pool != NULL);
 	if (ptr != NULL)
 		isc_mem_free(dst__memory_pool, ptr);
 }
 
 static void *
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 mem_realloc(void *ptr, size_t size) {
+#else
+mem_realloc(void *ptr, size_t size, const char *file, int line) {
+#endif
 #ifdef OPENSSL_LEAKS
 	void *rptr;
 
@@ -179,6 +195,7 @@
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 #endif
 	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	nlocks = CRYPTO_num_locks();
 	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
 	if (locks == NULL)
@@ -187,13 +204,12 @@
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mutexalloc;
 	CRYPTO_set_locking_callback(lock_callback);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	CRYPTO_set_id_callback(id_callback);
 #endif
 
 	ERR_load_crypto_strings();
 
-	rm = mem_alloc(sizeof(RAND_METHOD));
+	rm = malloc(sizeof(RAND_METHOD));
 	if (rm == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_mutexinit;
@@ -263,11 +279,13 @@
 	rm = NULL;
 #endif
  cleanup_mutexinit:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	CRYPTO_set_locking_callback(NULL);
 	DESTROYMUTEXBLOCK(locks, nlocks);
  cleanup_mutexalloc:
 	mem_free(locks);
 	locks = NULL;
+#endif
 	return (result);
 }
 
@@ -280,7 +298,7 @@
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 		RAND_cleanup();
 #endif
-		mem_free(rm);
+		free(rm);
 		rm = NULL;
 	}
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
@@ -309,21 +327,20 @@
 	CRYPTO_mem_leaks_fp(stderr);
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	if (locks != NULL) {
 		CRYPTO_set_locking_callback(NULL);
 		DESTROYMUTEXBLOCK(locks, nlocks);
 		mem_free(locks);
 		locks = NULL;
 	}
+#endif
 }
 
 static isc_result_t
 toresult(isc_result_t fallback) {
 	isc_result_t result = fallback;
 	unsigned long err = ERR_get_error();
-#ifdef HAVE_OPENSSL_ECDSA
-	int lib = ERR_GET_LIB(err);
-#endif
 	int reason = ERR_GET_REASON(err);
 
 	switch (reason) {
@@ -335,13 +352,6 @@
 		result = ISC_R_NOMEMORY;
 		break;
 	default:
-#ifdef HAVE_OPENSSL_ECDSA
-		if (lib == ERR_R_ECDSA_LIB &&
-		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
-			result = ISC_R_NOENTROPY;
-			break;
-		}
-#endif
 		break;
 	}
 
Index: bind9-9.10.3.dfsg.P4/lib/dns/openssldh_link.c
===================================================================
--- lib/dns/openssldh_link.c.orig
+++ lib/dns/openssldh_link.c
@@ -81,6 +81,7 @@ openssldh_computesecret(const dst_key_t
 	int ret;
 	isc_region_t r;
 	unsigned int len;
+	const BIGNUM *pub_key;
 
 	REQUIRE(pub->keydata.dh != NULL);
 	REQUIRE(priv->keydata.dh != NULL);
@@ -92,7 +93,12 @@ openssldh_computesecret(const dst_key_t
 	isc_buffer_availableregion(secret, &r);
 	if (r.length < len)
 		return (ISC_R_NOSPACE);
-	ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	pub_key = dhpub->pub_key;
+#else
+	DH_get0_key(dhpub, &pub_key, NULL);
+#endif
+	ret = DH_compute_key(r.base, pub_key, dhpriv);
 	if (ret <= 0)
 		return (dst__openssl_toresult2("DH_compute_key",
 					       DST_R_COMPUTESECRETFAILURE));
@@ -104,6 +110,9 @@ static isc_boolean_t
 openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	DH *dh1, *dh2;
+	const BIGNUM *p1, *p2, *g1, *g2;
+	const BIGNUM *pub_key1, *pub_key2;
+	const BIGNUM *priv_key1, *priv_key2;
 
 	dh1 = key1->keydata.dh;
 	dh2 = key2->keydata.dh;
@@ -113,17 +122,33 @@ openssldh_compare(const dst_key_t *key1,
 	else if (dh1 == NULL || dh2 == NULL)
 		return (ISC_FALSE);
 
-	status = BN_cmp(dh1->p, dh2->p) ||
-		 BN_cmp(dh1->g, dh2->g) ||
-		 BN_cmp(dh1->pub_key, dh2->pub_key);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	pub_key1 = dh1->pub_key;
+	pub_key2 = dh2->pub_key;
+	priv_key1 = dh1->priv_key;
+	priv_key2 = dh2->priv_key;
+	p1 = dh1->p;
+	g1 = dh1->g;
+	p2 = dh2->p;
+	g2 = dh2->g;
+#else
+	DH_get0_key(dh1, &pub_key1, &priv_key1);
+	DH_get0_key(dh2, &pub_key2, &priv_key2);
+	DH_get0_pqg(dh1, &p1, NULL, &g1);
+	DH_get0_pqg(dh2, &p2, NULL, &g2);
+#endif
+
+	status = BN_cmp(p1, p2) ||
+		 BN_cmp(g1, g2) ||
+		 BN_cmp(pub_key1, pub_key2);
 
 	if (status != 0)
 		return (ISC_FALSE);
 
-	if (dh1->priv_key != NULL || dh2->priv_key != NULL) {
-		if (dh1->priv_key == NULL || dh2->priv_key == NULL)
+	if (priv_key1 != NULL || priv_key2 != NULL) {
+		if (priv_key1 == NULL || priv_key2 == NULL)
 			return (ISC_FALSE);
-		if (BN_cmp(dh1->priv_key, dh2->priv_key) != 0)
+		if (BN_cmp(priv_key1, priv_key2) != 0)
 			return (ISC_FALSE);
 	}
 	return (ISC_TRUE);
@@ -133,6 +158,7 @@ static isc_boolean_t
 openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	DH *dh1, *dh2;
+	const BIGNUM *p1, *p2, *g1, *g2;
 
 	dh1 = key1->keydata.dh;
 	dh2 = key2->keydata.dh;
@@ -142,8 +168,18 @@ openssldh_paramcompare(const dst_key_t *
 	else if (dh1 == NULL || dh2 == NULL)
 		return (ISC_FALSE);
 
