diff --git a/ChangeLog b/ChangeLog index f954c95568..4b627a1252 100644 --- a/ChangeLog +++ b/ChangeLog @@ -60,6 +60,10 @@ Changes and the message digest. Further, allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions. +New deprecations + * Deprecate usage of RSA primitives with non-matching key-type + (e.g., signing with a public key). + = mbed TLS 2.6.0 branch released 2017-08-10 Security diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 31591e2d64..d51bcdec36 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -75,7 +75,7 @@ * PKCS5 2 4 (Started from top) * DHM 3 9 * PK 3 14 (Started from top) - * RSA 4 9 + * RSA 4 10 * ECP 4 8 (Started from top) * MD 5 4 * CIPHER 6 6 diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 7d7469d509..d04e71d58c 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -48,6 +48,7 @@ #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */ #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ +#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality */ /* * RSA constants @@ -250,6 +251,15 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * \param input buffer holding the data to be encrypted * \param output buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size @@ -273,6 +283,15 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, * \param input buffer holding the data to be encrypted * \param output buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size @@ -299,6 +318,15 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, * \param input buffer holding the data to be encrypted * \param output buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size @@ -327,13 +355,22 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, * \param output buffer that will hold the plaintext * \param output_max_len maximum length of the output buffer * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer length \c output_max_len should be * as large as the size ctx->len of ctx->N (eg. 128 bytes * if RSA-1024 is used) to be able to hold an arbitrary * decrypted message. If it is not large enough to hold - * the decryption of the particular ciphertext provided, + * the decryption of the particular ciphertext provided, * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \note The input buffer must be as large as the size @@ -359,13 +396,22 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, * \param output buffer that will hold the plaintext * \param output_max_len maximum length of the output buffer * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer length \c output_max_len should be * as large as the size ctx->len of ctx->N (eg. 128 bytes * if RSA-1024 is used) to be able to hold an arbitrary * decrypted message. If it is not large enough to hold - * the decryption of the particular ciphertext provided, + * the decryption of the particular ciphertext provided, * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \note The input buffer must be as large as the size @@ -393,16 +439,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * \param output buffer that will hold the plaintext * \param output_max_len maximum length of the output buffer * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer length \c output_max_len should be * as large as the size ctx->len of ctx->N (eg. 128 bytes * if RSA-1024 is used) to be able to hold an arbitrary * decrypted message. If it is not large enough to hold - * the decryption of the particular ciphertext provided, + * the decryption of the particular ciphertext provided, * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * - * \note The input buffer must be as large as the size + * \note The input buffer must be as large as the size * of ctx->N (eg. 128 bytes if RSA-1024 is used). */ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, @@ -430,6 +485,15 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -460,6 +524,15 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -488,6 +561,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -522,6 +604,15 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer holding the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the verify operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -552,6 +643,15 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer holding the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the verify operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -580,6 +680,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer holding the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the verify operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * diff --git a/library/error.c b/library/error.c index db42381c42..23e4953fca 100644 --- a/library/error.c +++ b/library/error.c @@ -331,6 +331,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" ); if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" ); + if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) ) + mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality" ); #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_SSL_TLS_C) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 270e2d989b..09309d687e 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -60,9 +60,12 @@ void mbedtls_rsa_pkcs1_sign( char *message_hex_string, int padding_mode, int dig msg_len = unhexify( message_str, message_hex_string ); if( mbedtls_md_info_from_type( digest ) != NULL ) - TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 ); + TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), + message_str, msg_len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, + MBEDTLS_RSA_PRIVATE, digest, 0, + hash_result, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); @@ -71,7 +74,8 @@ void mbedtls_rsa_pkcs1_sign( char *message_hex_string, int padding_mode, int dig } exit: - mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); + mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); + mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); mbedtls_rsa_free( &ctx ); } /* END_CASE */ @@ -119,6 +123,7 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string, char *input_N, int radix_E, char *input_E, char *result_hex_str ) { + int res; unsigned char message_str[1000]; unsigned char hash_result[1000]; unsigned char output[1000]; @@ -157,7 +162,9 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string, unhexify( message_str, message_hex_string ); hash_len = unhexify( hash_result, hash_result_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE, hash_len, hash_result, output ) == 0 ); + TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, + MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE, + hash_len, hash_result, output ) == 0 ); hexify( output_str, output, ctx.len ); @@ -169,13 +176,22 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string, memset( output, 0x00, 1000 ); memset( output_str, 0x00, 1000 ); - TEST_ASSERT( mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, + res = mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, - hash_len, hash_result, output ) == 0 ); + hash_len, hash_result, output ); - hexify( output_str, output, ctx.len ); +#if !defined(MBEDTLS_RSA_ALT) + TEST_ASSERT( res == 0 ); +#else + TEST_ASSERT( ( res == 0 ) || + ( res == MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION ) ); +#endif - TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + if( res == 0 ) + { + hexify( output_str, output, ctx.len ); + TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + } } exit: @@ -190,6 +206,7 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string, char *input_N, int radix_E, char *input_E, char *result_hex_str, int correct ) { + int res; unsigned char message_str[1000]; unsigned char hash_result[1000]; unsigned char result_str[1000]; @@ -220,15 +237,25 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string, { int ok; - TEST_ASSERT( mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, + res = mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, - &olen, result_str, output, sizeof( output ) ) == 0 ); + &olen, result_str, output, sizeof( output ) ); - ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0; - if( correct == 0 ) - TEST_ASSERT( ok == 1 ); - else - TEST_ASSERT( ok == 0 ); +#if !defined(MBEDTLS_RSA_ALT) + TEST_ASSERT( res == 0 ); +#else + TEST_ASSERT( ( res == 0 ) || + ( res == MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION ) ); +#endif + + if( res == 0 ) + { + ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0; + if( correct == 0 ) + TEST_ASSERT( ok == 1 ); + else + TEST_ASSERT( ok == 0 ); + } } exit: @@ -263,7 +290,9 @@ void mbedtls_rsa_pkcs1_encrypt( char *message_hex_string, int padding_mode, int msg_len = unhexify( message_str, message_hex_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, + MBEDTLS_RSA_PUBLIC, msg_len, + message_str, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); @@ -301,7 +330,9 @@ void rsa_pkcs1_encrypt_bad_rng( char *message_hex_string, int padding_mode, msg_len = unhexify( message_str, message_hex_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL, + MBEDTLS_RSA_PUBLIC, msg_len, + message_str, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len );