OPENSSL_NO_xxx cleanup: SHA

Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
	GENUINE_DSA         OPENSSL_NO_SHA0
	OPENSSL_NO_SHA      OPENSSL_NO_SHA1
	OPENSSL_NO_SHA224   OPENSSL_NO_SHA256
	OPENSSL_NO_SHA384   OPENSSL_NO_SHA512

Reviewed-by: Richard Levitte <levitte@openssl.org>

6 files changed, 5 insertions, 66 deletions

diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e5a04ac..53e3c87 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -328,9 +328,6 @@ static void tls1_sha1_final_raw(void *ctx, unsigned char *md_out)
     l2n(sha1->h4, md_out);
 }
 
-#define LARGEST_DIGEST_CTX SHA_CTX
-
-#ifndef OPENSSL_NO_SHA256
 static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
 {
     SHA256_CTX *sha256 = ctx;
@@ -341,11 +338,6 @@ static void tls1_sha256_final_raw(void *ctx, unsigned char *md_out)
     }
 }
 
-# undef  LARGEST_DIGEST_CTX
-# define LARGEST_DIGEST_CTX SHA256_CTX
-#endif
-
-#ifndef OPENSSL_NO_SHA512
 static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
 {
     SHA512_CTX *sha512 = ctx;
@@ -356,9 +348,8 @@ static void tls1_sha512_final_raw(void *ctx, unsigned char *md_out)
     }
 }
 
-# undef  LARGEST_DIGEST_CTX
-# define LARGEST_DIGEST_CTX SHA512_CTX
-#endif
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA512_CTX
 
 /*
  * ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
@@ -371,14 +362,10 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
     switch (EVP_MD_CTX_type(ctx)) {
     case NID_md5:
     case NID_sha1:
-#ifndef OPENSSL_NO_SHA256
     case NID_sha224:
     case NID_sha256:
-#endif
-#ifndef OPENSSL_NO_SHA512
     case NID_sha384:
     case NID_sha512:
-#endif
         return 1;
     default:
         return 0;
@@ -465,7 +452,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
             (void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
         md_size = 20;
         break;
-#ifndef OPENSSL_NO_SHA256
     case NID_sha224:
         SHA224_Init((SHA256_CTX *)md_state.c);
         md_final_raw = tls1_sha256_final_raw;
@@ -480,8 +466,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
             (void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
         md_size = 32;
         break;
-#endif
-#ifndef OPENSSL_NO_SHA512
     case NID_sha384:
         SHA384_Init((SHA512_CTX *)md_state.c);
         md_final_raw = tls1_sha512_final_raw;
@@ -500,7 +484,6 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
         md_block_size = 128;
         md_length_size = 16;
         break;
-#endif
     default:
         /*
          * ssl3_cbc_record_digest_supported should have been called first to
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 93518b8..a383eee 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2225,11 +2225,7 @@ int ssl3_get_new_session_ticket(SSL *s)
      */
     EVP_Digest(p, ticklen,
                s->session->session_id, &s->session->session_id_length,
-# ifndef OPENSSL_NO_SHA256
                EVP_sha256(), NULL);
-# else
-               EVP_sha1(), NULL);
-# endif
     ret = 1;
     return (ret);
  f_err:
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ccc418a..e929658 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3385,7 +3385,7 @@ int ssl3_send_newsession_ticket(SSL *s)
             EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
                                tctx->tlsext_tick_aes_key, iv);
             HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
-                         tlsext_tick_md(), NULL);
+                         EVP_sha256(), NULL);
             memcpy(key_name, tctx->tlsext_tick_key_name, 16);
         }
 
