1 /** 2 * \file rsa.h 3 * 4 * \brief The RSA public-key cryptosystem 5 * 6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 7 * SPDX-License-Identifier: Apache-2.0 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 #ifndef MBEDTLS_RSA_H 24 #define MBEDTLS_RSA_H 25 26 #include "bignum.h" 27 #include "md.h" 28 29 #if defined(MBEDTLS_THREADING_C) 30 #include "threading.h" 31 #endif 32 33 typedef struct RSA_KEY { 34 unsigned short key_len; 35 unsigned short e_len; 36 unsigned short d_len; 37 unsigned short p_len; 38 unsigned short q_len; 39 unsigned short dp_len; 40 unsigned short dq_len; 41 unsigned short iq_len; 42 unsigned short np_len; 43 unsigned char n[512]; 44 unsigned char e[8]; 45 unsigned char d[512]; 46 unsigned char p[256]; 47 unsigned char q[256]; 48 unsigned char dp[256]; 49 unsigned char dq[256]; 50 unsigned char iq[256]; 51 unsigned char np[32]; 52 } rsa_key_t; 53 54 /* 55 * RSA Error codes 56 */ 57 #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */ 58 #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */ 59 #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */ 60 #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the library's validity check. */ 61 #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */ 62 #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */ 63 #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */ 64 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ 65 #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ 66 67 /* 68 * RSA constants 69 */ 70 #define MBEDTLS_RSA_PUBLIC 0 71 #define MBEDTLS_RSA_PRIVATE 1 72 73 #define MBEDTLS_RSA_PKCS_V15 0 74 #define MBEDTLS_RSA_PKCS_V21 1 75 76 #define MBEDTLS_RSA_SIGN 1 77 #define MBEDTLS_RSA_CRYPT 2 78 79 #define MBEDTLS_RSA_SALT_LEN_ANY -1 80 81 /* 82 * The above constants may be used even if the RSA module is compile out, 83 * eg for alternative (PKCS#11) RSA implemenations in the PK layers. 84 */ 85 86 #ifdef __cplusplus 87 extern "C" { 88 #endif 89 90 /** 91 * \brief RSA context structure 92 */ 93 typedef struct 94 { 95 int ver; /*!< always 0 */ 96 unsigned int len; /*!< size(N) in chars */ 97 98 mbedtls_mpi N; /*!< public modulus */ 99 mbedtls_mpi E; /*!< public exponent */ 100 101 mbedtls_mpi D; /*!< private exponent */ 102 mbedtls_mpi P; /*!< 1st prime factor */ 103 mbedtls_mpi Q; /*!< 2nd prime factor */ 104 mbedtls_mpi DP; /*!< D % (P - 1) */ 105 mbedtls_mpi DQ; /*!< D % (Q - 1) */ 106 mbedtls_mpi QP; /*!< 1 / (Q % P) */ 107 108 mbedtls_mpi RN; /*!< cached R^2 mod N */ 109 mbedtls_mpi RP; /*!< cached R^2 mod P */ 110 mbedtls_mpi RQ; /*!< cached R^2 mod Q */ 111 112 mbedtls_mpi Vi; /*!< cached blinding value */ 113 mbedtls_mpi Vf; /*!< cached un-blinding value */ 114 115 #if defined(MBEDTLS_THREADING_C) 116 mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex */ 117 #endif 118 } 119 mbedtls_rsa_context; 120 121 /** 122 * \brief Initialize an RSA context 123 * 124 * Note: Set padding to MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP 125 * encryption scheme and the RSASSA-PSS signature scheme. 126 * 127 * \param ctx RSA context to be initialized 128 * 129 * \note The hash_id parameter is actually ignored 130 * when using MBEDTLS_RSA_PKCS_V15 padding. 131 * 132 * \note Choice of padding mode is strictly enforced for private key 133 * operations, since there might be security concerns in 134 * mixing padding modes. For public key operations it's merely 135 * a default value, which can be overriden by calling specific 136 * rsa_rsaes_xxx or rsa_rsassa_xxx functions. 137 * 138 * \note The chosen hash is always used for OEAP encryption. 139 * For PSS signatures, it's always used for making signatures, 140 * but can be overriden (and always is, if set to 141 * MBEDTLS_MD_NONE) for verifying them. 142 */ 143 void mbedtls_rsa_init( mbedtls_rsa_context *ctx); 144 145 /** 146 * \brief Set padding for an already initialized RSA context 147 * See \c mbedtls_rsa_init() for details. 148 * 149 * \param ctx RSA context to be set 150 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21 151 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier 152 */ 153 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id); 154 155 /** 156 * \brief Generate an RSA keypair 157 * 158 * \param ctx RSA context that will hold the key 159 * \param f_rng RNG function 160 * \param p_rng RNG parameter 161 * \param nbits size of the public key in bits 162 * \param exponent public exponent (e.g., 65537) 163 * 164 * \note mbedtls_rsa_init() must be called beforehand to setup 165 * the RSA context. 166 * 167 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 168 */ 169 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 170 int (*f_rng)(void *, unsigned char *, size_t), 171 void *p_rng, 172 unsigned int nbits, int exponent ); 173 174 /** 175 * \brief Check a public RSA key 176 * 177 * \param ctx RSA context to be checked 178 * 179 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 180 */ 181 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ); 182 183 /** 184 * \brief Check a private RSA key 185 * 186 * \param ctx RSA context to be checked 187 * 188 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 189 */ 190 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ); 191 192 /** 193 * \brief Check a public-private RSA key pair. 194 * Check each of the contexts, and make sure they match. 195 * 196 * \param pub RSA context holding the public key 197 * \param prv RSA context holding the private key 198 * 199 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 200 */ 201 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ); 202 203 /** 204 * \brief Do an RSA public key operation 205 * 206 * \param ctx RSA context 207 * \param input input buffer 208 * \param output output buffer 209 * 210 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 211 * 212 * \note This function does NOT take care of message 213 * padding. Also, be sure to set input[0] = 0 or ensure that 214 * input is smaller than N. 215 * 216 * \note The input and output buffers must be large 217 * enough (eg. 128 bytes if RSA-1024 is used). 218 */ 219 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 220 const unsigned char *input, 221 unsigned char *output ); 222 223 /** 224 * \brief Do an RSA private key operation 225 * 226 * \param ctx RSA context 227 * \param f_rng RNG function (Needed for blinding) 228 * \param p_rng RNG parameter 229 * \param input input buffer 230 * \param output output buffer 231 * 232 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 233 * 234 * \note The input and output buffers must be large 235 * enough (eg. 128 bytes if RSA-1024 is used). 236 */ 237 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 238 int (*f_rng)(void *, unsigned char *, size_t), 239 void *p_rng, 240 const unsigned char *input, 241 unsigned char *output ); 242 243 /** 244 * \brief Generic wrapper to perform a PKCS#1 encryption using the 245 * mode from the context. Add the message padding, then do an 246 * RSA operation. 247 * 248 * \param ctx RSA context 249 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding 250 * and MBEDTLS_RSA_PRIVATE) 251 * \param p_rng RNG parameter 252 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 253 * \param ilen contains the plaintext length 254 * \param input buffer holding the data to be encrypted 255 * \param output buffer that will hold the ciphertext 256 * 257 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 258 * 259 * \note The output buffer must be as large as the size 260 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 261 */ 262 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 263 int (*f_rng)(void *, unsigned char *, size_t), 264 void *p_rng, 265 int mode, size_t ilen, 266 const unsigned char *input, 267 unsigned char *output ); 268 269 /** 270 * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT) 271 * 272 * \param ctx RSA context 273 * \param f_rng RNG function (Needed for padding and MBEDTLS_RSA_PRIVATE) 274 * \param p_rng RNG parameter 275 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 276 * \param ilen contains the plaintext length 277 * \param input buffer holding the data to be encrypted 278 * \param output buffer that will hold the ciphertext 279 * 280 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 281 * 282 * \note The output buffer must be as large as the size 283 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 284 */ 285 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 286 int (*f_rng)(void *, unsigned char *, size_t), 287 void *p_rng, 288 int mode, size_t ilen, 289 const unsigned char *input, 290 unsigned char *output ); 291 292 /** 293 * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT) 294 * 295 * \param ctx RSA context 296 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding 297 * and MBEDTLS_RSA_PRIVATE) 298 * \param p_rng RNG parameter 299 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 300 * \param label buffer holding the custom label to use 301 * \param label_len contains the label length 302 * \param ilen contains the plaintext length 303 * \param input buffer holding the data to be encrypted 304 * \param output buffer that will hold the ciphertext 305 * 306 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 307 * 308 * \note The output buffer must be as large as the size 309 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 310 */ 311 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 312 int (*f_rng)(void *, unsigned char *, size_t), 313 void *p_rng, 314 int mode, 315 const unsigned char *label, size_t label_len, 316 size_t ilen, 317 const unsigned char *input, 318 unsigned char *output ); 319 320 /** 321 * \brief Generic wrapper to perform a PKCS#1 decryption using the 322 * mode from the context. Do an RSA operation, then remove 323 * the message padding 324 * 325 * \param ctx RSA context 326 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 327 * \param p_rng RNG parameter 328 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 329 * \param olen will contain the plaintext length 330 * \param input buffer holding the encrypted data 331 * \param output buffer that will hold the plaintext 332 * \param output_max_len maximum length of the output buffer 333 * 334 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 335 * 336 * \note The output buffer must be as large as the size 337 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise 338 * an error is thrown. 339 */ 340 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 341 int (*f_rng)(void *, unsigned char *, size_t), 342 void *p_rng, 343 int mode, size_t *olen, 344 const unsigned char *input, 345 unsigned char *output, 346 size_t output_max_len ); 347 348 /** 349 * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT) 350 * 351 * \param ctx RSA context 352 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 353 * \param p_rng RNG parameter 354 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 355 * \param olen will contain the plaintext length 356 * \param input buffer holding the encrypted data 357 * \param output buffer that will hold the plaintext 358 * \param output_max_len maximum length of the output buffer 359 * 360 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 361 * 362 * \note The output buffer must be as large as the size 363 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise 364 * an error is thrown. 365 */ 366 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 367 int (*f_rng)(void *, unsigned char *, size_t), 368 void *p_rng, 369 int mode, size_t *olen, 370 const unsigned char *input, 371 unsigned char *output, 372 size_t output_max_len ); 373 374 /** 375 * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT) 376 * 377 * \param ctx RSA context 378 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 379 * \param p_rng RNG parameter 380 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 381 * \param label buffer holding the custom label to use 382 * \param label_len contains the label length 383 * \param olen will contain the plaintext length 384 * \param input buffer holding the encrypted data 385 * \param output buffer that will hold the plaintext 386 * \param output_max_len maximum length of the output buffer 387 * 388 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 389 * 390 * \note The output buffer must be as large as the size 391 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise 392 * an error is thrown. 393 */ 394 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 395 int (*f_rng)(void *, unsigned char *, size_t), 396 void *p_rng, 397 int mode, 398 const unsigned char *label, size_t label_len, 399 size_t *olen, 400 const unsigned char *input, 401 unsigned char *output, 402 size_t output_max_len ); 403 404 /** 405 * \brief Generic wrapper to perform a PKCS#1 signature using the 406 * mode from the context. Do a private RSA operation to sign 407 * a message digest 408 * 409 * \param ctx RSA context 410 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for 411 * MBEDTLS_RSA_PRIVATE) 412 * \param p_rng RNG parameter 413 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 414 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 415 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 416 * \param hash buffer holding the message digest 417 * \param sig buffer that will hold the ciphertext 418 * 419 * \return 0 if the signing operation was successful, 420 * or an MBEDTLS_ERR_RSA_XXX error code 421 * 422 * \note The "sig" buffer must be as large as the size 423 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 424 * 425 * \note In case of PKCS#1 v2.1 encoding, see comments on 426 * \note \c mbedtls_rsa_rsassa_pss_sign() for details on md_alg and hash_id. 427 */ 428 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 429 int (*f_rng)(void *, unsigned char *, size_t), 430 void *p_rng, 431 int mode, 432 mbedtls_md_type_t md_alg, 433 unsigned int hashlen, 434 const unsigned char *hash, 435 unsigned char *sig ); 436 437 /** 438 * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN) 439 * 440 * \param ctx RSA context 441 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 442 * \param p_rng RNG parameter 443 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 444 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 445 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 446 * \param hash buffer holding the message digest 447 * \param sig buffer that will hold the ciphertext 448 * 449 * \return 0 if the signing operation was successful, 450 * or an MBEDTLS_ERR_RSA_XXX error code 451 * 452 * \note The "sig" buffer must be as large as the size 453 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 454 */ 455 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 456 int (*f_rng)(void *, unsigned char *, size_t), 457 void *p_rng, 458 int mode, 459 mbedtls_md_type_t md_alg, 460 unsigned int hashlen, 461 const unsigned char *hash, 462 unsigned char *sig ); 463 464 /** 465 * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN) 466 * 467 * \param ctx RSA context 468 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for 469 * MBEDTLS_RSA_PRIVATE) 470 * \param p_rng RNG parameter 471 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 472 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 473 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 474 * \param hash buffer holding the message digest 475 * \param sig buffer that will hold the ciphertext 476 * 477 * \return 0 if the signing operation was successful, 478 * or an MBEDTLS_ERR_RSA_XXX error code 479 * 480 * \note The "sig" buffer must be as large as the size 481 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 482 * 483 * \note The hash_id in the RSA context is the one used for the 484 * encoding. md_alg in the function call is the type of hash 485 * that is encoded. According to RFC 3447 it is advised to 486 * keep both hashes the same. 487 */ 488 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 489 int (*f_rng)(void *, unsigned char *, size_t), 490 void *p_rng, 491 int mode, 492 mbedtls_md_type_t md_alg, 493 unsigned int hashlen, 494 const unsigned char *hash, 495 unsigned char *sig ); 496 497 /** 498 * \brief Generic wrapper to perform a PKCS#1 verification using the 499 * mode from the context. Do a public RSA operation and check 500 * the message digest 501 * 502 * \param ctx points to an RSA public key 503 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 504 * \param p_rng RNG parameter 505 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 506 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 507 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 508 * \param hash buffer holding the message digest 509 * \param sig buffer holding the ciphertext 510 * 511 * \return 0 if the verify operation was successful, 512 * or an MBEDTLS_ERR_RSA_XXX error code 513 * 514 * \note The "sig" buffer must be as large as the size 515 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 516 * 517 * \note In case of PKCS#1 v2.1 encoding, see comments on 518 * \c mbedtls_rsa_rsassa_pss_verify() about md_alg and hash_id. 519 */ 520 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 521 int (*f_rng)(void *, unsigned char *, size_t), 522 void *p_rng, 523 int mode, 524 mbedtls_md_type_t md_alg, 525 unsigned int hashlen, 526 const unsigned char *hash, 527 const unsigned char *sig ); 528 529 /** 530 * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY) 531 * 532 * \param ctx points to an RSA public key 533 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 534 * \param p_rng RNG parameter 535 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 536 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 537 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 538 * \param hash buffer holding the message digest 539 * \param sig buffer holding the ciphertext 540 * 541 * \return 0 if the verify operation was successful, 542 * or an MBEDTLS_ERR_RSA_XXX error code 543 * 544 * \note The "sig" buffer must be as large as the size 545 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 546 */ 547 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 548 int (*f_rng)(void *, unsigned char *, size_t), 549 void *p_rng, 550 int mode, 551 mbedtls_md_type_t md_alg, 552 unsigned int hashlen, 553 const unsigned char *hash, 554 const unsigned char *sig ); 555 556 /** 557 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY) 558 * (This is the "simple" version.) 559 * 560 * \param ctx points to an RSA public key 561 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 562 * \param p_rng RNG parameter 563 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 564 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 565 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 566 * \param hash buffer holding the message digest 567 * \param sig buffer holding the ciphertext 568 * 569 * \return 0 if the verify operation was successful, 570 * or an MBEDTLS_ERR_RSA_XXX error code 571 * 572 * \note The "sig" buffer must be as large as the size 573 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 574 * 575 * \note The hash_id in the RSA context is the one used for the 576 * verification. md_alg in the function call is the type of 577 * hash that is verified. According to RFC 3447 it is advised to 578 * keep both hashes the same. If hash_id in the RSA context is 579 * unset, the md_alg from the function call is used. 580 */ 581 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 582 int (*f_rng)(void *, unsigned char *, size_t), 583 void *p_rng, 584 int mode, 585 mbedtls_md_type_t md_alg, 586 unsigned int hashlen, 587 const unsigned char *hash, 588 const unsigned char *sig ); 589 590 /** 591 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY) 592 * (This is the version with "full" options.) 593 * 594 * \param ctx points to an RSA public key 595 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 596 * \param p_rng RNG parameter 597 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 598 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 599 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 600 * \param hash buffer holding the message digest 601 * \param mgf1_hash_id message digest used for mask generation 602 * \param expected_salt_len Length of the salt used in padding, use 603 * MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length 604 * \param sig buffer holding the ciphertext 605 * 606 * \return 0 if the verify operation was successful, 607 * or an MBEDTLS_ERR_RSA_XXX error code 608 * 609 * \note The "sig" buffer must be as large as the size 610 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 611 * 612 * \note The hash_id in the RSA context is ignored. 613 */ 614 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 615 int (*f_rng)(void *, unsigned char *, size_t), 616 void *p_rng, 617 int mode, 618 mbedtls_md_type_t md_alg, 619 unsigned int hashlen, 620 const unsigned char *hash, 621 mbedtls_md_type_t mgf1_hash_id, 622 int expected_salt_len, 623 const unsigned char *sig ); 624 625 /** 626 * \brief Copy the components of an RSA context 627 * 628 * \param dst Destination context 629 * \param src Source context 630 * 631 * \return 0 on success, 632 * MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure 633 */ 634 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ); 635 636 /** 637 * \brief Free the components of an RSA key 638 * 639 * \param ctx RSA Context to free 640 */ 641 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ); 642 643 /** 644 * \brief Checkup routine 645 * 646 * \return 0 if successful, or 1 if the test failed 647 */ 648 int mbedtls_rsa_self_test( int verbose ); 649 650 int rk_rsa_private(rsa_key_t *key, const unsigned char *input, unsigned char *output); 651 int rk_rsa_public(rsa_key_t *key, const unsigned char *input, unsigned char *output); 652 653 654 #ifdef __cplusplus 655 } 656 #endif 657 658 #endif /* rsa.h */ 659