CoCalc -- bearssl

GitHub Repository: freebsd/freebsd-src
Path: blob/main/contrib/bearssl/inc/bearssl_rsa.h
³⁹⁵⁸⁶ views
1
/*
2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining 
5
 * a copy of this software and associated documentation files (the
6
 * "Software"), to deal in the Software without restriction, including
7
 * without limitation the rights to use, copy, modify, merge, publish,
8
 * distribute, sublicense, and/or sell copies of the Software, and to
9
 * permit persons to whom the Software is furnished to do so, subject to
10
 * the following conditions:
11
 *
12
 * The above copyright notice and this permission notice shall be 
13
 * included in all copies or substantial portions of the Software.
14
 *
15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22
 * SOFTWARE.
23
 */
24

25
#ifndef BR_BEARSSL_RSA_H__
26
#define BR_BEARSSL_RSA_H__
27

28
#include <stddef.h>
29
#include <stdint.h>
30

31
#include "bearssl_hash.h"
32
#include "bearssl_rand.h"
33

34
#ifdef __cplusplus
35
extern "C" {
36
#endif
37

38
/** \file bearssl_rsa.h
39
 *
40
 * # RSA
41
 *
42
 * This file documents the RSA implementations provided with BearSSL.
43
 * Note that the SSL engine accesses these implementations through a
44
 * configurable API, so it is possible to, for instance, run a SSL
45
 * server which uses a RSA engine which is not based on this code.
46
 *
47
 * ## Key Elements
48
 *
49
 * RSA public and private keys consist in lists of big integers. All
50
 * such integers are represented with big-endian unsigned notation:
51
 * first byte is the most significant, and the value is positive (so
52
 * there is no dedicated "sign bit"). Public and private key structures
53
 * thus contain, for each such integer, a pointer to the first value byte
54
 * (`unsigned char *`), and a length (`size_t`) which is the number of
55
 * relevant bytes. As a general rule, minimal-length encoding is not
56
 * enforced: values may have extra leading bytes of value 0.
57
 *
58
 * RSA public keys consist in two integers:
59
 *
60
 *   - the modulus (`n`);
61
 *   - the public exponent (`e`).
62
 *
63
 * RSA private keys, as defined in
64
 * [PKCS#1](https://tools.ietf.org/html/rfc3447), contain eight integers:
65
 *
66
 *   - the modulus (`n`);
67
 *   - the public exponent (`e`);
68
 *   - the private exponent (`d`);
69
 *   - the first prime factor (`p`);
70
 *   - the second prime factor (`q`);
71
 *   - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
72
 *   - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
73
 *   - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
74
 *
75
 * However, the implementations defined in BearSSL use only five of
76
 * these integers: `p`, `q`, `dp`, `dq` and `iq`.
77
 *
78
 * ## Security Features and Limitations
79
 *
80
 * The implementations contained in BearSSL have the following limitations
81
 * and features:
82
 *
83
 *   - They are constant-time. This means that the execution time and
84
 *     memory access pattern may depend on the _lengths_ of the private
85
 *     key components, but not on their value, nor on the value of
86
 *     the operand. Note that this property is not achieved through
87
 *     random masking, but "true" constant-time code.
88
 *
89
 *   - They support only private keys with two prime factors. RSA private
90
 *     keys with three or more prime factors are nominally supported, but
91
 *     rarely used; they may offer faster operations, at the expense of
92
 *     more code and potentially a reduction in security if there are
93
 *     "too many" prime factors.
94
 *
95
 *   - The public exponent may have arbitrary length. Of course, it is
96
 *     a good idea to keep public exponents small, so that public key
97
 *     operations are fast; but, contrary to some widely deployed
98
 *     implementations, BearSSL has no problem with public exponents
99
 *     longer than 32 bits.
100
 *
101
 *   - The two prime factors of the modulus need not have the same length
102
 *     (but severely imbalanced factor lengths might reduce security).
103
 *     Similarly, there is no requirement that the first factor (`p`)
104
 *     be greater than the second factor (`q`).
105
 *
106
 *   - Prime factors and modulus must be smaller than a compile-time limit.
107
 *     This is made necessary by the use of fixed-size stack buffers, and
108
 *     the limit has been adjusted to keep stack usage under 2 kB for the
109
 *     RSA operations. Currently, the maximum modulus size is 4096 bits,
110
 *     and the maximum prime factor size is 2080 bits.
111
 *
112
 *   - The RSA functions themselves do not enforce lower size limits,
113
 *     except that which is absolutely necessary for the operation to
114
 *     mathematically make sense (e.g. a PKCS#1 v1.5 signature with
115
 *     SHA-1 requires a modulus of at least 361 bits). It is up to users
116
 *     of this code to enforce size limitations when appropriate (e.g.
117
 *     the X.509 validation engine, by default, rejects RSA keys of
118
 *     less than 1017 bits).
119
 *
120
 *   - Within the size constraints expressed above, arbitrary bit lengths
121
 *     are supported. There is no requirement that prime factors or
122
 *     modulus have a size multiple of 8 or 16.
123
 *
124
 *   - When verifying PKCS#1 v1.5 signatures, both variants of the hash
125
 *     function identifying header (with and without the ASN.1 NULL) are
126
 *     supported. When producing such signatures, the variant with the
127
 *     ASN.1 NULL is used.
128
 *
129
 * ## Implementations
130
 *
131
 * Three RSA implementations are included:
132
 *
133
 *   - The **i32** implementation internally represents big integers
134
 *     as arrays of 32-bit integers. It is perfunctory and portable,
135
 *     but not very efficient.
136
 *
137
 *   - The **i31** implementation uses 32-bit integers, each containing
138
 *     31 bits worth of integer data. The i31 implementation is somewhat
139
 *     faster than the i32 implementation (the reduced integer size makes
140
 *     carry propagation easier) for a similar code footprint, but uses
141
 *     very slightly larger stack buffers (about 4% bigger).
142
 *
143
 *   - The **i62** implementation is similar to the i31 implementation,
144
 *     except that it internally leverages the 64x64->128 multiplication
145
 *     opcode. This implementation is available only on architectures
146
 *     where such an opcode exists. It is much faster than i31.
147
 *
148
 *   - The **i15** implementation uses 16-bit integers, each containing
149
 *     15 bits worth of integer data. Multiplication results fit on
150
 *     32 bits, so this won't use the "widening" multiplication routine
151
 *     on ARM Cortex M0/M0+, for much better performance and constant-time
152
 *     execution.
153
 */
154

155
/**
156
 * \brief RSA public key.
157
 *
158
 * The structure references the modulus and the public exponent. Both
159
 * integers use unsigned big-endian representation; extra leading bytes
160
 * of value 0 are allowed.
161
 */
162
typedef struct {
163
	/** \brief Modulus. */
164
	unsigned char *n;
165
	/** \brief Modulus length (in bytes). */
166
	size_t nlen;
167
	/** \brief Public exponent. */
168
	unsigned char *e;
169
	/** \brief Public exponent length (in bytes). */
170
	size_t elen;
171
} br_rsa_public_key;
172

173
/**
174
 * \brief RSA private key.
175
 *
176
 * The structure references the private factors, reduced private
177
 * exponents, and CRT coefficient. It also contains the bit length of
178
 * the modulus. The big integers use unsigned big-endian representation;
179
 * extra leading bytes of value 0 are allowed. However, the modulus bit
180
 * length (`n_bitlen`) MUST be exact.
181
 */
182
typedef struct {
183
	/** \brief Modulus bit length (in bits, exact value). */
184
	uint32_t n_bitlen;
185
	/** \brief First prime factor. */
186
	unsigned char *p;
187
	/** \brief First prime factor length (in bytes). */
188
	size_t plen;
189
	/** \brief Second prime factor. */
190
	unsigned char *q;
191
	/** \brief Second prime factor length (in bytes). */
192
	size_t qlen;
193
	/** \brief First reduced private exponent. */
194
	unsigned char *dp;
195
	/** \brief First reduced private exponent length (in bytes). */
196
	size_t dplen;
197
	/** \brief Second reduced private exponent. */
198
	unsigned char *dq;
199
	/** \brief Second reduced private exponent length (in bytes). */
200
	size_t dqlen;
201
	/** \brief CRT coefficient. */
202
	unsigned char *iq;
203
	/** \brief CRT coefficient length (in bytes). */
204
	size_t iqlen;
205
} br_rsa_private_key;
206

207
/**
208
 * \brief Type for a RSA public key engine.
209
 *
210
 * The public key engine performs the modular exponentiation of the
211
 * provided value with the public exponent. The value is modified in
212
 * place.
213
 *
214
 * The value length (`xlen`) is verified to have _exactly_ the same
215
 * length as the modulus (actual modulus length, without extra leading
216
 * zeros in the modulus representation in memory). If the length does
217
 * not match, then this function returns 0 and `x[]` is unmodified.
218
 * 
219
 * It `xlen` is correct, then `x[]` is modified. Returned value is 1
220
 * on success, 0 on error. Error conditions include an oversized `x[]`
221
 * (the array has the same length as the modulus, but the numerical value
222
 * is not lower than the modulus) and an invalid modulus (e.g. an even
223
 * integer). If an error is reported, then the new contents of `x[]` are
224
 * unspecified.
225
 *
226
 * \param x      operand to exponentiate.
227
 * \param xlen   length of the operand (in bytes).
228
 * \param pk     RSA public key.
229
 * \return  1 on success, 0 on error.
230
 */
231
typedef uint32_t (*br_rsa_public)(unsigned char *x, size_t xlen,
232
	const br_rsa_public_key *pk);
233

234
/**
235
 * \brief Type for a RSA signature verification engine (PKCS#1 v1.5).
236
 *
237
 * Parameters are:
238
 *
239
 *   - The signature itself. The provided array is NOT modified.
240
 *
241
 *   - The encoded OID for the hash function. The provided array must begin
242
 *     with a single byte that contains the length of the OID value (in
243
 *     bytes), followed by exactly that many bytes. This parameter may
244
 *     also be `NULL`, in which case the raw hash value should be used
245
 *     with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
246
 *     to TLS-1.1, with a 36-byte hash value).
247
 *
248
 *   - The hash output length, in bytes.
249
 *
250
 *   - The public key.
251
 *
252
 *   - An output buffer for the hash value. The caller must still compare
253
 *     it with the hash of the data over which the signature is computed.
254
 *
255
 * **Constraints:**
256
 *
257
 *   - Hash length MUST be no more than 64 bytes.
258
 *
259
 *   - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
260
 *     must have a value in the 0..32 range, inclusive).
261
 *
262
 * This function verifies that the signature length (`xlen`) matches the
263
 * modulus length (this function returns 0 on mismatch). If the modulus
264
 * size exceeds the maximum supported RSA size, then the function also
265
 * returns 0.
266
 *
267
 * Returned value is 1 on success, 0 on error.
268
 *
269
 * Implementations of this type need not be constant-time.
270
 *
271
 * \param x          signature buffer.
272
 * \param xlen       signature length (in bytes).
273
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
274
 * \param hash_len   expected hash value length (in bytes).
275
 * \param pk         RSA public key.
276
 * \param hash_out   output buffer for the hash value.
277
 * \return  1 on success, 0 on error.
278
 */
279
typedef uint32_t (*br_rsa_pkcs1_vrfy)(const unsigned char *x, size_t xlen,
280
	const unsigned char *hash_oid, size_t hash_len,
281
	const br_rsa_public_key *pk, unsigned char *hash_out);
282

