Bignum: Deprecate mbedtls_mpi_is_prime()

When using a primality testing function the tolerable error rate depends on the scheme in question, the required security strength and wether it is used for key generation or parameter validation. To support all use cases we need more flexibility than what the old API provides.
2018-09-18 14:48:23 +01:00 · 2018-09-18 14:48:23 +01:00 · a0b67c2f3e
commit a0b67c2f3e
parent da31fa137a
6 changed files with 70 additions and 18 deletions
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@ -725,10 +725,19 @@ int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B
 */
 int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N );

+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
 /**
 * \brief          Miller-Rabin primality test with error probability of
 *                 2<sup>-80</sup>
 *
+ * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
+ *                 specifying the number of Miller-Rabin rounds.
+ *
 * \param X        MPI to check
 * \param f_rng    RNG function
 * \param p_rng    RNG parameter
@ -737,10 +746,38 @@ int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
 *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
 *                 MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if X is not prime
 */
-int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng );
+MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                          int (*f_rng)(void *, unsigned char *, size_t),
+                          void *p_rng );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */

+/**
+ * \brief          Miller-Rabin primality test.
+ *
+ * \warning        If \p X is potentially generated by an adversary, for example
+ *                 when validating cryptographic parameters that you didn't
+ *                 generate yourself and that are supposed to be prime, then
+ *                 \p rounds should be at least the half of the security
+ *                 strength of the cryptographic algorithm. On the other hand,
+ *                 if \p X is chosen uniformly or non-adversially (as is the
+ *                 case when mbedtls_mpi_gen_prime calls this function), then
+ *                 \p rounds can be much lower.
+ *
+ * \param X        MPI to check
+ * \param rounds   Number of bases to perform Miller-Rabin primality test for.
+ *                 The probability of returning 0 on a composite is at most
+ *                 2<sup>-2*\p rounds</sup>.
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ *
+ * \return         0 if successful (probably prime),
+ *                 MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if X is not prime
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng );
 /**
 * \brief Flags for mbedtls_mpi_gen_prime()
 *