rsa.h 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655
  1. /**
  2. * \file rsa.h
  3. *
  4. * \brief The RSA public-key cryptosystem
  5. *
  6. * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
  7. * SPDX-License-Identifier: GPL-2.0
  8. *
  9. * This program is free software; you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation; either version 2 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License along
  20. * with this program; if not, write to the Free Software Foundation, Inc.,
  21. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  22. *
  23. * This file is part of mbed TLS (https://tls.mbed.org)
  24. */
  25. #ifndef MBEDTLS_RSA_H
  26. #define MBEDTLS_RSA_H
  27. #if !defined(MBEDTLS_CONFIG_FILE)
  28. #include "config.h"
  29. #else
  30. #include MBEDTLS_CONFIG_FILE
  31. #endif
  32. #include "bignum.h"
  33. #include "md.h"
  34. #if defined(MBEDTLS_THREADING_C)
  35. #include "threading.h"
  36. #endif
  37. /*
  38. * RSA Error codes
  39. */
  40. #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
  41. #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
  42. #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
  43. #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the library's validity check. */
  44. #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
  45. #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
  46. #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
  47. #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
  48. #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
  49. /*
  50. * RSA constants
  51. */
  52. #define MBEDTLS_RSA_PUBLIC 0
  53. #define MBEDTLS_RSA_PRIVATE 1
  54. #define MBEDTLS_RSA_PKCS_V15 0
  55. #define MBEDTLS_RSA_PKCS_V21 1
  56. #define MBEDTLS_RSA_SIGN 1
  57. #define MBEDTLS_RSA_CRYPT 2
  58. #define MBEDTLS_RSA_SALT_LEN_ANY -1
  59. /*
  60. * The above constants may be used even if the RSA module is compile out,
  61. * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
  62. */
  63. #if defined(MBEDTLS_RSA_C)
  64. #ifdef __cplusplus
  65. extern "C" {
  66. #endif
  67. /**
  68. * \brief RSA context structure
  69. */
  70. typedef struct
  71. {
  72. int ver; /*!< always 0 */
  73. size_t len; /*!< size(N) in chars */
  74. mbedtls_mpi N; /*!< public modulus */
  75. mbedtls_mpi E; /*!< public exponent */
  76. mbedtls_mpi D; /*!< private exponent */
  77. mbedtls_mpi P; /*!< 1st prime factor */
  78. mbedtls_mpi Q; /*!< 2nd prime factor */
  79. mbedtls_mpi DP; /*!< D % (P - 1) */
  80. mbedtls_mpi DQ; /*!< D % (Q - 1) */
  81. mbedtls_mpi QP; /*!< 1 / (Q % P) */
  82. mbedtls_mpi RN; /*!< cached R^2 mod N */
  83. mbedtls_mpi RP; /*!< cached R^2 mod P */
  84. mbedtls_mpi RQ; /*!< cached R^2 mod Q */
  85. mbedtls_mpi Vi; /*!< cached blinding value */
  86. mbedtls_mpi Vf; /*!< cached un-blinding value */
  87. int padding; /*!< MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
  88. MBEDTLS_RSA_PKCS_v21 for OAEP/PSS */
  89. int hash_id; /*!< Hash identifier of mbedtls_md_type_t as
  90. specified in the mbedtls_md.h header file
  91. for the EME-OAEP and EMSA-PSS
  92. encoding */
  93. #if defined(MBEDTLS_THREADING_C)
  94. mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex */
  95. #endif
  96. }
  97. mbedtls_rsa_context;
  98. /**
  99. * \brief Initialize an RSA context
  100. *
  101. * Note: Set padding to MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
  102. * encryption scheme and the RSASSA-PSS signature scheme.
  103. *
  104. * \param ctx RSA context to be initialized
  105. * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21
  106. * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier
  107. *
  108. * \note The hash_id parameter is actually ignored
  109. * when using MBEDTLS_RSA_PKCS_V15 padding.
  110. *
  111. * \note Choice of padding mode is strictly enforced for private key
  112. * operations, since there might be security concerns in
  113. * mixing padding modes. For public key operations it's merely
  114. * a default value, which can be overriden by calling specific
  115. * rsa_rsaes_xxx or rsa_rsassa_xxx functions.
  116. *
  117. * \note The chosen hash is always used for OEAP encryption.
  118. * For PSS signatures, it's always used for making signatures,
  119. * but can be overriden (and always is, if set to
  120. * MBEDTLS_MD_NONE) for verifying them.
  121. */
  122. void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
  123. int padding,
  124. int hash_id);
  125. /**
  126. * \brief Set padding for an already initialized RSA context
  127. * See \c mbedtls_rsa_init() for details.
  128. *
  129. * \param ctx RSA context to be set
  130. * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21
  131. * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier
  132. */
  133. void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id);
  134. /**
  135. * \brief Generate an RSA keypair
  136. *
  137. * \param ctx RSA context that will hold the key
  138. * \param f_rng RNG function
  139. * \param p_rng RNG parameter
  140. * \param nbits size of the public key in bits
  141. * \param exponent public exponent (e.g., 65537)
  142. *
  143. * \note mbedtls_rsa_init() must be called beforehand to setup
  144. * the RSA context.
  145. *
  146. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  147. */
  148. int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
  149. int (*f_rng)(void *, unsigned char *, size_t),
  150. void *p_rng,
  151. unsigned int nbits, int exponent );
  152. /**
  153. * \brief Check a public RSA key
  154. *
  155. * \param ctx RSA context to be checked
  156. *
  157. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  158. */
  159. int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
  160. /**
  161. * \brief Check a private RSA key
  162. *
  163. * \param ctx RSA context to be checked
  164. *
  165. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  166. */
  167. int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
  168. /**
  169. * \brief Check a public-private RSA key pair.
  170. * Check each of the contexts, and make sure they match.
  171. *
  172. * \param pub RSA context holding the public key
  173. * \param prv RSA context holding the private key
  174. *
  175. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  176. */
  177. int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv );
  178. /**
  179. * \brief Do an RSA public key operation
  180. *
  181. * \param ctx RSA context
  182. * \param input input buffer
  183. * \param output output buffer
  184. *
  185. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  186. *
  187. * \note This function does NOT take care of message
  188. * padding. Also, be sure to set input[0] = 0 or ensure that
  189. * input is smaller than N.
  190. *
  191. * \note The input and output buffers must be large
  192. * enough (eg. 128 bytes if RSA-1024 is used).
  193. */
  194. int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
  195. const unsigned char *input,
  196. unsigned char *output );
  197. /**
  198. * \brief Do an RSA private key operation
  199. *
  200. * \param ctx RSA context
  201. * \param f_rng RNG function (Needed for blinding)
  202. * \param p_rng RNG parameter
  203. * \param input input buffer
  204. * \param output output buffer
  205. *
  206. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  207. *
  208. * \note The input and output buffers must be large
  209. * enough (eg. 128 bytes if RSA-1024 is used).
  210. */
  211. int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
  212. int (*f_rng)(void *, unsigned char *, size_t),
  213. void *p_rng,
  214. const unsigned char *input,
  215. unsigned char *output );
  216. /**
  217. * \brief Generic wrapper to perform a PKCS#1 encryption using the
  218. * mode from the context. Add the message padding, then do an
  219. * RSA operation.
