1 /** 2 * \file rsa.h 3 * 4 * \brief This file provides an API for the RSA public-key cryptosystem. 5 * 6 * The RSA public-key cryptosystem is defined in <em>Public-Key 7 * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em> 8 * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1: 9 * RSA Cryptography Specifications</em>. 10 * 11 */ 12 /* 13 * Copyright The Mbed TLS Contributors 14 * SPDX-License-Identifier: Apache-2.0 15 * 16 * Licensed under the Apache License, Version 2.0 (the "License"); you may 17 * not use this file except in compliance with the License. 18 * You may obtain a copy of the License at 19 * 20 * http://www.apache.org/licenses/LICENSE-2.0 21 * 22 * Unless required by applicable law or agreed to in writing, software 23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 25 * See the License for the specific language governing permissions and 26 * limitations under the License. 27 */ 28 #ifndef MBEDTLS_RSA_H 29 #define MBEDTLS_RSA_H 30 31 #if !defined(MBEDTLS_CONFIG_FILE) 32 #include "mbedtls/config.h" 33 #else 34 #include MBEDTLS_CONFIG_FILE 35 #endif 36 37 #include "mbedtls/bignum.h" 38 #include "mbedtls/md.h" 39 40 #if defined(MBEDTLS_THREADING_C) 41 #include "mbedtls/threading.h" 42 #endif 43 44 /* 45 * RSA Error codes 46 */ 47 /** Bad input parameters to function. */ 48 #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 49 /** Input data contains invalid padding and is rejected. */ 50 #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 51 /** Something failed during generation of a key. */ 52 #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 53 /** Key failed to pass the validity check of the library. */ 54 #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 55 /** The public key operation failed. */ 56 #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 57 /** The private key operation failed. */ 58 #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 59 /** The PKCS#1 verification failed. */ 60 #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 61 /** The output buffer for decryption is not large enough. */ 62 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 63 /** The random generator failed to generate non-zeros. */ 64 #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 65 66 /* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used. 67 */ 68 /** The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */ 69 #define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 70 71 /* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */ 72 /** RSA hardware accelerator failed. */ 73 #define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED -0x4580 74 75 /* 76 * RSA constants 77 */ 78 #define MBEDTLS_RSA_PUBLIC 0 /**< Request private key operation. */ 79 #define MBEDTLS_RSA_PRIVATE 1 /**< Request public key operation. */ 80 81 #define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */ 82 #define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */ 83 84 #define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */ 85 #define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */ 86 87 #define MBEDTLS_RSA_SALT_LEN_ANY -1 88 89 /* 90 * The above constants may be used even if the RSA module is compile out, 91 * eg for alternative (PKCS#11) RSA implemenations in the PK layers. 92 */ 93 94 #ifdef __cplusplus 95 extern "C" { 96 #endif 97 98 #if !defined(MBEDTLS_RSA_ALT) 99 // Regular implementation 100 // 101 102 /** 103 * \brief The RSA context structure. 104 * 105 * \note Direct manipulation of the members of this structure 106 * is deprecated. All manipulation should instead be done through 107 * the public interface functions. 108 */ 109 typedef struct mbedtls_rsa_context 110 { 111 int ver; /*!< Reserved for internal purposes. 112 * Do not set this field in application 113 * code. Its meaning might change without 114 * notice. */ 115 size_t len; /*!< The size of \p N in Bytes. */ 116 117 mbedtls_mpi N; /*!< The public modulus. */ 118 mbedtls_mpi E; /*!< The public exponent. */ 119 120 mbedtls_mpi D; /*!< The private exponent. */ 121 mbedtls_mpi P; /*!< The first prime factor. */ 122 mbedtls_mpi Q; /*!< The second prime factor. */ 123 124 mbedtls_mpi DP; /*!< <code>D % (P - 1)</code>. */ 125 mbedtls_mpi DQ; /*!< <code>D % (Q - 1)</code>. */ 126 mbedtls_mpi QP; /*!< <code>1 / (Q % P)</code>. */ 127 128 mbedtls_mpi RN; /*!< cached <code>R^2 mod N</code>. */ 129 130 mbedtls_mpi RP; /*!< cached <code>R^2 mod P</code>. */ 131 mbedtls_mpi RQ; /*!< cached <code>R^2 mod Q</code>. */ 132 133 mbedtls_mpi Vi; /*!< The cached blinding value. */ 134 mbedtls_mpi Vf; /*!< The cached un-blinding value. */ 135 136 int padding; /*!< Selects padding mode: 137 #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and 138 #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */ 139 int hash_id; /*!< Hash identifier of mbedtls_md_type_t type, 140 as specified in md.h for use in the MGF 141 mask generating function used in the 142 EME-OAEP and EMSA-PSS encodings. */ 143 #if defined(MBEDTLS_THREADING_C) 144 /* Invariant: the mutex is initialized iff ver != 0. */ 145 mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex. */ 146 #endif 147 } 148 mbedtls_rsa_context; 149 150 #else /* MBEDTLS_RSA_ALT */ 151 #include "rsa_alt.h" 152 #endif /* MBEDTLS_RSA_ALT */ 153 154 /** 155 * \brief This function initializes an RSA context. 156 * 157 * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP 158 * encryption scheme and the RSASSA-PSS signature scheme. 159 * 160 * \note The \p hash_id parameter is ignored when using 161 * #MBEDTLS_RSA_PKCS_V15 padding. 162 * 163 * \note The choice of padding mode is strictly enforced for private key 164 * operations, since there might be security concerns in 165 * mixing padding modes. For public key operations it is 166 * a default value, which can be overridden by calling specific 167 * \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions. 168 * 169 * \note The hash selected in \p hash_id is always used for OEAP 170 * encryption. For PSS signatures, it is always used for 171 * making signatures, but can be overridden for verifying them. 172 * If set to #MBEDTLS_MD_NONE, it is always overridden. 173 * 174 * \param ctx The RSA context to initialize. This must not be \c NULL. 175 * \param padding The padding mode to use. This must be either 176 * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. 177 * \param hash_id The hash identifier of ::mbedtls_md_type_t type, if 178 * \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused 179 * otherwise. 180 */ 181 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 182 int padding, 183 int hash_id ); 184 185 /** 186 * \brief This function imports a set of core parameters into an 187 * RSA context. 188 * 189 * \note This function can be called multiple times for successive 190 * imports, if the parameters are not simultaneously present. 