Refactor the computation of API version limits

Previously, the API version limit was indicated with a numeric version number. This was "natural" in the pre-3.0.0 because the version was this simple number. With 3.0.0, the version is divided into three separate numbers, and it's only the major number that counts, but we still need to be able to support pre-3.0.0 version limits. Therefore, we allow OPENSSL_API_COMPAT to be defined with a pre-3.0.0 style numeric version number or with a simple major number, i.e. can be defined like this for any application: -D OPENSSL_API_COMPAT=0x10100000L -D OPENSSL_API_COMPAT=3 Since the pre-3.0.0 numerical version numbers are high, it's easy to distinguish between a simple major number and a pre-3.0.0 numerical version number and to thereby support both forms at the same time. Internally, we define the following macros depending on the value of OPENSSL_API_COMPAT: OPENSSL_API_0_9_8 OPENSSL_API_1_0_0 OPENSSL_API_1_1_0 OPENSSL_API_3 They indicate that functions marked for deprecation in the corresponding major release shall not be built if defined. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7724)
2018-11-29 23:05:03 +00:00 · 2018-11-29 23:05:03 +00:00 · fcd2d5a612
commit fcd2d5a612
parent 0695b19342
64 changed files with 230 additions and 153 deletions
--- a/9
+++ b/9
@ -9,6 +9,15 @@

 Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]

+  *) Change the possible version information given with OPENSSL_API_COMPAT.
+     It may be a pre-3.0.0 style numerical version number as it was defined
+     in 1.1.0, and it may also simply take the major version number.
+
+     Because of the version numbering of pre-3.0.0 releases, the values 0,
+     1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and
+     0x10100000L (1.1.0), respectively.
+     [Richard Levitte]
+
  *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.

     o Major releases (indicated by incrementing the MAJOR release number)
--- a/25
+++ b/25
@ -43,9 +43,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
 #
 # --cross-compile-prefix Add specified prefix to binutils components.
 #
-# --api         One of 0.9.8, 1.0.0, 1.1.0 or 3.0.0 (or 3).  Do not compile
-#               support for interfaces deprecated as of the specified OpenSSL
-#               version.
+# --api         One of 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, or 3.0.0 / 3.
+#               Do not compile support for interfaces deprecated as of the
+#               specified OpenSSL version.
 #
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
@ -176,10 +176,13 @@ our $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
 #
 my $maxapi = "3.0.0";           # API for "no-deprecated" builds
 my $apitable = {
-    "3.0.0" => "0x30000000L",
-    "1.1.0" => "0x10100000L",
-    "1.0.0" => "0x10000000L",
-    "0.9.8" => "0x00908000L",
+    "3.0.0" => 3,
+    "1.1.1" => 2,
+    "1.1.0" => 2,
+    "1.0.2" => 1,
+    "1.0.1" => 1,
+    "1.0.0" => 1,
+    "0.9.8" => 0,
 };

 our %table = ();
@ -1495,11 +1498,9 @@ $config{cflags} = [ map { (my $x = $_) =~ s/([\\\"])/\\$1/g; $x }
 $config{cxxflags} = [ map { (my $x = $_) =~ s/([\\\"])/\\$1/g; $x }
                          @{$config{cxxflags}} ] if $config{CXX};

-if (defined($config{api})) {
-    $config{openssl_api_defines} = [ "OPENSSL_MIN_API=".$apitable->{$config{api}} ];
-    my $apiflag = sprintf("OPENSSL_API_COMPAT=%s", $apitable->{$config{api}});
-    push @{$config{defines}}, $apiflag;
-}
+$config{openssl_api_defines} = [
+    "OPENSSL_MIN_API=".($apitable->{$config{api} // ""} // -1)
+];

 if ($strict_warnings)
 	{
--- a/crypto/asn1/asn1_item_list.h
+++ b/crypto/asn1/asn1_item_list.h
@ -78,7 +78,7 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
    ASN1_ITEM_ref(IPAddressRange),
 #endif
    ASN1_ITEM_ref(ISSUING_DIST_POINT),
-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
    ASN1_ITEM_ref(LONG),
 #endif
    ASN1_ITEM_ref(NAME_CONSTRAINTS),
@ -164,7 +164,7 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
    ASN1_ITEM_ref(X509_SIG),
    ASN1_ITEM_ref(X509_VAL),
    ASN1_ITEM_ref(X509),
-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
    ASN1_ITEM_ref(ZLONG),
 #endif
    ASN1_ITEM_ref(INT32),
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@ -383,7 +383,7 @@ const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
    return x->data;
 }

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 unsigned char *ASN1_STRING_data(ASN1_STRING *x)
 {
    return x->data;
--- a/crypto/asn1/x_long.c
+++ b/crypto/asn1/x_long.c
@ -11,7 +11,7 @@
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>

-#if !(OPENSSL_API_COMPAT < 0x30000000L)
+#if OPENSSL_API_3
 NON_EMPTY_TRANSLATION_UNIT
 #else

--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@ -24,7 +24,7 @@
 static int wsa_init_done = 0;
 # endif

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 int BIO_get_host_ip(const char *str, unsigned char *ip)
 {
    BIO_ADDRINFO *res = NULL;
@ -103,7 +103,7 @@ int BIO_sock_error(int sock)
        return j;
 }