  220. *
  221. * \param ctx RSA context
  222. * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
  223. * and MBEDTLS_RSA_PRIVATE)
  224. * \param p_rng RNG parameter
  225. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  226. * \param ilen contains the plaintext length
  227. * \param input buffer holding the data to be encrypted
  228. * \param output buffer that will hold the ciphertext
  229. *
  230. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  231. *
  232. * \note The output buffer must be as large as the size
  233. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  234. */
  235. int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
  236. int (*f_rng)(void *, unsigned char *, size_t),
  237. void *p_rng,
  238. int mode, size_t ilen,
  239. const unsigned char *input,
  240. unsigned char *output );
  241. /**
  242. * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
  243. *
  244. * \param ctx RSA context
  245. * \param f_rng RNG function (Needed for padding and MBEDTLS_RSA_PRIVATE)
  246. * \param p_rng RNG parameter
  247. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  248. * \param ilen contains the plaintext length
  249. * \param input buffer holding the data to be encrypted
  250. * \param output buffer that will hold the ciphertext
  251. *
  252. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  253. *
  254. * \note The output buffer must be as large as the size
  255. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  256. */
  257. int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
  258. int (*f_rng)(void *, unsigned char *, size_t),
  259. void *p_rng,
  260. int mode, size_t ilen,
  261. const unsigned char *input,
  262. unsigned char *output );
  263. /**
  264. * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
  265. *
  266. * \param ctx RSA context
  267. * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
  268. * and MBEDTLS_RSA_PRIVATE)
  269. * \param p_rng RNG parameter
  270. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  271. * \param label buffer holding the custom label to use
  272. * \param label_len contains the label length
  273. * \param ilen contains the plaintext length
  274. * \param input buffer holding the data to be encrypted
  275. * \param output buffer that will hold the ciphertext
  276. *
  277. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  278. *
  279. * \note The output buffer must be as large as the size
  280. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  281. */
  282. int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
  283. int (*f_rng)(void *, unsigned char *, size_t),
  284. void *p_rng,
  285. int mode,
  286. const unsigned char *label, size_t label_len,
  287. size_t ilen,
  288. const unsigned char *input,
  289. unsigned char *output );
  290. /**
  291. * \brief Generic wrapper to perform a PKCS#1 decryption using the
  292. * mode from the context. Do an RSA operation, then remove
  293. * the message padding
  294. *
  295. * \param ctx RSA context
  296. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  297. * \param p_rng RNG parameter
  298. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  299. * \param olen will contain the plaintext length
  300. * \param input buffer holding the encrypted data
  301. * \param output buffer that will hold the plaintext
  302. * \param output_max_len maximum length of the output buffer
  303. *
  304. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  305. *
  306. * \note The output buffer must be as large as the size
  307. * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
  308. * an error is thrown.
  309. */
  310. int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
  311. int (*f_rng)(void *, unsigned char *, size_t),
  312. void *p_rng,
  313. int mode, size_t *olen,
  314. const unsigned char *input,
  315. unsigned char *output,
  316. size_t output_max_len );
  317. /**
  318. * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
  319. *
  320. * \param ctx RSA context
  321. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  322. * \param p_rng RNG parameter
  323. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  324. * \param olen will contain the plaintext length
  325. * \param input buffer holding the encrypted data
  326. * \param output buffer that will hold the plaintext
  327. * \param output_max_len maximum length of the output buffer
  328. *
  329. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  330. *
  331. * \note The output buffer must be as large as the size
  332. * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
  333. * an error is thrown.
  334. */
  335. int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
  336. int (*f_rng)(void *, unsigned char *, size_t),
  337. void *p_rng,
  338. int mode, size_t *olen,
  339. const unsigned char *input,
  340. unsigned char *output,
  341. size_t output_max_len );
  342. /**
  343. * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
  344. *
  345. * \param ctx RSA context
  346. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  347. * \param p_rng RNG parameter
  348. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  349. * \param label buffer holding the custom label to use
  350. * \param label_len contains the label length
  351. * \param olen will contain the plaintext length
  352. * \param input buffer holding the encrypted data
  353. * \param output buffer that will hold the plaintext
  354. * \param output_max_len maximum length of the output buffer
  355. *
  356. * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  357. *
  358. * \note The output buffer must be as large as the size
  359. * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
  360. * an error is thrown.
