src: simplify OpenSSL feature gates

panva · aduh95 · commit 592f741bd0f3 · 2026-05-19T14:08:24.000+02:00
Add OPENSSL_WITH_* feature macros for crypto capabilities that vary by OpenSSL version and use those instead of repeating version checks. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63255 Refs: electron/electron#36256 Refs: electron/electron#41720 Refs: electron/electron#51127 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
@@ -20,7 +20,7 @@
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include <openssl/provider.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L
+#if OPENSSL_WITH_ARGON2
 #include <openssl/thread.h>
 #endif
 #endif
@@ -1955,8 +1955,7 @@ DataPointer pbkdf2(const Digest& md,
   return {};
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L
-#ifndef OPENSSL_NO_ARGON2
+#if OPENSSL_WITH_ARGON2
 DataPointer argon2(const Buffer<const char>& pass,
                    const Buffer<const unsigned char>& salt,
                    uint32_t lanes,
@@ -2049,7 +2048,6 @@ DataPointer argon2(const Buffer<const char>& pass,
   return {};
 }
 #endif
-#endif
 
 // ============================================================================
 
@@ -4614,7 +4612,7 @@ HMACCtxPointer HMACCtxPointer::New() {
   return HMACCtxPointer(HMAC_CTX_new());
 }
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KMAC
 EVPMacPointer::EVPMacPointer(EVP_MAC* mac) : mac_(mac) {}
 
 EVPMacPointer::EVPMacPointer(EVPMacPointer&& other) noexcept
@@ -4702,7 +4700,7 @@ EVPMacCtxPointer EVPMacCtxPointer::New(EVP_MAC* mac) {
   if (!mac) return EVPMacCtxPointer();
   return EVPMacCtxPointer(EVP_MAC_CTX_new(mac));
 }
-#endif  // OPENSSL_VERSION_MAJOR >= 3
+#endif  // OPENSSL_WITH_KMAC
 
 DataPointer hashDigest(const Buffer<const unsigned char>& buf,
                        const EVP_MD* md) {
@@ -4849,16 +4847,16 @@ const Digest Digest::FromName(const char* name) {
 
 // ============================================================================
 // KEM Implementation
-#if OPENSSL_VERSION_MAJOR >= 3
-#if !OPENSSL_VERSION_PREREQ(3, 5)
+#if OPENSSL_WITH_KEM
+#if OPENSSL_WITH_KEM_OPERATION_PARAM
 bool KEM::SetOperationParameter(EVP_PKEY_CTX* ctx, const EVPKeyPointer& key) {
   const char* operation = nullptr;
 
   switch (EVP_PKEY_id(key.get())) {
     case EVP_PKEY_RSA:
       operation = OSSL_KEM_PARAM_OPERATION_RSASVE;
       break;
-#if OPENSSL_VERSION_PREREQ(3, 2)
+#if OPENSSL_WITH_OPENSSL_DHKEM
     case EVP_PKEY_EC:
     case EVP_PKEY_X25519:
     case EVP_PKEY_X448:
@@ -4895,7 +4893,7 @@ std::optional<KEM::EncapsulateResult> KEM::Encapsulate(
     return std::nullopt;
   }
 
-#if !OPENSSL_VERSION_PREREQ(3, 5)
+#if OPENSSL_WITH_KEM_OPERATION_PARAM
   if (!SetOperationParameter(ctx.get(), public_key)) {
     return std::nullopt;
   }
@@ -4936,7 +4934,7 @@ DataPointer KEM::Decapsulate(const EVPKeyPointer& private_key,
     return {};
   }
 
-#if !OPENSSL_VERSION_PREREQ(3, 5)
+#if OPENSSL_WITH_KEM_OPERATION_PARAM
   if (!SetOperationParameter(ctx.get(), private_key)) {
     return {};
   }
@@ -4966,6 +4964,6 @@ DataPointer KEM::Decapsulate(const EVPKeyPointer& private_key,
   return shared_key;
 }
 
