TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / include / mbedcrypto / rsa.h
blob: 0c33caecd67f85f6a27576243929d1550605c97a [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/**
2 * \file rsa.h
3 *
4 * \brief This file provides an API for the RSA public-key cryptosystem.
5 *
6 * The RSA public-key cryptosystem is defined in <em>Public-Key
7 * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
8 * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
9 * RSA Cryptography Specifications</em>.
10 *
11 */
12/*
13 * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
14 * SPDX-License-Identifier: Apache-2.0
15 *
16 * Licensed under the Apache License, Version 2.0 (the "License"); you may
17 * not use this file except in compliance with the License.
18 * You may obtain a copy of the License at
19 *
20 * http://www.apache.org/licenses/LICENSE-2.0
21 *
22 * Unless required by applicable law or agreed to in writing, software
23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
25 * See the License for the specific language governing permissions and
26 * limitations under the License.
27 *
28 * This file is part of Mbed Crypto (https://tls.mbed.org)
29 */
30#ifndef MBEDCRYPTO_RSA_H
31#define MBEDCRYPTO_RSA_H
32
33#if !defined(MBEDCRYPTO_CONFIG_FILE)
34#include "config.h"
35#else
36#include MBEDCRYPTO_CONFIG_FILE
37#endif
38
39#include "bignum.h"
40#include "md.h"
41
42#if defined(MBEDCRYPTO_THREADING_C)
43#include "threading.h"
44#endif
45
46/*
47 * RSA Error codes
48 */
49#define MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
50#define MBEDCRYPTO_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
51#define MBEDCRYPTO_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
52#define MBEDCRYPTO_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the validity check of the library. */
53#define MBEDCRYPTO_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
54#define MBEDCRYPTO_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
55#define MBEDCRYPTO_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
56#define MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
57#define MBEDCRYPTO_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
58#define MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
59#define MBEDCRYPTO_ERR_RSA_HW_ACCEL_FAILED -0x4580 /**< RSA hardware accelerator failed. */
60
61/*
62 * RSA constants
63 */
64#define MBEDCRYPTO_RSA_PUBLIC 0 /**< Request private key operation. */
65#define MBEDCRYPTO_RSA_PRIVATE 1 /**< Request public key operation. */
66
67#define MBEDCRYPTO_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */
68#define MBEDCRYPTO_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */
69
70#define MBEDCRYPTO_RSA_SIGN 1 /**< Identifier for RSA signature operations. */
71#define MBEDCRYPTO_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */
72
73#define MBEDCRYPTO_RSA_SALT_LEN_ANY -1
74
75/*
76 * The above constants may be used even if the RSA module is compile out,
77 * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
78 */
79
80#ifdef __cplusplus
81extern "C" {
82#endif
83
84#if !defined(MBEDCRYPTO_RSA_ALT)
85// Regular implementation
86//
87
88/**
89 * \brief The RSA context structure.
90 *
91 * \note Direct manipulation of the members of this structure
92 * is deprecated. All manipulation should instead be done through
93 * the public interface functions.
94 */
95typedef struct
96{
97 int ver; /*!< Always 0.*/
98 size_t len; /*!< The size of \p N in Bytes. */
99
100 mbedcrypto_mpi N; /*!< The public modulus. */
101 mbedcrypto_mpi E; /*!< The public exponent. */
102
103 mbedcrypto_mpi D; /*!< The private exponent. */
104 mbedcrypto_mpi P; /*!< The first prime factor. */
105 mbedcrypto_mpi Q; /*!< The second prime factor. */
106
107 mbedcrypto_mpi DP; /*!< <code>D % (P - 1)</code>. */
108 mbedcrypto_mpi DQ; /*!< <code>D % (Q - 1)</code>. */
109 mbedcrypto_mpi QP; /*!< <code>1 / (Q % P)</code>. */
110
111 mbedcrypto_mpi RN; /*!< cached <code>R^2 mod N</code>. */
112
113 mbedcrypto_mpi RP; /*!< cached <code>R^2 mod P</code>. */
114 mbedcrypto_mpi RQ; /*!< cached <code>R^2 mod Q</code>. */
115
116 mbedcrypto_mpi Vi; /*!< The cached blinding value. */
117 mbedcrypto_mpi Vf; /*!< The cached un-blinding value. */
118
119 int padding; /*!< Selects padding mode:
120 #MBEDCRYPTO_RSA_PKCS_V15 for 1.5 padding and
121 #MBEDCRYPTO_RSA_PKCS_V21 for OAEP or PSS. */
122 int hash_id; /*!< Hash identifier of mbedcrypto_md_type_t type,
123 as specified in md.h for use in the MGF
124 mask generating function used in the
125 EME-OAEP and EMSA-PSS encodings. */
126#if defined(MBEDCRYPTO_THREADING_C)
127 mbedcrypto_threading_mutex_t mutex; /*!< Thread-safety mutex. */
128#endif
129}
130mbedcrypto_rsa_context;
131
132#else /* MBEDCRYPTO_RSA_ALT */
133#include "rsa_alt.h"
134#endif /* MBEDCRYPTO_RSA_ALT */
135
136/**
137 * \brief This function initializes an RSA context.
138 *
139 * \note Set padding to #MBEDCRYPTO_RSA_PKCS_V21 for the RSAES-OAEP
140 * encryption scheme and the RSASSA-PSS signature scheme.
141 *
142 * \note The \p hash_id parameter is ignored when using
143 * #MBEDCRYPTO_RSA_PKCS_V15 padding.
