1 | /**
|
---|
2 | * \file rsa.h
|
---|
3 | *
|
---|
4 | * \brief This file provides an API for the RSA public-key cryptosystem.
|
---|
5 | *
|
---|
6 | * The RSA public-key cryptosystem is defined in <em>Public-Key
|
---|
7 | * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
|
---|
8 | * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
|
---|
9 | * RSA Cryptography Specifications</em>.
|
---|
10 | *
|
---|
11 | */
|
---|
12 | /*
|
---|
13 | * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
|
---|
14 | * SPDX-License-Identifier: Apache-2.0
|
---|
15 | *
|
---|
16 | * Licensed under the Apache License, Version 2.0 (the "License"); you may
|
---|
17 | * not use this file except in compliance with the License.
|
---|
18 | * You may obtain a copy of the License at
|
---|
19 | *
|
---|
20 | * http://www.apache.org/licenses/LICENSE-2.0
|
---|
21 | *
|
---|
22 | * Unless required by applicable law or agreed to in writing, software
|
---|
23 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
---|
24 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
---|
25 | * See the License for the specific language governing permissions and
|
---|
26 | * limitations under the License.
|
---|
27 | *
|
---|
28 | * This file is part of Mbed TLS (https://tls.mbed.org)
|
---|
29 | */
|
---|
30 | #ifndef MBEDTLS_RSA_H
|
---|
31 | #define MBEDTLS_RSA_H
|
---|
32 |
|
---|
33 | #if !defined(MBEDTLS_CONFIG_FILE)
|
---|
34 | #include "config.h"
|
---|
35 | #else
|
---|
36 | #include MBEDTLS_CONFIG_FILE
|
---|
37 | #endif
|
---|
38 |
|
---|
39 | #include "bignum.h"
|
---|
40 | #include "md.h"
|
---|
41 |
|
---|
42 | #if defined(MBEDTLS_THREADING_C)
|
---|
43 | #include "threading.h"
|
---|
44 | #endif
|
---|
45 |
|
---|
46 | /*
|
---|
47 | * RSA Error codes
|
---|
48 | */
|
---|
49 | #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
|
---|
50 | #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
|
---|
51 | #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
|
---|
52 | #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the validity check of the library. */
|
---|
53 | #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
|
---|
54 | #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
|
---|
55 | #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
|
---|
56 | #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
|
---|
57 | #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
|
---|
58 |
|
---|
59 | /* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
|
---|
60 | */
|
---|
61 | #define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
|
---|
62 |
|
---|
63 | /* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
|
---|
64 | #define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED -0x4580 /**< RSA hardware accelerator failed. */
|
---|
65 |
|
---|
66 | /*
|
---|
67 | * RSA constants
|
---|
68 | */
|
---|
69 | #define MBEDTLS_RSA_PUBLIC 0 /**< Request private key operation. */
|
---|
70 | #define MBEDTLS_RSA_PRIVATE 1 /**< Request public key operation. */
|
---|
71 |
|
---|
72 | #define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */
|
---|
73 | #define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */
|
---|
74 |
|
---|
75 | #define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */
|
---|
76 | #define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */
|
---|
77 |
|
---|
78 | #define MBEDTLS_RSA_SALT_LEN_ANY -1
|
---|
79 |
|
---|
80 | /*
|
---|
81 | * The above constants may be used even if the RSA module is compile out,
|
---|
82 | * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
|
---|
83 | */
|
---|
84 |
|
---|
85 | #ifdef __cplusplus
|
---|
86 | extern "C" {
|
---|
87 | #endif
|
---|
88 |
|
---|
89 | #if !defined(MBEDTLS_RSA_ALT)
|
---|
90 | // Regular implementation
|
---|
91 | //
|
---|
92 |
|
---|
93 | /**
|
---|
94 | * \brief The RSA context structure.
|
---|
95 | *
|
---|
96 | * \note Direct manipulation of the members of this structure
|
---|
97 | * is deprecated. All manipulation should instead be done through
|
---|
98 | * the public interface functions.
|
---|
99 | */
|
---|
100 | typedef struct mbedtls_rsa_context
|
---|
101 | {
|
---|
102 | int ver; /*!< Always 0.*/
|
---|
103 | size_t len; /*!< The size of \p N in Bytes. */
|
---|
104 |
|
---|
105 | mbedtls_mpi N; /*!< The public modulus. */
|
---|
106 | mbedtls_mpi E; /*!< The public exponent. */
|
---|
107 |
|
---|
108 | mbedtls_mpi D; /*!< The private exponent. */
|
---|
109 | mbedtls_mpi P; /*!< The first prime factor. */
|
---|
110 | mbedtls_mpi Q; /*!< The second prime factor. */
|
---|
111 |
|
---|
112 | mbedtls_mpi DP; /*!< <code>D % (P - 1)</code>. */
|
---|
113 | mbedtls_mpi DQ; /*!< <code>D % (Q - 1)</code>. */
|
---|
114 | mbedtls_mpi QP; /*!< <code>1 / (Q % P)</code>. */
|
---|
115 |
|
---|
116 | mbedtls_mpi RN; /*!< cached <code>R^2 mod N</code>. */
|
---|
117 |
|
---|
118 | mbedtls_mpi RP; /*!< cached <code>R^2 mod P</code>. */
|
---|
119 | mbedtls_mpi RQ; /*!< cached <code>R^2 mod Q</code>. */
|
---|
120 |
|
---|
121 | mbedtls_mpi Vi; /*!< The cached blinding value. */
|
---|
122 | mbedtls_mpi Vf; /*!< The cached un-blinding value. */
|
---|
123 |
|
---|
124 | int padding; /*!< Selects padding mode:
|
---|
125 | #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
|
---|
126 | #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
|
---|
127 | int hash_id; /*!< Hash identifier of mbedtls_md_type_t type,
|
---|
128 | as specified in md.h for use in the MGF
|
---|
129 | mask generating function used in the
|
---|
130 | EME-OAEP and EMSA-PSS encodings. */
|
---|
131 | #if defined(MBEDTLS_THREADING_C)
|
---|
132 | mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex. */
|
---|
133 | #endif
|
---|
134 | }
|
---|
135 | mbedtls_rsa_context;
|
---|
136 |
|
---|
137 | #else /* MBEDTLS_RSA_ALT */
|
---|
138 | #include "rsa_alt.h"
|
---|
139 | #endif /* MBEDTLS_RSA_ALT */
|
---|
140 |
|
---|
141 | /**
|
---|
142 | * \brief This function initializes an RSA context.
|
---|
143 | *
|
---|
144 | * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
|
---|
145 | * encryption scheme and the RSASSA-PSS signature scheme.
|
---|
146 | *
|
---|
147 | * \note The \p hash_id parameter is ignored when using
|
---|
148 | * #MBEDTLS_RSA_PKCS_V15 padding.
|
---|
149 | *
|
---|
150 | * \note The choice of padding mode is strictly enforced for private key
|
---|
151 | * operations, since there might be security concerns in
|
---|
152 | * mixing padding modes. For public key operations it is
|
---|
153 | * a default value, which can be overriden by calling specific
|
---|
154 | * \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
|
---|
155 | *
|
---|
156 | * \note The hash selected in \p hash_id is always used for OEAP
|
---|
157 | * encryption. For PSS signatures, it is always used for
|
---|
158 | * making signatures, but can be overriden for verifying them.
|
---|
159 | * If set to #MBEDTLS_MD_NONE, it is always overriden.
|
---|
160 | *
|
---|
161 | * \param ctx The RSA context to initialize. This must not be \c NULL.
