mbedtls: check that private key and certificate match on start
authorSteffan Karger <steffan@karger.me>
Thu, 5 May 2016 09:02:13 +0000 (11:02 +0200)
committerGert Doering <gert@greenie.muc.de>
Thu, 5 May 2016 10:45:34 +0000 (12:45 +0200)
Implement a long-standing TODO in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.

v2: bail out immediately on failure.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1462438933-14902-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11599
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl_mbedtls.c

index 9da33adfea9c5c8f7aa3bce988d7c3d32403db08..b5e7a6a72cc4f4234084ef33c4de99243d941069 100644 (file)
@@ -363,11 +363,12 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
 
   warn_if_group_others_accessible (priv_key_file);
 
-  /* TODO: Check Private Key */
-#if 0
-  if (!SSL_CTX_check_private_key (ctx))
-    msg (M_SSLERR, "Private key does not match the certificate");
-#endif
+  if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key)))
+    {
+      msg (M_WARN, "Private key does not match the certificate");
+      return 1;
+    }
+
   return 0;
 }
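Review bot: The new check dereferences `ctx->crt_chain` unconditionally in `&ctx->crt_chain->pk`, so if this function can ever run before a certificate has been loaded (the caller's ordering is not visible in the hunk), a missing cert turns into a NULL dereference instead of a diagnostic; a guard such as `if (!ctx->crt_chain) { msg (M_WARN, "Cannot check private key: no certificate loaded"); return 1; }` before the `mbedtls_pk_check_pair` call would make the failure mode explicit. The switch from the old fatal `M_SSLERR` to `M_WARN` plus `return 1` also means the "bail out immediately" behaviour now depends on every caller treating a non-zero return as fatal, which this hunk cannot show. A short comment above the call, such as `/* Only the leaf (first) certificate in the chain is compared against the key. */`, would document that intermediate certificates are not checked. The enclosing function `tls_ctx_load_priv_file` starts outside the hunk.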