1 /** 2 * \file rsa.h 3 * 4 * \brief This file provides an API for the RSA public-key cryptosystem. 5 * 6 * The RSA public-key cryptosystem is defined in <em>Public-Key 7 * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em> 8 * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1: 9 * RSA Cryptography Specifications</em>. 10 * 11 */ 12 /* 13 * Copyright The Mbed TLS Contributors 14 * SPDX-License-Identifier: Apache-2.0 15 * 16 * Licensed under the Apache License, Version 2.0 (the "License"); you may 17 * not use this file except in compliance with the License. 18 * You may obtain a copy of the License at 19 * 20 * http://www.apache.org/licenses/LICENSE-2.0 21 * 22 * Unless required by applicable law or agreed to in writing, software 23 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 24 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 25 * See the License for the specific language governing permissions and 26 * limitations under the License. 27 */ 28 #ifndef MBEDTLS_RSA_H 29 #define MBEDTLS_RSA_H 30 #include "mbedtls/private_access.h" 31 32 #include "mbedtls/build_info.h" 33 34 #include "mbedtls/bignum.h" 35 #include "mbedtls/md.h" 36 37 #if defined(MBEDTLS_THREADING_C) 38 #include "mbedtls/threading.h" 39 #endif 40 41 /* 42 * RSA Error codes 43 */ 44 /** Bad input parameters to function. */ 45 #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 46 /** Input data contains invalid padding and is rejected. */ 47 #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 48 /** Something failed during generation of a key. */ 49 #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 50 /** Key failed to pass the validity check of the library. */ 51 #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 52 /** The public key operation failed. */ 53 #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 54 /** The private key operation failed. */ 55 #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 56 /** The PKCS#1 verification failed. */ 57 #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 58 /** The output buffer for decryption is not large enough. */ 59 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 60 /** The random generator failed to generate non-zeros. */ 61 #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 62 63 /* 64 * RSA constants 65 */ 66 67 #define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */ 68 #define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */ 69 70 #define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */ 71 #define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */ 72 73 #define MBEDTLS_RSA_SALT_LEN_ANY -1 74 75 /* 76 * The above constants may be used even if the RSA module is compile out, 77 * eg for alternative (PKCS#11) RSA implementations in the PK layers. 78 */ 79 80 #ifdef __cplusplus 81 extern "C" { 82 #endif 83 84 #if !defined(MBEDTLS_RSA_ALT) 85 // Regular implementation 86 // 87 88 /** 89 * \brief The RSA context structure. 90 */ 91 typedef struct mbedtls_rsa_context { 92 int MBEDTLS_PRIVATE(ver); /*!< Reserved for internal purposes. 93 * Do not set this field in application 94 * code. Its meaning might change without 95 * notice. */ 96 size_t MBEDTLS_PRIVATE(len); /*!< The size of \p N in Bytes. */ 97 98 mbedtls_mpi MBEDTLS_PRIVATE(N); /*!< The public modulus. */ 99 mbedtls_mpi MBEDTLS_PRIVATE(E); /*!< The public exponent. */ 100 101 mbedtls_mpi MBEDTLS_PRIVATE(D); /*!< The private exponent. */ 102 mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The first prime factor. */ 103 mbedtls_mpi MBEDTLS_PRIVATE(Q); /*!< The second prime factor. */ 104 105 mbedtls_mpi MBEDTLS_PRIVATE(DP); /*!< <code>D % (P - 1)</code>. */ 106 mbedtls_mpi MBEDTLS_PRIVATE(DQ); /*!< <code>D % (Q - 1)</code>. */ 107 mbedtls_mpi MBEDTLS_PRIVATE(QP); /*!< <code>1 / (Q % P)</code>. */ 108 109 mbedtls_mpi MBEDTLS_PRIVATE(RN); /*!< cached <code>R^2 mod N</code>. */ 110 111 mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< cached <code>R^2 mod P</code>. */ 112 mbedtls_mpi MBEDTLS_PRIVATE(RQ); /*!< cached <code>R^2 mod Q</code>. */ 113 114 mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The cached blinding value. */ 115 mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The cached un-blinding value. */ 116 117 int MBEDTLS_PRIVATE(padding); /*!< Selects padding mode: 118 #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and 119 #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */ 120 int MBEDTLS_PRIVATE(hash_id); /*!< Hash identifier of mbedtls_md_type_t type, 121 as specified in md.h for use in the MGF 122 mask generating function used in the 123 EME-OAEP and EMSA-PSS encodings. */ 124 #if defined(MBEDTLS_THREADING_C) 125 /* Invariant: the mutex is initialized iff ver != 0. */ 126 mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< Thread-safety mutex. */ 127 #endif 128 } 129 mbedtls_rsa_context; 130 131 #else /* MBEDTLS_RSA_ALT */ 132 #include "rsa_alt.h" 133 #endif /* MBEDTLS_RSA_ALT */ 134 135 /** 136 * \brief This function initializes an RSA context. 137 * 138 * \note This function initializes the padding and the hash 139 * identifier to respectively #MBEDTLS_RSA_PKCS_V15 and 140 * #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more 141 * information about those parameters. 142 * 143 * \param ctx The RSA context to initialize. This must not be \c NULL. 144 */ 145 void mbedtls_rsa_init(mbedtls_rsa_context *ctx); 146 147 /** 148 * \brief This function sets padding for an already initialized RSA 149 * context. 150 * 151 * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP 152 * encryption scheme and the RSASSA-PSS signature scheme. 153 * 154 * \note The \p hash_id parameter is ignored when using 155 * #MBEDTLS_RSA_PKCS_V15 padding. 156 * 157 * \note The choice of padding mode is strictly enforced for private 158 * key operations, since there might be security concerns in 159 * mixing padding modes. For public key operations it is 160 * a default value, which can be overridden by calling specific 161 * \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx 162 * functions. 