Browse code
mbedtls: check that private key and certificate match on start
Implement a long standing todo in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.
v2: bail out immediately on failure.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1462438933-14902-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11599
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2016/05/05 18:02:13Showing 1 changed files
| ... | ... |
@@ -363,11 +363,12 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, |
| 363 | 363 |
|
| 364 | 364 |
warn_if_group_others_accessible (priv_key_file); |
| 365 | 365 |
|
| 366 |
- /* TODO: Check Private Key */ |
|
| 367 |
-#if 0 |
|
| 368 |
- if (!SSL_CTX_check_private_key (ctx)) |
|
| 369 |
- msg (M_SSLERR, "Private key does not match the certificate"); |
|
| 370 |
-#endif |
|
| 366 |
+ if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key))) |
|
| 367 |
+ {
|
|
| 368 |
+ msg (M_WARN, "Private key does not match the certificate"); |
|
| 369 |
+ return 1; |
|
| 370 |
+ } |
|
| 371 |
+ |
|
| 371 | 372 |
return 0; |
| 372 | 373 |
} |
| 373 | 374 |
|