0e3136
0e3136
https://github.com/apache/httpd/pull/258
0e3136
a42d0f
--- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3
a42d0f
+++ httpd-2.4.51/modules/ssl/ssl_engine_init.c
a42d0f
@@ -91,7 +91,6 @@
0e3136
 
0e3136
     return 1;
0e3136
 }
0e3136
-#endif
0e3136
 
0e3136
 /*
0e3136
  * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc*
a42d0f
@@ -171,6 +170,7 @@
0e3136
         
0e3136
     return NULL; /* impossible to reach. */
0e3136
 }
0e3136
+#endif
0e3136
 
0e3136
 static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
0e3136
                                        server_rec *s)
a42d0f
@@ -440,8 +440,9 @@
0e3136
 
0e3136
     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
0e3136
 
0e3136
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
0e3136
     init_dh_params();
0e3136
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
0e3136
+#else
0e3136
     init_bio_methods();
0e3136
 #endif
0e3136
 
a42d0f
@@ -862,7 +863,11 @@
0e3136
 {
0e3136
     SSL_CTX *ctx = mctx->ssl_ctx;
0e3136
 
0e3136
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
a42d0f
+    /* Note that for OpenSSL>=1.1, auto selection is enabled via
a42d0f
+     * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */
0e3136
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
0e3136
+#endif
0e3136
 
0e3136
     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
0e3136
 
a42d0f
@@ -871,6 +876,23 @@
0e3136
 #endif
0e3136
 }
0e3136
 
0e3136
+static APR_INLINE
0e3136
+int modssl_CTX_load_verify_locations(SSL_CTX *ctx,
0e3136
+                                     const char *file,
0e3136
+                                     const char *path)
0e3136
+{
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+    if (!SSL_CTX_load_verify_locations(ctx, file, path))
0e3136
+        return 0;
0e3136
+#else
0e3136
+    if (file && !SSL_CTX_load_verify_file(ctx, file))
0e3136
+        return 0;
0e3136
+    if (path && !SSL_CTX_load_verify_dir(ctx, path))
0e3136
+        return 0;
0e3136
+#endif
0e3136
+    return 1;
0e3136
+}
0e3136
+
0e3136
 static apr_status_t ssl_init_ctx_verify(server_rec *s,
0e3136
                                         apr_pool_t *p,
0e3136
                                         apr_pool_t *ptemp,
a42d0f
@@ -911,10 +933,8 @@
0e3136
         ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
0e3136
                      "Configuring client authentication");
0e3136
 
0e3136
-        if (!SSL_CTX_load_verify_locations(ctx,
0e3136
-                                           mctx->auth.ca_cert_file,
0e3136
-                                           mctx->auth.ca_cert_path))
0e3136
-        {
0e3136
+        if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file,
0e3136
+                                                   mctx->auth.ca_cert_path)) {
0e3136
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895)
0e3136
                     "Unable to configure verify locations "
0e3136
                     "for client authentication");
a42d0f
@@ -999,6 +1019,23 @@
0e3136
     return APR_SUCCESS;
0e3136
 }
0e3136
 
0e3136
+static APR_INLINE
0e3136
+int modssl_X509_STORE_load_locations(X509_STORE *store,
0e3136
+                                     const char *file,
0e3136
+                                     const char *path)
0e3136
+{
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+    if (!X509_STORE_load_locations(store, file, path))
0e3136
+        return 0;
0e3136
+#else
0e3136
+    if (file && !X509_STORE_load_file(store, file))
0e3136
+        return 0;
0e3136
+    if (path && !X509_STORE_load_path(store, path))
0e3136
+        return 0;
0e3136
+#endif
0e3136
+    return 1;
0e3136
+}
0e3136
+
0e3136
 static apr_status_t ssl_init_ctx_crl(server_rec *s,
0e3136
                                      apr_pool_t *p,
0e3136
                                      apr_pool_t *ptemp,
a42d0f
@@ -1037,8 +1074,8 @@
0e3136
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900)
0e3136
                  "Configuring certificate revocation facility");
0e3136
 
0e3136
-    if (!store || !X509_STORE_load_locations(store, mctx->crl_file,
0e3136
-                                             mctx->crl_path)) {
0e3136
+    if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file,
0e3136
+                                                           mctx->crl_path)) {
0e3136
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901)
0e3136
                      "Host %s: unable to configure X.509 CRL storage "
0e3136
                      "for certificate revocation", mctx->sc->vhost_id);
a42d0f
@@ -1267,6 +1304,31 @@
0e3136
    return 0;
0e3136
 }
0e3136
 
0e3136
+static APR_INLINE int modssl_DH_bits(DH *dh)
0e3136
+{
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+    return DH_bits(dh);
0e3136
+#else
0e3136
+    return BN_num_bits(DH_get0_p(dh));
0e3136
+#endif
0e3136
+}
0e3136
+
0e3136
+/* SSL_CTX_use_PrivateKey_file() can fail either because the private
0e3136
+ * key was encrypted, or due to a mismatch between an already-loaded
0e3136
+ * cert and the key - a common misconfiguration - from calling
0e3136
+ * X509_check_private_key().  This macro is passed the last error code
0e3136
+ * off the OpenSSL stack and evaluates to true only for the first
0e3136
+ * case.  With OpenSSL < 3 the second case is identifiable by the
0e3136
+ * function code, but function codes are not used from 3.0. */
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY)
0e3136
+#else
0e3136
+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509            \
0e3136
+                                 || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \
0e3136
+                                     && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \
0e3136
+                                     && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE))
0e3136
+#endif
0e3136
+
0e3136
 static apr_status_t ssl_init_server_certs(server_rec *s,
0e3136
                                           apr_pool_t *p,
0e3136
                                           apr_pool_t *ptemp,
a42d0f
@@ -1277,7 +1339,7 @@
0e3136
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
0e3136
     int i;
0e3136
     X509 *cert;
0e3136
-    DH *dhparams;
0e3136
+    DH *dh;
0e3136
 #ifdef HAVE_ECC
0e3136
     EC_GROUP *ecparams = NULL;
0e3136
     int nid;
a42d0f
@@ -1372,8 +1434,7 @@
0e3136
         }
0e3136
         else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
0e3136
                                               SSL_FILETYPE_PEM) < 1)
0e3136
-                 && (ERR_GET_FUNC(ERR_peek_last_error())
0e3136
-                     != X509_F_X509_CHECK_PRIVATE_KEY)) {
0e3136
+                 && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) {
0e3136
             ssl_asn1_t *asn1;
0e3136
             const unsigned char *ptr;
0e3136
 
a42d0f
@@ -1462,13 +1523,22 @@
0e3136
      */
0e3136
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
0e3136
     if (certfile && !modssl_is_engine_id(certfile)
0e3136
-        && (dhparams = ssl_dh_GetParamFromFile(certfile))) {
0e3136
-        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
0e3136
+        && (dh = ssl_dh_GetParamFromFile(certfile))) {
a42d0f
+        /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey()
a42d0f
+         * for OpenSSL 3.0+. */
0e3136
+        SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
0e3136
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
0e3136
                      "Custom DH parameters (%d bits) for %s loaded from %s",
0e3136
-                     DH_bits(dhparams), vhost_id, certfile);
0e3136
-        DH_free(dhparams);
0e3136
+                     modssl_DH_bits(dh), vhost_id, certfile);
0e3136
+        DH_free(dh);
0e3136
     }
a42d0f
+#if !MODSSL_USE_OPENSSL_PRE_1_1_API
a42d0f
+    else {
a42d0f
+        /* If no parameter is manually configured, enable auto
a42d0f
+         * selection. */
a42d0f
+        SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
a42d0f
+    }
a42d0f
+#endif
0e3136
 
