From: Steffan Karger <steffan@karger.me>
Date: Thu, 5 May 2016 09:02:13 +0000 (+0200)
Subject: mbedtls: check that private key and certificate match on start
X-Git-Tag: v2.4_alpha1~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c4acf3f7b2885270a9fb2d051a18759ab458c32;p=thirdparty%2Fopenvpn.git

mbedtls: check that private key and certificate match on start

Implement a long standing todo in the code, now that we use mbed TLS 2.x,
which provides an interface for the check.

v2: bail out immediately on failure.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1462438933-14902-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11599
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 9da33adfe..b5e7a6a72 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -363,11 +363,12 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
 
   warn_if_group_others_accessible (priv_key_file);
 
-  /* TODO: Check Private Key */
-#if 0
-  if (!SSL_CTX_check_private_key (ctx))
-    msg (M_SSLERR, "Private key does not match the certificate");
-#endif
+  if (!mbed_ok(mbedtls_pk_check_pair(&ctx->crt_chain->pk, ctx->priv_key)))
+    {
+      msg (M_WARN, "Private key does not match the certificate");
+      return 1;
+    }
+
   return 0;
 }