-#endif  // OPENSSL_VERSION_MAJOR >= 3
+#endif  // OPENSSL_WITH_KEM
 
 }  // namespace ncrypto
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
@@ -42,20 +42,67 @@
 
 // The FIPS-related functions are only available
 // when the OpenSSL itself was compiled with FIPS support.
-#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3
+#if defined(OPENSSL_FIPS) && !OPENSSL_VERSION_PREREQ(3, 0)
 #include <openssl/fips.h>
 #endif  // OPENSSL_FIPS
 
-// Define OPENSSL_WITH_PQC for post-quantum cryptography support
-#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#define OPENSSL_WITH_AES_OCB 1
+#else
+#define OPENSSL_WITH_AES_OCB 0
+#endif
+
+#if !defined(OPENSSL_NO_ARGON2) && OPENSSL_VERSION_PREREQ(3, 2)
+#define OPENSSL_WITH_ARGON2 1
+#else
+#define OPENSSL_WITH_ARGON2 0
+#endif
+
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#define OPENSSL_WITH_KEM 1
+#else
+#define OPENSSL_WITH_KEM 0
+#endif
+
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#define OPENSSL_WITH_KMAC 1
+#else
+#define OPENSSL_WITH_KMAC 0
+#endif
+
+#if OPENSSL_VERSION_PREREQ(3, 2)
+#define OPENSSL_WITH_SIGNATURE_CONTEXT_STRING 1
+#else
+#define OPENSSL_WITH_SIGNATURE_CONTEXT_STRING 0
+#endif
+
+#if !defined(OPENSSL_IS_BORINGSSL) && OPENSSL_VERSION_PREREQ(3, 2)
+#define OPENSSL_WITH_OPENSSL_DHKEM 1
+#else
+#define OPENSSL_WITH_OPENSSL_DHKEM 0
+#endif
+
+#if OPENSSL_WITH_KEM && !OPENSSL_VERSION_PREREQ(3, 5)
+#define OPENSSL_WITH_KEM_OPERATION_PARAM 1
+#else
+#define OPENSSL_WITH_KEM_OPERATION_PARAM 0
+#endif
+
+// Define OPENSSL_WITH_PQC for post-quantum cryptography support.
+#if OPENSSL_VERSION_PREREQ(3, 5)
 #define OPENSSL_WITH_PQC 1
+#else
+#define OPENSSL_WITH_PQC 0
+#endif
+
+#if OPENSSL_WITH_PQC
 #define EVP_PKEY_ML_KEM_512 NID_ML_KEM_512
 #define EVP_PKEY_ML_KEM_768 NID_ML_KEM_768
 #define EVP_PKEY_ML_KEM_1024 NID_ML_KEM_1024
 #include <openssl/core_names.h>
 #endif
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_VERSION_PREREQ(3, 0)
 #define OSSL3_CONST const
 #else
 #define OSSL3_CONST
@@ -1492,7 +1539,7 @@ class HMACCtxPointer final {
   DeleteFnPtr<HMAC_CTX, HMAC_CTX_free> ctx_;
 };
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KMAC
 class EVPMacPointer final {
  public:
   EVPMacPointer() = default;
@@ -1540,7 +1587,7 @@ class EVPMacCtxPointer final {
  private:
   DeleteFnPtr<EVP_MAC_CTX, EVP_MAC_CTX_free> ctx_;
 };
-#endif  // OPENSSL_VERSION_MAJOR >= 3
+#endif  // OPENSSL_WITH_KMAC
 
 #ifndef OPENSSL_NO_ENGINE
 class EnginePointer final {
@@ -1653,8 +1700,7 @@ DataPointer pbkdf2(const Digest& md,
                    uint32_t iterations,
                    size_t length);
 
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L
-#ifndef OPENSSL_NO_ARGON2
+#if OPENSSL_WITH_ARGON2
 enum class Argon2Type { ARGON2D, ARGON2I, ARGON2ID };
 