|
---|
162 | * \param padding The padding mode to use. This must be either
|
---|
163 | * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
|
---|
164 | * \param hash_id The hash identifier of ::mbedtls_md_type_t type, if
|
---|
165 | * \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
|
---|
166 | * otherwise.
|
---|
167 | */
|
---|
168 | void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
|
---|
169 | int padding,
|
---|
170 | int hash_id );
|
---|
171 |
|
---|
172 | /**
|
---|
173 | * \brief This function imports a set of core parameters into an
|
---|
174 | * RSA context.
|
---|
175 | *
|
---|
176 | * \note This function can be called multiple times for successive
|
---|
177 | * imports, if the parameters are not simultaneously present.
|
---|
178 | *
|
---|
179 | * Any sequence of calls to this function should be followed
|
---|
180 | * by a call to mbedtls_rsa_complete(), which checks and
|
---|
181 | * completes the provided information to a ready-for-use
|
---|
182 | * public or private RSA key.
|
---|
183 | *
|
---|
184 | * \note See mbedtls_rsa_complete() for more information on which
|
---|
185 | * parameters are necessary to set up a private or public
|
---|
186 | * RSA key.
|
---|
187 | *
|
---|
188 | * \note The imported parameters are copied and need not be preserved
|
---|
189 | * for the lifetime of the RSA context being set up.
|
---|
190 | *
|
---|
191 | * \param ctx The initialized RSA context to store the parameters in.
|
---|
192 | * \param N The RSA modulus. This may be \c NULL.
|
---|
193 | * \param P The first prime factor of \p N. This may be \c NULL.
|
---|
194 | * \param Q The second prime factor of \p N. This may be \c NULL.
|
---|
195 | * \param D The private exponent. This may be \c NULL.
|
---|
196 | * \param E The public exponent. This may be \c NULL.
|
---|
197 | *
|
---|
198 | * \return \c 0 on success.
|
---|
199 | * \return A non-zero error code on failure.
|
---|
200 | */
|
---|
201 | int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
|
---|
202 | const mbedtls_mpi *N,
|
---|
203 | const mbedtls_mpi *P, const mbedtls_mpi *Q,
|
---|
204 | const mbedtls_mpi *D, const mbedtls_mpi *E );
|
---|
205 |
|
---|
206 | /**
|
---|
207 | * \brief This function imports core RSA parameters, in raw big-endian
|
---|
208 | * binary format, into an RSA context.
|
---|
209 | *
|
---|
210 | * \note This function can be called multiple times for successive
|
---|
211 | * imports, if the parameters are not simultaneously present.
|
---|
212 | *
|
---|
213 | * Any sequence of calls to this function should be followed
|
---|
214 | * by a call to mbedtls_rsa_complete(), which checks and
|
---|
215 | * completes the provided information to a ready-for-use
|
---|
216 | * public or private RSA key.
|
---|
217 | *
|
---|
218 | * \note See mbedtls_rsa_complete() for more information on which
|
---|
219 | * parameters are necessary to set up a private or public
|
---|
220 | * RSA key.
|
---|
221 | *
|
---|
222 | * \note The imported parameters are copied and need not be preserved
|
---|
223 | * for the lifetime of the RSA context being set up.
|
---|
224 | *
|
---|
225 | * \param ctx The initialized RSA context to store the parameters in.
|
---|
226 | * \param N The RSA modulus. This may be \c NULL.
|
---|
227 | * \param N_len The Byte length of \p N; it is ignored if \p N == NULL.
|
---|
228 | * \param P The first prime factor of \p N. This may be \c NULL.
|
---|
229 | * \param P_len The Byte length of \p P; it ns ignored if \p P == NULL.
|
---|
230 | * \param Q The second prime factor of \p N. This may be \c NULL.
|
---|
231 | * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL.
|
---|
232 | * \param D The private exponent. This may be \c NULL.
|
---|
233 | * \param D_len The Byte length of \p D; it is ignored if \p D == NULL.
|
---|
234 | * \param E The public exponent. This may be \c NULL.
|
---|
235 | * \param E_len The Byte length of \p E; it is ignored if \p E == NULL.
|
---|
236 | *
|
---|
237 | * \return \c 0 on success.
|
---|
238 | * \return A non-zero error code on failure.
|
---|
239 | */
|
---|
240 | int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
|
---|
241 | unsigned char const *N, size_t N_len,
|
---|
242 | unsigned char const *P, size_t P_len,
|
---|
243 | unsigned char const *Q, size_t Q_len,
|
---|
244 | unsigned char const *D, size_t D_len,
|
---|
245 | unsigned char const *E, size_t E_len );
|
---|
246 |
|
---|
247 | /**
|
---|
248 | * \brief This function completes an RSA context from
|
---|
249 | * a set of imported core parameters.
|
---|
250 | *
|
---|
251 | * To setup an RSA public key, precisely \p N and \p E
|
---|
252 | * must have been imported.
|
---|
253 | *
|
---|
254 | * To setup an RSA private key, sufficient information must
|
---|
255 | * be present for the other parameters to be derivable.
|
---|
256 | *
|
---|
257 | * The default implementation supports the following:
|
---|
258 | * <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li>
|
---|
259 | * <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul>
|
---|
260 | * Alternative implementations need not support these.
|
---|
261 | *
|
---|
262 | * If this function runs successfully, it guarantees that
|
---|
263 | * the RSA context can be used for RSA operations without
|
---|
264 | * the risk of failure or crash.
|
---|
265 | *
|
---|
266 | * \warning This function need not perform consistency checks
|
---|
267 | * for the imported parameters. In particular, parameters that
|
---|
268 | * are not needed by the implementation might be silently
|
---|
269 | * discarded and left unchecked. To check the consistency
|
---|
270 | * of the key material, see mbedtls_rsa_check_privkey().
|
---|
271 | *
|
---|
272 | * \param ctx The initialized RSA context holding imported parameters.
|
---|
273 | *
|
---|
274 | * \return \c 0 on success.
|
---|
275 | * \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
|
---|
276 | * failed.
|
---|
277 | *
|
---|
278 | */
|
---|
279 | int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
|
---|
280 |
|
---|
281 | /**
|
---|
282 | * \brief This function exports the core parameters of an RSA key.
|
---|
283 | *
|
---|
284 | * If this function runs successfully, the non-NULL buffers
|
---|
285 | * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
|
---|
286 | * written, with additional unused space filled leading by
|
---|
287 | * zero Bytes.
|
---|
288 | *
|
---|
289 | * Possible reasons for returning
|
---|
290 | * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
|
---|
291 | * <li>An alternative RSA implementation is in use, which
|
---|
292 | * stores the key externally, and either cannot or should
|
---|
293 | * not export it into RAM.</li>
|
---|
294 | * <li>A SW or HW implementation might not support a certain
|
---|
295 | * deduction. For example, \p P, \p Q from \p N, \p D,
|
---|
296 | * and \p E if the former are not part of the
|
---|
297 | * implementation.</li></ul>
|
---|
298 | *
|
---|
299 | * If the function fails due to an unsupported operation,
|
---|
300 | * the RSA context stays intact and remains usable.
|
---|
301 | *
|
---|
302 | * \param ctx The initialized RSA context.
|
---|
303 | * \param N The MPI to hold the RSA modulus.
|
---|
304 | * This may be \c NULL if this field need not be exported.
|
---|
305 | * \param P The MPI to hold the first prime factor of \p N.
|
---|
306 | * This may be \c NULL if this field need not be exported.
|
---|
307 | * \param Q The MPI to hold the second prime factor of \p N.
