blob: bc2f810ae8a7638783b9ff909a1ca36831157344 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/**
2 * \file rsa.h
Paul Bakkere0ccd0a2009-01-04 16:27:10 +00003 *
Paul Bakker37ca75d2011-01-06 12:28:03 +00004 * \brief The RSA public-key cryptosystem
5 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +02006 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +02007 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +000020 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +000021 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +000022 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020023#ifndef MBEDTLS_RSA_H
24#define MBEDTLS_RSA_H
Paul Bakker5121ce52009-01-03 21:22:43 +000025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020026#if !defined(MBEDTLS_CONFIG_FILE)
Paul Bakkered27a042013-04-18 22:46:23 +020027#include "config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020028#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020029#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020030#endif
Paul Bakkered27a042013-04-18 22:46:23 +020031
Paul Bakker314052f2011-08-15 09:07:52 +000032#include "bignum.h"
Paul Bakkerc70b9822013-04-07 22:00:46 +020033#include "md.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020035#if defined(MBEDTLS_THREADING_C)
Paul Bakkerc9965dc2013-09-29 14:58:17 +020036#include "threading.h"
37#endif
38
Paul Bakker13e2dfe2009-07-28 07:18:38 +000039/*
40 * RSA Error codes
41 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020042#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
43#define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
44#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
Manuel Pégourié-Gonnardeecb43c2015-05-12 12:56:41 +020045#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the library's validity check. */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020046#define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
47#define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
48#define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
49#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
50#define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
Paul Bakker5121ce52009-01-03 21:22:43 +000051
52/*
Paul Bakkerc70b9822013-04-07 22:00:46 +020053 * RSA constants
Paul Bakker5121ce52009-01-03 21:22:43 +000054 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020055#define MBEDTLS_RSA_PUBLIC 0
56#define MBEDTLS_RSA_PRIVATE 1
Paul Bakker5121ce52009-01-03 21:22:43 +000057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020058#define MBEDTLS_RSA_PKCS_V15 0
59#define MBEDTLS_RSA_PKCS_V21 1
Paul Bakker5121ce52009-01-03 21:22:43 +000060
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020061#define MBEDTLS_RSA_SIGN 1
62#define MBEDTLS_RSA_CRYPT 2
Paul Bakker5121ce52009-01-03 21:22:43 +000063
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020064#define MBEDTLS_RSA_SALT_LEN_ANY -1
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +020065
Manuel Pégourié-Gonnarde511ffc2013-08-22 17:33:21 +020066/*
67 * The above constants may be used even if the RSA module is compile out,
68 * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
69 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020070#if defined(MBEDTLS_RSA_C)
Manuel Pégourié-Gonnarde511ffc2013-08-22 17:33:21 +020071
Paul Bakker407a0da2013-06-27 14:29:21 +020072#ifdef __cplusplus
73extern "C" {
74#endif
75
Paul Bakker5121ce52009-01-03 21:22:43 +000076/**
77 * \brief RSA context structure
78 */
79typedef struct
80{
81 int ver; /*!< always 0 */
Paul Bakker23986e52011-04-24 08:57:21 +000082 size_t len; /*!< size(N) in chars */
Paul Bakker5121ce52009-01-03 21:22:43 +000083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020084 mbedtls_mpi N; /*!< public modulus */
85 mbedtls_mpi E; /*!< public exponent */
Paul Bakker5121ce52009-01-03 21:22:43 +000086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020087 mbedtls_mpi D; /*!< private exponent */
88 mbedtls_mpi P; /*!< 1st prime factor */
89 mbedtls_mpi Q; /*!< 2nd prime factor */
90 mbedtls_mpi DP; /*!< D % (P - 1) */
91 mbedtls_mpi DQ; /*!< D % (Q - 1) */
92 mbedtls_mpi QP; /*!< 1 / (Q % P) */
Paul Bakker5121ce52009-01-03 21:22:43 +000093
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020094 mbedtls_mpi RN; /*!< cached R^2 mod N */