191 * 192 * Any sequence of calls to this function should be followed 193 * by a call to mbedtls_rsa_complete(), which checks and 194 * completes the provided information to a ready-for-use 195 * public or private RSA key. 196 * 197 * \note See mbedtls_rsa_complete() for more information on which 198 * parameters are necessary to set up a private or public 199 * RSA key. 200 * 201 * \note The imported parameters are copied and need not be preserved 202 * for the lifetime of the RSA context being set up. 203 * 204 * \param ctx The initialized RSA context to store the parameters in. 205 * \param N The RSA modulus. This may be \c NULL. 206 * \param P The first prime factor of \p N. This may be \c NULL. 207 * \param Q The second prime factor of \p N. This may be \c NULL. 208 * \param D The private exponent. This may be \c NULL. 209 * \param E The public exponent. This may be \c NULL. 210 * 211 * \return \c 0 on success. 212 * \return A non-zero error code on failure. 213 */ 214 int mbedtls_rsa_import( mbedtls_rsa_context *ctx, 215 const mbedtls_mpi *N, 216 const mbedtls_mpi *P, const mbedtls_mpi *Q, 217 const mbedtls_mpi *D, const mbedtls_mpi *E ); 218 219 /** 220 * \brief This function imports core RSA parameters, in raw big-endian 221 * binary format, into an RSA context. 222 * 223 * \note This function can be called multiple times for successive 224 * imports, if the parameters are not simultaneously present. 225 * 226 * Any sequence of calls to this function should be followed 227 * by a call to mbedtls_rsa_complete(), which checks and 228 * completes the provided information to a ready-for-use 229 * public or private RSA key. 230 * 231 * \note See mbedtls_rsa_complete() for more information on which 232 * parameters are necessary to set up a private or public 233 * RSA key. 234 * 235 * \note The imported parameters are copied and need not be preserved 236 * for the lifetime of the RSA context being set up. 237 * 238 * \param ctx The initialized RSA context to store the parameters in. 239 * \param N The RSA modulus. This may be \c NULL. 240 * \param N_len The Byte length of \p N; it is ignored if \p N == NULL. 241 * \param P The first prime factor of \p N. This may be \c NULL. 242 * \param P_len The Byte length of \p P; it ns ignored if \p P == NULL. 243 * \param Q The second prime factor of \p N. This may be \c NULL. 244 * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. 245 * \param D The private exponent. This may be \c NULL. 246 * \param D_len The Byte length of \p D; it is ignored if \p D == NULL. 247 * \param E The public exponent. This may be \c NULL. 248 * \param E_len The Byte length of \p E; it is ignored if \p E == NULL. 249 * 250 * \return \c 0 on success. 251 * \return A non-zero error code on failure. 252 */ 253 int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, 254 unsigned char const *N, size_t N_len, 255 unsigned char const *P, size_t P_len, 256 unsigned char const *Q, size_t Q_len, 257 unsigned char const *D, size_t D_len, 258 unsigned char const *E, size_t E_len ); 259 260 /** 261 * \brief This function completes an RSA context from 262 * a set of imported core parameters. 263 * 264 * To setup an RSA public key, precisely \p N and \p E 265 * must have been imported. 266 * 267 * To setup an RSA private key, sufficient information must 268 * be present for the other parameters to be derivable. 269 * 270 * The default implementation supports the following: 271 * <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li> 272 * <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul> 273 * Alternative implementations need not support these. 274 * 275 * If this function runs successfully, it guarantees that 276 * the RSA context can be used for RSA operations without 277 * the risk of failure or crash. 278 * 279 * \warning This function need not perform consistency checks 280 * for the imported parameters. In particular, parameters that 281 * are not needed by the implementation might be silently 282 * discarded and left unchecked. To check the consistency 283 * of the key material, see mbedtls_rsa_check_privkey(). 284 * 285 * \param ctx The initialized RSA context holding imported parameters. 286 * 287 * \return \c 0 on success. 288 * \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations 289 * failed. 290 * 291 */ 292 int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ); 293 294 /** 295 * \brief This function exports the core parameters of an RSA key. 296 * 297 * If this function runs successfully, the non-NULL buffers 298 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully 299 * written, with additional unused space filled leading by 300 * zero Bytes. 301 * 302 * Possible reasons for returning 303 * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul> 304 * <li>An alternative RSA implementation is in use, which 305 * stores the key externally, and either cannot or should 306 * not export it into RAM.</li> 307 * <li>A SW or HW implementation might not support a certain 308 * deduction. For example, \p P, \p Q from \p N, \p D, 309 * and \p E if the former are not part of the 310 * implementation.</li></ul> 311 * 312 * If the function fails due to an unsupported operation, 313 * the RSA context stays intact and remains usable. 314 * 315 * \param ctx The initialized RSA context. 316 * \param N The MPI to hold the RSA modulus. 317 * This may be \c NULL if this field need not be exported. 318 * \param P The MPI to hold the first prime factor of \p N. 319 * This may be \c NULL if this field need not be exported. 320 * \param Q The MPI to hold the second prime factor of \p N. 321 * This may be \c NULL if this field need not be exported. 322 * \param D The MPI to hold the private exponent. 323 * This may be \c NULL if this field need not be exported. 324 * \param E The MPI to hold the public exponent. 325 * This may be \c NULL if this field need not be exported. 326 * 327 * \return \c 0 on success. 328 * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the 329 * requested parameters cannot be done due to missing 330 * functionality or because of security policies. 331 * \return A non-zero return code on any other failure. 332 * 333 */ 334 int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, 335 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, 336 mbedtls_mpi *D, mbedtls_mpi *E ); 337 338 /** 339 * \brief This function exports core parameters of an RSA key 340 * in raw big-endian binary format. 341 * 342 * If this function runs successfully, the non-NULL buffers 343 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully 344 * written, with additional unused space filled leading by 345 * zero Bytes. 346 * 347 * Possible reasons for returning 348 * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul> 349 * <li>An alternative RSA implementation is in use, which 350 * stores the key externally, and either cannot or should 351 * not export it into RAM.</li> 352 * <li>A SW or HW implementation might not support a certain 353 * deduction. For example, \p P, \p Q from \p N, \p D, 354 * and \p E if the former are not part of the 355 * implementation.</li></ul> 356 * If the function fails due to an unsupported operation, 357 * the RSA context stays intact and remains usable. 358 * 359 * \note The length parameters are ignored if the corresponding 360 * buffer pointers are NULL. 361 * 362 * \param ctx The initialized RSA context. 363 * \param N The Byte array to store the RSA modulus, 364 * or \c NULL if this field need not be exported. 365 * \param N_len The size of the buffer for the modulus. 366 * \param P The Byte array to hold the first prime factor of \p N, 367 * or \c NULL if this field need not be exported. 368 * \param P_len The size of the buffer for the first prime factor. 