|
---|
308 | * This may be \c NULL if this field need not be exported.
|
---|
309 | * \param D The MPI to hold the private exponent.
|
---|
310 | * This may be \c NULL if this field need not be exported.
|
---|
311 | * \param E The MPI to hold the public exponent.
|
---|
312 | * This may be \c NULL if this field need not be exported.
|
---|
313 | *
|
---|
314 | * \return \c 0 on success.
|
---|
315 | * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
|
---|
316 | * requested parameters cannot be done due to missing
|
---|
317 | * functionality or because of security policies.
|
---|
318 | * \return A non-zero return code on any other failure.
|
---|
319 | *
|
---|
320 | */
|
---|
321 | int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
|
---|
322 | mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
|
---|
323 | mbedtls_mpi *D, mbedtls_mpi *E );
|
---|
324 |
|
---|
325 | /**
|
---|
326 | * \brief This function exports core parameters of an RSA key
|
---|
327 | * in raw big-endian binary format.
|
---|
328 | *
|
---|
329 | * If this function runs successfully, the non-NULL buffers
|
---|
330 | * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
|
---|
331 | * written, with additional unused space filled leading by
|
---|
332 | * zero Bytes.
|
---|
333 | *
|
---|
334 | * Possible reasons for returning
|
---|
335 | * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
|
---|
336 | * <li>An alternative RSA implementation is in use, which
|
---|
337 | * stores the key externally, and either cannot or should
|
---|
338 | * not export it into RAM.</li>
|
---|
339 | * <li>A SW or HW implementation might not support a certain
|
---|
340 | * deduction. For example, \p P, \p Q from \p N, \p D,
|
---|
341 | * and \p E if the former are not part of the
|
---|
342 | * implementation.</li></ul>
|
---|
343 | * If the function fails due to an unsupported operation,
|
---|
344 | * the RSA context stays intact and remains usable.
|
---|
345 | *
|
---|
346 | * \note The length parameters are ignored if the corresponding
|
---|
347 | * buffer pointers are NULL.
|
---|
348 | *
|
---|
349 | * \param ctx The initialized RSA context.
|
---|
350 | * \param N The Byte array to store the RSA modulus,
|
---|
351 | * or \c NULL if this field need not be exported.
|
---|
352 | * \param N_len The size of the buffer for the modulus.
|
---|
353 | * \param P The Byte array to hold the first prime factor of \p N,
|
---|
354 | * or \c NULL if this field need not be exported.
|
---|
355 | * \param P_len The size of the buffer for the first prime factor.
|
---|
356 | * \param Q The Byte array to hold the second prime factor of \p N,
|
---|
357 | * or \c NULL if this field need not be exported.
|
---|
358 | * \param Q_len The size of the buffer for the second prime factor.
|
---|
359 | * \param D The Byte array to hold the private exponent,
|
---|
360 | * or \c NULL if this field need not be exported.
|
---|
361 | * \param D_len The size of the buffer for the private exponent.
|
---|
362 | * \param E The Byte array to hold the public exponent,
|
---|
363 | * or \c NULL if this field need not be exported.
|
---|
364 | * \param E_len The size of the buffer for the public exponent.
|
---|
365 | *
|
---|
366 | * \return \c 0 on success.
|
---|
367 | * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
|
---|
368 | * requested parameters cannot be done due to missing
|
---|
369 | * functionality or because of security policies.
|
---|
370 | * \return A non-zero return code on any other failure.
|
---|
371 | */
|
---|
372 | int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
|
---|
373 | unsigned char *N, size_t N_len,
|
---|
374 | unsigned char *P, size_t P_len,
|
---|
375 | unsigned char *Q, size_t Q_len,
|
---|
376 | unsigned char *D, size_t D_len,
|
---|
377 | unsigned char *E, size_t E_len );
|
---|
378 |
|
---|
379 | /**
|
---|
380 | * \brief This function exports CRT parameters of a private RSA key.
|
---|
381 | *
|
---|
382 | * \note Alternative RSA implementations not using CRT-parameters
|
---|
383 | * internally can implement this function based on
|
---|
384 | * mbedtls_rsa_deduce_opt().
|
---|
385 | *
|
---|
386 | * \param ctx The initialized RSA context.
|
---|
387 | * \param DP The MPI to hold \c D modulo `P-1`,
|
---|
388 | * or \c NULL if it need not be exported.
|
---|
389 | * \param DQ The MPI to hold \c D modulo `Q-1`,
|
---|
390 | * or \c NULL if it need not be exported.
|
---|
391 | * \param QP The MPI to hold modular inverse of \c Q modulo \c P,
|
---|
392 | * or \c NULL if it need not be exported.
|
---|
393 | *
|
---|
394 | * \return \c 0 on success.
|
---|
395 | * \return A non-zero error code on failure.
|
---|
396 | *
|
---|
397 | */
|
---|
398 | int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
|
---|
399 | mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP );
|
---|
400 |
|
---|
401 | /**
|
---|
402 | * \brief This function sets padding for an already initialized RSA
|
---|
403 | * context. See mbedtls_rsa_init() for details.
|
---|
404 | *
|
---|
405 | * \param ctx The initialized RSA context to be configured.
|
---|
406 | * \param padding The padding mode to use. This must be either
|
---|
407 | * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
|
---|
408 | * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier.
|
---|
409 | */
|
---|
410 | void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
|
---|
411 | int hash_id );
|
---|
412 |
|
---|
413 | /**
|
---|
414 | * \brief This function retrieves the length of RSA modulus in Bytes.
|
---|
415 | *
|
---|
416 | * \param ctx The initialized RSA context.
|
---|
417 | *
|
---|
418 | * \return The length of the RSA modulus in Bytes.
|
---|
419 | *
|
---|
420 | */
|
---|
421 | size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
|
---|
422 |
|
---|
423 | /**
|
---|
424 | * \brief This function generates an RSA keypair.
|
---|
425 | *
|
---|
426 | * \note mbedtls_rsa_init() must be called before this function,
|
---|
427 | * to set up the RSA context.
|
---|
428 | *
|
---|
429 | * \param ctx The initialized RSA context used to hold the key.
|
---|
430 | * \param f_rng The RNG function to be used for key generation.
|
---|
431 | * This must not be \c NULL.
|
---|
432 | * \param p_rng The RNG context to be passed to \p f_rng.
|
---|
433 | * This may be \c NULL if \p f_rng doesn't need a context.
|
---|
434 | * \param nbits The size of the public key in bits.
|
---|
435 | * \param exponent The public exponent to use. For example, \c 65537.
|
---|
436 | * This must be odd and greater than \c 1.
|
---|
437 | *
|
---|
438 | * \return \c 0 on success.
|
---|
439 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
440 | */
|
---|
441 | int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
|
---|
442 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
443 | void *p_rng,
|
---|
444 | unsigned int nbits, int exponent );
|
---|
445 |
|
---|
446 | /**
|
---|
447 | * \brief This function checks if a context contains at least an RSA
|
---|
448 | * public key.
|
---|
449 | *
|
---|
450 | * If the function runs successfully, it is guaranteed that
|
---|
451 | * enough information is present to perform an RSA public key
|
---|
452 | * operation using mbedtls_rsa_public().
|
---|
453 | *
|
---|
454 | * \param ctx The initialized RSA context to check.
|
---|
455 | *
|
---|
456 | * \return \c 0 on success.
|
---|
457 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
458 | *
|
---|
459 | */
|
---|
460 | int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
|
---|
461 |
|
---|
462 | /**
|
---|
463 | * \brief This function checks if a context contains an RSA private key
|
---|
464 | * and perform basic consistency checks.