95 mbedtls_mpi RP; /*!< cached R^2 mod P */
96 mbedtls_mpi RQ; /*!< cached R^2 mod Q */
Paul Bakker5121ce52009-01-03 21:22:43 +000097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020098 mbedtls_mpi Vi; /*!< cached blinding value */
99 mbedtls_mpi Vf; /*!< cached un-blinding value */
Manuel Pégourié-Gonnardea53a552013-09-10 13:29:30 +0200100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200101 int padding; /*!< MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
Brian J Murray98844ff2016-08-30 01:50:12 -0700102 MBEDTLS_RSA_PKCS_v21 for OAEP/PSS */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200103 int hash_id; /*!< Hash identifier of mbedtls_md_type_t as
104 specified in the mbedtls_md.h header file
Paul Bakker9dcc3222011-03-08 14:16:06 +0000105 for the EME-OAEP and EMSA-PSS
106 encoding */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200107#if defined(MBEDTLS_THREADING_C)
108 mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex */
Paul Bakkerc9965dc2013-09-29 14:58:17 +0200109#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000110}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200111mbedtls_rsa_context;
Paul Bakker5121ce52009-01-03 21:22:43 +0000112
Paul Bakker5121ce52009-01-03 21:22:43 +0000113/**
114 * \brief Initialize an RSA context
115 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200116 * Note: Set padding to MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
Paul Bakker9a736322012-11-14 12:39:52 +0000117 * encryption scheme and the RSASSA-PSS signature scheme.
118 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000119 * \param ctx RSA context to be initialized
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200120 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21
121 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier
Paul Bakker5121ce52009-01-03 21:22:43 +0000122 *
123 * \note The hash_id parameter is actually ignored
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200124 * when using MBEDTLS_RSA_PKCS_V15 padding.
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200125 *
126 * \note Choice of padding mode is strictly enforced for private key
127 * operations, since there might be security concerns in
128 * mixing padding modes. For public key operations it's merely
129 * a default value, which can be overriden by calling specific
130 * rsa_rsaes_xxx or rsa_rsassa_xxx functions.
131 *
132 * \note The chosen hash is always used for OEAP encryption.
133 * For PSS signatures, it's always used for making signatures,
134 * but can be overriden (and always is, if set to
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200135 * MBEDTLS_MD_NONE) for verifying them.
Paul Bakker5121ce52009-01-03 21:22:43 +0000136 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200137void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000138 int padding,
Paul Bakker42099c32014-01-27 11:45:49 +0100139 int hash_id);
Paul Bakker5121ce52009-01-03 21:22:43 +0000140
141/**
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100142 * \brief Set padding for an already initialized RSA context
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200143 * See \c mbedtls_rsa_init() for details.
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100144 *
145 * \param ctx RSA context to be set
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200146 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21
147 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100148 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200149void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id);
Manuel Pégourié-Gonnard844a4c02014-03-10 21:55:35 +0100150
151/**
Paul Bakker5121ce52009-01-03 21:22:43 +0000152 * \brief Generate an RSA keypair
153 *
154 * \param ctx RSA context that will hold the key
Paul Bakker21eb2802010-08-16 11:10:02 +0000155 * \param f_rng RNG function
156 * \param p_rng RNG parameter
Paul Bakker5121ce52009-01-03 21:22:43 +0000157 * \param nbits size of the public key in bits
158 * \param exponent public exponent (e.g., 65537)
159 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200160 * \note mbedtls_rsa_init() must be called beforehand to setup
Paul Bakker21eb2802010-08-16 11:10:02 +0000161 * the RSA context.
Paul Bakker5121ce52009-01-03 21:22:43 +0000162 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200163 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000164 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200165int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000166 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker21eb2802010-08-16 11:10:02 +0000167 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000168 unsigned int nbits, int exponent );
Paul Bakker5121ce52009-01-03 21:22:43 +0000169
170/**
171 * \brief Check a public RSA key
172 *
173 * \param ctx RSA context to be checked
174 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200175 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000176 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200177int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000178
179/**
180 * \brief Check a private RSA key
181 *
182 * \param ctx RSA context to be checked
183 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200184 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000185 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200186int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000187
188/**
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100189 * \brief Check a public-private RSA key pair.
190 * Check each of the contexts, and make sure they match.
191 *
192 * \param pub RSA context holding the public key
193 * \param prv RSA context holding the private key
194 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200195 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100196 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200197int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv );
Manuel Pégourié-Gonnard2f8d1f92014-11-06 14:02:51 +0100198
199/**
Paul Bakker5121ce52009-01-03 21:22:43 +0000200 * \brief Do an RSA public key operation
201 *
202 * \param ctx RSA context
203 * \param input input buffer
204 * \param output output buffer
205 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200206 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000207 *
208 * \note This function does NOT take care of message
Brian J Murray2adecba2016-11-06 04:45:15 -0800209 * padding. Also, be sure to set input[0] = 0 or ensure that
Paul Bakker619467a2009-03-28 23:26:51 +0000210 * input is smaller than N.
Paul Bakker5121ce52009-01-03 21:22:43 +0000211 *
212 * \note The input and output buffers must be large
213 * enough (eg. 128 bytes if RSA-1024 is used).
214 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200215int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000216 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000217 unsigned char *output );
218
219/**
220 * \brief Do an RSA private key operation
221 *
222 * \param ctx RSA context
Hanno Becker88ec2382017-05-03 13:51:16 +0100223 * \param f_rng RNG function (used for blinding)
Paul Bakker548957d2013-08-30 10:30:02 +0200224 * \param p_rng RNG parameter
Paul Bakker5121ce52009-01-03 21:22:43 +0000225 * \param input input buffer
226 * \param output output buffer
227 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200228 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000229 *
230 * \note The input and output buffers must be large
231 * enough (eg. 128 bytes if RSA-1024 is used).
Hanno Becker88ec2382017-05-03 13:51:16 +0100232 *
Hanno Becker4e1be392017-10-02 15:56:48 +0100233 * \note Blinding is used if and onlf if a PRNG is provided.
Hanno Becker88ec2382017-05-03 13:51:16 +0100234 *
235 * \note If blinding is used, both the base of exponentation
236 * and the exponent are blinded, preventing both statistical
237 * timing and power analysis attacks.
238 *
Hanno Becker4e1be392017-10-02 15:56:48 +0100239 * \warning It is deprecated and a security risk to not provide
240 * a PRNG here and thereby prevent the use of blinding.
241 * Future versions of the library may enforce the presence
242 * of a PRNG.
Hanno Becker88ec2382017-05-03 13:51:16 +0100243 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000244 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200245int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200246 int (*f_rng)(void *, unsigned char *, size_t),
247 void *p_rng,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000248 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000249 unsigned char *output );
250
251/**
Paul Bakkerb3869132013-02-28 17:21:01 +0100252 * \brief Generic wrapper to perform a PKCS#1 encryption using the
253 * mode from the context. Add the message padding, then do an
254 * RSA operation.