144 *
145 * \note The choice of padding mode is strictly enforced for private key
146 * operations, since there might be security concerns in
147 * mixing padding modes. For public key operations it is
148 * a default value, which can be overriden by calling specific
149 * \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
150 *
151 * \note The hash selected in \p hash_id is always used for OEAP
152 * encryption. For PSS signatures, it is always used for
153 * making signatures, but can be overriden for verifying them.
154 * If set to #MBEDCRYPTO_MD_NONE, it is always overriden.
155 *
156 * \param ctx The RSA context to initialize.
157 * \param padding Selects padding mode: #MBEDCRYPTO_RSA_PKCS_V15 or
158 * #MBEDCRYPTO_RSA_PKCS_V21.
159 * \param hash_id The hash identifier of #mbedcrypto_md_type_t type, if
160 * \p padding is #MBEDCRYPTO_RSA_PKCS_V21.
161 */
162void mbedcrypto_rsa_init( mbedcrypto_rsa_context *ctx,
163 int padding,
164 int hash_id);
165
166/**
167 * \brief This function imports a set of core parameters into an
168 * RSA context.
169 *
170 * \note This function can be called multiple times for successive
171 * imports, if the parameters are not simultaneously present.
172 *
173 * Any sequence of calls to this function should be followed
174 * by a call to mbedcrypto_rsa_complete(), which checks and
175 * completes the provided information to a ready-for-use
176 * public or private RSA key.
177 *
178 * \note See mbedcrypto_rsa_complete() for more information on which
179 * parameters are necessary to set up a private or public
180 * RSA key.
181 *
182 * \note The imported parameters are copied and need not be preserved
183 * for the lifetime of the RSA context being set up.
184 *
185 * \param ctx The initialized RSA context to store the parameters in.
186 * \param N The RSA modulus, or NULL.
187 * \param P The first prime factor of \p N, or NULL.
188 * \param Q The second prime factor of \p N, or NULL.
189 * \param D The private exponent, or NULL.
190 * \param E The public exponent, or NULL.
191 *
192 * \return \c 0 on success.
193 * \return A non-zero error code on failure.
194 */
195int mbedcrypto_rsa_import( mbedcrypto_rsa_context *ctx,
196 const mbedcrypto_mpi *N,
197 const mbedcrypto_mpi *P, const mbedcrypto_mpi *Q,
198 const mbedcrypto_mpi *D, const mbedcrypto_mpi *E );
199
200/**
201 * \brief This function imports core RSA parameters, in raw big-endian
202 * binary format, into an RSA context.
203 *
204 * \note This function can be called multiple times for successive
205 * imports, if the parameters are not simultaneously present.
206 *
207 * Any sequence of calls to this function should be followed
208 * by a call to mbedcrypto_rsa_complete(), which checks and
209 * completes the provided information to a ready-for-use
210 * public or private RSA key.
211 *
212 * \note See mbedcrypto_rsa_complete() for more information on which
213 * parameters are necessary to set up a private or public
214 * RSA key.
215 *
216 * \note The imported parameters are copied and need not be preserved
217 * for the lifetime of the RSA context being set up.
218 *
219 * \param ctx The initialized RSA context to store the parameters in.
220 * \param N The RSA modulus, or NULL.
221 * \param N_len The Byte length of \p N, ignored if \p N == NULL.
222 * \param P The first prime factor of \p N, or NULL.
223 * \param P_len The Byte length of \p P, ignored if \p P == NULL.
224 * \param Q The second prime factor of \p N, or NULL.
225 * \param Q_len The Byte length of \p Q, ignored if \p Q == NULL.
226 * \param D The private exponent, or NULL.
227 * \param D_len The Byte length of \p D, ignored if \p D == NULL.
228 * \param E The public exponent, or NULL.
229 * \param E_len The Byte length of \p E, ignored if \p E == NULL.
230 *
231 * \return \c 0 on success.
232 * \return A non-zero error code on failure.
233 */
234int mbedcrypto_rsa_import_raw( mbedcrypto_rsa_context *ctx,
235 unsigned char const *N, size_t N_len,
236 unsigned char const *P, size_t P_len,
237 unsigned char const *Q, size_t Q_len,
238 unsigned char const *D, size_t D_len,
239 unsigned char const *E, size_t E_len );
240
241/**
242 * \brief This function completes an RSA context from
243 * a set of imported core parameters.
244 *
245 * To setup an RSA public key, precisely \p N and \p E
246 * must have been imported.
247 *
248 * To setup an RSA private key, sufficient information must
249 * be present for the other parameters to be derivable.
250 *
251 * The default implementation supports the following:
252 * <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li>
253 * <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul>
254 * Alternative implementations need not support these.
255 *
256 * If this function runs successfully, it guarantees that
257 * the RSA context can be used for RSA operations without
258 * the risk of failure or crash.
259 *
260 * \warning This function need not perform consistency checks
261 * for the imported parameters. In particular, parameters that
262 * are not needed by the implementation might be silently
263 * discarded and left unchecked. To check the consistency
264 * of the key material, see mbedcrypto_rsa_check_privkey().
265 *
266 * \param ctx The initialized RSA context holding imported parameters.
267 *
268 * \return \c 0 on success.
269 * \return #MBEDCRYPTO_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
270 * failed.
271 *
272 */
273int mbedcrypto_rsa_complete( mbedcrypto_rsa_context *ctx );
274
275/**
276 * \brief This function exports the core parameters of an RSA key.
277 *
278 * If this function runs successfully, the non-NULL buffers
279 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
280 * written, with additional unused space filled leading by
281 * zero Bytes.
282 *
283 * Possible reasons for returning
284 * #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
285 * <li>An alternative RSA implementation is in use, which
286 * stores the key externally, and either cannot or should
287 * not export it into RAM.</li>
288 * <li>A SW or HW implementation might not support a certain
289 * deduction. For example, \p P, \p Q from \p N, \p D,
290 * and \p E if the former are not part of the
291 * implementation.</li></ul>
292 *
293 * If the function fails due to an unsupported operation,
294 * the RSA context stays intact and remains usable.
295 *
296 * \param ctx The initialized RSA context.
297 * \param N The MPI to hold the RSA modulus, or NULL.
298 * \param P The MPI to hold the first prime factor of \p N, or NULL.
299 * \param Q The MPI to hold the second prime factor of \p N, or NULL.
300 * \param D The MPI to hold the private exponent, or NULL.
301 * \param E The MPI to hold the public exponent, or NULL.
302 *
303 * \return \c 0 on success.
304 * \return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
305 * requested parameters cannot be done due to missing
306 * functionality or because of security policies.
307 * \return A non-zero return code on any other failure.
308 *
309 */
310int mbedcrypto_rsa_export( const mbedcrypto_rsa_context *ctx,
311 mbedcrypto_mpi *N, mbedcrypto_mpi *P, mbedcrypto_mpi *Q,
312 mbedcrypto_mpi *D, mbedcrypto_mpi *E );
313
314/**
315 * \brief This function exports core parameters of an RSA key
316 * in raw big-endian binary format.
317 *
318 * If this function runs successfully, the non-NULL buffers
319 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
320 * written, with additional unused space filled leading by
321 * zero Bytes.
322 *
323 * Possible reasons for returning
324 * #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
325 * <li>An alternative RSA implementation is in use, which
326 * stores the key externally, and either cannot or should
327 * not export it into RAM.</li>
328 * <li>A SW or HW implementation might not support a certain
329 * deduction. For example, \p P, \p Q from \p N, \p D,
330 * and \p E if the former are not part of the
331 * implementation.</li></ul>
332 * If the function fails due to an unsupported operation,
333 * the RSA context stays intact and remains usable.
334 *
335 * \note The length parameters are ignored if the corresponding
336 * buffer pointers are NULL.
337 *
338 * \param ctx The initialized RSA context.
339 * \param N The Byte array to store the RSA modulus, or NULL.
340 * \param N_len The size of the buffer for the modulus.
341 * \param P The Byte array to hold the first prime factor of \p N, or
342 * NULL.
343 * \param P_len The size of the buffer for the first prime factor.
344 * \param Q The Byte array to hold the second prime factor of \p N, or
345 * NULL.
346 * \param Q_len The size of the buffer for the second prime factor.
347 * \param D The Byte array to hold the private exponent, or NULL.
348 * \param D_len The size of the buffer for the private exponent.
349 * \param E The Byte array to hold the public exponent, or NULL.
350 * \param E_len The size of the buffer for the public exponent.
351 *
352 * \return \c 0 on success.
353 * \return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
354 * requested parameters cannot be done due to missing
355 * functionality or because of security policies.
356 * \return A non-zero return code on any other failure.
357 */
358int mbedcrypto_rsa_export_raw( const mbedcrypto_rsa_context *ctx,
359 unsigned char *N, size_t N_len,
360 unsigned char *P, size_t P_len,
361 unsigned char *Q, size_t Q_len,
362 unsigned char *D, size_t D_len,
363 unsigned char *E, size_t E_len );
364
365/**
366 * \brief This function exports CRT parameters of a private RSA key.
367 *
368 * \note Alternative RSA implementations not using CRT-parameters
369 * internally can implement this function based on
370 * mbedcrypto_rsa_deduce_opt().
371 *
372 * \param ctx The initialized RSA context.
373 * \param DP The MPI to hold D modulo P-1, or NULL.
374 * \param DQ The MPI to hold D modulo Q-1, or NULL.
375 * \param QP The MPI to hold modular inverse of Q modulo P, or NULL.
376 *
377 * \return \c 0 on success.
378 * \return A non-zero error code on failure.
379 *
380 */
381int mbedcrypto_rsa_export_crt( const mbedcrypto_rsa_context *ctx,
382 mbedcrypto_mpi *DP, mbedcrypto_mpi *DQ, mbedcrypto_mpi *QP );
383
384/**
385 * \brief This function sets padding for an already initialized RSA
386 * context. See mbedcrypto_rsa_init() for details.
387 *
388 * \param ctx The RSA context to be set.
389 * \param padding Selects padding mode: #MBEDCRYPTO_RSA_PKCS_V15 or
390 * #MBEDCRYPTO_RSA_PKCS_V21.
391 * \param hash_id The #MBEDCRYPTO_RSA_PKCS_V21 hash identifier.
392 */
393void mbedcrypto_rsa_set_padding( mbedcrypto_rsa_context *ctx, int padding,
394 int hash_id);
395
396/**
397 * \brief This function retrieves the length of RSA modulus in Bytes.
398 *
399 * \param ctx The initialized RSA context.
400 *
401 * \return The length of the RSA modulus in Bytes.
402 *
403 */
404size_t mbedcrypto_rsa_get_len( const mbedcrypto_rsa_context *ctx );
405
406/**
407 * \brief This function retrieves the length of the RSA modulus in bits.
408 *
409 * \param ctx The initialized RSA context.
410 *
411 * \return The length of the RSA modulus in bits.
412 *
413 */
414size_t mbedcrypto_rsa_get_bitlen( const mbedcrypto_rsa_context *ctx );
415
416/**
417 * \brief This function generates an RSA keypair.
418 *
419 * \note mbedcrypto_rsa_init() must be called before this function,
420 * to set up the RSA context.
421 *
422 * \param ctx The RSA context used to hold the key.
423 * \param f_rng The RNG function.
424 * \param p_rng The RNG context.
425 * \param nbits The size of the public key in bits.