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 struct hostent *BIO_gethostbyname(const char *name)
 {
    /*
@ -196,7 +196,7 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
    return i;
 }

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 int BIO_get_accept_socket(char *host, int bind_mode)
 {
    int s = INVALID_SOCKET;
--- a/crypto/bn/bn_depr.c
+++ b/crypto/bn/bn_depr.c
@ -13,7 +13,7 @@
 */

 #include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
+#if OPENSSL_API_0_9_8
 NON_EMPTY_TRANSLATION_UNIT
 #else

--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@ -15,7 +15,7 @@
 #include "internal/constant_time_locl.h"

 /* This stuff appears to be completely unused, so is deprecated */
-#if OPENSSL_API_COMPAT < 0x00908000L
+#if !OPENSSL_API_0_9_8
 /*-
 * For a 32 bit machine
 * 2 -   4 ==  128
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c
@ -27,7 +27,7 @@

 static int openssl_configured = 0;

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 void OPENSSL_config(const char *appname)
 {
    OPENSSL_INIT_SETTINGS settings;
--- a/crypto/cversion.c
+++ b/crypto/cversion.c
@ -11,7 +11,7 @@

 #include "buildinf.h"

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 unsigned long OpenSSL_version_num(void)
 {
    return OPENSSL_VERSION_NUMBER;
--- a/crypto/dh/dh_depr.c
+++ b/crypto/dh/dh_depr.c
@ -10,7 +10,7 @@
 /* This file contains deprecated functions as wrappers to the new ones */

 #include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
+#if OPENSSL_API_0_9_8
 NON_EMPTY_TRANSLATION_UNIT
 #else

--- a/crypto/dsa/dsa_depr.c
+++ b/crypto/dsa/dsa_depr.c
@ -20,7 +20,7 @@
 #define xxxHASH    EVP_sha1()

 #include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
+#if OPENSSL_API_0_9_8
 NON_EMPTY_TRANSLATION_UNIT
 #else

--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@ -16,7 +16,7 @@ DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
    return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
 }

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
    return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@ -435,7 +435,7 @@ int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
    return group->meth->group_get_curve(group, p, a, b, ctx);
 }

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
                           const BIGNUM *b, BN_CTX *ctx)
 {
@ -726,7 +726,7 @@ int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
    return 1;
 }

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
                                        EC_POINT *point, const BIGNUM *x,
                                        const BIGNUM *y, BN_CTX *ctx)
@ -764,7 +764,7 @@ int EC_POINT_get_affine_coordinates(const EC_GROUP *group,
    return group->meth->point_get_affine_coordinates(group, point, x, y, ctx);
 }

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
                                        const EC_POINT *point, BIGNUM *x,
                                        BIGNUM *y, BN_CTX *ctx)
--- a/crypto/ec/ec_oct.c
+++ b/crypto/ec/ec_oct.c
@ -49,7 +49,7 @@ int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
                                                         y_bit, ctx);
 }

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
                                            EC_POINT *point, const BIGNUM *x,
                                            int y_bit, BN_CTX *ctx)
--- a/crypto/ec/ecdh_kdf.c
+++ b/crypto/ec/ecdh_kdf.c
@ -72,7 +72,7 @@ int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
 * The old name for ecdh_KDF_X9_63
 * Retained for ABI compatibility
 */
-#if OPENSSL_API_COMPAT < 0x10200000L
+#if !OPENSSL_API_3
 int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
                   const unsigned char *Z, size_t Zlen,
                   const unsigned char *sinfo, size_t sinfolen,
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@ -18,7 +18,8 @@ void ENGINE_load_builtin_engines(void)
    OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
 }

-#if (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)) && OPENSSL_API_COMPAT < 0x10100000L
+#if (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)) \
+    && !OPENSSL_API_1_1_0
 void ENGINE_setup_bsd_cryptodev(void)
 {
 }
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@ -672,13 +672,13 @@ void err_delete_thread_state(void)
    ERR_STATE_free(state);
 }

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 void ERR_remove_thread_state(void *dummy)
 {
 }
 #endif

-#if OPENSSL_API_COMPAT < 0x10000000L
+#if !OPENSSL_API_1_0_0
 void ERR_remove_state(unsigned long pid)
 {
 }
--- a/crypto/evp/e_old.c
+++ b/crypto/evp/e_old.c
@ -8,7 +8,7 @@
 */

 #include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
+#if OPENSSL_API_0_9_8
 NON_EMPTY_TRANSLATION_UNIT
 #else

--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@ -79,7 +79,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
    return rv;
 }

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
 {
    if (key && md)
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@ -12,7 +12,7 @@
 #include <openssl/pkcs12.h>
 #include "p12_lcl.h"

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
 {
    return PKCS12_get_attr_gen(bag->attrib, attr_nid);
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@ -838,7 +838,7 @@ int RAND_bytes(unsigned char *buf, int num)
    return -1;
 }

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 int RAND_pseudo_bytes(unsigned char *buf, int num)
 {
    const RAND_METHOD *meth = RAND_get_rand_method();
--- a/crypto/rand/rand_win.c
+++ b/crypto/rand/rand_win.c
@ -156,7 +156,7 @@ int rand_pool_add_additional_data(RAND_POOL *pool)
    return rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
 }

