authorMatt Caswell <matt@openssl.org>2020-10-16 16:35:44 +0100
committerMatt Caswell <matt@openssl.org>2020-11-18 14:14:52 +0000
commit13c453728c076d5c1a65a5fd9424e15a9964d755 (patch)
tree2adfcc10718f85bab39f1ffcbdb5dff63efe6b69 /ssl
parent163f6dc1f70f30de46a68137c36e70cae4d95cd8 (diff)
Only disabled what we need to in a no-dh build
no-dh disables the low-level API for DH. However, since we're now using the high-level EVP API in most places, we don't need to disable quite so much. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/s3_lib.c4
-rw-r--r--ssl/ssl_cert.c7
-rw-r--r--ssl/ssl_lib.c6
-rw-r--r--ssl/ssl_local.h7
-rw-r--r--ssl/statem/statem_srvr.c6
5 files changed, 11 insertions, 19 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8a572b8dd3..d67aa31d46 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3451,8 +3451,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_FLAGS:
ret = (int)(s->s3.flags);
break;
-#ifndef OPENSSL_NO_DH
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
case SSL_CTRL_SET_TMP_DH:
{
EVP_PKEY *pkdh = NULL;
@@ -3477,7 +3476,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SET_DH_AUTO:
s->cert->dh_tmp_auto = larg;
return 1;
-#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_TMP_ECDH:
{
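Review bot: The combined `#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)` on the new side of the first hunk replaces two nested directives, but only one of the two original closers is removed (the `#endif` after `SSL_CTRL_SET_DH_AUTO`); the inner `# endif` that follows the `SSL_CTRL_SET_TMP_DH` case lies between the two hunks and is not visible here. If it still uses the nested-indent spelling `# endif`, it now closes a single-level `#if` and should read `#endif` to match the new opener. A short comment would also help a reader see why `SSL_CTRL_SET_DH_AUTO` is now compiled in a no-dh configuration, e.g. `/* dh_tmp_auto needs no low-level DH API, so it stays available in no-dh builds */` above `case SSL_CTRL_SET_DH_AUTO:`. ssl3_ctrl starts and ends outside both hunks.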
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index ee56e681b4..4f085dd7e6 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -90,14 +90,15 @@ CERT *ssl_cert_dup(CERT *cert)
OPENSSL_free(ret);
return NULL;
}
-#ifndef OPENSSL_NO_DH
+
if (cert->dh_tmp != NULL) {
ret->dh_tmp = cert->dh_tmp;
EVP_PKEY_up_ref(ret->dh_tmp);
}
+#ifndef OPENSSL_NO_DH
ret->dh_tmp_cb = cert->dh_tmp_cb;
- ret->dh_tmp_auto = cert->dh_tmp_auto;
#endif
+ ret->dh_tmp_auto = cert->dh_tmp_auto;
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = cert->pkeys + i;
@@ -232,9 +233,7 @@ void ssl_cert_free(CERT *c)
return;
REF_ASSERT_ISNT(i < 0);
-#ifndef OPENSSL_NO_DH
EVP_PKEY_free(c->dh_tmp);
-#endif
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8f6771da3d..bb0eec9b5f 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3504,11 +3504,11 @@ void ssl_set_masks(SSL *s)
if (c == NULL)
return;
+ dh_tmp = (c->dh_tmp != NULL
#ifndef OPENSSL_NO_DH
- dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
-#else
- dh_tmp = 0;
+ || c->dh_tmp_cb != NULL
#endif
+ || c->dh_tmp_auto);
rsa_enc = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
rsa_sign = pvalid[SSL_PKEY_RSA] & CERT_PKEY_VALID;
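Review bot: The new `dh_tmp` expression in ssl_set_masks is split across a preprocessor conditional, so a reader of a no-dh build sees `dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_auto);` with no indication that DHE is now deliberately still offered in that configuration. A comment above the assignment would record the intent, e.g. `/* no-dh removes only the legacy DH callback; an EVP_PKEY in dh_tmp or dh_tmp_auto still enables DHE */`. This also documents that, unlike before the change, a no-dh server can select DHE-based cipher suites when automatic DH parameters are enabled; that appears to be what the commit message intends, but it is worth stating at the point where the key-exchange mask is derived. ssl_set_masks continues outside the hunk.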
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 67bb0a8d52..a14d97b8e9 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2004,11 +2004,12 @@ typedef struct cert_st {
* an index, not a pointer.
*/
CERT_PKEY *key;
-# ifndef OPENSSL_NO_DH
+
EVP_PKEY *dh_tmp;
+#ifndef OPENSSL_NO_DH
DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize);
+#endif
int dh_tmp_auto;
-# endif
/* Flags related to certificates */
uint32_t cert_flags;
CERT_PKEY pkeys[SSL_PKEY_NUM];
@@ -2692,9 +2693,7 @@ void tls1_set_cert_validity(SSL *s);
__owur int ssl_validate_ct(SSL *s);
# endif
-# ifndef OPENSSL_NO_DH
__owur EVP_PKEY *ssl_get_auto_dh(SSL *s);
-# endif
__owur int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee);
__owur int ssl_security_cert_chain(SSL *s, STACK_OF(X509) *sk, X509 *ex,
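Review bot: The added `#ifndef OPENSSL_NO_DH` / `#endif` around `dh_tmp_cb` in the first hunk drop the nested-indent form this header uses inside its include guard (`# ifndef OPENSSL_NO_DH` on the removed line, and `# endif` / `# ifndef` in the second hunk), so the new directives should read `# ifndef OPENSSL_NO_DH` and `# endif`. A one-line comment on the field would also make the new split explicit, e.g. `/* legacy low-level DH callback; the EVP-based dh_tmp and dh_tmp_auto are always present */`. The second hunk's now-unconditional `ssl_get_auto_dh` declaration matches `dh_tmp_auto` becoming unconditional, so nothing further is needed there. The `cert_st` struct starts and ends outside the first hunk.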
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b6baff28ea..c478c5a7e8 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2418,9 +2418,7 @@ int tls_construct_server_done(SSL *s, WPACKET *pkt)
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
{
-#ifndef OPENSSL_NO_DH
EVP_PKEY *pkdh = NULL;
-#endif
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
size_t encodedlen = 0;
@@ -2453,7 +2451,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
#endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_DH
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
CERT *cert = s->cert;
EVP_PKEY *pkdhp = NULL;
@@ -2468,7 +2465,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
} else {
pkdhp = cert->dh_tmp;
}
-#ifndef OPENSSL_NO_DEPRECATED_3_0
+#if !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024));
if (pkdh == NULL) {
@@ -2513,7 +2510,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
goto err;
}
} else
-#endif
#ifndef OPENSSL_NO_EC
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {