Hi, On 08-10-18 23:41, Arne Schwabe wrote: > The current API that we use (mbedtls_pk_setup_rsa_alt) only allows > using RSA keys with the external API. Using an EC, mbed TLS and external > key in OpenVPN will fail very late with a rather obscure error message. > > Instead fail early and provide a clear message that only RSA keys are > supported. > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > --- > src/openvpn/ssl_mbedtls.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c > index 3e97a329..95061d6d 100644 > --- a/src/openvpn/ssl_mbedtls.c > +++ b/src/openvpn/ssl_mbedtls.c > @@ -604,6 +604,13 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx > *ctx, > return 1; > } > > + if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA) > + { > + msg (M_WARN, "ERROR: external key with mbed TLS requires a " > + "certificate with an RSA key."); > + return 1; > + } > + > ctx->external_key.signature_length = > mbedtls_pk_get_len(&ctx->crt_chain->pk); > ctx->external_key.sign = sign_func; > ctx->external_key.sign_ctx = sign_ctx; >
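Review bot: the new guard sits before `ctx->external_key.signature_length` is derived from `mbedtls_pk_get_len()`, so a non-RSA certificate is now rejected before any external-key state is written into `ctx`, and `return 1` follows the failure convention of the `return 1;` block just above it; that ordering looks right. Two small points on the hunk: `msg (M_WARN, ...)` has a space before the parenthesis, which the surrounding calls such as `mbedtls_pk_get_len(&ctx->crt_chain->pk)` do not use, so `msg(M_WARN, ...)` would match the file style; and since the stated goal is a clear early diagnosis, the message could name the key type that was actually found, for example `"ERROR: certificate has a %s key, but external keys with mbed TLS require an RSA key."` with `mbedtls_pk_get_name(&ctx->crt_chain->pk)` as the argument, so a user with an EC certificate sees directly why it is rejected.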
There should be no space in "msg(", but other than that this makes sense and looks good.

Acked-by: Steffan Karger <stef...@karger.me>

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel