2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 #ifndef BR_BEARSSL_RSA_H__
26 #define BR_BEARSSL_RSA_H__
35 /** \file bearssl_rsa.h
39 * This file documents the RSA implementations provided with BearSSL.
40 * Note that the SSL engine accesses these implementations through a
41 * configurable API, so it is possible to, for instance, run a SSL
42 * server which uses a RSA engine which is not based on this code.
46 * RSA public and private keys consist in lists of big integers. All
47 * such integers are represented with big-endian unsigned notation:
48 * first byte is the most significant, and the value is positive (so
49 * there is no dedicated "sign bit"). Public and private key structures
50 * thus contain, for each such integer, a pointer to the first value byte
51 * (`unsigned char *`), and a length (`size_t`) which is the number of
52 * relevant bytes. As a general rule, minimal-length encoding is not
53 * enforced: values may have extra leading bytes of value 0.
55 * RSA public keys consist in two integers:
57 * - the modulus (`n`);
58 * - the public exponent (`e`).
60 * RSA private keys, as defined in
61 * [PKCS#1](https://tools.ietf.org/html/rfc3447), contain eight integers:
63 * - the modulus (`n`);
64 * - the public exponent (`e`);
65 * - the private exponent (`d`);
66 * - the first prime factor (`p`);
67 * - the second prime factor (`q`);
68 * - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
69 * - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
70 * - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
72 * However, the implementations defined in BearSSL use only five of
73 * these integers: `p`, `q`, `dp`, `dq` and `iq`.
75 * ## Security Features and Limitations
77 * The implementations contained in BearSSL have the following limitations
80 * - They are constant-time. This means that the execution time and
81 * memory access pattern may depend on the _lengths_ of the private
82 * key components, but not on their value, nor on the value of
83 * the operand. Note that this property is not achieved through
84 * random masking, but "true" constant-time code.
86 * - They support only private keys with two prime factors. RSA private
87 * key with three or more prime factors are nominally supported, but
88 * rarely used; they may offer faster operations, at the expense of
89 * more code and potentially a reduction in security if there are
90 * "too many" prime factors.
92 * - The public exponent may have arbitrary length. Of course, it is
93 * a good idea to keep public exponents small, so that public key
94 * operations are fast; but, contrary to some widely deployed
95 * implementations, BearSSL has no problem with public exponent
96 * longer than 32 bits.
98 * - The two prime factors of the modulus need not have the same length
99 * (but severely imbalanced factor lengths might reduce security).
100 * Similarly, there is no requirement that the first factor (`p`)
101 * be greater than the second factor (`q`).
103 * - Prime factors and modulus must be smaller than a compile-time limit.
104 * This is made necessary by the use of fixed-size stack buffers, and
105 * the limit has been adjusted to keep stack usage under 2 kB for the
106 * RSA operations. Currently, the maximum modulus size is 4096 bits,
107 * and the maximum prime factor size is 2080 bits.
109 * - The RSA functions themselves do not enforce lower size limits,
110 * except that which is absolutely necessary for the operation to
111 * mathematically make sense (e.g. a PKCS#1 v1.5 signature with
112 * SHA-1 requires a modulus of at least 361 bits). It is up to users
113 * of this code to enforce size limitations when appropriate (e.g.
114 * the X.509 validation engine, by default, rejects RSA keys of
115 * less than 1017 bits).
117 * - Within the size constraints expressed above, arbitrary bit lengths
118 * are supported. There is no requirement that prime factors or
119 * modulus have a size multiple of 8 or 16.
121 * - When verifying PKCS#1 v1.5 signatures, both variants of the hash
122 * function identifying header (with and without the ASN.1 NULL) are
123 * supported. When producing such signatures, the variant with the
124 * ASN.1 NULL is used.
128 * Three RSA implementations are included:
130 * - The **i32** implementation internally represents big integers
131 * as arrays of 32-bit integers. It is perfunctory and portable,
132 * but not very efficient.
134 * - The **i31** implementation uses 32-bit integers, each containing
135 * 31 bits worth of integer data. The i31 implementation is somewhat
136 * faster than the i32 implementation (the reduced integer size makes
137 * carry propagation easier) for a similar code footprint, but uses
138 * very slightly larger stack buffers (about 4% bigger).
