Merge pull request #4515 from tom-daubney-arm/remove_rsa_mode_params_2

Remove rsa mode params part 2
Mbed-TLS · May 25, 2021 · b7abba2 · b7abba2
2 parents 8a5304d + 731b952
commit b7abba2
Show file tree

Hide file tree

Showing 19 changed files with 187 additions and 524 deletions.
diff --git a/ChangeLog.d/remove-rsa-mode-parameter.txt b/ChangeLog.d/remove-rsa-mode-parameter.txt
@@ -0,0 +1,9 @@
+Removals
+   * The RSA module no longer supports private-key operations with the public
+     key and vice versa.
+API changes
+   * Remove the mode parameter from RSA operation functions. Signature and
+     decryption functions now always use the private key and verification and
+     encryption use the public key. Verification functions also no longer have
+     RNG parameters.
+   * The RNG is now mandatory for all private-key RSA operations.
diff --git a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md
@@ -0,0 +1,29 @@
+Remove the mode parameter from RSA functions
+--------------------------------------------
+
+This affects all users who use the RSA encryption, decryption, sign and
+verify APIs.
+
+The RSA module no longer supports private-key operations with the public key or
+vice versa. As a consequence, RSA operation functions no longer have a mode
+parameter. If you were calling RSA operations with the normal mode (public key
+for verification or encryption, private key for signature or decryption), remove
+the `MBEDTLS_MODE_PUBLIC` or `MBEDTLS_MODE_PRIVATE` argument. If you were calling
+RSA operations with the wrong mode, which rarely makes sense from a security
+perspective, this is no longer supported.
+
+Remove the RNG parameter from RSA verify functions
+--------------------------------------------------
+
+RSA verification functions also no longer take random generator arguments (this
+was only needed when using a private key). This affects all applications using
+the RSA verify functions.
+
+RNG is now mandatory in all RSA private key operations
+------------------------------------------------------
+
+The random generator is now mandatory for blinding in all RSA private-key
+operations (`mbedtls_rsa_private`, `mbedtls_rsa_xxx_sign`,
+`mbedtls_rsa_xxx_decrypt`) as well as for encryption
+(`mbedtls_rsa_xxx_encrypt`). This means that passing a null `f_rng` is no longer
+supported.
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
@@ -234,7 +234,7 @@ typedef int (*mbedtls_pk_rsa_alt_decrypt_func)( void *ctx, size_t *olen,
                     size_t output_max_len );
 typedef int (*mbedtls_pk_rsa_alt_sign_func)( void *ctx,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                    mbedtls_md_type_t md_alg, unsigned int hashlen,
                     const unsigned char *hash, unsigned char *sig );
 typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */

diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
diff --git a/library/pk.c b/library/pk.c
@@ -367,11 +367,10 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
             return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
         ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ),
-                NULL, NULL, MBEDTLS_RSA_PUBLIC,
-                md_alg, (unsigned int) hash_len, hash,
-                pss_opts->mgf1_hash_id,
-                pss_opts->expected_salt_len,
-                sig );
+                                                 md_alg, (unsigned int) hash_len, hash,
+                                                 pss_opts->mgf1_hash_id,
+                                                 pss_opts->expected_salt_len,
+                                                 sig );
         if( ret != 0 )
             return( ret );
 

diff --git a/library/pk_wrap.c b/library/pk_wrap.c
@@ -90,9 +90,9 @@ static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
     if( sig_len < rsa_len )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
-    if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
-                                  MBEDTLS_RSA_PUBLIC, md_alg,
-                                  (unsigned int) hash_len, hash, sig ) ) != 0 )
+    if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, md_alg,
+                                          (unsigned int) hash_len,
+                                          hash, sig ) ) != 0 )
         return( ret );
 
     /* The buffer contains a valid signature followed by extra data.
@@ -120,8 +120,9 @@ static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
 
     *sig_len = mbedtls_rsa_get_len( rsa );
 
-    return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
-                md_alg, (unsigned int) hash_len, hash, sig ) );
+    return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng,
+                                    md_alg, (unsigned int) hash_len,
+                                    hash, sig ) );
 }
 
 static int rsa_decrypt_wrap( void *ctx,
@@ -149,7 +150,7 @@ static int rsa_encrypt_wrap( void *ctx,
     if( *olen > osize )
         return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
 
-    return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
+    return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng,
                                        ilen, input, output ) );
 }
 
@@ -770,7 +771,7 @@ static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
     if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
-    return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+    return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng,
                 md_alg, (unsigned int) hash_len, hash, sig ) );
 }
 

diff --git a/library/psa_crypto.c b/library/psa_crypto.c
@@ -2918,7 +2918,6 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key,
                     mbedtls_rsa_pkcs1_encrypt( rsa,
                                                mbedtls_psa_get_random,
                                                MBEDTLS_PSA_RANDOM_STATE,
-                                               MBEDTLS_RSA_PUBLIC,
                                                input_length,
                                                input,
                                                output ) );
@@ -2933,7 +2932,6 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key,
                 mbedtls_rsa_rsaes_oaep_encrypt( rsa,
                                                 mbedtls_psa_get_random,
                                                 MBEDTLS_PSA_RANDOM_STATE,
-                                                MBEDTLS_RSA_PUBLIC,
                                                 salt, salt_length,
                                                 input_length,
                                                 input,

diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
@@ -419,7 +419,6 @@ static psa_status_t rsa_sign_hash(
         ret = mbedtls_rsa_pkcs1_sign( rsa,
                                       mbedtls_psa_get_random,
                                       MBEDTLS_PSA_RANDOM_STATE,
-                                      MBEDTLS_RSA_PRIVATE,
                                       md_alg,
                                       (unsigned int) hash_length,
                                       hash,
@@ -434,7 +433,6 @@ static psa_status_t rsa_sign_hash(
         ret = mbedtls_rsa_rsassa_pss_sign( rsa,
                                            mbedtls_psa_get_random,
                                            MBEDTLS_PSA_RANDOM_STATE,
-                                           MBEDTLS_RSA_PRIVATE,
                                            MBEDTLS_MD_NONE,
                                            (unsigned int) hash_length,
                                            hash,
@@ -492,9 +490,6 @@ static psa_status_t rsa_verify_hash(
         mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15,
                                  MBEDTLS_MD_NONE );
         ret = mbedtls_rsa_pkcs1_verify( rsa,
-                                        mbedtls_psa_get_random,
-                                        MBEDTLS_PSA_RANDOM_STATE,
-                                        MBEDTLS_RSA_PUBLIC,
                                         md_alg,
                                         (unsigned int) hash_length,
                                         hash,
@@ -507,9 +502,6 @@ static psa_status_t rsa_verify_hash(
     {
         mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
         ret = mbedtls_rsa_rsassa_pss_verify( rsa,
-                                             mbedtls_psa_get_random,
-                                             MBEDTLS_PSA_RANDOM_STATE,
-                                             MBEDTLS_RSA_PUBLIC,
                                              MBEDTLS_MD_NONE,
                                              (unsigned int) hash_length,
                                              hash,