369 * \param Q The Byte array to hold the second prime factor of \p N, 370 * or \c NULL if this field need not be exported. 371 * \param Q_len The size of the buffer for the second prime factor. 372 * \param D The Byte array to hold the private exponent, 373 * or \c NULL if this field need not be exported. 374 * \param D_len The size of the buffer for the private exponent. 375 * \param E The Byte array to hold the public exponent, 376 * or \c NULL if this field need not be exported. 377 * \param E_len The size of the buffer for the public exponent. 378 * 379 * \return \c 0 on success. 380 * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the 381 * requested parameters cannot be done due to missing 382 * functionality or because of security policies. 383 * \return A non-zero return code on any other failure. 384 */ 385 int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, 386 unsigned char *N, size_t N_len, 387 unsigned char *P, size_t P_len, 388 unsigned char *Q, size_t Q_len, 389 unsigned char *D, size_t D_len, 390 unsigned char *E, size_t E_len ); 391 392 /** 393 * \brief This function exports CRT parameters of a private RSA key. 394 * 395 * \note Alternative RSA implementations not using CRT-parameters 396 * internally can implement this function based on 397 * mbedtls_rsa_deduce_opt(). 398 * 399 * \param ctx The initialized RSA context. 400 * \param DP The MPI to hold \c D modulo `P-1`, 401 * or \c NULL if it need not be exported. 402 * \param DQ The MPI to hold \c D modulo `Q-1`, 403 * or \c NULL if it need not be exported. 404 * \param QP The MPI to hold modular inverse of \c Q modulo \c P, 405 * or \c NULL if it need not be exported. 406 * 407 * \return \c 0 on success. 408 * \return A non-zero error code on failure. 409 * 410 */ 411 int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, 412 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ); 413 414 /** 415 * \brief This function sets padding for an already initialized RSA 416 * context. See mbedtls_rsa_init() for details. 417 * 418 * \param ctx The initialized RSA context to be configured. 419 * \param padding The padding mode to use. This must be either 420 * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. 421 * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier. 422 */ 423 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, 424 int hash_id ); 425 426 /** 427 * \brief This function retrieves the length of RSA modulus in Bytes. 428 * 429 * \param ctx The initialized RSA context. 430 * 431 * \return The length of the RSA modulus in Bytes. 432 * 433 */ 434 size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ); 435 436 /** 437 * \brief This function generates an RSA keypair. 438 * 439 * \note mbedtls_rsa_init() must be called before this function, 440 * to set up the RSA context. 441 * 442 * \param ctx The initialized RSA context used to hold the key. 443 * \param f_rng The RNG function to be used for key generation. 444 * This must not be \c NULL. 445 * \param p_rng The RNG context to be passed to \p f_rng. 446 * This may be \c NULL if \p f_rng doesn't need a context. 447 * \param nbits The size of the public key in bits. 448 * \param exponent The public exponent to use. For example, \c 65537. 449 * This must be odd and greater than \c 1. 450 * 451 * \return \c 0 on success. 452 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 453 */ 454 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 455 int (*f_rng)(void *, unsigned char *, size_t), 456 void *p_rng, 457 unsigned int nbits, int exponent ); 458 459 /** 460 * \brief This function checks if a context contains at least an RSA 461 * public key. 462 * 463 * If the function runs successfully, it is guaranteed that 464 * enough information is present to perform an RSA public key 465 * operation using mbedtls_rsa_public(). 466 * 467 * \param ctx The initialized RSA context to check. 468 * 469 * \return \c 0 on success. 470 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 471 * 472 */ 473 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ); 474 475 /** 476 * \brief This function checks if a context contains an RSA private key 477 * and perform basic consistency checks. 478 * 479 * \note The consistency checks performed by this function not only 480 * ensure that mbedtls_rsa_private() can be called successfully 481 * on the given context, but that the various parameters are 482 * mutually consistent with high probability, in the sense that 483 * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. 484 * 485 * \warning This function should catch accidental misconfigurations 486 * like swapping of parameters, but it cannot establish full 487 * trust in neither the quality nor the consistency of the key 488 * material that was used to setup the given RSA context: 489 * <ul><li>Consistency: Imported parameters that are irrelevant 490 * for the implementation might be silently dropped. If dropped, 491 * the current function does not have access to them, 492 * and therefore cannot check them. See mbedtls_rsa_complete(). 493 * If you want to check the consistency of the entire 494 * content of an PKCS1-encoded RSA private key, for example, you 495 * should use mbedtls_rsa_validate_params() before setting 496 * up the RSA context. 497 * Additionally, if the implementation performs empirical checks, 498 * these checks substantiate but do not guarantee consistency.</li> 499 * <li>Quality: This function is not expected to perform 500 * extended quality assessments like checking that the prime 501 * factors are safe. Additionally, it is the responsibility of the 502 * user to ensure the trustworthiness of the source of his RSA 503 * parameters, which goes beyond what is effectively checkable 504 * by the library.</li></ul> 505 * 506 * \param ctx The initialized RSA context to check. 507 * 508 * \return \c 0 on success. 509 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 510 */ 511 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ); 512 513 /** 514 * \brief This function checks a public-private RSA key pair. 515 * 516 * It checks each of the contexts, and makes sure they match. 517 * 518 * \param pub The initialized RSA context holding the public key. 519 * \param prv The initialized RSA context holding the private key. 520 * 521 * \return \c 0 on success. 522 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 523 */ 524 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, 525 const mbedtls_rsa_context *prv ); 526 527 /** 528 * \brief This function performs an RSA public key operation. 529 * 530 * \param ctx The initialized RSA context to use. 531 * \param input The input buffer. This must be a readable buffer 532 * of length \c ctx->len Bytes. For example, \c 256 Bytes 533 * for an 2048-bit RSA modulus. 534 * \param output The output buffer. This must be a writable buffer 535 * of length \c ctx->len Bytes. For example, \c 256 Bytes 536 * for an 2048-bit RSA modulus. 537 * 538 * \note This function does not handle message padding. 539 * 540 * \note Make sure to set \p input[0] = 0 or ensure that 541 * input is smaller than \p N. 542 * 543 * \return \c 0 on success. 544 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 545 */ 546 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 547 const unsigned char *input, 548 unsigned char *output ); 549 550 /** 551 * \brief This function performs an RSA private key operation. 552 * 553 * \note Blinding is used if and only if a PRNG is provided. 554 * 555 * \note If blinding is used, both the base of exponentation 556 * and the exponent are blinded, providing protection 557 * against some side-channel attacks. 558 * 559 * \warning It is deprecated and a security risk to not provide 560 * a PRNG here and thereby prevent the use of blinding. 561 * Future versions of the library may enforce the presence 562 * of a PRNG. 563 * 564 * \param ctx The initialized RSA context to use. 565 * \param f_rng The RNG function, used for blinding. It is discouraged 566 * and deprecated to pass \c NULL here, in which case 567 * blinding will be omitted. 568 * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL 569 * if \p f_rng is \c NULL or if \p f_rng doesn't need a context. 570 * \param input The input buffer. This must be a readable buffer 571 * of length \c ctx->len Bytes. For example, \c 256 Bytes 572 * for an 2048-bit RSA modulus. 573 * \param output The output buffer. This must be a writable buffer 574 * of length \c ctx->len Bytes. For example, \c 256 Bytes 575 * for an 2048-bit RSA modulus. 576 * 577 * \return \c 0 on success. 578 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 579 * 580 */ 581 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 582 int (*f_rng)(void *, unsigned char *, size_t), 583 void *p_rng, 584 const unsigned char *input, 585 unsigned char *output ); 586 587 /** 588 * \brief This function adds the message padding, then performs an RSA 589 * operation. 590 * 591 * It is the generic wrapper for performing a PKCS#1 encryption 592 * operation using the \p mode from the context. 593 * 594 * \deprecated It is deprecated and discouraged to call this function 595 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library 596 * are likely to remove the \p mode argument and have it 597 * implicitly set to #MBEDTLS_RSA_PUBLIC. 598 * 599 * \note Alternative implementations of RSA need not support 600 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead 601 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 602 * 603 * \param ctx The initialized RSA context to use. 604 * \param f_rng The RNG to use. It is mandatory for PKCS#1 v2.1 padding 605 * encoding, and for PKCS#1 v1.5 padding encoding when used 606 * with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5 607 * padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE, 608 * it is used for blinding and should be provided in this 609 * case; see mbedtls_rsa_private() for more. 610 * \param p_rng The RNG context to be passed to \p f_rng. May be 611 * \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't 612 * need a context argument. 613 * \param mode The mode of operation. This must be either 614 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). 615 * \param ilen The length of the plaintext in Bytes. 616 * \param input The input data to encrypt. This must be a readable 617 * buffer of size \p ilen Bytes. It may be \c NULL if 618 * `ilen == 0`. 619 * \param output The output buffer. This must be a writable buffer 620 * of length \c ctx->len Bytes. For example, \c 256 Bytes 621 * for an 2048-bit RSA modulus. 622 * 623 * \return \c 0 on success. 624 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 625 */ 626 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 627 int (*f_rng)(void *, unsigned char *, size_t), 628 void *p_rng, 629 int mode, size_t ilen, 630 const unsigned char *input, 631 unsigned char *output ); 632 633 /** 634 * \brief This function performs a PKCS#1 v1.5 encryption operation 635 * (RSAES-PKCS1-v1_5-ENCRYPT). 636 * 637 * \deprecated It is deprecated and discouraged to call this function 638 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library 639 * are likely to remove the \p mode argument and have it 640 * implicitly set to #MBEDTLS_RSA_PUBLIC. 641 * 642 * \note Alternative implementations of RSA need not support 643 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead 644 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 645 * 646 * \param ctx The initialized RSA context to use. 647 * \param f_rng The RNG function to use. It is needed for padding generation 648 * if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is 649 * #MBEDTLS_RSA_PRIVATE (discouraged), it is used for 650 * blinding and should be provided; see mbedtls_rsa_private(). 651 * \param p_rng The RNG context to be passed to \p f_rng. This may 652 * be \c NULL if \p f_rng is \c NULL or if \p f_rng 653 * doesn't need a context argument. 654 * \param mode The mode of operation. This must be either 655 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). 656 * \param ilen The length of the plaintext in Bytes. 657 * \param input The input data to encrypt. This must be a readable 658 * buffer of size \p ilen Bytes. It may be \c NULL if 659 * `ilen == 0`. 660 * \param output The output buffer. This must be a writable buffer 661 * of length \c ctx->len Bytes. For example, \c 256 Bytes 662 * for an 2048-bit RSA modulus. 663 * 664 * \return \c 0 on success. 665 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 666 */ 667 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 668 int (*f_rng)(void *, unsigned char *, size_t), 669 void *p_rng, 670 int mode, size_t ilen, 671 const unsigned char *input, 672 unsigned char *output ); 673 674 /** 675 * \brief This function performs a PKCS#1 v2.1 OAEP encryption 676 * operation (RSAES-OAEP-ENCRYPT). 677 * 678 * \note The output buffer must be as large as the size 679 * of ctx->N. For example, 128 Bytes if RSA-1024 is used. 680 * 681 * \deprecated It is deprecated and discouraged to call this function 682 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library 683 * are likely to remove the \p mode argument and have it 684 * implicitly set to #MBEDTLS_RSA_PUBLIC. 685 * 686 * \note Alternative implementations of RSA need not support 687 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead 688 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 689 * 690 * \param ctx The initnialized RSA context to use. 691 * \param f_rng The RNG function to use. This is needed for padding 692 * generation and must be provided. 693 * \param p_rng The RNG context to be passed to \p f_rng. This may 694 * be \c NULL if \p f_rng doesn't need a context argument. 695 * \param mode The mode of operation. This must be either 696 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). 697 * \param label The buffer holding the custom label to use. 698 * This must be a readable buffer of length \p label_len 699 * Bytes. It may be \c NULL if \p label_len is \c 0. 700 * \param label_len The length of the label in Bytes. 701 * \param ilen The length of the plaintext buffer \p input in Bytes. 702 * \param input The input data to encrypt. This must be a readable 703 * buffer of size \p ilen Bytes. It may be \c NULL if 704 * `ilen == 0`. 705 * \param output The output buffer. This must be a writable buffer 706 * of length \c ctx->len Bytes. For example, \c 256 Bytes 707 * for an 2048-bit RSA modulus. 708 * 709 * \return \c 0 on success. 710 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 711 */ 712 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 713 int (*f_rng)(void *, unsigned char *, size_t), 714 void *p_rng, 715 int mode, 716 const unsigned char *label, size_t label_len, 717 size_t ilen, 718 const unsigned char *input, 719 unsigned char *output ); 720 721 /** 722 * \brief This function performs an RSA operation, then removes the 723 * message padding. 724 * 725 * It is the generic wrapper for performing a PKCS#1 decryption 726 * operation using the \p mode from the context. 727 * 728 * \note The output buffer length \c output_max_len should be 729 * as large as the size \p ctx->len of \p ctx->N (for example, 730 * 128 Bytes if RSA-1024 is used) to be able to hold an 731 * arbitrary decrypted message. If it is not large enough to 732 * hold the decryption of the particular ciphertext provided, 733 * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. 734 * 735 * \deprecated It is deprecated and discouraged to call this function 736 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library 737 * are likely to remove the \p mode argument and have it 738 * implicitly set to #MBEDTLS_RSA_PRIVATE. 739 * 740 * \note Alternative implementations of RSA need not support 741 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead 742 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 743 * 744 * \param ctx The initialized RSA context to use. 745 * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE, 746 * this is used for blinding and should be provided; see 747 * mbedtls_rsa_private() for more. If \p mode is 748 * #MBEDTLS_RSA_PUBLIC, it is ignored. 749 * \param p_rng The RNG context to be passed to \p f_rng. This may be 750 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 751 * \param mode The mode of operation. This must be either 752 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 753 * \param olen The address at which to store the length of 754 * the plaintext. This must not be \c NULL. 755 * \param input The ciphertext buffer. This must be a readable buffer 756 * of length \c ctx->len Bytes. For example, \c 256 Bytes 757 * for an 2048-bit RSA modulus. 758 * \param output The buffer used to hold the plaintext. This must 759 * be a writable buffer of length \p output_max_len Bytes. 760 * \param output_max_len The length in Bytes of the output buffer \p output. 761 * 762 * \return \c 0 on success. 763 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 764 */ 765 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 766 int (*f_rng)(void *, unsigned char *, size_t), 767 void *p_rng, 768 int mode, size_t *olen, 769 const unsigned char *input, 770 unsigned char *output, 771 size_t output_max_len ); 772 773 /** 774 * \brief This function performs a PKCS#1 v1.5 decryption 775 * operation (RSAES-PKCS1-v1_5-DECRYPT). 776 * 777 * \note The output buffer length \c output_max_len should be 778 * as large as the size \p ctx->len of \p ctx->N, for example, 779 * 128 Bytes if RSA-1024 is used, to be able to hold an 780 * arbitrary decrypted message. If it is not large enough to 781 * hold the decryption of the particular ciphertext provided, 782 * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. 783 * 784 * \deprecated It is deprecated and discouraged to call this function 785 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library 786 * are likely to remove the \p mode argument and have it 787 * implicitly set to #MBEDTLS_RSA_PRIVATE. 788 * 789 * \note Alternative implementations of RSA need not support 790 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead 791 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 792 * 793 * \param ctx The initialized RSA context to use. 794 * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE, 795 * this is used for blinding and should be provided; see 796 * mbedtls_rsa_private() for more. If \p mode is 797 * #MBEDTLS_RSA_PUBLIC, it is ignored. 798 * \param p_rng The RNG context to be passed to \p f_rng. This may be 799 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 800 * \param mode The mode of operation. This must be either 801 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 802 * \param olen The address at which to store the length of 803 * the plaintext. This must not be \c NULL. 804 * \param input The ciphertext buffer. This must be a readable buffer 805 * of length \c ctx->len Bytes. For example, \c 256 Bytes 806 * for an 2048-bit RSA modulus. 807 * \param output The buffer used to hold the plaintext. This must 808 * be a writable buffer of length \p output_max_len Bytes. 809 * \param output_max_len The length in Bytes of the output buffer \p output. 810 * 811 * \return \c 0 on success. 812 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 813 * 814 */ 815 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 816 int (*f_rng)(void *, unsigned char *, size_t), 817 void *p_rng, 818 int mode, size_t *olen, 819 const unsigned char *input, 820 unsigned char *output, 821 size_t output_max_len ); 822 823 /** 824 * \brief This function performs a PKCS#1 v2.1 OAEP decryption 825 * operation (RSAES-OAEP-DECRYPT). 826 * 827 * \note The output buffer length \c output_max_len should be 828 * as large as the size \p ctx->len of \p ctx->N, for 829 * example, 128 Bytes if RSA-1024 is used, to be able to 830 * hold an arbitrary decrypted message. If it is not 831 * large enough to hold the decryption of the particular 832 * ciphertext provided, the function returns 833 * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. 834 * 835 * \deprecated It is deprecated and discouraged to call this function 836 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library 837 * are likely to remove the \p mode argument and have it 838 * implicitly set to #MBEDTLS_RSA_PRIVATE. 839 * 840 * \note Alternative implementations of RSA need not support 841 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead 842 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 843 * 844 * \param ctx The initialized RSA context to use. 845 * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE, 846 * this is used for blinding and should be provided; see 847 * mbedtls_rsa_private() for more. If \p mode is 848 * #MBEDTLS_RSA_PUBLIC, it is ignored. 849 * \param p_rng The RNG context to be passed to \p f_rng. This may be 850 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 851 * \param mode The mode of operation. This must be either 852 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 853 * \param label The buffer holding the custom label to use. 854 * This must be a readable buffer of length \p label_len 855 * Bytes. It may be \c NULL if \p label_len is \c 0. 856 * \param label_len The length of the label in Bytes. 857 * \param olen The address at which to store the length of 858 * the plaintext. This must not be \c NULL. 859 * \param input The ciphertext buffer. This must be a readable buffer 860 * of length \c ctx->len Bytes. For example, \c 256 Bytes 861 * for an 2048-bit RSA modulus. 862 * \param output The buffer used to hold the plaintext. This must 863 * be a writable buffer of length \p output_max_len Bytes. 864 * \param output_max_len The length in Bytes of the output buffer \p output. 865 * 866 * \return \c 0 on success. 