From: Matt Caswell Date: Wed, 20 Jan 2021 15:29:59 +0000 (+0000) Subject: Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg X-Git-Tag: openssl-3.0.0-alpha12~110 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e376242d28e08591af229674a2816ac6f4bb8fdf;p=thirdparty%2Fopenssl.git Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg We should no longer be relying on compile time checks in libssl for the availability of crypto algorithms. The availability of crypto algorithms should be determined at runtime based on what providers have been loaded. Fixes #13616 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13916) --- diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 00956547e76..f3295143246 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -194,14 +194,9 @@ extern "C" { * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() * Update both macro and function simultaneously */ -# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_CHACHA20_POLY1305_SHA256:" \ - "TLS_AES_128_GCM_SHA256" -# else -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ + "TLS_CHACHA20_POLY1305_SHA256:" \ "TLS_AES_128_GCM_SHA256" -# endif # endif /* * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 1e297d23d57..cf4d5fe4e7b 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -297,10 +297,8 @@ int ssl3_setup_key_block(SSL *s) if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3.need_empty_fragments = 0; -#ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3.need_empty_fragments = 0; -#endif } } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 12876add7f8..ec19eeacc3d 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c 
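Review bot: With the `#ifndef OPENSSL_NO_RC4` guard gone in the ssl3_setup_key_block hunk of ssl/s3_enc.c, the RC4 test is now an unconditional twin of the SSL_eNULL test directly above it, both assigning the same field, so the two can be folded into one condition: `if (s->session->cipher->algorithm_enc == SSL_eNULL || s->session->cipher->algorithm_enc == SSL_RC4) s->s3.need_empty_fragments = 0;`. The identical pair appears in the tls1_setup_key_block hunk of ssl/t1_enc.c and should be merged the same way. A short comment on why these two cipher kinds need no empty fragments would help the next reader, since the hunk gives no hint; the enclosing functions begin and end outside the hunks.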
@@ -66,7 +66,6 @@ static SSL_CIPHER tls13_ciphers[] = { 256, 256, }, -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) { 1, TLS1_3_RFC_CHACHA20_POLY1305_SHA256, @@ -83,7 +82,6 @@ static SSL_CIPHER tls13_ciphers[] = { 256, 256, }, -#endif { 1, TLS1_3_RFC_AES_128_CCM_SHA256, @@ -2036,7 +2034,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, }, -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) { 1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, @@ -2149,10 +2146,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* !defined(OPENSSL_NO_CHACHA) && - * !defined(OPENSSL_NO_POLY1305) */ -#ifndef OPENSSL_NO_CAMELLIA { 1, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, @@ -2601,7 +2595,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_CAMELLIA */ #ifndef OPENSSL_NO_GOST { @@ -2718,7 +2711,6 @@ static SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_GOST */ -#ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, @@ -2735,9 +2727,7 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -#endif -#ifndef OPENSSL_NO_SEED { 1, TLS1_TXT_RSA_WITH_SEED_SHA, @@ -2802,7 +2792,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 128, 128, }, -#endif /* OPENSSL_NO_SEED */ #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS { @@ -2967,7 +2956,6 @@ static SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */ -#ifndef OPENSSL_NO_ARIA { 1, TLS1_TXT_RSA_WITH_ARIA_128_GCM_SHA256, @@ -3224,7 +3212,6 @@ static SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#endif /* OPENSSL_NO_ARIA */ }; /* @@ -4120,9 +4107,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *prio, *allow; int i, ii, ok, prefer_sha256 = 0; unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0; -#ifndef OPENSSL_NO_CHACHA STACK_OF(SSL_CIPHER) *prio_chacha = NULL; -#endif /* Let's see which ciphers we can support */ 
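Review bot: The ssl3_ciphers and tls13_ciphers hunks make the ChaCha20-Poly1305, Camellia, IDEA, SEED and ARIA entries unconditional, but nothing in these hunks shows what now keeps such an entry out of the negotiable set when no loaded provider supplies that cipher; presumably the runtime disabled-mask computed in ssl_load_ciphers() takes over that role, and the commit message would benefit from saying so explicitly. It is worth confirming that every algorithm_enc value these entries use is covered by that mask, since an entry that survives both the compile-time and the runtime filter would be advertised in a ClientHello or selectable by the server without a usable implementation. Note also that the `#ifndef OPENSSL_NO_GOST` and `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS` guards in the same table are left in place; the WEAK one is a policy switch rather than an algorithm, but GOST falls under the rule in the description, so a one-line justification for keeping it would avoid the next reader treating it as an oversight.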
@@ -4155,7 +4140,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = srvr; allow = clnt; -#ifndef OPENSSL_NO_CHACHA + /* If ChaCha20 is at the top of the client preference list, and there are ChaCha20 ciphers in the server list, then temporarily prioritize all ChaCha20 ciphers in the servers list. */ @@ -4194,7 +4179,6 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } } } -# endif } else { prio = clnt; allow = srvr; @@ -4308,9 +4292,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, break; } } -#ifndef OPENSSL_NO_CHACHA + sk_SSL_CIPHER_free(prio_chacha); -#endif + return ret; } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 43dcf2d6fea..d5177998958 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -2215,8 +2215,6 @@ const char *OSSL_default_cipher_list(void) const char *OSSL_default_ciphersuites(void) { return "TLS_AES_256_GCM_SHA384:" -#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) "TLS_CHACHA20_POLY1305_SHA256:" -#endif "TLS_AES_128_GCM_SHA256"; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 67d148473e1..531872bfb03 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -597,10 +597,8 @@ int tls1_setup_key_block(SSL *s) if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3.need_empty_fragments = 0; -#ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3.need_empty_fragments = 0; -#endif } } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 5101c7a4da3..a7b5a6cc3fc 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c 
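Review bot: In the ssl3_choose_cipher hunks at -4155 and -4308 the `#ifndef OPENSSL_NO_CHACHA` / `#endif` lines are replaced by `+` empty lines rather than deleted, leaving a stray blank before the ChaCha20 preference comment and `sk_SSL_CIPHER_free(prio_chacha);` isolated between two blank lines before `return ret;`. Drop those added empty lines so the free sits directly after the closing braces and before `return ret;`, matching the surrounding code. The same blank-for-directive substitution appears around the DSA block in the tls12_sigalgs hunk of ssl/t1_lib.c. ssl3_choose_cipher starts and ends outside these hunks.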
@@ -981,14 +981,14 @@ static const uint16_t tls12_sigalgs[] = { TLSEXT_SIGALG_rsa_pkcs1_sha224, TLSEXT_SIGALG_rsa_pkcs1_sha1, -#ifndef OPENSSL_NO_DSA + TLSEXT_SIGALG_dsa_sha224, TLSEXT_SIGALG_dsa_sha1, TLSEXT_SIGALG_dsa_sha256, TLSEXT_SIGALG_dsa_sha384, TLSEXT_SIGALG_dsa_sha512, -#endif + #ifndef OPENSSL_NO_GOST TLSEXT_SIGALG_gostr34102012_256_intrinsic, TLSEXT_SIGALG_gostr34102012_512_intrinsic, @@ -1059,7 +1059,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {"rsa_pkcs1_sha1", TLSEXT_SIGALG_rsa_pkcs1_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_RSA, SSL_PKEY_RSA, NID_sha1WithRSAEncryption, NID_undef, 1}, -#ifndef OPENSSL_NO_DSA {NULL, TLSEXT_SIGALG_dsa_sha256, NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, NID_dsa_with_SHA256, NID_undef, 1}, @@ -1075,7 +1074,6 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = { {NULL, TLSEXT_SIGALG_dsa_sha1, NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_DSA, SSL_PKEY_DSA_SIGN, NID_dsaWithSHA1, NID_undef, 1}, -#endif #ifndef OPENSSL_NO_GOST {NULL, TLSEXT_SIGALG_gostr34102012_256_intrinsic, NID_id_GostR3411_2012_256, SSL_MD_GOST12_256_IDX,
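Review bot: The tls12_sigalgs and sigalg_lookup_tbl hunks make the five DSA entries unconditional, but the hunks do not show what now prevents a DSA signature scheme from being advertised or accepted when the loaded providers cannot sign or verify with DSA; the compile-time guard previously guaranteed that, and the replacement is presumably the runtime table setup in ssl_setup_sig_algs(). It is worth confirming that this setup disables an entry when the key type is unavailable and not only when its digest cannot be fetched, otherwise a peer could be offered `TLSEXT_SIGALG_dsa_sha256` and friends that the local side cannot actually use. A comment at the DSA group such as `/* Availability of DSA is decided at runtime from the loaded providers */` would document the new contract in place of the removed `#ifndef OPENSSL_NO_DSA`.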