Implement a long-standing TODO in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.

v2: bail out immediately on failure.

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl_mbedtls.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 9da33ad..b5e7a6a 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -363,11 +363,12 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const 
char *priv_key_file,

   warn_if_group_others_accessible (priv_key_file);

-  /* TODO: Check Private Key */
-#if 0
-  if (!SSL_CTX_check_private_key (ctx))
-    msg (M_SSLERR, "Private key does not match the certificate");
-#endif
+  if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key)))
+    {
+      msg (M_WARN, "Private key does not match the certificate");
+      return 1;
+    }
+
   return 0;
 }
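Review bot: `ctx->crt_chain->pk` on the new check line is dereferenced without confirming that a certificate chain has already been loaded into ctx; if tls_ctx_load_priv_file can run before the certificate is loaded (the call order is not visible from this hunk), the mismatch check becomes a NULL dereference instead of a clean error. A guard ahead of it such as `if (!ctx->crt_chain) { msg (M_WARN, "Cannot check private key: no certificate loaded"); return 1; }` keeps the failure mode an error return. It is also worth a comment that on mismatch the function returns 1 with ctx->priv_key still populated, so the caller is relied upon to tear the context down; if that is not the contract, the key should be released before returning. The start of tls_ctx_load_priv_file lies outside the hunk.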

-- 
2.7.4