426 * \param exponent The public exponent. For example, 65537.
427 *
428 * \return \c 0 on success.
429 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
430 */
431int mbedcrypto_rsa_gen_key( mbedcrypto_rsa_context *ctx,
432 int (*f_rng)(void *, unsigned char *, size_t),
433 void *p_rng,
434 unsigned int nbits, int exponent );
435
436/**
437 * \brief This function checks if a context contains at least an RSA
438 * public key.
439 *
440 * If the function runs successfully, it is guaranteed that
441 * enough information is present to perform an RSA public key
442 * operation using mbedcrypto_rsa_public().
443 *
444 * \param ctx The RSA context to check.
445 *
446 * \return \c 0 on success.
447 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
448 *
449 */
450int mbedcrypto_rsa_check_pubkey( const mbedcrypto_rsa_context *ctx );
451
452/**
453 * \brief This function checks if a context contains an RSA private key
454 * and perform basic consistency checks.
455 *
456 * \note The consistency checks performed by this function not only
457 * ensure that mbedcrypto_rsa_private() can be called successfully
458 * on the given context, but that the various parameters are
459 * mutually consistent with high probability, in the sense that
460 * mbedcrypto_rsa_public() and mbedcrypto_rsa_private() are inverses.
461 *
462 * \warning This function should catch accidental misconfigurations
463 * like swapping of parameters, but it cannot establish full
464 * trust in neither the quality nor the consistency of the key
465 * material that was used to setup the given RSA context:
466 * <ul><li>Consistency: Imported parameters that are irrelevant
467 * for the implementation might be silently dropped. If dropped,
468 * the current function does not have access to them,
469 * and therefore cannot check them. See mbedcrypto_rsa_complete().
470 * If you want to check the consistency of the entire
471 * content of an PKCS1-encoded RSA private key, for example, you
472 * should use mbedcrypto_rsa_validate_params() before setting
473 * up the RSA context.
474 * Additionally, if the implementation performs empirical checks,
475 * these checks substantiate but do not guarantee consistency.</li>
476 * <li>Quality: This function is not expected to perform
477 * extended quality assessments like checking that the prime
478 * factors are safe. Additionally, it is the responsibility of the
479 * user to ensure the trustworthiness of the source of his RSA
480 * parameters, which goes beyond what is effectively checkable
481 * by the library.</li></ul>
482 *
483 * \param ctx The RSA context to check.
484 *
485 * \return \c 0 on success.
486 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
487 */
488int mbedcrypto_rsa_check_privkey( const mbedcrypto_rsa_context *ctx );
489
490/**
491 * \brief This function checks a public-private RSA key pair.
492 *
493 * It checks each of the contexts, and makes sure they match.
494 *
495 * \param pub The RSA context holding the public key.
496 * \param prv The RSA context holding the private key.
497 *
498 * \return \c 0 on success.
499 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
500 */
501int mbedcrypto_rsa_check_pub_priv( const mbedcrypto_rsa_context *pub,
502 const mbedcrypto_rsa_context *prv );
503
504/**
505 * \brief This function performs an RSA public key operation.
506 *
507 * \note This function does not handle message padding.
508 *
509 * \note Make sure to set \p input[0] = 0 or ensure that
510 * input is smaller than \p N.
511 *
512 * \note The input and output buffers must be large
513 * enough. For example, 128 Bytes if RSA-1024 is used.
514 *
515 * \param ctx The RSA context.
516 * \param input The input buffer.
517 * \param output The output buffer.
518 *
519 * \return \c 0 on success.
520 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
521 */
522int mbedcrypto_rsa_public( mbedcrypto_rsa_context *ctx,
523 const unsigned char *input,
524 unsigned char *output );
525
526/**
527 * \brief This function performs an RSA private key operation.
528 *
529 * \note The input and output buffers must be large
530 * enough. For example, 128 Bytes if RSA-1024 is used.
531 *
532 * \note Blinding is used if and only if a PRNG is provided.
533 *
534 * \note If blinding is used, both the base of exponentation
535 * and the exponent are blinded, providing protection
536 * against some side-channel attacks.
537 *
538 * \warning It is deprecated and a security risk to not provide
539 * a PRNG here and thereby prevent the use of blinding.
540 * Future versions of the library may enforce the presence
541 * of a PRNG.
542 *
543 * \param ctx The RSA context.
544 * \param f_rng The RNG function. Needed for blinding.
545 * \param p_rng The RNG context.
546 * \param input The input buffer.
547 * \param output The output buffer.
548 *
549 * \return \c 0 on success.
550 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
551 *
552 */
553int mbedcrypto_rsa_private( mbedcrypto_rsa_context *ctx,
554 int (*f_rng)(void *, unsigned char *, size_t),
555 void *p_rng,
556 const unsigned char *input,
557 unsigned char *output );
558
559/**
560 * \brief This function adds the message padding, then performs an RSA
561 * operation.
562 *
563 * It is the generic wrapper for performing a PKCS#1 encryption
564 * operation using the \p mode from the context.
565 *
566 * \note The input and output buffers must be as large as the size
567 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
568 *
569 * \deprecated It is deprecated and discouraged to call this function
570 * in #MBEDCRYPTO_RSA_PRIVATE mode. Future versions of the library
571 * are likely to remove the \p mode argument and have it
572 * implicitly set to #MBEDCRYPTO_RSA_PUBLIC.
573 *
574 * \note Alternative implementations of RSA need not support
575 * mode being set to #MBEDCRYPTO_RSA_PRIVATE and might instead
576 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
577 *
578 * \param ctx The RSA context.
579 * \param f_rng The RNG function. Needed for padding, PKCS#1 v2.1
580 * encoding, and #MBEDCRYPTO_RSA_PRIVATE.