867 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 868 */ 869 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 870 int (*f_rng)(void *, unsigned char *, size_t), 871 void *p_rng, 872 int mode, 873 const unsigned char *label, size_t label_len, 874 size_t *olen, 875 const unsigned char *input, 876 unsigned char *output, 877 size_t output_max_len ); 878 879 /** 880 * \brief This function performs a private RSA operation to sign 881 * a message digest using PKCS#1. 882 * 883 * It is the generic wrapper for performing a PKCS#1 884 * signature using the \p mode from the context. 885 * 886 * \note The \p sig buffer must be as large as the size 887 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. 888 * 889 * \note For PKCS#1 v2.1 encoding, see comments on 890 * mbedtls_rsa_rsassa_pss_sign() for details on 891 * \p md_alg and \p hash_id. 892 * 893 * \deprecated It is deprecated and discouraged to call this function 894 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library 895 * are likely to remove the \p mode argument and have it 896 * implicitly set to #MBEDTLS_RSA_PRIVATE. 897 * 898 * \note Alternative implementations of RSA need not support 899 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead 900 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 901 * 902 * \param ctx The initialized RSA context to use. 903 * \param f_rng The RNG function to use. If the padding mode is PKCS#1 v2.1, 904 * this must be provided. If the padding mode is PKCS#1 v1.5 and 905 * \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding 906 * and should be provided; see mbedtls_rsa_private() for more 907 * more. It is ignored otherwise. 908 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 909 * if \p f_rng is \c NULL or doesn't need a context argument. 910 * \param mode The mode of operation. This must be either 911 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 912 * \param md_alg The message-digest algorithm used to hash the original data. 913 * Use #MBEDTLS_MD_NONE for signing raw data. 914 * \param hashlen The length of the message digest. 915 * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE. 916 * \param hash The buffer holding the message digest or raw data. 917 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 918 * buffer of length \p hashlen Bytes. If \p md_alg is not 919 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 920 * the size of the hash corresponding to \p md_alg. 921 * \param sig The buffer to hold the signature. This must be a writable 922 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 923 * for an 2048-bit RSA modulus. A buffer length of 924 * #MBEDTLS_MPI_MAX_SIZE is always safe. 925 * 926 * \return \c 0 if the signing operation was successful. 927 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 928 */ 929 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 930 int (*f_rng)(void *, unsigned char *, size_t), 931 void *p_rng, 932 int mode, 933 mbedtls_md_type_t md_alg, 934 unsigned int hashlen, 935 const unsigned char *hash, 936 unsigned char *sig ); 937 938 /** 939 * \brief This function performs a PKCS#1 v1.5 signature 940 * operation (RSASSA-PKCS1-v1_5-SIGN). 941 * 942 * \deprecated It is deprecated and discouraged to call this function 943 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library 944 * are likely to remove the \p mode argument and have it 945 * implicitly set to #MBEDTLS_RSA_PRIVATE. 946 * 947 * \note Alternative implementations of RSA need not support 948 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead 949 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 950 * 951 * \param ctx The initialized RSA context to use. 952 * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE, 953 * this is used for blinding and should be provided; see 954 * mbedtls_rsa_private() for more. If \p mode is 955 * #MBEDTLS_RSA_PUBLIC, it is ignored. 956 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 957 * if \p f_rng is \c NULL or doesn't need a context argument. 958 * \param mode The mode of operation. This must be either 959 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 960 * \param md_alg The message-digest algorithm used to hash the original data. 961 * Use #MBEDTLS_MD_NONE for signing raw data. 962 * \param hashlen The length of the message digest. 963 * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE. 964 * \param hash The buffer holding the message digest or raw data. 965 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 966 * buffer of length \p hashlen Bytes. If \p md_alg is not 967 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 968 * the size of the hash corresponding to \p md_alg. 969 * \param sig The buffer to hold the signature. This must be a writable 970 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 971 * for an 2048-bit RSA modulus. A buffer length of 972 * #MBEDTLS_MPI_MAX_SIZE is always safe. 973 * 974 * \return \c 0 if the signing operation was successful. 975 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 976 */ 977 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 978 int (*f_rng)(void *, unsigned char *, size_t), 979 void *p_rng, 980 int mode, 981 mbedtls_md_type_t md_alg, 982 unsigned int hashlen, 983 const unsigned char *hash, 984 unsigned char *sig ); 985 986 /** 987 * \brief This function performs a PKCS#1 v2.1 PSS signature 988 * operation (RSASSA-PSS-SIGN). 989 * 990 * \note The \c hash_id set in \p ctx (when calling 991 * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding() 992 * afterwards) selects the hash used for the 993 * encoding operation and for the mask generation function 994 * (MGF1). For more details on the encoding operation and the 995 * mask generation function, consult <em>RFC-3447: Public-Key 996 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography 997 * Specifications</em>. 998 * 999 * \note This function enforces that the provided salt length complies 1000 * with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 1001 * step 3. The constraint is that the hash length plus the salt 1002 * length plus 2 bytes must be at most the key length. If this 1003 * constraint is not met, this function returns 1004 * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. 1005 * 1006 * \param ctx The initialized RSA context to use. 1007 * \param f_rng The RNG function. It must not be \c NULL. 1008 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 1009 * if \p f_rng doesn't need a context argument. 1010 * \param md_alg The message-digest algorithm used to hash the original data. 1011 * Use #MBEDTLS_MD_NONE for signing raw data. 1012 * \param hashlen The length of the message digest. 1013 * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE. 1014 * \param hash The buffer holding the message digest or raw data. 1015 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 1016 * buffer of length \p hashlen Bytes. If \p md_alg is not 1017 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 1018 * the size of the hash corresponding to \p md_alg. 1019 * \param saltlen The length of the salt that should be used. 1020 * If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use 1021 * the largest possible salt length up to the hash length, 1022 * which is the largest permitted by some standards including 1023 * FIPS 186-4 §5.5. 1024 * \param sig The buffer to hold the signature. This must be a writable 1025 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1026 * for an 2048-bit RSA modulus. A buffer length of 1027 * #MBEDTLS_MPI_MAX_SIZE is always safe. 1028 * 1029 * \return \c 0 if the signing operation was successful. 