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index fdf1481..3843aef 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -91,14 +91,10 @@ int SSL_library_init(void)
     EVP_add_cipher(EVP_aes_256_cbc());
     EVP_add_cipher(EVP_aes_128_gcm());
     EVP_add_cipher(EVP_aes_256_gcm());
-# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
     EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
-# endif
-# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA256)
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
     EVP_add_cipher(EVP_aes_256_cbc_hmac_sha256());
-# endif
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
     EVP_add_cipher(EVP_camellia_128_cbc());
@@ -113,20 +109,14 @@ int SSL_library_init(void)
     EVP_add_digest(EVP_md5());
     EVP_add_digest_alias(SN_md5, "ssl3-md5");
 #endif
-#ifndef OPENSSL_NO_SHA
     EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
     EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
     EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-#endif
-#ifndef OPENSSL_NO_SHA256
     EVP_add_digest(EVP_sha224());
     EVP_add_digest(EVP_sha256());
-#endif
-#ifndef OPENSSL_NO_SHA512
     EVP_add_digest(EVP_sha384());
     EVP_add_digest(EVP_sha512());
-#endif
-#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
+#if !defined(OPENSSL_NO_DSA)
     EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
     EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
     EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
@@ -135,11 +125,6 @@ int SSL_library_init(void)
 #ifndef OPENSSL_NO_ECDSA
     EVP_add_digest(EVP_ecdsa());
 #endif
-    /* If you want support for phased out ciphers, add the following */
-#if 0
-    EVP_add_digest(EVP_sha());
-    EVP_add_digest(EVP_dss());
-#endif
 #ifndef OPENSSL_NO_COMP
     /*
      * This will initialise the built-in compression algorithms. The value
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f58a605..fcf5f8d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1329,11 +1329,6 @@ int tls1_process_heartbeat(SSL *s);
 int dtls1_process_heartbeat(SSL *s);
 #   endif
 
-#   ifdef OPENSSL_NO_SHA256
-#    define tlsext_tick_md  EVP_sha1
-#   else
-#    define tlsext_tick_md  EVP_sha256
-#   endif
 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                         const unsigned char *limit, SSL_SESSION **ret);
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 115aab5..6a1ed6a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -906,17 +906,11 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
                 tlsext_sigalg_ecdsa(md)
 
 static const unsigned char tls12_sigalgs[] = {
-# ifndef OPENSSL_NO_SHA512
     tlsext_sigalg(TLSEXT_hash_sha512)
         tlsext_sigalg(TLSEXT_hash_sha384)
-# endif
-# ifndef OPENSSL_NO_SHA256
         tlsext_sigalg(TLSEXT_hash_sha256)
         tlsext_sigalg(TLSEXT_hash_sha224)
-# endif
-# ifndef OPENSSL_NO_SHA
         tlsext_sigalg(TLSEXT_hash_sha1)
-# endif
 };
 
 # ifndef OPENSSL_NO_ECDSA
@@ -3318,7 +3312,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
         if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
             return 2;
         HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
-                     tlsext_tick_md(), NULL);
+                     EVP_sha256(), NULL);
         EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
                            tctx->tlsext_tick_aes_key, etick + 16);
     }
@@ -3462,25 +3456,11 @@ static const tls12_hash_info tls12_md_info[] = {
 # else
     {NID_md5, 64, EVP_md5},
 # endif
-# ifdef OPENSSL_NO_SHA
-    {NID_sha1, 80, 0},
-# else
     {NID_sha1, 80, EVP_sha1},
-# endif
-# ifdef OPENSSL_NO_SHA256
-    {NID_sha224, 112, 0},
-    {NID_sha256, 128, 0},
-# else
     {NID_sha224, 112, EVP_sha224},
     {NID_sha256, 128, EVP_sha256},
-# endif
-# ifdef OPENSSL_NO_SHA512
-    {NID_sha384, 192, 0},
-    {NID_sha512, 256, 0}
-# else
     {NID_sha384, 192, EVP_sha384},
     {NID_sha512, 256, EVP_sha512}
-# endif
 };
 
 static const tls12_hash_info *tls12_get_hash_info(unsigned char hash_alg)