581 * \param p_rng The RNG context.
582 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
583 * \param ilen The length of the plaintext.
584 * \param input The buffer holding the data to encrypt.
585 * \param output The buffer used to hold the ciphertext.
586 *
587 * \return \c 0 on success.
588 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
589 */
590int mbedcrypto_rsa_pkcs1_encrypt( mbedcrypto_rsa_context *ctx,
591 int (*f_rng)(void *, unsigned char *, size_t),
592 void *p_rng,
593 int mode, size_t ilen,
594 const unsigned char *input,
595 unsigned char *output );
596
597/**
598 * \brief This function performs a PKCS#1 v1.5 encryption operation
599 * (RSAES-PKCS1-v1_5-ENCRYPT).
600 *
601 * \note The output buffer must be as large as the size
602 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
603 *
604 * \deprecated It is deprecated and discouraged to call this function
605 * in #MBEDCRYPTO_RSA_PRIVATE mode. Future versions of the library
606 * are likely to remove the \p mode argument and have it
607 * implicitly set to #MBEDCRYPTO_RSA_PUBLIC.
608 *
609 * \note Alternative implementations of RSA need not support
610 * mode being set to #MBEDCRYPTO_RSA_PRIVATE and might instead
611 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
612 *
613 * \param ctx The RSA context.
614 * \param f_rng The RNG function. Needed for padding and
615 * #MBEDCRYPTO_RSA_PRIVATE.
616 * \param p_rng The RNG context.
617 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
618 * \param ilen The length of the plaintext.
619 * \param input The buffer holding the data to encrypt.
620 * \param output The buffer used to hold the ciphertext.
621 *
622 * \return \c 0 on success.
623 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
624 */
625int mbedcrypto_rsa_rsaes_pkcs1_v15_encrypt( mbedcrypto_rsa_context *ctx,
626 int (*f_rng)(void *, unsigned char *, size_t),
627 void *p_rng,
628 int mode, size_t ilen,
629 const unsigned char *input,
630 unsigned char *output );
631
632/**
633 * \brief This function performs a PKCS#1 v2.1 OAEP encryption
634 * operation (RSAES-OAEP-ENCRYPT).
635 *
636 * \note The output buffer must be as large as the size
637 * of ctx->N. For example, 128 Bytes if RSA-1024 is used.
638 *
639 * \deprecated It is deprecated and discouraged to call this function
640 * in #MBEDCRYPTO_RSA_PRIVATE mode. Future versions of the library
641 * are likely to remove the \p mode argument and have it
642 * implicitly set to #MBEDCRYPTO_RSA_PUBLIC.
643 *
644 * \note Alternative implementations of RSA need not support
645 * mode being set to #MBEDCRYPTO_RSA_PRIVATE and might instead
646 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
647 *
648 * \param ctx The RSA context.
649 * \param f_rng The RNG function. Needed for padding and PKCS#1 v2.1
650 * encoding and #MBEDCRYPTO_RSA_PRIVATE.
651 * \param p_rng The RNG context.
652 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
653 * \param label The buffer holding the custom label to use.
654 * \param label_len The length of the label.
655 * \param ilen The length of the plaintext.
656 * \param input The buffer holding the data to encrypt.
657 * \param output The buffer used to hold the ciphertext.
658 *
659 * \return \c 0 on success.
660 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
661 */
662int mbedcrypto_rsa_rsaes_oaep_encrypt( mbedcrypto_rsa_context *ctx,
663 int (*f_rng)(void *, unsigned char *, size_t),
664 void *p_rng,
665 int mode,
666 const unsigned char *label, size_t label_len,
667 size_t ilen,
668 const unsigned char *input,
669 unsigned char *output );
670
671/**
672 * \brief This function performs an RSA operation, then removes the
673 * message padding.
674 *
675 * It is the generic wrapper for performing a PKCS#1 decryption
676 * operation using the \p mode from the context.
677 *
678 * \note The output buffer length \c output_max_len should be
679 * as large as the size \p ctx->len of \p ctx->N (for example,
680 * 128 Bytes if RSA-1024 is used) to be able to hold an
681 * arbitrary decrypted message. If it is not large enough to
682 * hold the decryption of the particular ciphertext provided,
683 * the function returns \c MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE.
684 *
685 * \note The input buffer must be as large as the size
686 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
687 *
688 * \deprecated It is deprecated and discouraged to call this function
689 * in #MBEDCRYPTO_RSA_PUBLIC mode. Future versions of the library
690 * are likely to remove the \p mode argument and have it
691 * implicitly set to #MBEDCRYPTO_RSA_PRIVATE.
692 *
693 * \note Alternative implementations of RSA need not support
694 * mode being set to #MBEDCRYPTO_RSA_PUBLIC and might instead
695 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
696 *
697 * \param ctx The RSA context.
698 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
699 * \param p_rng The RNG context.
700 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
701 * \param olen The length of the plaintext.
702 * \param input The buffer holding the encrypted data.
703 * \param output The buffer used to hold the plaintext.
704 * \param output_max_len The maximum length of the output buffer.
705 *
706 * \return \c 0 on success.
707 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
708 */
709int mbedcrypto_rsa_pkcs1_decrypt( mbedcrypto_rsa_context *ctx,
710 int (*f_rng)(void *, unsigned char *, size_t),
711 void *p_rng,
712 int mode, size_t *olen,
713 const unsigned char *input,
714 unsigned char *output,
715 size_t output_max_len );
716
717/**
718 * \brief This function performs a PKCS#1 v1.5 decryption
719 * operation (RSAES-PKCS1-v1_5-DECRYPT).
