diff --git a/src/ssl.c b/src/ssl.c index 3c545874b..2bb1a7936 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6913,68 +6913,6 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, return ret; } -#ifndef NO_CHECK_PRIVATE_KEY -/* Check private against public in certificate for match - * - * ctx WOLFSSL_CTX structure to check private key in - * - * Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */ -int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) -{ -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* der = NULL; -#else - DecodedCert der[1]; -#endif - word32 size; - byte* buff; - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_check_private_key"); - - if (ctx == NULL || ctx->certificate == NULL) { - return WOLFSSL_FAILURE; - } - -#ifndef NO_CERTS -#ifdef WOLFSSL_SMALL_STACK - der = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (der == NULL) - return MEMORY_E; -#endif - - size = ctx->certificate->length; - buff = ctx->certificate->buffer; - InitDecodedCert(der, buff, size, ctx->heap); - if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) { - FreeDecodedCert(der); - #ifdef WOLFSSL_SMALL_STACK - XFREE(der, NULL, DYNAMIC_TYPE_DCERT); - #endif - return WOLFSSL_FAILURE; - } - - size = ctx->privateKey->length; - buff = ctx->privateKey->buffer; - ret = wc_CheckPrivateKey(buff, size, der); - FreeDecodedCert(der); -#ifdef WOLFSSL_SMALL_STACK - XFREE(der, NULL, DYNAMIC_TYPE_DCERT); -#endif - - if (ret == 1) { - return WOLFSSL_SUCCESS; - } - else { - return WOLFSSL_FAILURE; - } -#else - WOLFSSL_MSG("NO_CERTS is defined, can not check private key"); - return WOLFSSL_FAILURE; -#endif -} -#endif /* !NO_CHECK_PRIVATE_KEY */ - #ifdef HAVE_CRL @@ -7373,6 +7311,68 @@ int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) #endif /* NO_FILESYSTEM */ +#ifndef NO_CHECK_PRIVATE_KEY +/* Check private against public in certificate for match + * + * ctx WOLFSSL_CTX structure to check private key in + * + * Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */ +int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) +{ +#ifdef WOLFSSL_SMALL_STACK + DecodedCert* der = NULL; +#else + DecodedCert der[1]; +#endif + word32 size; + byte* buff; + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_check_private_key"); + + if (ctx == NULL || ctx->certificate == NULL) { + return WOLFSSL_FAILURE; + } + +#ifndef NO_CERTS +#ifdef WOLFSSL_SMALL_STACK + der = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + if (der == NULL) + return MEMORY_E; +#endif + + size = ctx->certificate->length; + buff = ctx->certificate->buffer; + InitDecodedCert(der, buff, size, ctx->heap); + if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) { + FreeDecodedCert(der); + #ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_DCERT); + #endif + return WOLFSSL_FAILURE; + } + + size = ctx->privateKey->length; + buff = ctx->privateKey->buffer; + ret = wc_CheckPrivateKey(buff, size, der); + FreeDecodedCert(der); +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_DCERT); +#endif + + if (ret == 1) { + return WOLFSSL_SUCCESS; + } + else { + return WOLFSSL_FAILURE; + } +#else + WOLFSSL_MSG("NO_CERTS is defined, can not check private key"); + return WOLFSSL_FAILURE; +#endif +} +#endif /* !NO_CHECK_PRIVATE_KEY */ + #ifdef OPENSSL_EXTRA /* put SSL type in extra for now, not very common */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 68f026888..6f99f74ed 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2014,7 +2014,7 @@ WOLFSSL_API long wolfSSL_CTX_set_options(WOLFSSL_CTX*, long); WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx); WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long); -#if !defined(NO_FILESYSTEM) && !defined(NO_CHECK_PRIVATE_KEY) +#if !defined(NO_CHECK_PRIVATE_KEY) WOLFSSL_API int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX*); #endif WOLFSSL_API void wolfSSL_ERR_free_strings(void);