1*0957b409SSimon J. Gerraty /* 2*0957b409SSimon J. Gerraty * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org> 3*0957b409SSimon J. Gerraty * 4*0957b409SSimon J. Gerraty * Permission is hereby granted, free of charge, to any person obtaining 5*0957b409SSimon J. Gerraty * a copy of this software and associated documentation files (the 6*0957b409SSimon J. Gerraty * "Software"), to deal in the Software without restriction, including 7*0957b409SSimon J. Gerraty * without limitation the rights to use, copy, modify, merge, publish, 8*0957b409SSimon J. Gerraty * distribute, sublicense, and/or sell copies of the Software, and to 9*0957b409SSimon J. Gerraty * permit persons to whom the Software is furnished to do so, subject to 10*0957b409SSimon J. Gerraty * the following conditions: 11*0957b409SSimon J. Gerraty * 12*0957b409SSimon J. Gerraty * The above copyright notice and this permission notice shall be 13*0957b409SSimon J. Gerraty * included in all copies or substantial portions of the Software. 14*0957b409SSimon J. Gerraty * 15*0957b409SSimon J. Gerraty * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16*0957b409SSimon J. Gerraty * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17*0957b409SSimon J. Gerraty * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18*0957b409SSimon J. Gerraty * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19*0957b409SSimon J. Gerraty * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20*0957b409SSimon J. Gerraty * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21*0957b409SSimon J. Gerraty * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22*0957b409SSimon J. Gerraty * SOFTWARE. 23*0957b409SSimon J. Gerraty */ 24*0957b409SSimon J. Gerraty 25*0957b409SSimon J. Gerraty #ifndef BR_BEARSSL_RSA_H__ 26*0957b409SSimon J. Gerraty #define BR_BEARSSL_RSA_H__ 27*0957b409SSimon J. Gerraty 28*0957b409SSimon J. Gerraty #include <stddef.h> 29*0957b409SSimon J. Gerraty #include <stdint.h> 30*0957b409SSimon J. Gerraty 31*0957b409SSimon J. Gerraty #include "bearssl_hash.h" 32*0957b409SSimon J. Gerraty #include "bearssl_rand.h" 33*0957b409SSimon J. Gerraty 34*0957b409SSimon J. Gerraty #ifdef __cplusplus 35*0957b409SSimon J. Gerraty extern "C" { 36*0957b409SSimon J. Gerraty #endif 37*0957b409SSimon J. Gerraty 38*0957b409SSimon J. Gerraty /** \file bearssl_rsa.h 39*0957b409SSimon J. Gerraty * 40*0957b409SSimon J. Gerraty * # RSA 41*0957b409SSimon J. Gerraty * 42*0957b409SSimon J. Gerraty * This file documents the RSA implementations provided with BearSSL. 43*0957b409SSimon J. Gerraty * Note that the SSL engine accesses these implementations through a 44*0957b409SSimon J. Gerraty * configurable API, so it is possible to, for instance, run a SSL 45*0957b409SSimon J. Gerraty * server which uses a RSA engine which is not based on this code. 46*0957b409SSimon J. Gerraty * 47*0957b409SSimon J. Gerraty * ## Key Elements 48*0957b409SSimon J. Gerraty * 49*0957b409SSimon J. Gerraty * RSA public and private keys consist in lists of big integers. All 50*0957b409SSimon J. Gerraty * such integers are represented with big-endian unsigned notation: 51*0957b409SSimon J. Gerraty * first byte is the most significant, and the value is positive (so 52*0957b409SSimon J. Gerraty * there is no dedicated "sign bit"). Public and private key structures 53*0957b409SSimon J. Gerraty * thus contain, for each such integer, a pointer to the first value byte 54*0957b409SSimon J. Gerraty * (`unsigned char *`), and a length (`size_t`) which is the number of 55*0957b409SSimon J. Gerraty * relevant bytes. As a general rule, minimal-length encoding is not 56*0957b409SSimon J. Gerraty * enforced: values may have extra leading bytes of value 0. 57*0957b409SSimon J. Gerraty * 58*0957b409SSimon J. Gerraty * RSA public keys consist in two integers: 59*0957b409SSimon J. Gerraty * 60*0957b409SSimon J. Gerraty * - the modulus (`n`); 61*0957b409SSimon J. Gerraty * - the public exponent (`e`). 62*0957b409SSimon J. Gerraty * 63*0957b409SSimon J. Gerraty * RSA private keys, as defined in 64*0957b409SSimon J. Gerraty * [PKCS#1](https://tools.ietf.org/html/rfc3447), contain eight integers: 65*0957b409SSimon J. Gerraty * 66*0957b409SSimon J. Gerraty * - the modulus (`n`); 67*0957b409SSimon J. Gerraty * - the public exponent (`e`); 68*0957b409SSimon J. Gerraty * - the private exponent (`d`); 69*0957b409SSimon J. Gerraty * - the first prime factor (`p`); 70*0957b409SSimon J. Gerraty * - the second prime factor (`q`); 71*0957b409SSimon J. Gerraty * - the first reduced exponent (`dp`, which is `d` modulo `p-1`); 72*0957b409SSimon J. Gerraty * - the second reduced exponent (`dq`, which is `d` modulo `q-1`); 73*0957b409SSimon J. Gerraty * - the CRT coefficient (`iq`, the inverse of `q` modulo `p`). 74*0957b409SSimon J. Gerraty * 75*0957b409SSimon J. Gerraty * However, the implementations defined in BearSSL use only five of 76*0957b409SSimon J. Gerraty * these integers: `p`, `q`, `dp`, `dq` and `iq`. 77*0957b409SSimon J. Gerraty * 78*0957b409SSimon J. Gerraty * ## Security Features and Limitations 79*0957b409SSimon J. Gerraty * 80*0957b409SSimon J. Gerraty * The implementations contained in BearSSL have the following limitations 81*0957b409SSimon J. Gerraty * and features: 82*0957b409SSimon J. Gerraty * 83*0957b409SSimon J. Gerraty * - They are constant-time. This means that the execution time and 84*0957b409SSimon J. Gerraty * memory access pattern may depend on the _lengths_ of the private 85*0957b409SSimon J. Gerraty * key components, but not on their value, nor on the value of 86*0957b409SSimon J. Gerraty * the operand. Note that this property is not achieved through 87*0957b409SSimon J. Gerraty * random masking, but "true" constant-time code. 88*0957b409SSimon J. Gerraty * 89*0957b409SSimon J. Gerraty * - They support only private keys with two prime factors. RSA private 90*0957b409SSimon J. Gerraty * keys with three or more prime factors are nominally supported, but 91*0957b409SSimon J. Gerraty * rarely used; they may offer faster operations, at the expense of 92*0957b409SSimon J. Gerraty * more code and potentially a reduction in security if there are 93*0957b409SSimon J. Gerraty * "too many" prime factors. 94*0957b409SSimon J. Gerraty * 95*0957b409SSimon J. Gerraty * - The public exponent may have arbitrary length. Of course, it is 96*0957b409SSimon J. Gerraty * a good idea to keep public exponents small, so that public key 97*0957b409SSimon J. Gerraty * operations are fast; but, contrary to some widely deployed 98*0957b409SSimon J. Gerraty * implementations, BearSSL has no problem with public exponents 99*0957b409SSimon J. Gerraty * longer than 32 bits. 100*0957b409SSimon J. Gerraty * 101*0957b409SSimon J. Gerraty * - The two prime factors of the modulus need not have the same length 102*0957b409SSimon J. Gerraty * (but severely imbalanced factor lengths might reduce security). 103*0957b409SSimon J. Gerraty * Similarly, there is no requirement that the first factor (`p`) 104*0957b409SSimon J. Gerraty * be greater than the second factor (`q`). 105*0957b409SSimon J. Gerraty * 106*0957b409SSimon J. Gerraty * - Prime factors and modulus must be smaller than a compile-time limit. 107*0957b409SSimon J. Gerraty * This is made necessary by the use of fixed-size stack buffers, and 108*0957b409SSimon J. Gerraty * the limit has been adjusted to keep stack usage under 2 kB for the 109*0957b409SSimon J. Gerraty * RSA operations. Currently, the maximum modulus size is 4096 bits, 110*0957b409SSimon J. Gerraty * and the maximum prime factor size is 2080 bits. 111*0957b409SSimon J. Gerraty * 112*0957b409SSimon J. Gerraty * - The RSA functions themselves do not enforce lower size limits, 113*0957b409SSimon J. Gerraty * except that which is absolutely necessary for the operation to 114*0957b409SSimon J. Gerraty * mathematically make sense (e.g. a PKCS#1 v1.5 signature with 115*0957b409SSimon J. Gerraty * SHA-1 requires a modulus of at least 361 bits). It is up to users 116*0957b409SSimon J. Gerraty * of this code to enforce size limitations when appropriate (e.g. 117*0957b409SSimon J. Gerraty * the X.509 validation engine, by default, rejects RSA keys of 118*0957b409SSimon J. Gerraty * less than 1017 bits). 119*0957b409SSimon J. Gerraty * 120*0957b409SSimon J. Gerraty * - Within the size constraints expressed above, arbitrary bit lengths 121*0957b409SSimon J. Gerraty * are supported. There is no requirement that prime factors or 122*0957b409SSimon J. Gerraty * modulus have a size multiple of 8 or 16. 123*0957b409SSimon J. Gerraty * 124*0957b409SSimon J. Gerraty * - When verifying PKCS#1 v1.5 signatures, both variants of the hash 125*0957b409SSimon J. Gerraty * function identifying header (with and without the ASN.1 NULL) are 126*0957b409SSimon J. Gerraty * supported. When producing such signatures, the variant with the 127*0957b409SSimon J. Gerraty * ASN.1 NULL is used. 128*0957b409SSimon J. Gerraty * 129*0957b409SSimon J. Gerraty * ## Implementations 130*0957b409SSimon J. Gerraty * 131*0957b409SSimon J. Gerraty * Three RSA implementations are included: 132*0957b409SSimon J. Gerraty * 133*0957b409SSimon J. Gerraty * - The **i32** implementation internally represents big integers 134*0957b409SSimon J. Gerraty * as arrays of 32-bit integers. It is perfunctory and portable, 135*0957b409SSimon J. Gerraty * but not very efficient. 136*0957b409SSimon J. Gerraty * 137*0957b409SSimon J. Gerraty * - The **i31** implementation uses 32-bit integers, each containing 138*0957b409SSimon J. Gerraty * 31 bits worth of integer data. The i31 implementation is somewhat 139*0957b409SSimon J. Gerraty * faster than the i32 implementation (the reduced integer size makes 140*0957b409SSimon J. Gerraty * carry propagation easier) for a similar code footprint, but uses 141*0957b409SSimon J. Gerraty * very slightly larger stack buffers (about 4% bigger). 142*0957b409SSimon J. Gerraty * 143*0957b409SSimon J. Gerraty * - The **i62** implementation is similar to the i31 implementation, 144*0957b409SSimon J. Gerraty * except that it internally leverages the 64x64->128 multiplication 145*0957b409SSimon J. Gerraty * opcode. This implementation is available only on architectures 146*0957b409SSimon J. Gerraty * where such an opcode exists. It is much faster than i31. 147*0957b409SSimon J. Gerraty * 148*0957b409SSimon J. Gerraty * - The **i15** implementation uses 16-bit integers, each containing 149*0957b409SSimon J. Gerraty * 15 bits worth of integer data. Multiplication results fit on 150*0957b409SSimon J. Gerraty * 32 bits, so this won't use the "widening" multiplication routine 151*0957b409SSimon J. Gerraty * on ARM Cortex M0/M0+, for much better performance and constant-time 152*0957b409SSimon J. Gerraty * execution. 153*0957b409SSimon J. Gerraty */ 154*0957b409SSimon J. Gerraty 155*0957b409SSimon J. Gerraty /** 156*0957b409SSimon J. Gerraty * \brief RSA public key. 157*0957b409SSimon J. Gerraty * 158*0957b409SSimon J. Gerraty * The structure references the modulus and the public exponent. Both 159*0957b409SSimon J. Gerraty * integers use unsigned big-endian representation; extra leading bytes 160*0957b409SSimon J. Gerraty * of value 0 are allowed. 161*0957b409SSimon J. Gerraty */ 162*0957b409SSimon J. Gerraty typedef struct { 163*0957b409SSimon J. Gerraty /** \brief Modulus. */ 164*0957b409SSimon J. Gerraty unsigned char *n; 165*0957b409SSimon J. Gerraty /** \brief Modulus length (in bytes). */ 166*0957b409SSimon J. Gerraty size_t nlen; 167*0957b409SSimon J. Gerraty /** \brief Public exponent. */ 168*0957b409SSimon J. Gerraty unsigned char *e; 169*0957b409SSimon J. Gerraty /** \brief Public exponent length (in bytes). */ 170*0957b409SSimon J. Gerraty size_t elen; 171*0957b409SSimon J. Gerraty } br_rsa_public_key; 172*0957b409SSimon J. Gerraty 173*0957b409SSimon J. Gerraty /** 174*0957b409SSimon J. Gerraty * \brief RSA private key. 175*0957b409SSimon J. Gerraty * 176*0957b409SSimon J. Gerraty * The structure references the private factors, reduced private 177*0957b409SSimon J. Gerraty * exponents, and CRT coefficient. It also contains the bit length of 178*0957b409SSimon J. Gerraty * the modulus. The big integers use unsigned big-endian representation; 179*0957b409SSimon J. Gerraty * extra leading bytes of value 0 are allowed. However, the modulus bit 180*0957b409SSimon J. Gerraty * length (`n_bitlen`) MUST be exact. 181*0957b409SSimon J. Gerraty */ 182*0957b409SSimon J. Gerraty typedef struct { 183*0957b409SSimon J. Gerraty /** \brief Modulus bit length (in bits, exact value). */ 184*0957b409SSimon J. Gerraty uint32_t n_bitlen; 185*0957b409SSimon J. Gerraty /** \brief First prime factor. */ 186*0957b409SSimon J. Gerraty unsigned char *p; 187*0957b409SSimon J. Gerraty /** \brief First prime factor length (in bytes). */ 188*0957b409SSimon J. Gerraty size_t plen; 189*0957b409SSimon J. Gerraty /** \brief Second prime factor. */ 190*0957b409SSimon J. Gerraty unsigned char *q; 191*0957b409SSimon J. Gerraty /** \brief Second prime factor length (in bytes). */ 192*0957b409SSimon J. Gerraty size_t qlen; 193*0957b409SSimon J. Gerraty /** \brief First reduced private exponent. */ 194*0957b409SSimon J. Gerraty unsigned char *dp; 195*0957b409SSimon J. Gerraty /** \brief First reduced private exponent length (in bytes). */ 196*0957b409SSimon J. Gerraty size_t dplen; 197*0957b409SSimon J. Gerraty /** \brief Second reduced private exponent. */ 198*0957b409SSimon J. Gerraty unsigned char *dq; 199*0957b409SSimon J. Gerraty /** \brief Second reduced private exponent length (in bytes). */ 200*0957b409SSimon J. Gerraty size_t dqlen; 201*0957b409SSimon J. Gerraty /** \brief CRT coefficient. */ 202*0957b409SSimon J. Gerraty unsigned char *iq; 203*0957b409SSimon J. Gerraty /** \brief CRT coefficient length (in bytes). */ 204*0957b409SSimon J. Gerraty size_t iqlen; 205*0957b409SSimon J. Gerraty } br_rsa_private_key; 206*0957b409SSimon J. Gerraty 207*0957b409SSimon J. Gerraty /** 208*0957b409SSimon J. Gerraty * \brief Type for a RSA public key engine. 209*0957b409SSimon J. Gerraty * 210*0957b409SSimon J. Gerraty * The public key engine performs the modular exponentiation of the 211*0957b409SSimon J. Gerraty * provided value with the public exponent. The value is modified in 212*0957b409SSimon J. Gerraty * place. 213*0957b409SSimon J. Gerraty * 214*0957b409SSimon J. Gerraty * The value length (`xlen`) is verified to have _exactly_ the same 215*0957b409SSimon J. Gerraty * length as the modulus (actual modulus length, without extra leading 216*0957b409SSimon J. Gerraty * zeros in the modulus representation in memory). If the length does 217*0957b409SSimon J. Gerraty * not match, then this function returns 0 and `x[]` is unmodified. 218*0957b409SSimon J. Gerraty * 219*0957b409SSimon J. Gerraty * It `xlen` is correct, then `x[]` is modified. Returned value is 1 220*0957b409SSimon J. Gerraty * on success, 0 on error. Error conditions include an oversized `x[]` 221*0957b409SSimon J. Gerraty * (the array has the same length as the modulus, but the numerical value 222*0957b409SSimon J. Gerraty * is not lower than the modulus) and an invalid modulus (e.g. an even 223*0957b409SSimon J. Gerraty * integer). If an error is reported, then the new contents of `x[]` are 224*0957b409SSimon J. Gerraty * unspecified. 225*0957b409SSimon J. Gerraty * 226*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 227*0957b409SSimon J. Gerraty * \param xlen length of the operand (in bytes). 228*0957b409SSimon J. Gerraty * \param pk RSA public key. 229*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 230*0957b409SSimon J. Gerraty */ 231*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_public)(unsigned char *x, size_t xlen, 232*0957b409SSimon J. Gerraty const br_rsa_public_key *pk); 233*0957b409SSimon J. Gerraty 234*0957b409SSimon J. Gerraty /** 235*0957b409SSimon J. Gerraty * \brief Type for a RSA signature verification engine (PKCS#1 v1.5). 236*0957b409SSimon J. Gerraty * 237*0957b409SSimon J. Gerraty * Parameters are: 238*0957b409SSimon J. Gerraty * 239*0957b409SSimon J. Gerraty * - The signature itself. The provided array is NOT modified. 240*0957b409SSimon J. Gerraty * 241*0957b409SSimon J. Gerraty * - The encoded OID for the hash function. The provided array must begin 242*0957b409SSimon J. Gerraty * with a single byte that contains the length of the OID value (in 243*0957b409SSimon J. Gerraty * bytes), followed by exactly that many bytes. This parameter may 244*0957b409SSimon J. Gerraty * also be `NULL`, in which case the raw hash value should be used 245*0957b409SSimon J. Gerraty * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up 246*0957b409SSimon J. Gerraty * to TLS-1.1, with a 36-byte hash value). 247*0957b409SSimon J. Gerraty * 248*0957b409SSimon J. Gerraty * - The hash output length, in bytes. 249*0957b409SSimon J. Gerraty * 250*0957b409SSimon J. Gerraty * - The public key. 251*0957b409SSimon J. Gerraty * 252*0957b409SSimon J. Gerraty * - An output buffer for the hash value. The caller must still compare 253*0957b409SSimon J. Gerraty * it with the hash of the data over which the signature is computed. 254*0957b409SSimon J. Gerraty * 255*0957b409SSimon J. Gerraty * **Constraints:** 256*0957b409SSimon J. Gerraty * 257*0957b409SSimon J. Gerraty * - Hash length MUST be no more than 64 bytes. 258*0957b409SSimon J. Gerraty * 259*0957b409SSimon J. Gerraty * - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]` 260*0957b409SSimon J. Gerraty * must have a value in the 0..32 range, inclusive). 261*0957b409SSimon J. Gerraty * 262*0957b409SSimon J. Gerraty * This function verifies that the signature length (`xlen`) matches the 263*0957b409SSimon J. Gerraty * modulus length (this function returns 0 on mismatch). If the modulus 264*0957b409SSimon J. Gerraty * size exceeds the maximum supported RSA size, then the function also 265*0957b409SSimon J. Gerraty * returns 0. 266*0957b409SSimon J. Gerraty * 267*0957b409SSimon J. Gerraty * Returned value is 1 on success, 0 on error. 268*0957b409SSimon J. Gerraty * 269*0957b409SSimon J. Gerraty * Implementations of this type need not be constant-time. 270*0957b409SSimon J. Gerraty * 271*0957b409SSimon J. Gerraty * \param x signature buffer. 272*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 273*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 274*0957b409SSimon J. Gerraty * \param hash_len expected hash value length (in bytes). 275*0957b409SSimon J. Gerraty * \param pk RSA public key. 276*0957b409SSimon J. Gerraty * \param hash_out output buffer for the hash value. 277*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 278*0957b409SSimon J. Gerraty */ 279*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_pkcs1_vrfy)(const unsigned char *x, size_t xlen, 280*0957b409SSimon J. Gerraty const unsigned char *hash_oid, size_t hash_len, 281*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, unsigned char *hash_out); 282*0957b409SSimon J. Gerraty 283*0957b409SSimon J. Gerraty /** 284*0957b409SSimon J. Gerraty * \brief Type for a RSA signature verification engine (PSS). 285*0957b409SSimon J. Gerraty * 286*0957b409SSimon J. Gerraty * Parameters are: 287*0957b409SSimon J. Gerraty * 288*0957b409SSimon J. Gerraty * - The signature itself. The provided array is NOT modified. 289*0957b409SSimon J. Gerraty * 290*0957b409SSimon J. Gerraty * - The hash function which was used to hash the message. 291*0957b409SSimon J. Gerraty * 292*0957b409SSimon J. Gerraty * - The hash function to use with MGF1 within the PSS padding. This 293*0957b409SSimon J. Gerraty * is not necessarily the same hash function as the one which was 294*0957b409SSimon J. Gerraty * used to hash the signed message. 295*0957b409SSimon J. Gerraty * 296*0957b409SSimon J. Gerraty * - The hashed message (as an array of bytes). 297*0957b409SSimon J. Gerraty * 298*0957b409SSimon J. Gerraty * - The PSS salt length (in bytes). 299*0957b409SSimon J. Gerraty * 300*0957b409SSimon J. Gerraty * - The public key. 301*0957b409SSimon J. Gerraty * 302*0957b409SSimon J. Gerraty * **Constraints:** 303*0957b409SSimon J. Gerraty * 304*0957b409SSimon J. Gerraty * - Hash message length MUST be no more than 64 bytes. 305*0957b409SSimon J. Gerraty * 306*0957b409SSimon J. Gerraty * Note that, contrary to PKCS#1 v1.5 signature, the hash value of the 307*0957b409SSimon J. Gerraty * signed data cannot be extracted from the signature; it must be 308*0957b409SSimon J. Gerraty * provided to the verification function. 309*0957b409SSimon J. Gerraty * 310*0957b409SSimon J. Gerraty * This function verifies that the signature length (`xlen`) matches the 311*0957b409SSimon J. Gerraty * modulus length (this function returns 0 on mismatch). If the modulus 312*0957b409SSimon J. Gerraty * size exceeds the maximum supported RSA size, then the function also 313*0957b409SSimon J. Gerraty * returns 0. 314*0957b409SSimon J. Gerraty * 315*0957b409SSimon J. Gerraty * Returned value is 1 on success, 0 on error. 316*0957b409SSimon J. Gerraty * 317*0957b409SSimon J. Gerraty * Implementations of this type need not be constant-time. 318*0957b409SSimon J. Gerraty * 319*0957b409SSimon J. Gerraty * \param x signature buffer. 320*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 321*0957b409SSimon J. Gerraty * \param hf_data hash function applied on the message. 322*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 323*0957b409SSimon J. Gerraty * \param hash hash value of the signed message. 324*0957b409SSimon J. Gerraty * \param salt_len PSS salt length (in bytes). 325*0957b409SSimon J. Gerraty * \param pk RSA public key. 326*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 327*0957b409SSimon J. Gerraty */ 328*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_pss_vrfy)(const unsigned char *x, size_t xlen, 329*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 330*0957b409SSimon J. Gerraty const void *hash, size_t salt_len, const br_rsa_public_key *pk); 331*0957b409SSimon J. Gerraty 332*0957b409SSimon J. Gerraty /** 333*0957b409SSimon J. Gerraty * \brief Type for a RSA encryption engine (OAEP). 334*0957b409SSimon J. Gerraty * 335*0957b409SSimon J. Gerraty * Parameters are: 336*0957b409SSimon J. Gerraty * 337*0957b409SSimon J. Gerraty * - A source of random bytes. The source must be already initialized. 338*0957b409SSimon J. Gerraty * 339*0957b409SSimon J. Gerraty * - A hash function, used internally with the mask generation function 340*0957b409SSimon J. Gerraty * (MGF1). 341*0957b409SSimon J. Gerraty * 342*0957b409SSimon J. Gerraty * - A label. The `label` pointer may be `NULL` if `label_len` is zero 343*0957b409SSimon J. Gerraty * (an empty label, which is the default in PKCS#1 v2.2). 344*0957b409SSimon J. Gerraty * 345*0957b409SSimon J. Gerraty * - The public key. 346*0957b409SSimon J. Gerraty * 347*0957b409SSimon J. Gerraty * - The destination buffer. Its maximum length (in bytes) is provided; 348*0957b409SSimon J. Gerraty * if that length is lower than the public key length, then an error 349*0957b409SSimon J. Gerraty * is reported. 350*0957b409SSimon J. Gerraty * 351*0957b409SSimon J. Gerraty * - The source message. 352*0957b409SSimon J. Gerraty * 353*0957b409SSimon J. Gerraty * The encrypted message output has exactly the same length as the modulus 354*0957b409SSimon J. Gerraty * (mathematical length, in bytes, not counting extra leading zeros in the 355*0957b409SSimon J. Gerraty * modulus representation in the public key). 356*0957b409SSimon J. Gerraty * 357*0957b409SSimon J. Gerraty * The source message (`src`, length `src_len`) may overlap with the 358*0957b409SSimon J. Gerraty * destination buffer (`dst`, length `dst_max_len`). 359*0957b409SSimon J. Gerraty * 360*0957b409SSimon J. Gerraty * This function returns the actual encrypted message length, in bytes; 361*0957b409SSimon J. Gerraty * on error, zero is returned. An error is reported if the output buffer 362*0957b409SSimon J. Gerraty * is not large enough, or the public is invalid, or the public key 363*0957b409SSimon J. Gerraty * modulus exceeds the maximum supported RSA size. 364*0957b409SSimon J. Gerraty * 365*0957b409SSimon J. Gerraty * \param rnd source of random bytes. 366*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 367*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 368*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 369*0957b409SSimon J. Gerraty * \param pk RSA public key. 370*0957b409SSimon J. Gerraty * \param dst destination buffer. 371*0957b409SSimon J. Gerraty * \param dst_max_len destination buffer length (maximum encrypted data size). 372*0957b409SSimon J. Gerraty * \param src message to encrypt. 373*0957b409SSimon J. Gerraty * \param src_len source message length (in bytes). 374*0957b409SSimon J. Gerraty * \return encrypted message length (in bytes), or 0 on error. 375*0957b409SSimon J. Gerraty */ 376*0957b409SSimon J. Gerraty typedef size_t (*br_rsa_oaep_encrypt)( 377*0957b409SSimon J. Gerraty const br_prng_class **rnd, const br_hash_class *dig, 378*0957b409SSimon J. Gerraty const void *label, size_t label_len, 379*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, 380*0957b409SSimon J. Gerraty void *dst, size_t dst_max_len, 381*0957b409SSimon J. Gerraty const void *src, size_t src_len); 382*0957b409SSimon J. Gerraty 383*0957b409SSimon J. Gerraty /** 384*0957b409SSimon J. Gerraty * \brief Type for a RSA private key engine. 385*0957b409SSimon J. Gerraty * 386*0957b409SSimon J. Gerraty * The `x[]` buffer is modified in place, and its length is inferred from 387*0957b409SSimon J. Gerraty * the modulus length (`x[]` is assumed to have a length of 388*0957b409SSimon J. Gerraty * `(sk->n_bitlen+7)/8` bytes). 