720 *
721 * \note The output buffer length \c output_max_len should be
722 * as large as the size \p ctx->len of \p ctx->N, for example,
723 * 128 Bytes if RSA-1024 is used, to be able to hold an
724 * arbitrary decrypted message. If it is not large enough to
725 * hold the decryption of the particular ciphertext provided,
726 * the function returns #MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE.
727 *
728 * \note The input buffer must be as large as the size
729 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
730 *
731 * \deprecated It is deprecated and discouraged to call this function
732 * in #MBEDCRYPTO_RSA_PUBLIC mode. Future versions of the library
733 * are likely to remove the \p mode argument and have it
734 * implicitly set to #MBEDCRYPTO_RSA_PRIVATE.
735 *
736 * \note Alternative implementations of RSA need not support
737 * mode being set to #MBEDCRYPTO_RSA_PUBLIC and might instead
738 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
739 *
740 * \param ctx The RSA context.
741 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
742 * \param p_rng The RNG context.
743 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
744 * \param olen The length of the plaintext.
745 * \param input The buffer holding the encrypted data.
746 * \param output The buffer to hold the plaintext.
747 * \param output_max_len The maximum length of the output buffer.
748 *
749 * \return \c 0 on success.
750 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
751 *
752 */
753int mbedcrypto_rsa_rsaes_pkcs1_v15_decrypt( mbedcrypto_rsa_context *ctx,
754 int (*f_rng)(void *, unsigned char *, size_t),
755 void *p_rng,
756 int mode, size_t *olen,
757 const unsigned char *input,
758 unsigned char *output,
759 size_t output_max_len );
760
761/**
762 * \brief This function performs a PKCS#1 v2.1 OAEP decryption
763 * operation (RSAES-OAEP-DECRYPT).
764 *
765 * \note The output buffer length \c output_max_len should be
766 * as large as the size \p ctx->len of \p ctx->N, for
767 * example, 128 Bytes if RSA-1024 is used, to be able to
768 * hold an arbitrary decrypted message. If it is not
769 * large enough to hold the decryption of the particular
770 * ciphertext provided, the function returns
771 * #MBEDCRYPTO_ERR_RSA_OUTPUT_TOO_LARGE.
772 *
773 * \note The input buffer must be as large as the size
774 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
775 *
776 * \deprecated It is deprecated and discouraged to call this function
777 * in #MBEDCRYPTO_RSA_PUBLIC mode. Future versions of the library
778 * are likely to remove the \p mode argument and have it
779 * implicitly set to #MBEDCRYPTO_RSA_PRIVATE.
780 *
781 * \note Alternative implementations of RSA need not support
782 * mode being set to #MBEDCRYPTO_RSA_PUBLIC and might instead
783 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
784 *
785 * \param ctx The RSA context.
786 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
787 * \param p_rng The RNG context.
788 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
789 * \param label The buffer holding the custom label to use.
790 * \param label_len The length of the label.
791 * \param olen The length of the plaintext.
792 * \param input The buffer holding the encrypted data.
793 * \param output The buffer to hold the plaintext.
794 * \param output_max_len The maximum length of the output buffer.
795 *
796 * \return \c 0 on success.
797 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
798 */
799int mbedcrypto_rsa_rsaes_oaep_decrypt( mbedcrypto_rsa_context *ctx,
800 int (*f_rng)(void *, unsigned char *, size_t),
801 void *p_rng,
802 int mode,
803 const unsigned char *label, size_t label_len,
804 size_t *olen,
805 const unsigned char *input,
806 unsigned char *output,
807 size_t output_max_len );
808
809/**
810 * \brief This function performs a private RSA operation to sign
811 * a message digest using PKCS#1.
812 *
813 * It is the generic wrapper for performing a PKCS#1
814 * signature using the \p mode from the context.
815 *
816 * \note The \p sig buffer must be as large as the size
817 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
818 *
819 * \note For PKCS#1 v2.1 encoding, see comments on
820 * mbedcrypto_rsa_rsassa_pss_sign() for details on
821 * \p md_alg and \p hash_id.
822 *
823 * \deprecated It is deprecated and discouraged to call this function
824 * in #MBEDCRYPTO_RSA_PUBLIC mode. Future versions of the library
825 * are likely to remove the \p mode argument and have it
826 * implicitly set to #MBEDCRYPTO_RSA_PRIVATE.
827 *
828 * \note Alternative implementations of RSA need not support
829 * mode being set to #MBEDCRYPTO_RSA_PUBLIC and might instead
830 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
831 *
832 * \param ctx The RSA context.
833 * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
834 * #MBEDCRYPTO_RSA_PRIVATE.
835 * \param p_rng The RNG context.
836 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
837 * \param md_alg The message-digest algorithm used to hash the original data.
838 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
839 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDCRYPTO_MD_NONE.
840 * \param hash The buffer holding the message digest.
841 * \param sig The buffer to hold the ciphertext.
842 *
843 * \return \c 0 if the signing operation was successful.
844 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
845 */
846int mbedcrypto_rsa_pkcs1_sign( mbedcrypto_rsa_context *ctx,
847 int (*f_rng)(void *, unsigned char *, size_t),
848 void *p_rng,
849 int mode,
850 mbedcrypto_md_type_t md_alg,
851 unsigned int hashlen,
852 const unsigned char *hash,
853 unsigned char *sig );
854
855/**
856 * \brief This function performs a PKCS#1 v1.5 signature
857 * operation (RSASSA-PKCS1-v1_5-SIGN).
858 *
859 * \note The \p sig buffer must be as large as the size
860 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
861 *
862 * \deprecated It is deprecated and discouraged to call this function
863 * in #MBEDCRYPTO_RSA_PUBLIC mode. Future versions of the library
864 * are likely to remove the \p mode argument and have it
865 * implicitly set to #MBEDCRYPTO_RSA_PRIVATE.