-	status = BN_cmp(dh1->p, dh2->p) ||
-		 BN_cmp(dh1->g, dh2->g);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	p1 = dh1->p;
+	g1 = dh1->g;
+	p2 = dh2->p;
+	g2 = dh2->g;
+#else
+	DH_get0_pqg(dh1, &p1, NULL, &g1);
+	DH_get0_pqg(dh2, &p2, NULL, &g2);
+#endif
+
+	status = BN_cmp(p1, p2) ||
+		 BN_cmp(g1, g2);
 
 	if (status != 0)
 		return (ISC_FALSE);
@@ -190,16 +226,29 @@ openssldh_generate(dst_key_t *key, int g
 		    key->key_size == 1024 ||
 		    key->key_size == 1536)
 		{
+			BIGNUM *p = NULL, *g = NULL;
 			dh = DH_new();
 			if (dh == NULL)
 				return (dst__openssl_toresult(ISC_R_NOMEMORY));
 			if (key->key_size == 768)
-				dh->p = bn768;
+				p = BN_dup(bn768);
 			else if (key->key_size == 1024)
-				dh->p = bn1024;
+				p = BN_dup(bn1024);
 			else
-				dh->p = bn1536;
-			dh->g = bn2;
+				p = BN_dup(bn1536);
+			g = BN_dup(bn2);
+			if (p == NULL || g == NULL) {
+				DH_free(dh);
+				BN_free(p);
+				BN_free(g);
+				return (dst__openssl_toresult(ISC_R_NOMEMORY));
+			}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+			dh->p = p;
+			dh->g = g;
+#else
+			DH_set0_pqg(dh, p, NULL, g);
+#endif
 		} else
 			generator = 2;
 	}
@@ -247,7 +296,11 @@ openssldh_generate(dst_key_t *key, int g
 		return (dst__openssl_toresult2("DH_generate_key",
 					       DST_R_OPENSSLFAILURE));
 	}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+#else
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
+#endif
 
 	key->keydata.dh = dh;
 
@@ -257,20 +310,23 @@ openssldh_generate(dst_key_t *key, int g
 static isc_boolean_t
 openssldh_isprivate(const dst_key_t *key) {
 	DH *dh = key->keydata.dh;
-	return (ISC_TF(dh != NULL && dh->priv_key != NULL));
+	const BIGNUM *priv_key;
+
+	if (dh == NULL) {
+		return ISC_FALSE;
+	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	priv_key = dh->priv_key;
+#else
+	DH_get0_key(dh, NULL, &priv_key);
+#endif
+	return (ISC_TF(priv_key != NULL));
 }
 
 static void
 openssldh_destroy(dst_key_t *key) {
 	DH *dh = key->keydata.dh;
 
-	if (dh == NULL)
-		return;
-
-	if (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)
-		dh->p = NULL;
-	if (dh->g == bn2)
-		dh->g = NULL;
 	DH_free(dh);
 	key->keydata.dh = NULL;
 }
@@ -301,47 +357,58 @@ openssldh_todns(const dst_key_t *key, is
 	DH *dh;
 	isc_region_t r;
 	isc_uint16_t dnslen, plen, glen, publen;
+	const BIGNUM *p, *g;
+	const BIGNUM *pub_key;
 
 	REQUIRE(key->keydata.dh != NULL);
 
 	dh = key->keydata.dh;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	p = dh->p;
+	g = dh->g;
+	pub_key = dh->pub_key;
+#else
+	DH_get0_pqg(dh, &p, NULL, &g);
+	DH_get0_key(dh, &pub_key, NULL);
+#endif
+
 	isc_buffer_availableregion(data, &r);
 
-	if (dh->g == bn2 &&
-	    (dh->p == bn768 || dh->p == bn1024 || dh->p == bn1536)) {
+	if (BN_cmp(g, bn2) == 0  &&
+	    (BN_cmp(p, bn768) == 0 || BN_cmp(p, bn1024) == 0 || BN_cmp(p, bn1536) == 0)) {
 		plen = 1;
 		glen = 0;
 	}
 	else {
-		plen = BN_num_bytes(dh->p);
-		glen = BN_num_bytes(dh->g);
+		plen = BN_num_bytes(p);
+		glen = BN_num_bytes(g);
 	}
-	publen = BN_num_bytes(dh->pub_key);
+	publen = BN_num_bytes(pub_key);
 	dnslen = plen + glen + publen + 6;
 	if (r.length < (unsigned int) dnslen)
 		return (ISC_R_NOSPACE);
 
 	uint16_toregion(plen, &r);
 	if (plen == 1) {
-		if (dh->p == bn768)
+		if (BN_cmp(p, bn768) == 0)
 			*r.base = 1;
-		else if (dh->p == bn1024)
+		else if (BN_cmp(p, bn1024) == 0)
 			*r.base = 2;
 		else
 			*r.base = 3;
 	}
 	else
-		BN_bn2bin(dh->p, r.base);
+		BN_bn2bin(p, r.base);
 	isc_region_consume(&r, plen);
 
 	uint16_toregion(glen, &r);
 	if (glen > 0)
-		BN_bn2bin(dh->g, r.base);
+		BN_bn2bin(g, r.base);
 	isc_region_consume(&r, glen);
 
 	uint16_toregion(publen, &r);
-	BN_bn2bin(dh->pub_key, r.base);
+	BN_bn2bin(pub_key, r.base);
 	isc_region_consume(&r, publen);
 
 	isc_buffer_add(data, dnslen);
@@ -355,6 +422,8 @@ openssldh_fromdns(dst_key_t *key, isc_bu
 	isc_region_t r;
 	isc_uint16_t plen, glen, publen;
 	int special = 0;
+	BIGNUM *p, *g;
+	BIGNUM *pub_key;
 
 	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
@@ -363,7 +432,11 @@ openssldh_fromdns(dst_key_t *key, isc_bu
 	dh = DH_new();
 	if (dh == NULL)
 		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
+#else
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+#endif
 
 	/*
 	 * Read the prime length.  1 & 2 are table entries, > 16 means a
@@ -391,20 +464,20 @@ openssldh_fromdns(dst_key_t *key, isc_bu
 		}
 		switch (special) {
 			case 1:
-				dh->p = bn768;
+				p = BN_dup(bn768);
 				break;
 			case 2:
-				dh->p = bn1024;
+				p = BN_dup(bn1024);
 				break;
 			case 3:
-				dh->p = bn1536;
+				p = BN_dup(bn1536);
 				break;
 			default:
 				DH_free(dh);
 				return (DST_R_INVALIDPUBLICKEY);
 		}
 	} else {
-		dh->p = BN_bin2bn(r.base, plen, NULL);
+		p = BN_bin2bn(r.base, plen, NULL);
 		isc_region_consume(&r, plen);
 	}
 
@@ -414,35 +487,42 @@ openssldh_fromdns(dst_key_t *key, isc_bu
 	 * special, we have a problem.
 	 */
 	if (r.length < 2) {
+		BN_free(p);
 		DH_free(dh);
 		return (DST_R_INVALIDPUBLICKEY);
 	}
 	glen = uint16_fromregion(&r);
 	if (r.length < glen) {
+		BN_free(p);
 		DH_free(dh);
 		return (DST_R_INVALIDPUBLICKEY);
 	}
 	if (special != 0) {
 		if (glen == 0)
-			dh->g = bn2;
+			g = BN_dup(bn2);
 		else {
-			dh->g = BN_bin2bn(r.base, glen, NULL);
-			if (BN_cmp(dh->g, bn2) == 0) {
-				BN_free(dh->g);
-				dh->g = bn2;
-			}
-			else {
+			g = BN_bin2bn(r.base, glen, NULL);
+			if (BN_cmp(g, bn2) != 0) {
+				BN_free(p);
+				BN_free(g);
 				DH_free(dh);
 				return (DST_R_INVALIDPUBLICKEY);
 			}
 		}
 	} else {
 		if (glen == 0) {
+			BN_free(p);
 			DH_free(dh);
 			return (DST_R_INVALIDPUBLICKEY);
 		}
-		dh->g = BN_bin2bn(r.base, glen, NULL);
+		g = BN_bin2bn(r.base, glen, NULL);
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dh->p = p;
+	dh->g = g;
+#else
+	DH_set0_pqg(dh, p, NULL, g);
+#endif
 	isc_region_consume(&r, glen);
 
 	if (r.length < 2) {
@@ -454,10 +534,15 @@ openssldh_fromdns(dst_key_t *key, isc_bu
 		DH_free(dh);
 		return (DST_R_INVALIDPUBLICKEY);
 	}
-	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+	pub_key = BN_bin2bn(r.base, publen, NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dh->pub_key = pub_key;
+#else
+	DH_set0_key(dh, pub_key, NULL);
+#endif
 	isc_region_consume(&r, publen);
 