1030 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1031 */ 1032 int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, 1033 int (*f_rng)(void *, unsigned char *, size_t), 1034 void *p_rng, 1035 mbedtls_md_type_t md_alg, 1036 unsigned int hashlen, 1037 const unsigned char *hash, 1038 int saltlen, 1039 unsigned char *sig ); 1040 1041 /** 1042 * \brief This function performs a PKCS#1 v2.1 PSS signature 1043 * operation (RSASSA-PSS-SIGN). 1044 * 1045 * \note The \c hash_id set in \p ctx (when calling 1046 * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding() 1047 * afterwards) selects the hash used for the 1048 * encoding operation and for the mask generation function 1049 * (MGF1). For more details on the encoding operation and the 1050 * mask generation function, consult <em>RFC-3447: Public-Key 1051 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography 1052 * Specifications</em>. 1053 * 1054 * \note This function always uses the maximum possible salt size, 1055 * up to the length of the payload hash. This choice of salt 1056 * size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 1057 * v2.2) §9.1.1 step 3. Furthermore this function enforces a 1058 * minimum salt size which is the hash size minus 2 bytes. If 1059 * this minimum size is too large given the key size (the salt 1060 * size, plus the hash size, plus 2 bytes must be no more than 1061 * the key size in bytes), this function returns 1062 * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. 1063 * 1064 * \deprecated It is deprecated and discouraged to call this function 1065 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library 1066 * are likely to remove the \p mode argument and have it 1067 * implicitly set to #MBEDTLS_RSA_PRIVATE. 1068 * 1069 * \note Alternative implementations of RSA need not support 1070 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead 1071 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 1072 * 1073 * \param ctx The initialized RSA context to use. 1074 * \param f_rng The RNG function. It must not be \c NULL. 1075 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 1076 * if \p f_rng doesn't need a context argument. 1077 * \param mode The mode of operation. This must be either 1078 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 1079 * \param md_alg The message-digest algorithm used to hash the original data. 1080 * Use #MBEDTLS_MD_NONE for signing raw data. 1081 * \param hashlen The length of the message digest. 1082 * This is only used if \p md_alg is #MBEDTLS_MD_NONE. 1083 * \param hash The buffer holding the message digest or raw data. 1084 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 1085 * buffer of length \p hashlen Bytes. If \p md_alg is not 1086 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 1087 * the size of the hash corresponding to \p md_alg. 1088 * \param sig The buffer to hold the signature. This must be a writable 1089 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1090 * for an 2048-bit RSA modulus. A buffer length of 1091 * #MBEDTLS_MPI_MAX_SIZE is always safe. 1092 * 1093 * \return \c 0 if the signing operation was successful. 1094 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1095 */ 1096 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 1097 int (*f_rng)(void *, unsigned char *, size_t), 1098 void *p_rng, 1099 int mode, 1100 mbedtls_md_type_t md_alg, 1101 unsigned int hashlen, 1102 const unsigned char *hash, 1103 unsigned char *sig ); 1104 1105 /** 1106 * \brief This function performs a public RSA operation and checks 1107 * the message digest. 1108 * 1109 * This is the generic wrapper for performing a PKCS#1 1110 * verification using the mode from the context. 1111 * 1112 * \note For PKCS#1 v2.1 encoding, see comments on 1113 * mbedtls_rsa_rsassa_pss_verify() about \p md_alg and 1114 * \p hash_id. 1115 * 1116 * \deprecated It is deprecated and discouraged to call this function 1117 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library 1118 * are likely to remove the \p mode argument and have it 1119 * set to #MBEDTLS_RSA_PUBLIC. 1120 * 1121 * \note Alternative implementations of RSA need not support 1122 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead 1123 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 1124 * 1125 * \param ctx The initialized RSA public key context to use. 1126 * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, 1127 * this is used for blinding and should be provided; see 1128 * mbedtls_rsa_private() for more. Otherwise, it is ignored. 1129 * \param p_rng The RNG context to be passed to \p f_rng. This may be 1130 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 1131 * \param mode The mode of operation. This must be either 1132 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). 1133 * \param md_alg The message-digest algorithm used to hash the original data. 1134 * Use #MBEDTLS_MD_NONE for signing raw data. 1135 * \param hashlen The length of the message digest. 1136 * This is only used if \p md_alg is #MBEDTLS_MD_NONE. 1137 * \param hash The buffer holding the message digest or raw data. 1138 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 1139 * buffer of length \p hashlen Bytes. If \p md_alg is not 1140 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 1141 * the size of the hash corresponding to \p md_alg. 1142 * \param sig The buffer holding the signature. This must be a readable 1143 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1144 * for an 2048-bit RSA modulus. 1145 * 1146 * \return \c 0 if the verify operation was successful. 1147 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1148 */ 1149 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 1150 int (*f_rng)(void *, unsigned char *, size_t), 1151 void *p_rng, 1152 int mode, 1153 mbedtls_md_type_t md_alg, 1154 unsigned int hashlen, 1155 const unsigned char *hash, 1156 const unsigned char *sig ); 1157 1158 /** 1159 * \brief This function performs a PKCS#1 v1.5 verification 1160 * operation (RSASSA-PKCS1-v1_5-VERIFY). 1161 * 1162 * \deprecated It is deprecated and discouraged to call this function 1163 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library 1164 * are likely to remove the \p mode argument and have it 1165 * set to #MBEDTLS_RSA_PUBLIC. 1166 * 1167 * \note Alternative implementations of RSA need not support 1168 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead 1169 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 1170 * 1171 * \param ctx The initialized RSA public key context to use. 1172 * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, 1173 * this is used for blinding and should be provided; see 1174 * mbedtls_rsa_private() for more. Otherwise, it is ignored. 1175 * \param p_rng The RNG context to be passed to \p f_rng. This may be 1176 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 1177 * \param mode The mode of operation. This must be either 1178 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). 1179 * \param md_alg The message-digest algorithm used to hash the original data. 1180 * Use #MBEDTLS_MD_NONE for signing raw data. 1181 * \param hashlen The length of the message digest. 