1 /** 2 * \file rsa.h 3 * 4 * \brief The RSA public-key cryptosystem 5 * 6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 7 * SPDX-License-Identifier: Apache-2.0 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 #ifndef MBEDTLS_RSA_H 24 #define MBEDTLS_RSA_H 25 26 #if !defined(MBEDTLS_CONFIG_FILE) 27 #include "config.h" 28 #else 29 #include MBEDTLS_CONFIG_FILE 30 #endif 31 32 #include "bignum.h" 33 #include "md.h" 34 35 #if defined(MBEDTLS_THREADING_C) 36 #include "threading.h" 37 #endif 38 39 /* 40 * RSA Error codes 41 */ 42 #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */ 43 #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */ 44 #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */ 45 #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the library's validity check. */ 46 #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */ 47 #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */ 48 #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */ 49 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ 50 #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ 51 52 /* 53 * RSA constants 54 */ 55 #define MBEDTLS_RSA_PUBLIC 0 56 #define MBEDTLS_RSA_PRIVATE 1 57 58 #define MBEDTLS_RSA_PKCS_V15 0 59 #define MBEDTLS_RSA_PKCS_V21 1 60 61 #define MBEDTLS_RSA_SIGN 1 62 #define MBEDTLS_RSA_CRYPT 2 63 64 #define MBEDTLS_RSA_SALT_LEN_ANY -1 65 66 /* 67 * The above constants may be used even if the RSA module is compile out, 68 * eg for alternative (PKCS#11) RSA implemenations in the PK layers. 69 */ 70 #if defined(MBEDTLS_RSA_C) 71 72 #ifdef __cplusplus 73 extern "C" { 74 #endif 75 76 /** 77 * \brief RSA context structure 78 */ 79 typedef struct 80 { 81 int ver; /*!< always 0 */ 82 size_t len; /*!< size(N) in chars */ 83 84 mbedtls_mpi N; /*!< public modulus */ 85 mbedtls_mpi E; /*!< public exponent */ 86 87 mbedtls_mpi D; /*!< private exponent */ 88 mbedtls_mpi P; /*!< 1st prime factor */ 89 mbedtls_mpi Q; /*!< 2nd prime factor */ 90 mbedtls_mpi DP; /*!< D % (P - 1) */ 91 mbedtls_mpi DQ; /*!< D % (Q - 1) */ 92 mbedtls_mpi QP; /*!< 1 / (Q % P) */ 93 94 mbedtls_mpi RN; /*!< cached R^2 mod N */ 95 mbedtls_mpi RP; /*!< cached R^2 mod P */ 96 mbedtls_mpi RQ; /*!< cached R^2 mod Q */ 97 98 mbedtls_mpi Vi; /*!< cached blinding value */ 99 mbedtls_mpi Vf; /*!< cached un-blinding value */ 100 101 int padding; /*!< MBEDTLS_RSA_PKCS_V15 for 1.5 padding and 102 MBEDTLS_RSA_PKCS_v21 for OAEP/PSS */ 103 int hash_id; /*!< Hash identifier of mbedtls_md_type_t as 104 specified in the mbedtls_md.h header file 105 for the EME-OAEP and EMSA-PSS 106 encoding */ 107 #if defined(MBEDTLS_THREADING_C) 108 mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex */ 109 #endif 110 } 111 mbedtls_rsa_context; 112 113 /** 114 * \brief Initialize an RSA context 115 * 116 * Note: Set padding to MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP 117 * encryption scheme and the RSASSA-PSS signature scheme. 118 * 119 * \param ctx RSA context to be initialized 120 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21 121 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier 122 * 123 * \note The hash_id parameter is actually ignored 124 * when using MBEDTLS_RSA_PKCS_V15 padding. 125 * 126 * \note Choice of padding mode is strictly enforced for private key 127 * operations, since there might be security concerns in 128 * mixing padding modes. For public key operations it's merely 129 * a default value, which can be overriden by calling specific 130 * rsa_rsaes_xxx or rsa_rsassa_xxx functions. 131 * 132 * \note The chosen hash is always used for OEAP encryption. 133 * For PSS signatures, it's always used for making signatures, 134 * but can be overriden (and always is, if set to 135 * MBEDTLS_MD_NONE) for verifying them. 136 */ 137 void mbedtls_rsa_init( mbedtls_rsa_context *ctx, 138 int padding, 139 int hash_id); 140 141 /** 142 * \brief Set padding for an already initialized RSA context 143 * See \c mbedtls_rsa_init() for details. 144 * 145 * \param ctx RSA context to be set 146 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21 147 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier 148 */ 149 void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id); 150 151 /** 152 * \brief Generate an RSA keypair 153 * 154 * \param ctx RSA context that will hold the key 155 * \param f_rng RNG function 156 * \param p_rng RNG parameter 157 * \param nbits size of the public key in bits 158 * \param exponent public exponent (e.g., 65537) 159 * 160 * \note mbedtls_rsa_init() must be called beforehand to setup 161 * the RSA context. 162 * 163 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 164 */ 165 int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, 166 int (*f_rng)(void *, unsigned char *, size_t), 167 void *p_rng, 168 unsigned int nbits, int exponent ); 169 170 /** 171 * \brief Check a public RSA key 172 * 173 * \param ctx RSA context to be checked 174 * 175 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 176 */ 177 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ); 178 179 /** 180 * \brief Check a private RSA key 181 * 182 * \param ctx RSA context to be checked 183 * 184 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 185 */ 186 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ); 187 188 /** 189 * \brief Check a public-private RSA key pair. 190 * Check each of the contexts, and make sure they match. 191 * 192 * \param pub RSA context holding the public key 193 * \param prv RSA context holding the private key 194 * 195 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 196 */ 197 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ); 198 199 /** 200 * \brief Do an RSA public key operation 201 * 202 * \param ctx RSA context 203 * \param input input buffer 204 * \param output output buffer 205 * 206 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 207 * 208 * \note This function does NOT take care of message 209 * padding. Also, be sure to set input[0] = 0 or assure that 210 * input is smaller than N. 211 * 212 * \note The input and output buffers must be large 213 * enough (eg. 128 bytes if RSA-1024 is used). 214 */ 215 int mbedtls_rsa_public( mbedtls_rsa_context *ctx, 216 const unsigned char *input, 217 unsigned char *output ); 218 219 /** 220 * \brief Do an RSA private key operation 221 * 222 * \param ctx RSA context 223 * \param f_rng RNG function (Needed for blinding) 224 * \param p_rng RNG parameter 225 * \param input input buffer 226 * \param output output buffer 227 * 228 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 229 * 230 * \note The input and output buffers must be large 231 * enough (eg. 128 bytes if RSA-1024 is used). 232 */ 233 int mbedtls_rsa_private( mbedtls_rsa_context *ctx, 234 int (*f_rng)(void *, unsigned char *, size_t), 235 void *p_rng, 236 const unsigned char *input, 237 unsigned char *output ); 238 239 /** 240 * \brief Generic wrapper to perform a PKCS#1 encryption using the 241 * mode from the context. Add the message padding, then do an 242 * RSA operation. 243 * 244 * \param ctx RSA context 245 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding 246 * and MBEDTLS_RSA_PRIVATE) 247 * \param p_rng RNG parameter 248 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 249 * \param ilen contains the plaintext length 250 * \param input buffer holding the data to be encrypted 251 * \param output buffer that will hold the ciphertext 252 * 253 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 254 * 255 * \note The output buffer must be as large as the size 256 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 257 */ 258 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, 259 int (*f_rng)(void *, unsigned char *, size_t), 260 void *p_rng, 261 int mode, size_t ilen, 262 const unsigned char *input, 263 unsigned char *output ); 264 265 /** 266 * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT) 267 * 268 * \param ctx RSA context 269 * \param f_rng RNG function (Needed for padding and MBEDTLS_RSA_PRIVATE) 270 * \param p_rng RNG parameter 271 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 272 * \param ilen contains the plaintext length 273 * \param input buffer holding the data to be encrypted 274 * \param output buffer that will hold the ciphertext 275 * 276 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 277 * 278 * \note The output buffer must be as large as the size 279 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 280 */ 281 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, 282 int (*f_rng)(void *, unsigned char *, size_t), 283 void *p_rng, 284 int mode, size_t ilen, 285 const unsigned char *input, 286 unsigned char *output ); 287 288 /** 289 * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT) 290 * 291 * \param ctx RSA context 292 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding 293 * and MBEDTLS_RSA_PRIVATE) 294 * \param p_rng RNG parameter 295 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 296 * \param label buffer holding the custom label to use 297 * \param label_len contains the label length 298 * \param ilen contains the plaintext length 299 * \param input buffer holding the data to be encrypted 300 * \param output buffer that will hold the ciphertext 301 * 302 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 303 * 304 * \note The output buffer must be as large as the size 305 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 306 */ 307 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, 308 int (*f_rng)(void *, unsigned char *, size_t), 309 void *p_rng, 310 int mode, 311 const unsigned char *label, size_t label_len, 312 size_t ilen, 313 const unsigned char *input, 314 unsigned char *output ); 315 316 /** 317 * \brief Generic wrapper to perform a PKCS#1 decryption using the 318 * mode from the context. Do an RSA operation, then remove 319 * the message padding 320 * 321 * \param ctx RSA context 322 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 323 * \param p_rng RNG parameter 324 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 325 * \param olen will contain the plaintext length 326 * \param input buffer holding the encrypted data 327 * \param output buffer that will hold the plaintext 328 * \param output_max_len maximum length of the output buffer 329 * 330 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 331 * 332 * \note The output buffer must be as large as the size 333 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise 334 * an error is thrown. 