-	key->key_size = BN_num_bits(dh->p);
+	key->key_size = BN_num_bits(p);
 
 	isc_buffer_forward(data, plen + glen + publen + 6);
 
@@ -473,6 +558,8 @@ openssldh_tofile(const dst_key_t *key, c
 	dst_private_t priv;
 	unsigned char *bufs[4];
 	isc_result_t result;
+	const BIGNUM *p, *g;
+	const BIGNUM *pub_key, *priv_key;
 
 	if (key->keydata.dh == NULL)
 		return (DST_R_NULLKEY);
@@ -481,10 +568,19 @@ openssldh_tofile(const dst_key_t *key, c
 		return (DST_R_EXTERNALKEY);
 
 	dh = key->keydata.dh;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	p = dh->p;
+	g = dh->g;
+	pub_key = dh->pub_key;
+	priv_key = dh->priv_key;
+#else
+	DH_get0_pqg(dh, &p, NULL, &g);
+	DH_get0_key(dh, &pub_key, &priv_key);
+#endif
 
 	memset(bufs, 0, sizeof(bufs));
 	for (i = 0; i < 4; i++) {
-		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
+		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(p));
 		if (bufs[i] == NULL) {
 			result = ISC_R_NOMEMORY;
 			goto fail;
@@ -494,26 +590,26 @@ openssldh_tofile(const dst_key_t *key, c
 	i = 0;
 
 	priv.elements[i].tag = TAG_DH_PRIME;
-	priv.elements[i].length = BN_num_bytes(dh->p);
-	BN_bn2bin(dh->p, bufs[i]);
+	priv.elements[i].length = BN_num_bytes(p);
+	BN_bn2bin(p, bufs[i]);
 	priv.elements[i].data = bufs[i];
 	i++;
 
 	priv.elements[i].tag = TAG_DH_GENERATOR;
-	priv.elements[i].length = BN_num_bytes(dh->g);
-	BN_bn2bin(dh->g, bufs[i]);
+	priv.elements[i].length = BN_num_bytes(g);
+	BN_bn2bin(g, bufs[i]);
 	priv.elements[i].data = bufs[i];
 	i++;
 
 	priv.elements[i].tag = TAG_DH_PRIVATE;
-	priv.elements[i].length = BN_num_bytes(dh->priv_key);
-	BN_bn2bin(dh->priv_key, bufs[i]);
+	priv.elements[i].length = BN_num_bytes(priv_key);
+	BN_bn2bin(priv_key, bufs[i]);
 	priv.elements[i].data = bufs[i];
 	i++;
 
 	priv.elements[i].tag = TAG_DH_PUBLIC;
-	priv.elements[i].length = BN_num_bytes(dh->pub_key);
-	BN_bn2bin(dh->pub_key, bufs[i]);
+	priv.elements[i].length = BN_num_bytes(pub_key);
+	BN_bn2bin(pub_key, bufs[i]);
 	priv.elements[i].data = bufs[i];
 	i++;
 
@@ -523,7 +619,7 @@ openssldh_tofile(const dst_key_t *key, c
 	for (i = 0; i < 4; i++) {
 		if (bufs[i] == NULL)
 			break;
-		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(dh->p));
+		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(p));
 	}
 	return (result);
 }
@@ -536,6 +632,7 @@ openssldh_parse(dst_key_t *key, isc_lex_
 	DH *dh = NULL;
 	isc_mem_t *mctx;
 #define DST_RET(a) {ret = a; goto err;}
+	BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *pub_key = NULL;
 
 	UNUSED(pub);
 	mctx = key->mctx;
@@ -551,7 +648,11 @@ openssldh_parse(dst_key_t *key, isc_lex_
 	dh = DH_new();
 	if (dh == NULL)
 		DST_RET(ISC_R_NOMEMORY);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
+#else
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+#endif
 	key->keydata.dh = dh;
 
 	for (i = 0; i < priv.nelements; i++) {
@@ -563,47 +664,31 @@ openssldh_parse(dst_key_t *key, isc_lex_
 
 		switch (priv.elements[i].tag) {
 			case TAG_DH_PRIME:
-				dh->p = bn;
+				p = bn;
 				break;
 			case TAG_DH_GENERATOR:
-				dh->g = bn;
+				g = bn;
 				break;
 			case TAG_DH_PRIVATE:
-				dh->priv_key = bn;
+				priv_key = bn;
 				break;
 			case TAG_DH_PUBLIC:
-				dh->pub_key = bn;
+				pub_key = bn;
 				break;
 		}
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dh->p = p;
+	dh->g = g;
+	dh->priv_key = priv_key;
+	dh->pub_key = pub_key;
+#else
+	DH_set0_pqg(dh, p, NULL, g);
+	DH_set0_key(dh, pub_key, priv_key);
+#endif
 	dst__privstruct_free(&priv, mctx);
 
-	key->key_size = BN_num_bits(dh->p);
-
-	if ((key->key_size == 768 ||
-	     key->key_size == 1024 ||
-	     key->key_size == 1536) &&
-	    BN_cmp(dh->g, bn2) == 0)
-	{
-		if (key->key_size == 768 && BN_cmp(dh->p, bn768) == 0) {
-			BN_free(dh->p);
-			BN_free(dh->g);
-			dh->p = bn768;
-			dh->g = bn2;
-		} else if (key->key_size == 1024 &&
-			   BN_cmp(dh->p, bn1024) == 0) {
-			BN_free(dh->p);
-			BN_free(dh->g);
-			dh->p = bn1024;
-			dh->g = bn2;
-		} else if (key->key_size == 1536 &&
-			   BN_cmp(dh->p, bn1536) == 0) {
-			BN_free(dh->p);
-			BN_free(dh->g);
-			dh->p = bn1536;
-			dh->g = bn2;
-		}
-	}
+	key->key_size = BN_num_bits(p);
 
 	return (ISC_R_SUCCESS);
 
Index: bind9-9.10.3.dfsg.P4/lib/dns/openssldsa_link.c
===================================================================
--- lib/dns/openssldsa_link.c.orig
+++ lib/dns/openssldsa_link.c
@@ -53,6 +53,31 @@
 
 static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void
+DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) {
+	if (p != NULL)
+		*p = d->p;
+	if (q != NULL)
+		*q = d->q;
+	if (g != NULL)
+		*g = d->g;
+}
+
+static void
+DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) {
+	if (pub_key != NULL)
+		*pub_key = d->pub_key;
+	if (priv_key != NULL)
+		*priv_key = d->priv_key;
+}
+
+static void
+DSA_clear_flags(DSA *d, int flags) {
+	d->flags &= ~flags;
+}
+#endif
+
 static isc_result_t
 openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 #if USE_EVP
@@ -64,7 +89,7 @@ openssldsa_createctx(dst_key_t *key, dst
 	if (evp_md_ctx == NULL)
 		return (ISC_R_NOMEMORY);
 