|
---|
465 | *
|
---|
466 | * \note The consistency checks performed by this function not only
|
---|
467 | * ensure that mbedtls_rsa_private() can be called successfully
|
---|
468 | * on the given context, but that the various parameters are
|
---|
469 | * mutually consistent with high probability, in the sense that
|
---|
470 | * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
|
---|
471 | *
|
---|
472 | * \warning This function should catch accidental misconfigurations
|
---|
473 | * like swapping of parameters, but it cannot establish full
|
---|
474 | * trust in neither the quality nor the consistency of the key
|
---|
475 | * material that was used to setup the given RSA context:
|
---|
476 | * <ul><li>Consistency: Imported parameters that are irrelevant
|
---|
477 | * for the implementation might be silently dropped. If dropped,
|
---|
478 | * the current function does not have access to them,
|
---|
479 | * and therefore cannot check them. See mbedtls_rsa_complete().
|
---|
480 | * If you want to check the consistency of the entire
|
---|
481 | * content of an PKCS1-encoded RSA private key, for example, you
|
---|
482 | * should use mbedtls_rsa_validate_params() before setting
|
---|
483 | * up the RSA context.
|
---|
484 | * Additionally, if the implementation performs empirical checks,
|
---|
485 | * these checks substantiate but do not guarantee consistency.</li>
|
---|
486 | * <li>Quality: This function is not expected to perform
|
---|
487 | * extended quality assessments like checking that the prime
|
---|
488 | * factors are safe. Additionally, it is the responsibility of the
|
---|
489 | * user to ensure the trustworthiness of the source of his RSA
|
---|
490 | * parameters, which goes beyond what is effectively checkable
|
---|
491 | * by the library.</li></ul>
|
---|
492 | *
|
---|
493 | * \param ctx The initialized RSA context to check.
|
---|
494 | *
|
---|
495 | * \return \c 0 on success.
|
---|
496 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
497 | */
|
---|
498 | int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
|
---|
499 |
|
---|
500 | /**
|
---|
501 | * \brief This function checks a public-private RSA key pair.
|
---|
502 | *
|
---|
503 | * It checks each of the contexts, and makes sure they match.
|
---|
504 | *
|
---|
505 | * \param pub The initialized RSA context holding the public key.
|
---|
506 | * \param prv The initialized RSA context holding the private key.
|
---|
507 | *
|
---|
508 | * \return \c 0 on success.
|
---|
509 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
510 | */
|
---|
511 | int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
|
---|
512 | const mbedtls_rsa_context *prv );
|
---|
513 |
|
---|
514 | /**
|
---|
515 | * \brief This function performs an RSA public key operation.
|
---|
516 | *
|
---|
517 | * \param ctx The initialized RSA context to use.
|
---|
518 | * \param input The input buffer. This must be a readable buffer
|
---|
519 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
520 | * for an 2048-bit RSA modulus.
|
---|
521 | * \param output The output buffer. This must be a writable buffer
|
---|
522 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
523 | * for an 2048-bit RSA modulus.
|
---|
524 | *
|
---|
525 | * \note This function does not handle message padding.
|
---|
526 | *
|
---|
527 | * \note Make sure to set \p input[0] = 0 or ensure that
|
---|
528 | * input is smaller than \p N.
|
---|
529 | *
|
---|
530 | * \return \c 0 on success.
|
---|
531 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
532 | */
|
---|
533 | int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
|
---|
534 | const unsigned char *input,
|
---|
535 | unsigned char *output );
|
---|
536 |
|
---|
537 | /**
|
---|
538 | * \brief This function performs an RSA private key operation.
|
---|
539 | *
|
---|
540 | * \note Blinding is used if and only if a PRNG is provided.
|
---|
541 | *
|
---|
542 | * \note If blinding is used, both the base of exponentation
|
---|
543 | * and the exponent are blinded, providing protection
|
---|
544 | * against some side-channel attacks.
|
---|
545 | *
|
---|
546 | * \warning It is deprecated and a security risk to not provide
|
---|
547 | * a PRNG here and thereby prevent the use of blinding.
|
---|
548 | * Future versions of the library may enforce the presence
|
---|
549 | * of a PRNG.
|
---|
550 | *
|
---|
551 | * \param ctx The initialized RSA context to use.
|
---|
552 | * \param f_rng The RNG function, used for blinding. It is discouraged
|
---|
553 | * and deprecated to pass \c NULL here, in which case
|
---|
554 | * blinding will be omitted.
|
---|
555 | * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL
|
---|
556 | * if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
|
---|
557 | * \param input The input buffer. This must be a readable buffer
|
---|
558 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
559 | * for an 2048-bit RSA modulus.
|
---|
560 | * \param output The output buffer. This must be a writable buffer
|
---|
561 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
562 | * for an 2048-bit RSA modulus.
|
---|
563 | *
|
---|
564 | * \return \c 0 on success.
|
---|
565 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
566 | *
|
---|
567 | */
|
---|
568 | int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
---|
569 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
570 | void *p_rng,
|
---|
571 | const unsigned char *input,
|
---|
572 | unsigned char *output );
|
---|
573 |
|
---|
574 | /**
|
---|
575 | * \brief This function adds the message padding, then performs an RSA
|
---|
576 | * operation.
|
---|
577 | *
|
---|
578 | * It is the generic wrapper for performing a PKCS#1 encryption
|
---|
579 | * operation using the \p mode from the context.
|
---|
580 | *
|
---|
581 | * \deprecated It is deprecated and discouraged to call this function
|
---|
582 | * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
|
---|
583 | * are likely to remove the \p mode argument and have it
|
---|
584 | * implicitly set to #MBEDTLS_RSA_PUBLIC.
|
---|
585 | *
|
---|
586 | * \note Alternative implementations of RSA need not support
|
---|
587 | * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
|
---|
588 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
589 | *
|
---|
590 | * \param ctx The initialized RSA context to use.
|
---|
591 | * \param f_rng The RNG to use. It is mandatory for PKCS#1 v2.1 padding
|
---|
592 | * encoding, and for PKCS#1 v1.5 padding encoding when used
|
---|
593 | * with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
|
---|
594 | * padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
|
---|
595 | * it is used for blinding and should be provided in this
|
---|
596 | * case; see mbedtls_rsa_private() for more.
|
---|
597 | * \param p_rng The RNG context to be passed to \p f_rng. May be
|
---|
598 | * \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
|
---|
599 | * need a context argument.
|
---|
600 | * \param mode The mode of operation. This must be either
|
---|
601 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
|
---|
602 | * \param ilen The length of the plaintext in Bytes.
|
---|
603 | * \param input The input data to encrypt. This must be a readable
|
---|
604 | * buffer of size \p ilen Bytes. This must not be \c NULL.
|
---|
605 | * \param output The output buffer. This must be a writable buffer
|
---|
606 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
607 | * for an 2048-bit RSA modulus.
|
---|
608 | *
|
---|
609 | * \return \c 0 on success.
|
---|
610 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
611 | */
|
---|
612 | int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
|
---|
613 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
614 | void *p_rng,
|
---|
615 | int mode, size_t ilen,
|
---|
616 | const unsigned char *input,
|
---|
617 | unsigned char *output );
|
---|
618 |
|
---|
619 | /**
|
---|
620 | * \brief This function performs a PKCS#1 v1.5 encryption operation
|
---|
621 | * (RSAES-PKCS1-v1_5-ENCRYPT).
|
---|
622 | *
|
---|
623 | * \deprecated It is deprecated and discouraged to call this function
|
---|
624 | * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
|
---|
625 | * are likely to remove the \p mode argument and have it
|
---|
626 | * implicitly set to #MBEDTLS_RSA_PUBLIC.
|
---|
627 | *
|
---|
628 | * \note Alternative implementations of RSA need not support
|
---|
629 | * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
|
---|
630 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
631 | *
|
---|
632 | * \param ctx The initialized RSA context to use.
|
---|
633 | * \param f_rng The RNG function to use. It is needed for padding generation
|
---|
634 | * if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
|
---|
635 | * #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
|
---|
636 | * blinding and should be provided; see mbedtls_rsa_private().
|
---|
637 | * \param p_rng The RNG context to be passed to \p f_rng. This may
|
---|
638 | * be \c NULL if \p f_rng is \c NULL or if \p f_rng
|
---|
639 | * doesn't need a context argument.
|
---|
640 | * \param mode The mode of operation. This must be either
|
---|
641 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
|
---|
642 | * \param ilen The length of the plaintext in Bytes.
|
---|
643 | * \param input The input data to encrypt. This must be a readable
|
---|
644 | * buffer of size \p ilen Bytes. This must not be \c NULL.
|
---|
645 | * \param output The output buffer. This must be a writable buffer
|
---|
646 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
647 | * for an 2048-bit RSA modulus.
|
---|
648 | *
|
---|
649 | * \return \c 0 on success.
|
---|
650 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
651 | */
|
---|
652 | int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
|
---|
653 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
654 | void *p_rng,
|
---|
655 | int mode, size_t ilen,
|
---|
656 | const unsigned char *input,
|
---|
657 | unsigned char *output );
|
---|
658 |
|
---|
659 | /**
|
---|
660 | * \brief This function performs a PKCS#1 v2.1 OAEP encryption
|
---|
661 | * operation (RSAES-OAEP-ENCRYPT).
|
---|
662 | *
|
---|
663 | * \note The output buffer must be as large as the size
|
---|
664 | * of ctx->N. For example, 128 Bytes if RSA-1024 is used.
|
---|
665 | *
|
---|
666 | * \deprecated It is deprecated and discouraged to call this function
|
---|
667 | * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
|
---|
668 | * are likely to remove the \p mode argument and have it
|
---|
669 | * implicitly set to #MBEDTLS_RSA_PUBLIC.
|
---|
670 | *
|
---|
671 | * \note Alternative implementations of RSA need not support
|
---|
672 | * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
|
---|
673 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
674 | *
|
---|
675 | * \param ctx The initnialized RSA context to use.
|
---|
676 | * \param f_rng The RNG function to use. This is needed for padding
|
---|
677 | * generation and must be provided.
|
---|
678 | * \param p_rng The RNG context to be passed to \p f_rng. This may
|
---|
679 | * be \c NULL if \p f_rng doesn't need a context argument.
|
---|
680 | * \param mode The mode of operation. This must be either
|
---|
681 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
|
---|
682 | * \param label The buffer holding the custom label to use.
|
---|
683 | * This must be a readable buffer of length \p label_len
|
---|
684 | * Bytes. It may be \c NULL if \p label_len is \c 0.
|
---|
685 | * \param label_len The length of the label in Bytes.
|
---|
686 | * \param ilen The length of the plaintext buffer \p input in Bytes.
|
---|
687 | * \param input The input data to encrypt. This must be a readable
|
---|
688 | * buffer of size \p ilen Bytes. This must not be \c NULL.
|
---|
689 | * \param output The output buffer. This must be a writable buffer
|
---|
690 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
691 | * for an 2048-bit RSA modulus.
|
---|
692 | *
|
---|
693 | * \return \c 0 on success.
|
---|
694 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
695 | */
|
---|
696 | int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
|
---|
697 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
698 | void *p_rng,
|
---|
699 | int mode,
|
---|
700 | const unsigned char *label, size_t label_len,
|
---|
701 | size_t ilen,
|
---|
702 | const unsigned char *input,
|
---|
703 | unsigned char *output );
|
---|
704 |
|
---|
705 | /**
|
---|
706 | * \brief This function performs an RSA operation, then removes the
|
---|
707 | * message padding.
|
---|
708 | *
|
---|
709 | * It is the generic wrapper for performing a PKCS#1 decryption
|
---|
710 | * operation using the \p mode from the context.
|
---|
711 | *
|
---|
712 | * \note The output buffer length \c output_max_len should be
|
---|
713 | * as large as the size \p ctx->len of \p ctx->N (for example,
|
---|
714 | * 128 Bytes if RSA-1024 is used) to be able to hold an
|
---|
715 | * arbitrary decrypted message. If it is not large enough to
|
---|
716 | * hold the decryption of the particular ciphertext provided,
|
---|
717 | * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
|
---|
718 | *
|
---|
719 | * \deprecated It is deprecated and discouraged to call this function
|
---|
720 | * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
|
---|
721 | * are likely to remove the \p mode argument and have it
|
---|
722 | * implicitly set to #MBEDTLS_RSA_PRIVATE.
|
---|
723 | *
|
---|
724 | * \note Alternative implementations of RSA need not support
|
---|
725 | * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
|
---|
726 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
727 | *
|
---|
728 | * \param ctx The initialized RSA context to use.
|
---|
729 | * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
730 | * this is used for blinding and should be provided; see
|
---|
731 | * mbedtls_rsa_private() for more. If \p mode is
|
---|
732 | * #MBEDTLS_RSA_PUBLIC, it is ignored.
|
---|
733 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
734 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
735 | * \param mode The mode of operation. This must be either
|
---|
736 | * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
|
---|
737 | * \param olen The address at which to store the length of
|
---|
738 | * the plaintext. This must not be \c NULL.
|
---|
739 | * \param input The ciphertext buffer. This must be a readable buffer
|
---|
740 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
741 | * for an 2048-bit RSA modulus.
|
---|
742 | * \param output The buffer used to hold the plaintext. This must
|
---|
743 | * be a writable buffer of length \p output_max_len Bytes.
|
---|
744 | * \param output_max_len The length in Bytes of the output buffer \p output.
|
---|
745 | *
|
---|
746 | * \return \c 0 on success.
|
---|
747 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
748 | */
|
---|
749 | int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
|
---|
750 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
751 | void *p_rng,
|
---|
752 | int mode, size_t *olen,
|
---|
753 | const unsigned char *input,
|
---|
754 | unsigned char *output,
|
---|
755 | size_t output_max_len );
|
---|
756 |
|
---|
757 | /**
|
---|
758 | * \brief This function performs a PKCS#1 v1.5 decryption
|
---|
759 | * operation (RSAES-PKCS1-v1_5-DECRYPT).
|
---|
760 | *
|
---|
761 | * \note The output buffer length \c output_max_len should be
|
---|
762 | * as large as the size \p ctx->len of \p ctx->N, for example,
|
---|
763 | * 128 Bytes if RSA-1024 is used, to be able to hold an
|
---|
764 | * arbitrary decrypted message. If it is not large enough to
|
---|
765 | * hold the decryption of the particular ciphertext provided,
|
---|
766 | * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
|
---|
767 | *
|
---|
768 | * \deprecated It is deprecated and discouraged to call this function
|
---|
769 | * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
|
---|
770 | * are likely to remove the \p mode argument and have it
|
---|
771 | * implicitly set to #MBEDTLS_RSA_PRIVATE.
|
---|
772 | *
|
---|
773 | * \note Alternative implementations of RSA need not support
|
---|
774 | * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
|
---|
775 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
776 | *
|
---|
777 | * \param ctx The initialized RSA context to use.
|
---|
778 | * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
779 | * this is used for blinding and should be provided; see
|
---|
780 | * mbedtls_rsa_private() for more. If \p mode is
|
---|
781 | * #MBEDTLS_RSA_PUBLIC, it is ignored.
|
---|
782 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
783 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
784 | * \param mode The mode of operation. This must be either
|
---|
785 | * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
|
---|
786 | * \param olen The address at which to store the length of
|
---|
787 | * the plaintext. This must not be \c NULL.
|
---|
788 | * \param input The ciphertext buffer. This must be a readable buffer
|
---|
789 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
790 | * for an 2048-bit RSA modulus.
|
---|
791 | * \param output The buffer used to hold the plaintext. This must
|
---|
792 | * be a writable buffer of length \p output_max_len Bytes.
|
---|
793 | * \param output_max_len The length in Bytes of the output buffer \p output.
|
---|
794 | *
|
---|
795 | * \return \c 0 on success.
|
---|
796 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
797 | *
|
---|
798 | */
|
---|
799 | int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
---|
800 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
801 | void *p_rng,
|
---|
802 | int mode, size_t *olen,
|
---|
803 | const unsigned char *input,
|
---|
804 | unsigned char *output,
|
---|
805 | size_t output_max_len );
|
---|
806 |
|
---|
807 | /**
|
---|
808 | * \brief This function performs a PKCS#1 v2.1 OAEP decryption
|
---|
809 | * operation (RSAES-OAEP-DECRYPT).
|
---|
810 | *
|
---|
811 | * \note The output buffer length \c output_max_len should be
|
---|
812 | * as large as the size \p ctx->len of \p ctx->N, for
|
---|
813 | * example, 128 Bytes if RSA-1024 is used, to be able to
|
---|
814 | * hold an arbitrary decrypted message. If it is not
|
---|
815 | * large enough to hold the decryption of the particular
|
---|
816 | * ciphertext provided, the function returns
|
---|
817 | * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
|
---|
818 | *
|
---|
819 | * \deprecated It is deprecated and discouraged to call this function
|
---|
820 | * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
|
---|
821 | * are likely to remove the \p mode argument and have it
|
---|
822 | * implicitly set to #MBEDTLS_RSA_PRIVATE.
|
---|
823 | *
|
---|
824 | * \note Alternative implementations of RSA need not support
|
---|
825 | * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
|
---|
826 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
827 | *
|
---|
828 | * \param ctx The initialized RSA context to use.
|
---|
829 | * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
830 | * this is used for blinding and should be provided; see
|
---|
831 | * mbedtls_rsa_private() for more. If \p mode is
|
---|
832 | * #MBEDTLS_RSA_PUBLIC, it is ignored.
|
---|
833 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
834 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
835 | * \param mode The mode of operation. This must be either
|
---|
836 | * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
|
---|
837 | * \param label The buffer holding the custom label to use.
|
---|
838 | * This must be a readable buffer of length \p label_len
|
---|
839 | * Bytes. It may be \c NULL if \p label_len is \c 0.
|
---|
840 | * \param label_len The length of the label in Bytes.
|
---|
841 | * \param olen The address at which to store the length of
|
---|
842 | * the plaintext. This must not be \c NULL.
|
---|
843 | * \param input The ciphertext buffer. This must be a readable buffer
|
---|
844 | * of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
845 | * for an 2048-bit RSA modulus.
|
---|
846 | * \param output The buffer used to hold the plaintext. This must
|
---|
847 | * be a writable buffer of length \p output_max_len Bytes.
|
---|
848 | * \param output_max_len The length in Bytes of the output buffer \p output.
|
---|
849 | *
|
---|
850 | * \return \c 0 on success.
|
---|
851 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
852 | */
|
---|
853 | int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
|
---|
854 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
855 | void *p_rng,
|
---|
856 | int mode,
|
---|
857 | const unsigned char *label, size_t label_len,
|
---|
858 | size_t *olen,
|
---|
859 | const unsigned char *input,
|
---|
860 | unsigned char *output,
|
---|
861 | size_t output_max_len );
|
---|
862 |
|
---|
863 | /**
|
---|
864 | * \brief This function performs a private RSA operation to sign
|
---|
865 | * a message digest using PKCS#1.
|
---|
866 | *
|
---|
867 | * It is the generic wrapper for performing a PKCS#1
|
---|
868 | * signature using the \p mode from the context.
|
---|
869 | *
|
---|
870 | * \note The \p sig buffer must be as large as the size
|
---|
871 | * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
|
---|
872 | *
|
---|
873 | * \note For PKCS#1 v2.1 encoding, see comments on
|
---|
874 | * mbedtls_rsa_rsassa_pss_sign() for details on
|
---|
875 | * \p md_alg and \p hash_id.
|
---|
876 | *
|
---|
877 | * \deprecated It is deprecated and discouraged to call this function
|
---|
878 | * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
|
---|
879 | * are likely to remove the \p mode argument and have it
|
---|
880 | * implicitly set to #MBEDTLS_RSA_PRIVATE.
|
---|
881 | *
|
---|
882 | * \note Alternative implementations of RSA need not support
|
---|
883 | * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
|
---|
884 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
885 | *
|
---|
886 | * \param ctx The initialized RSA context to use.
|
---|
887 | * \param f_rng The RNG function to use. If the padding mode is PKCS#1 v2.1,
|
---|
888 | * this must be provided. If the padding mode is PKCS#1 v1.5 and
|
---|
889 | * \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
|
---|
890 | * and should be provided; see mbedtls_rsa_private() for more
|
---|
891 | * more. It is ignored otherwise.
|
---|
892 | * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
|
---|
893 | * if \p f_rng is \c NULL or doesn't need a context argument.
|
---|
894 | * \param mode The mode of operation. This must be either
|
---|
895 | * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
|
---|
896 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
897 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
898 | * \param hashlen The length of the message digest.
|
---|
899 | * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
900 | * \param hash The buffer holding the message digest or raw data.
|
---|
901 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
902 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
903 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
904 | * the size of the hash corresponding to \p md_alg.
|
---|
905 | * \param sig The buffer to hold the signature. This must be a writable
|
---|
906 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
907 | * for an 2048-bit RSA modulus.
|
---|
908 | *
|
---|
909 | * \return \c 0 if the signing operation was successful.
|
---|
910 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
911 | */
|
---|
912 | int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
|
---|
913 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
914 | void *p_rng,
|
---|
915 | int mode,
|
---|
916 | mbedtls_md_type_t md_alg,
|
---|
917 | unsigned int hashlen,
|
---|
918 | const unsigned char *hash,
|
---|
919 | unsigned char *sig );
|
---|
920 |
|
---|
921 | /**
|
---|
922 | * \brief This function performs a PKCS#1 v1.5 signature
|
---|
923 | * operation (RSASSA-PKCS1-v1_5-SIGN).
|
---|
924 | *
|
---|
925 | * \deprecated It is deprecated and discouraged to call this function
|
---|
926 | * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
|
---|
927 | * are likely to remove the \p mode argument and have it
|
---|
928 | * implicitly set to #MBEDTLS_RSA_PRIVATE.
|
---|
929 | *
|
---|
930 | * \note Alternative implementations of RSA need not support
|
---|
931 | * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
|
---|
932 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
933 | *
|
---|
934 | * \param ctx The initialized RSA context to use.
|
---|
935 | * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
936 | * this is used for blinding and should be provided; see
|
---|
937 | * mbedtls_rsa_private() for more. If \p mode is
|
---|
938 | * #MBEDTLS_RSA_PUBLIC, it is ignored.
|
---|
939 | * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
|
---|
940 | * if \p f_rng is \c NULL or doesn't need a context argument.
|
---|
941 | * \param mode The mode of operation. This must be either
|
---|
942 | * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
|
---|
943 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
944 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
945 | * \param hashlen The length of the message digest.
|
---|
946 | * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
947 | * \param hash The buffer holding the message digest or raw data.
|
---|
948 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
949 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
950 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
951 | * the size of the hash corresponding to \p md_alg.
|
---|
952 | * \param sig The buffer to hold the signature. This must be a writable
|
---|
953 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
954 | * for an 2048-bit RSA modulus.
|
---|
955 | *
|
---|
956 | * \return \c 0 if the signing operation was successful.
|
---|
957 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
958 | */
|
---|
959 | int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
|
---|
960 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
961 | void *p_rng,
|
---|
962 | int mode,
|
---|
963 | mbedtls_md_type_t md_alg,
|
---|
964 | unsigned int hashlen,
|
---|
965 | const unsigned char *hash,
|
---|
966 | unsigned char *sig );
|
---|
967 |
|
---|
968 | /**
|
---|
969 | * \brief This function performs a PKCS#1 v2.1 PSS signature
|
---|
970 | * operation (RSASSA-PSS-SIGN).
|
---|
971 | *
|
---|
972 | * \note The \p hash_id in the RSA context is the one used for the
|
---|
973 | * encoding. \p md_alg in the function call is the type of hash
|
---|
974 | * that is encoded. According to <em>RFC-3447: Public-Key
|
---|
975 | * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
|
---|
976 | * Specifications</em> it is advised to keep both hashes the
|
---|
977 | * same.
|
---|
978 | *
|
---|
979 | * \note This function always uses the maximum possible salt size,
|
---|
980 | * up to the length of the payload hash. This choice of salt
|
---|
981 | * size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
|
---|
982 | * v2.2) §9.1.1 step 3. Furthermore this function enforces a
|
---|
983 | * minimum salt size which is the hash size minus 2 bytes. If
|
---|
984 | * this minimum size is too large given the key size (the salt
|
---|
985 | * size, plus the hash size, plus 2 bytes must be no more than
|
---|
986 | * the key size in bytes), this function returns
|
---|
987 | * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
|
---|
988 | *
|
---|
989 | * \deprecated It is deprecated and discouraged to call this function
|
---|
990 | * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
|
---|
991 | * are likely to remove the \p mode argument and have it
|
---|
992 | * implicitly set to #MBEDTLS_RSA_PRIVATE.
|
---|
993 | *
|
---|
994 | * \note Alternative implementations of RSA need not support
|
---|
995 | * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
|
---|
996 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
997 | *
|
---|
998 | * \param ctx The initialized RSA context to use.
|
---|
999 | * \param f_rng The RNG function. It must not be \c NULL.
|
---|
1000 | * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
|
---|
1001 | * if \p f_rng doesn't need a context argument.
|
---|
1002 | * \param mode The mode of operation. This must be either
|
---|
1003 | * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
|
---|
1004 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
1005 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
1006 | * \param hashlen The length of the message digest.
|
---|
1007 | * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
1008 | * \param hash The buffer holding the message digest or raw data.
|
---|
1009 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
1010 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
1011 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
1012 | * the size of the hash corresponding to \p md_alg.
|
---|
1013 | * \param sig The buffer to hold the signature. This must be a writable
|
---|
1014 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
1015 | * for an 2048-bit RSA modulus.
|
---|
1016 | *
|
---|
1017 | * \return \c 0 if the signing operation was successful.
|
---|
1018 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
1019 | */
|
---|
1020 | int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
|
---|
1021 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
1022 | void *p_rng,
|
---|
1023 | int mode,
|
---|
1024 | mbedtls_md_type_t md_alg,
|
---|
1025 | unsigned int hashlen,
|
---|
1026 | const unsigned char *hash,
|
---|
1027 | unsigned char *sig );
|
---|
1028 |
|
---|
1029 | /**
|
---|
1030 | * \brief This function performs a public RSA operation and checks
|
---|
1031 | * the message digest.
|
---|
1032 | *
|
---|
1033 | * This is the generic wrapper for performing a PKCS#1
|
---|
1034 | * verification using the mode from the context.
|
---|
1035 | *
|
---|
1036 | * \note For PKCS#1 v2.1 encoding, see comments on
|
---|
1037 | * mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
|
---|
1038 | * \p hash_id.
|
---|
1039 | *
|
---|
1040 | * \deprecated It is deprecated and discouraged to call this function
|
---|
1041 | * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
|
---|
1042 | * are likely to remove the \p mode argument and have it
|
---|
1043 | * set to #MBEDTLS_RSA_PUBLIC.
|
---|
1044 | *
|
---|
1045 | * \note Alternative implementations of RSA need not support
|
---|
1046 | * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
|
---|
1047 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
1048 | *
|
---|
1049 | * \param ctx The initialized RSA public key context to use.
|
---|
1050 | * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
1051 | * this is used for blinding and should be provided; see
|
---|
1052 | * mbedtls_rsa_private() for more. Otherwise, it is ignored.
|
---|
1053 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
1054 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
1055 | * \param mode The mode of operation. This must be either
|
---|
1056 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
|
---|
1057 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
1058 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
1059 | * \param hashlen The length of the message digest.
|
---|
1060 | * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
1061 | * \param hash The buffer holding the message digest or raw data.
|
---|
1062 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
1063 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
1064 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
1065 | * the size of the hash corresponding to \p md_alg.
|
---|
1066 | * \param sig The buffer holding the signature. This must be a readable
|
---|
1067 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
1068 | * for an 2048-bit RSA modulus.
|
---|
1069 | *
|
---|
1070 | * \return \c 0 if the verify operation was successful.
|
---|
1071 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
1072 | */
|
---|
1073 | int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
|
---|
1074 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
1075 | void *p_rng,
|
---|
1076 | int mode,
|
---|
1077 | mbedtls_md_type_t md_alg,
|
---|
1078 | unsigned int hashlen,
|
---|
1079 | const unsigned char *hash,
|
---|
1080 | const unsigned char *sig );
|
---|
1081 |
|
---|
1082 | /**
|
---|
1083 | * \brief This function performs a PKCS#1 v1.5 verification
|
---|
1084 | * operation (RSASSA-PKCS1-v1_5-VERIFY).
|
---|
1085 | *
|
---|
1086 | * \deprecated It is deprecated and discouraged to call this function
|
---|
1087 | * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
|
---|
1088 | * are likely to remove the \p mode argument and have it
|
---|
1089 | * set to #MBEDTLS_RSA_PUBLIC.
|
---|
1090 | *
|
---|
1091 | * \note Alternative implementations of RSA need not support
|
---|
1092 | * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
|
---|
1093 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
1094 | *
|
---|
1095 | * \param ctx The initialized RSA public key context to use.
|
---|
1096 | * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
1097 | * this is used for blinding and should be provided; see
|
---|
1098 | * mbedtls_rsa_private() for more. Otherwise, it is ignored.
|
---|
1099 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
1100 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
1101 | * \param mode The mode of operation. This must be either
|
---|
1102 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
|
---|
1103 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
1104 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
1105 | * \param hashlen The length of the message digest.
|
---|
1106 | * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
1107 | * \param hash The buffer holding the message digest or raw data.
|
---|
1108 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
1109 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
1110 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
1111 | * the size of the hash corresponding to \p md_alg.
|
---|
1112 | * \param sig The buffer holding the signature. This must be a readable
|
---|
1113 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
1114 | * for an 2048-bit RSA modulus.
|
---|
1115 | *
|
---|
1116 | * \return \c 0 if the verify operation was successful.
|
---|
1117 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
1118 | */
|
---|
1119 | int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
|
---|
1120 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
1121 | void *p_rng,
|
---|
1122 | int mode,
|
---|
1123 | mbedtls_md_type_t md_alg,
|
---|
1124 | unsigned int hashlen,
|
---|
1125 | const unsigned char *hash,
|
---|
1126 | const unsigned char *sig );
|
---|
1127 |
|
---|
1128 | /**
|
---|
1129 | * \brief This function performs a PKCS#1 v2.1 PSS verification
|
---|
1130 | * operation (RSASSA-PSS-VERIFY).
|
---|
1131 | *
|
---|
1132 | * The hash function for the MGF mask generating function
|
---|
1133 | * is that specified in the RSA context.
|
---|
1134 | *
|
---|
1135 | * \note The \p hash_id in the RSA context is the one used for the
|
---|
1136 | * verification. \p md_alg in the function call is the type of
|
---|
1137 | * hash that is verified. According to <em>RFC-3447: Public-Key
|
---|
1138 | * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
|
---|
1139 | * Specifications</em> it is advised to keep both hashes the
|
---|
1140 | * same. If \p hash_id in the RSA context is unset,
|
---|
1141 | * the \p md_alg from the function call is used.
|
---|
1142 | *
|
---|
1143 | * \deprecated It is deprecated and discouraged to call this function
|
---|
1144 | * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
|
---|
1145 | * are likely to remove the \p mode argument and have it
|
---|
1146 | * implicitly set to #MBEDTLS_RSA_PUBLIC.
|
---|
1147 | *
|
---|
1148 | * \note Alternative implementations of RSA need not support
|
---|
1149 | * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
|
---|
1150 | * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
|
---|
1151 | *
|
---|
1152 | * \param ctx The initialized RSA public key context to use.
|
---|
1153 | * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
1154 | * this is used for blinding and should be provided; see
|
---|
1155 | * mbedtls_rsa_private() for more. Otherwise, it is ignored.
|
---|
1156 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
1157 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
1158 | * \param mode The mode of operation. This must be either
|
---|
1159 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
|
---|
1160 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
1161 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
1162 | * \param hashlen The length of the message digest.
|
---|
1163 | * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
1164 | * \param hash The buffer holding the message digest or raw data.
|
---|
1165 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
1166 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
1167 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
1168 | * the size of the hash corresponding to \p md_alg.
|
---|
1169 | * \param sig The buffer holding the signature. This must be a readable
|
---|
1170 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
1171 | * for an 2048-bit RSA modulus.
|
---|
1172 | *
|
---|
1173 | * \return \c 0 if the verify operation was successful.
|
---|
1174 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
1175 | */
|
---|
1176 | int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
|
---|
1177 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
1178 | void *p_rng,
|
---|
1179 | int mode,
|
---|
1180 | mbedtls_md_type_t md_alg,
|
---|
1181 | unsigned int hashlen,
|
---|
1182 | const unsigned char *hash,
|
---|
1183 | const unsigned char *sig );
|
---|
1184 |
|
---|
1185 | /**
|
---|
1186 | * \brief This function performs a PKCS#1 v2.1 PSS verification
|
---|
1187 | * operation (RSASSA-PSS-VERIFY).
|
---|
1188 | *
|
---|
1189 | * The hash function for the MGF mask generating function
|
---|
1190 | * is that specified in \p mgf1_hash_id.
|
---|
1191 | *
|
---|
1192 | * \note The \p sig buffer must be as large as the size
|
---|
1193 | * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
|
---|
1194 | *
|
---|
1195 | * \note The \p hash_id in the RSA context is ignored.
|
---|
1196 | *
|
---|
1197 | * \param ctx The initialized RSA public key context to use.
|
---|
1198 | * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
|
---|
1199 | * this is used for blinding and should be provided; see
|
---|
1200 | * mbedtls_rsa_private() for more. Otherwise, it is ignored.
|
---|
1201 | * \param p_rng The RNG context to be passed to \p f_rng. This may be
|
---|
1202 | * \c NULL if \p f_rng is \c NULL or doesn't need a context.
|
---|
1203 | * \param mode The mode of operation. This must be either
|
---|
1204 | * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
|
---|
1205 | * \param md_alg The message-digest algorithm used to hash the original data.
|
---|
1206 | * Use #MBEDTLS_MD_NONE for signing raw data.
|
---|
1207 | * \param hashlen The length of the message digest.
|
---|
1208 | * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
|
---|
1209 | * \param hash The buffer holding the message digest or raw data.
|
---|
1210 | * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
|
---|
1211 | * buffer of length \p hashlen Bytes. If \p md_alg is not
|
---|
1212 | * #MBEDTLS_MD_NONE, it must be a readable buffer of length
|
---|
1213 | * the size of the hash corresponding to \p md_alg.
|
---|
1214 | * \param mgf1_hash_id The message digest used for mask generation.
|
---|
1215 | * \param expected_salt_len The length of the salt used in padding. Use
|
---|
1216 | * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
|
---|
1217 | * \param sig The buffer holding the signature. This must be a readable
|
---|
1218 | * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
|
---|
1219 | * for an 2048-bit RSA modulus.
|
---|
1220 | *
|
---|
1221 | * \return \c 0 if the verify operation was successful.
|
---|
1222 | * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
|
---|
1223 | */
|
---|
1224 | int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
|
---|
1225 | int (*f_rng)(void *, unsigned char *, size_t),
|
---|
1226 | void *p_rng,
|
---|
1227 | int mode,
|
---|
1228 | mbedtls_md_type_t md_alg,
|
---|
1229 | unsigned int hashlen,
|
---|
1230 | const unsigned char *hash,
|
---|
1231 | mbedtls_md_type_t mgf1_hash_id,
|
---|
1232 | int expected_salt_len,
|
---|
1233 | const unsigned char *sig );
|
---|
1234 |
|
---|
1235 | /**
|
---|
1236 | * \brief This function copies the components of an RSA context.
|
---|
1237 | *
|
---|
1238 | * \param dst The destination context. This must be initialized.
|
---|
1239 | * \param src The source context. This must be initialized.
|
---|
1240 | *
|
---|
1241 | * \return \c 0 on success.
|
---|
1242 | * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
|
---|
1243 | */
|
---|
1244 | int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
|
---|
1245 |
|
---|
1246 | /**
|
---|
1247 | * \brief This function frees the components of an RSA key.
|
---|
1248 | *
|
---|
1249 | * \param ctx The RSA context to free. May be \c NULL, in which case
|
---|
1250 | * this function is a no-op. If it is not \c NULL, it must
|
---|
1251 | * point to an initialized RSA context.
|
---|
1252 | */
|
---|
1253 | void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
|
---|
1254 |
|
---|
1255 | #if defined(MBEDTLS_SELF_TEST)
|
---|
1256 |
|
---|
1257 | /**
|
---|
1258 | * \brief The RSA checkup routine.
|
---|
1259 | *
|
---|
1260 | * \return \c 0 on success.
|
---|
1261 | * \return \c 1 on failure.
|
---|
1262 | */
|
---|
1263 | int mbedtls_rsa_self_test( int verbose );
|
---|
1264 |
|
---|
1265 | #endif /* MBEDTLS_SELF_TEST */
|
---|
1266 |
|
---|
1267 | #ifdef __cplusplus
|
---|
1268 | }
|
---|
1269 | #endif
|
---|
1270 |
|
---|
1271 | #endif /* rsa.h */
|
---|