140 * - The **i62** implementation is similar to the i31 implementation,
141 * except that it internally leverages the 64x64->128 multiplication
142 * opcode. This implementation is available only on architectures
143 * where such an opcode exists. It is much faster than i31.
145 * - The **i15** implementation uses 16-bit integers, each containing
146 * 15 bits worth of integer data. Multiplication results fit on
147 * 32 bits, so this won't use the "widening" multiplication routine
148 * on ARM Cortex M0/M0+, for much better performance and constant-time
153 * \brief RSA public key.
155 * The structure references the modulus and the public exponent. Both
156 * integers use unsigned big-endian representation; extra leading bytes
157 * of value 0 are allowed.
160 /** \brief Modulus. */
162 /** \brief Modulus length (in bytes). */
164 /** \brief Public exponent. */
166 /** \brief Public exponent length (in bytes). */
171 * \brief RSA private key.
173 * The structure references the primvate factors, reduced private
174 * exponents, and CRT coefficient. It also contains the bit length of
175 * the modulus. The big integers use unsigned big-endian representation;
176 * extra leading bytes of value 0 are allowed. However, the modulus bit
177 * length (`n_bitlen`) MUST be exact.
180 /** \brief Modulus bit length (in bits, exact value). */
182 /** \brief First prime factor. */
184 /** \brief First prime factor length (in bytes). */
186 /** \brief Second prime factor. */
188 /** \brief Second prime factor length (in bytes). */
190 /** \brief First reduced private exponent. */
192 /** \brief First reduced private exponent length (in bytes). */
194 /** \brief Second reduced private exponent. */
196 /** \brief Second reduced private exponent length (in bytes). */
198 /** \brief CRT coefficient. */
200 /** \brief CRT coefficient length (in bytes). */
202 } br_rsa_private_key
;
205 * \brief Type for a RSA public key engine.
207 * The public key engine performs the modular exponentiation of the
208 * provided value with the public exponent. The value is modified in
211 * The value length (`xlen`) is verified to have _exactly_ the same
212 * length as the modulus (actual modulus length, without extra leading
213 * zeros in the modulus representation in memory). If the length does
214 * not match, then this function returns 0 and `x[]` is unmodified.
216 * It `xlen` is correct, then `x[]` is modified. Returned value is 1
217 * on success, 0 on error. Error conditions include an oversized `x[]`
218 * (the array has the same length as the modulus, but the numerical value
219 * is not lower than the modulus) and an invalid modulus (e.g. an even
220 * integer). If an error is reported, then the new contents of `x[]` are
223 * \param x operand to exponentiate.
224 * \param xlen length of the operand (in bytes).
225 * \param pk RSA public key.
226 * \return 1 on success, 0 on error.
228 typedef uint32_t (*br_rsa_public
)(unsigned char *x
, size_t xlen
,
229 const br_rsa_public_key
*pk
);
232 * \brief Type for a RSA signature verification engine (PKCS#1 v1.5).
236 * - The signature itself. The provided array is NOT modified.
238 * - The encoded OID for the hash function. The provided array must begin
239 * with a single byte that contains the length of the OID value (in
240 * bytes), followed by exactly that many bytes. This parameter may
241 * also be `NULL`, in which case the raw hash value should be used
242 * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
243 * to TLS-1.1, with a 36-byte hash value).
245 * - The hash output length, in bytes.
249 * - An output buffer for the hash value. The caller must still compare
250 * it with the hash of the data over which the signature is computed.
254 * - Hash length MUST be no more than 64 bytes.
256 * - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
257 * must have a value in the 0..32 range, inclusive).
259 * This function verifies that the signature length (`xlen`) matches the
260 * modulus length (this function returns 0 on mismatch). If the modulus
261 * size exceeds the maximum supported RSA size, then the function also
264 * Returned value is 1 on success, 0 on error.
266 * Implementations of this type need not be constant-time.
268 * \param x signature buffer.
269 * \param xlen signature length (in bytes).
270 * \param hash_oid encoded hash algorithm OID (or `NULL`).
271 * \param hash_len expected hash value length (in bytes).
272 * \param pk RSA public key.
273 * \param hash_out output buffer for the hash value.
274 * \return 1 on success, 0 on error.
276 typedef uint32_t (*br_rsa_pkcs1_vrfy
)(const unsigned char *x
, size_t xlen
,
277 const unsigned char *hash_oid
, size_t hash_len
,
278 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
281 * \brief Type for a RSA encryption engine (OAEP).
285 * - A source of random bytes. The source must be already initialized.
287 * - A hash function, used internally with the mask generation function
290 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
291 * (an empty label, which is the default in PKCS#1 v2.2).
295 * - The destination buffer. Its maximum length (in bytes) is provided;
296 * if that length is lower than the public key length, then an error
299 * - The source message.
301 * The encrypted message output has exactly the same length as the modulus
302 * (mathematical length, in bytes, not counting extra leading zeros in the
303 * modulus representation in the public key).
305 * The source message (`src`, length `src_len`) may overlap with the
306 * destination buffer (`dst`, length `dst_max_len`).
308 * This function returns the actual encrypted message length, in bytes;
309 * on error, zero is returned. An error is reported if the output buffer
310 * is not large enough, or the public is invalid, or the public key
311 * modulus exceeds the maximum supported RSA size.
313 * \param rnd source of random bytes.
314 * \param dig hash function to use with MGF1.
315 * \param label label value (may be `NULL` if `label_len` is zero).
316 * \param label_len label length, in bytes.
317 * \param pk RSA public key.
318 * \param dst destination buffer.
319 * \param dst_max_len destination buffer length (maximum encrypted data size).
320 * \param src message to encrypt.
321 * \param src_len source message length (in bytes).
322 * \return encrypted message length (in bytes), or 0 on error.
324 typedef size_t (*br_rsa_oaep_encrypt
)(
325 const br_prng_class
**rnd
, const br_hash_class
*dig
,
326 const void *label
, size_t label_len
,
327 const br_rsa_public_key
*pk
,
328 void *dst
, size_t dst_max_len
,
329 const void *src
, size_t src_len
);
332 * \brief Type for a RSA private key engine.
334 * The `x[]` buffer is modified in place, and its length is inferred from
335 * the modulus length (`x[]` is assumed to have a length of
336 * `(sk->n_bitlen+7)/8` bytes).
338 * Returned value is 1 on success, 0 on error.
340 * \param x operand to exponentiate.
341 * \param sk RSA private key.
342 * \return 1 on success, 0 on error.
344 typedef uint32_t (*br_rsa_private
)(unsigned char *x
,
345 const br_rsa_private_key
*sk
);
348 * \brief Type for a RSA signature generation engine (PKCS#1 v1.5).
352 * - The encoded OID for the hash function. The provided array must begin
353 * with a single byte that contains the length of the OID value (in
354 * bytes), followed by exactly that many bytes. This parameter may
355 * also be `NULL`, in which case the raw hash value should be used
356 * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
357 * to TLS-1.1, with a 36-byte hash value).
359 * - The hash value computes over the data to sign (its length is
360 * expressed in bytes).
362 * - The RSA private key.
364 * - The output buffer, that receives the signature.
366 * Returned value is 1 on success, 0 on error. Error conditions include
367 * a too small modulus for the provided hash OID and value, or some
368 * invalid key parameters. The signature length is exactly
369 * `(sk->n_bitlen+7)/8` bytes.
371 * This function is expected to be constant-time with regards to the
372 * private key bytes (lengths of the modulus and the individual factors
373 * may leak, though) and to the hashed data.
375 * \param hash_oid encoded hash algorithm OID (or `NULL`).
376 * \param hash hash value.
377 * \param hash_len hash value length (in bytes).
378 * \param sk RSA private key.
379 * \param x output buffer for the signature value.
380 * \return 1 on success, 0 on error.
382 typedef uint32_t (*br_rsa_pkcs1_sign
)(const unsigned char *hash_oid
,
383 const unsigned char *hash
, size_t hash_len
,
384 const br_rsa_private_key
*sk
, unsigned char *x
);
387 * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
389 #define BR_HASH_OID_SHA1 \
390 ((const unsigned char *)"\x05\x2B\x0E\x03\x02\x1A")
393 * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
395 #define BR_HASH_OID_SHA224 \
396 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04")
399 * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
401 #define BR_HASH_OID_SHA256 \
402 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01")
405 * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
407 #define BR_HASH_OID_SHA384 \
408 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02")
411 * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
413 #define BR_HASH_OID_SHA512 \
414 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03")
417 * \brief Type for a RSA decryption engine (OAEP).
421 * - A hash function, used internally with the mask generation function
424 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
425 * (an empty label, which is the default in PKCS#1 v2.2).
429 * - The source and destination buffer. The buffer initially contains
430 * the encrypted message; the buffer contents are altered, and the
431 * decrypted message is written at the start of that buffer
432 * (decrypted message is always shorter than the encrypted message).
434 * If decryption fails in any way, then `*len` is unmodified, and the
435 * function returns 0. Otherwise, `*len` is set to the decrypted message
436 * length, and 1 is returned. The implementation is responsible for
437 * checking that the input message length matches the key modulus length,
438 * and that the padding is correct.
440 * Implementations MUST use constant-time check of the validity of the
441 * OAEP padding, at least until the leading byte and hash value have
442 * been checked. Whether overall decryption worked, and the length of
443 * the decrypted message, may leak.
445 * \param dig hash function to use with MGF1.
446 * \param label label value (may be `NULL` if `label_len` is zero).
447 * \param label_len label length, in bytes.
448 * \param sk RSA private key.
449 * \param data input/output buffer.
450 * \param len encrypted/decrypted message length.
451 * \return 1 on success, 0 on error.
453 typedef uint32_t (*br_rsa_oaep_decrypt
)(
454 const br_hash_class
*dig
, const void *label
, size_t label_len
,
455 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
458 * RSA "i32" engine. Integers are internally represented as arrays of
459 * 32-bit integers, and the core multiplication primitive is the
460 * 32x32->64 multiplication.
464 * \brief RSA public key engine "i32".
468 * \param x operand to exponentiate.
469 * \param xlen length of the operand (in bytes).
470 * \param pk RSA public key.
471 * \return 1 on success, 0 on error.
473 uint32_t br_rsa_i32_public(unsigned char *x
, size_t xlen
,
474 const br_rsa_public_key
*pk
);
477 * \brief RSA signature verification engine "i32".
479 * \see br_rsa_pkcs1_vrfy
481 * \param x signature buffer.
482 * \param xlen signature length (in bytes).
483 * \param hash_oid encoded hash algorithm OID (or `NULL`).
484 * \param hash_len expected hash value length (in bytes).
485 * \param pk RSA public key.
486 * \param hash_out output buffer for the hash value.
487 * \return 1 on success, 0 on error.
489 uint32_t br_rsa_i32_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
490 const unsigned char *hash_oid
, size_t hash_len
,
491 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
494 * \brief RSA private key engine "i32".
496 * \see br_rsa_private
498 * \param x operand to exponentiate.
499 * \param sk RSA private key.
500 * \return 1 on success, 0 on error.
502 uint32_t br_rsa_i32_private(unsigned char *x
,
503 const br_rsa_private_key
*sk
);
506 * \brief RSA signature generation engine "i32".
508 * \see br_rsa_pkcs1_sign
510 * \param hash_oid encoded hash algorithm OID (or `NULL`).
511 * \param hash hash value.
512 * \param hash_len hash value length (in bytes).
513 * \param sk RSA private key.
514 * \param x output buffer for the hash value.
515 * \return 1 on success, 0 on error.
517 uint32_t br_rsa_i32_pkcs1_sign(const unsigned char *hash_oid
,
518 const unsigned char *hash
, size_t hash_len
,
519 const br_rsa_private_key
*sk
, unsigned char *x
);
522 * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
523 * word. This uses slightly more stack space (about 4% more) and code
524 * space, but it quite faster.
528 * \brief RSA public key engine "i31".
532 * \param x operand to exponentiate.
533 * \param xlen length of the operand (in bytes).
534 * \param pk RSA public key.
535 * \return 1 on success, 0 on error.
537 uint32_t br_rsa_i31_public(unsigned char *x
, size_t xlen
,
538 const br_rsa_public_key
*pk
);
541 * \brief RSA signature verification engine "i31".
543 * \see br_rsa_pkcs1_vrfy
545 * \param x signature buffer.
546 * \param xlen signature length (in bytes).
547 * \param hash_oid encoded hash algorithm OID (or `NULL`).
548 * \param hash_len expected hash value length (in bytes).
549 * \param pk RSA public key.
550 * \param hash_out output buffer for the hash value.
551 * \return 1 on success, 0 on error.
553 uint32_t br_rsa_i31_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
554 const unsigned char *hash_oid
, size_t hash_len
,
555 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
558 * \brief RSA private key engine "i31".
560 * \see br_rsa_private
562 * \param x operand to exponentiate.
563 * \param sk RSA private key.
564 * \return 1 on success, 0 on error.
566 uint32_t br_rsa_i31_private(unsigned char *x
,
567 const br_rsa_private_key
*sk
);
570 * \brief RSA signature generation engine "i31".
572 * \see br_rsa_pkcs1_sign
574 * \param hash_oid encoded hash algorithm OID (or `NULL`).
575 * \param hash hash value.
576 * \param hash_len hash value length (in bytes).
577 * \param sk RSA private key.
578 * \param x output buffer for the hash value.
579 * \return 1 on success, 0 on error.
581 uint32_t br_rsa_i31_pkcs1_sign(const unsigned char *hash_oid
,
582 const unsigned char *hash
, size_t hash_len
,
583 const br_rsa_private_key
*sk
, unsigned char *x
);
586 * RSA "i62" engine. Similar to i31, but internal multiplication use
587 * 64x64->128 multiplications. This is available only on architecture
588 * that offer such an opcode.
592 * \brief RSA public key engine "i62".
594 * This function is defined only on architecture that offer a 64x64->128
595 * opcode. Use `br_rsa_i62_public_get()` to dynamically obtain a pointer
600 * \param x operand to exponentiate.
601 * \param xlen length of the operand (in bytes).
602 * \param pk RSA public key.
603 * \return 1 on success, 0 on error.
605 uint32_t br_rsa_i62_public(unsigned char *x
, size_t xlen
,
606 const br_rsa_public_key
*pk
);
609 * \brief RSA signature verification engine "i62".
611 * This function is defined only on architecture that offer a 64x64->128
612 * opcode. Use `br_rsa_i62_pkcs1_vrfy_get()` to dynamically obtain a pointer
615 * \see br_rsa_pkcs1_vrfy
617 * \param x signature buffer.
618 * \param xlen signature length (in bytes).
619 * \param hash_oid encoded hash algorithm OID (or `NULL`).
620 * \param hash_len expected hash value length (in bytes).
621 * \param pk RSA public key.
622 * \param hash_out output buffer for the hash value.
623 * \return 1 on success, 0 on error.
625 uint32_t br_rsa_i62_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
626 const unsigned char *hash_oid
, size_t hash_len
,
627 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
630 * \brief RSA private key engine "i62".
632 * This function is defined only on architecture that offer a 64x64->128
633 * opcode. Use `br_rsa_i62_private_get()` to dynamically obtain a pointer
636 * \see br_rsa_private
638 * \param x operand to exponentiate.
639 * \param sk RSA private key.
640 * \return 1 on success, 0 on error.
642 uint32_t br_rsa_i62_private(unsigned char *x
,
643 const br_rsa_private_key
*sk
);
646 * \brief RSA signature generation engine "i62".
648 * This function is defined only on architecture that offer a 64x64->128
649 * opcode. Use `br_rsa_i62_pkcs1_sign_get()` to dynamically obtain a pointer
652 * \see br_rsa_pkcs1_sign
654 * \param hash_oid encoded hash algorithm OID (or `NULL`).
655 * \param hash hash value.
656 * \param hash_len hash value length (in bytes).
657 * \param sk RSA private key.
658 * \param x output buffer for the hash value.
659 * \return 1 on success, 0 on error.
661 uint32_t br_rsa_i62_pkcs1_sign(const unsigned char *hash_oid
,
662 const unsigned char *hash
, size_t hash_len
,
663 const br_rsa_private_key
*sk
, unsigned char *x
);
666 * \brief Get the RSA "i62" implementation (public key operations),
669 * \return the implementation, or 0.
671 br_rsa_public
br_rsa_i62_public_get(void);
674 * \brief Get the RSA "i62" implementation (PKCS#1 signature verification),
677 * \return the implementation, or 0.
679 br_rsa_pkcs1_vrfy
br_rsa_i62_pkcs1_vrfy_get(void);
682 * \brief Get the RSA "i62" implementation (private key operations),
685 * \return the implementation, or 0.
687 br_rsa_private
br_rsa_i62_private_get(void);
690 * \brief Get the RSA "i62" implementation (PKCS#1 signature generation),
693 * \return the implementation, or 0.
695 br_rsa_pkcs1_sign
br_rsa_i62_pkcs1_sign_get(void);
698 * \brief Get the RSA "i62" implementation (OAEP encryption),
701 * \return the implementation, or 0.
703 br_rsa_oaep_encrypt
br_rsa_i62_oaep_encrypt_get(void);
706 * \brief Get the RSA "i62" implementation (OAEP decryption),
709 * \return the implementation, or 0.
711 br_rsa_oaep_decrypt
br_rsa_i62_oaep_decrypt_get(void);
714 * RSA "i15" engine. Integers are represented as 15-bit integers, so
715 * the code uses only 32-bit multiplication (no 64-bit result), which
716 * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
720 * \brief RSA public key engine "i15".
724 * \param x operand to exponentiate.
725 * \param xlen length of the operand (in bytes).
726 * \param pk RSA public key.
727 * \return 1 on success, 0 on error.
729 uint32_t br_rsa_i15_public(unsigned char *x
, size_t xlen
,
730 const br_rsa_public_key
*pk
);
733 * \brief RSA signature verification engine "i15".
735 * \see br_rsa_pkcs1_vrfy
737 * \param x signature buffer.
738 * \param xlen signature length (in bytes).
739 * \param hash_oid encoded hash algorithm OID (or `NULL`).
740 * \param hash_len expected hash value length (in bytes).
741 * \param pk RSA public key.
742 * \param hash_out output buffer for the hash value.
743 * \return 1 on success, 0 on error.
745 uint32_t br_rsa_i15_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
746 const unsigned char *hash_oid
, size_t hash_len
,
747 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
750 * \brief RSA private key engine "i15".
752 * \see br_rsa_private
754 * \param x operand to exponentiate.
755 * \param sk RSA private key.
756 * \return 1 on success, 0 on error.
758 uint32_t br_rsa_i15_private(unsigned char *x
,
759 const br_rsa_private_key
*sk
);
762 * \brief RSA signature generation engine "i15".
764 * \see br_rsa_pkcs1_sign
766 * \param hash_oid encoded hash algorithm OID (or `NULL`).
767 * \param hash hash value.
768 * \param hash_len hash value length (in bytes).
769 * \param sk RSA private key.
770 * \param x output buffer for the hash value.
771 * \return 1 on success, 0 on error.
773 uint32_t br_rsa_i15_pkcs1_sign(const unsigned char *hash_oid
,
774 const unsigned char *hash
, size_t hash_len
,
775 const br_rsa_private_key
*sk
, unsigned char *x
);
778 * \brief Get "default" RSA implementation (public-key operations).
780 * This returns the preferred implementation of RSA (public-key operations)
781 * on the current system.
783 * \return the default implementation.
785 br_rsa_public
br_rsa_public_get_default(void);
788 * \brief Get "default" RSA implementation (private-key operations).
790 * This returns the preferred implementation of RSA (private-key operations)
791 * on the current system.
793 * \return the default implementation.
795 br_rsa_private
br_rsa_private_get_default(void);
798 * \brief Get "default" RSA implementation (PKCS#1 signature verification).
800 * This returns the preferred implementation of RSA (signature verification)
801 * on the current system.
803 * \return the default implementation.
805 br_rsa_pkcs1_vrfy
br_rsa_pkcs1_vrfy_get_default(void);
808 * \brief Get "default" RSA implementation (PKCS#1 signature generation).
810 * This returns the preferred implementation of RSA (signature generation)
811 * on the current system.
813 * \return the default implementation.
815 br_rsa_pkcs1_sign
br_rsa_pkcs1_sign_get_default(void);
818 * \brief Get "default" RSA implementation (OAEP encryption).
820 * This returns the preferred implementation of RSA (OAEP encryption)
821 * on the current system.
823 * \return the default implementation.
825 br_rsa_oaep_encrypt
br_rsa_oaep_encrypt_get_default(void);
828 * \brief Get "default" RSA implementation (OAEP decryption).
830 * This returns the preferred implementation of RSA (OAEP decryption)
831 * on the current system.
833 * \return the default implementation.
835 br_rsa_oaep_decrypt
br_rsa_oaep_decrypt_get_default(void);
838 * \brief RSA decryption helper, for SSL/TLS.
840 * This function performs the RSA decryption for a RSA-based key exchange
841 * in a SSL/TLS server. The provided RSA engine is used. The `data`
842 * parameter points to the value to decrypt, of length `len` bytes. On
843 * success, the 48-byte pre-master secret is copied into `data`, starting
844 * at the first byte of that buffer; on error, the contents of `data`
845 * become indeterminate.
847 * This function first checks that the provided value length (`len`) is
848 * not lower than 59 bytes, and matches the RSA modulus length; if neither
849 * of this property is met, then this function returns 0 and the buffer
852 * Otherwise, decryption and then padding verification are performed, both
853 * in constant-time. A decryption error, or a bad padding, or an
854 * incorrect decrypted value length are reported with a returned value of
855 * 0; on success, 1 is returned. The caller (SSL server engine) is supposed
856 * to proceed with a random pre-master secret in case of error.
858 * \param core RSA private key engine.
859 * \param sk RSA private key.
860 * \param data input/output buffer.
861 * \param len length (in bytes) of the data to decrypt.
862 * \return 1 on success, 0 on error.
864 uint32_t br_rsa_ssl_decrypt(br_rsa_private core
, const br_rsa_private_key
*sk
,
865 unsigned char *data
, size_t len
);
868 * \brief RSA encryption (OAEP) with the "i15" engine.
870 * \see br_rsa_oaep_encrypt
872 * \param rnd source of random bytes.
873 * \param dig hash function to use with MGF1.
874 * \param label label value (may be `NULL` if `label_len` is zero).
875 * \param label_len label length, in bytes.
876 * \param pk RSA public key.
877 * \param dst destination buffer.
878 * \param dst_max_len destination buffer length (maximum encrypted data size).
879 * \param src message to encrypt.
880 * \param src_len source message length (in bytes).
881 * \return encrypted message length (in bytes), or 0 on error.
883 size_t br_rsa_i15_oaep_encrypt(
884 const br_prng_class
**rnd
, const br_hash_class
*dig
,
885 const void *label
, size_t label_len
,
886 const br_rsa_public_key
*pk
,
887 void *dst
, size_t dst_max_len
,
888 const void *src
, size_t src_len
);
891 * \brief RSA decryption (OAEP) with the "i15" engine.
893 * \see br_rsa_oaep_decrypt
895 * \param dig hash function to use with MGF1.
896 * \param label label value (may be `NULL` if `label_len` is zero).
897 * \param label_len label length, in bytes.
898 * \param sk RSA private key.
899 * \param data input/output buffer.
900 * \param len encrypted/decrypted message length.
901 * \return 1 on success, 0 on error.
903 uint32_t br_rsa_i15_oaep_decrypt(
904 const br_hash_class
*dig
, const void *label
, size_t label_len
,
905 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
908 * \brief RSA encryption (OAEP) with the "i31" engine.
910 * \see br_rsa_oaep_encrypt
912 * \param rnd source of random bytes.
913 * \param dig hash function to use with MGF1.
914 * \param label label value (may be `NULL` if `label_len` is zero).
915 * \param label_len label length, in bytes.
916 * \param pk RSA public key.
917 * \param dst destination buffer.
918 * \param dst_max_len destination buffer length (maximum encrypted data size).
919 * \param src message to encrypt.
920 * \param src_len source message length (in bytes).
921 * \return encrypted message length (in bytes), or 0 on error.
923 size_t br_rsa_i31_oaep_encrypt(
924 const br_prng_class
**rnd
, const br_hash_class
*dig
,
925 const void *label
, size_t label_len
,
926 const br_rsa_public_key
*pk
,
927 void *dst
, size_t dst_max_len
,
928 const void *src
, size_t src_len
);
931 * \brief RSA decryption (OAEP) with the "i31" engine.
933 * \see br_rsa_oaep_decrypt
935 * \param dig hash function to use with MGF1.
936 * \param label label value (may be `NULL` if `label_len` is zero).
937 * \param label_len label length, in bytes.
938 * \param sk RSA private key.
939 * \param data input/output buffer.
940 * \param len encrypted/decrypted message length.
941 * \return 1 on success, 0 on error.
943 uint32_t br_rsa_i31_oaep_decrypt(
944 const br_hash_class
*dig
, const void *label
, size_t label_len
,
945 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
948 * \brief RSA encryption (OAEP) with the "i32" engine.
950 * \see br_rsa_oaep_encrypt
952 * \param rnd source of random bytes.
953 * \param dig hash function to use with MGF1.
954 * \param label label value (may be `NULL` if `label_len` is zero).
955 * \param label_len label length, in bytes.
956 * \param pk RSA public key.
957 * \param dst destination buffer.
958 * \param dst_max_len destination buffer length (maximum encrypted data size).
959 * \param src message to encrypt.
960 * \param src_len source message length (in bytes).
961 * \return encrypted message length (in bytes), or 0 on error.
963 size_t br_rsa_i32_oaep_encrypt(
964 const br_prng_class
**rnd
, const br_hash_class
*dig
,
965 const void *label
, size_t label_len
,
966 const br_rsa_public_key
*pk
,
967 void *dst
, size_t dst_max_len
,
968 const void *src
, size_t src_len
);
971 * \brief RSA decryption (OAEP) with the "i32" engine.
973 * \see br_rsa_oaep_decrypt
975 * \param dig hash function to use with MGF1.
976 * \param label label value (may be `NULL` if `label_len` is zero).
977 * \param label_len label length, in bytes.
978 * \param sk RSA private key.
979 * \param data input/output buffer.
980 * \param len encrypted/decrypted message length.
981 * \return 1 on success, 0 on error.
983 uint32_t br_rsa_i32_oaep_decrypt(
984 const br_hash_class
*dig
, const void *label
, size_t label_len
,
985 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
988 * \brief RSA encryption (OAEP) with the "i62" engine.
990 * This function is defined only on architecture that offer a 64x64->128
991 * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer
994 * \see br_rsa_oaep_encrypt
996 * \param rnd source of random bytes.
997 * \param dig hash function to use with MGF1.
998 * \param label label value (may be `NULL` if `label_len` is zero).
999 * \param label_len label length, in bytes.
1000 * \param pk RSA public key.
1001 * \param dst destination buffer.
1002 * \param dst_max_len destination buffer length (maximum encrypted data size).
1003 * \param src message to encrypt.
1004 * \param src_len source message length (in bytes).
1005 * \return encrypted message length (in bytes), or 0 on error.
1007 size_t br_rsa_i62_oaep_encrypt(
1008 const br_prng_class
**rnd
, const br_hash_class
*dig
,
1009 const void *label
, size_t label_len
,
1010 const br_rsa_public_key
*pk
,
1011 void *dst
, size_t dst_max_len
,
1012 const void *src
, size_t src_len
);
1015 * \brief RSA decryption (OAEP) with the "i62" engine.
1017 * This function is defined only on architecture that offer a 64x64->128
1018 * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer
1021 * \see br_rsa_oaep_decrypt
1023 * \param dig hash function to use with MGF1.
1024 * \param label label value (may be `NULL` if `label_len` is zero).
1025 * \param label_len label length, in bytes.
1026 * \param sk RSA private key.
1027 * \param data input/output buffer.
1028 * \param len encrypted/decrypted message length.
1029 * \return 1 on success, 0 on error.
1031 uint32_t br_rsa_i62_oaep_decrypt(
1032 const br_hash_class
*dig
, const void *label
, size_t label_len
,
1033 const br_rsa_private_key
*sk
, void *data
, size_t *len
);