-	if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) {
+	if (!EVP_DigestInit_ex(evp_md_ctx, EVP_sha1(), NULL)) {
 		EVP_MD_CTX_destroy(evp_md_ctx);
 			return (ISC_R_FAILURE);
 	}
@@ -121,7 +146,7 @@ openssldsa_adddata(dst_context_t *dctx,
 }
 
 static int
-BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
 	int bytes = size - BN_num_bytes(bn);
 	while (bytes-- > 0)
 		*buf++ = 0;
@@ -136,6 +161,7 @@ openssldsa_sign(dst_context_t *dctx, isc
 	isc_region_t r;
 	DSA_SIG *dsasig;
 	unsigned int klen;
+	const BIGNUM *sig_r, *sig_s;
 #if USE_EVP
 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 	EVP_PKEY *pkey;
@@ -216,9 +242,15 @@ openssldsa_sign(dst_context_t *dctx, isc
 	*r.base = klen;
 	isc_region_consume(&r, 1);
 
-	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	sig_r = dsasig->r;
+	sig_s = dsasig->s;
+#else
+	DSA_SIG_get0(dsasig, &sig_r, &sig_s);
+#endif
+	BN_bn2bin_fixed(sig_r, r.base, ISC_SHA1_DIGESTLENGTH);
 	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-	BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+	BN_bn2bin_fixed(sig_s, r.base, ISC_SHA1_DIGESTLENGTH);
 	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
 	DSA_SIG_free(dsasig);
 	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
@@ -233,6 +265,7 @@ openssldsa_verify(dst_context_t *dctx, c
 	int status = 0;
 	unsigned char *cp = sig->base;
 	DSA_SIG *dsasig;
+	BIGNUM *r, *s;
 #if USE_EVP
 	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 #if 0
@@ -265,9 +298,15 @@ openssldsa_verify(dst_context_t *dctx, c
 	dsasig = DSA_SIG_new();
 	if (dsasig == NULL)
 		return (ISC_R_NOMEMORY);
-	dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+	r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
 	cp += ISC_SHA1_DIGESTLENGTH;
-	dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+	s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dsasig->r = r;
+	dsasig->s = s;
+#else
+	DSA_SIG_set0(dsasig, r, s);
+#endif
 
 #if 0
 	pkey = EVP_PKEY_new();
@@ -308,6 +347,8 @@ static isc_boolean_t
 openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	DSA *dsa1, *dsa2;
+	const BIGNUM *p1, *q1, *g1, *pub_key1, *priv_key1;
+	const BIGNUM *p2, *q2, *g2, *pub_key2, *priv_key2;
 
 	dsa1 = key1->keydata.dsa;
 	dsa2 = key2->keydata.dsa;
@@ -317,18 +358,23 @@ openssldsa_compare(const dst_key_t *key1
 	else if (dsa1 == NULL || dsa2 == NULL)
 		return (ISC_FALSE);
 
-	status = BN_cmp(dsa1->p, dsa2->p) ||
-		 BN_cmp(dsa1->q, dsa2->q) ||
-		 BN_cmp(dsa1->g, dsa2->g) ||
-		 BN_cmp(dsa1->pub_key, dsa2->pub_key);
+	DSA_get0_pqg(dsa1, &p1, &q1, &g1);
+	DSA_get0_pqg(dsa2, &p2, &q2, &g2);
+	DSA_get0_key(dsa1, &pub_key1, &priv_key1);
+	DSA_get0_key(dsa2, &pub_key2, &priv_key2);
+
+	status = BN_cmp(p1, p2) ||
+		 BN_cmp(q1, q2) ||
+		 BN_cmp(g1, g2) ||
+		 BN_cmp(pub_key1, pub_key2);
 
 	if (status != 0)
 		return (ISC_FALSE);
 
-	if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) {
-		if (dsa1->priv_key == NULL || dsa2->priv_key == NULL)
+	if (priv_key1 != NULL || priv_key2 != NULL) {
+		if (priv_key1 == NULL || priv_key2 == NULL)
 			return (ISC_FALSE);
-		if (BN_cmp(dsa1->priv_key, dsa2->priv_key))
+		if (BN_cmp(priv_key1, priv_key2))
 			return (ISC_FALSE);
 	}
 	return (ISC_TRUE);
@@ -420,7 +466,7 @@ openssldsa_generate(dst_key_t *key, int
 		return (dst__openssl_toresult2("DSA_generate_key",
 					       DST_R_OPENSSLFAILURE));
 	}
-	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+	DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
 
 	key->keydata.dsa = dsa;
 
@@ -430,7 +476,12 @@ openssldsa_generate(dst_key_t *key, int
 static isc_boolean_t
 openssldsa_isprivate(const dst_key_t *key) {
 	DSA *dsa = key->keydata.dsa;
-	return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
+	const BIGNUM *priv_key;
+
+	if (dsa == NULL)
+		return (ISC_FALSE);
+	DSA_get0_key(dsa, NULL, &priv_key);
+	return (ISC_TF(priv_key != NULL));
 }
 
 static void
@@ -447,14 +498,18 @@ openssldsa_todns(const dst_key_t *key, i
 	isc_region_t r;
 	int dnslen;
 	unsigned int t, p_bytes;
+	const BIGNUM *p, *q, *g, *pub_key;
 
 	REQUIRE(key->keydata.dsa != NULL);
 
 	dsa = key->keydata.dsa;
 
+	DSA_get0_pqg(dsa, &p, &q, &g);
+	DSA_get0_key(dsa, &pub_key, NULL);
+
 	isc_buffer_availableregion(data, &r);
 
-	t = (BN_num_bytes(dsa->p) - 64) / 8;
+	t = (BN_num_bytes(p) - 64) / 8;
 	if (t > 8)
 		return (DST_R_INVALIDPUBLICKEY);
 	p_bytes = 64 + 8 * t;
@@ -465,13 +520,13 @@ openssldsa_todns(const dst_key_t *key, i
 
 	*r.base = t;
 	isc_region_consume(&r, 1);
-	BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+	BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH);
 	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+	BN_bn2bin_fixed(p, r.base, key->key_size/8);
 	isc_region_consume(&r, p_bytes);
-	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+	BN_bn2bin_fixed(g, r.base, key->key_size/8);
 	isc_region_consume(&r, p_bytes);
-	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+	BN_bn2bin_fixed(pub_key, r.base, key->key_size/8);
 	isc_region_consume(&r, p_bytes);
 
 	isc_buffer_add(data, dnslen);
@@ -485,6 +540,7 @@ openssldsa_fromdns(dst_key_t *key, isc_b
 	isc_region_t r;
 	unsigned int t, p_bytes;
 	isc_mem_t *mctx = key->mctx;
+	BIGNUM *p, *q, *g, *pub_key;
 
 	UNUSED(mctx);
 
@@ -495,7 +551,7 @@ openssldsa_fromdns(dst_key_t *key, isc_b
 	dsa = DSA_new();
 	if (dsa == NULL)
 		return (ISC_R_NOMEMORY);
-	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+	DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
 
 	t = (unsigned int) *r.base;
 	isc_region_consume(&r, 1);
@@ -510,18 +566,32 @@ openssldsa_fromdns(dst_key_t *key, isc_b
 		return (DST_R_INVALIDPUBLICKEY);
 	}
 
-	dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+	q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
 	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
 
-	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+	p = BN_bin2bn(r.base, p_bytes, NULL);
 	isc_region_consume(&r, p_bytes);
 
-	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+	g = BN_bin2bn(r.base, p_bytes, NULL);
 	isc_region_consume(&r, p_bytes);
 
-	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dsa->p = p;
+	dsa->q = q;
+	dsa->g = g;
+#else
+	DSA_set0_pqg(dsa, p, q, g);
+#endif
+
+	pub_key = BN_bin2bn(r.base, p_bytes, NULL);
 	isc_region_consume(&r, p_bytes);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dsa->pub_key = pub_key;
+#else
+	DSA_set0_key(dsa, pub_key, NULL);
+#endif
+
 	key->key_size = p_bytes * 8;
 
 	isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
@@ -538,6 +608,7 @@ openssldsa_tofile(const dst_key_t *key,
 	DSA *dsa;
 	dst_private_t priv;
 	unsigned char bufs[5][128];
+	const BIGNUM *p, *q, *g, *pub_key, *priv_key;
 
 	if (key->keydata.dsa == NULL)
 		return (DST_R_NULLKEY);
@@ -549,33 +620,36 @@ openssldsa_tofile(const dst_key_t *key,
 
 	dsa = key->keydata.dsa;
 
+	DSA_get0_pqg(dsa, &p, &q, &g);
+	DSA_get0_key(dsa, &pub_key, &priv_key);
+
 	priv.elements[cnt].tag = TAG_DSA_PRIME;
-	priv.elements[cnt].length = BN_num_bytes(dsa->p);
-	BN_bn2bin(dsa->p, bufs[cnt]);
+	priv.elements[cnt].length = BN_num_bytes(p);
+	BN_bn2bin(p, bufs[cnt]);
 	priv.elements[cnt].data = bufs[cnt];
 	cnt++;
 
 	priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
-	priv.elements[cnt].length = BN_num_bytes(dsa->q);
-	BN_bn2bin(dsa->q, bufs[cnt]);
+	priv.elements[cnt].length = BN_num_bytes(q);
+	BN_bn2bin(q, bufs[cnt]);
 	priv.elements[cnt].data = bufs[cnt];
 	cnt++;
 
 	priv.elements[cnt].tag = TAG_DSA_BASE;
-	priv.elements[cnt].length = BN_num_bytes(dsa->g);
-	BN_bn2bin(dsa->g, bufs[cnt]);
+	priv.elements[cnt].length = BN_num_bytes(g);
+	BN_bn2bin(g, bufs[cnt]);
 	priv.elements[cnt].data = bufs[cnt];
 	cnt++;
 
 	priv.elements[cnt].tag = TAG_DSA_PRIVATE;
-	priv.elements[cnt].length = BN_num_bytes(dsa->priv_key);
-	BN_bn2bin(dsa->priv_key, bufs[cnt]);
+	priv.elements[cnt].length = BN_num_bytes(priv_key);
+	BN_bn2bin(priv_key, bufs[cnt]);
 	priv.elements[cnt].data = bufs[cnt];
 	cnt++;
 
 	priv.elements[cnt].tag = TAG_DSA_PUBLIC;
-	priv.elements[cnt].length = BN_num_bytes(dsa->pub_key);
-	BN_bn2bin(dsa->pub_key, bufs[cnt]);
+	priv.elements[cnt].length = BN_num_bytes(pub_key);
+	BN_bn2bin(pub_key, bufs[cnt]);
 	priv.elements[cnt].data = bufs[cnt];
 	cnt++;
 
@@ -591,6 +665,7 @@ openssldsa_parse(dst_key_t *key, isc_lex
 	DSA *dsa = NULL;
 	isc_mem_t *mctx = key->mctx;
 #define DST_RET(a) {ret = a; goto err;}
+	BIGNUM *p = NULL, *g = NULL, *q = NULL, *pub_key = NULL, *priv_key = NULL;
 
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
@@ -613,7 +688,7 @@ openssldsa_parse(dst_key_t *key, isc_lex
 	dsa = DSA_new();
 	if (dsa == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+	DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
 	key->keydata.dsa = dsa;
 
 	for (i = 0; i < priv.nelements; i++) {
@@ -625,25 +700,36 @@ openssldsa_parse(dst_key_t *key, isc_lex
 
 		switch (priv.elements[i].tag) {
 			case TAG_DSA_PRIME:
-				dsa->p = bn;
+				p = bn;
 				break;
 			case TAG_DSA_SUBPRIME:
-				dsa->q = bn;
+				q = bn;
 				break;
 			case TAG_DSA_BASE:
-				dsa->g = bn;
+				g = bn;
 				break;
 			case TAG_DSA_PRIVATE:
-				dsa->priv_key = bn;
+				priv_key = bn;
 				break;
 			case TAG_DSA_PUBLIC:
-				dsa->pub_key = bn;
+				pub_key = bn;
 				break;
 		}
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	dsa->p = p;
+	dsa->q = q;
+	dsa->g = g;
+	dsa->pub_key = pub_key;
+	dsa->priv_key = priv_key;
+#else
+	DSA_set0_pqg(dsa, p, q, g);
+	DSA_set0_key(dsa, pub_key, priv_key);
+#endif
+	
 	dst__privstruct_free(&priv, mctx);
 	memset(&priv, 0, sizeof(priv));
-	key->key_size = BN_num_bits(dsa->p);
+	key->key_size = BN_num_bits(p);
 	return (ISC_R_SUCCESS);
 
  err:
Index: bind9-9.10.3.dfsg.P4/lib/dns/opensslecdsa_link.c
===================================================================
--- lib/dns/opensslecdsa_link.c.orig
+++ lib/dns/opensslecdsa_link.c
@@ -110,7 +110,7 @@ opensslecdsa_adddata(dst_context_t *dctx
 }
 
 static int
-BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
 	int bytes = size - BN_num_bytes(bn);
 
 	while (bytes-- > 0)
@@ -130,6 +130,7 @@ opensslecdsa_sign(dst_context_t *dctx, i
 	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
 	unsigned int dgstlen, siglen;
 	unsigned char digest[EVP_MAX_MD_SIZE];
+	const BIGNUM *sig_r, *sig_s;
 
 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
 		key->key_alg == DST_ALG_ECDSA384);
@@ -156,9 +157,17 @@ opensslecdsa_sign(dst_context_t *dctx, i
 		DST_RET(dst__openssl_toresult3(dctx->category,
 					       "ECDSA_do_sign",
 					       DST_R_SIGNFAILURE));
-	BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	sig_r = ecdsasig->r;
+	sig_s = ecdsasig->s;
+#else
+	ECDSA_SIG_get0(ecdsasig, &sig_r, &sig_s);
+#endif
+
+	BN_bn2bin_fixed(sig_r, r.base, siglen / 2);
 	isc_region_consume(&r, siglen / 2);
-	BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
+	BN_bn2bin_fixed(sig_s, r.base, siglen / 2);
 	isc_region_consume(&r, siglen / 2);
 	ECDSA_SIG_free(ecdsasig);
 	isc_buffer_add(sig, siglen);
@@ -182,6 +191,7 @@ opensslecdsa_verify(dst_context_t *dctx,
 	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
 	unsigned int dgstlen, siglen;
 	unsigned char digest[EVP_MAX_MD_SIZE];
+	BIGNUM *r, *s;
 
 	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
 		key->key_alg == DST_ALG_ECDSA384);
@@ -205,15 +215,18 @@ opensslecdsa_verify(dst_context_t *dctx,
 	ecdsasig = ECDSA_SIG_new();
 	if (ecdsasig == NULL)
 		DST_RET (ISC_R_NOMEMORY);
-	if (ecdsasig->r != NULL)
-		BN_free(ecdsasig->r);
-	ecdsasig->r = BN_bin2bn(cp, siglen / 2, NULL);
+	r = BN_bin2bn(cp, siglen / 2, NULL);
 	cp += siglen / 2;
-	if (ecdsasig->s != NULL)
-		BN_free(ecdsasig->s);
-	ecdsasig->s = BN_bin2bn(cp, siglen / 2, NULL);
+	s = BN_bin2bn(cp, siglen / 2, NULL);
 	/* cp += siglen / 2; */
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	ecdsasig->r = r;
+	ecdsasig->s = s;
+#else
+	ECDSA_SIG_set0(ecdsasig, r, s);
+#endif
+
 	status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
 	switch (status) {
 	case 1:
Index: bind9-9.10.3.dfsg.P4/lib/dns/opensslrsa_link.c
===================================================================
--- lib/dns/opensslrsa_link.c.orig
+++ lib/dns/opensslrsa_link.c
@@ -56,6 +56,42 @@
 #include <openssl/engine.h>
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static void
+RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) {
+	if (n != NULL)
+		*n = r->n;
+	if (e != NULL)
+		*e = r->e;
+	if (d != NULL)
+		*d = r->d;
+}
+
+static void
+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
+	if (p != NULL)
+		*p = r->p;
+	if (q != NULL)
+		*q = r->q;
+}
+
+static void
+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp) {
+	if (dmp1 != NULL)
+		*dmp1 = r->dmp1;
+	if (dmq1 != NULL)
+		*dmq1 = r->dmq1;
+	if (iqmp != NULL)
+		*iqmp = r->iqmp;
+}
+
+static int
+RSA_test_flags(const RSA *r, int flags) {
+	return r->flags & flags;
+}
+
+#endif
+
 /*
  * Limit the size of public exponents.
  */
@@ -107,6 +143,7 @@
 	(rsa)->flags &= ~RSA_FLAG_BLINDING; \
 	} while (0)
 #elif defined(RSA_FLAG_NO_BLINDING)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define SET_FLAGS(rsa) \
 	do { \
 		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
@@ -115,6 +152,13 @@
 #else
 #define SET_FLAGS(rsa) \
 	do { \
+		RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \
+		RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \
+	} while (0)
+#endif
+#else
+#define SET_FLAGS(rsa) \
+	do { \
 		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
 	} while (0)
 #endif
@@ -521,6 +565,7 @@ opensslrsa_verify2(dst_context_t *dctx,
 	EVP_PKEY *pkey = key->keydata.pkey;
 	RSA *rsa;
 	int bits;
+	const BIGNUM *e;
 #else
 	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
 	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
@@ -543,7 +588,9 @@ opensslrsa_verify2(dst_context_t *dctx,
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	if (rsa == NULL)
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	bits = BN_num_bits(rsa->e);
+
+	RSA_get0_key(rsa, NULL, &e, NULL);
+	bits = BN_num_bits(e);
 	RSA_free(rsa);
 	if (bits > maxbits && maxbits != 0)
 		return (DST_R_VERIFYFAILURE);
@@ -687,6 +734,7 @@ opensslrsa_compare(const dst_key_t *key1
 	RSA *rsa1 = NULL, *rsa2 = NULL;
 #if USE_EVP
 	EVP_PKEY *pkey1, *pkey2;
+	const BIGNUM *n1, *n2, *e1, *e2, *d1, *d2, *p1, *p2, *q1, *q2;
 #endif
 
 #if USE_EVP
@@ -714,17 +762,22 @@ opensslrsa_compare(const dst_key_t *key1
 	else if (rsa1 == NULL || rsa2 == NULL)
 		return (ISC_FALSE);
 
-	status = BN_cmp(rsa1->n, rsa2->n) ||
-		 BN_cmp(rsa1->e, rsa2->e);
+	RSA_get0_key(rsa1, &n1, &e1, &d1);
+	RSA_get0_key(rsa2, &n2, &e2, &d2);
+	RSA_get0_factors(rsa1, &p1, &q1);
+	RSA_get0_factors(rsa2, &p2, &q2);
+
+	status = BN_cmp(n1, n2) ||
+		 BN_cmp(e1, e2);
 
 	if (status != 0)
 		return (ISC_FALSE);
 
 #if USE_EVP
-	if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 ||
-	    (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) {
-		if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 ||
-		    (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0)
+	if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
+	    RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) {
+		if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
+		    RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0)
 			return (ISC_FALSE);
 		/*
 		 * Can't compare private parameters, BTW does it make sense?
@@ -733,12 +786,12 @@ opensslrsa_compare(const dst_key_t *key1
 	}
 #endif
 
-	if (rsa1->d != NULL || rsa2->d != NULL) {
-		if (rsa1->d == NULL || rsa2->d == NULL)
+	if (d1 != NULL || d2 != NULL) {
+		if (d1 == NULL || d2 == NULL)
 			return (ISC_FALSE);
-		status = BN_cmp(rsa1->d, rsa2->d) ||
-			 BN_cmp(rsa1->p, rsa2->p) ||
-			 BN_cmp(rsa1->q, rsa2->q);
+		status = BN_cmp(d1, d2) ||
+			 BN_cmp(p1, p2) ||
+			 BN_cmp(q1, q2);
 
 		if (status != 0)
 			return (ISC_FALSE);
@@ -889,9 +942,15 @@ opensslrsa_isprivate(const dst_key_t *ke
 #else
 	RSA *rsa = key->keydata.rsa;
 #endif
-	if (rsa != NULL && (rsa->flags & RSA_FLAG_EXT_PKEY) != 0)
+	const BIGNUM *d;
+
+	if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)
 		return (ISC_TRUE);
-	return (ISC_TF(rsa != NULL && rsa->d != NULL));
+	if (rsa == NULL)
+		return (ISC_FALSE);
+
+	RSA_get0_key(rsa, NULL, NULL, &d);
+	return (ISC_TF(d != NULL));
 }
 
 static void
@@ -918,6 +977,7 @@ opensslrsa_todns(const dst_key_t *key, i
 #if USE_EVP
 	EVP_PKEY *pkey;
 #endif
+	const BIGNUM *n, *e;
 
