diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h index d34a22efc..10a4fa60f 100644 --- a/include/haproxy/openssl-compat.h +++ b/include/haproxy/openssl-compat.h @@ -24,6 +24,10 @@ #include #endif +#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL) +#include +#endif + #if defined(LIBRESSL_VERSION_NUMBER) /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus * systematically breaking when some code is written for a specific version @@ -79,6 +83,14 @@ #define HAVE_SSL_KEYLOG #endif + +#if (HA_OPENSSL_VERSION_NUMBER >= 0x3000000fL) +#define HAVE_OSSL_PARAM +#define MAC_CTX EVP_MAC_CTX +#else +#define MAC_CTX HMAC_CTX +#endif + #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL) /* Functions present in OpenSSL 0.9.8, older not tested */ static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length) @@ -298,6 +310,12 @@ static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) } #endif +#if (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL) +#if defined(SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB) +#define SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_tlsext_ticket_key_cb +#endif +#endif + #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070200fL) #define __OPENSSL_110_CONST__ const #else diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1bfb18689..815a34cf3 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1051,7 +1051,8 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err) #endif #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) -static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc) + +static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, MAC_CTX *hctx, int enc) { struct tls_keys_ref *ref; union tls_sess_key *keys; @@ -4596,7 +4597,7 @@ static int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_con } #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) if(bind_conf->keys_ref) { - if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) { + if (!SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_tlsext_ticket_key_cb)) { memprintf(err, "%sProxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n", err && *err ? *err : "", curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line); cfgerr |= ERR_ALERT | ERR_FATAL;