0e3136
 #ifdef HAVE_ECC
a42d0f
     /*
a42d0f
@@ -1518,6 +1588,7 @@
0e3136
     char buf[TLSEXT_TICKET_KEY_LEN];
0e3136
     char *path;
0e3136
     modssl_ticket_key_t *ticket_key = mctx->ticket_key;
0e3136
+    int res;
0e3136
 
0e3136
     if (!ticket_key->file_path) {
0e3136
         return APR_SUCCESS;
a42d0f
@@ -1545,11 +1616,22 @@
0e3136
     }
0e3136
 
0e3136
     memcpy(ticket_key->key_name, buf, 16);
0e3136
-    memcpy(ticket_key->hmac_secret, buf + 16, 16);
0e3136
     memcpy(ticket_key->aes_key, buf + 32, 16);
0e3136
-
0e3136
-    if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
0e3136
-                                          ssl_callback_SessionTicket)) {
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+    memcpy(ticket_key->hmac_secret, buf + 16, 16);
0e3136
+    res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx,
0e3136
+                                           ssl_callback_SessionTicket);
0e3136
+#else
0e3136
+    ticket_key->mac_params[0] =
0e3136
+        OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16);
0e3136
+    ticket_key->mac_params[1] =
0e3136
+        OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0);
0e3136
+    ticket_key->mac_params[2] =
0e3136
+        OSSL_PARAM_construct_end();
0e3136
+    res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx,
0e3136
+                                               ssl_callback_SessionTicket);
0e3136
+#endif
0e3136
+    if (!res) {
0e3136
         ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913)
0e3136
                      "Unable to initialize TLS session ticket key callback "
0e3136
                      "(incompatible OpenSSL version?)");
a42d0f
@@ -1680,7 +1762,7 @@
0e3136
         return ssl_die(s);
0e3136
     }
0e3136
 
0e3136
-    X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
0e3136
+    modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL);
0e3136
 
0e3136
     for (n = 0; n < ncerts; n++) {
0e3136
         int i;
a42d0f
@@ -2277,10 +2359,11 @@
0e3136
 
0e3136
     }
0e3136
 
0e3136
-#if !MODSSL_USE_OPENSSL_PRE_1_1_API
0e3136
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
0e3136
+    free_dh_params();
0e3136
+#else
0e3136
     free_bio_methods();
0e3136
 #endif
0e3136
-    free_dh_params();
0e3136
 
0e3136
     return APR_SUCCESS;
0e3136
 }
a42d0f
--- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3
a42d0f
+++ httpd-2.4.51/modules/ssl/ssl_engine_io.c
a42d0f
@@ -194,6 +194,10 @@
0e3136
 static int bio_filter_out_read(BIO *bio, char *out, int outl)
0e3136
 {
0e3136
     /* this is never called */
0e3136
+    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
0e3136
+                  "BUG: %s() should not be called", "bio_filter_out_read");
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
     return -1;
0e3136
 }
0e3136
 
a42d0f
@@ -293,12 +297,20 @@
0e3136
 static int bio_filter_out_gets(BIO *bio, char *buf, int size)
0e3136
 {
0e3136
     /* this is never called */
0e3136
+    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
0e3136
+                  "BUG: %s() should not be called", "bio_filter_out_gets");
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
     return -1;
0e3136
 }
0e3136
 
0e3136
 static int bio_filter_out_puts(BIO *bio, const char *str)
0e3136
 {
0e3136
     /* this is never called */
0e3136
+    bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio);
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c,
0e3136
+                  "BUG: %s() should not be called", "bio_filter_out_puts");
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
     return -1;
0e3136
 }
0e3136
 
a42d0f
@@ -533,22 +545,47 @@
0e3136
 
0e3136
 static int bio_filter_in_write(BIO *bio, const char *in, int inl)
0e3136
 {
0e3136
+    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
0e3136
+                  "BUG: %s() should not be called", "bio_filter_in_write");
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
     return -1;
0e3136
 }
0e3136
 