866 *
867 * \note Alternative implementations of RSA need not support
868 * mode being set to #MBEDCRYPTO_RSA_PUBLIC and might instead
869 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
870 *
871 * \param ctx The RSA context.
872 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
873 * \param p_rng The RNG context.
874 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
875 * \param md_alg The message-digest algorithm used to hash the original data.
876 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
877 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDCRYPTO_MD_NONE.
878 * \param hash The buffer holding the message digest.
879 * \param sig The buffer to hold the ciphertext.
880 *
881 * \return \c 0 if the signing operation was successful.
882 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
883 */
884int mbedcrypto_rsa_rsassa_pkcs1_v15_sign( mbedcrypto_rsa_context *ctx,
885 int (*f_rng)(void *, unsigned char *, size_t),
886 void *p_rng,
887 int mode,
888 mbedcrypto_md_type_t md_alg,
889 unsigned int hashlen,
890 const unsigned char *hash,
891 unsigned char *sig );
892
893/**
894 * \brief This function performs a PKCS#1 v2.1 PSS signature
895 * operation (RSASSA-PSS-SIGN).
896 *
897 * \note The \p sig buffer must be as large as the size
898 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
899 *
900 * \note The \p hash_id in the RSA context is the one used for the
901 * encoding. \p md_alg in the function call is the type of hash
902 * that is encoded. According to <em>RFC-3447: Public-Key
903 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
904 * Specifications</em> it is advised to keep both hashes the
905 * same.
906 *
907 * \deprecated It is deprecated and discouraged to call this function
908 * in #MBEDCRYPTO_RSA_PUBLIC mode. Future versions of the library
909 * are likely to remove the \p mode argument and have it
910 * implicitly set to #MBEDCRYPTO_RSA_PRIVATE.
911 *
912 * \note Alternative implementations of RSA need not support
913 * mode being set to #MBEDCRYPTO_RSA_PUBLIC and might instead
914 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
915 *
916 * \param ctx The RSA context.
917 * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
918 * #MBEDCRYPTO_RSA_PRIVATE.
919 * \param p_rng The RNG context.
920 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
921 * \param md_alg The message-digest algorithm used to hash the original data.
922 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
923 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDCRYPTO_MD_NONE.
924 * \param hash The buffer holding the message digest.
925 * \param sig The buffer to hold the ciphertext.
926 *
927 * \return \c 0 if the signing operation was successful.
928 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
929 */
930int mbedcrypto_rsa_rsassa_pss_sign( mbedcrypto_rsa_context *ctx,
931 int (*f_rng)(void *, unsigned char *, size_t),
932 void *p_rng,
933 int mode,
934 mbedcrypto_md_type_t md_alg,
935 unsigned int hashlen,
936 const unsigned char *hash,
937 unsigned char *sig );
938
939/**
940 * \brief This function performs a public RSA operation and checks
941 * the message digest.
942 *
943 * This is the generic wrapper for performing a PKCS#1
944 * verification using the mode from the context.
945 *
946 * \note The \p sig buffer must be as large as the size
947 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
948 *
949 * \note For PKCS#1 v2.1 encoding, see comments on
950 * mbedcrypto_rsa_rsassa_pss_verify() about \p md_alg and
951 * \p hash_id.
952 *
953 * \deprecated It is deprecated and discouraged to call this function
954 * in #MBEDCRYPTO_RSA_PRIVATE mode. Future versions of the library
955 * are likely to remove the \p mode argument and have it
956 * set to #MBEDCRYPTO_RSA_PUBLIC.
957 *
958 * \note Alternative implementations of RSA need not support
959 * mode being set to #MBEDCRYPTO_RSA_PRIVATE and might instead
960 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
961 *
962 * \param ctx The RSA public key context.
963 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
964 * \param p_rng The RNG context.
965 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
966 * \param md_alg The message-digest algorithm used to hash the original data.
967 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
968 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDCRYPTO_MD_NONE.
969 * \param hash The buffer holding the message digest.
970 * \param sig The buffer holding the ciphertext.
971 *
972 * \return \c 0 if the verify operation was successful.
973 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
974 */
975int mbedcrypto_rsa_pkcs1_verify( mbedcrypto_rsa_context *ctx,
976 int (*f_rng)(void *, unsigned char *, size_t),
977 void *p_rng,
978 int mode,
979 mbedcrypto_md_type_t md_alg,
980 unsigned int hashlen,
981 const unsigned char *hash,
982 const unsigned char *sig );
983
984/**
985 * \brief This function performs a PKCS#1 v1.5 verification
986 * operation (RSASSA-PKCS1-v1_5-VERIFY).
987 *
988 * \note The \p sig buffer must be as large as the size
989 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
990 *
991 * \deprecated It is deprecated and discouraged to call this function
992 * in #MBEDCRYPTO_RSA_PRIVATE mode. Future versions of the library
993 * are likely to remove the \p mode argument and have it
994 * set to #MBEDCRYPTO_RSA_PUBLIC.
995 *
996 * \note Alternative implementations of RSA need not support
997 * mode being set to #MBEDCRYPTO_RSA_PRIVATE and might instead
998 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
999 *
1000 * \param ctx The RSA public key context.
1001 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
1002 * \param p_rng The RNG context.
1003 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
1004 * \param md_alg The message-digest algorithm used to hash the original data.
1005 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
1006 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDCRYPTO_MD_NONE.
1007 * \param hash The buffer holding the message digest.
1008 * \param sig The buffer holding the ciphertext.
1009 *
1010 * \return \c 0 if the verify operation was successful.