283
/**
284
 * \brief Type for a RSA signature verification engine (PSS).
285
 *
286
 * Parameters are:
287
 *
288
 *   - The signature itself. The provided array is NOT modified.
289
 *
290
 *   - The hash function which was used to hash the message.
291
 *
292
 *   - The hash function to use with MGF1 within the PSS padding. This
293
 *     is not necessarily the same hash function as the one which was
294
 *     used to hash the signed message.
295
 *
296
 *   - The hashed message (as an array of bytes).
297
 *
298
 *   - The PSS salt length (in bytes).
299
 *
300
 *   - The public key.
301
 *
302
 * **Constraints:**
303
 *
304
 *   - Hash message length MUST be no more than 64 bytes.
305
 *
306
 * Note that, contrary to PKCS#1 v1.5 signature, the hash value of the
307
 * signed data cannot be extracted from the signature; it must be
308
 * provided to the verification function.
309
 *
310
 * This function verifies that the signature length (`xlen`) matches the
311
 * modulus length (this function returns 0 on mismatch). If the modulus
312
 * size exceeds the maximum supported RSA size, then the function also
313
 * returns 0.
314
 *
315
 * Returned value is 1 on success, 0 on error.
316
 *
317
 * Implementations of this type need not be constant-time.
318
 *
319
 * \param x          signature buffer.
320
 * \param xlen       signature length (in bytes).
321
 * \param hf_data    hash function applied on the message.
322
 * \param hf_mgf1    hash function to use with MGF1.
323
 * \param hash       hash value of the signed message.
324
 * \param salt_len   PSS salt length (in bytes).
325
 * \param pk         RSA public key.
326
 * \return  1 on success, 0 on error.
327
 */
328
typedef uint32_t (*br_rsa_pss_vrfy)(const unsigned char *x, size_t xlen,
329
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 
330
	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
331

332
/**
333
 * \brief Type for a RSA encryption engine (OAEP).
334
 *
335
 * Parameters are:
336
 *
337
 *   - A source of random bytes. The source must be already initialized.
338
 *
339
 *   - A hash function, used internally with the mask generation function
340
 *     (MGF1).
341
 *
342
 *   - A label. The `label` pointer may be `NULL` if `label_len` is zero
343
 *     (an empty label, which is the default in PKCS#1 v2.2).
344
 *
345
 *   - The public key.
346
 *
347
 *   - The destination buffer. Its maximum length (in bytes) is provided;
348
 *     if that length is lower than the public key length, then an error
349
 *     is reported.
350
 *
351
 *   - The source message.
352
 *
353
 * The encrypted message output has exactly the same length as the modulus
354
 * (mathematical length, in bytes, not counting extra leading zeros in the
355
 * modulus representation in the public key).
356
 *
357
 * The source message (`src`, length `src_len`) may overlap with the
358
 * destination buffer (`dst`, length `dst_max_len`).
359
 *
360
 * This function returns the actual encrypted message length, in bytes;
361
 * on error, zero is returned. An error is reported if the output buffer
362
 * is not large enough, or the public is invalid, or the public key
363
 * modulus exceeds the maximum supported RSA size.
364
 *
365
 * \param rnd           source of random bytes.
366
 * \param dig           hash function to use with MGF1.
367
 * \param label         label value (may be `NULL` if `label_len` is zero).
368
 * \param label_len     label length, in bytes.
369
 * \param pk            RSA public key.
370
 * \param dst           destination buffer.
371
 * \param dst_max_len   destination buffer length (maximum encrypted data size).
372
 * \param src           message to encrypt.
373
 * \param src_len       source message length (in bytes).
374
 * \return  encrypted message length (in bytes), or 0 on error.
375
 */
376
typedef size_t (*br_rsa_oaep_encrypt)(
377
	const br_prng_class **rnd, const br_hash_class *dig,
378
	const void *label, size_t label_len,
379
	const br_rsa_public_key *pk,
380
	void *dst, size_t dst_max_len,
381
	const void *src, size_t src_len);
382

383
/**
384
 * \brief Type for a RSA private key engine.
385
 *
386
 * The `x[]` buffer is modified in place, and its length is inferred from
387
 * the modulus length (`x[]` is assumed to have a length of
388
 * `(sk->n_bitlen+7)/8` bytes).
389
 *
390
 * Returned value is 1 on success, 0 on error.
391
 *
392
 * \param x    operand to exponentiate.
393
 * \param sk   RSA private key.
394
 * \return  1 on success, 0 on error.
395
 */
396
typedef uint32_t (*br_rsa_private)(unsigned char *x,
397
	const br_rsa_private_key *sk);
398