163 * 164 * \note The hash selected in \p hash_id is always used for OEAP 165 * encryption. For PSS signatures, it is always used for 166 * making signatures, but can be overridden for verifying them. 167 * If set to #MBEDTLS_MD_NONE, it is always overridden. 168 * 169 * \param ctx The initialized RSA context to be configured. 170 * \param padding The padding mode to use. This must be either 171 * #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21. 172 * \param hash_id The hash identifier for PSS or OAEP, if \p padding is 173 * #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this 174 * function but may be not suitable for some operations. 175 * Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15. 176 * 177 * \return \c 0 on success. 178 * \return #MBEDTLS_ERR_RSA_INVALID_PADDING failure: 179 * \p padding or \p hash_id is invalid. 180 */ 181 int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding, 182 mbedtls_md_type_t hash_id); 183 184 /** 185 * \brief This function retrieves padding mode of initialized 186 * RSA context. 187 * 188 * \param ctx The initialized RSA context. 189 * 190 * \return RSA padding mode. 191 * 192 */ 193 int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx); 194 195 /** 196 * \brief This function retrieves hash identifier of mbedtls_md_type_t 197 * type. 198 * 199 * \param ctx The initialized RSA context. 200 * 201 * \return Hash identifier of mbedtls_md_type_t type. 202 * 203 */ 204 int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx); 205 206 /** 207 * \brief This function imports a set of core parameters into an 208 * RSA context. 209 * 210 * \note This function can be called multiple times for successive 211 * imports, if the parameters are not simultaneously present. 212 * 213 * Any sequence of calls to this function should be followed 214 * by a call to mbedtls_rsa_complete(), which checks and 215 * completes the provided information to a ready-for-use 216 * public or private RSA key. 217 * 218 * \note See mbedtls_rsa_complete() for more information on which 219 * parameters are necessary to set up a private or public 220 * RSA key. 221 * 222 * \note The imported parameters are copied and need not be preserved 223 * for the lifetime of the RSA context being set up. 224 * 225 * \param ctx The initialized RSA context to store the parameters in. 226 * \param N The RSA modulus. This may be \c NULL. 227 * \param P The first prime factor of \p N. This may be \c NULL. 228 * \param Q The second prime factor of \p N. This may be \c NULL. 229 * \param D The private exponent. This may be \c NULL. 230 * \param E The public exponent. This may be \c NULL. 231 * 232 * \return \c 0 on success. 233 * \return A non-zero error code on failure. 234 */ 235 int mbedtls_rsa_import(mbedtls_rsa_context *ctx, 236 const mbedtls_mpi *N, 237 const mbedtls_mpi *P, const mbedtls_mpi *Q, 238 const mbedtls_mpi *D, const mbedtls_mpi *E); 239 240 /** 241 * \brief This function imports core RSA parameters, in raw big-endian 242 * binary format, into an RSA context. 243 * 244 * \note This function can be called multiple times for successive 245 * imports, if the parameters are not simultaneously present. 246 * 247 * Any sequence of calls to this function should be followed 248 * by a call to mbedtls_rsa_complete(), which checks and 249 * completes the provided information to a ready-for-use 250 * public or private RSA key. 251 * 252 * \note See mbedtls_rsa_complete() for more information on which 253 * parameters are necessary to set up a private or public 254 * RSA key. 255 * 256 * \note The imported parameters are copied and need not be preserved 257 * for the lifetime of the RSA context being set up. 258 * 259 * \param ctx The initialized RSA context to store the parameters in. 260 * \param N The RSA modulus. This may be \c NULL. 261 * \param N_len The Byte length of \p N; it is ignored if \p N == NULL. 262 * \param P The first prime factor of \p N. This may be \c NULL. 263 * \param P_len The Byte length of \p P; it is ignored if \p P == NULL. 264 * \param Q The second prime factor of \p N. This may be \c NULL. 265 * \param Q_len The Byte length of \p Q; it is ignored if \p Q == NULL. 266 * \param D The private exponent. This may be \c NULL. 267 * \param D_len The Byte length of \p D; it is ignored if \p D == NULL. 268 * \param E The public exponent. This may be \c NULL. 269 * \param E_len The Byte length of \p E; it is ignored if \p E == NULL. 270 * 271 * \return \c 0 on success. 272 * \return A non-zero error code on failure. 273 */ 274 int mbedtls_rsa_import_raw(mbedtls_rsa_context *ctx, 275 unsigned char const *N, size_t N_len, 276 unsigned char const *P, size_t P_len, 277 unsigned char const *Q, size_t Q_len, 278 unsigned char const *D, size_t D_len, 279 unsigned char const *E, size_t E_len); 280 281 /** 282 * \brief This function completes an RSA context from 283 * a set of imported core parameters. 284 * 285 * To setup an RSA public key, precisely \p N and \p E 286 * must have been imported. 287 * 288 * To setup an RSA private key, sufficient information must 289 * be present for the other parameters to be derivable. 290 * 291 * The default implementation supports the following: 292 * <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li> 293 * <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul> 294 * Alternative implementations need not support these. 295 * 296 * If this function runs successfully, it guarantees that 297 * the RSA context can be used for RSA operations without 298 * the risk of failure or crash. 299 * 300 * \warning This function need not perform consistency checks 301 * for the imported parameters. In particular, parameters that 302 * are not needed by the implementation might be silently 303 * discarded and left unchecked. To check the consistency 304 * of the key material, see mbedtls_rsa_check_privkey(). 305 * 306 * \param ctx The initialized RSA context holding imported parameters. 307 * 308 * \return \c 0 on success. 309 * \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations 310 * failed. 311 * 312 */ 313 int mbedtls_rsa_complete(mbedtls_rsa_context *ctx); 314 315 /** 316 * \brief This function exports the core parameters of an RSA key. 317 * 318 * If this function runs successfully, the non-NULL buffers 319 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully 320 * written, with additional unused space filled leading by 321 * zero Bytes. 322 * 323 * Possible reasons for returning 324 * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul> 325 * <li>An alternative RSA implementation is in use, which 326 * stores the key externally, and either cannot or should 327 * not export it into RAM.</li> 328 * <li>A SW or HW implementation might not support a certain 329 * deduction. For example, \p P, \p Q from \p N, \p D, 330 * and \p E if the former are not part of the 331 * implementation.</li></ul> 332 * 333 * If the function fails due to an unsupported operation, 334 * the RSA context stays intact and remains usable. 335 * 336 * \param ctx The initialized RSA context. 337 * \param N The MPI to hold the RSA modulus. 338 * This may be \c NULL if this field need not be exported. 339 * \param P The MPI to hold the first prime factor of \p N. 340 * This may be \c NULL if this field need not be exported. 341 * \param Q The MPI to hold the second prime factor of \p N. 342 * This may be \c NULL if this field need not be exported. 343 * \param D The MPI to hold the private exponent. 344 * This may be \c NULL if this field need not be exported. 345 * \param E The MPI to hold the public exponent. 346 * This may be \c NULL if this field need not be exported. 347 * 348 * \return \c 0 on success. 349 * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the 350 * requested parameters cannot be done due to missing 351 * functionality or because of security policies. 352 * \return A non-zero return code on any other failure. 353 * 354 */ 355 int mbedtls_rsa_export(const mbedtls_rsa_context *ctx, 356 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q, 357 mbedtls_mpi *D, mbedtls_mpi *E); 358 359 /** 360 * \brief This function exports core parameters of an RSA key 361 * in raw big-endian binary format. 362 * 363 * If this function runs successfully, the non-NULL buffers 364 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully 365 * written, with additional unused space filled leading by 366 * zero Bytes. 367 * 368 * Possible reasons for returning 369 * #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul> 370 * <li>An alternative RSA implementation is in use, which 371 * stores the key externally, and either cannot or should 372 * not export it into RAM.</li> 373 * <li>A SW or HW implementation might not support a certain 374 * deduction. For example, \p P, \p Q from \p N, \p D, 375 * and \p E if the former are not part of the 376 * implementation.</li></ul> 377 * If the function fails due to an unsupported operation, 378 * the RSA context stays intact and remains usable. 379 * 380 * \note The length parameters are ignored if the corresponding 381 * buffer pointers are NULL. 382 * 383 * \param ctx The initialized RSA context. 384 * \param N The Byte array to store the RSA modulus, 385 * or \c NULL if this field need not be exported. 386 * \param N_len The size of the buffer for the modulus. 387 * \param P The Byte array to hold the first prime factor of \p N, 388 * or \c NULL if this field need not be exported. 389 * \param P_len The size of the buffer for the first prime factor. 390 * \param Q The Byte array to hold the second prime factor of \p N, 391 * or \c NULL if this field need not be exported. 392 * \param Q_len The size of the buffer for the second prime factor. 393 * \param D The Byte array to hold the private exponent, 394 * or \c NULL if this field need not be exported. 395 * \param D_len The size of the buffer for the private exponent. 396 * \param E The Byte array to hold the public exponent, 397 * or \c NULL if this field need not be exported. 398 * \param E_len The size of the buffer for the public exponent. 399 * 400 * \return \c 0 on success. 401 * \return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the 402 * requested parameters cannot be done due to missing 403 * functionality or because of security policies. 404 * \return A non-zero return code on any other failure. 405 */ 406 int mbedtls_rsa_export_raw(const mbedtls_rsa_context *ctx, 407 unsigned char *N, size_t N_len, 408 unsigned char *P, size_t P_len, 409 unsigned char *Q, size_t Q_len, 410 unsigned char *D, size_t D_len, 411 unsigned char *E, size_t E_len); 412 413 /** 414 * \brief This function exports CRT parameters of a private RSA key. 415 * 416 * \note Alternative RSA implementations not using CRT-parameters 417 * internally can implement this function based on 418 * mbedtls_rsa_deduce_opt(). 419 * 420 * \param ctx The initialized RSA context. 421 * \param DP The MPI to hold \c D modulo `P-1`, 422 * or \c NULL if it need not be exported. 423 * \param DQ The MPI to hold \c D modulo `Q-1`, 424 * or \c NULL if it need not be exported. 425 * \param QP The MPI to hold modular inverse of \c Q modulo \c P, 426 * or \c NULL if it need not be exported. 427 * 428 * \return \c 0 on success. 429 * \return A non-zero error code on failure. 430 * 431 */ 432 int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx, 433 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP); 434 435 /** 436 * \brief This function retrieves the length of RSA modulus in Bytes. 437 * 438 * \param ctx The initialized RSA context. 439 * 440 * \return The length of the RSA modulus in Bytes. 441 * 442 */ 443 size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx); 444 445 /** 446 * \brief This function generates an RSA keypair. 447 * 448 * \note mbedtls_rsa_init() must be called before this function, 449 * to set up the RSA context. 450 * 451 * \param ctx The initialized RSA context used to hold the key. 452 * \param f_rng The RNG function to be used for key generation. 453 * This is mandatory and must not be \c NULL. 454 * \param p_rng The RNG context to be passed to \p f_rng. 455 * This may be \c NULL if \p f_rng doesn't need a context. 456 * \param nbits The size of the public key in bits. 457 * \param exponent The public exponent to use. For example, \c 65537. 458 * This must be odd and greater than \c 1. 459 * 460 * \return \c 0 on success. 461 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 462 */ 463 int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx, 464 int (*f_rng)(void *, unsigned char *, size_t), 465 void *p_rng, 466 unsigned int nbits, int exponent); 467 468 /** 469 * \brief This function checks if a context contains at least an RSA 470 * public key. 471 * 472 * If the function runs successfully, it is guaranteed that 473 * enough information is present to perform an RSA public key 474 * operation using mbedtls_rsa_public(). 475 * 476 * \param ctx The initialized RSA context to check. 477 * 478 * \return \c 0 on success. 479 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 480 * 481 */ 482 int mbedtls_rsa_check_pubkey(const mbedtls_rsa_context *ctx); 483 484 /** 485 * \brief This function checks if a context contains an RSA private key 486 * and perform basic consistency checks. 487 * 488 * \note The consistency checks performed by this function not only 489 * ensure that mbedtls_rsa_private() can be called successfully 490 * on the given context, but that the various parameters are 491 * mutually consistent with high probability, in the sense that 492 * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. 493 * 494 * \warning This function should catch accidental misconfigurations 495 * like swapping of parameters, but it cannot establish full 496 * trust in neither the quality nor the consistency of the key 497 * material that was used to setup the given RSA context: 498 * <ul><li>Consistency: Imported parameters that are irrelevant 499 * for the implementation might be silently dropped. If dropped, 500 * the current function does not have access to them, 501 * and therefore cannot check them. See mbedtls_rsa_complete(). 502 * If you want to check the consistency of the entire 503 * content of a PKCS1-encoded RSA private key, for example, you 504 * should use mbedtls_rsa_validate_params() before setting 505 * up the RSA context. 506 * Additionally, if the implementation performs empirical checks, 507 * these checks substantiate but do not guarantee consistency.</li> 508 * <li>Quality: This function is not expected to perform 509 * extended quality assessments like checking that the prime 510 * factors are safe. Additionally, it is the responsibility of the 511 * user to ensure the trustworthiness of the source of his RSA 512 * parameters, which goes beyond what is effectively checkable 513 * by the library.</li></ul> 514 * 515 * \param ctx The initialized RSA context to check. 516 * 517 * \return \c 0 on success. 518 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 519 */ 520 int mbedtls_rsa_check_privkey(const mbedtls_rsa_context *ctx); 521 522 /** 523 * \brief This function checks a public-private RSA key pair. 524 * 525 * It checks each of the contexts, and makes sure they match. 526 * 527 * \param pub The initialized RSA context holding the public key. 528 * \param prv The initialized RSA context holding the private key. 529 * 530 * \return \c 0 on success. 531 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 532 */ 533 int mbedtls_rsa_check_pub_priv(const mbedtls_rsa_context *pub, 534 const mbedtls_rsa_context *prv); 535 536 /** 537 * \brief This function performs an RSA public key operation. 538 * 539 * \param ctx The initialized RSA context to use. 540 * \param input The input buffer. This must be a readable buffer 541 * of length \c ctx->len Bytes. For example, \c 256 Bytes 542 * for an 2048-bit RSA modulus. 543 * \param output The output buffer. This must be a writable buffer 544 * of length \c ctx->len Bytes. For example, \c 256 Bytes 545 * for an 2048-bit RSA modulus. 546 * 547 * \note This function does not handle message padding. 548 * 549 * \note Make sure to set \p input[0] = 0 or ensure that 550 * input is smaller than \p N. 551 * 552 * \return \c 0 on success. 553 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 554 */ 555 int mbedtls_rsa_public(mbedtls_rsa_context *ctx, 556 const unsigned char *input, 557 unsigned char *output); 558 559 /** 560 * \brief This function performs an RSA private key operation. 561 * 562 * \note Blinding is used if and only if a PRNG is provided. 563 * 564 * \note If blinding is used, both the base of exponentiation 565 * and the exponent are blinded, providing protection 566 * against some side-channel attacks. 567 * 568 * \warning It is deprecated and a security risk to not provide 569 * a PRNG here and thereby prevent the use of blinding. 570 * Future versions of the library may enforce the presence 571 * of a PRNG. 572 * 573 * \param ctx The initialized RSA context to use. 574 * \param f_rng The RNG function, used for blinding. It is mandatory. 575 * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL 576 * if \p f_rng doesn't need a context. 577 * \param input The input buffer. This must be a readable buffer 578 * of length \c ctx->len Bytes. For example, \c 256 Bytes 579 * for an 2048-bit RSA modulus. 580 * \param output The output buffer. This must be a writable buffer 581 * of length \c ctx->len Bytes. For example, \c 256 Bytes 582 * for an 2048-bit RSA modulus. 583 * 584 * \return \c 0 on success. 585 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 586 * 587 */ 588 int mbedtls_rsa_private(mbedtls_rsa_context *ctx, 589 int (*f_rng)(void *, unsigned char *, size_t), 590 void *p_rng, 591 const unsigned char *input, 592 unsigned char *output); 593 594 /** 595 * \brief This function adds the message padding, then performs an RSA 596 * operation. 597 * 598 * It is the generic wrapper for performing a PKCS#1 encryption 599 * operation. 600 * 601 * \param ctx The initialized RSA context to use. 602 * \param f_rng The RNG to use. It is used for padding generation 603 * and it is mandatory. 604 * \param p_rng The RNG context to be passed to \p f_rng. May be 605 * \c NULL if \p f_rng doesn't need a context argument. 606 * \param ilen The length of the plaintext in Bytes. 607 * \param input The input data to encrypt. This must be a readable 608 * buffer of size \p ilen Bytes. It may be \c NULL if 609 * `ilen == 0`. 610 * \param output The output buffer. This must be a writable buffer 611 * of length \c ctx->len Bytes. For example, \c 256 Bytes 612 * for an 2048-bit RSA modulus. 613 * 614 * \return \c 0 on success. 615 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 616 */ 617 int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx, 618 int (*f_rng)(void *, unsigned char *, size_t), 619 void *p_rng, 620 size_t ilen, 621 const unsigned char *input, 622 unsigned char *output); 623 624 /** 625 * \brief This function performs a PKCS#1 v1.5 encryption operation 626 * (RSAES-PKCS1-v1_5-ENCRYPT). 627 * 628 * \param ctx The initialized RSA context to use. 629 * \param f_rng The RNG function to use. It is mandatory and used for 630 * padding generation. 631 * \param p_rng The RNG context to be passed to \p f_rng. This may 632 * be \c NULL if \p f_rng doesn't need a context argument. 633 * \param ilen The length of the plaintext in Bytes. 634 * \param input The input data to encrypt. This must be a readable 635 * buffer of size \p ilen Bytes. It may be \c NULL if 636 * `ilen == 0`. 637 * \param output The output buffer. This must be a writable buffer 638 * of length \c ctx->len Bytes. For example, \c 256 Bytes 639 * for an 2048-bit RSA modulus. 640 * 641 * \return \c 0 on success. 642 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 643 */ 644 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx, 645 int (*f_rng)(void *, unsigned char *, size_t), 646 void *p_rng, 647 size_t ilen, 648 const unsigned char *input, 649 unsigned char *output); 650 651 /** 652 * \brief This function performs a PKCS#1 v2.1 OAEP encryption 653 * operation (RSAES-OAEP-ENCRYPT). 654 * 655 * \note The output buffer must be as large as the size 656 * of ctx->N. For example, 128 Bytes if RSA-1024 is used. 657 * 658 * \param ctx The initialized RSA context to use. 659 * \param f_rng The RNG function to use. This is needed for padding 660 * generation and is mandatory. 661 * \param p_rng The RNG context to be passed to \p f_rng. This may 662 * be \c NULL if \p f_rng doesn't need a context argument. 663 * \param label The buffer holding the custom label to use. 664 * This must be a readable buffer of length \p label_len 665 * Bytes. It may be \c NULL if \p label_len is \c 0. 666 * \param label_len The length of the label in Bytes. 667 * \param ilen The length of the plaintext buffer \p input in Bytes. 668 * \param input The input data to encrypt. This must be a readable 669 * buffer of size \p ilen Bytes. It may be \c NULL if 670 * `ilen == 0`. 671 * \param output The output buffer. This must be a writable buffer 672 * of length \c ctx->len Bytes. For example, \c 256 Bytes 673 * for an 2048-bit RSA modulus. 674 * 675 * \return \c 0 on success. 676 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 677 */ 678 int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx, 679 int (*f_rng)(void *, unsigned char *, size_t), 680 void *p_rng, 681 const unsigned char *label, size_t label_len, 682 size_t ilen, 683 const unsigned char *input, 684 unsigned char *output); 685 686 /** 687 * \brief This function performs an RSA operation, then removes the 688 * message padding. 689 * 690 * It is the generic wrapper for performing a PKCS#1 decryption 691 * operation. 692 * 693 * \note The output buffer length \c output_max_len should be 694 * as large as the size \p ctx->len of \p ctx->N (for example, 695 * 128 Bytes if RSA-1024 is used) to be able to hold an 696 * arbitrary decrypted message. If it is not large enough to 697 * hold the decryption of the particular ciphertext provided, 698 * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. 699 * 700 * \param ctx The initialized RSA context to use. 701 * \param f_rng The RNG function. This is used for blinding and is 702 * mandatory; see mbedtls_rsa_private() for more. 703 * \param p_rng The RNG context to be passed to \p f_rng. This may be 704 * \c NULL if \p f_rng doesn't need a context. 705 * \param olen The address at which to store the length of 706 * the plaintext. This must not be \c NULL. 707 * \param input The ciphertext buffer. This must be a readable buffer 708 * of length \c ctx->len Bytes. For example, \c 256 Bytes 709 * for an 2048-bit RSA modulus. 710 * \param output The buffer used to hold the plaintext. This must 711 * be a writable buffer of length \p output_max_len Bytes. 712 * \param output_max_len The length in Bytes of the output buffer \p output. 713 * 714 * \return \c 0 on success. 715 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 716 */ 717 int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx, 718 int (*f_rng)(void *, unsigned char *, size_t), 719 void *p_rng, 720 size_t *olen, 721 const unsigned char *input, 722 unsigned char *output, 723 size_t output_max_len); 724 725 /** 726 * \brief This function performs a PKCS#1 v1.5 decryption 727 * operation (RSAES-PKCS1-v1_5-DECRYPT). 728 * 729 * \note The output buffer length \c output_max_len should be 730 * as large as the size \p ctx->len of \p ctx->N, for example, 731 * 128 Bytes if RSA-1024 is used, to be able to hold an 732 * arbitrary decrypted message. If it is not large enough to 733 * hold the decryption of the particular ciphertext provided, 734 * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. 735 * 736 * \param ctx The initialized RSA context to use. 737 * \param f_rng The RNG function. This is used for blinding and is 738 * mandatory; see mbedtls_rsa_private() for more. 739 * \param p_rng The RNG context to be passed to \p f_rng. This may be 740 * \c NULL if \p f_rng doesn't need a context. 741 * \param olen The address at which to store the length of 742 * the plaintext. This must not be \c NULL. 743 * \param input The ciphertext buffer. This must be a readable buffer 744 * of length \c ctx->len Bytes. For example, \c 256 Bytes 745 * for an 2048-bit RSA modulus. 746 * \param output The buffer used to hold the plaintext. This must 747 * be a writable buffer of length \p output_max_len Bytes. 748 * \param output_max_len The length in Bytes of the output buffer \p output. 749 * 750 * \return \c 0 on success. 751 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 752 * 753 */ 754 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx, 755 int (*f_rng)(void *, unsigned char *, size_t), 756 void *p_rng, 757 size_t *olen, 758 const unsigned char *input, 759 unsigned char *output, 760 size_t output_max_len); 761 762 /** 763 * \brief This function performs a PKCS#1 v2.1 OAEP decryption 764 * operation (RSAES-OAEP-DECRYPT). 765 * 766 * \note The output buffer length \c output_max_len should be 767 * as large as the size \p ctx->len of \p ctx->N, for 768 * example, 128 Bytes if RSA-1024 is used, to be able to 769 * hold an arbitrary decrypted message. If it is not 770 * large enough to hold the decryption of the particular 771 * ciphertext provided, the function returns 772 * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. 773 * 774 * \param ctx The initialized RSA context to use. 775 * \param f_rng The RNG function. This is used for blinding and is 776 * mandatory. 777 * \param p_rng The RNG context to be passed to \p f_rng. This may be 778 * \c NULL if \p f_rng doesn't need a context. 779 * \param label The buffer holding the custom label to use. 780 * This must be a readable buffer of length \p label_len 781 * Bytes. It may be \c NULL if \p label_len is \c 0. 782 * \param label_len The length of the label in Bytes. 783 * \param olen The address at which to store the length of 784 * the plaintext. This must not be \c NULL. 785 * \param input The ciphertext buffer. This must be a readable buffer 786 * of length \c ctx->len Bytes. For example, \c 256 Bytes 787 * for an 2048-bit RSA modulus. 788 * \param output The buffer used to hold the plaintext. This must 789 * be a writable buffer of length \p output_max_len Bytes. 790 * \param output_max_len The length in Bytes of the output buffer \p output. 791 * 792 * \return \c 0 on success. 793 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 794 */ 795 int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx, 796 int (*f_rng)(void *, unsigned char *, size_t), 797 void *p_rng, 798 const unsigned char *label, size_t label_len, 799 size_t *olen, 800 const unsigned char *input, 801 unsigned char *output, 802 size_t output_max_len); 803 804 /** 805 * \brief This function performs a private RSA operation to sign 806 * a message digest using PKCS#1. 807 * 808 * It is the generic wrapper for performing a PKCS#1 809 * signature. 810 * 811 * \note The \p sig buffer must be as large as the size 812 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. 813 * 814 * \note For PKCS#1 v2.1 encoding, see comments on 815 * mbedtls_rsa_rsassa_pss_sign() for details on 816 * \p md_alg and \p hash_id. 817 * 818 * \param ctx The initialized RSA context to use. 819 * \param f_rng The RNG function to use. This is mandatory and 820 * must not be \c NULL. 821 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 822 * if \p f_rng doesn't need a context argument. 823 * \param md_alg The message-digest algorithm used to hash the original data. 824 * Use #MBEDTLS_MD_NONE for signing raw data. 825 * \param hashlen The length of the message digest or raw data in Bytes. 826 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 827 * output length of the corresponding hash algorithm. 828 * \param hash The buffer holding the message digest or raw data. 829 * This must be a readable buffer of at least \p hashlen Bytes. 830 * \param sig The buffer to hold the signature. This must be a writable 831 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 832 * for an 2048-bit RSA modulus. A buffer length of 833 * #MBEDTLS_MPI_MAX_SIZE is always safe. 834 * 835 * \return \c 0 if the signing operation was successful. 836 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 837 */ 838 int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx, 839 int (*f_rng)(void *, unsigned char *, size_t), 840 void *p_rng, 841 mbedtls_md_type_t md_alg, 842 unsigned int hashlen, 843 const unsigned char *hash, 844 unsigned char *sig); 845 846 /** 847 * \brief This function performs a PKCS#1 v1.5 signature 848 * operation (RSASSA-PKCS1-v1_5-SIGN). 849 * 850 * \param ctx The initialized RSA context to use. 851 * \param f_rng The RNG function. This is used for blinding and is 852 * mandatory; see mbedtls_rsa_private() for more. 853 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 854 * if \p f_rng doesn't need a context argument. 855 * \param md_alg The message-digest algorithm used to hash the original data. 856 * Use #MBEDTLS_MD_NONE for signing raw data. 857 * \param hashlen The length of the message digest or raw data in Bytes. 858 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 859 * output length of the corresponding hash algorithm. 860 * \param hash The buffer holding the message digest or raw data. 861 * This must be a readable buffer of at least \p hashlen Bytes. 862 * \param sig The buffer to hold the signature. This must be a writable 863 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 864 * for an 2048-bit RSA modulus. A buffer length of 865 * #MBEDTLS_MPI_MAX_SIZE is always safe. 866 * 867 * \return \c 0 if the signing operation was successful. 868 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 869 */ 870 int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx, 871 int (*f_rng)(void *, unsigned char *, size_t), 872 void *p_rng, 873 mbedtls_md_type_t md_alg, 874 unsigned int hashlen, 875 const unsigned char *hash, 876 unsigned char *sig); 877 878 /** 879 * \brief This function performs a PKCS#1 v2.1 PSS signature 880 * operation (RSASSA-PSS-SIGN). 881 * 882 * \note The \c hash_id set in \p ctx by calling 883 * mbedtls_rsa_set_padding() selects the hash used for the 884 * encoding operation and for the mask generation function 885 * (MGF1). For more details on the encoding operation and the 886 * mask generation function, consult <em>RFC-3447: Public-Key 887 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography 888 * Specifications</em>. 889 * 890 * \note This function enforces that the provided salt length complies 891 * with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1 892 * step 3. The constraint is that the hash length plus the salt 893 * length plus 2 bytes must be at most the key length. If this 894 * constraint is not met, this function returns 895 * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. 896 * 897 * \param ctx The initialized RSA context to use. 898 * \param f_rng The RNG function. It is mandatory and must not be \c NULL. 899 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 900 * if \p f_rng doesn't need a context argument. 901 * \param md_alg The message-digest algorithm used to hash the original data. 902 * Use #MBEDTLS_MD_NONE for signing raw data. 903 * \param hashlen The length of the message digest or raw data in Bytes. 904 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 905 * output length of the corresponding hash algorithm. 906 * \param hash The buffer holding the message digest or raw data. 907 * This must be a readable buffer of at least \p hashlen Bytes. 908 * \param saltlen The length of the salt that should be used. 909 * If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use 910 * the largest possible salt length up to the hash length, 911 * which is the largest permitted by some standards including 912 * FIPS 186-4 §5.5. 913 * \param sig The buffer to hold the signature. This must be a writable 914 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 915 * for an 2048-bit RSA modulus. A buffer length of 916 * #MBEDTLS_MPI_MAX_SIZE is always safe. 917 * 918 * \return \c 0 if the signing operation was successful. 919 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 920 */ 921 int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx, 922 int (*f_rng)(void *, unsigned char *, size_t), 923 void *p_rng, 924 mbedtls_md_type_t md_alg, 925 unsigned int hashlen, 926 const unsigned char *hash, 927 int saltlen, 928 unsigned char *sig); 929 930 /** 931 * \brief This function performs a PKCS#1 v2.1 PSS signature 932 * operation (RSASSA-PSS-SIGN). 933 * 934 * \note The \c hash_id set in \p ctx by calling 935 * mbedtls_rsa_set_padding() selects the hash used for the 936 * encoding operation and for the mask generation function 937 * (MGF1). For more details on the encoding operation and the 938 * mask generation function, consult <em>RFC-3447: Public-Key 939 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography 940 * Specifications</em>. 941 * 942 * \note This function always uses the maximum possible salt size, 943 * up to the length of the payload hash. This choice of salt 944 * size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 945 * v2.2) §9.1.1 step 3. Furthermore this function enforces a 946 * minimum salt size which is the hash size minus 2 bytes. If 947 * this minimum size is too large given the key size (the salt 948 * size, plus the hash size, plus 2 bytes must be no more than 949 * the key size in bytes), this function returns 950 * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. 951 * 952 * \param ctx The initialized RSA context to use. 953 * \param f_rng The RNG function. It is mandatory and must not be \c NULL. 954 * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL 955 * if \p f_rng doesn't need a context argument. 956 * \param md_alg The message-digest algorithm used to hash the original data. 957 * Use #MBEDTLS_MD_NONE for signing raw data. 958 * \param hashlen The length of the message digest or raw data in Bytes. 959 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 960 * output length of the corresponding hash algorithm. 961 * \param hash The buffer holding the message digest or raw data. 962 * This must be a readable buffer of at least \p hashlen Bytes. 963 * \param sig The buffer to hold the signature. This must be a writable 964 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 965 * for an 2048-bit RSA modulus. A buffer length of 966 * #MBEDTLS_MPI_MAX_SIZE is always safe. 967 * 968 * \return \c 0 if the signing operation was successful. 969 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 970 */ 971 int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx, 972 int (*f_rng)(void *, unsigned char *, size_t), 973 void *p_rng, 974 mbedtls_md_type_t md_alg, 975 unsigned int hashlen, 976 const unsigned char *hash, 977 unsigned char *sig); 978 979 /** 980 * \brief This function performs a public RSA operation and checks 981 * the message digest. 982 * 983 * This is the generic wrapper for performing a PKCS#1 984 * verification. 985 * 986 * \note For PKCS#1 v2.1 encoding, see comments on 987 * mbedtls_rsa_rsassa_pss_verify() about \p md_alg and 988 * \p hash_id. 989 * 990 * \param ctx The initialized RSA public key context to use. 991 * \param md_alg The message-digest algorithm used to hash the original data. 992 * Use #MBEDTLS_MD_NONE for signing raw data. 993 * \param hashlen The length of the message digest or raw data in Bytes. 994 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 995 * output length of the corresponding hash algorithm. 996 * \param hash The buffer holding the message digest or raw data. 997 * This must be a readable buffer of at least \p hashlen Bytes. 998 * \param sig The buffer holding the signature. This must be a readable 999 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1000 * for an 2048-bit RSA modulus. 1001 * 1002 * \return \c 0 if the verify operation was successful. 1003 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1004 */ 1005 int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx, 1006 mbedtls_md_type_t md_alg, 1007 unsigned int hashlen, 1008 const unsigned char *hash, 1009 const unsigned char *sig); 1010 1011 /** 1012 * \brief This function performs a PKCS#1 v1.5 verification 1013 * operation (RSASSA-PKCS1-v1_5-VERIFY). 1014 * 1015 * \param ctx The initialized RSA public key context to use. 1016 * \param md_alg The message-digest algorithm used to hash the original data. 1017 * Use #MBEDTLS_MD_NONE for signing raw data. 1018 * \param hashlen The length of the message digest or raw data in Bytes. 1019 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 1020 * output length of the corresponding hash algorithm. 1021 * \param hash The buffer holding the message digest or raw data. 1022 * This must be a readable buffer of at least \p hashlen Bytes. 1023 * \param sig The buffer holding the signature. This must be a readable 1024 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1025 * for an 2048-bit RSA modulus. 1026 * 1027 * \return \c 0 if the verify operation was successful. 1028 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1029 */ 1030 int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx, 1031 mbedtls_md_type_t md_alg, 1032 unsigned int hashlen, 1033 const unsigned char *hash, 1034 const unsigned char *sig); 1035 1036 /** 1037 * \brief This function performs a PKCS#1 v2.1 PSS verification 1038 * operation (RSASSA-PSS-VERIFY). 1039 * 1040 * \note The \c hash_id set in \p ctx by calling 1041 * mbedtls_rsa_set_padding() selects the hash used for the 1042 * encoding operation and for the mask generation function 1043 * (MGF1). For more details on the encoding operation and the 1044 * mask generation function, consult <em>RFC-3447: Public-Key 1045 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography 1046 * Specifications</em>. If the \c hash_id set in \p ctx by 1047 * mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg 1048 * parameter is used. 1049 * 1050 * \param ctx The initialized RSA public key context to use. 1051 * \param md_alg The message-digest algorithm used to hash the original data. 1052 * Use #MBEDTLS_MD_NONE for signing raw data. 1053 * \param hashlen The length of the message digest or raw data in Bytes. 1054 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 1055 * output length of the corresponding hash algorithm. 1056 * \param hash The buffer holding the message digest or raw data. 1057 * This must be a readable buffer of at least \p hashlen Bytes. 1058 * \param sig The buffer holding the signature. This must be a readable 1059 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1060 * for an 2048-bit RSA modulus. 1061 * 1062 * \return \c 0 if the verify operation was successful. 1063 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1064 */ 1065 int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx, 1066 mbedtls_md_type_t md_alg, 1067 unsigned int hashlen, 1068 const unsigned char *hash, 1069 const unsigned char *sig); 1070 1071 /** 1072 * \brief This function performs a PKCS#1 v2.1 PSS verification 1073 * operation (RSASSA-PSS-VERIFY). 1074 * 1075 * \note The \p sig buffer must be as large as the size 1076 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. 1077 * 1078 * \note The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is 1079 * ignored. 1080 * 1081 * \param ctx The initialized RSA public key context to use. 1082 * \param md_alg The message-digest algorithm used to hash the original data. 1083 * Use #MBEDTLS_MD_NONE for signing raw data. 1084 * \param hashlen The length of the message digest or raw data in Bytes. 1085 * If \p md_alg is not #MBEDTLS_MD_NONE, this must match the 1086 * output length of the corresponding hash algorithm. 1087 * \param hash The buffer holding the message digest or raw data. 1088 * This must be a readable buffer of at least \p hashlen Bytes. 1089 * \param mgf1_hash_id The message digest algorithm used for the 1090 * verification operation and the mask generation 1091 * function (MGF1). For more details on the encoding 1092 * operation and the mask generation function, consult 1093 * <em>RFC-3447: Public-Key Cryptography Standards 1094 * (PKCS) #1 v2.1: RSA Cryptography 1095 * Specifications</em>. 1096 * \param expected_salt_len The length of the salt used in padding. Use 1097 * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. 1098 * \param sig The buffer holding the signature. This must be a readable 1099 * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes 1100 * for an 2048-bit RSA modulus. 1101 * 1102 * \return \c 0 if the verify operation was successful. 1103 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. 1104 */ 1105 int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx, 1106 mbedtls_md_type_t md_alg, 1107 unsigned int hashlen, 1108 const unsigned char *hash, 1109 mbedtls_md_type_t mgf1_hash_id, 1110 int expected_salt_len, 1111 const unsigned char *sig); 1112 1113 /** 1114 * \brief This function copies the components of an RSA context. 1115 * 1116 * \param dst The destination context. This must be initialized. 1117 * \param src The source context. This must be initialized. 1118 * 1119 * \return \c 0 on success. 1120 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. 1121 */ 1122 int mbedtls_rsa_copy(mbedtls_rsa_context *dst, const mbedtls_rsa_context *src); 1123 1124 /** 1125 * \brief This function frees the components of an RSA key. 1126 * 1127 * \param ctx The RSA context to free. May be \c NULL, in which case 1128 * this function is a no-op. If it is not \c NULL, it must 1129 * point to an initialized RSA context. 1130 */ 1131 void mbedtls_rsa_free(mbedtls_rsa_context *ctx); 1132 1133 #if defined(MBEDTLS_SELF_TEST) 1134 1135 /** 1136 * \brief The RSA checkup routine. 1137 * 1138 * \return \c 0 on success. 1139 * \return \c 1 on failure. 1140 */ 1141 int mbedtls_rsa_self_test(int verbose); 1142 1143 #endif /* MBEDTLS_SELF_TEST */ 1144 1145 #ifdef __cplusplus 1146 } 1147 #endif 1148 1149 #endif /* rsa.h */ 1150