  361. */
  362. int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
  363. int (*f_rng)(void *, unsigned char *, size_t),
  364. void *p_rng,
  365. int mode,
  366. const unsigned char *label, size_t label_len,
  367. size_t *olen,
  368. const unsigned char *input,
  369. unsigned char *output,
  370. size_t output_max_len );
  371. /**
  372. * \brief Generic wrapper to perform a PKCS#1 signature using the
  373. * mode from the context. Do a private RSA operation to sign
  374. * a message digest
  375. *
  376. * \param ctx RSA context
  377. * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
  378. * MBEDTLS_RSA_PRIVATE)
  379. * \param p_rng RNG parameter
  380. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  381. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  382. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  383. * \param hash buffer holding the message digest
  384. * \param sig buffer that will hold the ciphertext
  385. *
  386. * \return 0 if the signing operation was successful,
  387. * or an MBEDTLS_ERR_RSA_XXX error code
  388. *
  389. * \note The "sig" buffer must be as large as the size
  390. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  391. *
  392. * \note In case of PKCS#1 v2.1 encoding, see comments on
  393. * \note \c mbedtls_rsa_rsassa_pss_sign() for details on md_alg and hash_id.
  394. */
  395. int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
  396. int (*f_rng)(void *, unsigned char *, size_t),
  397. void *p_rng,
  398. int mode,
  399. mbedtls_md_type_t md_alg,
  400. unsigned int hashlen,
  401. const unsigned char *hash,
  402. unsigned char *sig );
  403. /**
  404. * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
  405. *
  406. * \param ctx RSA context
  407. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  408. * \param p_rng RNG parameter
  409. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  410. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  411. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  412. * \param hash buffer holding the message digest
  413. * \param sig buffer that will hold the ciphertext
  414. *
  415. * \return 0 if the signing operation was successful,
  416. * or an MBEDTLS_ERR_RSA_XXX error code
  417. *
  418. * \note The "sig" buffer must be as large as the size
  419. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  420. */
  421. int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
  422. int (*f_rng)(void *, unsigned char *, size_t),
  423. void *p_rng,
  424. int mode,
  425. mbedtls_md_type_t md_alg,
  426. unsigned int hashlen,
  427. const unsigned char *hash,
  428. unsigned char *sig );
  429. /**
  430. * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
  431. *
  432. * \param ctx RSA context
  433. * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
  434. * MBEDTLS_RSA_PRIVATE)
  435. * \param p_rng RNG parameter
  436. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  437. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  438. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  439. * \param hash buffer holding the message digest
  440. * \param sig buffer that will hold the ciphertext
  441. *
  442. * \return 0 if the signing operation was successful,
  443. * or an MBEDTLS_ERR_RSA_XXX error code
  444. *
  445. * \note The "sig" buffer must be as large as the size
  446. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  447. *
  448. * \note The hash_id in the RSA context is the one used for the
  449. * encoding. md_alg in the function call is the type of hash
  450. * that is encoded. According to RFC 3447 it is advised to
  451. * keep both hashes the same.
  452. */
  453. int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
  454. int (*f_rng)(void *, unsigned char *, size_t),
  455. void *p_rng,
  456. int mode,
  457. mbedtls_md_type_t md_alg,
  458. unsigned int hashlen,
  459. const unsigned char *hash,
  460. unsigned char *sig );
  461. /**
  462. * \brief Generic wrapper to perform a PKCS#1 verification using the
  463. * mode from the context. Do a public RSA operation and check
  464. * the message digest
  465. *
  466. * \param ctx points to an RSA public key
  467. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  468. * \param p_rng RNG parameter
  469. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  470. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  471. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  472. * \param hash buffer holding the message digest
  473. * \param sig buffer holding the ciphertext
  474. *
  475. * \return 0 if the verify operation was successful,
  476. * or an MBEDTLS_ERR_RSA_XXX error code
  477. *
  478. * \note The "sig" buffer must be as large as the size
  479. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  480. *
  481. * \note In case of PKCS#1 v2.1 encoding, see comments on
  482. * \c mbedtls_rsa_rsassa_pss_verify() about md_alg and hash_id.
