openziti / tlsuv

TLS and HTTP(s) client library for libuv
https://docs.openziti.io/tlsuv/
MIT License

Incorrect call to mbedtls_pk_check_pair (missing arguments!) #170

Closed snej closed 1 year ago

snej commented 1 year ago

In the function mbedtls_set_own_cert in mbedtls/engine.c, the MbedTLS function mbedtls_pk_check_pair is called with two arguments. Unfortunately it takes four. This causes a compile error.

    if (mbedtls_pk_check_pair(&x509->pk, &pk->pkey) != 0) {

I’ve got the latest release of MbedTLS, v3.4.1. I don’t think they’re in the habit of changing the signatures of functions incompatibly, so I don’t know where this error came from.

Here’s the docs & signature of the function from pk.h:

    /**
     * \brief           Check if a public-private pair of keys matches.
     *
     * \param pub       Context holding a public key.
     * \param prv       Context holding a private (and public) key.
     * \param f_rng     RNG function, must not be \c NULL.
     * \param p_rng     RNG parameter
     *
     * \return          \c 0 on success (keys were checked and match each other).
     * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not
     *                  be checked - in that case they may or may not match.
     * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid.
     * \return          Another non-zero value if the keys do not match.
     */
    int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
                              const mbedtls_pk_context *prv,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng);

When creating the engine up above, you’re using mbedtls_ctr_drbg_random as the RNG, so that seems like the right value for arg 3. But arg 4 is harder: the value from the setup is engine->drbg, but I can’t figure out how to get a reference to the engine in this function. All it gets is the tls_context, and that has no reference to an engine; in fact, it seems to be the other way around.

ekoby commented 1 year ago

This API function was changed between 2.x and 3.x.