389*0957b409SSimon J. Gerraty * 390*0957b409SSimon J. Gerraty * Returned value is 1 on success, 0 on error. 391*0957b409SSimon J. Gerraty * 392*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 393*0957b409SSimon J. Gerraty * \param sk RSA private key. 394*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 395*0957b409SSimon J. Gerraty */ 396*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_private)(unsigned char *x, 397*0957b409SSimon J. Gerraty const br_rsa_private_key *sk); 398*0957b409SSimon J. Gerraty 399*0957b409SSimon J. Gerraty /** 400*0957b409SSimon J. Gerraty * \brief Type for a RSA signature generation engine (PKCS#1 v1.5). 401*0957b409SSimon J. Gerraty * 402*0957b409SSimon J. Gerraty * Parameters are: 403*0957b409SSimon J. Gerraty * 404*0957b409SSimon J. Gerraty * - The encoded OID for the hash function. The provided array must begin 405*0957b409SSimon J. Gerraty * with a single byte that contains the length of the OID value (in 406*0957b409SSimon J. Gerraty * bytes), followed by exactly that many bytes. This parameter may 407*0957b409SSimon J. Gerraty * also be `NULL`, in which case the raw hash value should be used 408*0957b409SSimon J. Gerraty * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up 409*0957b409SSimon J. Gerraty * to TLS-1.1, with a 36-byte hash value). 410*0957b409SSimon J. Gerraty * 411*0957b409SSimon J. Gerraty * - The hash value computes over the data to sign (its length is 412*0957b409SSimon J. Gerraty * expressed in bytes). 413*0957b409SSimon J. Gerraty * 414*0957b409SSimon J. Gerraty * - The RSA private key. 415*0957b409SSimon J. Gerraty * 416*0957b409SSimon J. Gerraty * - The output buffer, that receives the signature. 417*0957b409SSimon J. Gerraty * 418*0957b409SSimon J. Gerraty * Returned value is 1 on success, 0 on error. Error conditions include 419*0957b409SSimon J. Gerraty * a too small modulus for the provided hash OID and value, or some 420*0957b409SSimon J. Gerraty * invalid key parameters. The signature length is exactly 421*0957b409SSimon J. Gerraty * `(sk->n_bitlen+7)/8` bytes. 422*0957b409SSimon J. Gerraty * 423*0957b409SSimon J. Gerraty * This function is expected to be constant-time with regards to the 424*0957b409SSimon J. Gerraty * private key bytes (lengths of the modulus and the individual factors 425*0957b409SSimon J. Gerraty * may leak, though) and to the hashed data. 426*0957b409SSimon J. Gerraty * 427*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 428*0957b409SSimon J. Gerraty * \param hash hash value. 429*0957b409SSimon J. Gerraty * \param hash_len hash value length (in bytes). 430*0957b409SSimon J. Gerraty * \param sk RSA private key. 431*0957b409SSimon J. Gerraty * \param x output buffer for the signature value. 432*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 433*0957b409SSimon J. Gerraty */ 434*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_pkcs1_sign)(const unsigned char *hash_oid, 435*0957b409SSimon J. Gerraty const unsigned char *hash, size_t hash_len, 436*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 437*0957b409SSimon J. Gerraty 438*0957b409SSimon J. Gerraty /** 439*0957b409SSimon J. Gerraty * \brief Type for a RSA signature generation engine (PSS). 440*0957b409SSimon J. Gerraty * 441*0957b409SSimon J. Gerraty * Parameters are: 442*0957b409SSimon J. Gerraty * 443*0957b409SSimon J. Gerraty * - An initialized PRNG for salt generation. If the salt length is 444*0957b409SSimon J. Gerraty * zero (`salt_len` parameter), then the PRNG is optional (this is 445*0957b409SSimon J. Gerraty * not the typical case, as the security proof of RSA/PSS is 446*0957b409SSimon J. Gerraty * tighter when a non-empty salt is used). 447*0957b409SSimon J. Gerraty * 448*0957b409SSimon J. Gerraty * - The hash function which was used to hash the message. 449*0957b409SSimon J. Gerraty * 450*0957b409SSimon J. Gerraty * - The hash function to use with MGF1 within the PSS padding. This 451*0957b409SSimon J. Gerraty * is not necessarily the same function as the one used to hash the 452*0957b409SSimon J. Gerraty * message. 453*0957b409SSimon J. Gerraty * 454*0957b409SSimon J. Gerraty * - The hashed message. 455*0957b409SSimon J. Gerraty * 456*0957b409SSimon J. Gerraty * - The salt length, in bytes. 457*0957b409SSimon J. Gerraty * 458*0957b409SSimon J. Gerraty * - The RSA private key. 459*0957b409SSimon J. Gerraty * 460*0957b409SSimon J. Gerraty * - The output buffer, that receives the signature. 461*0957b409SSimon J. Gerraty * 462*0957b409SSimon J. Gerraty * Returned value is 1 on success, 0 on error. Error conditions include 463*0957b409SSimon J. Gerraty * a too small modulus for the provided hash and salt lengths, or some 464*0957b409SSimon J. Gerraty * invalid key parameters. The signature length is exactly 465*0957b409SSimon J. Gerraty * `(sk->n_bitlen+7)/8` bytes. 466*0957b409SSimon J. Gerraty * 467*0957b409SSimon J. Gerraty * This function is expected to be constant-time with regards to the 468*0957b409SSimon J. Gerraty * private key bytes (lengths of the modulus and the individual factors 469*0957b409SSimon J. Gerraty * may leak, though) and to the hashed data. 470*0957b409SSimon J. Gerraty * 471*0957b409SSimon J. Gerraty * \param rng PRNG for salt generation (`NULL` if `salt_len` is zero). 472*0957b409SSimon J. Gerraty * \param hf_data hash function used to hash the signed data. 473*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 474*0957b409SSimon J. Gerraty * \param hash hashed message. 475*0957b409SSimon J. Gerraty * \param salt_len salt length (in bytes). 476*0957b409SSimon J. Gerraty * \param sk RSA private key. 477*0957b409SSimon J. Gerraty * \param x output buffer for the signature value. 478*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 479*0957b409SSimon J. Gerraty */ 480*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_pss_sign)(const br_prng_class **rng, 481*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 482*0957b409SSimon J. Gerraty const unsigned char *hash_value, size_t salt_len, 483*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 484*0957b409SSimon J. Gerraty 485*0957b409SSimon J. Gerraty /** 486*0957b409SSimon J. Gerraty * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures). 487*0957b409SSimon J. Gerraty */ 488*0957b409SSimon J. Gerraty #define BR_HASH_OID_SHA1 \ 489*0957b409SSimon J. Gerraty ((const unsigned char *)"\x05\x2B\x0E\x03\x02\x1A") 490*0957b409SSimon J. Gerraty 491*0957b409SSimon J. Gerraty /** 492*0957b409SSimon J. Gerraty * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures). 493*0957b409SSimon J. Gerraty */ 494*0957b409SSimon J. Gerraty #define BR_HASH_OID_SHA224 \ 495*0957b409SSimon J. Gerraty ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04") 496*0957b409SSimon J. Gerraty 497*0957b409SSimon J. Gerraty /** 498*0957b409SSimon J. Gerraty * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures). 499*0957b409SSimon J. Gerraty */ 500*0957b409SSimon J. Gerraty #define BR_HASH_OID_SHA256 \ 501*0957b409SSimon J. Gerraty ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01") 502*0957b409SSimon J. Gerraty 503*0957b409SSimon J. Gerraty /** 504*0957b409SSimon J. Gerraty * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures). 505*0957b409SSimon J. Gerraty */ 506*0957b409SSimon J. Gerraty #define BR_HASH_OID_SHA384 \ 507*0957b409SSimon J. Gerraty ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02") 508*0957b409SSimon J. Gerraty 509*0957b409SSimon J. Gerraty /** 510*0957b409SSimon J. Gerraty * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures). 511*0957b409SSimon J. Gerraty */ 512*0957b409SSimon J. Gerraty #define BR_HASH_OID_SHA512 \ 513*0957b409SSimon J. Gerraty ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03") 514*0957b409SSimon J. Gerraty 515*0957b409SSimon J. Gerraty /** 516*0957b409SSimon J. Gerraty * \brief Type for a RSA decryption engine (OAEP). 517*0957b409SSimon J. Gerraty * 518*0957b409SSimon J. Gerraty * Parameters are: 519*0957b409SSimon J. Gerraty * 520*0957b409SSimon J. Gerraty * - A hash function, used internally with the mask generation function 521*0957b409SSimon J. Gerraty * (MGF1). 522*0957b409SSimon J. Gerraty * 523*0957b409SSimon J. Gerraty * - A label. The `label` pointer may be `NULL` if `label_len` is zero 524*0957b409SSimon J. Gerraty * (an empty label, which is the default in PKCS#1 v2.2). 525*0957b409SSimon J. Gerraty * 526*0957b409SSimon J. Gerraty * - The private key. 527*0957b409SSimon J. Gerraty * 528*0957b409SSimon J. Gerraty * - The source and destination buffer. The buffer initially contains 529*0957b409SSimon J. Gerraty * the encrypted message; the buffer contents are altered, and the 530*0957b409SSimon J. Gerraty * decrypted message is written at the start of that buffer 531*0957b409SSimon J. Gerraty * (decrypted message is always shorter than the encrypted message). 532*0957b409SSimon J. Gerraty * 533*0957b409SSimon J. Gerraty * If decryption fails in any way, then `*len` is unmodified, and the 534*0957b409SSimon J. Gerraty * function returns 0. Otherwise, `*len` is set to the decrypted message 535*0957b409SSimon J. Gerraty * length, and 1 is returned. The implementation is responsible for 536*0957b409SSimon J. Gerraty * checking that the input message length matches the key modulus length, 537*0957b409SSimon J. Gerraty * and that the padding is correct. 538*0957b409SSimon J. Gerraty * 539*0957b409SSimon J. Gerraty * Implementations MUST use constant-time check of the validity of the 540*0957b409SSimon J. Gerraty * OAEP padding, at least until the leading byte and hash value have 541*0957b409SSimon J. Gerraty * been checked. Whether overall decryption worked, and the length of 542*0957b409SSimon J. Gerraty * the decrypted message, may leak. 543*0957b409SSimon J. Gerraty * 544*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 545*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 546*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 547*0957b409SSimon J. Gerraty * \param sk RSA private key. 548*0957b409SSimon J. Gerraty * \param data input/output buffer. 549*0957b409SSimon J. Gerraty * \param len encrypted/decrypted message length. 550*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 551*0957b409SSimon J. Gerraty */ 552*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_oaep_decrypt)( 553*0957b409SSimon J. Gerraty const br_hash_class *dig, const void *label, size_t label_len, 554*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, void *data, size_t *len); 555*0957b409SSimon J. Gerraty 556*0957b409SSimon J. Gerraty /* 557*0957b409SSimon J. Gerraty * RSA "i32" engine. Integers are internally represented as arrays of 558*0957b409SSimon J. Gerraty * 32-bit integers, and the core multiplication primitive is the 559*0957b409SSimon J. Gerraty * 32x32->64 multiplication. 560*0957b409SSimon J. Gerraty */ 561*0957b409SSimon J. Gerraty 562*0957b409SSimon J. Gerraty /** 563*0957b409SSimon J. Gerraty * \brief RSA public key engine "i32". 564*0957b409SSimon J. Gerraty * 565*0957b409SSimon J. Gerraty * \see br_rsa_public 566*0957b409SSimon J. Gerraty * 567*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 568*0957b409SSimon J. Gerraty * \param xlen length of the operand (in bytes). 569*0957b409SSimon J. Gerraty * \param pk RSA public key. 570*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 571*0957b409SSimon J. Gerraty */ 572*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_public(unsigned char *x, size_t xlen, 573*0957b409SSimon J. Gerraty const br_rsa_public_key *pk); 574*0957b409SSimon J. Gerraty 575*0957b409SSimon J. Gerraty /** 576*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i32" (PKCS#1 v1.5 signatures). 577*0957b409SSimon J. Gerraty * 578*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_vrfy 579*0957b409SSimon J. Gerraty * 580*0957b409SSimon J. Gerraty * \param x signature buffer. 581*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 582*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 583*0957b409SSimon J. Gerraty * \param hash_len expected hash value length (in bytes). 584*0957b409SSimon J. Gerraty * \param pk RSA public key. 585*0957b409SSimon J. Gerraty * \param hash_out output buffer for the hash value. 586*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 587*0957b409SSimon J. Gerraty */ 588*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_pkcs1_vrfy(const unsigned char *x, size_t xlen, 589*0957b409SSimon J. Gerraty const unsigned char *hash_oid, size_t hash_len, 590*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, unsigned char *hash_out); 591*0957b409SSimon J. Gerraty 592*0957b409SSimon J. Gerraty /** 593*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i32" (PSS signatures). 