  483. */
  484. int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
  485. int (*f_rng)(void *, unsigned char *, size_t),
  486. void *p_rng,
  487. int mode,
  488. mbedtls_md_type_t md_alg,
  489. unsigned int hashlen,
  490. const unsigned char *hash,
  491. const unsigned char *sig );
  492. /**
  493. * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
  494. *
  495. * \param ctx points to an RSA public key
  496. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  497. * \param p_rng RNG parameter
  498. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  499. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  500. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  501. * \param hash buffer holding the message digest
  502. * \param sig buffer holding the ciphertext
  503. *
  504. * \return 0 if the verify operation was successful,
  505. * or an MBEDTLS_ERR_RSA_XXX error code
  506. *
  507. * \note The "sig" buffer must be as large as the size
  508. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  509. */
  510. int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
  511. int (*f_rng)(void *, unsigned char *, size_t),
  512. void *p_rng,
  513. int mode,
  514. mbedtls_md_type_t md_alg,
  515. unsigned int hashlen,
  516. const unsigned char *hash,
  517. const unsigned char *sig );
  518. /**
  519. * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
  520. * (This is the "simple" version.)
  521. *
  522. * \param ctx points to an RSA public key
  523. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  524. * \param p_rng RNG parameter
  525. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  526. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  527. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  528. * \param hash buffer holding the message digest
  529. * \param sig buffer holding the ciphertext
  530. *
  531. * \return 0 if the verify operation was successful,
  532. * or an MBEDTLS_ERR_RSA_XXX error code
  533. *
  534. * \note The "sig" buffer must be as large as the size
  535. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  536. *
  537. * \note The hash_id in the RSA context is the one used for the
  538. * verification. md_alg in the function call is the type of
  539. * hash that is verified. According to RFC 3447 it is advised to
  540. * keep both hashes the same. If hash_id in the RSA context is
  541. * unset, the md_alg from the function call is used.
  542. */
  543. int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
  544. int (*f_rng)(void *, unsigned char *, size_t),
  545. void *p_rng,
  546. int mode,
  547. mbedtls_md_type_t md_alg,
  548. unsigned int hashlen,
  549. const unsigned char *hash,
  550. const unsigned char *sig );
  551. /**
  552. * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
  553. * (This is the version with "full" options.)
  554. *
  555. * \param ctx points to an RSA public key
  556. * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
  557. * \param p_rng RNG parameter
  558. * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
  559. * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
  560. * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
  561. * \param hash buffer holding the message digest
  562. * \param mgf1_hash_id message digest used for mask generation
  563. * \param expected_salt_len Length of the salt used in padding, use
  564. * MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length
  565. * \param sig buffer holding the ciphertext
  566. *
  567. * \return 0 if the verify operation was successful,
  568. * or an MBEDTLS_ERR_RSA_XXX error code
  569. *
  570. * \note The "sig" buffer must be as large as the size
  571. * of ctx->N (eg. 128 bytes if RSA-1024 is used).
  572. *
  573. * \note The hash_id in the RSA context is ignored.
  574. */
  575. int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
  576. int (*f_rng)(void *, unsigned char *, size_t),
  577. void *p_rng,
  578. int mode,
  579. mbedtls_md_type_t md_alg,
  580. unsigned int hashlen,
  581. const unsigned char *hash,
  582. mbedtls_md_type_t mgf1_hash_id,
  583. int expected_salt_len,
  584. const unsigned char *sig );
  585. /**
  586. * \brief Copy the components of an RSA context
  587. *
  588. * \param dst Destination context
  589. * \param src Source context
  590. *
  591. * \return 0 on success,
  592. * MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure
  593. */
  594. int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
  595. /**
  596. * \brief Free the components of an RSA key
  597. *
  598. * \param ctx RSA Context to free
  599. */
  600. void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
  601. /**
  602. * \brief Checkup routine
  603. *
  604. * \return 0 if successful, or 1 if the test failed
  605. */
  606. int mbedtls_rsa_self_test( int verbose );
  607. #ifdef __cplusplus
  608. }
  609. #endif
  610. #endif /* MBEDTLS_RSA_C */
  611. #endif /* rsa.h */