1011 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
1012 */
1013int mbedcrypto_rsa_rsassa_pkcs1_v15_verify( mbedcrypto_rsa_context *ctx,
1014 int (*f_rng)(void *, unsigned char *, size_t),
1015 void *p_rng,
1016 int mode,
1017 mbedcrypto_md_type_t md_alg,
1018 unsigned int hashlen,
1019 const unsigned char *hash,
1020 const unsigned char *sig );
1021
1022/**
1023 * \brief This function performs a PKCS#1 v2.1 PSS verification
1024 * operation (RSASSA-PSS-VERIFY).
1025 *
1026 * The hash function for the MGF mask generating function
1027 * is that specified in the RSA context.
1028 *
1029 * \note The \p sig buffer must be as large as the size
1030 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
1031 *
1032 * \note The \p hash_id in the RSA context is the one used for the
1033 * verification. \p md_alg in the function call is the type of
1034 * hash that is verified. According to <em>RFC-3447: Public-Key
1035 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
1036 * Specifications</em> it is advised to keep both hashes the
1037 * same. If \p hash_id in the RSA context is unset,
1038 * the \p md_alg from the function call is used.
1039 *
1040 * \deprecated It is deprecated and discouraged to call this function
1041 * in #MBEDCRYPTO_RSA_PRIVATE mode. Future versions of the library
1042 * are likely to remove the \p mode argument and have it
1043 * implicitly set to #MBEDCRYPTO_RSA_PUBLIC.
1044 *
1045 * \note Alternative implementations of RSA need not support
1046 * mode being set to #MBEDCRYPTO_RSA_PRIVATE and might instead
1047 * return #MBEDCRYPTO_ERR_RSA_UNSUPPORTED_OPERATION.
1048 *
1049 * \param ctx The RSA public key context.
1050 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
1051 * \param p_rng The RNG context.
1052 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
1053 * \param md_alg The message-digest algorithm used to hash the original data.
1054 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
1055 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDCRYPTO_MD_NONE.
1056 * \param hash The buffer holding the message digest.
1057 * \param sig The buffer holding the ciphertext.
1058 *
1059 * \return \c 0 if the verify operation was successful.
1060 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
1061 */
1062int mbedcrypto_rsa_rsassa_pss_verify( mbedcrypto_rsa_context *ctx,
1063 int (*f_rng)(void *, unsigned char *, size_t),
1064 void *p_rng,
1065 int mode,
1066 mbedcrypto_md_type_t md_alg,
1067 unsigned int hashlen,
1068 const unsigned char *hash,
1069 const unsigned char *sig );
1070
1071/**
1072 * \brief This function performs a PKCS#1 v2.1 PSS verification
1073 * operation (RSASSA-PSS-VERIFY).
1074 *
1075 * The hash function for the MGF mask generating function
1076 * is that specified in \p mgf1_hash_id.
1077 *
1078 * \note The \p sig buffer must be as large as the size
1079 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
1080 *
1081 * \note The \p hash_id in the RSA context is ignored.
1082 *
1083 * \param ctx The RSA public key context.
1084 * \param f_rng The RNG function. Only needed for #MBEDCRYPTO_RSA_PRIVATE.
1085 * \param p_rng The RNG context.
1086 * \param mode #MBEDCRYPTO_RSA_PUBLIC or #MBEDCRYPTO_RSA_PRIVATE.
1087 * \param md_alg The message-digest algorithm used to hash the original data.
1088 * Use #MBEDCRYPTO_MD_NONE for signing raw data.
1089 * \param hashlen The length of the message digest. Only used if \p md_alg is
1090 * #MBEDCRYPTO_MD_NONE.
1091 * \param hash The buffer holding the message digest.
1092 * \param mgf1_hash_id The message digest used for mask generation.
1093 * \param expected_salt_len The length of the salt used in padding. Use
1094 * #MBEDCRYPTO_RSA_SALT_LEN_ANY to accept any salt length.
1095 * \param sig The buffer holding the ciphertext.
1096 *
1097 * \return \c 0 if the verify operation was successful.
1098 * \return An \c MBEDCRYPTO_ERR_RSA_XXX error code on failure.
1099 */
1100int mbedcrypto_rsa_rsassa_pss_verify_ext( mbedcrypto_rsa_context *ctx,
1101 int (*f_rng)(void *, unsigned char *, size_t),
1102 void *p_rng,
1103 int mode,
1104 mbedcrypto_md_type_t md_alg,
1105 unsigned int hashlen,
1106 const unsigned char *hash,
1107 mbedcrypto_md_type_t mgf1_hash_id,
1108 int expected_salt_len,
1109 const unsigned char *sig );
1110
1111/**
1112 * \brief This function copies the components of an RSA context.
1113 *
1114 * \param dst The destination context.
1115 * \param src The source context.
1116 *
1117 * \return \c 0 on success.
1118 * \return #MBEDCRYPTO_ERR_MPI_ALLOC_FAILED on memory allocation failure.
1119 */
1120int mbedcrypto_rsa_copy( mbedcrypto_rsa_context *dst, const mbedcrypto_rsa_context *src );
1121
1122/**
1123 * \brief This function frees the components of an RSA key.
1124 *
1125 * \param ctx The RSA Context to free.
1126 */
1127void mbedcrypto_rsa_free( mbedcrypto_rsa_context *ctx );
1128
1129/**
1130 * \brief The RSA checkup routine.
1131 *
1132 * \return \c 0 on success.
1133 * \return \c 1 on failure.
1134 */
1135int mbedcrypto_rsa_self_test( int verbose );
1136
1137#ifdef __cplusplus
1138}
1139#endif
1140
1141#endif /* rsa.h */