594*0957b409SSimon J. Gerraty * 595*0957b409SSimon J. Gerraty * \see br_rsa_pss_vrfy 596*0957b409SSimon J. Gerraty * 597*0957b409SSimon J. Gerraty * \param x signature buffer. 598*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 599*0957b409SSimon J. Gerraty * \param hf_data hash function applied on the message. 600*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 601*0957b409SSimon J. Gerraty * \param hash hash value of the signed message. 602*0957b409SSimon J. Gerraty * \param salt_len PSS salt length (in bytes). 603*0957b409SSimon J. Gerraty * \param pk RSA public key. 604*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 605*0957b409SSimon J. Gerraty */ 606*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_pss_vrfy(const unsigned char *x, size_t xlen, 607*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 608*0957b409SSimon J. Gerraty const void *hash, size_t salt_len, const br_rsa_public_key *pk); 609*0957b409SSimon J. Gerraty 610*0957b409SSimon J. Gerraty /** 611*0957b409SSimon J. Gerraty * \brief RSA private key engine "i32". 612*0957b409SSimon J. Gerraty * 613*0957b409SSimon J. Gerraty * \see br_rsa_private 614*0957b409SSimon J. Gerraty * 615*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 616*0957b409SSimon J. Gerraty * \param sk RSA private key. 617*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 618*0957b409SSimon J. Gerraty */ 619*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_private(unsigned char *x, 620*0957b409SSimon J. Gerraty const br_rsa_private_key *sk); 621*0957b409SSimon J. Gerraty 622*0957b409SSimon J. Gerraty /** 623*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i32" (PKCS#1 v1.5 signatures). 624*0957b409SSimon J. Gerraty * 625*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_sign 626*0957b409SSimon J. Gerraty * 627*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 628*0957b409SSimon J. Gerraty * \param hash hash value. 629*0957b409SSimon J. Gerraty * \param hash_len hash value length (in bytes). 630*0957b409SSimon J. Gerraty * \param sk RSA private key. 631*0957b409SSimon J. Gerraty * \param x output buffer for the hash value. 632*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 633*0957b409SSimon J. Gerraty */ 634*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_pkcs1_sign(const unsigned char *hash_oid, 635*0957b409SSimon J. Gerraty const unsigned char *hash, size_t hash_len, 636*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 637*0957b409SSimon J. Gerraty 638*0957b409SSimon J. Gerraty /** 639*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i32" (PSS signatures). 640*0957b409SSimon J. Gerraty * 641*0957b409SSimon J. Gerraty * \see br_rsa_pss_sign 642*0957b409SSimon J. Gerraty * 643*0957b409SSimon J. Gerraty * \param rng PRNG for salt generation (`NULL` if `salt_len` is zero). 644*0957b409SSimon J. Gerraty * \param hf_data hash function used to hash the signed data. 645*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 646*0957b409SSimon J. Gerraty * \param hash hashed message. 647*0957b409SSimon J. Gerraty * \param salt_len salt length (in bytes). 648*0957b409SSimon J. Gerraty * \param sk RSA private key. 649*0957b409SSimon J. Gerraty * \param x output buffer for the signature value. 650*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 651*0957b409SSimon J. Gerraty */ 652*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_pss_sign(const br_prng_class **rng, 653*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 654*0957b409SSimon J. Gerraty const unsigned char *hash_value, size_t salt_len, 655*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 656*0957b409SSimon J. Gerraty 657*0957b409SSimon J. Gerraty /* 658*0957b409SSimon J. Gerraty * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit 659*0957b409SSimon J. Gerraty * word. This uses slightly more stack space (about 4% more) and code 660*0957b409SSimon J. Gerraty * space, but it quite faster. 661*0957b409SSimon J. Gerraty */ 662*0957b409SSimon J. Gerraty 663*0957b409SSimon J. Gerraty /** 664*0957b409SSimon J. Gerraty * \brief RSA public key engine "i31". 665*0957b409SSimon J. Gerraty * 666*0957b409SSimon J. Gerraty * \see br_rsa_public 667*0957b409SSimon J. Gerraty * 668*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 669*0957b409SSimon J. Gerraty * \param xlen length of the operand (in bytes). 670*0957b409SSimon J. Gerraty * \param pk RSA public key. 671*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 672*0957b409SSimon J. Gerraty */ 673*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_public(unsigned char *x, size_t xlen, 674*0957b409SSimon J. Gerraty const br_rsa_public_key *pk); 675*0957b409SSimon J. Gerraty 676*0957b409SSimon J. Gerraty /** 677*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i31" (PKCS#1 v1.5 signatures). 678*0957b409SSimon J. Gerraty * 679*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_vrfy 680*0957b409SSimon J. Gerraty * 681*0957b409SSimon J. Gerraty * \param x signature buffer. 682*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 683*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 684*0957b409SSimon J. Gerraty * \param hash_len expected hash value length (in bytes). 685*0957b409SSimon J. Gerraty * \param pk RSA public key. 686*0957b409SSimon J. Gerraty * \param hash_out output buffer for the hash value. 687*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 688*0957b409SSimon J. Gerraty */ 689*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_pkcs1_vrfy(const unsigned char *x, size_t xlen, 690*0957b409SSimon J. Gerraty const unsigned char *hash_oid, size_t hash_len, 691*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, unsigned char *hash_out); 692*0957b409SSimon J. Gerraty 693*0957b409SSimon J. Gerraty /** 694*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i31" (PSS signatures). 695*0957b409SSimon J. Gerraty * 696*0957b409SSimon J. Gerraty * \see br_rsa_pss_vrfy 697*0957b409SSimon J. Gerraty * 698*0957b409SSimon J. Gerraty * \param x signature buffer. 699*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 700*0957b409SSimon J. Gerraty * \param hf_data hash function applied on the message. 701*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 702*0957b409SSimon J. Gerraty * \param hash hash value of the signed message. 703*0957b409SSimon J. Gerraty * \param salt_len PSS salt length (in bytes). 704*0957b409SSimon J. Gerraty * \param pk RSA public key. 705*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 706*0957b409SSimon J. Gerraty */ 707*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_pss_vrfy(const unsigned char *x, size_t xlen, 708*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 709*0957b409SSimon J. Gerraty const void *hash, size_t salt_len, const br_rsa_public_key *pk); 710*0957b409SSimon J. Gerraty 711*0957b409SSimon J. Gerraty /** 712*0957b409SSimon J. Gerraty * \brief RSA private key engine "i31". 713*0957b409SSimon J. Gerraty * 714*0957b409SSimon J. Gerraty * \see br_rsa_private 715*0957b409SSimon J. Gerraty * 716*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 717*0957b409SSimon J. Gerraty * \param sk RSA private key. 718*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 719*0957b409SSimon J. Gerraty */ 720*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_private(unsigned char *x, 721*0957b409SSimon J. Gerraty const br_rsa_private_key *sk); 722*0957b409SSimon J. Gerraty 723*0957b409SSimon J. Gerraty /** 724*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i31" (PKCS#1 v1.5 signatures). 725*0957b409SSimon J. Gerraty * 726*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_sign 727*0957b409SSimon J. Gerraty * 728*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 729*0957b409SSimon J. Gerraty * \param hash hash value. 730*0957b409SSimon J. Gerraty * \param hash_len hash value length (in bytes). 731*0957b409SSimon J. Gerraty * \param sk RSA private key. 732*0957b409SSimon J. Gerraty * \param x output buffer for the hash value. 733*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 734*0957b409SSimon J. Gerraty */ 735*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_pkcs1_sign(const unsigned char *hash_oid, 736*0957b409SSimon J. Gerraty const unsigned char *hash, size_t hash_len, 737*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 738*0957b409SSimon J. Gerraty 739*0957b409SSimon J. Gerraty /** 740*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i31" (PSS signatures). 741*0957b409SSimon J. Gerraty * 742*0957b409SSimon J. Gerraty * \see br_rsa_pss_sign 743*0957b409SSimon J. Gerraty * 744*0957b409SSimon J. Gerraty * \param rng PRNG for salt generation (`NULL` if `salt_len` is zero). 745*0957b409SSimon J. Gerraty * \param hf_data hash function used to hash the signed data. 746*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 747*0957b409SSimon J. Gerraty * \param hash hashed message. 748*0957b409SSimon J. Gerraty * \param salt_len salt length (in bytes). 749*0957b409SSimon J. Gerraty * \param sk RSA private key. 750*0957b409SSimon J. Gerraty * \param x output buffer for the signature value. 751*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 752*0957b409SSimon J. Gerraty */ 753*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_pss_sign(const br_prng_class **rng, 754*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 755*0957b409SSimon J. Gerraty const unsigned char *hash_value, size_t salt_len, 756*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 757*0957b409SSimon J. Gerraty 758*0957b409SSimon J. Gerraty /* 759*0957b409SSimon J. Gerraty * RSA "i62" engine. Similar to i31, but internal multiplication use 760*0957b409SSimon J. Gerraty * 64x64->128 multiplications. This is available only on architecture 761*0957b409SSimon J. Gerraty * that offer such an opcode. 762*0957b409SSimon J. Gerraty */ 763*0957b409SSimon J. Gerraty 764*0957b409SSimon J. Gerraty /** 765*0957b409SSimon J. Gerraty * \brief RSA public key engine "i62". 766*0957b409SSimon J. Gerraty * 767*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 768*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_public_get()` to dynamically obtain a pointer 769*0957b409SSimon J. Gerraty * to that function. 770*0957b409SSimon J. Gerraty * 771*0957b409SSimon J. Gerraty * \see br_rsa_public 772*0957b409SSimon J. Gerraty * 773*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 774*0957b409SSimon J. Gerraty * \param xlen length of the operand (in bytes). 775*0957b409SSimon J. Gerraty * \param pk RSA public key. 776*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 777*0957b409SSimon J. Gerraty */ 778*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_public(unsigned char *x, size_t xlen, 779*0957b409SSimon J. Gerraty const br_rsa_public_key *pk); 780*0957b409SSimon J. Gerraty 781*0957b409SSimon J. Gerraty /** 782*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i62" (PKCS#1 v1.5 signatures). 783*0957b409SSimon J. Gerraty * 784*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 785*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_pkcs1_vrfy_get()` to dynamically obtain a pointer 786*0957b409SSimon J. Gerraty * to that function. 787*0957b409SSimon J. Gerraty * 788*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_vrfy 789*0957b409SSimon J. Gerraty * 790*0957b409SSimon J. Gerraty * \param x signature buffer. 791*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 792*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 793*0957b409SSimon J. Gerraty * \param hash_len expected hash value length (in bytes). 794*0957b409SSimon J. Gerraty * \param pk RSA public key. 795*0957b409SSimon J. Gerraty * \param hash_out output buffer for the hash value. 796*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 797*0957b409SSimon J. Gerraty */ 798*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_pkcs1_vrfy(const unsigned char *x, size_t xlen, 799*0957b409SSimon J. Gerraty const unsigned char *hash_oid, size_t hash_len, 800*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, unsigned char *hash_out); 801*0957b409SSimon J. Gerraty 802*0957b409SSimon J. Gerraty /** 803*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i62" (PSS signatures). 804*0957b409SSimon J. Gerraty * 805*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 806*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_pss_vrfy_get()` to dynamically obtain a pointer 807*0957b409SSimon J. Gerraty * to that function. 808*0957b409SSimon J. Gerraty * 809*0957b409SSimon J. Gerraty * \see br_rsa_pss_vrfy 810*0957b409SSimon J. Gerraty * 811*0957b409SSimon J. Gerraty * \param x signature buffer. 812*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 813*0957b409SSimon J. Gerraty * \param hf_data hash function applied on the message. 