dh now disabled by default but can be enabled w/o opensslextra

configure.ac

@@ -772,9 +772,9 @@ AM_CONDITIONAL([BUILD_RSA], [test "x$ENABLED_RSA" = "xyes"])
 
 # DH
 AC_ARG_ENABLE([dh],
-    [  --enable-dh             Enable DH (default: enabled)],
+    [  --enable-dh             Enable DH (default: disabled)],
     [ ENABLED_DH=$enableval ],
-    [ ENABLED_DH=yes ]
+    [ ENABLED_DH=no ]
     )
 
 if test "$ENABLED_DH" = "no"

ctaocrypt/src/asn.c

@@ -1163,8 +1163,6 @@ int DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g, word32 gSz)
 }
 
 
-#ifdef OPENSSL_EXTRA
-
 int DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
                  byte* g, word32* gInOutSz)
 {
@@ -1213,7 +1211,6 @@ int DhParamsLoad(const byte* input, word32 inSz, byte* p, word32* pInOutSz,
     return 0;
 }
 
-#endif /* OPENSSL_EXTRA */
 #endif /* NO_DH */
 
 

cyassl/internal.h

@@ -214,7 +214,7 @@ void c32to24(word32 in, word24 out);
             #define BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
             #define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
         #endif
-        #if !defined(NO_DH) && defined(OPENSSL_EXTRA)
+        #if !defined(NO_DH)
           #if !defined(NO_SHA)
             #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
             #define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
@@ -291,7 +291,7 @@ void c32to24(word32 in, word24 out);
 #endif
 
 #if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
-    !defined(NO_RSA) && defined(OPENSSL_EXTRA)
+    !defined(NO_RSA)
   #if !defined(NO_SHA)
     #define BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
     #define BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
@@ -309,8 +309,7 @@ void c32to24(word32 in, word24 out);
 #endif
 
 
-#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
+#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
-    defined(OPENSSL_EXTRA)
     #ifndef NO_SHA256
         #define BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
         #ifdef HAVE_NULL_CIPHER

cyassl/test.h

@@ -932,6 +932,7 @@ static INLINE void CaCb(unsigned char* der, int sz, int type)
 }
 
 
+#ifndef NO_DH
 static INLINE void SetDH(CYASSL* ssl)
 {
     /* dh1024 p */
@@ -985,7 +986,7 @@ static INLINE void SetDHCtx(CYASSL_CTX* ctx)
 
     CyaSSL_CTX_SetTmpDH(ctx, p, sizeof(p), g, sizeof(g));
 }
-
+#endif /* NO_DH */
 #endif /* !NO_CERTS */
 
 #ifdef HAVE_CAVIUM

examples/echoserver/echoserver.c

@@ -227,9 +227,9 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
         ssl = CyaSSL_new(ctx);
         if (ssl == NULL) err_sys("SSL_new failed");
         CyaSSL_set_fd(ssl, clientfd);
-        #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+        #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
             CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
-        #elif !defined(NO_CERTS)
+        #elif !defined(NO_DH)
             SetDH(ssl);  /* will repick suites with DHE, higher than PSK */
         #endif
         if (CyaSSL_accept(ssl) != SSL_SUCCESS) {

examples/server/server.c

@@ -481,9 +481,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 
     SSL_set_fd(ssl, clientfd);
     if (usePsk == 0 || cipherList != NULL) {
-        #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+        #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
             CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
-        #elif !defined(NO_CERTS)
+        #elif !defined(NO_DH)
             SetDH(ssl);  /* repick suites with DHE, higher priority than PSK */
         #endif
     }

src/internal.c

@@ -58,10 +58,6 @@
 #endif
 
 
-#if defined(OPENSSL_EXTRA) && defined(NO_DH)
-    #error OPENSSL_EXTRA needs DH, please remove NO_DH
-#endif
-
 #if defined(CYASSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS)
     #error \
 CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
@@ -8581,7 +8577,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
             return 0;
         }
     #endif
-    #ifdef OPENSSL_EXTRA
+    #ifndef NO_DH
         if (ssl->specs.kea == diffie_hellman_kea)
         {
         /* p */
@@ -8647,7 +8643,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
         XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
         *inOutIdx += length;
         }  /* dh_kea */
-    #endif /* OPENSSL_EXTRA */
+    #endif /* NO_DH */
 
     #ifdef HAVE_ECC
         if (ssl->specs.kea == ecc_diffie_hellman_kea)
@@ -8682,7 +8678,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
         }
     #endif /* HAVE_ECC */
 