Paul Bakker5121ce52009-01-03 21:22:43 +0000255 *
256 * \param ctx RSA context
Paul Bakker548957d2013-08-30 10:30:02 +0200257 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200258 * and MBEDTLS_RSA_PRIVATE)
Paul Bakker21eb2802010-08-16 11:10:02 +0000259 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200260 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
Paul Bakker592457c2009-04-01 19:01:43 +0000261 * \param ilen contains the plaintext length
Paul Bakker5121ce52009-01-03 21:22:43 +0000262 * \param input buffer holding the data to be encrypted
263 * \param output buffer that will hold the ciphertext
264 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200265 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000266 *
267 * \note The output buffer must be as large as the size
268 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
269 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200270int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000271 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker21eb2802010-08-16 11:10:02 +0000272 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000273 int mode, size_t ilen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000274 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000275 unsigned char *output );
276
277/**
Paul Bakkerb3869132013-02-28 17:21:01 +0100278 * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
279 *
280 * \param ctx RSA context
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200281 * \param f_rng RNG function (Needed for padding and MBEDTLS_RSA_PRIVATE)
Paul Bakkerb3869132013-02-28 17:21:01 +0100282 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200283 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
Paul Bakkerb3869132013-02-28 17:21:01 +0100284 * \param ilen contains the plaintext length
285 * \param input buffer holding the data to be encrypted
286 * \param output buffer that will hold the ciphertext
287 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200288 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100289 *
290 * \note The output buffer must be as large as the size
291 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
292 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200293int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
Paul Bakkerb3869132013-02-28 17:21:01 +0100294 int (*f_rng)(void *, unsigned char *, size_t),
295 void *p_rng,
296 int mode, size_t ilen,
297 const unsigned char *input,
298 unsigned char *output );
299
300/**
301 * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
302 *
303 * \param ctx RSA context
Paul Bakker548957d2013-08-30 10:30:02 +0200304 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200305 * and MBEDTLS_RSA_PRIVATE)
Paul Bakkerb3869132013-02-28 17:21:01 +0100306 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200307 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
Paul Bakkera43231c2013-02-28 17:33:49 +0100308 * \param label buffer holding the custom label to use
309 * \param label_len contains the label length
Paul Bakkerb3869132013-02-28 17:21:01 +0100310 * \param ilen contains the plaintext length
311 * \param input buffer holding the data to be encrypted
312 * \param output buffer that will hold the ciphertext
313 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200314 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100315 *
316 * \note The output buffer must be as large as the size
317 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
318 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200319int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
Paul Bakkerb3869132013-02-28 17:21:01 +0100320 int (*f_rng)(void *, unsigned char *, size_t),
321 void *p_rng,
Paul Bakkera43231c2013-02-28 17:33:49 +0100322 int mode,
323 const unsigned char *label, size_t label_len,
324 size_t ilen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100325 const unsigned char *input,
326 unsigned char *output );
327
328/**
329 * \brief Generic wrapper to perform a PKCS#1 decryption using the
330 * mode from the context. Do an RSA operation, then remove
331 * the message padding
Paul Bakker5121ce52009-01-03 21:22:43 +0000332 *
333 * \param ctx RSA context
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200334 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200335 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200336 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
Paul Bakker4d8ca702011-08-09 10:31:05 +0000337 * \param olen will contain the plaintext length
Paul Bakker5121ce52009-01-03 21:22:43 +0000338 * \param input buffer holding the encrypted data
339 * \param output buffer that will hold the plaintext
Paul Bakker23986e52011-04-24 08:57:21 +0000340 * \param output_max_len maximum length of the output buffer
Paul Bakker5121ce52009-01-03 21:22:43 +0000341 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200342 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000343 *
344 * \note The output buffer must be as large as the size
Paul Bakker060c5682009-01-12 21:48:39 +0000345 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
346 * an error is thrown.
Paul Bakker5121ce52009-01-03 21:22:43 +0000347 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200348int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200349 int (*f_rng)(void *, unsigned char *, size_t),
350 void *p_rng,
Paul Bakker23986e52011-04-24 08:57:21 +0000351 int mode, size_t *olen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000352 const unsigned char *input,
Paul Bakker060c5682009-01-12 21:48:39 +0000353 unsigned char *output,
Paul Bakker23986e52011-04-24 08:57:21 +0000354 size_t output_max_len );
Paul Bakker5121ce52009-01-03 21:22:43 +0000355
356/**
Paul Bakkerb3869132013-02-28 17:21:01 +0100357 * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
358 *
359 * \param ctx RSA context
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200360 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200361 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200362 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
Paul Bakkerb3869132013-02-28 17:21:01 +0100363 * \param olen will contain the plaintext length
364 * \param input buffer holding the encrypted data
365 * \param output buffer that will hold the plaintext
366 * \param output_max_len maximum length of the output buffer
367 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200368 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100369 *
370 * \note The output buffer must be as large as the size
371 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
372 * an error is thrown.