1182 * This is only used if \p md_alg is #MBEDTLS_MD_NONE. 1183 * \param hash The buffer holding the message digest or raw data. 1184 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 1185 * buffer of length \p hashlen Bytes. If \p md_alg is not 1186 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 1187 * the size of the hash corresponding to \p md_alg. 1188 * \param sig The buffer holding the signature. This must be a readable 1189 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1190 * for an 2048-bit RSA modulus. 1191 * 1192 * \return \c 0 if the verify operation was successful. 1193 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1194 */ 1195 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 1196 int (*f_rng)(void *, unsigned char *, size_t), 1197 void *p_rng, 1198 int mode, 1199 mbedtls_md_type_t md_alg, 1200 unsigned int hashlen, 1201 const unsigned char *hash, 1202 const unsigned char *sig ); 1203 1204 /** 1205 * \brief This function performs a PKCS#1 v2.1 PSS verification 1206 * operation (RSASSA-PSS-VERIFY). 1207 * 1208 * \note The \c hash_id set in \p ctx (when calling 1209 * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding() 1210 * afterwards) selects the hash used for the 1211 * encoding operation and for the mask generation function 1212 * (MGF1). For more details on the encoding operation and the 1213 * mask generation function, consult <em>RFC-3447: Public-Key 1214 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography 1215 * Specifications</em>. If the \c hash_id set in \p ctx is 1216 * #MBEDTLS_MD_NONE, the \p md_alg parameter is used. 1217 * 1218 * \deprecated It is deprecated and discouraged to call this function 1219 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library 1220 * are likely to remove the \p mode argument and have it 1221 * implicitly set to #MBEDTLS_RSA_PUBLIC. 1222 * 1223 * \note Alternative implementations of RSA need not support 1224 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead 1225 * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. 1226 * 1227 * \param ctx The initialized RSA public key context to use. 1228 * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, 1229 * this is used for blinding and should be provided; see 1230 * mbedtls_rsa_private() for more. Otherwise, it is ignored. 1231 * \param p_rng The RNG context to be passed to \p f_rng. This may be 1232 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 1233 * \param mode The mode of operation. This must be either 1234 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). 1235 * \param md_alg The message-digest algorithm used to hash the original data. 1236 * Use #MBEDTLS_MD_NONE for signing raw data. 1237 * \param hashlen The length of the message digest. 1238 * This is only used if \p md_alg is #MBEDTLS_MD_NONE. 1239 * \param hash The buffer holding the message digest or raw data. 1240 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 1241 * buffer of length \p hashlen Bytes. If \p md_alg is not 1242 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 1243 * the size of the hash corresponding to \p md_alg. 1244 * \param sig The buffer holding the signature. This must be a readable 1245 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1246 * for an 2048-bit RSA modulus. 1247 * 1248 * \return \c 0 if the verify operation was successful. 1249 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1250 */ 1251 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 1252 int (*f_rng)(void *, unsigned char *, size_t), 1253 void *p_rng, 1254 int mode, 1255 mbedtls_md_type_t md_alg, 1256 unsigned int hashlen, 1257 const unsigned char *hash, 1258 const unsigned char *sig ); 1259 1260 /** 1261 * \brief This function performs a PKCS#1 v2.1 PSS verification 1262 * operation (RSASSA-PSS-VERIFY). 1263 * 1264 * \note The \p sig buffer must be as large as the size 1265 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. 1266 * 1267 * \note The \c hash_id set in \p ctx (when calling 1268 * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding() 1269 * afterwards) is ignored. 1270 * 1271 * \param ctx The initialized RSA public key context to use. 1272 * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, 1273 * this is used for blinding and should be provided; see 1274 * mbedtls_rsa_private() for more. Otherwise, it is ignored. 1275 * \param p_rng The RNG context to be passed to \p f_rng. This may be 1276 * \c NULL if \p f_rng is \c NULL or doesn't need a context. 1277 * \param mode The mode of operation. This must be either 1278 * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE. 1279 * \param md_alg The message-digest algorithm used to hash the original data. 1280 * Use #MBEDTLS_MD_NONE for signing raw data. 1281 * \param hashlen The length of the message digest. 1282 * This is only used if \p md_alg is #MBEDTLS_MD_NONE. 1283 * \param hash The buffer holding the message digest or raw data. 1284 * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable 1285 * buffer of length \p hashlen Bytes. If \p md_alg is not 1286 * #MBEDTLS_MD_NONE, it must be a readable buffer of length 1287 * the size of the hash corresponding to \p md_alg. 1288 * \param mgf1_hash_id The message digest algorithm used for the 1289 * verification operation and the mask generation 1290 * function (MGF1). For more details on the encoding 1291 * operation and the mask generation function, consult 1292 * <em>RFC-3447: Public-Key Cryptography Standards 1293 * (PKCS) #1 v2.1: RSA Cryptography 1294 * Specifications</em>. 1295 * \param expected_salt_len The length of the salt used in padding. Use 1296 * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. 1297 * \param sig The buffer holding the signature. This must be a readable 1298 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1299 * for an 2048-bit RSA modulus. 1300 * 1301 * \return \c 0 if the verify operation was successful. 1302 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1303 */ 1304 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 1305 int (*f_rng)(void *, unsigned char *, size_t), 1306 void *p_rng, 1307 int mode, 1308 mbedtls_md_type_t md_alg, 1309 unsigned int hashlen, 1310 const unsigned char *hash, 1311 mbedtls_md_type_t mgf1_hash_id, 1312 int expected_salt_len, 1313 const unsigned char *sig ); 1314 1315 /** 1316 * \brief This function copies the components of an RSA context. 1317 * 1318 * \param dst The destination context. This must be initialized. 1319 * \param src The source context. This must be initialized. 1320 * 1321 * \return \c 0 on success. 1322 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. 1323 */ 1324 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ); 1325 1326 /** 1327 * \brief This function frees the components of an RSA key. 1328 * 1329 * \param ctx The RSA context to free. May be \c NULL, in which case 1330 * this function is a no-op. If it is not \c NULL, it must 1331 * point to an initialized RSA context. 1332 */ 1333 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ); 1334 1335 #if defined(MBEDTLS_SELF_TEST) 1336 1337 /** 1338 * \brief The RSA checkup routine. 1339 * 1340 * \return \c 0 on success. 1341 * \return \c 1 on failure. 1342 */ 1343 int mbedtls_rsa_self_test( int verbose ); 1344 1345 #endif /* MBEDTLS_SELF_TEST */ 1346 1347 #ifdef __cplusplus 1348 } 1349 #endif 1350 1351 #endif /* rsa.h */ 1352