335 */ 336 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, 337 int (*f_rng)(void *, unsigned char *, size_t), 338 void *p_rng, 339 int mode, size_t *olen, 340 const unsigned char *input, 341 unsigned char *output, 342 size_t output_max_len ); 343 344 /** 345 * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT) 346 * 347 * \param ctx RSA context 348 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 349 * \param p_rng RNG parameter 350 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 351 * \param olen will contain the plaintext length 352 * \param input buffer holding the encrypted data 353 * \param output buffer that will hold the plaintext 354 * \param output_max_len maximum length of the output buffer 355 * 356 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 357 * 358 * \note The output buffer must be as large as the size 359 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise 360 * an error is thrown. 361 */ 362 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, 363 int (*f_rng)(void *, unsigned char *, size_t), 364 void *p_rng, 365 int mode, size_t *olen, 366 const unsigned char *input, 367 unsigned char *output, 368 size_t output_max_len ); 369 370 /** 371 * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT) 372 * 373 * \param ctx RSA context 374 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 375 * \param p_rng RNG parameter 376 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 377 * \param label buffer holding the custom label to use 378 * \param label_len contains the label length 379 * \param olen will contain the plaintext length 380 * \param input buffer holding the encrypted data 381 * \param output buffer that will hold the plaintext 382 * \param output_max_len maximum length of the output buffer 383 * 384 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code 385 * 386 * \note The output buffer must be as large as the size 387 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise 388 * an error is thrown. 389 */ 390 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, 391 int (*f_rng)(void *, unsigned char *, size_t), 392 void *p_rng, 393 int mode, 394 const unsigned char *label, size_t label_len, 395 size_t *olen, 396 const unsigned char *input, 397 unsigned char *output, 398 size_t output_max_len ); 399 400 /** 401 * \brief Generic wrapper to perform a PKCS#1 signature using the 402 * mode from the context. Do a private RSA operation to sign 403 * a message digest 404 * 405 * \param ctx RSA context 406 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for 407 * MBEDTLS_RSA_PRIVATE) 408 * \param p_rng RNG parameter 409 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 410 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 411 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 412 * \param hash buffer holding the message digest 413 * \param sig buffer that will hold the ciphertext 414 * 415 * \return 0 if the signing operation was successful, 416 * or an MBEDTLS_ERR_RSA_XXX error code 417 * 418 * \note The "sig" buffer must be as large as the size 419 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 420 * 421 * \note In case of PKCS#1 v2.1 encoding, see comments on 422 * \note \c mbedtls_rsa_rsassa_pss_sign() for details on md_alg and hash_id. 423 */ 424 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, 425 int (*f_rng)(void *, unsigned char *, size_t), 426 void *p_rng, 427 int mode, 428 mbedtls_md_type_t md_alg, 429 unsigned int hashlen, 430 const unsigned char *hash, 431 unsigned char *sig ); 432 433 /** 434 * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN) 435 * 436 * \param ctx RSA context 437 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 438 * \param p_rng RNG parameter 439 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 440 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 441 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 442 * \param hash buffer holding the message digest 443 * \param sig buffer that will hold the ciphertext 444 * 445 * \return 0 if the signing operation was successful, 446 * or an MBEDTLS_ERR_RSA_XXX error code 447 * 448 * \note The "sig" buffer must be as large as the size 449 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 450 */ 451 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, 452 int (*f_rng)(void *, unsigned char *, size_t), 453 void *p_rng, 454 int mode, 455 mbedtls_md_type_t md_alg, 456 unsigned int hashlen, 457 const unsigned char *hash, 458 unsigned char *sig ); 459 460 /** 461 * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN) 462 * 463 * \param ctx RSA context 464 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for 465 * MBEDTLS_RSA_PRIVATE) 466 * \param p_rng RNG parameter 467 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 468 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 469 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 470 * \param hash buffer holding the message digest 471 * \param sig buffer that will hold the ciphertext 472 * 473 * \return 0 if the signing operation was successful, 474 * or an MBEDTLS_ERR_RSA_XXX error code 475 * 476 * \note The "sig" buffer must be as large as the size 477 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 478 * 479 * \note The hash_id in the RSA context is the one used for the 480 * encoding. md_alg in the function call is the type of hash 481 * that is encoded. According to RFC 3447 it is advised to 482 * keep both hashes the same. 483 */ 484 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, 485 int (*f_rng)(void *, unsigned char *, size_t), 486 void *p_rng, 487 int mode, 488 mbedtls_md_type_t md_alg, 489 unsigned int hashlen, 490 const unsigned char *hash, 491 unsigned char *sig ); 492 493 /** 494 * \brief Generic wrapper to perform a PKCS#1 verification using the 495 * mode from the context. Do a public RSA operation and check 496 * the message digest 