373 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200374int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200375 int (*f_rng)(void *, unsigned char *, size_t),
376 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100377 int mode, size_t *olen,
378 const unsigned char *input,
379 unsigned char *output,
380 size_t output_max_len );
381
382/**
383 * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
384 *
385 * \param ctx RSA context
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200386 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200387 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200388 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
Paul Bakkera43231c2013-02-28 17:33:49 +0100389 * \param label buffer holding the custom label to use
390 * \param label_len contains the label length
Paul Bakkerb3869132013-02-28 17:21:01 +0100391 * \param olen will contain the plaintext length
392 * \param input buffer holding the encrypted data
393 * \param output buffer that will hold the plaintext
394 * \param output_max_len maximum length of the output buffer
395 *
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200396 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100397 *
398 * \note The output buffer must be as large as the size
399 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
400 * an error is thrown.
401 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200402int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200403 int (*f_rng)(void *, unsigned char *, size_t),
404 void *p_rng,
Paul Bakkera43231c2013-02-28 17:33:49 +0100405 int mode,
406 const unsigned char *label, size_t label_len,
407 size_t *olen,
Paul Bakkerb3869132013-02-28 17:21:01 +0100408 const unsigned char *input,
409 unsigned char *output,
410 size_t output_max_len );
411
412/**
413 * \brief Generic wrapper to perform a PKCS#1 signature using the
414 * mode from the context. Do a private RSA operation to sign
415 * a message digest
Paul Bakker5121ce52009-01-03 21:22:43 +0000416 *
417 * \param ctx RSA context
Paul Bakker548957d2013-08-30 10:30:02 +0200418 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200419 * MBEDTLS_RSA_PRIVATE)
Paul Bakker9dcc3222011-03-08 14:16:06 +0000420 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200421 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
422 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
423 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000424 * \param hash buffer holding the message digest
425 * \param sig buffer that will hold the ciphertext
426 *
427 * \return 0 if the signing operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200428 * or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000429 *
430 * \note The "sig" buffer must be as large as the size
431 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
Paul Bakker9dcc3222011-03-08 14:16:06 +0000432 *
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200433 * \note In case of PKCS#1 v2.1 encoding, see comments on
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200434 * \note \c mbedtls_rsa_rsassa_pss_sign() for details on md_alg and hash_id.
Paul Bakker5121ce52009-01-03 21:22:43 +0000435 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200436int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
Paul Bakkera3d195c2011-11-27 21:07:34 +0000437 int (*f_rng)(void *, unsigned char *, size_t),
Paul Bakker9dcc3222011-03-08 14:16:06 +0000438 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +0000439 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200440 mbedtls_md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +0000441 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000442 const unsigned char *hash,
Paul Bakker5121ce52009-01-03 21:22:43 +0000443 unsigned char *sig );
444
445/**
Paul Bakkerb3869132013-02-28 17:21:01 +0100446 * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
447 *
448 * \param ctx RSA context
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200449 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200450 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200451 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
452 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
453 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Paul Bakkerb3869132013-02-28 17:21:01 +0100454 * \param hash buffer holding the message digest
455 * \param sig buffer that will hold the ciphertext
456 *
457 * \return 0 if the signing operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200458 * or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100459 *
460 * \note The "sig" buffer must be as large as the size
461 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
462 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200463int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200464 int (*f_rng)(void *, unsigned char *, size_t),
465 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100466 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200467 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100468 unsigned int hashlen,
469 const unsigned char *hash,
470 unsigned char *sig );
471
472/**
473 * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
474 *
475 * \param ctx RSA context
Paul Bakker548957d2013-08-30 10:30:02 +0200476 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200477 * MBEDTLS_RSA_PRIVATE)
Paul Bakkerb3869132013-02-28 17:21:01 +0100478 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200479 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
480 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
481 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Paul Bakkerb3869132013-02-28 17:21:01 +0100482 * \param hash buffer holding the message digest
483 * \param sig buffer that will hold the ciphertext
484 *
485 * \return 0 if the signing operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200486 * or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100487 *
488 * \note The "sig" buffer must be as large as the size
489 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
490 *
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200491 * \note The hash_id in the RSA context is the one used for the
492 * encoding. md_alg in the function call is the type of hash
Paul Bakkerb3869132013-02-28 17:21:01 +0100493 * that is encoded. According to RFC 3447 it is advised to
494 * keep both hashes the same.
495 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200496int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
Paul Bakkerb3869132013-02-28 17:21:01 +0100497 int (*f_rng)(void *, unsigned char *, size_t),
498 void *p_rng,
499 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200500 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100501 unsigned int hashlen,
502 const unsigned char *hash,
503 unsigned char *sig );
504
505/**
506 * \brief Generic wrapper to perform a PKCS#1 verification using the
507 * mode from the context. Do a public RSA operation and check
508 * the message digest
Paul Bakker5121ce52009-01-03 21:22:43 +0000509 *
510 * \param ctx points to an RSA public key
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200511 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200512 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200513 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
514 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
515 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Paul Bakker5121ce52009-01-03 21:22:43 +0000516 * \param hash buffer holding the message digest
517 * \param sig buffer holding the ciphertext
518 *
519 * \return 0 if the verify operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200520 * or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakker5121ce52009-01-03 21:22:43 +0000521 *
522 * \note The "sig" buffer must be as large as the size
523 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
Paul Bakker9dcc3222011-03-08 14:16:06 +0000524 *
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200525 * \note In case of PKCS#1 v2.1 encoding, see comments on
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200526 * \c mbedtls_rsa_rsassa_pss_verify() about md_alg and hash_id.
Paul Bakker5121ce52009-01-03 21:22:43 +0000527 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200528int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200529 int (*f_rng)(void *, unsigned char *, size_t),
530 void *p_rng,
Paul Bakker5121ce52009-01-03 21:22:43 +0000531 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200532 mbedtls_md_type_t md_alg,
Paul Bakker23986e52011-04-24 08:57:21 +0000533 unsigned int hashlen,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000534 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200535 const unsigned char *sig );
Paul Bakker5121ce52009-01-03 21:22:43 +0000536
537/**
Paul Bakkerb3869132013-02-28 17:21:01 +0100538 * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
539 *
540 * \param ctx points to an RSA public key
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200541 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200542 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200543 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
544 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
545 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Paul Bakkerb3869132013-02-28 17:21:01 +0100546 * \param hash buffer holding the message digest
547 * \param sig buffer holding the ciphertext
548 *
549 * \return 0 if the verify operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200550 * or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100551 *
552 * \note The "sig" buffer must be as large as the size
553 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
554 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200555int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200556 int (*f_rng)(void *, unsigned char *, size_t),
557 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100558 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200559 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100560 unsigned int hashlen,
561 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200562 const unsigned char *sig );
Paul Bakkerb3869132013-02-28 17:21:01 +0100563
564/**
565 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200566 * (This is the "simple" version.)