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam)
 {
    RAND_poll();
--- a/crypto/rsa/rsa_depr.c
+++ b/crypto/rsa/rsa_depr.c
@ -13,7 +13,7 @@
 */

 #include <openssl/opensslconf.h>
-#if OPENSSL_API_COMPAT >= 0x00908000L
+#if OPENSSL_API_0_9_8
 NON_EMPTY_TRANSLATION_UNIT

 #else
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@ -525,7 +525,7 @@ int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd)
    return 1;
 }

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 /*
 * DEPRECATED: use SRP_VBASE_get1_by_user instead.
 * This method ignores the configured seed and fails for an unknown user.
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@ -91,7 +91,7 @@ const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl)
    return crl->crl.nextUpdate;
 }

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl)
 {
    return crl->crl.lastUpdate;
--- a/doc/man3/OPENSSL_config.pod
+++ b/doc/man3/OPENSSL_config.pod
@ -8,10 +8,12 @@ OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions

 #include <openssl/conf.h>

- #if OPENSSL_API_COMPAT < 0x10100000L
+Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
 void OPENSSL_config(const char *appname);
 void OPENSSL_no_config(void);
- #endif

 =head1 DESCRIPTION

--- a/doc/man3/RAND_cleanup.pod
+++ b/doc/man3/RAND_cleanup.pod
@ -8,9 +8,11 @@ RAND_cleanup - erase the PRNG state

 #include <openssl/rand.h>

- #if OPENSSL_API_COMPAT < 0x10100000L
+Deprecated since OpenSSL 1.1.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
 void RAND_cleanup(void)
- #endif

 =head1 DESCRIPTION

--- a/doc/man7/openssl_user_macros.pod.in
+++ b/doc/man7/openssl_user_macros.pod.in
@ -26,7 +26,20 @@ user defined macros.
 The value is a version number similar to the
 L<OPENSSL_VERSION_NUMBER(3)> macro.  Any symbol that is deprecated in
 versions up to and including the version given in this macro will not
-be declared.  Any version number may be given, but these numbers are
+be declared.
+
+The version number assigned to this macro can take one of two forms:
+
+=over
+
+=item C<0xMNNFF000L>
+
+This is the form supported for all versions up 1.1.x, where C<M>
+represents the major number, C<NN> represents the minor number, and
+C<FF> represents the fix number.  For version 1.1.0, that's
+C<0x10100000L>.
+
+Any version number may be given, but these numbers are
 the current known major deprecation points, making them the most
 meaningful:

@ -40,6 +53,30 @@ meaningful:

 =back

+For convenience, higher numbers are accepted as well, as long as
+feasible.  For example, C<0x60000000L> will work as expected.
+However, it is recommended to start using the second form instead:
+
+=item C<m>
+
+This form is a simple number that represents the major version number
+and is supported for version 3.0.0 and up.  For extra convenience,
+these numbers are also available:
+
+=over
+
+=item Z<>0 (C<0x00908000L>, i.e. version 0.9.8)
+
+=item Z<>1 (C<0x10000000L>, i.e. version 1.0.0)
+
+=item Z<>2 (C<0x10100000L>, i.e. version 1.1.0)
+
+=back
+
+For all other numbers C<m>, they are equivalent to version m.0.0.
+
+=back
+
 If not set, this macro will default to
 C<{- join('', map { my @x = split /=/,$_; $x[1] }
              grep /^OPENSSL_MIN_API=/, @{$config{openssl_api_defines} // []})
--- a/fuzz/asn1.c
+++ b/fuzz/asn1.c
@ -106,7 +106,7 @@ static ASN1_ITEM_EXP *item_type[] = {
    ASN1_ITEM_ref(IPAddressRange),
 #endif
    ASN1_ITEM_ref(ISSUING_DIST_POINT),
-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
    ASN1_ITEM_ref(LONG),
 #endif
    ASN1_ITEM_ref(NAME_CONSTRAINTS),
@ -187,7 +187,7 @@ static ASN1_ITEM_EXP *item_type[] = {
    ASN1_ITEM_ref(X509_REVOKED),
    ASN1_ITEM_ref(X509_SIG),
    ASN1_ITEM_ref(X509_VAL),
-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
    ASN1_ITEM_ref(ZLONG),
 #endif
    ASN1_ITEM_ref(INT32),
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h
@ -19,7 +19,7 @@
 # include <openssl/symhacks.h>

 # include <openssl/ossl_typ.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/bn.h>
 # endif

--- a/include/openssl/asn1t.h
+++ b/include/openssl/asn1t.h
@ -915,7 +915,7 @@ DECLARE_ASN1_ITEM(ZINT64)
 DECLARE_ASN1_ITEM(UINT64)
 DECLARE_ASN1_ITEM(ZUINT64)