497 * 498 * \param ctx points to an RSA public key 499 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 500 * \param p_rng RNG parameter 501 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 502 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 503 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 504 * \param hash buffer holding the message digest 505 * \param sig buffer holding the ciphertext 506 * 507 * \return 0 if the verify operation was successful, 508 * or an MBEDTLS_ERR_RSA_XXX error code 509 * 510 * \note The "sig" buffer must be as large as the size 511 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 512 * 513 * \note In case of PKCS#1 v2.1 encoding, see comments on 514 * \c mbedtls_rsa_rsassa_pss_verify() about md_alg and hash_id. 515 */ 516 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, 517 int (*f_rng)(void *, unsigned char *, size_t), 518 void *p_rng, 519 int mode, 520 mbedtls_md_type_t md_alg, 521 unsigned int hashlen, 522 const unsigned char *hash, 523 const unsigned char *sig ); 524 525 /** 526 * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY) 527 * 528 * \param ctx points to an RSA public key 529 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 530 * \param p_rng RNG parameter 531 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 532 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 533 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 534 * \param hash buffer holding the message digest 535 * \param sig buffer holding the ciphertext 536 * 537 * \return 0 if the verify operation was successful, 538 * or an MBEDTLS_ERR_RSA_XXX error code 539 * 540 * \note The "sig" buffer must be as large as the size 541 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 542 */ 543 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, 544 int (*f_rng)(void *, unsigned char *, size_t), 545 void *p_rng, 546 int mode, 547 mbedtls_md_type_t md_alg, 548 unsigned int hashlen, 549 const unsigned char *hash, 550 const unsigned char *sig ); 551 552 /** 553 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY) 554 * (This is the "simple" version.) 555 * 556 * \param ctx points to an RSA public key 557 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 558 * \param p_rng RNG parameter 559 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 560 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 561 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 562 * \param hash buffer holding the message digest 563 * \param sig buffer holding the ciphertext 564 * 565 * \return 0 if the verify operation was successful, 566 * or an MBEDTLS_ERR_RSA_XXX error code 567 * 568 * \note The "sig" buffer must be as large as the size 569 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 570 * 571 * \note The hash_id in the RSA context is the one used for the 572 * verification. md_alg in the function call is the type of 573 * hash that is verified. According to RFC 3447 it is advised to 574 * keep both hashes the same. If hash_id in the RSA context is 575 * unset, the md_alg from the function call is used. 576 */ 577 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, 578 int (*f_rng)(void *, unsigned char *, size_t), 579 void *p_rng, 580 int mode, 581 mbedtls_md_type_t md_alg, 582 unsigned int hashlen, 583 const unsigned char *hash, 584 const unsigned char *sig ); 585 586 /** 587 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY) 588 * (This is the version with "full" options.) 589 * 590 * \param ctx points to an RSA public key 591 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE) 592 * \param p_rng RNG parameter 593 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE 594 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data) 595 * \param hashlen message digest length (for MBEDTLS_MD_NONE only) 596 * \param hash buffer holding the message digest 597 * \param mgf1_hash_id message digest used for mask generation 598 * \param expected_salt_len Length of the salt used in padding, use 599 * MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length 600 * \param sig buffer holding the ciphertext 601 * 602 * \return 0 if the verify operation was successful, 603 * or an MBEDTLS_ERR_RSA_XXX error code 604 * 605 * \note The "sig" buffer must be as large as the size 606 * of ctx->N (eg. 128 bytes if RSA-1024 is used). 607 * 608 * \note The hash_id in the RSA context is ignored. 609 */ 610 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, 611 int (*f_rng)(void *, unsigned char *, size_t), 612 void *p_rng, 613 int mode, 614 mbedtls_md_type_t md_alg, 615 unsigned int hashlen, 616 const unsigned char *hash, 617 mbedtls_md_type_t mgf1_hash_id, 618 int expected_salt_len, 619 const unsigned char *sig ); 620 621 /** 622 * \brief Copy the components of an RSA context 623 * 624 * \param dst Destination context 625 * \param src Source context 626 * 627 * \return 0 on success, 628 * MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure 629 */ 630 int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ); 631 632 /** 633 * \brief Free the components of an RSA key 634 * 635 * \param ctx RSA Context to free 636 */ 637 void mbedtls_rsa_free( mbedtls_rsa_context *ctx ); 638 639 /** 640 * \brief Checkup routine 641 * 642 * \return 0 if successful, or 1 if the test failed 643 */ 644 int mbedtls_rsa_self_test( int verbose ); 645 646 #ifdef __cplusplus 647 } 648 #endif 649 650 #endif /* MBEDTLS_RSA_C */ 651 652 #endif /* rsa.h */ 653