399
/**
400
 * \brief Type for a RSA signature generation engine (PKCS#1 v1.5).
401
 *
402
 * Parameters are:
403
 *
404
 *   - The encoded OID for the hash function. The provided array must begin
405
 *     with a single byte that contains the length of the OID value (in
406
 *     bytes), followed by exactly that many bytes. This parameter may
407
 *     also be `NULL`, in which case the raw hash value should be used
408
 *     with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
409
 *     to TLS-1.1, with a 36-byte hash value).
410
 *
411
 *   - The hash value computes over the data to sign (its length is
412
 *     expressed in bytes).
413
 *
414
 *   - The RSA private key.
415
 *
416
 *   - The output buffer, that receives the signature.
417
 *
418
 * Returned value is 1 on success, 0 on error. Error conditions include
419
 * a too small modulus for the provided hash OID and value, or some
420
 * invalid key parameters. The signature length is exactly
421
 * `(sk->n_bitlen+7)/8` bytes.
422
 *
423
 * This function is expected to be constant-time with regards to the
424
 * private key bytes (lengths of the modulus and the individual factors
425
 * may leak, though) and to the hashed data.
426
 *
427
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
428
 * \param hash       hash value.
429
 * \param hash_len   hash value length (in bytes).
430
 * \param sk         RSA private key.
431
 * \param x          output buffer for the signature value.
432
 * \return  1 on success, 0 on error.
433
 */
434
typedef uint32_t (*br_rsa_pkcs1_sign)(const unsigned char *hash_oid,
435
	const unsigned char *hash, size_t hash_len,
436
	const br_rsa_private_key *sk, unsigned char *x);
437

438
/**
439
 * \brief Type for a RSA signature generation engine (PSS).
440
 *
441
 * Parameters are:
442
 *
443
 *   - An initialized PRNG for salt generation. If the salt length is
444
 *     zero (`salt_len` parameter), then the PRNG is optional (this is
445
 *     not the typical case, as the security proof of RSA/PSS is
446
 *     tighter when a non-empty salt is used).
447
 *
448
 *   - The hash function which was used to hash the message.
449
 *
450
 *   - The hash function to use with MGF1 within the PSS padding. This
451
 *     is not necessarily the same function as the one used to hash the
452
 *     message.
453
 *
454
 *   - The hashed message.
455
 *
456
 *   - The salt length, in bytes.
457
 *
458
 *   - The RSA private key.
459
 *
460
 *   - The output buffer, that receives the signature.
461
 *
462
 * Returned value is 1 on success, 0 on error. Error conditions include
463
 * a too small modulus for the provided hash and salt lengths, or some
464
 * invalid key parameters. The signature length is exactly
465
 * `(sk->n_bitlen+7)/8` bytes.
466
 *
467
 * This function is expected to be constant-time with regards to the
468
 * private key bytes (lengths of the modulus and the individual factors
469
 * may leak, though) and to the hashed data.
470
 *
471
 * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
472
 * \param hf_data    hash function used to hash the signed data.
473
 * \param hf_mgf1    hash function to use with MGF1.
474
 * \param hash       hashed message.
475
 * \param salt_len   salt length (in bytes).
476
 * \param sk         RSA private key.
477
 * \param x          output buffer for the signature value.
478
 * \return  1 on success, 0 on error.
479
 */
480
typedef uint32_t (*br_rsa_pss_sign)(const br_prng_class **rng,
481
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
482
	const unsigned char *hash_value, size_t salt_len,
483
	const br_rsa_private_key *sk, unsigned char *x);
484

485
/**
486
 * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
487
 */
488
#define BR_HASH_OID_SHA1     \
489
	((const unsigned char *)"\x05\x2B\x0E\x03\x02\x1A")
490

491
/**
492
 * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
493
 */
494
#define BR_HASH_OID_SHA224   \
495
	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04")
496

497
/**
498
 * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
499
 */
500
#define BR_HASH_OID_SHA256   \
501
	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01")
502

503
/**
504
 * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
505
 */
506
#define BR_HASH_OID_SHA384   \
507
	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02")
508

509
/**
510
 * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
511
 */
512
#define BR_HASH_OID_SHA512   \
513
	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03")
514

515
/**
516
 * \brief Type for a RSA decryption engine (OAEP).
517
 *
518
 * Parameters are:
519
 *
520
 *   - A hash function, used internally with the mask generation function
521
 *     (MGF1).
522
 *
523
 *   - A label. The `label` pointer may be `NULL` if `label_len` is zero
524
 *     (an empty label, which is the default in PKCS#1 v2.2).
525
 *
526
 *   - The private key.
527
 *
528
 *   - The source and destination buffer. The buffer initially contains
529
 *     the encrypted message; the buffer contents are altered, and the
530
 *     decrypted message is written at the start of that buffer
531
 *     (decrypted message is always shorter than the encrypted message).
532
 *
533
 * If decryption fails in any way, then `*len` is unmodified, and the
534
 * function returns 0. Otherwise, `*len` is set to the decrypted message
535
 * length, and 1 is returned. The implementation is responsible for
536
 * checking that the input message length matches the key modulus length,
537
 * and that the padding is correct.
538
 *
539
 * Implementations MUST use constant-time check of the validity of the
540
 * OAEP padding, at least until the leading byte and hash value have
541
 * been checked. Whether overall decryption worked, and the length of
542
 * the decrypted message, may leak.
543
 *
544
 * \param dig         hash function to use with MGF1.
545
 * \param label       label value (may be `NULL` if `label_len` is zero).
546
 * \param label_len   label length, in bytes.
547
 * \param sk          RSA private key.
548
 * \param data        input/output buffer.
549
 * \param len         encrypted/decrypted message length.
550
 * \return  1 on success, 0 on error.
551
 */
552
typedef uint32_t (*br_rsa_oaep_decrypt)(
553
	const br_hash_class *dig, const void *label, size_t label_len,
554
	const br_rsa_private_key *sk, void *data, size_t *len);
555

