From 3cdc7119726013ed9d7b27b251da83808201cae3 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 5 Oct 2017 10:09:31 +0100 Subject: [PATCH 1/7] Deprecate usage of RSA primitives with wrong key type Further, state explicitly that wrong key types need not be supported by alternative RSA implementations, and that those may instead return the newly introduced error code MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. --- include/mbedtls/rsa.h | 117 ++++++++++++++++++++++++++++++++++++++++-- library/error.c | 2 + 2 files changed, 115 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 7d7469d50..2ffb7ab3f 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -48,6 +48,7 @@ #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */ #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ +#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't provide the requested operation. */ /* * RSA constants @@ -250,6 +251,15 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * \param input buffer holding the data to be encrypted * \param output buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size @@ -273,6 +283,15 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, * \param input buffer holding the data to be encrypted * \param output buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size @@ -299,6 +318,15 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, * \param input buffer holding the data to be encrypted * \param output buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer must be as large as the size @@ -327,13 +355,22 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, * \param output buffer that will hold the plaintext * \param output_max_len maximum length of the output buffer * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer length \c output_max_len should be * as large as the size ctx->len of ctx->N (eg. 128 bytes * if RSA-1024 is used) to be able to hold an arbitrary * decrypted message. If it is not large enough to hold - * the decryption of the particular ciphertext provided, + * the decryption of the particular ciphertext provided, * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \note The input buffer must be as large as the size @@ -359,13 +396,22 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, * \param output buffer that will hold the plaintext * \param output_max_len maximum length of the output buffer * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer length \c output_max_len should be * as large as the size ctx->len of ctx->N (eg. 128 bytes * if RSA-1024 is used) to be able to hold an arbitrary * decrypted message. If it is not large enough to hold - * the decryption of the particular ciphertext provided, + * the decryption of the particular ciphertext provided, * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \note The input buffer must be as large as the size @@ -393,16 +439,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * \param output buffer that will hold the plaintext * \param output_max_len maximum length of the output buffer * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code * * \note The output buffer length \c output_max_len should be * as large as the size ctx->len of ctx->N (eg. 128 bytes * if RSA-1024 is used) to be able to hold an arbitrary * decrypted message. If it is not large enough to hold - * the decryption of the particular ciphertext provided, + * the decryption of the particular ciphertext provided, * the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * - * \note The input buffer must be as large as the size + * \note The input buffer must be as large as the size * of ctx->N (eg. 128 bytes if RSA-1024 is used). */ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, @@ -430,6 +485,15 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -460,6 +524,15 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -488,6 +561,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer that will hold the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PRIVATE. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PUBLIC and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the signing operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -522,6 +604,15 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer holding the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the verify operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -552,6 +643,15 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer holding the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the verify operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * @@ -580,6 +680,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * \param hash buffer holding the message digest * \param sig buffer holding the ciphertext * + * \deprecated It is deprecated and discouraged to call this function + * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary + * are likely to remove the mode argument and have it implicitly + * set to MBEDTLS_RSA_PUBLIC. + * + * \note Alternative implementations of RSA need not support + * mode being set to MBEDTLS_RSA_PRIVATE and may instead + * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION. + * * \return 0 if the verify operation was successful, * or an MBEDTLS_ERR_RSA_XXX error code * diff --git a/library/error.c b/library/error.c index db42381c4..0217767cc 100644 --- a/library/error.c +++ b/library/error.c @@ -331,6 +331,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" ); if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" ); + if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) ) + mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't provide the requested operation" ); #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_SSL_TLS_C) From 1613715f6f6d3d97d4ef77987bae02d1d3de4c67 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 5 Oct 2017 10:10:30 +0100 Subject: [PATCH 2/7] Adapt ChangeLog --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index e199682ea..b7fb5d5d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. +API Changes + * Deprecate usage of RSA primitives with non-matching key-type + (e.g., signing with a public key). + = mbed TLS 2.6.0 branch released 2017-08-10 Security From f8b56d4e411cca80ad3788f3fa3fe0741a9acd89 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 5 Oct 2017 10:16:37 +0100 Subject: [PATCH 3/7] Adapt RSA test suite Don't expect alternative implementations to implement the RSA operations for wrong key-types. --- tests/suites/test_suite_rsa.function | 65 ++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 17 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index d48bc8595..a6bd7c124 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -59,9 +59,12 @@ void mbedtls_rsa_pkcs1_sign( char *message_hex_string, int padding_mode, int dig msg_len = unhexify( message_str, message_hex_string ); if( mbedtls_md_info_from_type( digest ) != NULL ) - TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str, msg_len, hash_result ) == 0 ); + TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), + message_str, msg_len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, digest, 0, hash_result, output ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, + MBEDTLS_RSA_PRIVATE, digest, 0, + hash_result, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); @@ -70,7 +73,8 @@ void mbedtls_rsa_pkcs1_sign( char *message_hex_string, int padding_mode, int dig } exit: - mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); + mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); + mbedtls_mpi_free( &H ); mbedtls_mpi_free( &G ); mbedtls_rsa_free( &ctx ); } /* END_CASE */ @@ -118,6 +122,7 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string, char *input_N, int radix_E, char *input_E, char *result_hex_str ) { + int res; unsigned char message_str[1000]; unsigned char hash_result[1000]; unsigned char output[1000]; @@ -156,7 +161,9 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string, unhexify( message_str, message_hex_string ); hash_len = unhexify( hash_result, hash_result_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE, hash_len, hash_result, output ) == 0 ); + TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &rnd_pseudo_rand, &rnd_info, + MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE, + hash_len, hash_result, output ) == 0 ); hexify( output_str, output, ctx.len ); @@ -168,13 +175,22 @@ void rsa_pkcs1_sign_raw( char *message_hex_string, char *hash_result_string, memset( output, 0x00, 1000 ); memset( output_str, 0x00, 1000 ); - TEST_ASSERT( mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, + res = mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PRIVATE, - hash_len, hash_result, output ) == 0 ); + hash_len, hash_result, output ); - hexify( output_str, output, ctx.len ); +#if !defined(MBEDTLS_RSA_ALT) + TEST_ASSERT( res == 0 ); +#else + TEST_ASSERT( ( res == 0 ) || + ( res == MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION ) ); +#endif - TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + if( res == 0 ) + { + hexify( output_str, output, ctx.len ); + TEST_ASSERT( strcasecmp( (char *) output_str, result_hex_str ) == 0 ); + } } exit: @@ -189,6 +205,7 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string, char *input_N, int radix_E, char *input_E, char *result_hex_str, int correct ) { + int res; unsigned char message_str[1000]; unsigned char hash_result[1000]; unsigned char result_str[1000]; @@ -219,15 +236,25 @@ void rsa_pkcs1_verify_raw( char *message_hex_string, char *hash_result_string, { int ok; - TEST_ASSERT( mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, + res = mbedtls_rsa_rsaes_pkcs1_v15_decrypt( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, - &olen, result_str, output, sizeof( output ) ) == 0 ); + &olen, result_str, output, sizeof( output ) ); - ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0; - if( correct == 0 ) - TEST_ASSERT( ok == 1 ); - else - TEST_ASSERT( ok == 0 ); +#if !defined(MBEDTLS_RSA_ALT) + TEST_ASSERT( res == 0 ); +#else + TEST_ASSERT( ( res == 0 ) || + ( res == MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION ) ); +#endif + + if( res == 0 ) + { + ok = olen == hash_len && memcmp( output, hash_result, olen ) == 0; + if( correct == 0 ) + TEST_ASSERT( ok == 1 ); + else + TEST_ASSERT( ok == 0 ); + } } exit: @@ -262,7 +289,9 @@ void mbedtls_rsa_pkcs1_encrypt( char *message_hex_string, int padding_mode, int msg_len = unhexify( message_str, message_hex_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_pseudo_rand, &rnd_info, + MBEDTLS_RSA_PUBLIC, msg_len, + message_str, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); @@ -300,7 +329,9 @@ void rsa_pkcs1_encrypt_bad_rng( char *message_hex_string, int padding_mode, msg_len = unhexify( message_str, message_hex_string ); - TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL, MBEDTLS_RSA_PUBLIC, msg_len, message_str, output ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &rnd_zero_rand, NULL, + MBEDTLS_RSA_PUBLIC, msg_len, + message_str, output ) == result ); if( result == 0 ) { hexify( output_str, output, ctx.len ); From bc389d1d3c8edd41a8d82c8e7d0c56b222853189 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 5 Oct 2017 11:49:53 +0100 Subject: [PATCH 4/7] Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code --- include/mbedtls/rsa.h | 3 ++- library/error.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 2ffb7ab3f..562395f2b 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -48,7 +48,8 @@ #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */ #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ -#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't provide the requested operation. */ +#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, + e.g. because of security violations or lack of functionality */ /* * RSA constants diff --git a/library/error.c b/library/error.c index 0217767cc..66e6aa23c 100644 --- a/library/error.c +++ b/library/error.c @@ -332,7 +332,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" ); if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) ) - mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't provide the requested operation" ); + mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, "\ + "e.g. because of security violations or lack of functionality" ); #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_SSL_TLS_C) From 7e304fcac93209450fd835a006405d3cf48f0216 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 5 Oct 2017 11:50:16 +0100 Subject: [PATCH 5/7] Move deprecation to separate section in ChangeLog --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b7fb5d5d6..569f12f60 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,7 +6,7 @@ Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. -API Changes +New deprecations * Deprecate usage of RSA primitives with non-matching key-type (e.g., signing with a public key). From 86ffd80456f154b7a44b512d3e9aae23653bae6f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 10 Dec 2017 20:04:13 +0100 Subject: [PATCH 6/7] Register new error code in error.h --- include/mbedtls/error.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 31591e2d6..d51bcdec3 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -75,7 +75,7 @@ * PKCS5 2 4 (Started from top) * DHM 3 9 * PK 3 14 (Started from top) - * RSA 4 9 + * RSA 4 10 * ECP 4 8 (Started from top) * MD 5 4 * CIPHER 6 6 From 1434a365a64e7f95626f8ffa0fb08d912a1119fd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 13 Dec 2017 11:24:49 +0000 Subject: [PATCH 7/7] Don't split error code description across multiple lines --- include/mbedtls/rsa.h | 3 +-- library/error.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 562395f2b..d04e71d58 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -48,8 +48,7 @@ #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */ #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ -#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, - e.g. because of security violations or lack of functionality */ +#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality */ /* * RSA constants diff --git a/library/error.c b/library/error.c index 66e6aa23c..23e4953fc 100644 --- a/library/error.c +++ b/library/error.c @@ -332,8 +332,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" ); if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) ) - mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, "\ - "e.g. because of security violations or lack of functionality" ); + mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality" ); #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_SSL_TLS_C)