From b3c24842a807014c1663eed6f79e888d73182205 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Mon, 8 Oct 2018 23:41:23 +0200
Subject: [PATCH] Refuse mbed TLS external key with non RSA certificates

The current API that we use (mbedtls_pk_setup_rsa_alt) only allows using RSA keys with the external API. Using an EC, mbed TLS and external key in OpenVPN will fail very late with a rather obscure error message. Instead fail early and provide a clear message that only RSA keys are supported.

Signed-off-by: Arne Schwabe
Acked-by: Steffan Karger
Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
Signed-off-by: David Sommerseth
---
 src/openvpn/ssl_mbedtls.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 3a0b5641c..f7e8c2d08 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -604,6 +604,13 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
         return 1;
     }
 
+    if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
+    {
+        msg(M_WARN, "ERROR: external key with mbed TLS requires a "
+            "certificate with an RSA key.");
+        return 1;
+    }
+
     ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk);
     ctx->external_key.sign = sign_func;
     ctx->external_key.sign_ctx = sign_ctx;
--
2.47.2
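Review bot: The new rejection path tells the operator only what was required, not what the certificate actually carries, which is exactly the diagnostic the commit message says it wants to improve; since the key type has already been fetched, include it in the message, e.g. `msg(M_WARN, "ERROR: external key with mbed TLS requires a certificate with an RSA key (got %s).", mbedtls_pk_get_name(&ctx->crt_chain->pk));`. The check inspects only `ctx->crt_chain->pk`, i.e. the first certificate in the chain, which is the right object to validate against the external signer, but that intent deserves a one-line comment such as `/* mbedtls_pk_setup_rsa_alt() only supports RSA keys; reject anything else up front. */` above the `if`. The dereference of `ctx->crt_chain` is safe only if the `return 1;` / `}` context lines above it close a NULL check on `crt_chain`, which the hunk does not show — presumably that is what precedes, but it should be confirmed. The enclosing function `tls_ctx_use_external_signing_func` begins before the hunk and continues past its last line.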