 #if USE_EVP
 	REQUIRE(key->keydata.pkey != NULL);
@@ -936,8 +996,9 @@ opensslrsa_todns(const dst_key_t *key, i
 
 	isc_buffer_availableregion(data, &r);
 
-	e_bytes = BN_num_bytes(rsa->e);
-	mod_bytes = BN_num_bytes(rsa->n);
+	RSA_get0_key(rsa, &n, &e, NULL);
+	e_bytes = BN_num_bytes(e);
+	mod_bytes = BN_num_bytes(n);
 
 	if (e_bytes < 256) {	/*%< key exponent is <= 2040 bits */
 		if (r.length < 1)
@@ -955,9 +1016,9 @@ opensslrsa_todns(const dst_key_t *key, i
 	if (r.length < e_bytes + mod_bytes)
 		DST_RET(ISC_R_NOSPACE);
 
-	BN_bn2bin(rsa->e, r.base);
+	BN_bn2bin(e, r.base);
 	isc_region_consume(&r, e_bytes);
-	BN_bn2bin(rsa->n, r.base);
+	BN_bn2bin(n, r.base);
 
 	isc_buffer_add(data, e_bytes + mod_bytes);
 
@@ -979,6 +1040,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
 #if USE_EVP
 	EVP_PKEY *pkey;
 #endif
+	BIGNUM *n, *e;
 
 	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
@@ -1012,12 +1074,19 @@ opensslrsa_fromdns(dst_key_t *key, isc_b
 		RSA_free(rsa);
 		return (DST_R_INVALIDPUBLICKEY);
 	}
-	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+	e = BN_bin2bn(r.base, e_bytes, NULL);
 	isc_region_consume(&r, e_bytes);
 
-	rsa->n = BN_bin2bn(r.base, r.length, NULL);
+	n = BN_bin2bn(r.base, r.length, NULL);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	rsa->n = n;
+	rsa->e = e;
+#else
+	RSA_set0_key(rsa, n, e, NULL);
+#endif
 
-	key->key_size = BN_num_bits(rsa->n);
+	key->key_size = BN_num_bits(n);
 
 	isc_buffer_forward(data, length);
 
@@ -1048,6 +1117,8 @@ opensslrsa_tofile(const dst_key_t *key,
 	dst_private_t priv;
 	unsigned char *bufs[8];
 	isc_result_t result;
+	const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp;
+
 
 #if USE_EVP
 	if (key->keydata.pkey == NULL)
@@ -1068,8 +1139,12 @@ opensslrsa_tofile(const dst_key_t *key,
 		goto fail;
 	}
 
+	RSA_get0_key(rsa, &n, &e, &d);
+	RSA_get0_factors(rsa, &p, &q);
+	RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+
 	for (i = 0; i < 8; i++) {
-		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
+		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n));
 		if (bufs[i] == NULL) {
 			result = ISC_R_NOMEMORY;
 			goto fail;
@@ -1079,61 +1154,61 @@ opensslrsa_tofile(const dst_key_t *key,
 	i = 0;
 
 	priv.elements[i].tag = TAG_RSA_MODULUS;
-	priv.elements[i].length = BN_num_bytes(rsa->n);
-	BN_bn2bin(rsa->n, bufs[i]);
+	priv.elements[i].length = BN_num_bytes(n);
+	BN_bn2bin(n, bufs[i]);
 	priv.elements[i].data = bufs[i];
 	i++;
 
 	priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
-	priv.elements[i].length = BN_num_bytes(rsa->e);
-	BN_bn2bin(rsa->e, bufs[i]);
+	priv.elements[i].length = BN_num_bytes(e);
+	BN_bn2bin(e, bufs[i]);
 	priv.elements[i].data = bufs[i];
 	i++;
 
-	if (rsa->d != NULL) {
+	if (d != NULL) {
 		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
-		priv.elements[i].length = BN_num_bytes(rsa->d);
-		BN_bn2bin(rsa->d, bufs[i]);
+		priv.elements[i].length = BN_num_bytes(d);
+		BN_bn2bin(d, bufs[i]);
 		priv.elements[i].data = bufs[i];
 		i++;
 	}
 
-	if (rsa->p != NULL) {
+	if (p != NULL) {
 		priv.elements[i].tag = TAG_RSA_PRIME1;
-		priv.elements[i].length = BN_num_bytes(rsa->p);
-		BN_bn2bin(rsa->p, bufs[i]);
+		priv.elements[i].length = BN_num_bytes(p);
+		BN_bn2bin(p, bufs[i]);
 		priv.elements[i].data = bufs[i];
 		i++;
 	}
 
-	if (rsa->q != NULL) {
+	if (q != NULL) {
 		priv.elements[i].tag = TAG_RSA_PRIME2;
-		priv.elements[i].length = BN_num_bytes(rsa->q);
-		BN_bn2bin(rsa->q, bufs[i]);
+		priv.elements[i].length = BN_num_bytes(q);
+		BN_bn2bin(q, bufs[i]);
 		priv.elements[i].data = bufs[i];
 		i++;
 	}
 
-	if (rsa->dmp1 != NULL) {
+	if (dmp1 != NULL) {
 		priv.elements[i].tag = TAG_RSA_EXPONENT1;
-		priv.elements[i].length = BN_num_bytes(rsa->dmp1);
-		BN_bn2bin(rsa->dmp1, bufs[i]);
+		priv.elements[i].length = BN_num_bytes(dmp1);
+		BN_bn2bin(dmp1, bufs[i]);
 		priv.elements[i].data = bufs[i];
 		i++;
 	}
 
-	if (rsa->dmq1 != NULL) {
+	if (dmq1 != NULL) {
 		priv.elements[i].tag = TAG_RSA_EXPONENT2;
-		priv.elements[i].length = BN_num_bytes(rsa->dmq1);
-		BN_bn2bin(rsa->dmq1, bufs[i]);
+		priv.elements[i].length = BN_num_bytes(dmq1);
+		BN_bn2bin(dmq1, bufs[i]);
 		priv.elements[i].data = bufs[i];
 		i++;
 	}
 