-# if OPENSSL_API_COMPAT < 0x30000000L
+# if !OPENSSL_API_3
 /*
 * LONG and ZLONG are strongly discouraged for use as stored data, as the
 * underlying C type (long) differs in size depending on the architecture.
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@ -681,7 +681,7 @@ int BIO_sock_error(int sock);
 int BIO_socket_ioctl(int fd, long type, void *arg);
 int BIO_socket_nbio(int fd, int mode);
 int BIO_sock_init(void);
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define BIO_sock_cleanup() while(0) continue
 # endif
 int BIO_set_tcp_ndelay(int sock, int turn_on);
--- a/include/openssl/bn.h
+++ b/include/openssl/bn.h
@ -61,7 +61,7 @@ extern "C" {
 # define BN_FLG_CONSTTIME        0x04
 # define BN_FLG_SECURE           0x08

-# if OPENSSL_API_COMPAT < 0x00908000L
+# if !OPENSSL_API_0_9_8
 /* deprecated name for the flag */
 #  define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME
 #  define BN_FLG_FREE            0x8000 /* used for debugging */
@ -190,7 +190,7 @@ int BN_is_odd(const BIGNUM *a);

 void BN_zero_ex(BIGNUM *a);

-# if OPENSSL_API_COMPAT >= 0x00908000L
+# if OPENSSL_API_0_9_8
 #  define BN_zero(a)      BN_zero_ex(a)
 # else
 #  define BN_zero(a)      (BN_set_word((a),0))
@ -519,7 +519,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn);
 BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn);
 BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define get_rfc2409_prime_768 BN_get_rfc2409_prime_768
 #  define get_rfc2409_prime_1024 BN_get_rfc2409_prime_1024
 #  define get_rfc3526_prime_1536 BN_get_rfc3526_prime_1536
--- a/include/openssl/comp.h
+++ b/include/openssl/comp.h
@ -35,7 +35,7 @@ int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,

 COMP_METHOD *COMP_zlib(void);

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 #define COMP_zlib_cleanup() while(0) continue
 #endif

--- a/include/openssl/conf.h
+++ b/include/openssl/conf.h
@ -90,7 +90,7 @@ int CONF_dump_bio(LHASH_OF(CONF_VALUE) *conf, BIO *out);

 DEPRECATEDIN_1_1_0(void OPENSSL_config(const char *config_name))

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # define OPENSSL_no_config() \
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)
 #endif
@ -137,7 +137,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
                           unsigned long flags);
 void CONF_modules_unload(int all);
 void CONF_modules_finish(void);
-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # define CONF_modules_free() while(0) continue
 #endif
 int CONF_module_add(const char *name, conf_init_func *ifunc,
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@ -36,7 +36,7 @@
 */
 # include <openssl/symhacks.h>

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/opensslv.h>
 # endif

@ -44,7 +44,7 @@
 extern "C" {
 #endif

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define SSLeay                  OpenSSL_version_num
 #  define SSLeay_version          OpenSSL_version
 #  define SSLEAY_VERSION_NUMBER   OPENSSL_VERSION_NUMBER
@ -62,7 +62,7 @@ typedef struct {
    int dummy;
 } CRYPTO_dynlock;

-# endif /* OPENSSL_API_COMPAT */
+# endif /* OPENSSL_API_1_1_0 */

 typedef void CRYPTO_RWLOCK;

@ -199,7 +199,7 @@ void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad);
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val);
 void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 /*
 * This function cleans up all "ex_data" state. It mustn't be called under
 * potential race-conditions.
@ -246,11 +246,11 @@ typedef struct crypto_threadid_st {
 #  define CRYPTO_THREADID_cpy(dest, src)
 #  define CRYPTO_THREADID_hash(id)                      (0UL)

-#  if OPENSSL_API_COMPAT < 0x10000000L
+#  if !OPENSSL_API_1_0_0
 #   define CRYPTO_set_id_callback(func)
 #   define CRYPTO_get_id_callback()                     (NULL)
 #   define CRYPTO_thread_id()                           (0UL)
-#  endif /* OPENSSL_API_COMPAT < 0x10000000L */
+#  endif /* OPENSSL_API_1_0_0 */

 #  define CRYPTO_set_dynlock_create_callback(dyn_create_function)
 #  define CRYPTO_set_dynlock_lock_callback(dyn_lock_function)
@ -258,7 +258,7 @@ typedef struct crypto_threadid_st {
 #  define CRYPTO_get_dynlock_create_callback()          (NULL)
 #  define CRYPTO_get_dynlock_lock_callback()            (NULL)
 #  define CRYPTO_get_dynlock_destroy_callback()         (NULL)
-# endif /* OPENSSL_API_COMPAT < 0x10100000L */
+# endif /* OPENSSL_API_1_1_0 */

 int CRYPTO_set_mem_functions(
        void *(*m) (size_t, const char *, int),
@ -327,7 +327,7 @@ int CRYPTO_mem_leaks(BIO *bio);

 /* die if we have to */
 ossl_noreturn void OPENSSL_die(const char *assertion, const char *file, int line);
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define OpenSSLDie(f,l,a) OPENSSL_die((a),(f),(l))
 # endif
 # define OPENSSL_assert(e) \
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@ -17,7 +17,7 @@
 # include <openssl/bio.h>
 # include <openssl/asn1.h>
 # include <openssl/ossl_typ.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/bn.h>
 # endif
 # include <openssl/dherr.h>
@ -34,7 +34,7 @@ extern "C" {