814*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 815*0957b409SSimon J. Gerraty * \param hash hash value of the signed message. 816*0957b409SSimon J. Gerraty * \param salt_len PSS salt length (in bytes). 817*0957b409SSimon J. Gerraty * \param pk RSA public key. 818*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 819*0957b409SSimon J. Gerraty */ 820*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_pss_vrfy(const unsigned char *x, size_t xlen, 821*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 822*0957b409SSimon J. Gerraty const void *hash, size_t salt_len, const br_rsa_public_key *pk); 823*0957b409SSimon J. Gerraty 824*0957b409SSimon J. Gerraty /** 825*0957b409SSimon J. Gerraty * \brief RSA private key engine "i62". 826*0957b409SSimon J. Gerraty * 827*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 828*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_private_get()` to dynamically obtain a pointer 829*0957b409SSimon J. Gerraty * to that function. 830*0957b409SSimon J. Gerraty * 831*0957b409SSimon J. Gerraty * \see br_rsa_private 832*0957b409SSimon J. Gerraty * 833*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 834*0957b409SSimon J. Gerraty * \param sk RSA private key. 835*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 836*0957b409SSimon J. Gerraty */ 837*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_private(unsigned char *x, 838*0957b409SSimon J. Gerraty const br_rsa_private_key *sk); 839*0957b409SSimon J. Gerraty 840*0957b409SSimon J. Gerraty /** 841*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i62" (PKCS#1 v1.5 signatures). 842*0957b409SSimon J. Gerraty * 843*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 844*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_pkcs1_sign_get()` to dynamically obtain a pointer 845*0957b409SSimon J. Gerraty * to that function. 846*0957b409SSimon J. Gerraty * 847*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_sign 848*0957b409SSimon J. Gerraty * 849*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 850*0957b409SSimon J. Gerraty * \param hash hash value. 851*0957b409SSimon J. Gerraty * \param hash_len hash value length (in bytes). 852*0957b409SSimon J. Gerraty * \param sk RSA private key. 853*0957b409SSimon J. Gerraty * \param x output buffer for the hash value. 854*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 855*0957b409SSimon J. Gerraty */ 856*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_pkcs1_sign(const unsigned char *hash_oid, 857*0957b409SSimon J. Gerraty const unsigned char *hash, size_t hash_len, 858*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 859*0957b409SSimon J. Gerraty 860*0957b409SSimon J. Gerraty /** 861*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i62" (PSS signatures). 862*0957b409SSimon J. Gerraty * 863*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 864*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_pss_sign_get()` to dynamically obtain a pointer 865*0957b409SSimon J. Gerraty * to that function. 866*0957b409SSimon J. Gerraty * 867*0957b409SSimon J. Gerraty * \see br_rsa_pss_sign 868*0957b409SSimon J. Gerraty * 869*0957b409SSimon J. Gerraty * \param rng PRNG for salt generation (`NULL` if `salt_len` is zero). 870*0957b409SSimon J. Gerraty * \param hf_data hash function used to hash the signed data. 871*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 872*0957b409SSimon J. Gerraty * \param hash hashed message. 873*0957b409SSimon J. Gerraty * \param salt_len salt length (in bytes). 874*0957b409SSimon J. Gerraty * \param sk RSA private key. 875*0957b409SSimon J. Gerraty * \param x output buffer for the signature value. 876*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 877*0957b409SSimon J. Gerraty */ 878*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_pss_sign(const br_prng_class **rng, 879*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 880*0957b409SSimon J. Gerraty const unsigned char *hash_value, size_t salt_len, 881*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 882*0957b409SSimon J. Gerraty 883*0957b409SSimon J. Gerraty /** 884*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (public key operations), 885*0957b409SSimon J. Gerraty * if available. 886*0957b409SSimon J. Gerraty * 887*0957b409SSimon J. Gerraty * \return the implementation, or 0. 888*0957b409SSimon J. Gerraty */ 889*0957b409SSimon J. Gerraty br_rsa_public br_rsa_i62_public_get(void); 890*0957b409SSimon J. Gerraty 891*0957b409SSimon J. Gerraty /** 892*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature verification), 893*0957b409SSimon J. Gerraty * if available. 894*0957b409SSimon J. Gerraty * 895*0957b409SSimon J. Gerraty * \return the implementation, or 0. 896*0957b409SSimon J. Gerraty */ 897*0957b409SSimon J. Gerraty br_rsa_pkcs1_vrfy br_rsa_i62_pkcs1_vrfy_get(void); 898*0957b409SSimon J. Gerraty 899*0957b409SSimon J. Gerraty /** 900*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (PSS signature verification), 901*0957b409SSimon J. Gerraty * if available. 902*0957b409SSimon J. Gerraty * 903*0957b409SSimon J. Gerraty * \return the implementation, or 0. 904*0957b409SSimon J. Gerraty */ 905*0957b409SSimon J. Gerraty br_rsa_pss_vrfy br_rsa_i62_pss_vrfy_get(void); 906*0957b409SSimon J. Gerraty 907*0957b409SSimon J. Gerraty /** 908*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (private key operations), 909*0957b409SSimon J. Gerraty * if available. 910*0957b409SSimon J. Gerraty * 911*0957b409SSimon J. Gerraty * \return the implementation, or 0. 912*0957b409SSimon J. Gerraty */ 913*0957b409SSimon J. Gerraty br_rsa_private br_rsa_i62_private_get(void); 914*0957b409SSimon J. Gerraty 915*0957b409SSimon J. Gerraty /** 916*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature generation), 917*0957b409SSimon J. Gerraty * if available. 918*0957b409SSimon J. Gerraty * 919*0957b409SSimon J. Gerraty * \return the implementation, or 0. 920*0957b409SSimon J. Gerraty */ 921*0957b409SSimon J. Gerraty br_rsa_pkcs1_sign br_rsa_i62_pkcs1_sign_get(void); 922*0957b409SSimon J. Gerraty 923*0957b409SSimon J. Gerraty /** 924*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (PSS signature generation), 925*0957b409SSimon J. Gerraty * if available. 926*0957b409SSimon J. Gerraty * 927*0957b409SSimon J. Gerraty * \return the implementation, or 0. 928*0957b409SSimon J. Gerraty */ 929*0957b409SSimon J. Gerraty br_rsa_pss_sign br_rsa_i62_pss_sign_get(void); 930*0957b409SSimon J. Gerraty 931*0957b409SSimon J. Gerraty /** 932*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (OAEP encryption), 933*0957b409SSimon J. Gerraty * if available. 934*0957b409SSimon J. Gerraty * 935*0957b409SSimon J. Gerraty * \return the implementation, or 0. 936*0957b409SSimon J. Gerraty */ 937*0957b409SSimon J. Gerraty br_rsa_oaep_encrypt br_rsa_i62_oaep_encrypt_get(void); 938*0957b409SSimon J. Gerraty 939*0957b409SSimon J. Gerraty /** 940*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (OAEP decryption), 941*0957b409SSimon J. Gerraty * if available. 942*0957b409SSimon J. Gerraty * 943*0957b409SSimon J. Gerraty * \return the implementation, or 0. 944*0957b409SSimon J. Gerraty */ 945*0957b409SSimon J. Gerraty br_rsa_oaep_decrypt br_rsa_i62_oaep_decrypt_get(void); 946*0957b409SSimon J. Gerraty 947*0957b409SSimon J. Gerraty /* 948*0957b409SSimon J. Gerraty * RSA "i15" engine. Integers are represented as 15-bit integers, so 949*0957b409SSimon J. Gerraty * the code uses only 32-bit multiplication (no 64-bit result), which 950*0957b409SSimon J. Gerraty * is vastly faster (and constant-time) on the ARM Cortex M0/M0+. 951*0957b409SSimon J. Gerraty */ 952*0957b409SSimon J. Gerraty 953*0957b409SSimon J. Gerraty /** 954*0957b409SSimon J. Gerraty * \brief RSA public key engine "i15". 955*0957b409SSimon J. Gerraty * 956*0957b409SSimon J. Gerraty * \see br_rsa_public 957*0957b409SSimon J. Gerraty * 958*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 959*0957b409SSimon J. Gerraty * \param xlen length of the operand (in bytes). 960*0957b409SSimon J. Gerraty * \param pk RSA public key. 961*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 962*0957b409SSimon J. Gerraty */ 963*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_public(unsigned char *x, size_t xlen, 964*0957b409SSimon J. Gerraty const br_rsa_public_key *pk); 965*0957b409SSimon J. Gerraty 966*0957b409SSimon J. Gerraty /** 967*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i15" (PKCS#1 v1.5 signatures). 968*0957b409SSimon J. Gerraty * 969*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_vrfy 970*0957b409SSimon J. Gerraty * 971*0957b409SSimon J. Gerraty * \param x signature buffer. 972*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 973*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 974*0957b409SSimon J. Gerraty * \param hash_len expected hash value length (in bytes). 975*0957b409SSimon J. Gerraty * \param pk RSA public key. 976*0957b409SSimon J. Gerraty * \param hash_out output buffer for the hash value. 977*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 978*0957b409SSimon J. Gerraty */ 979*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_pkcs1_vrfy(const unsigned char *x, size_t xlen, 980*0957b409SSimon J. Gerraty const unsigned char *hash_oid, size_t hash_len, 981*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, unsigned char *hash_out); 982*0957b409SSimon J. Gerraty 983*0957b409SSimon J. Gerraty /** 984*0957b409SSimon J. Gerraty * \brief RSA signature verification engine "i15" (PSS signatures). 985*0957b409SSimon J. Gerraty * 986*0957b409SSimon J. Gerraty * \see br_rsa_pss_vrfy 987*0957b409SSimon J. Gerraty * 988*0957b409SSimon J. Gerraty * \param x signature buffer. 989*0957b409SSimon J. Gerraty * \param xlen signature length (in bytes). 990*0957b409SSimon J. Gerraty * \param hf_data hash function applied on the message. 991*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 992*0957b409SSimon J. Gerraty * \param hash hash value of the signed message. 993*0957b409SSimon J. Gerraty * \param salt_len PSS salt length (in bytes). 994*0957b409SSimon J. Gerraty * \param pk RSA public key. 995*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 996*0957b409SSimon J. Gerraty */ 997*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_pss_vrfy(const unsigned char *x, size_t xlen, 998*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 999*0957b409SSimon J. Gerraty const void *hash, size_t salt_len, const br_rsa_public_key *pk); 1000*0957b409SSimon J. Gerraty 1001*0957b409SSimon J. Gerraty /** 1002*0957b409SSimon J. Gerraty * \brief RSA private key engine "i15". 1003*0957b409SSimon J. Gerraty * 1004*0957b409SSimon J. Gerraty * \see br_rsa_private 1005*0957b409SSimon J. Gerraty * 1006*0957b409SSimon J. Gerraty * \param x operand to exponentiate. 1007*0957b409SSimon J. Gerraty * \param sk RSA private key. 1008*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1009*0957b409SSimon J. Gerraty */ 1010*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_private(unsigned char *x, 1011*0957b409SSimon J. Gerraty const br_rsa_private_key *sk); 1012*0957b409SSimon J. Gerraty 1013*0957b409SSimon J. Gerraty /** 1014*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i15" (PKCS#1 v1.5 signatures). 1015*0957b409SSimon J. Gerraty * 1016*0957b409SSimon J. Gerraty * \see br_rsa_pkcs1_sign 1017*0957b409SSimon J. Gerraty * 1018*0957b409SSimon J. Gerraty * \param hash_oid encoded hash algorithm OID (or `NULL`). 1019*0957b409SSimon J. Gerraty * \param hash hash value. 1020*0957b409SSimon J. Gerraty * \param hash_len hash value length (in bytes). 1021*0957b409SSimon J. Gerraty * \param sk RSA private key. 1022*0957b409SSimon J. Gerraty * \param x output buffer for the hash value. 1023*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1024*0957b409SSimon J. Gerraty */ 1025*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_pkcs1_sign(const unsigned char *hash_oid, 1026*0957b409SSimon J. Gerraty const unsigned char *hash, size_t hash_len, 1027*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 1028*0957b409SSimon J. Gerraty 1029*0957b409SSimon J. Gerraty /** 1030*0957b409SSimon J. Gerraty * \brief RSA signature generation engine "i15" (PSS signatures). 1031*0957b409SSimon J. Gerraty * 1032*0957b409SSimon J. Gerraty * \see br_rsa_pss_sign 1033*0957b409SSimon J. Gerraty * 1034*0957b409SSimon J. Gerraty * \param rng PRNG for salt generation (`NULL` if `salt_len` is zero). 1035*0957b409SSimon J. Gerraty * \param hf_data hash function used to hash the signed data. 1036*0957b409SSimon J. Gerraty * \param hf_mgf1 hash function to use with MGF1. 1037*0957b409SSimon J. Gerraty * \param hash hashed message. 1038*0957b409SSimon J. Gerraty * \param salt_len salt length (in bytes). 