0e3136
 static int bio_filter_in_puts(BIO *bio, const char *str)
0e3136
 {
0e3136
+    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
0e3136
+                  "BUG: %s() should not be called", "bio_filter_in_puts");
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
     return -1;
0e3136
 }
0e3136
 
0e3136
 static int bio_filter_in_gets(BIO *bio, char *buf, int size)
0e3136
 {
0e3136
+    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
0e3136
+                  "BUG: %s() should not be called", "bio_filter_in_gets");
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
     return -1;
0e3136
 }
0e3136
 
0e3136
 static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr)
0e3136
 {
0e3136
-    return -1;
0e3136
+    bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio);
0e3136
+    switch (cmd) {
0e3136
+#ifdef BIO_CTRL_EOF
0e3136
+    case BIO_CTRL_EOF:
0e3136
+        return inctx->rc == APR_EOF;
0e3136
+#endif
0e3136
+    default:
0e3136
+        break;
0e3136
+    }
0e3136
+    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c,
0e3136
+                  "BUG: bio_filter_in_ctrl() should not be called with cmd=%i",
0e3136
+                  cmd);
0e3136
+    AP_DEBUG_ASSERT(0);
0e3136
+    return 0;
0e3136
 }
0e3136
 
0e3136
 #if MODSSL_USE_OPENSSL_PRE_1_1_API
a42d0f
@@ -573,7 +610,7 @@
0e3136
     bio_filter_in_read,
0e3136
     bio_filter_in_puts,         /* puts is never called */
0e3136
     bio_filter_in_gets,         /* gets is never called */
0e3136
-    bio_filter_in_ctrl,         /* ctrl is never called */
0e3136
+    bio_filter_in_ctrl,         /* ctrl is called for EOF check */
0e3136
     bio_filter_create,
0e3136
     bio_filter_destroy,
0e3136
     NULL
a42d0f
--- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3
a42d0f
+++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c
a42d0f
@@ -1685,6 +1685,7 @@
0e3136
 **  _________________________________________________________________
0e3136
 */
0e3136
 
0e3136
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
0e3136
 /*
0e3136
  * Hand out standard DH parameters, based on the authentication strength
0e3136
  */
a42d0f
@@ -1730,6 +1731,7 @@
0e3136
 
0e3136
     return modssl_get_dh_params(keylen);
0e3136
 }
0e3136
+#endif
0e3136
 
0e3136
 /*
0e3136
  * This OpenSSL callback function is called when OpenSSL
a42d0f
@@ -2614,7 +2616,11 @@
0e3136
                                unsigned char *keyname,
0e3136
                                unsigned char *iv,
0e3136
                                EVP_CIPHER_CTX *cipher_ctx,
0e3136
-                               HMAC_CTX *hctx,
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+                               HMAC_CTX *hmac_ctx,
0e3136
+#else
0e3136
+                               EVP_MAC_CTX *mac_ctx,
0e3136
+#endif
0e3136
                                int mode)
0e3136
 {
0e3136
     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
a42d0f
@@ -2640,7 +2646,13 @@
0e3136
         }
0e3136
         EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
0e3136
                            ticket_key->aes_key, iv);
0e3136
-        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
0e3136
+
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+        HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
0e3136
+                     tlsext_tick_md(), NULL);
0e3136
+#else
0e3136
+        EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
0e3136
+#endif
0e3136
 
0e3136
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289)
0e3136
                       "TLS session ticket key for %s successfully set, "
a42d0f
@@ -2661,7 +2673,13 @@
0e3136
 
0e3136
         EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL,
0e3136
                            ticket_key->aes_key, iv);
0e3136
-        HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL);
0e3136
+
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+        HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16,
0e3136
+                     tlsext_tick_md(), NULL);
0e3136
+#else
0e3136
+        EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params);
0e3136
+#endif
0e3136
 
0e3136
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290)
0e3136
                       "TLS session ticket key for %s successfully set, "
a42d0f
--- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3
a42d0f
+++ httpd-2.4.51/modules/ssl/ssl_engine_log.c
a42d0f
@@ -78,6 +78,16 @@
0e3136
     return APR_EGENERAL;
0e3136
 }
0e3136
 