 # define DH_FLAG_CACHE_MONT_P     0x01

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 /*
 * Does nothing. Previously this switched off constant time behaviour.
 */
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@ -21,7 +21,7 @@ extern "C" {
 # include <openssl/crypto.h>
 # include <openssl/ossl_typ.h>
 # include <openssl/bn.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/dh.h>
 # endif
 # include <openssl/dsaerr.h>
@ -33,7 +33,7 @@ extern "C" {
 # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024

 # define DSA_FLAG_CACHE_MONT_P   0x01
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 /*
 * Does nothing. Previously this switched off constant time behaviour.
 */
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@ -16,7 +16,7 @@
 # ifndef OPENSSL_NO_EC
 # include <openssl/asn1.h>
 # include <openssl/symhacks.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/bn.h>
 # endif
 # include <openssl/ecerr.h>
--- a/include/openssl/engine.h
+++ b/include/openssl/engine.h
@ -14,7 +14,7 @@
 # include <openssl/opensslconf.h>

 # ifndef OPENSSL_NO_ENGINE
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/bn.h>
 #  include <openssl/rsa.h>
 #  include <openssl/dsa.h>
@ -320,7 +320,7 @@ int ENGINE_remove(ENGINE *e);
 /* Retrieve an engine from the list by its unique "id" value. */
 ENGINE *ENGINE_by_id(const char *id);

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # define ENGINE_load_openssl() \
    OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_OPENSSL, NULL)
 # define ENGINE_load_dynamic() \
@ -494,7 +494,7 @@ int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns);
 int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
 void *ENGINE_get_ex_data(const ENGINE *e, int idx);

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 /*
 * This function previously cleaned up anything that needs it. Auto-deinit will
 * now take care of it so it is no longer required to call this function.
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@ -250,7 +250,7 @@ int ERR_load_strings_const(const ERR_STRING_DATA *str);
 int ERR_unload_strings(int lib, ERR_STRING_DATA *str);
 int ERR_load_ERR_strings(void);

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # define ERR_load_crypto_strings() \
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)
 # define ERR_free_strings() while(0) continue
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@ -486,7 +486,7 @@ void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data);
 void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx);
 void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data);
 # define EVP_CIPHER_CTX_type(c)         EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define EVP_CIPHER_CTX_flags(c)       EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(c))
 # endif
 # define EVP_CIPHER_CTX_mode(c)         EVP_CIPHER_mode(EVP_CIPHER_CTX_cipher(c))
@ -670,7 +670,7 @@ int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
                    char *out, int *outl);
 int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define EVP_CIPHER_CTX_init(c)      EVP_CIPHER_CTX_reset(c)
 #  define EVP_CIPHER_CTX_cleanup(c)   EVP_CIPHER_CTX_reset(c)
 # endif
@ -938,7 +938,7 @@ const EVP_CIPHER *EVP_sm4_ofb(void);
 const EVP_CIPHER *EVP_sm4_ctr(void);
 # endif

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define OPENSSL_add_all_algorithms_conf() \
    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
                        | OPENSSL_INIT_ADD_ALL_DIGESTS \
--- a/include/openssl/hmac.h
+++ b/include/openssl/hmac.h
@ -14,7 +14,7 @@

 # include <openssl/evp.h>

-# if OPENSSL_API_COMPAT < 0x30000000L
+# if !OPENSSL_API_3
 #  define HMAC_MAX_MD_CBLOCK      128    /* Deprecated */
 # endif

--- a/include/openssl/idea.h
+++ b/include/openssl/idea.h
@ -45,7 +45,7 @@ void IDEA_ofb64_encrypt(const unsigned char *in, unsigned char *out,
                        int *num);
 void IDEA_encrypt(unsigned long *in, IDEA_KEY_SCHEDULE *ks);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define idea_options          IDEA_options
 #  define idea_ecb_encrypt      IDEA_ecb_encrypt
 #  define idea_set_encrypt_key  IDEA_set_encrypt_key
--- a/include/openssl/lhash.h
+++ b/include/openssl/lhash.h
@ -91,7 +91,7 @@ void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define _LHASH OPENSSL_LHASH
 #  define LHASH_NODE OPENSSL_LH_NODE
 #  define lh_error OPENSSL_LH_error
--- a/include/openssl/objects.h
+++ b/include/openssl/objects.h
@ -156,7 +156,7 @@ const void *OBJ_bsearch_ex_(const void *key, const void *base, int num,
 int OBJ_new_nid(int num);
 int OBJ_add_object(const ASN1_OBJECT *obj);
 int OBJ_create(const char *oid, const char *sn, const char *ln);
-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # define OBJ_cleanup() while(0) continue
 #endif
 int OBJ_create_objects(BIO *in);
--- a/include/openssl/opensslconf.h.in
+++ b/include/openssl/opensslconf.h.in
@ -52,9 +52,13 @@ extern "C" {