556
/*
557
 * RSA "i32" engine. Integers are internally represented as arrays of
558
 * 32-bit integers, and the core multiplication primitive is the
559
 * 32x32->64 multiplication.
560
 */
561

562
/**
563
 * \brief RSA public key engine "i32".
564
 *
565
 * \see br_rsa_public
566
 *
567
 * \param x      operand to exponentiate.
568
 * \param xlen   length of the operand (in bytes).
569
 * \param pk     RSA public key.
570
 * \return  1 on success, 0 on error.
571
 */
572
uint32_t br_rsa_i32_public(unsigned char *x, size_t xlen,
573
	const br_rsa_public_key *pk);
574

575
/**
576
 * \brief RSA signature verification engine "i32" (PKCS#1 v1.5 signatures).
577
 *
578
 * \see br_rsa_pkcs1_vrfy
579
 *
580
 * \param x          signature buffer.
581
 * \param xlen       signature length (in bytes).
582
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
583
 * \param hash_len   expected hash value length (in bytes).
584
 * \param pk         RSA public key.
585
 * \param hash_out   output buffer for the hash value.
586
 * \return  1 on success, 0 on error.
587
 */
588
uint32_t br_rsa_i32_pkcs1_vrfy(const unsigned char *x, size_t xlen,
589
	const unsigned char *hash_oid, size_t hash_len,
590
	const br_rsa_public_key *pk, unsigned char *hash_out);
591

592
/**
593
 * \brief RSA signature verification engine "i32" (PSS signatures).
594
 *
595
 * \see br_rsa_pss_vrfy
596
 *
597
 * \param x          signature buffer.
598
 * \param xlen       signature length (in bytes).
599
 * \param hf_data    hash function applied on the message.
600
 * \param hf_mgf1    hash function to use with MGF1.
601
 * \param hash       hash value of the signed message.
602
 * \param salt_len   PSS salt length (in bytes).
603
 * \param pk         RSA public key.
604
 * \return  1 on success, 0 on error.
605
 */
606
uint32_t br_rsa_i32_pss_vrfy(const unsigned char *x, size_t xlen,
607
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 
608
	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
609

610
/**
611
 * \brief RSA private key engine "i32".
612
 *
613
 * \see br_rsa_private
614
 *
615
 * \param x    operand to exponentiate.
616
 * \param sk   RSA private key.
617
 * \return  1 on success, 0 on error.
618
 */
619
uint32_t br_rsa_i32_private(unsigned char *x,
620
	const br_rsa_private_key *sk);
621

622
/**
623
 * \brief RSA signature generation engine "i32" (PKCS#1 v1.5 signatures).
624
 *
625
 * \see br_rsa_pkcs1_sign
626
 *
627
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
628
 * \param hash       hash value.
629
 * \param hash_len   hash value length (in bytes).
630
 * \param sk         RSA private key.
631
 * \param x          output buffer for the hash value.
632
 * \return  1 on success, 0 on error.
633
 */
634
uint32_t br_rsa_i32_pkcs1_sign(const unsigned char *hash_oid,
635
	const unsigned char *hash, size_t hash_len,
636
	const br_rsa_private_key *sk, unsigned char *x);
637

638
/**
639
 * \brief RSA signature generation engine "i32" (PSS signatures).
640
 *
641
 * \see br_rsa_pss_sign
642
 *
643
 * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
644
 * \param hf_data    hash function used to hash the signed data.
645
 * \param hf_mgf1    hash function to use with MGF1.
646
 * \param hash       hashed message.
647
 * \param salt_len   salt length (in bytes).
648
 * \param sk         RSA private key.
649
 * \param x          output buffer for the signature value.
650
 * \return  1 on success, 0 on error.
651
 */
652
uint32_t br_rsa_i32_pss_sign(const br_prng_class **rng,
653
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
654
	const unsigned char *hash_value, size_t salt_len,
655
	const br_rsa_private_key *sk, unsigned char *x);
656

657
/*
658
 * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
659
 * word. This uses slightly more stack space (about 4% more) and code
660
 * space, but it quite faster.
661
 */
662

663
/**
664
 * \brief RSA public key engine "i31".
665
 *
666
 * \see br_rsa_public
667
 *
668
 * \param x      operand to exponentiate.
669
 * \param xlen   length of the operand (in bytes).
670
 * \param pk     RSA public key.
671
 * \return  1 on success, 0 on error.
672
 */
673
uint32_t br_rsa_i31_public(unsigned char *x, size_t xlen,
674
	const br_rsa_public_key *pk);
675