Paul Bakkerb3869132013-02-28 17:21:01 +0100567 *
568 * \param ctx points to an RSA public key
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200569 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Paul Bakker548957d2013-08-30 10:30:02 +0200570 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200571 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
572 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
573 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Paul Bakkerb3869132013-02-28 17:21:01 +0100574 * \param hash buffer holding the message digest
575 * \param sig buffer holding the ciphertext
576 *
577 * \return 0 if the verify operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200578 * or an MBEDTLS_ERR_RSA_XXX error code
Paul Bakkerb3869132013-02-28 17:21:01 +0100579 *
580 * \note The "sig" buffer must be as large as the size
581 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
582 *
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200583 * \note The hash_id in the RSA context is the one used for the
584 * verification. md_alg in the function call is the type of
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200585 * hash that is verified. According to RFC 3447 it is advised to
Manuel Pégourié-Gonnarde6d1d822014-06-02 16:47:02 +0200586 * keep both hashes the same. If hash_id in the RSA context is
587 * unset, the md_alg from the function call is used.
Paul Bakkerb3869132013-02-28 17:21:01 +0100588 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200589int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
Paul Bakker548957d2013-08-30 10:30:02 +0200590 int (*f_rng)(void *, unsigned char *, size_t),
591 void *p_rng,
Paul Bakkerb3869132013-02-28 17:21:01 +0100592 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200593 mbedtls_md_type_t md_alg,
Paul Bakkerb3869132013-02-28 17:21:01 +0100594 unsigned int hashlen,
595 const unsigned char *hash,
Manuel Pégourié-Gonnardcc0a9d02013-08-12 11:34:35 +0200596 const unsigned char *sig );
Paul Bakkerb3869132013-02-28 17:21:01 +0100597
598/**
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200599 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
600 * (This is the version with "full" options.)
601 *
602 * \param ctx points to an RSA public key
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200603 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200604 * \param p_rng RNG parameter
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200605 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
606 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
607 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200608 * \param hash buffer holding the message digest
609 * \param mgf1_hash_id message digest used for mask generation
610 * \param expected_salt_len Length of the salt used in padding, use
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200611 * MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200612 * \param sig buffer holding the ciphertext
613 *
614 * \return 0 if the verify operation was successful,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200615 * or an MBEDTLS_ERR_RSA_XXX error code
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200616 *
617 * \note The "sig" buffer must be as large as the size
618 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
619 *
620 * \note The hash_id in the RSA context is ignored.
621 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200622int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200623 int (*f_rng)(void *, unsigned char *, size_t),
624 void *p_rng,
625 int mode,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200626 mbedtls_md_type_t md_alg,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200627 unsigned int hashlen,
628 const unsigned char *hash,
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200629 mbedtls_md_type_t mgf1_hash_id,
Manuel Pégourié-Gonnard5ec628a2014-06-03 11:44:06 +0200630 int expected_salt_len,
631 const unsigned char *sig );
632
633/**
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200634 * \brief Copy the components of an RSA context
635 *
636 * \param dst Destination context
637 * \param src Source context
638 *
Manuel Pégourié-Gonnard81abefd2015-05-29 12:53:47 +0200639 * \return 0 on success,
Manuel Pégourié-Gonnard6a8ca332015-05-28 09:33:39 +0200640 * MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200641 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200642int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
Manuel Pégourié-Gonnard3053f5b2013-08-14 13:39:57 +0200643
644/**
Paul Bakker5121ce52009-01-03 21:22:43 +0000645 * \brief Free the components of an RSA key
Paul Bakker13e2dfe2009-07-28 07:18:38 +0000646 *
647 * \param ctx RSA Context to free
Paul Bakker5121ce52009-01-03 21:22:43 +0000648 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200649void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000650
651/**
652 * \brief Checkup routine
653 *
654 * \return 0 if successful, or 1 if the test failed
655 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200656int mbedtls_rsa_self_test( int verbose );
Paul Bakker5121ce52009-01-03 21:22:43 +0000657
658#ifdef __cplusplus
659}
660#endif
661
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200662#endif /* MBEDTLS_RSA_C */
Paul Bakkered27a042013-04-18 22:46:23 +0200663
Paul Bakker5121ce52009-01-03 21:22:43 +0000664#endif /* rsa.h */