 /*
 * Applications should use -DOPENSSL_API_COMPAT=<version> to suppress the
- * declarations of functions deprecated in or before <version>. Otherwise, they
- * still won't see them if the library has been built to disable deprecated
- * functions.
+ * declarations of functions deprecated in or before <version>.  If this is
+ * undefined, the value of the macro OPENSSL_API_MIN above is the default.
+ *
+ * For any version number up until version 1.1.x, <version> is expected to be
+ * the calculated version number 0xMNNFFPPSL.  For version numbers 3.0.0 and
+ * on, <version> is expected to be only the major version number (i.e. 3 for
+ * version 3.0.0).
 */
 #ifndef DECLARE_DEPRECATED
 # define DECLARE_DEPRECATED(f)   f;
@ -66,59 +70,93 @@ extern "C" {
 # endif
 #endif

-#ifndef OPENSSL_FILE
-# ifdef OPENSSL_NO_FILENAMES
-#  define OPENSSL_FILE ""
-#  define OPENSSL_LINE 0
+/*
+ * We convert the OPENSSL_API_COMPAT value to an API level.  The API level
+ * is the major version number for 3.0.0 and on.  For earlier versions, it
+ * uses this scheme, which is close enough for our purposes:
+ *
+ *      0.x.y   0       (0.9.8 was the last release in this series)
+ *      1.0.x   1       (1.0.2 was the last release in this series)
+ *      1.1.x   2       (1.1.1 was the last release in this series)
+ */
+
+/* In case someone defined both */
+#if defined(OPENSSL_API_COMPAT) && defined(OPENSSL_API_LEVEL)
+# error "Disallowed to defined both OPENSSL_API_COMPAT and OPENSSL_API_LEVEL"
+#endif
+
+#ifndef OPENSSL_API_COMPAT
+# define OPENSSL_API_LEVEL OPENSSL_MIN_API
+#else
+# if (OPENSSL_API_COMPAT < 0x1000L) /* Major version numbers up to 16777215 */
+#  define OPENSSL_API_LEVEL OPENSSL_API_COMPAT
+# elif (OPENSSL_API_COMPAT & 0xF0000000L) == 0x00000000L
+#  define OPENSSL_API_LEVEL 0
+# elif (OPENSSL_API_COMPAT & 0xFFF00000L) == 0x10000000L
+#  define OPENSSL_API_LEVEL 1
+# elif (OPENSSL_API_COMPAT & 0xFFF00000L) == 0x10100000L
+#  define OPENSSL_API_LEVEL 2
 # else
-#  define OPENSSL_FILE __FILE__
-#  define OPENSSL_LINE __LINE__
+/ * Major number 3 to 15 */
+#  define OPENSSL_API_LEVEL ((OPENSSL_API_COMPAT >> 28) & 0xF)
 # endif
 #endif

-#ifndef OPENSSL_MIN_API
-# define OPENSSL_MIN_API 0
-#endif
-
-#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API
-# undef OPENSSL_API_COMPAT
-# define OPENSSL_API_COMPAT OPENSSL_MIN_API
-#endif
-
 /*
 * Do not deprecate things to be deprecated in version 4.0 before the
 * OpenSSL version number matches.
 */
 #if OPENSSL_VERSION_MAJOR < 4
 # define DEPRECATEDIN_4(f)       f;
-#elif OPENSSL_API_COMPAT < 0x40000000L
+# define OPENSSL_API_4 0
+#elif OPENSSL_API_LEVEL < 4
 # define DEPRECATEDIN_4(f)       DECLARE_DEPRECATED(f)
+# define OPENSSL_API_4 0
 #else
 # define DEPRECATEDIN_4(f)
+# define OPENSSL_API_4 1
 #endif

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if OPENSSL_API_LEVEL < 3
 # define DEPRECATEDIN_3(f)       DECLARE_DEPRECATED(f)
+# define OPENSSL_API_3 0
 #else
 # define DEPRECATEDIN_3(f)
+# define OPENSSL_API_3 1
 #endif

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if OPENSSL_API_LEVEL < 2
 # define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
+# define OPENSSL_API_1_1_0 0
 #else
 # define DEPRECATEDIN_1_1_0(f)
+# define OPENSSL_API_1_1_0 1
 #endif

-#if OPENSSL_API_COMPAT < 0x10000000L
+#if OPENSSL_API_LEVEL < 1
 # define DEPRECATEDIN_1_0_0(f)   DECLARE_DEPRECATED(f)
+# define OPENSSL_API_1_0_0 0
 #else
 # define DEPRECATEDIN_1_0_0(f)
+# define OPENSSL_API_1_0_0 1
 #endif

-#if OPENSSL_API_COMPAT < 0x00908000L
+#if OPENSSL_API_LEVEL < 0
 # define DEPRECATEDIN_0_9_8(f)   DECLARE_DEPRECATED(f)
+# define OPENSSL_API_0_9_8 0
 #else
 # define DEPRECATEDIN_0_9_8(f)
+# define OPENSSL_API_0_9_8 1
+#endif
+
+#ifndef OPENSSL_FILE
+# ifdef OPENSSL_NO_FILENAMES
+#  define OPENSSL_FILE ""
+#  define OPENSSL_LINE 0
+# else
+#  define OPENSSL_FILE __FILE__
+#  define OPENSSL_LINE __LINE__
+# endif
 #endif

 /* Generate 80386 code? */
--- a/include/openssl/pkcs12.h
+++ b/include/openssl/pkcs12.h
@ -55,7 +55,7 @@ typedef struct pkcs12_bag_st PKCS12_BAGS;