1039*0957b409SSimon J. Gerraty * \param sk RSA private key. 1040*0957b409SSimon J. Gerraty * \param x output buffer for the signature value. 1041*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1042*0957b409SSimon J. Gerraty */ 1043*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_pss_sign(const br_prng_class **rng, 1044*0957b409SSimon J. Gerraty const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 1045*0957b409SSimon J. Gerraty const unsigned char *hash_value, size_t salt_len, 1046*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, unsigned char *x); 1047*0957b409SSimon J. Gerraty 1048*0957b409SSimon J. Gerraty /** 1049*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (public-key operations). 1050*0957b409SSimon J. Gerraty * 1051*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (public-key operations) 1052*0957b409SSimon J. Gerraty * on the current system. 1053*0957b409SSimon J. Gerraty * 1054*0957b409SSimon J. Gerraty * \return the default implementation. 1055*0957b409SSimon J. Gerraty */ 1056*0957b409SSimon J. Gerraty br_rsa_public br_rsa_public_get_default(void); 1057*0957b409SSimon J. Gerraty 1058*0957b409SSimon J. Gerraty /** 1059*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (private-key operations). 1060*0957b409SSimon J. Gerraty * 1061*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (private-key operations) 1062*0957b409SSimon J. Gerraty * on the current system. 1063*0957b409SSimon J. Gerraty * 1064*0957b409SSimon J. Gerraty * \return the default implementation. 1065*0957b409SSimon J. Gerraty */ 1066*0957b409SSimon J. Gerraty br_rsa_private br_rsa_private_get_default(void); 1067*0957b409SSimon J. Gerraty 1068*0957b409SSimon J. Gerraty /** 1069*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature verification). 1070*0957b409SSimon J. Gerraty * 1071*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (signature verification) 1072*0957b409SSimon J. Gerraty * on the current system. 1073*0957b409SSimon J. Gerraty * 1074*0957b409SSimon J. Gerraty * \return the default implementation. 1075*0957b409SSimon J. Gerraty */ 1076*0957b409SSimon J. Gerraty br_rsa_pkcs1_vrfy br_rsa_pkcs1_vrfy_get_default(void); 1077*0957b409SSimon J. Gerraty 1078*0957b409SSimon J. Gerraty /** 1079*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (PSS signature verification). 1080*0957b409SSimon J. Gerraty * 1081*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (signature verification) 1082*0957b409SSimon J. Gerraty * on the current system. 1083*0957b409SSimon J. Gerraty * 1084*0957b409SSimon J. Gerraty * \return the default implementation. 1085*0957b409SSimon J. Gerraty */ 1086*0957b409SSimon J. Gerraty br_rsa_pss_vrfy br_rsa_pss_vrfy_get_default(void); 1087*0957b409SSimon J. Gerraty 1088*0957b409SSimon J. Gerraty /** 1089*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature generation). 1090*0957b409SSimon J. Gerraty * 1091*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (signature generation) 1092*0957b409SSimon J. Gerraty * on the current system. 1093*0957b409SSimon J. Gerraty * 1094*0957b409SSimon J. Gerraty * \return the default implementation. 1095*0957b409SSimon J. Gerraty */ 1096*0957b409SSimon J. Gerraty br_rsa_pkcs1_sign br_rsa_pkcs1_sign_get_default(void); 1097*0957b409SSimon J. Gerraty 1098*0957b409SSimon J. Gerraty /** 1099*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (PSS signature generation). 1100*0957b409SSimon J. Gerraty * 1101*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (signature generation) 1102*0957b409SSimon J. Gerraty * on the current system. 1103*0957b409SSimon J. Gerraty * 1104*0957b409SSimon J. Gerraty * \return the default implementation. 1105*0957b409SSimon J. Gerraty */ 1106*0957b409SSimon J. Gerraty br_rsa_pss_sign br_rsa_pss_sign_get_default(void); 1107*0957b409SSimon J. Gerraty 1108*0957b409SSimon J. Gerraty /** 1109*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (OAEP encryption). 1110*0957b409SSimon J. Gerraty * 1111*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (OAEP encryption) 1112*0957b409SSimon J. Gerraty * on the current system. 1113*0957b409SSimon J. Gerraty * 1114*0957b409SSimon J. Gerraty * \return the default implementation. 1115*0957b409SSimon J. Gerraty */ 1116*0957b409SSimon J. Gerraty br_rsa_oaep_encrypt br_rsa_oaep_encrypt_get_default(void); 1117*0957b409SSimon J. Gerraty 1118*0957b409SSimon J. Gerraty /** 1119*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (OAEP decryption). 1120*0957b409SSimon J. Gerraty * 1121*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (OAEP decryption) 1122*0957b409SSimon J. Gerraty * on the current system. 1123*0957b409SSimon J. Gerraty * 1124*0957b409SSimon J. Gerraty * \return the default implementation. 1125*0957b409SSimon J. Gerraty */ 1126*0957b409SSimon J. Gerraty br_rsa_oaep_decrypt br_rsa_oaep_decrypt_get_default(void); 1127*0957b409SSimon J. Gerraty 1128*0957b409SSimon J. Gerraty /** 1129*0957b409SSimon J. Gerraty * \brief RSA decryption helper, for SSL/TLS. 1130*0957b409SSimon J. Gerraty * 1131*0957b409SSimon J. Gerraty * This function performs the RSA decryption for a RSA-based key exchange 1132*0957b409SSimon J. Gerraty * in a SSL/TLS server. The provided RSA engine is used. The `data` 1133*0957b409SSimon J. Gerraty * parameter points to the value to decrypt, of length `len` bytes. On 1134*0957b409SSimon J. Gerraty * success, the 48-byte pre-master secret is copied into `data`, starting 1135*0957b409SSimon J. Gerraty * at the first byte of that buffer; on error, the contents of `data` 1136*0957b409SSimon J. Gerraty * become indeterminate. 1137*0957b409SSimon J. Gerraty * 1138*0957b409SSimon J. Gerraty * This function first checks that the provided value length (`len`) is 1139*0957b409SSimon J. Gerraty * not lower than 59 bytes, and matches the RSA modulus length; if neither 1140*0957b409SSimon J. Gerraty * of this property is met, then this function returns 0 and the buffer 1141*0957b409SSimon J. Gerraty * is unmodified. 1142*0957b409SSimon J. Gerraty * 1143*0957b409SSimon J. Gerraty * Otherwise, decryption and then padding verification are performed, both 1144*0957b409SSimon J. Gerraty * in constant-time. A decryption error, or a bad padding, or an 1145*0957b409SSimon J. Gerraty * incorrect decrypted value length are reported with a returned value of 1146*0957b409SSimon J. Gerraty * 0; on success, 1 is returned. The caller (SSL server engine) is supposed 1147*0957b409SSimon J. Gerraty * to proceed with a random pre-master secret in case of error. 1148*0957b409SSimon J. Gerraty * 1149*0957b409SSimon J. Gerraty * \param core RSA private key engine. 1150*0957b409SSimon J. Gerraty * \param sk RSA private key. 1151*0957b409SSimon J. Gerraty * \param data input/output buffer. 1152*0957b409SSimon J. Gerraty * \param len length (in bytes) of the data to decrypt. 1153*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1154*0957b409SSimon J. Gerraty */ 1155*0957b409SSimon J. Gerraty uint32_t br_rsa_ssl_decrypt(br_rsa_private core, const br_rsa_private_key *sk, 1156*0957b409SSimon J. Gerraty unsigned char *data, size_t len); 1157*0957b409SSimon J. Gerraty 1158*0957b409SSimon J. Gerraty /** 1159*0957b409SSimon J. Gerraty * \brief RSA encryption (OAEP) with the "i15" engine. 1160*0957b409SSimon J. Gerraty * 1161*0957b409SSimon J. Gerraty * \see br_rsa_oaep_encrypt 1162*0957b409SSimon J. Gerraty * 1163*0957b409SSimon J. Gerraty * \param rnd source of random bytes. 1164*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1165*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1166*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1167*0957b409SSimon J. Gerraty * \param pk RSA public key. 1168*0957b409SSimon J. Gerraty * \param dst destination buffer. 1169*0957b409SSimon J. Gerraty * \param dst_max_len destination buffer length (maximum encrypted data size). 1170*0957b409SSimon J. Gerraty * \param src message to encrypt. 1171*0957b409SSimon J. Gerraty * \param src_len source message length (in bytes). 1172*0957b409SSimon J. Gerraty * \return encrypted message length (in bytes), or 0 on error. 1173*0957b409SSimon J. Gerraty */ 1174*0957b409SSimon J. Gerraty size_t br_rsa_i15_oaep_encrypt( 1175*0957b409SSimon J. Gerraty const br_prng_class **rnd, const br_hash_class *dig, 1176*0957b409SSimon J. Gerraty const void *label, size_t label_len, 1177*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, 1178*0957b409SSimon J. Gerraty void *dst, size_t dst_max_len, 1179*0957b409SSimon J. Gerraty const void *src, size_t src_len); 1180*0957b409SSimon J. Gerraty 1181*0957b409SSimon J. Gerraty /** 1182*0957b409SSimon J. Gerraty * \brief RSA decryption (OAEP) with the "i15" engine. 1183*0957b409SSimon J. Gerraty * 1184*0957b409SSimon J. Gerraty * \see br_rsa_oaep_decrypt 1185*0957b409SSimon J. Gerraty * 1186*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1187*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1188*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1189*0957b409SSimon J. Gerraty * \param sk RSA private key. 1190*0957b409SSimon J. Gerraty * \param data input/output buffer. 1191*0957b409SSimon J. Gerraty * \param len encrypted/decrypted message length. 1192*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1193*0957b409SSimon J. Gerraty */ 1194*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_oaep_decrypt( 1195*0957b409SSimon J. Gerraty const br_hash_class *dig, const void *label, size_t label_len, 1196*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, void *data, size_t *len); 1197*0957b409SSimon J. Gerraty 1198*0957b409SSimon J. Gerraty /** 1199*0957b409SSimon J. Gerraty * \brief RSA encryption (OAEP) with the "i31" engine. 1200*0957b409SSimon J. Gerraty * 1201*0957b409SSimon J. Gerraty * \see br_rsa_oaep_encrypt 1202*0957b409SSimon J. Gerraty * 1203*0957b409SSimon J. Gerraty * \param rnd source of random bytes. 1204*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1205*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1206*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1207*0957b409SSimon J. Gerraty * \param pk RSA public key. 1208*0957b409SSimon J. Gerraty * \param dst destination buffer. 1209*0957b409SSimon J. Gerraty * \param dst_max_len destination buffer length (maximum encrypted data size). 1210*0957b409SSimon J. Gerraty * \param src message to encrypt. 1211*0957b409SSimon J. Gerraty * \param src_len source message length (in bytes). 1212*0957b409SSimon J. Gerraty * \return encrypted message length (in bytes), or 0 on error. 1213*0957b409SSimon J. Gerraty */ 1214*0957b409SSimon J. Gerraty size_t br_rsa_i31_oaep_encrypt( 1215*0957b409SSimon J. Gerraty const br_prng_class **rnd, const br_hash_class *dig, 1216*0957b409SSimon J. Gerraty const void *label, size_t label_len, 1217*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, 1218*0957b409SSimon J. Gerraty void *dst, size_t dst_max_len, 1219*0957b409SSimon J. Gerraty const void *src, size_t src_len); 1220*0957b409SSimon J. Gerraty 1221*0957b409SSimon J. Gerraty /** 1222*0957b409SSimon J. Gerraty * \brief RSA decryption (OAEP) with the "i31" engine. 1223*0957b409SSimon J. Gerraty * 1224*0957b409SSimon J. Gerraty * \see br_rsa_oaep_decrypt 1225*0957b409SSimon J. Gerraty * 1226*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1227*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1228*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1229*0957b409SSimon J. Gerraty * \param sk RSA private key. 1230*0957b409SSimon J. Gerraty * \param data input/output buffer. 1231*0957b409SSimon J. Gerraty * \param len encrypted/decrypted message length. 1232*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1233*0957b409SSimon J. Gerraty */ 1234*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_oaep_decrypt( 1235*0957b409SSimon J. Gerraty const br_hash_class *dig, const void *label, size_t label_len, 1236*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, void *data, size_t *len); 1237*0957b409SSimon J. Gerraty 1238*0957b409SSimon J. Gerraty /** 1239*0957b409SSimon J. Gerraty * \brief RSA encryption (OAEP) with the "i32" engine. 1240*0957b409SSimon J. Gerraty * 1241*0957b409SSimon J. Gerraty * \see br_rsa_oaep_encrypt 1242*0957b409SSimon J. Gerraty * 1243*0957b409SSimon J. Gerraty * \param rnd source of random bytes. 1244*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1245*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1246*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1247*0957b409SSimon J. Gerraty * \param pk RSA public key. 1248*0957b409SSimon J. Gerraty * \param dst destination buffer. 1249*0957b409SSimon J. Gerraty * \param dst_max_len destination buffer length (maximum encrypted data size). 1250*0957b409SSimon J. Gerraty * \param src message to encrypt. 1251*0957b409SSimon J. Gerraty * \param src_len source message length (in bytes). 1252*0957b409SSimon J. Gerraty * \return encrypted message length (in bytes), or 0 on error. 1253*0957b409SSimon J. Gerraty */ 1254*0957b409SSimon J. Gerraty size_t br_rsa_i32_oaep_encrypt( 1255*0957b409SSimon J. Gerraty const br_prng_class **rnd, const br_hash_class *dig, 1256*0957b409SSimon J. Gerraty const void *label, size_t label_len, 1257*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, 1258*0957b409SSimon J. Gerraty void *dst, size_t dst_max_len, 1259*0957b409SSimon J. Gerraty const void *src, size_t src_len); 1260*0957b409SSimon J. Gerraty 1261*0957b409SSimon J. Gerraty /** 1262*0957b409SSimon J. Gerraty * \brief RSA decryption (OAEP) with the "i32" engine. 1263*0957b409SSimon J. Gerraty * 1264*0957b409SSimon J. Gerraty * \see br_rsa_oaep_decrypt 1265*0957b409SSimon J. Gerraty * 1266*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1267*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1268*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1269*0957b409SSimon J. Gerraty * \param sk RSA private key. 1270*0957b409SSimon J. Gerraty * \param data input/output buffer. 1271*0957b409SSimon J. Gerraty * \param len encrypted/decrypted message length. 1272*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1273*0957b409SSimon J. Gerraty */ 1274*0957b409SSimon J. Gerraty uint32_t br_rsa_i32_oaep_decrypt( 1275*0957b409SSimon J. Gerraty const br_hash_class *dig, const void *label, size_t label_len, 1276*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, void *data, size_t *len); 1277*0957b409SSimon J. Gerraty 1278*0957b409SSimon J. Gerraty /** 1279*0957b409SSimon J. Gerraty * \brief RSA encryption (OAEP) with the "i62" engine. 1280*0957b409SSimon J. Gerraty * 1281*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 1282*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer 1283*0957b409SSimon J. Gerraty * to that function. 1284*0957b409SSimon J. Gerraty * 1285*0957b409SSimon J. Gerraty * \see br_rsa_oaep_encrypt 1286*0957b409SSimon J. Gerraty * 1287*0957b409SSimon J. Gerraty * \param rnd source of random bytes. 1288*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1289*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1290*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1291*0957b409SSimon J. Gerraty * \param pk RSA public key. 1292*0957b409SSimon J. Gerraty * \param dst destination buffer. 1293*0957b409SSimon J. Gerraty * \param dst_max_len destination buffer length (maximum encrypted data size). 1294*0957b409SSimon J. Gerraty * \param src message to encrypt. 1295*0957b409SSimon J. Gerraty * \param src_len source message length (in bytes). 1296*0957b409SSimon J. Gerraty * \return encrypted message length (in bytes), or 0 on error. 1297*0957b409SSimon J. Gerraty */ 1298*0957b409SSimon J. Gerraty size_t br_rsa_i62_oaep_encrypt( 1299*0957b409SSimon J. Gerraty const br_prng_class **rnd, const br_hash_class *dig, 1300*0957b409SSimon J. Gerraty const void *label, size_t label_len, 1301*0957b409SSimon J. Gerraty const br_rsa_public_key *pk, 1302*0957b409SSimon J. Gerraty void *dst, size_t dst_max_len, 1303*0957b409SSimon J. Gerraty const void *src, size_t src_len); 1304*0957b409SSimon J. Gerraty 1305*0957b409SSimon J. Gerraty /** 1306*0957b409SSimon J. Gerraty * \brief RSA decryption (OAEP) with the "i62" engine. 1307*0957b409SSimon J. Gerraty * 1308*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 1309*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer 1310*0957b409SSimon J. Gerraty * to that function. 1311*0957b409SSimon J. Gerraty * 1312*0957b409SSimon J. Gerraty * \see br_rsa_oaep_decrypt 1313*0957b409SSimon J. Gerraty * 1314*0957b409SSimon J. Gerraty * \param dig hash function to use with MGF1. 1315*0957b409SSimon J. Gerraty * \param label label value (may be `NULL` if `label_len` is zero). 1316*0957b409SSimon J. Gerraty * \param label_len label length, in bytes. 1317*0957b409SSimon J. Gerraty * \param sk RSA private key. 1318*0957b409SSimon J. Gerraty * \param data input/output buffer. 1319*0957b409SSimon J. Gerraty * \param len encrypted/decrypted message length. 1320*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error. 1321*0957b409SSimon J. Gerraty */ 1322*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_oaep_decrypt( 1323*0957b409SSimon J. Gerraty const br_hash_class *dig, const void *label, size_t label_len, 1324*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, void *data, size_t *len); 1325*0957b409SSimon J. Gerraty 1326*0957b409SSimon J. Gerraty /** 1327*0957b409SSimon J. Gerraty * \brief Get buffer size to hold RSA private key elements. 1328*0957b409SSimon J. Gerraty * 1329*0957b409SSimon J. Gerraty * This macro returns the length (in bytes) of the buffer needed to 1330*0957b409SSimon J. Gerraty * receive the elements of a RSA private key, as generated by one of 1331*0957b409SSimon J. Gerraty * the `br_rsa_*_keygen()` functions. If the provided size is a constant 1332*0957b409SSimon J. Gerraty * expression, then the whole macro evaluates to a constant expression. 1333*0957b409SSimon J. Gerraty * 1334*0957b409SSimon J. Gerraty * \param size target key size (modulus size, in bits) 1335*0957b409SSimon J. Gerraty * \return the length of the private key buffer, in bytes. 1336*0957b409SSimon J. Gerraty */ 1337*0957b409SSimon J. Gerraty #define BR_RSA_KBUF_PRIV_SIZE(size) (5 * (((size) + 15) >> 4)) 1338*0957b409SSimon J. Gerraty 1339*0957b409SSimon J. Gerraty /** 1340*0957b409SSimon J. Gerraty * \brief Get buffer size to hold RSA public key elements. 1341*0957b409SSimon J. Gerraty * 1342*0957b409SSimon J. Gerraty * This macro returns the length (in bytes) of the buffer needed to 1343*0957b409SSimon J. Gerraty * receive the elements of a RSA public key, as generated by one of 1344*0957b409SSimon J. Gerraty * the `br_rsa_*_keygen()` functions. If the provided size is a constant 1345*0957b409SSimon J. Gerraty * expression, then the whole macro evaluates to a constant expression. 1346*0957b409SSimon J. Gerraty * 1347*0957b409SSimon J. Gerraty * \param size target key size (modulus size, in bits) 1348*0957b409SSimon J. Gerraty * \return the length of the public key buffer, in bytes. 1349*0957b409SSimon J. Gerraty */ 1350*0957b409SSimon J. Gerraty #define BR_RSA_KBUF_PUB_SIZE(size) (4 + (((size) + 7) >> 3)) 1351*0957b409SSimon J. Gerraty 1352*0957b409SSimon J. Gerraty /** 1353*0957b409SSimon J. Gerraty * \brief Type for RSA key pair generator implementation. 1354*0957b409SSimon J. Gerraty * 1355*0957b409SSimon J. Gerraty * This function generates a new RSA key pair whose modulus has bit 1356*0957b409SSimon J. Gerraty * length `size` bits. The private key elements are written in the 1357*0957b409SSimon J. Gerraty * `kbuf_priv` buffer, and pointer values and length fields to these 1358*0957b409SSimon J. Gerraty * elements are populated in the provided private key structure `sk`. 1359*0957b409SSimon J. Gerraty * Similarly, the public key elements are written in `kbuf_pub`, with 1360*0957b409SSimon J. Gerraty * pointers and lengths set in `pk`. 1361*0957b409SSimon J. Gerraty * 1362*0957b409SSimon J. Gerraty * If `pk` is `NULL`, then `kbuf_pub` may be `NULL`, and only the 1363*0957b409SSimon J. Gerraty * private key is set. 1364*0957b409SSimon J. Gerraty * 1365*0957b409SSimon J. Gerraty * If `pubexp` is not zero, then its value will be used as public 1366*0957b409SSimon J. Gerraty * exponent. Valid RSA public exponent values are odd integers 1367*0957b409SSimon J. Gerraty * greater than 1. If `pubexp` is zero, then the public exponent will 1368*0957b409SSimon J. Gerraty * have value 3. 1369*0957b409SSimon J. Gerraty * 1370*0957b409SSimon J. Gerraty * The provided PRNG (`rng_ctx`) must have already been initialized 1371*0957b409SSimon J. Gerraty * and seeded. 1372*0957b409SSimon J. Gerraty * 1373*0957b409SSimon J. Gerraty * Returned value is 1 on success, 0 on error. An error is reported 1374*0957b409SSimon J. Gerraty * if the requested range is outside of the supported key sizes, or 1375*0957b409SSimon J. Gerraty * if an invalid non-zero public exponent value is provided. Supported 1376*0957b409SSimon J. Gerraty * range starts at 512 bits, and up to an implementation-defined 1377*0957b409SSimon J. Gerraty * maximum (by default 4096 bits). Note that key sizes up to 768 bits 1378*0957b409SSimon J. Gerraty * have been broken in practice, and sizes lower than 2048 bits are 1379*0957b409SSimon J. Gerraty * usually considered to be weak and should not be used. 1380*0957b409SSimon J. Gerraty * 1381*0957b409SSimon J. Gerraty * \param rng_ctx source PRNG context (already initialized) 1382*0957b409SSimon J. Gerraty * \param sk RSA private key structure (destination) 1383*0957b409SSimon J. Gerraty * \param kbuf_priv buffer for private key elements 1384*0957b409SSimon J. Gerraty * \param pk RSA public key structure (destination), or `NULL` 1385*0957b409SSimon J. Gerraty * \param kbuf_pub buffer for public key elements, or `NULL` 1386*0957b409SSimon J. Gerraty * \param size target RSA modulus size (in bits) 1387*0957b409SSimon J. Gerraty * \param pubexp public exponent to use, or zero 1388*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error (invalid parameters) 1389*0957b409SSimon J. Gerraty */ 1390*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_keygen)( 1391*0957b409SSimon J. Gerraty const br_prng_class **rng_ctx, 1392*0957b409SSimon J. Gerraty br_rsa_private_key *sk, void *kbuf_priv, 1393*0957b409SSimon J. Gerraty br_rsa_public_key *pk, void *kbuf_pub, 1394*0957b409SSimon J. Gerraty unsigned size, uint32_t pubexp); 1395*0957b409SSimon J. Gerraty 1396*0957b409SSimon J. Gerraty /** 1397*0957b409SSimon J. Gerraty * \brief RSA key pair generation with the "i15" engine. 1398*0957b409SSimon J. Gerraty * 1399*0957b409SSimon J. Gerraty * \see br_rsa_keygen 1400*0957b409SSimon J. Gerraty * 1401*0957b409SSimon J. Gerraty * \param rng_ctx source PRNG context (already initialized) 1402*0957b409SSimon J. Gerraty * \param sk RSA private key structure (destination) 1403*0957b409SSimon J. Gerraty * \param kbuf_priv buffer for private key elements 1404*0957b409SSimon J. Gerraty * \param pk RSA public key structure (destination), or `NULL` 1405*0957b409SSimon J. Gerraty * \param kbuf_pub buffer for public key elements, or `NULL` 1406*0957b409SSimon J. Gerraty * \param size target RSA modulus size (in bits) 1407*0957b409SSimon J. Gerraty * \param pubexp public exponent to use, or zero 1408*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error (invalid parameters) 1409*0957b409SSimon J. Gerraty */ 1410*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_keygen( 1411*0957b409SSimon J. Gerraty const br_prng_class **rng_ctx, 1412*0957b409SSimon J. Gerraty br_rsa_private_key *sk, void *kbuf_priv, 1413*0957b409SSimon J. Gerraty br_rsa_public_key *pk, void *kbuf_pub, 1414*0957b409SSimon J. Gerraty unsigned size, uint32_t pubexp); 1415*0957b409SSimon J. Gerraty 1416*0957b409SSimon J. Gerraty /** 1417*0957b409SSimon J. Gerraty * \brief RSA key pair generation with the "i31" engine. 1418*0957b409SSimon J. Gerraty * 1419*0957b409SSimon J. Gerraty * \see br_rsa_keygen 1420*0957b409SSimon J. Gerraty * 1421*0957b409SSimon J. Gerraty * \param rng_ctx source PRNG context (already initialized) 1422*0957b409SSimon J. Gerraty * \param sk RSA private key structure (destination) 1423*0957b409SSimon J. Gerraty * \param kbuf_priv buffer for private key elements 1424*0957b409SSimon J. Gerraty * \param pk RSA public key structure (destination), or `NULL` 1425*0957b409SSimon J. Gerraty * \param kbuf_pub buffer for public key elements, or `NULL` 1426*0957b409SSimon J. Gerraty * \param size target RSA modulus size (in bits) 1427*0957b409SSimon J. Gerraty * \param pubexp public exponent to use, or zero 1428*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error (invalid parameters) 1429*0957b409SSimon J. Gerraty */ 1430*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_keygen( 1431*0957b409SSimon J. Gerraty const br_prng_class **rng_ctx, 1432*0957b409SSimon J. Gerraty br_rsa_private_key *sk, void *kbuf_priv, 1433*0957b409SSimon J. Gerraty br_rsa_public_key *pk, void *kbuf_pub, 1434*0957b409SSimon J. Gerraty unsigned size, uint32_t pubexp); 1435*0957b409SSimon J. Gerraty 1436*0957b409SSimon J. Gerraty /** 1437*0957b409SSimon J. Gerraty * \brief RSA key pair generation with the "i62" engine. 1438*0957b409SSimon J. Gerraty * 1439*0957b409SSimon J. Gerraty * This function is defined only on architecture that offer a 64x64->128 1440*0957b409SSimon J. Gerraty * opcode. Use `br_rsa_i62_keygen_get()` to dynamically obtain a pointer 1441*0957b409SSimon J. Gerraty * to that function. 