676
/**
677
 * \brief RSA signature verification engine "i31" (PKCS#1 v1.5 signatures).
678
 *
679
 * \see br_rsa_pkcs1_vrfy
680
 *
681
 * \param x          signature buffer.
682
 * \param xlen       signature length (in bytes).
683
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
684
 * \param hash_len   expected hash value length (in bytes).
685
 * \param pk         RSA public key.
686
 * \param hash_out   output buffer for the hash value.
687
 * \return  1 on success, 0 on error.
688
 */
689
uint32_t br_rsa_i31_pkcs1_vrfy(const unsigned char *x, size_t xlen,
690
	const unsigned char *hash_oid, size_t hash_len,
691
	const br_rsa_public_key *pk, unsigned char *hash_out);
692

693
/**
694
 * \brief RSA signature verification engine "i31" (PSS signatures).
695
 *
696
 * \see br_rsa_pss_vrfy
697
 *
698
 * \param x          signature buffer.
699
 * \param xlen       signature length (in bytes).
700
 * \param hf_data    hash function applied on the message.
701
 * \param hf_mgf1    hash function to use with MGF1.
702
 * \param hash       hash value of the signed message.
703
 * \param salt_len   PSS salt length (in bytes).
704
 * \param pk         RSA public key.
705
 * \return  1 on success, 0 on error.
706
 */
707
uint32_t br_rsa_i31_pss_vrfy(const unsigned char *x, size_t xlen,
708
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 
709
	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
710

711
/**
712
 * \brief RSA private key engine "i31".
713
 *
714
 * \see br_rsa_private
715
 *
716
 * \param x    operand to exponentiate.
717
 * \param sk   RSA private key.
718
 * \return  1 on success, 0 on error.
719
 */
720
uint32_t br_rsa_i31_private(unsigned char *x,
721
	const br_rsa_private_key *sk);
722

723
/**
724
 * \brief RSA signature generation engine "i31" (PKCS#1 v1.5 signatures).
725
 *
726
 * \see br_rsa_pkcs1_sign
727
 *
728
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
729
 * \param hash       hash value.
730
 * \param hash_len   hash value length (in bytes).
731
 * \param sk         RSA private key.
732
 * \param x          output buffer for the hash value.
733
 * \return  1 on success, 0 on error.
734
 */
735
uint32_t br_rsa_i31_pkcs1_sign(const unsigned char *hash_oid,
736
	const unsigned char *hash, size_t hash_len,
737
	const br_rsa_private_key *sk, unsigned char *x);
738

739
/**
740
 * \brief RSA signature generation engine "i31" (PSS signatures).
741
 *
742
 * \see br_rsa_pss_sign
743
 *
744
 * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
745
 * \param hf_data    hash function used to hash the signed data.
746
 * \param hf_mgf1    hash function to use with MGF1.
747
 * \param hash       hashed message.
748
 * \param salt_len   salt length (in bytes).
749
 * \param sk         RSA private key.
750
 * \param x          output buffer for the signature value.
751
 * \return  1 on success, 0 on error.
752
 */
753
uint32_t br_rsa_i31_pss_sign(const br_prng_class **rng,
754
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
755
	const unsigned char *hash_value, size_t salt_len,
756
	const br_rsa_private_key *sk, unsigned char *x);
757

758
/*
759
 * RSA "i62" engine. Similar to i31, but internal multiplication use
760
 * 64x64->128 multiplications. This is available only on architecture
761
 * that offer such an opcode.
762
 */
763

764
/**
765
 * \brief RSA public key engine "i62".
766
 *
767
 * This function is defined only on architecture that offer a 64x64->128
768
 * opcode. Use `br_rsa_i62_public_get()` to dynamically obtain a pointer
769
 * to that function.
770
 *
771
 * \see br_rsa_public
772
 *
773
 * \param x      operand to exponentiate.
774
 * \param xlen   length of the operand (in bytes).
775
 * \param pk     RSA public key.
776
 * \return  1 on success, 0 on error.
777
 */
778
uint32_t br_rsa_i62_public(unsigned char *x, size_t xlen,
779
	const br_rsa_public_key *pk);
780

781
/**
782
 * \brief RSA signature verification engine "i62" (PKCS#1 v1.5 signatures).
783
 *
784
 * This function is defined only on architecture that offer a 64x64->128
785
 * opcode. Use `br_rsa_i62_pkcs1_vrfy_get()` to dynamically obtain a pointer
786
 * to that function.
787
 *
788
 * \see br_rsa_pkcs1_vrfy
789
 *
790
 * \param x          signature buffer.
791
 * \param xlen       signature length (in bytes).
792
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
793
 * \param hash_len   expected hash value length (in bytes).
794
 * \param pk         RSA public key.
795
 * \param hash_out   output buffer for the hash value.
796
 * \return  1 on success, 0 on error.
797
 */
798
uint32_t br_rsa_i62_pkcs1_vrfy(const unsigned char *x, size_t xlen,
799
	const unsigned char *hash_oid, size_t hash_len,
800
	const br_rsa_public_key *pk, unsigned char *hash_out);
801

