]> git.zerfleddert.de Git - proxmark3-svn/blame - common/mbedtls/rsa.h
Add ROCA vulnerability test (RRG repository PR 76 by @merlokk) (#762)
[proxmark3-svn] / common / mbedtls / rsa.h
CommitLineData
700d8687
OM
1/**
2 * \file rsa.h
3 *
4 * \brief This file provides an API for the RSA public-key cryptosystem.
5 *
6 * The RSA public-key cryptosystem is defined in <em>Public-Key
7 * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
8 * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
9 * RSA Cryptography Specifications</em>.
10 *
11 */
12/*
13 * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
14 * SPDX-License-Identifier: GPL-2.0
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License along
27 * with this program; if not, write to the Free Software Foundation, Inc.,
28 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 *
30 * This file is part of Mbed TLS (https://tls.mbed.org)
31 */
32#ifndef MBEDTLS_RSA_H
33#define MBEDTLS_RSA_H
34
35#if !defined(MBEDTLS_CONFIG_FILE)
36#include "config.h"
37#else
38#include MBEDTLS_CONFIG_FILE
39#endif
40
41#include "bignum.h"
42#include "md.h"
43
44#if defined(MBEDTLS_THREADING_C)
45#include "threading.h"
46#endif
47
48/*
49 * RSA Error codes
50 */
51#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
52#define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
53#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
54#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the validity check of the library. */
55#define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
56#define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
57#define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
58#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
59#define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
60#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
61#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED -0x4580 /**< RSA hardware accelerator failed. */
62
63/*
64 * RSA constants
65 */
66#define MBEDTLS_RSA_PUBLIC 0 /**< Request private key operation. */
67#define MBEDTLS_RSA_PRIVATE 1 /**< Request public key operation. */
68
69#define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */
70#define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */
71
72#define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */
73#define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */
74
75#define MBEDTLS_RSA_SALT_LEN_ANY -1
76
77/*
78 * The above constants may be used even if the RSA module is compile out,
79 * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
80 */
81
82#ifdef __cplusplus
83extern "C" {
84#endif
85
86#if !defined(MBEDTLS_RSA_ALT)
87// Regular implementation
88//
89
90/**
91 * \brief The RSA context structure.
92 *
93 * \note Direct manipulation of the members of this structure
94 * is deprecated. All manipulation should instead be done through
95 * the public interface functions.
96 */
97typedef struct mbedtls_rsa_context
98{
99 int ver; /*!< Always 0.*/
100 size_t len; /*!< The size of \p N in Bytes. */
101
102 mbedtls_mpi N; /*!< The public modulus. */
103 mbedtls_mpi E; /*!< The public exponent. */
104
105 mbedtls_mpi D; /*!< The private exponent. */
106 mbedtls_mpi P; /*!< The first prime factor. */
107 mbedtls_mpi Q; /*!< The second prime factor. */
108
109 mbedtls_mpi DP; /*!< <code>D % (P - 1)</code>. */
110 mbedtls_mpi DQ; /*!< <code>D % (Q - 1)</code>. */
111 mbedtls_mpi QP; /*!< <code>1 / (Q % P)</code>. */
112
113 mbedtls_mpi RN; /*!< cached <code>R^2 mod N</code>. */
114
115 mbedtls_mpi RP; /*!< cached <code>R^2 mod P</code>. */
116 mbedtls_mpi RQ; /*!< cached <code>R^2 mod Q</code>. */
117
118 mbedtls_mpi Vi; /*!< The cached blinding value. */
119 mbedtls_mpi Vf; /*!< The cached un-blinding value. */
120
121 int padding; /*!< Selects padding mode:
122 #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
123 #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
124 int hash_id; /*!< Hash identifier of mbedtls_md_type_t type,
125 as specified in md.h for use in the MGF
126 mask generating function used in the
127 EME-OAEP and EMSA-PSS encodings. */
128#if defined(MBEDTLS_THREADING_C)
129 mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex. */
130#endif
131}
132mbedtls_rsa_context;
133
134#else /* MBEDTLS_RSA_ALT */
135#include "rsa_alt.h"
136#endif /* MBEDTLS_RSA_ALT */
137
138/**
139 * \brief This function initializes an RSA context.
140 *
141 * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
142 * encryption scheme and the RSASSA-PSS signature scheme.
143 *
144 * \note The \p hash_id parameter is ignored when using
145 * #MBEDTLS_RSA_PKCS_V15 padding.
146 *
147 * \note The choice of padding mode is strictly enforced for private key
148 * operations, since there might be security concerns in
149 * mixing padding modes. For public key operations it is
150 * a default value, which can be overriden by calling specific
151 * \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
152 *
153 * \note The hash selected in \p hash_id is always used for OEAP
154 * encryption. For PSS signatures, it is always used for
155 * making signatures, but can be overriden for verifying them.
156 * If set to #MBEDTLS_MD_NONE, it is always overriden.
157 *
158 * \param ctx The RSA context to initialize.
159 * \param padding Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
160 * #MBEDTLS_RSA_PKCS_V21.
161 * \param hash_id The hash identifier of #mbedtls_md_type_t type, if
162 * \p padding is #MBEDTLS_RSA_PKCS_V21.
163 */
164void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
165 int padding,
166 int hash_id);
167
168/**
169 * \brief This function imports a set of core parameters into an
170 * RSA context.
171 *
172 * \note This function can be called multiple times for successive
173 * imports, if the parameters are not simultaneously present.
174 *
175 * Any sequence of calls to this function should be followed
176 * by a call to mbedtls_rsa_complete(), which checks and
177 * completes the provided information to a ready-for-use
178 * public or private RSA key.
179 *
180 * \note See mbedtls_rsa_complete() for more information on which
181 * parameters are necessary to set up a private or public
182 * RSA key.
183 *
184 * \note The imported parameters are copied and need not be preserved
185 * for the lifetime of the RSA context being set up.
186 *
187 * \param ctx The initialized RSA context to store the parameters in.
188 * \param N The RSA modulus, or NULL.
189 * \param P The first prime factor of \p N, or NULL.
190 * \param Q The second prime factor of \p N, or NULL.
191 * \param D The private exponent, or NULL.
192 * \param E The public exponent, or NULL.
193 *
194 * \return \c 0 on success.
195 * \return A non-zero error code on failure.
196 */
197int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
198 const mbedtls_mpi *N,
199 const mbedtls_mpi *P, const mbedtls_mpi *Q,
200 const mbedtls_mpi *D, const mbedtls_mpi *E );
201
202/**
203 * \brief This function imports core RSA parameters, in raw big-endian
204 * binary format, into an RSA context.
205 *
206 * \note This function can be called multiple times for successive
207 * imports, if the parameters are not simultaneously present.
208 *
209 * Any sequence of calls to this function should be followed
210 * by a call to mbedtls_rsa_complete(), which checks and
211 * completes the provided information to a ready-for-use
212 * public or private RSA key.
213 *
214 * \note See mbedtls_rsa_complete() for more information on which
215 * parameters are necessary to set up a private or public
216 * RSA key.
217 *
218 * \note The imported parameters are copied and need not be preserved
219 * for the lifetime of the RSA context being set up.
220 *
221 * \param ctx The initialized RSA context to store the parameters in.
222 * \param N The RSA modulus, or NULL.
223 * \param N_len The Byte length of \p N, ignored if \p N == NULL.
224 * \param P The first prime factor of \p N, or NULL.
225 * \param P_len The Byte length of \p P, ignored if \p P == NULL.
226 * \param Q The second prime factor of \p N, or NULL.
227 * \param Q_len The Byte length of \p Q, ignored if \p Q == NULL.
228 * \param D The private exponent, or NULL.
229 * \param D_len The Byte length of \p D, ignored if \p D == NULL.
230 * \param E The public exponent, or NULL.
231 * \param E_len The Byte length of \p E, ignored if \p E == NULL.
232 *
233 * \return \c 0 on success.
234 * \return A non-zero error code on failure.
235 */
236int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
237 unsigned char const *N, size_t N_len,
238 unsigned char const *P, size_t P_len,
239 unsigned char const *Q, size_t Q_len,
240 unsigned char const *D, size_t D_len,
241 unsigned char const *E, size_t E_len );
242
243/**
244 * \brief This function completes an RSA context from
245 * a set of imported core parameters.
246 *
247 * To setup an RSA public key, precisely \p N and \p E
248 * must have been imported.
249 *
250 * To setup an RSA private key, sufficient information must
251 * be present for the other parameters to be derivable.
252 *
253 * The default implementation supports the following:
254 * <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li>
255 * <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul>
256 * Alternative implementations need not support these.
257 *
258 * If this function runs successfully, it guarantees that
259 * the RSA context can be used for RSA operations without
260 * the risk of failure or crash.
261 *
262 * \warning This function need not perform consistency checks
263 * for the imported parameters. In particular, parameters that
264 * are not needed by the implementation might be silently
265 * discarded and left unchecked. To check the consistency
266 * of the key material, see mbedtls_rsa_check_privkey().
267 *
268 * \param ctx The initialized RSA context holding imported parameters.
269 *
270 * \return \c 0 on success.
271 * \return #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
272 * failed.
273 *
274 */
275int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
276
277/**
278 * \brief This function exports the core parameters of an RSA key.
279 *
280 * If this function runs successfully, the non-NULL buffers
281 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
282 * written, with additional unused space filled leading by
283 * zero Bytes.
284 *
285 * Possible reasons for returning
286 * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
287 * <li>An alternative RSA implementation is in use, which
288 * stores the key externally, and either cannot or should
289 * not export it into RAM.</li>
290 * <li>A SW or HW implementation might not support a certain
291 * deduction. For example, \p P, \p Q from \p N, \p D,
292 * and \p E if the former are not part of the
293 * implementation.</li></ul>
294 *
295 * If the function fails due to an unsupported operation,
296 * the RSA context stays intact and remains usable.
297 *
298 * \param ctx The initialized RSA context.
299 * \param N The MPI to hold the RSA modulus, or NULL.
300 * \param P The MPI to hold the first prime factor of \p N, or NULL.
301 * \param Q The MPI to hold the second prime factor of \p N, or NULL.
302 * \param D The MPI to hold the private exponent, or NULL.
303 * \param E The MPI to hold the public exponent, or NULL.
304 *
305 * \return \c 0 on success.
306 * \return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
307 * requested parameters cannot be done due to missing
308 * functionality or because of security policies.
309 * \return A non-zero return code on any other failure.
310 *
311 */
312int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
313 mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
314 mbedtls_mpi *D, mbedtls_mpi *E );
315
316/**
317 * \brief This function exports core parameters of an RSA key
318 * in raw big-endian binary format.
319 *
320 * If this function runs successfully, the non-NULL buffers
321 * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
322 * written, with additional unused space filled leading by
323 * zero Bytes.
324 *
325 * Possible reasons for returning
326 * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:<ul>
327 * <li>An alternative RSA implementation is in use, which
328 * stores the key externally, and either cannot or should
329 * not export it into RAM.</li>
330 * <li>A SW or HW implementation might not support a certain
331 * deduction. For example, \p P, \p Q from \p N, \p D,
332 * and \p E if the former are not part of the
333 * implementation.</li></ul>
334 * If the function fails due to an unsupported operation,
335 * the RSA context stays intact and remains usable.
336 *
337 * \note The length parameters are ignored if the corresponding
338 * buffer pointers are NULL.
339 *
340 * \param ctx The initialized RSA context.
341 * \param N The Byte array to store the RSA modulus, or NULL.
342 * \param N_len The size of the buffer for the modulus.
343 * \param P The Byte array to hold the first prime factor of \p N, or
344 * NULL.
345 * \param P_len The size of the buffer for the first prime factor.
346 * \param Q The Byte array to hold the second prime factor of \p N, or
347 * NULL.
348 * \param Q_len The size of the buffer for the second prime factor.
349 * \param D The Byte array to hold the private exponent, or NULL.
350 * \param D_len The size of the buffer for the private exponent.
351 * \param E The Byte array to hold the public exponent, or NULL.
352 * \param E_len The size of the buffer for the public exponent.
353 *
354 * \return \c 0 on success.
355 * \return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the
356 * requested parameters cannot be done due to missing
357 * functionality or because of security policies.
358 * \return A non-zero return code on any other failure.
359 */
360int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
361 unsigned char *N, size_t N_len,
362 unsigned char *P, size_t P_len,
363 unsigned char *Q, size_t Q_len,
364 unsigned char *D, size_t D_len,
365 unsigned char *E, size_t E_len );
366
367/**
368 * \brief This function exports CRT parameters of a private RSA key.
369 *
370 * \note Alternative RSA implementations not using CRT-parameters
371 * internally can implement this function based on
372 * mbedtls_rsa_deduce_opt().
373 *
374 * \param ctx The initialized RSA context.
375 * \param DP The MPI to hold D modulo P-1, or NULL.
376 * \param DQ The MPI to hold D modulo Q-1, or NULL.
377 * \param QP The MPI to hold modular inverse of Q modulo P, or NULL.
378 *
379 * \return \c 0 on success.
380 * \return A non-zero error code on failure.
381 *
382 */
383int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
384 mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP );
385
386/**
387 * \brief This function sets padding for an already initialized RSA
388 * context. See mbedtls_rsa_init() for details.
389 *
390 * \param ctx The RSA context to be set.
391 * \param padding Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or
392 * #MBEDTLS_RSA_PKCS_V21.
393 * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier.
394 */
395void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
396 int hash_id);
397
398/**
399 * \brief This function retrieves the length of RSA modulus in Bytes.
400 *
401 * \param ctx The initialized RSA context.
402 *
403 * \return The length of the RSA modulus in Bytes.
404 *
405 */
406size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
407
408/**
409 * \brief This function generates an RSA keypair.
410 *
411 * \note mbedtls_rsa_init() must be called before this function,
412 * to set up the RSA context.
413 *
414 * \param ctx The RSA context used to hold the key.
415 * \param f_rng The RNG function.
416 * \param p_rng The RNG context.
417 * \param nbits The size of the public key in bits.
418 * \param exponent The public exponent. For example, 65537.
419 *
420 * \return \c 0 on success.
421 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
422 */
423int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
424 int (*f_rng)(void *, unsigned char *, size_t),
425 void *p_rng,
426 unsigned int nbits, int exponent );
427
428/**
429 * \brief This function checks if a context contains at least an RSA
430 * public key.
431 *
432 * If the function runs successfully, it is guaranteed that
433 * enough information is present to perform an RSA public key
434 * operation using mbedtls_rsa_public().
435 *
436 * \param ctx The RSA context to check.
437 *
438 * \return \c 0 on success.
439 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
440 *
441 */
442int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
443
444/**
445 * \brief This function checks if a context contains an RSA private key
446 * and perform basic consistency checks.
447 *
448 * \note The consistency checks performed by this function not only
449 * ensure that mbedtls_rsa_private() can be called successfully
450 * on the given context, but that the various parameters are
451 * mutually consistent with high probability, in the sense that
452 * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
453 *
454 * \warning This function should catch accidental misconfigurations
455 * like swapping of parameters, but it cannot establish full
456 * trust in neither the quality nor the consistency of the key
457 * material that was used to setup the given RSA context:
458 * <ul><li>Consistency: Imported parameters that are irrelevant
459 * for the implementation might be silently dropped. If dropped,
460 * the current function does not have access to them,
461 * and therefore cannot check them. See mbedtls_rsa_complete().
462 * If you want to check the consistency of the entire
463 * content of an PKCS1-encoded RSA private key, for example, you
464 * should use mbedtls_rsa_validate_params() before setting
465 * up the RSA context.
466 * Additionally, if the implementation performs empirical checks,
467 * these checks substantiate but do not guarantee consistency.</li>
468 * <li>Quality: This function is not expected to perform
469 * extended quality assessments like checking that the prime
470 * factors are safe. Additionally, it is the responsibility of the
471 * user to ensure the trustworthiness of the source of his RSA
472 * parameters, which goes beyond what is effectively checkable
473 * by the library.</li></ul>
474 *
475 * \param ctx The RSA context to check.
476 *
477 * \return \c 0 on success.
478 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
479 */
480int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
481
482/**
483 * \brief This function checks a public-private RSA key pair.
484 *
485 * It checks each of the contexts, and makes sure they match.
486 *
487 * \param pub The RSA context holding the public key.
488 * \param prv The RSA context holding the private key.
489 *
490 * \return \c 0 on success.
491 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
492 */
493int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
494 const mbedtls_rsa_context *prv );
495
496/**
497 * \brief This function performs an RSA public key operation.
498 *
499 * \note This function does not handle message padding.
500 *
501 * \note Make sure to set \p input[0] = 0 or ensure that
502 * input is smaller than \p N.
503 *
504 * \note The input and output buffers must be large
505 * enough. For example, 128 Bytes if RSA-1024 is used.
506 *
507 * \param ctx The RSA context.
508 * \param input The input buffer.
509 * \param output The output buffer.
510 *
511 * \return \c 0 on success.
512 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
513 */
514int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
515 const unsigned char *input,
516 unsigned char *output );
517
518/**
519 * \brief This function performs an RSA private key operation.
520 *
521 * \note The input and output buffers must be large
522 * enough. For example, 128 Bytes if RSA-1024 is used.
523 *
524 * \note Blinding is used if and only if a PRNG is provided.
525 *
526 * \note If blinding is used, both the base of exponentation
527 * and the exponent are blinded, providing protection
528 * against some side-channel attacks.
529 *
530 * \warning It is deprecated and a security risk to not provide
531 * a PRNG here and thereby prevent the use of blinding.
532 * Future versions of the library may enforce the presence
533 * of a PRNG.
534 *
535 * \param ctx The RSA context.
536 * \param f_rng The RNG function. Needed for blinding.
537 * \param p_rng The RNG context.
538 * \param input The input buffer.
539 * \param output The output buffer.
540 *
541 * \return \c 0 on success.
542 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
543 *
544 */
545int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
546 int (*f_rng)(void *, unsigned char *, size_t),
547 void *p_rng,
548 const unsigned char *input,
549 unsigned char *output );
550
551/**
552 * \brief This function adds the message padding, then performs an RSA
553 * operation.
554 *
555 * It is the generic wrapper for performing a PKCS#1 encryption
556 * operation using the \p mode from the context.
557 *
558 * \note The input and output buffers must be as large as the size
559 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
560 *
561 * \deprecated It is deprecated and discouraged to call this function
562 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
563 * are likely to remove the \p mode argument and have it
564 * implicitly set to #MBEDTLS_RSA_PUBLIC.
565 *
566 * \note Alternative implementations of RSA need not support
567 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
568 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
569 *
570 * \param ctx The RSA context.
571 * \param f_rng The RNG function. Needed for padding, PKCS#1 v2.1
572 * encoding, and #MBEDTLS_RSA_PRIVATE.
573 * \param p_rng The RNG context.
574 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
575 * \param ilen The length of the plaintext.
576 * \param input The buffer holding the data to encrypt.
577 * \param output The buffer used to hold the ciphertext.
578 *
579 * \return \c 0 on success.
580 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
581 */
582int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
583 int (*f_rng)(void *, unsigned char *, size_t),
584 void *p_rng,
585 int mode, size_t ilen,
586 const unsigned char *input,
587 unsigned char *output );
588
589/**
590 * \brief This function performs a PKCS#1 v1.5 encryption operation
591 * (RSAES-PKCS1-v1_5-ENCRYPT).
592 *
593 * \note The output buffer must be as large as the size
594 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
595 *
596 * \deprecated It is deprecated and discouraged to call this function
597 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
598 * are likely to remove the \p mode argument and have it
599 * implicitly set to #MBEDTLS_RSA_PUBLIC.
600 *
601 * \note Alternative implementations of RSA need not support
602 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
603 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
604 *
605 * \param ctx The RSA context.
606 * \param f_rng The RNG function. Needed for padding and
607 * #MBEDTLS_RSA_PRIVATE.
608 * \param p_rng The RNG context.
609 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
610 * \param ilen The length of the plaintext.
611 * \param input The buffer holding the data to encrypt.
612 * \param output The buffer used to hold the ciphertext.
613 *
614 * \return \c 0 on success.
615 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
616 */
617int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
618 int (*f_rng)(void *, unsigned char *, size_t),
619 void *p_rng,
620 int mode, size_t ilen,
621 const unsigned char *input,
622 unsigned char *output );
623
624/**
625 * \brief This function performs a PKCS#1 v2.1 OAEP encryption
626 * operation (RSAES-OAEP-ENCRYPT).
627 *
628 * \note The output buffer must be as large as the size
629 * of ctx->N. For example, 128 Bytes if RSA-1024 is used.
630 *
631 * \deprecated It is deprecated and discouraged to call this function
632 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
633 * are likely to remove the \p mode argument and have it
634 * implicitly set to #MBEDTLS_RSA_PUBLIC.
635 *
636 * \note Alternative implementations of RSA need not support
637 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
638 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
639 *
640 * \param ctx The RSA context.
641 * \param f_rng The RNG function. Needed for padding and PKCS#1 v2.1
642 * encoding and #MBEDTLS_RSA_PRIVATE.
643 * \param p_rng The RNG context.
644 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
645 * \param label The buffer holding the custom label to use.
646 * \param label_len The length of the label.
647 * \param ilen The length of the plaintext.
648 * \param input The buffer holding the data to encrypt.
649 * \param output The buffer used to hold the ciphertext.
650 *
651 * \return \c 0 on success.
652 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
653 */
654int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
655 int (*f_rng)(void *, unsigned char *, size_t),
656 void *p_rng,
657 int mode,
658 const unsigned char *label, size_t label_len,
659 size_t ilen,
660 const unsigned char *input,
661 unsigned char *output );
662
663/**
664 * \brief This function performs an RSA operation, then removes the
665 * message padding.
666 *
667 * It is the generic wrapper for performing a PKCS#1 decryption
668 * operation using the \p mode from the context.
669 *
670 * \note The output buffer length \c output_max_len should be
671 * as large as the size \p ctx->len of \p ctx->N (for example,
672 * 128 Bytes if RSA-1024 is used) to be able to hold an
673 * arbitrary decrypted message. If it is not large enough to
674 * hold the decryption of the particular ciphertext provided,
675 * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
676 *
677 * \note The input buffer must be as large as the size
678 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
679 *
680 * \deprecated It is deprecated and discouraged to call this function
681 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
682 * are likely to remove the \p mode argument and have it
683 * implicitly set to #MBEDTLS_RSA_PRIVATE.
684 *
685 * \note Alternative implementations of RSA need not support
686 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
687 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
688 *
689 * \param ctx The RSA context.
690 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
691 * \param p_rng The RNG context.
692 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
693 * \param olen The length of the plaintext.
694 * \param input The buffer holding the encrypted data.
695 * \param output The buffer used to hold the plaintext.
696 * \param output_max_len The maximum length of the output buffer.
697 *
698 * \return \c 0 on success.
699 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
700 */
701int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
702 int (*f_rng)(void *, unsigned char *, size_t),
703 void *p_rng,
704 int mode, size_t *olen,
705 const unsigned char *input,
706 unsigned char *output,
707 size_t output_max_len );
708
709/**
710 * \brief This function performs a PKCS#1 v1.5 decryption
711 * operation (RSAES-PKCS1-v1_5-DECRYPT).
712 *
713 * \note The output buffer length \c output_max_len should be
714 * as large as the size \p ctx->len of \p ctx->N, for example,
715 * 128 Bytes if RSA-1024 is used, to be able to hold an
716 * arbitrary decrypted message. If it is not large enough to
717 * hold the decryption of the particular ciphertext provided,
718 * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
719 *
720 * \note The input buffer must be as large as the size
721 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
722 *
723 * \deprecated It is deprecated and discouraged to call this function
724 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
725 * are likely to remove the \p mode argument and have it
726 * implicitly set to #MBEDTLS_RSA_PRIVATE.
727 *
728 * \note Alternative implementations of RSA need not support
729 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
730 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
731 *
732 * \param ctx The RSA context.
733 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
734 * \param p_rng The RNG context.
735 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
736 * \param olen The length of the plaintext.
737 * \param input The buffer holding the encrypted data.
738 * \param output The buffer to hold the plaintext.
739 * \param output_max_len The maximum length of the output buffer.
740 *
741 * \return \c 0 on success.
742 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
743 *
744 */
745int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
746 int (*f_rng)(void *, unsigned char *, size_t),
747 void *p_rng,
748 int mode, size_t *olen,
749 const unsigned char *input,
750 unsigned char *output,
751 size_t output_max_len );
752
753/**
754 * \brief This function performs a PKCS#1 v2.1 OAEP decryption
755 * operation (RSAES-OAEP-DECRYPT).
756 *
757 * \note The output buffer length \c output_max_len should be
758 * as large as the size \p ctx->len of \p ctx->N, for
759 * example, 128 Bytes if RSA-1024 is used, to be able to
760 * hold an arbitrary decrypted message. If it is not
761 * large enough to hold the decryption of the particular
762 * ciphertext provided, the function returns
763 * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
764 *
765 * \note The input buffer must be as large as the size
766 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
767 *
768 * \deprecated It is deprecated and discouraged to call this function
769 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
770 * are likely to remove the \p mode argument and have it
771 * implicitly set to #MBEDTLS_RSA_PRIVATE.
772 *
773 * \note Alternative implementations of RSA need not support
774 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
775 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
776 *
777 * \param ctx The RSA context.
778 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
779 * \param p_rng The RNG context.
780 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
781 * \param label The buffer holding the custom label to use.
782 * \param label_len The length of the label.
783 * \param olen The length of the plaintext.
784 * \param input The buffer holding the encrypted data.
785 * \param output The buffer to hold the plaintext.
786 * \param output_max_len The maximum length of the output buffer.
787 *
788 * \return \c 0 on success.
789 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
790 */
791int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
792 int (*f_rng)(void *, unsigned char *, size_t),
793 void *p_rng,
794 int mode,
795 const unsigned char *label, size_t label_len,
796 size_t *olen,
797 const unsigned char *input,
798 unsigned char *output,
799 size_t output_max_len );
800
801/**
802 * \brief This function performs a private RSA operation to sign
803 * a message digest using PKCS#1.
804 *
805 * It is the generic wrapper for performing a PKCS#1
806 * signature using the \p mode from the context.
807 *
808 * \note The \p sig buffer must be as large as the size
809 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
810 *
811 * \note For PKCS#1 v2.1 encoding, see comments on
812 * mbedtls_rsa_rsassa_pss_sign() for details on
813 * \p md_alg and \p hash_id.
814 *
815 * \deprecated It is deprecated and discouraged to call this function
816 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
817 * are likely to remove the \p mode argument and have it
818 * implicitly set to #MBEDTLS_RSA_PRIVATE.
819 *
820 * \note Alternative implementations of RSA need not support
821 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
822 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
823 *
824 * \param ctx The RSA context.
825 * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
826 * #MBEDTLS_RSA_PRIVATE.
827 * \param p_rng The RNG context.
828 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
829 * \param md_alg The message-digest algorithm used to hash the original data.
830 * Use #MBEDTLS_MD_NONE for signing raw data.
831 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
832 * \param hash The buffer holding the message digest.
833 * \param sig The buffer to hold the ciphertext.
834 *
835 * \return \c 0 if the signing operation was successful.
836 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
837 */
838int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
839 int (*f_rng)(void *, unsigned char *, size_t),
840 void *p_rng,
841 int mode,
842 mbedtls_md_type_t md_alg,
843 unsigned int hashlen,
844 const unsigned char *hash,
845 unsigned char *sig );
846
847/**
848 * \brief This function performs a PKCS#1 v1.5 signature
849 * operation (RSASSA-PKCS1-v1_5-SIGN).
850 *
851 * \note The \p sig buffer must be as large as the size
852 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
853 *
854 * \deprecated It is deprecated and discouraged to call this function
855 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
856 * are likely to remove the \p mode argument and have it
857 * implicitly set to #MBEDTLS_RSA_PRIVATE.
858 *
859 * \note Alternative implementations of RSA need not support
860 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
861 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
862 *
863 * \param ctx The RSA context.
864 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
865 * \param p_rng The RNG context.
866 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
867 * \param md_alg The message-digest algorithm used to hash the original data.
868 * Use #MBEDTLS_MD_NONE for signing raw data.
869 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
870 * \param hash The buffer holding the message digest.
871 * \param sig The buffer to hold the ciphertext.
872 *
873 * \return \c 0 if the signing operation was successful.
874 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
875 */
876int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
877 int (*f_rng)(void *, unsigned char *, size_t),
878 void *p_rng,
879 int mode,
880 mbedtls_md_type_t md_alg,
881 unsigned int hashlen,
882 const unsigned char *hash,
883 unsigned char *sig );
884
885/**
886 * \brief This function performs a PKCS#1 v2.1 PSS signature
887 * operation (RSASSA-PSS-SIGN).
888 *
889 * \note The \p sig buffer must be as large as the size
890 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
891 *
892 * \note The \p hash_id in the RSA context is the one used for the
893 * encoding. \p md_alg in the function call is the type of hash
894 * that is encoded. According to <em>RFC-3447: Public-Key
895 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
896 * Specifications</em> it is advised to keep both hashes the
897 * same.
898 *
899 * \deprecated It is deprecated and discouraged to call this function
900 * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
901 * are likely to remove the \p mode argument and have it
902 * implicitly set to #MBEDTLS_RSA_PRIVATE.
903 *
904 * \note Alternative implementations of RSA need not support
905 * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
906 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
907 *
908 * \param ctx The RSA context.
909 * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
910 * #MBEDTLS_RSA_PRIVATE.
911 * \param p_rng The RNG context.
912 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
913 * \param md_alg The message-digest algorithm used to hash the original data.
914 * Use #MBEDTLS_MD_NONE for signing raw data.
915 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
916 * \param hash The buffer holding the message digest.
917 * \param sig The buffer to hold the ciphertext.
918 *
919 * \return \c 0 if the signing operation was successful.
920 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
921 */
922int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
923 int (*f_rng)(void *, unsigned char *, size_t),
924 void *p_rng,
925 int mode,
926 mbedtls_md_type_t md_alg,
927 unsigned int hashlen,
928 const unsigned char *hash,
929 unsigned char *sig );
930
931/**
932 * \brief This function performs a public RSA operation and checks
933 * the message digest.
934 *
935 * This is the generic wrapper for performing a PKCS#1
936 * verification using the mode from the context.
937 *
938 * \note The \p sig buffer must be as large as the size
939 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
940 *
941 * \note For PKCS#1 v2.1 encoding, see comments on
942 * mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
943 * \p hash_id.
944 *
945 * \deprecated It is deprecated and discouraged to call this function
946 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
947 * are likely to remove the \p mode argument and have it
948 * set to #MBEDTLS_RSA_PUBLIC.
949 *
950 * \note Alternative implementations of RSA need not support
951 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
952 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
953 *
954 * \param ctx The RSA public key context.
955 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
956 * \param p_rng The RNG context.
957 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
958 * \param md_alg The message-digest algorithm used to hash the original data.
959 * Use #MBEDTLS_MD_NONE for signing raw data.
960 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
961 * \param hash The buffer holding the message digest.
962 * \param sig The buffer holding the ciphertext.
963 *
964 * \return \c 0 if the verify operation was successful.
965 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
966 */
967int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
968 int (*f_rng)(void *, unsigned char *, size_t),
969 void *p_rng,
970 int mode,
971 mbedtls_md_type_t md_alg,
972 unsigned int hashlen,
973 const unsigned char *hash,
974 const unsigned char *sig );
975
976/**
977 * \brief This function performs a PKCS#1 v1.5 verification
978 * operation (RSASSA-PKCS1-v1_5-VERIFY).
979 *
980 * \note The \p sig buffer must be as large as the size
981 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
982 *
983 * \deprecated It is deprecated and discouraged to call this function
984 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
985 * are likely to remove the \p mode argument and have it
986 * set to #MBEDTLS_RSA_PUBLIC.
987 *
988 * \note Alternative implementations of RSA need not support
989 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
990 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
991 *
992 * \param ctx The RSA public key context.
993 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
994 * \param p_rng The RNG context.
995 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
996 * \param md_alg The message-digest algorithm used to hash the original data.
997 * Use #MBEDTLS_MD_NONE for signing raw data.
998 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
999 * \param hash The buffer holding the message digest.
1000 * \param sig The buffer holding the ciphertext.
1001 *
1002 * \return \c 0 if the verify operation was successful.
1003 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
1004 */
1005int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
1006 int (*f_rng)(void *, unsigned char *, size_t),
1007 void *p_rng,
1008 int mode,
1009 mbedtls_md_type_t md_alg,
1010 unsigned int hashlen,
1011 const unsigned char *hash,
1012 const unsigned char *sig );
1013
1014/**
1015 * \brief This function performs a PKCS#1 v2.1 PSS verification
1016 * operation (RSASSA-PSS-VERIFY).
1017 *
1018 * The hash function for the MGF mask generating function
1019 * is that specified in the RSA context.
1020 *
1021 * \note The \p sig buffer must be as large as the size
1022 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
1023 *
1024 * \note The \p hash_id in the RSA context is the one used for the
1025 * verification. \p md_alg in the function call is the type of
1026 * hash that is verified. According to <em>RFC-3447: Public-Key
1027 * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
1028 * Specifications</em> it is advised to keep both hashes the
1029 * same. If \p hash_id in the RSA context is unset,
1030 * the \p md_alg from the function call is used.
1031 *
1032 * \deprecated It is deprecated and discouraged to call this function
1033 * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
1034 * are likely to remove the \p mode argument and have it
1035 * implicitly set to #MBEDTLS_RSA_PUBLIC.
1036 *
1037 * \note Alternative implementations of RSA need not support
1038 * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
1039 * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
1040 *
1041 * \param ctx The RSA public key context.
1042 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
1043 * \param p_rng The RNG context.
1044 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
1045 * \param md_alg The message-digest algorithm used to hash the original data.
1046 * Use #MBEDTLS_MD_NONE for signing raw data.
1047 * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
1048 * \param hash The buffer holding the message digest.
1049 * \param sig The buffer holding the ciphertext.
1050 *
1051 * \return \c 0 if the verify operation was successful.
1052 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
1053 */
1054int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
1055 int (*f_rng)(void *, unsigned char *, size_t),
1056 void *p_rng,
1057 int mode,
1058 mbedtls_md_type_t md_alg,
1059 unsigned int hashlen,
1060 const unsigned char *hash,
1061 const unsigned char *sig );
1062
1063/**
1064 * \brief This function performs a PKCS#1 v2.1 PSS verification
1065 * operation (RSASSA-PSS-VERIFY).
1066 *
1067 * The hash function for the MGF mask generating function
1068 * is that specified in \p mgf1_hash_id.
1069 *
1070 * \note The \p sig buffer must be as large as the size
1071 * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
1072 *
1073 * \note The \p hash_id in the RSA context is ignored.
1074 *
1075 * \param ctx The RSA public key context.
1076 * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
1077 * \param p_rng The RNG context.
1078 * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
1079 * \param md_alg The message-digest algorithm used to hash the original data.
1080 * Use #MBEDTLS_MD_NONE for signing raw data.
1081 * \param hashlen The length of the message digest. Only used if \p md_alg is
1082 * #MBEDTLS_MD_NONE.
1083 * \param hash The buffer holding the message digest.
1084 * \param mgf1_hash_id The message digest used for mask generation.
1085 * \param expected_salt_len The length of the salt used in padding. Use
1086 * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
1087 * \param sig The buffer holding the ciphertext.
1088 *
1089 * \return \c 0 if the verify operation was successful.
1090 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
1091 */
1092int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
1093 int (*f_rng)(void *, unsigned char *, size_t),
1094 void *p_rng,
1095 int mode,
1096 mbedtls_md_type_t md_alg,
1097 unsigned int hashlen,
1098 const unsigned char *hash,
1099 mbedtls_md_type_t mgf1_hash_id,
1100 int expected_salt_len,
1101 const unsigned char *sig );
1102
1103/**
1104 * \brief This function copies the components of an RSA context.
1105 *
1106 * \param dst The destination context.
1107 * \param src The source context.
1108 *
1109 * \return \c 0 on success.
1110 * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
1111 */
1112int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
1113
1114/**
1115 * \brief This function frees the components of an RSA key.
1116 *
1117 * \param ctx The RSA Context to free.
1118 */
1119void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
1120
1121/**
1122 * \brief The RSA checkup routine.
1123 *
1124 * \return \c 0 on success.
1125 * \return \c 1 on failure.
1126 */
1127int mbedtls_rsa_self_test( int verbose );
1128
1129#ifdef __cplusplus
1130}
1131#endif
1132
1133#endif /* rsa.h */
Impressum, Datenschutz