-    #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+    #if !defined(NO_DH) && !defined(NO_PSK)
     if (ssl->specs.kea == dhe_psk_kea) {
         if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
             return BUFFER_ERROR;
@@ -8762,9 +8758,9 @@ static void PickHashSigAlgo(CYASSL* ssl,
         XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
         *inOutIdx += length;
     }
-    #endif /* OPENSSL_EXTRA || !NO_PSK */
+    #endif /* !NO_DH || !NO_PSK */
 
-    #if defined(OPENSSL_EXTRA) || defined(HAVE_ECC)
+    #if !defined(NO_DH) || defined(HAVE_ECC)
     if (ssl->specs.kea == ecc_diffie_hellman_kea ||
         ssl->specs.kea == diffie_hellman_kea)
     {
@@ -9011,9 +9007,9 @@ static void PickHashSigAlgo(CYASSL* ssl,
         ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
     }
     return 0;
-#else  /* HAVE_OPENSSL or HAVE_ECC */
+#else  /* !NO_DH or HAVE_ECC */
         return NOT_COMPILED_IN;  /* not supported by build */
-#endif /* HAVE_OPENSSL or HAVE_ECC */
+#endif /* !NO_DH or HAVE_ECC */
     }
 
 
@@ -9074,7 +9070,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                 }
                 break;
         #endif
-        #ifdef OPENSSL_EXTRA
+        #ifndef NO_DH
             case diffie_hellman_kea:
                 {
                     buffer  serverP   = ssl->buffers.serverDH_P;
@@ -9102,7 +9098,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                     FreeDhKey(&key);
                 }
                 break;
-        #endif /* OPENSSL_EXTRA */
+        #endif /* NO_DH */
         #ifndef NO_PSK
             case psk_kea:
                 {
@@ -9133,7 +9129,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                 }
                 break;
         #endif /* NO_PSK */
-        #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+        #if !defined(NO_DH) && !defined(NO_PSK)
             case dhe_psk_kea:
                 {
                     byte* pms = ssl->arrays->preMasterSecret;
@@ -9199,7 +9195,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                     ssl->arrays->psk_keySz = 0; /* No further need */
                 }
                 break;
-        #endif /* OPENSSL_EXTRA && !NO_PSK */
+        #endif /* !NO_DH && !NO_PSK */
         #ifdef HAVE_NTRU
             case ntru_kea:
                 {
@@ -9845,7 +9841,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
         }
         #endif /*NO_PSK */
 
-        #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+        #if !defined(NO_DH) && !defined(NO_PSK)
         if (ssl->specs.kea == dhe_psk_kea) {
             byte    *output;
             word32   length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
@@ -9963,7 +9959,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                 ret = SendBuffered(ssl);
             ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
         }
-        #endif /* OPENSSL_EXTRA && !NO_PSK */
+        #endif /* !NO_DH && !NO_PSK */
 
         #ifdef HAVE_ECC
         if (ssl->specs.kea == ecc_diffie_hellman_kea)
@@ -10307,7 +10303,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
         }
         #endif /* HAVE_ECC */
 
-        #if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+        #if !defined(NO_DH) && !defined(NO_RSA)
         if (ssl->specs.kea == diffie_hellman_kea) {
             byte    *output;
             word32   length = 0, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
@@ -10588,7 +10584,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                 ret = SendBuffered(ssl);
             ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
         }
-        #endif /* OPENSSL_EXTRA */
+        #endif /* NO_DH */
 
         return ret;
     }
@@ -11703,7 +11699,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
             }
             break;
         #endif /* HAVE_ECC */
-        #ifdef OPENSSL_EXTRA 
+        #ifndef NO_DH
             case diffie_hellman_kea:
             {
                 word16 clientPubSz;
@@ -11737,8 +11733,8 @@ static void PickHashSigAlgo(CYASSL* ssl,
                     ret = MakeMasterSecret(ssl);
             }
             break;
-        #endif /* OPENSSL_EXTRA */
+        #endif /* NO_DH */
-        #if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
+        #if !defined(NO_DH) && !defined(NO_PSK)
             case dhe_psk_kea:
             {
                 byte* pms = ssl->arrays->preMasterSecret;
@@ -11815,7 +11811,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
                 ssl->arrays->psk_keySz = 0;
             }
             break;
-        #endif /* OPENSSL_EXTRA && !NO_PSK */
+        #endif /* !NO_DH && !NO_PSK */
             default:
             {
                 CYASSL_MSG("Bad kea type");

src/ssl.c

@@ -362,8 +362,8 @@ int CyaSSL_GetObjectSize(void)
 }
 #endif
 
-/* XXX should be NO_DH */
+
-#ifndef NO_CERTS
+#ifndef NO_DH
 /* server Diffie-Hellman parameters, SSL_SUCCESS on ok */
 int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
                     const unsigned char* g, int gSz)
@@ -415,7 +415,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
     CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
     return SSL_SUCCESS;
 }
-#endif /* !NO_CERTS */
+#endif /* !NO_DH */
 
 
 int CyaSSL_write(CYASSL* ssl, const void* data, int sz)
@@ -3105,42 +3105,7 @@ int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX* ctx, const char* file)
 }
 
 
-#ifdef OPENSSL_EXTRA
+#ifndef NO_DH
-/* put SSL type in extra for now, not very common */
-
-int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format)
-{
-    CYASSL_ENTER("CyaSSL_use_certificate_file");
-    if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL)
-                    == SSL_SUCCESS)
-        return SSL_SUCCESS;
-
-    return SSL_FAILURE;
-}
-
-
-int CyaSSL_use_PrivateKey_file(CYASSL* ssl, const char* file, int format)
-{
-    CYASSL_ENTER("CyaSSL_use_PrivateKey_file");
-    if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL)
-                                                                 == SSL_SUCCESS)
-        return SSL_SUCCESS;
-
-    return SSL_FAILURE;
-}
-
-
-int CyaSSL_use_certificate_chain_file(CYASSL* ssl, const char* file)
-{
-   /* procces up to MAX_CHAIN_DEPTH plus subject cert */
-   CYASSL_ENTER("CyaSSL_use_certificate_chain_file");
-   if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1, NULL)
-                                                                 == SSL_SUCCESS)
-       return SSL_SUCCESS;
-
-   return SSL_FAILURE;
-}
-
 
 /* server wrapper for ctx or ssl Diffie-Hellman parameters */
 static int CyaSSL_SetTmpDH_buffer_wrapper(CYASSL_CTX* ctx, CYASSL* ssl,
@@ -3185,6 +3150,7 @@ static int CyaSSL_SetTmpDH_buffer_wrapper(CYASSL_CTX* ctx, CYASSL* ssl,
     return ret;
 }
 
+
 /* server Diffie-Hellman parameters, SSL_SUCCESS on ok */
 int CyaSSL_SetTmpDH_buffer(CYASSL* ssl, const unsigned char* buf, long sz,
                            int format)
@@ -3201,34 +3167,6 @@ int CyaSSL_CTX_SetTmpDH_buffer(CYASSL_CTX* ctx, const unsigned char* buf,
 }
 
 
-#ifdef HAVE_ECC
-
-/* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
-int CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX* ctx, word16 sz)
-{
-    if (ctx == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
-        return BAD_FUNC_ARG;
-
-    ctx->eccTempKeySz = sz;
-
-    return SSL_SUCCESS;
-}
-
-
-/* Set Temp SSL EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
-int CyaSSL_SetTmpEC_DHE_Sz(CYASSL* ssl, word16 sz)
-{
-    if (ssl == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
-        return BAD_FUNC_ARG;
-
-    ssl->eccTempKeySz = sz;
-
-    return SSL_SUCCESS;
-}
-
-#endif /* HAVE_ECC */
-
-
 /* server Diffie-Hellman parameters */
 static int CyaSSL_SetTmpDH_file_wrapper(CYASSL_CTX* ctx, CYASSL* ssl,
                                         const char* fname, int format)
@@ -3288,6 +3226,108 @@ int CyaSSL_CTX_SetTmpDH_file(CYASSL_CTX* ctx, const char* fname, int format)
 }
 
 
+    /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */
+    int CyaSSL_CTX_SetTmpDH(CYASSL_CTX* ctx, const unsigned char* p, int pSz,
+                            const unsigned char* g, int gSz)
+    {
+        CYASSL_ENTER("CyaSSL_CTX_SetTmpDH");
+        if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG;
+
+        XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
+        XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
+
+        ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH);
+        if (ctx->serverDH_P.buffer == NULL)
+            return MEMORY_E;
+
+        ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH);
+        if (ctx->serverDH_G.buffer == NULL) {
+            XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
+            return MEMORY_E;
+        }
+
+        ctx->serverDH_P.length = pSz;
+        ctx->serverDH_G.length = gSz;
+
+        XMEMCPY(ctx->serverDH_P.buffer, p, pSz);
+        XMEMCPY(ctx->serverDH_G.buffer, g, gSz);
+
+        ctx->haveDH = 1;
+
+        CYASSL_LEAVE("CyaSSL_CTX_SetTmpDH", 0);
+        return SSL_SUCCESS;
+    }
+#endif /* NO_DH */
+
+
+#ifdef OPENSSL_EXTRA
+/* put SSL type in extra for now, not very common */
+
+int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format)
+{
+    CYASSL_ENTER("CyaSSL_use_certificate_file");
+    if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL)
+                    == SSL_SUCCESS)
+        return SSL_SUCCESS;
+
+    return SSL_FAILURE;
+}
+
+
+int CyaSSL_use_PrivateKey_file(CYASSL* ssl, const char* file, int format)
+{
+    CYASSL_ENTER("CyaSSL_use_PrivateKey_file");
+    if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL)
+                                                                 == SSL_SUCCESS)
+        return SSL_SUCCESS;
+
+    return SSL_FAILURE;
+}
+
+
+int CyaSSL_use_certificate_chain_file(CYASSL* ssl, const char* file)
+{
+   /* procces up to MAX_CHAIN_DEPTH plus subject cert */
+   CYASSL_ENTER("CyaSSL_use_certificate_chain_file");
+   if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1, NULL)
+                                                                 == SSL_SUCCESS)
+       return SSL_SUCCESS;
+
+   return SSL_FAILURE;
+}
+
+
+
+#ifdef HAVE_ECC
+
+/* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
+int CyaSSL_CTX_SetTmpEC_DHE_Sz(CYASSL_CTX* ctx, word16 sz)
+{
+    if (ctx == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
+        return BAD_FUNC_ARG;
+
+    ctx->eccTempKeySz = sz;
+
+    return SSL_SUCCESS;
+}
+
+
+/* Set Temp SSL EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */
+int CyaSSL_SetTmpEC_DHE_Sz(CYASSL* ssl, word16 sz)
+{
+    if (ssl == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE)
+        return BAD_FUNC_ARG;
+
+    ssl->eccTempKeySz = sz;
+
+    return SSL_SUCCESS;
+}
+
+#endif /* HAVE_ECC */
+
+
+
+
 int CyaSSL_CTX_use_RSAPrivateKey_file(CYASSL_CTX* ctx,const char* file,
                                    int format)
 {
@@ -8645,40 +8685,6 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
 
 #ifdef OPENSSL_EXTRA
 
-/* XXX shuld be NO_DH */
-#ifndef NO_CERTS
-    /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */
-    int CyaSSL_CTX_SetTmpDH(CYASSL_CTX* ctx, const unsigned char* p, int pSz,
-                            const unsigned char* g, int gSz)
-    {
-        CYASSL_ENTER("CyaSSL_CTX_SetTmpDH");
-        if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG;
-
-        XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
-        XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
-
-        ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap,DYNAMIC_TYPE_DH);
-        if (ctx->serverDH_P.buffer == NULL)
-            return MEMORY_E;
-
-        ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap,DYNAMIC_TYPE_DH);
-        if (ctx->serverDH_G.buffer == NULL) {
-            XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
-            return MEMORY_E;
-        }
-
-        ctx->serverDH_P.length = pSz;
-        ctx->serverDH_G.length = gSz;
-
-        XMEMCPY(ctx->serverDH_P.buffer, p, pSz);
-        XMEMCPY(ctx->serverDH_G.buffer, g, gSz);
-
-        ctx->haveDH = 1;
-
-        CYASSL_LEAVE("CyaSSL_CTX_SetTmpDH", 0);
-        return SSL_SUCCESS;
-    }
-#endif /* !NO_CERTS */
 
 
     char* CyaSSL_CIPHER_description(CYASSL_CIPHER* cipher, char* in, int len)
@@ -10074,6 +10080,8 @@ static int initGlobalRNG = 0;
     }
 
 
+    #ifndef NO_DH
+
     static void InitCyaSSL_DH(CYASSL_DH* dh)
     {
         if (dh) {
@@ -10312,6 +10320,7 @@ static int initGlobalRNG = 0;
         CYASSL_MSG("CyaSSL_compute_key success");
         return (int)keySz;
     }
+    #endif /* NO_DH */
 
 
 #ifndef NO_DSA

tests/api.c

@@ -1046,9 +1046,9 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args)
     CyaSSL_set_fd(ssl, clientfd);
 
 #ifdef NO_PSK
-    #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+    #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
         CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
-    #else
+    #elif !defined(NO_DH)
         SetDH(ssl);  /* will repick suites with DHE, higher priority than PSK */
     #endif
 #endif
@@ -1269,9 +1269,9 @@ THREAD_RETURN CYASSL_THREAD run_cyassl_server(void* args)
     CyaSSL_set_fd(ssl, cfd);
 
 #ifdef NO_PSK
-    #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA)
+    #if !defined(NO_FILESYSTEM) && !defined(NO_DH)
         CyaSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM);
-    #else
+    #elif !defined(NO_DH)
         SetDH(ssl);  /* will repick suites with DHE, higher priority than PSK */
     #endif
 #endif