Implement a long-standing TODO in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.
v2: bail out immediately on failure.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1462438933-14902-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11599
Signed-off-by: Gert Doering <gert@greenie.muc.de>
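--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -363,11 +363,12 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
 
 warn_if_group_others_accessible (priv_key_file);
 
- /* TODO: Check Private Key */
-#if 0
- if (!SSL_CTX_check_private_key (ctx))
- msg (M_SSLERR, "Private key does not match the certificate");
-#endif
+ if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key)))
+ {
+ msg (M_WARN, "Private key does not match the certificate");
+ return 1;
+ }
+
 return 0;
 }
 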
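Review bot: The added check dereferences `ctx->crt_chain` without confirming that a certificate has already been loaded into the context; if tls_ctx_load_priv_file can run before the certificate is loaded (the call order is decided by callers outside this hunk), `&ctx->crt_chain->pk` is a NULL dereference rather than a clean failure. A guard in front of the pair check, `if (!ctx->crt_chain) { msg (M_WARN, "Cannot check private key: no certificate loaded"); return 1; }`, keeps the bail-out explicit, or an assertion if the load order is guaranteed elsewhere. The body of tls_ctx_load_priv_file starts outside the hunk, so whether `ctx->priv_key` is guaranteed non-NULL at this point cannot be confirmed here either.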