0e3136
+static APR_INLINE
0e3136
+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags)
0e3136
+{
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+    return ERR_peek_error_line_data(NULL, NULL, data, flags);
0e3136
+#else
0e3136
+    return ERR_peek_error_data(data, flags);
0e3136
+#endif
0e3136
+}
0e3136
+
0e3136
 /*
0e3136
  * Prints the SSL library error information.
0e3136
  */
a42d0f
@@ -87,7 +97,7 @@
0e3136
     const char *data;
0e3136
     int flags;
0e3136
 
0e3136
-    while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) {
0e3136
+    while ((e = modssl_ERR_peek_error_data(&data, &flags))) {
0e3136
         const char *annotation;
0e3136
         char err[256];
0e3136
 
a42d0f
--- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3
a42d0f
+++ httpd-2.4.51/modules/ssl/ssl_private.h
0e3136
@@ -89,6 +89,9 @@
0e3136
 /* must be defined before including ssl.h */
0e3136
 #define OPENSSL_NO_SSL_INTERN
0e3136
 #endif
0e3136
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
0e3136
+#include <openssl/core_names.h>
0e3136
+#endif
0e3136
 #include <openssl/ssl.h>
0e3136
 #include <openssl/err.h>
0e3136
 #include <openssl/x509.h>
0e3136
@@ -134,13 +137,12 @@
0e3136
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
0e3136
 #define SSL_CTX_set_max_proto_version(ctx, version) \
0e3136
         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
0e3136
-#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
0e3136
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
0e3136
 /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
0e3136
  * include most changes from OpenSSL >= 1.1 (new functions, macros, 
0e3136
  * deprecations, ...), so we have to work around this...
0e3136
  */
0e3136
-#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
0e3136
-#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
0e3136
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
0e3136
 #else /* defined(LIBRESSL_VERSION_NUMBER) */
0e3136
 #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
0e3136
 #endif
a42d0f
@@ -681,7 +683,11 @@
0e3136
 typedef struct {
0e3136
     const char *file_path;
0e3136
     unsigned char key_name[16];
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
     unsigned char hmac_secret[16];
0e3136
+#else
0e3136
+    OSSL_PARAM mac_params[3];
0e3136
+#endif
0e3136
     unsigned char aes_key[16];
0e3136
 } modssl_ticket_key_t;
0e3136
 #endif
a42d0f
@@ -945,8 +951,16 @@
0e3136
 int          ssl_callback_ClientHello(SSL *, int *, void *);
0e3136
 #endif
0e3136
 #ifdef HAVE_TLS_SESSION_TICKETS
0e3136
-int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
0e3136
-                                       EVP_CIPHER_CTX *, HMAC_CTX *, int);
0e3136
+int ssl_callback_SessionTicket(SSL *ssl,
0e3136
+                               unsigned char *keyname,
0e3136
+                               unsigned char *iv,
0e3136
+                               EVP_CIPHER_CTX *cipher_ctx,
0e3136
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
0e3136
+                               HMAC_CTX *hmac_ctx,
0e3136
+#else
0e3136
+                               EVP_MAC_CTX *mac_ctx,
0e3136
+#endif
0e3136
+                               int mode);
0e3136
 #endif
0e3136
 
0e3136
 #ifdef HAVE_TLS_ALPN
a42d0f
@@ -1124,10 +1138,12 @@
0e3136
 
0e3136
 #endif
0e3136
 
0e3136
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
0e3136
 /* Retrieve DH parameters for given key length.  Return value should
0e3136
  * be treated as unmutable, since it is stored in process-global
0e3136
  * memory. */
0e3136
 DH *modssl_get_dh_params(unsigned keylen);
0e3136
+#endif
0e3136
 
0e3136
 /* Returns non-zero if the request was made over SSL/TLS.  If sslconn
0e3136
  * is non-NULL and the request is using SSL/TLS, sets *sslconn to the