802
/**
803
 * \brief RSA signature verification engine "i62" (PSS signatures).
804
 *
805
 * This function is defined only on architecture that offer a 64x64->128
806
 * opcode. Use `br_rsa_i62_pss_vrfy_get()` to dynamically obtain a pointer
807
 * to that function.
808
 *
809
 * \see br_rsa_pss_vrfy
810
 *
811
 * \param x          signature buffer.
812
 * \param xlen       signature length (in bytes).
813
 * \param hf_data    hash function applied on the message.
814
 * \param hf_mgf1    hash function to use with MGF1.
815
 * \param hash       hash value of the signed message.
816
 * \param salt_len   PSS salt length (in bytes).
817
 * \param pk         RSA public key.
818
 * \return  1 on success, 0 on error.
819
 */
820
uint32_t br_rsa_i62_pss_vrfy(const unsigned char *x, size_t xlen,
821
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 
822
	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
823

824
/**
825
 * \brief RSA private key engine "i62".
826
 *
827
 * This function is defined only on architecture that offer a 64x64->128
828
 * opcode. Use `br_rsa_i62_private_get()` to dynamically obtain a pointer
829
 * to that function.
830
 *
831
 * \see br_rsa_private
832
 *
833
 * \param x    operand to exponentiate.
834
 * \param sk   RSA private key.
835
 * \return  1 on success, 0 on error.
836
 */
837
uint32_t br_rsa_i62_private(unsigned char *x,
838
	const br_rsa_private_key *sk);
839

840
/**
841
 * \brief RSA signature generation engine "i62" (PKCS#1 v1.5 signatures).
842
 *
843
 * This function is defined only on architecture that offer a 64x64->128
844
 * opcode. Use `br_rsa_i62_pkcs1_sign_get()` to dynamically obtain a pointer
845
 * to that function.
846
 *
847
 * \see br_rsa_pkcs1_sign
848
 *
849
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
850
 * \param hash       hash value.
851
 * \param hash_len   hash value length (in bytes).
852
 * \param sk         RSA private key.
853
 * \param x          output buffer for the hash value.
854
 * \return  1 on success, 0 on error.
855
 */
856
uint32_t br_rsa_i62_pkcs1_sign(const unsigned char *hash_oid,
857
	const unsigned char *hash, size_t hash_len,
858
	const br_rsa_private_key *sk, unsigned char *x);
859

860
/**
861
 * \brief RSA signature generation engine "i62" (PSS signatures).
862
 *
863
 * This function is defined only on architecture that offer a 64x64->128
864
 * opcode. Use `br_rsa_i62_pss_sign_get()` to dynamically obtain a pointer
865
 * to that function.
866
 *
867
 * \see br_rsa_pss_sign
868
 *
869
 * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
870
 * \param hf_data    hash function used to hash the signed data.
871
 * \param hf_mgf1    hash function to use with MGF1.
872
 * \param hash       hashed message.
873
 * \param salt_len   salt length (in bytes).
874
 * \param sk         RSA private key.
875
 * \param x          output buffer for the signature value.
876
 * \return  1 on success, 0 on error.
877
 */
878
uint32_t br_rsa_i62_pss_sign(const br_prng_class **rng,
879
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
880
	const unsigned char *hash_value, size_t salt_len,
881
	const br_rsa_private_key *sk, unsigned char *x);
882

883
/**
884
 * \brief Get the RSA "i62" implementation (public key operations),
885
 * if available.
886
 *
887
 * \return  the implementation, or 0.
888
 */
889
br_rsa_public br_rsa_i62_public_get(void);
890

891
/**
892
 * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature verification),
893
 * if available.
894
 *
895
 * \return  the implementation, or 0.
896
 */
897
br_rsa_pkcs1_vrfy br_rsa_i62_pkcs1_vrfy_get(void);
898

899
/**
900
 * \brief Get the RSA "i62" implementation (PSS signature verification),
901
 * if available.
902
 *
903
 * \return  the implementation, or 0.
904
 */
905
br_rsa_pss_vrfy br_rsa_i62_pss_vrfy_get(void);
906

907
/**
908
 * \brief Get the RSA "i62" implementation (private key operations),
909
 * if available.
910
 *
911
 * \return  the implementation, or 0.
912
 */
913
br_rsa_private br_rsa_i62_private_get(void);
914

915
/**
916
 * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature generation),
917
 * if available.
918
 *
919
 * \return  the implementation, or 0.
920
 */
921
br_rsa_pkcs1_sign br_rsa_i62_pkcs1_sign_get(void);
922

923
/**
924
 * \brief Get the RSA "i62" implementation (PSS signature generation),
925
 * if available.
926
 *
927
 * \return  the implementation, or 0.
928
 */
929
br_rsa_pss_sign br_rsa_i62_pss_sign_get(void);
930

931
/**
932
 * \brief Get the RSA "i62" implementation (OAEP encryption),
933
 * if available.
934
 *
935
 * \return  the implementation, or 0.
936
 */
937
br_rsa_oaep_encrypt br_rsa_i62_oaep_encrypt_get(void);
938

939
/**
940
 * \brief Get the RSA "i62" implementation (OAEP decryption),
941
 * if available.
942
 *
943
 * \return  the implementation, or 0.
944
 */
945
br_rsa_oaep_decrypt br_rsa_i62_oaep_decrypt_get(void);
946

947
/*
948
 * RSA "i15" engine. Integers are represented as 15-bit integers, so
949
 * the code uses only 32-bit multiplication (no 64-bit result), which
950
 * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
951
 */
952