 /* Compatibility macros */

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0

 # define M_PKCS12_bag_type PKCS12_bag_type
 # define M_PKCS12_cert_bag_type PKCS12_cert_bag_type
--- a/include/openssl/rand.h
+++ b/include/openssl/rand.h
@ -36,7 +36,7 @@ int RAND_set_rand_engine(ENGINE *engine);

 RAND_METHOD *RAND_OpenSSL(void);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #   define RAND_cleanup() while(0) continue
 # endif
 int RAND_bytes(unsigned char *buf, int num);
--- a/include/openssl/rand_drbg.h
+++ b/include/openssl/rand_drbg.h
@ -36,7 +36,7 @@
 /* Used by RAND_DRBG_set_defaults() to set the private DRBG type and flags. */
 # define RAND_DRBG_FLAG_PRIVATE              0x10

-# if OPENSSL_API_COMPAT < 0x30000000L
+# if !OPENSSL_API_3
 /* This #define was replaced by an internal constant and should not be used. */
 #  define RAND_DRBG_USED_FLAGS  (RAND_DRBG_FLAG_CTR_NO_DF)
 # endif
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@ -17,7 +17,7 @@
 # include <openssl/bio.h>
 # include <openssl/crypto.h>
 # include <openssl/ossl_typ.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/bn.h>
 # endif
 # include <openssl/rsaerr.h>
@ -73,13 +73,13 @@ extern "C" {
 * but other engines might not need it
 */
 # define RSA_FLAG_NO_BLINDING            0x0080
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 /*
 * Does nothing. Previously this switched off constant time behaviour.
 */
 #  define RSA_FLAG_NO_CONSTTIME           0x0000
 # endif
-# if OPENSSL_API_COMPAT < 0x00908000L
+# if !OPENSSL_API_0_9_8
 /* deprecated name for the flag*/
 /*
 * new with 0.9.7h; the built-in RSA
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -16,7 +16,7 @@
 # include <openssl/opensslconf.h>
 # include <openssl/comp.h>
 # include <openssl/bio.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/x509.h>
 #  include <openssl/crypto.h>
 #  include <openssl/buffer.h>
@ -1089,7 +1089,7 @@ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 # define SSL_VERIFY_CLIENT_ONCE          0x04
 # define SSL_VERIFY_POST_HANDSHAKE       0x08

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define OpenSSL_add_ssl_algorithms()   SSL_library_init()
 #  define SSLeay_add_ssl_algorithms()    SSL_library_init()
 # endif
@ -1313,7 +1313,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
        SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
 # define SSL_set_tmp_dh(ssl,dh) \
        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
-# if OPENSSL_API_COMPAT < 0x10200000L
+# if !OPENSSL_API_3
 #  define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
 #  define SSL_set_tmp_ecdh(ssl,ecdh) \
@ -1466,7 +1466,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_get_shared_curve          SSL_get_shared_group


-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 /* Provide some compatibility macros for removed functionality. */
 #  define SSL_CTX_need_tmp_RSA(ctx)                0
 #  define SSL_CTX_set_tmp_rsa(ctx,rsa)             1
@ -1594,7 +1594,7 @@ __owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
 int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
                                       const char *dir);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define SSL_load_error_strings() \
    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \
                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)
@ -1943,7 +1943,7 @@ void SSL_set_accept_state(SSL *s);

 __owur long SSL_get_default_timeout(const SSL *s);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define SSL_library_init() OPENSSL_init_ssl(0, NULL)
 # endif

@ -2072,7 +2072,7 @@ __owur int SSL_COMP_get_id(const SSL_COMP *comp);
 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 __owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
                                                             *meths);
-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define SSL_COMP_free_compression_methods() while(0) continue
 # endif
 __owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
@ -2124,7 +2124,7 @@ size_t SSL_get_num_tickets(SSL *s);
 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
 size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define SSL_cache_hit(s) SSL_session_reused(s)
 # endif

--- a/include/openssl/stack.h
+++ b/include/openssl/stack.h
@ -50,7 +50,7 @@ OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *st);
 void OPENSSL_sk_sort(OPENSSL_STACK *st);
 int OPENSSL_sk_is_sorted(const OPENSSL_STACK *st);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define _STACK OPENSSL_STACK
 #  define sk_num OPENSSL_sk_num
 #  define sk_value OPENSSL_sk_value
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@ -335,7 +335,7 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
 #  define SSL_set_dtlsext_heartbeat_no_requests(ssl, arg) \
        SSL_ctrl(ssl,SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)

-#  if OPENSSL_API_COMPAT < 0x10100000L
+#  if !OPENSSL_API_1_1_0
 #   define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT \
        SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT
 #   define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING \
--- a/include/openssl/ui.h
+++ b/include/openssl/ui.h
@ -12,7 +12,7 @@

 # include <openssl/opensslconf.h>

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/crypto.h>
 # endif
 # include <openssl/safestack.h>
@ -21,7 +21,7 @@
 # include <openssl/uierr.h>

 /* For compatibility reasons, the macro OPENSSL_NO_UI is currently retained */
-# if OPENSSL_API_COMPAT < 0x30000000L
+# if !OPENSSL_API_3
 #  ifdef OPENSSL_NO_UI_CONSOLE
 #   define OPENSSL_NO_UI
 #  endif
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -21,7 +21,7 @@
 # include <openssl/safestack.h>
 # include <openssl/ec.h>

