Merge remote-tracking branch 'restricted/pr/397' into development

* restricted/pr/397:
  Don't split error code description across multiple lines
  Register new error code in error.h
  Move deprecation to separate section in ChangeLog
  Extend scope of ERR_RSA_UNSUPPORTED_OPERATION error code
  Adapt RSA test suite
  Adapt ChangeLog
  Deprecate usage of RSA primitives with wrong key type

include/mbedtls/error.h

@@ -75,7 +75,7 @@
  * PKCS5     2   4 (Started from top)
  * DHM       3   9
  * PK        3   14 (Started from top)
- * RSA       4   9
+ * RSA       4   10
  * ECP       4   8 (Started from top)
  * MD        5   4
  * CIPHER    6   6

include/mbedtls/rsa.h

@@ -48,6 +48,7 @@
 #define MBEDTLS_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
 #define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
+#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500  /**< The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality */
 
 /*
  * RSA constants
@@ -250,6 +251,15 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
  * \param input    buffer holding the data to be encrypted
  * \param output   buffer that will hold the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           The output buffer must be as large as the size
@@ -273,6 +283,15 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
  * \param input    buffer holding the data to be encrypted
  * \param output   buffer that will hold the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           The output buffer must be as large as the size
@@ -299,6 +318,15 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
  * \param input    buffer holding the data to be encrypted
  * \param output   buffer that will hold the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           The output buffer must be as large as the size
@@ -327,13 +355,22 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
  * \param output   buffer that will hold the plaintext
  * \param output_max_len    maximum length of the output buffer
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           The output buffer length \c output_max_len should be
  *                 as large as the size ctx->len of ctx->N (eg. 128 bytes
  *                 if RSA-1024 is used) to be able to hold an arbitrary
  *                 decrypted message. If it is not large enough to hold
- *                 the decryption of the particular ciphertext provided, 
+ *                 the decryption of the particular ciphertext provided,
  *                 the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \note           The input buffer must be as large as the size
@@ -359,13 +396,22 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
  * \param output   buffer that will hold the plaintext
  * \param output_max_len    maximum length of the output buffer
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           The output buffer length \c output_max_len should be
  *                 as large as the size ctx->len of ctx->N (eg. 128 bytes
  *                 if RSA-1024 is used) to be able to hold an arbitrary
  *                 decrypted message. If it is not large enough to hold
- *                 the decryption of the particular ciphertext provided, 
+ *                 the decryption of the particular ciphertext provided,
  *                 the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \note           The input buffer must be as large as the size
@@ -393,16 +439,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
  * \param output   buffer that will hold the plaintext
  * \param output_max_len    maximum length of the output buffer
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           The output buffer length \c output_max_len should be
  *                 as large as the size ctx->len of ctx->N (eg. 128 bytes
  *                 if RSA-1024 is used) to be able to hold an arbitrary
  *                 decrypted message. If it is not large enough to hold
- *                 the decryption of the particular ciphertext provided, 
+ *                 the decryption of the particular ciphertext provided,
  *                 the function will return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \note           The input buffer must be as large as the size 
+ * \note           The input buffer must be as large as the size
  *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
  */
 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
@@ -430,6 +485,15 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  * \param hash     buffer holding the message digest
  * \param sig      buffer that will hold the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if the signing operation was successful,
  *                 or an MBEDTLS_ERR_RSA_XXX error code
  *
@@ -460,6 +524,15 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  * \param hash     buffer holding the message digest
  * \param sig      buffer that will hold the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if the signing operation was successful,
  *                 or an MBEDTLS_ERR_RSA_XXX error code
  *
@@ -488,6 +561,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  * \param hash     buffer holding the message digest
  * \param sig      buffer that will hold the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PUBLIC and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if the signing operation was successful,
  *                 or an MBEDTLS_ERR_RSA_XXX error code
  *
@@ -522,6 +604,15 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  * \param hash     buffer holding the message digest
  * \param sig      buffer holding the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if the verify operation was successful,
  *                 or an MBEDTLS_ERR_RSA_XXX error code
  *
@@ -552,6 +643,15 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  * \param hash     buffer holding the message digest
  * \param sig      buffer holding the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if the verify operation was successful,
  *                 or an MBEDTLS_ERR_RSA_XXX error code
  *
@@ -580,6 +680,15 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  * \param hash     buffer holding the message digest
  * \param sig      buffer holding the ciphertext
  *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
+ *                 are likely to remove the mode argument and have it implicitly
+ *                 set to MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to MBEDTLS_RSA_PRIVATE and may instead
+ *                 return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ *
  * \return         0 if the verify operation was successful,
  *                 or an MBEDTLS_ERR_RSA_XXX error code
  *