 DataPointer argon2(const Buffer<const char>& pass,
@@ -1668,11 +1714,10 @@ DataPointer argon2(const Buffer<const char>& pass,
                    const Buffer<const unsigned char>& ad,
                    Argon2Type type);
 #endif
-#endif
 
 // ============================================================================
 // KEM (Key Encapsulation Mechanism)
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KEM
 
 class KEM final {
  public:
@@ -1696,13 +1741,13 @@ class KEM final {
                                  const Buffer<const void>& ciphertext);
 
  private:
-#if !OPENSSL_VERSION_PREREQ(3, 5)
+#if OPENSSL_WITH_KEM_OPERATION_PARAM
   static bool SetOperationParameter(EVP_PKEY_CTX* ctx,
                                     const EVPKeyPointer& key);
 #endif
 };
 
-#endif  // OPENSSL_VERSION_MAJOR >= 3
+#endif  // OPENSSL_WITH_KEM
 
 // ============================================================================
 // Version metadata
diff --git a/src/crypto/crypto_aes.h b/src/crypto/crypto_aes.h
@@ -26,7 +26,7 @@ constexpr unsigned kNoAuthTagLength = static_cast<unsigned>(-1);
   V(KW_192, AES_Cipher, ncrypto::Cipher::AES_192_KW)                           \
   V(KW_256, AES_Cipher, ncrypto::Cipher::AES_256_KW)
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_AES_OCB
 #define VARIANTS_OCB(V)                                                        \
   V(OCB_128, AES_Cipher, ncrypto::Cipher::AES_128_OCB)                         \
   V(OCB_192, AES_Cipher, ncrypto::Cipher::AES_192_OCB)                         \
diff --git a/src/crypto/crypto_argon2.cc b/src/crypto/crypto_argon2.cc
@@ -2,8 +2,7 @@
 #include "async_wrap-inl.h"
 #include "threadpoolwork-inl.h"
 
-#if OPENSSL_VERSION_NUMBER >= 0x30200000L
-#ifndef OPENSSL_NO_ARGON2
+#if OPENSSL_WITH_ARGON2
 #include <openssl/core_names.h>
 
 namespace node::crypto {
@@ -159,4 +158,3 @@ void Argon2::RegisterExternalReferences(ExternalReferenceRegistry* registry) {
 }  // namespace node::crypto
 
 #endif
-#endif
diff --git a/src/crypto/crypto_argon2.h b/src/crypto/crypto_argon2.h
@@ -6,7 +6,7 @@
 #include "crypto/crypto_util.h"
 
 namespace node::crypto {
-#if !defined(OPENSSL_NO_ARGON2) && OPENSSL_VERSION_NUMBER >= 0x30200000L
+#if OPENSSL_WITH_ARGON2
 
 // Argon2 is a password-based key derivation algorithm
 // defined in https://datatracker.ietf.org/doc/html/rfc9106
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
@@ -711,7 +711,7 @@ bool CipherBase::Final(std::unique_ptr<BackingStore>* out) {
       static_cast<size_t>(ctx_.getBlockSize()),
       BackingStoreInitializationMode::kUninitialized);
 
-#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
+#if !OPENSSL_VERSION_PREREQ(3, 0)
   // OpenSSL v1.x doesn't verify the presence of the auth tag so do
   // it ourselves, see https://github.com/nodejs/node/issues/45874.
   if (kind_ == kDecipher && ctx_.isChaCha20Poly1305() &&
diff --git a/src/crypto/crypto_kem.cc b/src/crypto/crypto_kem.cc
@@ -1,6 +1,6 @@
 #include "crypto/crypto_kem.h"
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KEM
 
 #include "async_wrap-inl.h"
 #include "base_object-inl.h"
diff --git a/src/crypto/crypto_kem.h b/src/crypto/crypto_kem.h
@@ -10,7 +10,7 @@
 #include "memory_tracker.h"
 #include "node_external_reference.h"
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KEM
 
 namespace node {
 namespace crypto {
diff --git a/src/crypto/crypto_kmac.cc b/src/crypto/crypto_kmac.cc
@@ -3,7 +3,7 @@
 #include "node_internals.h"
 #include "threadpoolwork-inl.h"
 