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  include <openssl/rsa.h>
 #  include <openssl/dsa.h>
 #  include <openssl/dh.h>
@ -650,7 +650,7 @@ int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 int X509_up_ref(X509 *x);
 int X509_get_signature_type(const X509 *x);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define X509_get_notBefore X509_getm_notBefore
 #  define X509_get_notAfter X509_getm_notAfter
 #  define X509_set_notBefore X509_set1_notBefore
@ -716,7 +716,7 @@ int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
 int X509_CRL_sort(X509_CRL *crl);
 int X509_CRL_up_ref(X509_CRL *crl);

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
 #  define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
 #endif
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@ -49,7 +49,7 @@ typedef enum {
    X509_LU_X509, X509_LU_CRL
 } X509_LOOKUP_TYPE;

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 #define X509_LU_RETRY   -1
 #define X509_LU_FAIL    0
 #endif
@ -187,7 +187,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);

 /* Certificate verify flags */

-# if OPENSSL_API_COMPAT < 0x10100000L
+# if !OPENSSL_API_1_1_0
 #  define X509_V_FLAG_CB_ISSUER_CHECK             0x0   /* Deprecated */
 # endif
 /* Use check time instead of current time */
@ -357,7 +357,7 @@ X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *c
 X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
 X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # define X509_STORE_CTX_get_chain X509_STORE_CTX_get0_chain
 # define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
 # define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@ -629,7 +629,7 @@ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
                    int crit, unsigned long flags);

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 /* The new declarations are in crypto.h, but the old ones were here. */
 # define hex_to_string OPENSSL_buf2hexstr
 # define string_to_hex OPENSSL_hexstr2buf
--- a/ssl/methods.c
+++ b/ssl/methods.c
@ -172,7 +172,7 @@ IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
                          DTLS_client_method,
                          ssl_undefined_function,
                          ossl_statem_connect, DTLSv1_2_enc_data)
-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 # ifndef OPENSSL_NO_TLS1_2_METHOD
 const SSL_METHOD *TLSv1_2_method(void)
 {
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -4466,7 +4466,7 @@ int SSL_is_server(const SSL *s)
    return s->server;
 }

-#if OPENSSL_API_COMPAT < 0x10100000L
+#if !OPENSSL_API_1_1_0
 void SSL_set_debug(SSL *s, int debug)
 {
    /* Old function was do-nothing anyway... */
--- a/test/asn1_decode_test.c
+++ b/test/asn1_decode_test.c
@ -28,7 +28,7 @@ static unsigned char t_invalid_zero[] = {
    0x02, 0x00                   /* INTEGER tag + length */
 };

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 /* LONG case ************************************************************* */

 typedef struct {
@ -162,7 +162,7 @@ static int test_uint64(void)

 int setup_tests(void)
 {
-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
    ADD_TEST(test_long);
 #endif
    ADD_TEST(test_int32);
--- a/test/asn1_encode_test.c
+++ b/test/asn1_encode_test.c
@ -179,7 +179,7 @@ typedef struct {
    ENCDEC_DATA(-1, -1),                        \
    ENCDEC_DATA(0, ASN1_LONG_UNDEF)

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 /***** LONG ******************************************************************/

 typedef struct {
@ -824,7 +824,7 @@ static int test_intern(const TEST_PACKAGE *package)
    return fail == 0;
 }

-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
 static int test_long_32bit(void)
 {
    return test_intern(&long_test_package_32bit);
@ -858,7 +858,7 @@ static int test_uint64(void)

 int setup_tests(void)
 {
-#if OPENSSL_API_COMPAT < 0x30000000L
+#if !OPENSSL_API_3
    ADD_TEST(test_long_32bit);
    ADD_TEST(test_long_64bit);
 #endif
--- a/util/perl/OpenSSL/ParseC.pm
+++ b/util/perl/OpenSSL/ParseC.pm
@ -65,24 +65,11 @@ my @opensslcpphandlers = (
    # These are used to convert certain pre-precessor expressions into
    # others that @cpphandlers have a better chance to understand.

-    { regexp   => qr/#if OPENSSL_API_COMPAT(\S+)(0x[0-9a-fA-F]{8})L$/,
+    { regexp   => qr/#if (!?)OPENSSL_API_([0-9_]+)$/,
      massager => sub {
-          my $op = $1;
-          my $v = hex($2);
-          if ($op ne '<' && $op ne '>=') {
-              die "Error: unacceptable operator $op: $_[0]\n";
-          }
-          my ($major, $minor, $edit) =
-              ( ($v >> 28) & 0xf,
-                ($v >> 20) & 0xff,
-                ($v >> 12) & 0xff );
-          my $t = "DEPRECATEDIN_" .
-              ($major <= 1
-               ? "${major}_${minor}_${edit}"
-               : "${major}");
-          my $cond = $op eq '<' ? 'ifndef' : 'ifdef';
+          my $cnd = $1 eq '!' ? 'ndef' : 'def';
          return (<<"EOF");
-#$cond $t
+#if$cnd DEPRECATEDIN_$2
 EOF
      }
   }