1442*0957b409SSimon J. Gerraty * 1443*0957b409SSimon J. Gerraty * \see br_rsa_keygen 1444*0957b409SSimon J. Gerraty * 1445*0957b409SSimon J. Gerraty * \param rng_ctx source PRNG context (already initialized) 1446*0957b409SSimon J. Gerraty * \param sk RSA private key structure (destination) 1447*0957b409SSimon J. Gerraty * \param kbuf_priv buffer for private key elements 1448*0957b409SSimon J. Gerraty * \param pk RSA public key structure (destination), or `NULL` 1449*0957b409SSimon J. Gerraty * \param kbuf_pub buffer for public key elements, or `NULL` 1450*0957b409SSimon J. Gerraty * \param size target RSA modulus size (in bits) 1451*0957b409SSimon J. Gerraty * \param pubexp public exponent to use, or zero 1452*0957b409SSimon J. Gerraty * \return 1 on success, 0 on error (invalid parameters) 1453*0957b409SSimon J. Gerraty */ 1454*0957b409SSimon J. Gerraty uint32_t br_rsa_i62_keygen( 1455*0957b409SSimon J. Gerraty const br_prng_class **rng_ctx, 1456*0957b409SSimon J. Gerraty br_rsa_private_key *sk, void *kbuf_priv, 1457*0957b409SSimon J. Gerraty br_rsa_public_key *pk, void *kbuf_pub, 1458*0957b409SSimon J. Gerraty unsigned size, uint32_t pubexp); 1459*0957b409SSimon J. Gerraty 1460*0957b409SSimon J. Gerraty /** 1461*0957b409SSimon J. Gerraty * \brief Get the RSA "i62" implementation (key pair generation), 1462*0957b409SSimon J. Gerraty * if available. 1463*0957b409SSimon J. Gerraty * 1464*0957b409SSimon J. Gerraty * \return the implementation, or 0. 1465*0957b409SSimon J. Gerraty */ 1466*0957b409SSimon J. Gerraty br_rsa_keygen br_rsa_i62_keygen_get(void); 1467*0957b409SSimon J. Gerraty 1468*0957b409SSimon J. Gerraty /** 1469*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (key pair generation). 1470*0957b409SSimon J. Gerraty * 1471*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (key pair generation) 1472*0957b409SSimon J. Gerraty * on the current system. 1473*0957b409SSimon J. Gerraty * 1474*0957b409SSimon J. Gerraty * \return the default implementation. 1475*0957b409SSimon J. Gerraty */ 1476*0957b409SSimon J. Gerraty br_rsa_keygen br_rsa_keygen_get_default(void); 1477*0957b409SSimon J. Gerraty 1478*0957b409SSimon J. Gerraty /** 1479*0957b409SSimon J. Gerraty * \brief Type for a modulus computing function. 1480*0957b409SSimon J. Gerraty * 1481*0957b409SSimon J. Gerraty * Such a function computes the public modulus from the private key. The 1482*0957b409SSimon J. Gerraty * encoded modulus (unsigned big-endian) is written on `n`, and the size 1483*0957b409SSimon J. Gerraty * (in bytes) is returned. If `n` is `NULL`, then the size is returned but 1484*0957b409SSimon J. Gerraty * the modulus itself is not computed. 1485*0957b409SSimon J. Gerraty * 1486*0957b409SSimon J. Gerraty * If the key size exceeds an internal limit, 0 is returned. 1487*0957b409SSimon J. Gerraty * 1488*0957b409SSimon J. Gerraty * \param n destination buffer (or `NULL`). 1489*0957b409SSimon J. Gerraty * \param sk RSA private key. 1490*0957b409SSimon J. Gerraty * \return the modulus length (in bytes), or 0. 1491*0957b409SSimon J. Gerraty */ 1492*0957b409SSimon J. Gerraty typedef size_t (*br_rsa_compute_modulus)(void *n, const br_rsa_private_key *sk); 1493*0957b409SSimon J. Gerraty 1494*0957b409SSimon J. Gerraty /** 1495*0957b409SSimon J. Gerraty * \brief Recompute RSA modulus ("i15" engine). 1496*0957b409SSimon J. Gerraty * 1497*0957b409SSimon J. Gerraty * \see br_rsa_compute_modulus 1498*0957b409SSimon J. Gerraty * 1499*0957b409SSimon J. Gerraty * \param n destination buffer (or `NULL`). 1500*0957b409SSimon J. Gerraty * \param sk RSA private key. 1501*0957b409SSimon J. Gerraty * \return the modulus length (in bytes), or 0. 1502*0957b409SSimon J. Gerraty */ 1503*0957b409SSimon J. Gerraty size_t br_rsa_i15_compute_modulus(void *n, const br_rsa_private_key *sk); 1504*0957b409SSimon J. Gerraty 1505*0957b409SSimon J. Gerraty /** 1506*0957b409SSimon J. Gerraty * \brief Recompute RSA modulus ("i31" engine). 1507*0957b409SSimon J. Gerraty * 1508*0957b409SSimon J. Gerraty * \see br_rsa_compute_modulus 1509*0957b409SSimon J. Gerraty * 1510*0957b409SSimon J. Gerraty * \param n destination buffer (or `NULL`). 1511*0957b409SSimon J. Gerraty * \param sk RSA private key. 1512*0957b409SSimon J. Gerraty * \return the modulus length (in bytes), or 0. 1513*0957b409SSimon J. Gerraty */ 1514*0957b409SSimon J. Gerraty size_t br_rsa_i31_compute_modulus(void *n, const br_rsa_private_key *sk); 1515*0957b409SSimon J. Gerraty 1516*0957b409SSimon J. Gerraty /** 1517*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (recompute modulus). 1518*0957b409SSimon J. Gerraty * 1519*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (recompute modulus) 1520*0957b409SSimon J. Gerraty * on the current system. 1521*0957b409SSimon J. Gerraty * 1522*0957b409SSimon J. Gerraty * \return the default implementation. 1523*0957b409SSimon J. Gerraty */ 1524*0957b409SSimon J. Gerraty br_rsa_compute_modulus br_rsa_compute_modulus_get_default(void); 1525*0957b409SSimon J. Gerraty 1526*0957b409SSimon J. Gerraty /** 1527*0957b409SSimon J. Gerraty * \brief Type for a public exponent computing function. 1528*0957b409SSimon J. Gerraty * 1529*0957b409SSimon J. Gerraty * Such a function recomputes the public exponent from the private key. 1530*0957b409SSimon J. Gerraty * 0 is returned if any of the following occurs: 1531*0957b409SSimon J. Gerraty * 1532*0957b409SSimon J. Gerraty * - Either `p` or `q` is not equal to 3 modulo 4. 1533*0957b409SSimon J. Gerraty * 1534*0957b409SSimon J. Gerraty * - The public exponent does not fit on 32 bits. 1535*0957b409SSimon J. Gerraty * 1536*0957b409SSimon J. Gerraty * - An internal limit is exceeded. 1537*0957b409SSimon J. Gerraty * 1538*0957b409SSimon J. Gerraty * - The private key is invalid in some way. 1539*0957b409SSimon J. Gerraty * 1540*0957b409SSimon J. Gerraty * For all private keys produced by the key generator functions 1541*0957b409SSimon J. Gerraty * (`br_rsa_keygen` type), this function succeeds and returns the true 1542*0957b409SSimon J. Gerraty * public exponent. The public exponent is always an odd integer greater 1543*0957b409SSimon J. Gerraty * than 1. 1544*0957b409SSimon J. Gerraty * 1545*0957b409SSimon J. Gerraty * \return the public exponent, or 0. 1546*0957b409SSimon J. Gerraty */ 1547*0957b409SSimon J. Gerraty typedef uint32_t (*br_rsa_compute_pubexp)(const br_rsa_private_key *sk); 1548*0957b409SSimon J. Gerraty 1549*0957b409SSimon J. Gerraty /** 1550*0957b409SSimon J. Gerraty * \brief Recompute RSA public exponent ("i15" engine). 1551*0957b409SSimon J. Gerraty * 1552*0957b409SSimon J. Gerraty * \see br_rsa_compute_pubexp 1553*0957b409SSimon J. Gerraty * 1554*0957b409SSimon J. Gerraty * \return the public exponent, or 0. 1555*0957b409SSimon J. Gerraty */ 1556*0957b409SSimon J. Gerraty uint32_t br_rsa_i15_compute_pubexp(const br_rsa_private_key *sk); 1557*0957b409SSimon J. Gerraty 1558*0957b409SSimon J. Gerraty /** 1559*0957b409SSimon J. Gerraty * \brief Recompute RSA public exponent ("i31" engine). 1560*0957b409SSimon J. Gerraty * 1561*0957b409SSimon J. Gerraty * \see br_rsa_compute_pubexp 1562*0957b409SSimon J. Gerraty * 1563*0957b409SSimon J. Gerraty * \return the public exponent, or 0. 1564*0957b409SSimon J. Gerraty */ 1565*0957b409SSimon J. Gerraty uint32_t br_rsa_i31_compute_pubexp(const br_rsa_private_key *sk); 1566*0957b409SSimon J. Gerraty 1567*0957b409SSimon J. Gerraty /** 1568*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (recompute public exponent). 1569*0957b409SSimon J. Gerraty * 1570*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (recompute public 1571*0957b409SSimon J. Gerraty * exponent) on the current system. 1572*0957b409SSimon J. Gerraty * 1573*0957b409SSimon J. Gerraty * \return the default implementation. 1574*0957b409SSimon J. Gerraty */ 1575*0957b409SSimon J. Gerraty br_rsa_compute_pubexp br_rsa_compute_pubexp_get_default(void); 1576*0957b409SSimon J. Gerraty 1577*0957b409SSimon J. Gerraty /** 1578*0957b409SSimon J. Gerraty * \brief Type for a private exponent computing function. 1579*0957b409SSimon J. Gerraty * 1580*0957b409SSimon J. Gerraty * An RSA private key (`br_rsa_private_key`) contains two reduced 1581*0957b409SSimon J. Gerraty * private exponents, which are sufficient to perform private key 1582*0957b409SSimon J. Gerraty * operations. However, standard encoding formats for RSA private keys 1583*0957b409SSimon J. Gerraty * require also a copy of the complete private exponent (non-reduced), 1584*0957b409SSimon J. Gerraty * which this function recomputes. 1585*0957b409SSimon J. Gerraty * 1586*0957b409SSimon J. Gerraty * This function suceeds if all the following conditions hold: 1587*0957b409SSimon J. Gerraty * 1588*0957b409SSimon J. Gerraty * - Both private factors `p` and `q` are equal to 3 modulo 4. 1589*0957b409SSimon J. Gerraty * 1590*0957b409SSimon J. Gerraty * - The provided public exponent `pubexp` is correct, and, in particular, 1591*0957b409SSimon J. Gerraty * is odd, relatively prime to `p-1` and `q-1`, and greater than 1. 1592*0957b409SSimon J. Gerraty * 1593*0957b409SSimon J. Gerraty * - No internal storage limit is exceeded. 1594*0957b409SSimon J. Gerraty * 1595*0957b409SSimon J. Gerraty * For all private keys produced by the key generator functions 1596*0957b409SSimon J. Gerraty * (`br_rsa_keygen` type), this function succeeds. Note that the API 1597*0957b409SSimon J. Gerraty * restricts the public exponent to a maximum size of 32 bits. 1598*0957b409SSimon J. Gerraty * 1599*0957b409SSimon J. Gerraty * The encoded private exponent is written in `d` (unsigned big-endian 1600*0957b409SSimon J. Gerraty * convention), and the length (in bytes) is returned. If `d` is `NULL`, 1601*0957b409SSimon J. Gerraty * then the exponent is not written anywhere, but the length is still 1602*0957b409SSimon J. Gerraty * returned. On error, 0 is returned. 1603*0957b409SSimon J. Gerraty * 1604*0957b409SSimon J. Gerraty * Not all error conditions are detected when `d` is `NULL`; therefore, the 1605*0957b409SSimon J. Gerraty * returned value shall be checked also when actually producing the value. 1606*0957b409SSimon J. Gerraty * 1607*0957b409SSimon J. Gerraty * \param d destination buffer (or `NULL`). 1608*0957b409SSimon J. Gerraty * \param sk RSA private key. 1609*0957b409SSimon J. Gerraty * \param pubexp the public exponent. 1610*0957b409SSimon J. Gerraty * \return the private exponent length (in bytes), or 0. 1611*0957b409SSimon J. Gerraty */ 1612*0957b409SSimon J. Gerraty typedef size_t (*br_rsa_compute_privexp)(void *d, 1613*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, uint32_t pubexp); 1614*0957b409SSimon J. Gerraty 1615*0957b409SSimon J. Gerraty /** 1616*0957b409SSimon J. Gerraty * \brief Recompute RSA private exponent ("i15" engine). 1617*0957b409SSimon J. Gerraty * 1618*0957b409SSimon J. Gerraty * \see br_rsa_compute_privexp 1619*0957b409SSimon J. Gerraty * 1620*0957b409SSimon J. Gerraty * \param d destination buffer (or `NULL`). 1621*0957b409SSimon J. Gerraty * \param sk RSA private key. 1622*0957b409SSimon J. Gerraty * \param pubexp the public exponent. 1623*0957b409SSimon J. Gerraty * \return the private exponent length (in bytes), or 0. 1624*0957b409SSimon J. Gerraty */ 1625*0957b409SSimon J. Gerraty size_t br_rsa_i15_compute_privexp(void *d, 1626*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, uint32_t pubexp); 1627*0957b409SSimon J. Gerraty 1628*0957b409SSimon J. Gerraty /** 1629*0957b409SSimon J. Gerraty * \brief Recompute RSA private exponent ("i31" engine). 1630*0957b409SSimon J. Gerraty * 1631*0957b409SSimon J. Gerraty * \see br_rsa_compute_privexp 1632*0957b409SSimon J. Gerraty * 1633*0957b409SSimon J. Gerraty * \param d destination buffer (or `NULL`). 1634*0957b409SSimon J. Gerraty * \param sk RSA private key. 1635*0957b409SSimon J. Gerraty * \param pubexp the public exponent. 1636*0957b409SSimon J. Gerraty * \return the private exponent length (in bytes), or 0. 1637*0957b409SSimon J. Gerraty */ 1638*0957b409SSimon J. Gerraty size_t br_rsa_i31_compute_privexp(void *d, 1639*0957b409SSimon J. Gerraty const br_rsa_private_key *sk, uint32_t pubexp); 1640*0957b409SSimon J. Gerraty 1641*0957b409SSimon J. Gerraty /** 1642*0957b409SSimon J. Gerraty * \brief Get "default" RSA implementation (recompute private exponent). 1643*0957b409SSimon J. Gerraty * 1644*0957b409SSimon J. Gerraty * This returns the preferred implementation of RSA (recompute private 1645*0957b409SSimon J. Gerraty * exponent) on the current system. 1646*0957b409SSimon J. Gerraty * 1647*0957b409SSimon J. Gerraty * \return the default implementation. 1648*0957b409SSimon J. Gerraty */ 1649*0957b409SSimon J. Gerraty br_rsa_compute_privexp br_rsa_compute_privexp_get_default(void); 1650*0957b409SSimon J. Gerraty 1651*0957b409SSimon J. Gerraty #ifdef __cplusplus 1652*0957b409SSimon J. Gerraty } 1653*0957b409SSimon J. Gerraty #endif 1654*0957b409SSimon J. Gerraty 1655*0957b409SSimon J. Gerraty #endif 1656