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KMAC
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include "crypto/crypto_keys.h"
@@ -220,4 +220,4 @@ void Kmac::RegisterExternalReferences(ExternalReferenceRegistry* registry) {
 
 }  // namespace node::crypto
 
-#endif
+#endif  // OPENSSL_WITH_KMAC
diff --git a/src/crypto/crypto_kmac.h b/src/crypto/crypto_kmac.h
@@ -10,8 +10,7 @@
 
 namespace node::crypto {
 
-// KMAC (Keccak Message Authentication Code) is available since OpenSSL 3.0.
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KMAC
 
 enum class KmacVariant { KMAC128, KMAC256 };
 
@@ -72,7 +71,7 @@ namespace Kmac {
 void Initialize(Environment* env, v8::Local<v8::Object> target) {}
 void RegisterExternalReferences(ExternalReferenceRegistry* registry) {}
 }  // namespace Kmac
-#endif
+#endif  // OPENSSL_WITH_KMAC
 
 }  // namespace node::crypto
 
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
@@ -237,9 +237,8 @@ bool UseP1363Encoding(const EVPKeyPointer& key, const DSASigEnc dsa_encoding) {
 }
 
 bool SupportsContextString(const EVPKeyPointer& key) {
-#if OPENSSL_VERSION_NUMBER < 0x3020000fL
-  return false;
-#else
+  if (!OPENSSL_WITH_SIGNATURE_CONTEXT_STRING) return false;
+
   switch (key.id()) {
     case EVP_PKEY_ED25519:
     case EVP_PKEY_ED448:
@@ -264,7 +263,6 @@ bool SupportsContextString(const EVPKeyPointer& key) {
     default:
       return false;
   }
-#endif
 }
 }  // namespace
 
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -61,21 +61,24 @@ namespace crypto {
   V(Verify)                                                                    \
   V(X509Certificate)
 
-#if !defined(OPENSSL_NO_ARGON2) && OPENSSL_VERSION_NUMBER >= 0x30200000L
+#if OPENSSL_WITH_ARGON2
 #define ARGON2_NAMESPACE_LIST(V) V(Argon2)
 #else
 #define ARGON2_NAMESPACE_LIST(V)
-#endif  // !OPENSSL_NO_ARGON2 && OpenSSL >= 3.2
+#endif  // OPENSSL_WITH_ARGON2
 
-// KEM and KMAC functionality requires OpenSSL 3.0.0 or later
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KEM
 #define KEM_NAMESPACE_LIST(V) V(KEM)
-#define KMAC_NAMESPACE_LIST(V) V(Kmac)
 #else
 #define KEM_NAMESPACE_LIST(V)
-#define KMAC_NAMESPACE_LIST(V)
 #endif
 
+#if OPENSSL_WITH_KMAC
+#define KMAC_NAMESPACE_LIST(V) V(Kmac)
+#else
+#define KMAC_NAMESPACE_LIST(V)
+#endif  // OPENSSL_WITH_KMAC
+
 #define TURBOSHAKE_NAMESPACE_LIST(V) V(TurboShake)
 
 #ifdef OPENSSL_NO_SCRYPT
diff --git a/src/node_crypto.h b/src/node_crypto.h
@@ -40,8 +40,10 @@
 #include "crypto/crypto_hash.h"
 #include "crypto/crypto_hkdf.h"
 #include "crypto/crypto_hmac.h"
-#if OPENSSL_VERSION_MAJOR >= 3
+#if OPENSSL_WITH_KEM
 #include "crypto/crypto_kem.h"
+#endif
+#if OPENSSL_WITH_KMAC
 #include "crypto/crypto_kmac.h"
 #endif
 #include "crypto/crypto_keygen.h"