-	if (rsa->iqmp != NULL) {
+	if (iqmp != NULL) {
 		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
-		priv.elements[i].length = BN_num_bytes(rsa->iqmp);
-		BN_bn2bin(rsa->iqmp, bufs[i]);
+		priv.elements[i].length = BN_num_bytes(iqmp);
+		BN_bn2bin(iqmp, bufs[i]);
 		priv.elements[i].data = bufs[i];
 		i++;
 	}
@@ -1162,7 +1237,7 @@ opensslrsa_tofile(const dst_key_t *key,
 	for (i = 0; i < 8; i++) {
 		if (bufs[i] == NULL)
 			break;
-		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n));
+		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n));
 	}
 	return (result);
 }
@@ -1170,25 +1245,37 @@ opensslrsa_tofile(const dst_key_t *key,
 static isc_result_t
 rsa_check(RSA *rsa, RSA *pub)
 {
+	const BIGNUM *rsa_n, *rsa_e, *pub_n, *pub_e;
+
 	/* Public parameters should be the same but if they are not set
 	 * copy them from the public key. */
+
+	RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
+
 	if (pub != NULL) {
-		if (rsa->n != NULL) {
-			if (BN_cmp(rsa->n, pub->n) != 0)
+		RSA_get0_key(pub, &pub_n, &pub_e, NULL);
+
+		if (rsa_n != NULL && pub_n != NULL) {
+			if (BN_cmp(rsa_n, pub_n) != 0)
 				return (DST_R_INVALIDPRIVATEKEY);
-		} else {
-			rsa->n = pub->n;
-			pub->n = NULL;
-		}
-		if (rsa->e != NULL) {
-			if (BN_cmp(rsa->e, pub->e) != 0)
+		} else if (rsa_e != NULL && pub_e != NULL) {
+			if (BN_cmp(rsa_e, pub_e) != 0)
 				return (DST_R_INVALIDPRIVATEKEY);
-		} else {
-			rsa->e = pub->e;
-			pub->e = NULL;
+		} else if (rsa_e == NULL || rsa_n == NULL) {
+			BIGNUM *new_n, *new_e;
+			if (pub_e == NULL || pub_n == NULL)
+				return (DST_R_INVALIDPRIVATEKEY);
+			rsa_n = new_n = BN_dup(pub_n);
+			rsa_e = new_e = BN_dup(pub_e);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+			rsa->n = new_n;
+			rsa->e = new_e;
+#else
+			RSA_set0_key(rsa, new_n, new_e, NULL);
+#endif
 		}
 	}
-	if (rsa->n == NULL || rsa->e == NULL)
+	if (rsa_n == NULL || rsa_e == NULL)
 		return (DST_R_INVALIDPRIVATEKEY);
 	return (ISC_R_SUCCESS);
 }
@@ -1200,13 +1287,14 @@ opensslrsa_parse(dst_key_t *key, isc_lex
 	int i;
 	RSA *rsa = NULL, *pubrsa = NULL;
 #ifdef USE_ENGINE
-	ENGINE *e = NULL;
+	ENGINE *eng = NULL;
 #endif
 	isc_mem_t *mctx = key->mctx;
 	const char *engine = NULL, *label = NULL;
 #if defined(USE_ENGINE) || USE_EVP
 	EVP_PKEY *pkey = NULL;
 #endif
+	BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
 
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
@@ -1257,10 +1345,10 @@ opensslrsa_parse(dst_key_t *key, isc_lex
 #ifdef USE_ENGINE
 		if (engine == NULL)
 			DST_RET(DST_R_NOENGINE);
-		e = dst__openssl_getengine(engine);
-		if (e == NULL)
+		eng = dst__openssl_getengine(engine);
+		if (eng == NULL)
 			DST_RET(DST_R_NOENGINE);
-		pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+		pkey = ENGINE_load_private_key(eng, label, NULL, NULL);
 		if (pkey == NULL)
 			DST_RET(dst__openssl_toresult2(
 					"ENGINE_load_private_key",
@@ -1328,39 +1416,55 @@ opensslrsa_parse(dst_key_t *key, isc_lex
 
 		switch (priv.elements[i].tag) {
 			case TAG_RSA_MODULUS:
-				rsa->n = bn;
+				n = bn;
 				break;
 			case TAG_RSA_PUBLICEXPONENT:
-				rsa->e = bn;
+				e = bn;
 				break;
 			case TAG_RSA_PRIVATEEXPONENT:
-				rsa->d = bn;
+				d = bn;
 				break;
 			case TAG_RSA_PRIME1:
-				rsa->p = bn;
+				p = bn;
 				break;
 			case TAG_RSA_PRIME2:
-				rsa->q = bn;
+				q = bn;
 				break;
 			case TAG_RSA_EXPONENT1:
-				rsa->dmp1 = bn;
+				dmp1 = bn;
 				break;
 			case TAG_RSA_EXPONENT2:
-				rsa->dmq1 = bn;
+				dmq1 = bn;
 				break;
 			case TAG_RSA_COEFFICIENT:
-				rsa->iqmp = bn;
+				iqmp = bn;
 				break;
 		}
 	}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	rsa->n = n;
+	rsa->e = e;
+	rsa->d = d;
+	rsa->p = p;
+	rsa->q = q;
+	rsa->dmp1 = dmp1;
+	rsa->dmq1 = dmq1;
+	rsa->iqmp = iqmp;
+#else
+	RSA_set0_key(rsa, n, e, d);
+	RSA_set0_factors(rsa, p, q);
+	RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
+#endif
+
 	dst__privstruct_free(&priv, mctx);
 	memset(&priv, 0, sizeof(priv));
 
 	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
 		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS)
+	if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS)
 		DST_RET(ISC_R_RANGE);
-	key->key_size = BN_num_bits(rsa->n);
+	key->key_size = BN_num_bits(n);
 	if (pubrsa != NULL)
 		RSA_free(pubrsa);
 #if USE_EVP
Index: bind9-9.10.3.dfsg.P4/lib/isc/aes.c
===================================================================
--- lib/isc/aes.c.orig
+++ lib/isc/aes.c
@@ -36,48 +36,48 @@ void
 isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out)
 {
-	EVP_CIPHER_CTX c;
+	EVP_CIPHER_CTX *c = EVP_CIPHER_CTX_new();
 	int len;
 
-	EVP_CIPHER_CTX_init(&c);
-	RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_128_ecb(), key, NULL) == 1);
-	EVP_CIPHER_CTX_set_padding(&c, 0);
-	RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in,
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_128_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
 					ISC_AES_BLOCK_LENGTH) == 1);
 	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
-	RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1);
+	EVP_CIPHER_CTX_free(c);
 }
 
 void
 isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out)
 {
-	EVP_CIPHER_CTX c;
+	EVP_CIPHER_CTX *c = EVP_CIPHER_CTX_new();
 	int len;
 
-	EVP_CIPHER_CTX_init(&c);
-	RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_192_ecb(), key, NULL) == 1);
-	EVP_CIPHER_CTX_set_padding(&c, 0);
-	RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in,
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_192_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
 					ISC_AES_BLOCK_LENGTH) == 1);
 	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
-	RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1);
+	EVP_CIPHER_CTX_free(c);
 }
 
 void
 isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out)
 {
-	EVP_CIPHER_CTX c;
+	EVP_CIPHER_CTX *c = EVP_CIPHER_CTX_new();
 	int len;
 
-	EVP_CIPHER_CTX_init(&c);
-	RUNTIME_CHECK(EVP_EncryptInit(&c, EVP_aes_256_ecb(), key, NULL) == 1);
-	EVP_CIPHER_CTX_set_padding(&c, 0);
-	RUNTIME_CHECK(EVP_EncryptUpdate(&c, out, &len, in,
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_256_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
 					ISC_AES_BLOCK_LENGTH) == 1);
 	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
-	RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(&c) == 1);
+	EVP_CIPHER_CTX_free(c);
 }
 
 #elif HAVE_OPENSSL_AES

Return to bug 214982