953
/**
954
 * \brief RSA public key engine "i15".
955
 *
956
 * \see br_rsa_public
957
 *
958
 * \param x      operand to exponentiate.
959
 * \param xlen   length of the operand (in bytes).
960
 * \param pk     RSA public key.
961
 * \return  1 on success, 0 on error.
962
 */
963
uint32_t br_rsa_i15_public(unsigned char *x, size_t xlen,
964
	const br_rsa_public_key *pk);
965

966
/**
967
 * \brief RSA signature verification engine "i15" (PKCS#1 v1.5 signatures).
968
 *
969
 * \see br_rsa_pkcs1_vrfy
970
 *
971
 * \param x          signature buffer.
972
 * \param xlen       signature length (in bytes).
973
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
974
 * \param hash_len   expected hash value length (in bytes).
975
 * \param pk         RSA public key.
976
 * \param hash_out   output buffer for the hash value.
977
 * \return  1 on success, 0 on error.
978
 */
979
uint32_t br_rsa_i15_pkcs1_vrfy(const unsigned char *x, size_t xlen,
980
	const unsigned char *hash_oid, size_t hash_len,
981
	const br_rsa_public_key *pk, unsigned char *hash_out);
982

983
/**
984
 * \brief RSA signature verification engine "i15" (PSS signatures).
985
 *
986
 * \see br_rsa_pss_vrfy
987
 *
988
 * \param x          signature buffer.
989
 * \param xlen       signature length (in bytes).
990
 * \param hf_data    hash function applied on the message.
991
 * \param hf_mgf1    hash function to use with MGF1.
992
 * \param hash       hash value of the signed message.
993
 * \param salt_len   PSS salt length (in bytes).
994
 * \param pk         RSA public key.
995
 * \return  1 on success, 0 on error.
996
 */
997
uint32_t br_rsa_i15_pss_vrfy(const unsigned char *x, size_t xlen,
998
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1, 
999
	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
1000

1001
/**
1002
 * \brief RSA private key engine "i15".
1003
 *
1004
 * \see br_rsa_private
1005
 *
1006
 * \param x    operand to exponentiate.
1007
 * \param sk   RSA private key.
1008
 * \return  1 on success, 0 on error.
1009
 */
1010
uint32_t br_rsa_i15_private(unsigned char *x,
1011
	const br_rsa_private_key *sk);
1012

1013
/**
1014
 * \brief RSA signature generation engine "i15" (PKCS#1 v1.5 signatures).
1015
 *
1016
 * \see br_rsa_pkcs1_sign
1017
 *
1018
 * \param hash_oid   encoded hash algorithm OID (or `NULL`).
1019
 * \param hash       hash value.
1020
 * \param hash_len   hash value length (in bytes).
1021
 * \param sk         RSA private key.
1022
 * \param x          output buffer for the hash value.
1023
 * \return  1 on success, 0 on error.
1024
 */
1025
uint32_t br_rsa_i15_pkcs1_sign(const unsigned char *hash_oid,
1026
	const unsigned char *hash, size_t hash_len,
1027
	const br_rsa_private_key *sk, unsigned char *x);
1028

1029
/**
1030
 * \brief RSA signature generation engine "i15" (PSS signatures).
1031
 *
1032
 * \see br_rsa_pss_sign
1033
 *
1034
 * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
1035
 * \param hf_data    hash function used to hash the signed data.
1036
 * \param hf_mgf1    hash function to use with MGF1.
1037
 * \param hash       hashed message.
1038
 * \param salt_len   salt length (in bytes).
1039
 * \param sk         RSA private key.
1040
 * \param x          output buffer for the signature value.
1041
 * \return  1 on success, 0 on error.
1042
 */
1043
uint32_t br_rsa_i15_pss_sign(const br_prng_class **rng,
1044
	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
1045
	const unsigned char *hash_value, size_t salt_len,
1046
	const br_rsa_private_key *sk, unsigned char *x);
1047

1048
/**
1049
 * \brief Get "default" RSA implementation (public-key operations).
1050
 *
1051
 * This returns the preferred implementation of RSA (public-key operations)
1052
 * on the current system.
1053
 *
1054
 * \return  the default implementation.
1055
 */
1056
br_rsa_public br_rsa_public_get_default(void);
1057

1058
/**
1059
 * \brief Get "default" RSA implementation (private-key operations).
1060
 *
1061
 * This returns the preferred implementation of RSA (private-key operations)
1062
 * on the current system.
1063
 *
1064
 * \return  the default implementation.
1065
 */
1066
br_rsa_private br_rsa_private_get_default(void);
1067

1068
/**
1069
 * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature verification).
1070
 *
1071
 * This returns the preferred implementation of RSA (signature verification)
1072
 * on the current system.
1073
 *
1074
 * \return  the default implementation.
1075
 */
1076
br_rsa_pkcs1_vrfy br_rsa_pkcs1_vrfy_get_default(void);
1077

1078
/**
1079
 * \brief Get "default" RSA implementation (PSS signature verification).
1080
 *
1081
 * This returns the preferred implementation of RSA (signature verification)
1082
 * on the current system.
1083
 *
1084
 * \return  the default implementation.
1085
 */
1086
br_rsa_pss_vrfy br_rsa_pss_vrfy_get_default(void);
1087

1088
/**
1089
 * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature generation).
1090
 *
1091
 * This returns the preferred implementation of RSA (signature generation)
1092
 * on the current system.
1093
 *
1094
 * \return  the default implementation.
1095
 */
1096
br_rsa_pkcs1_sign br_rsa_pkcs1_sign_get_default(void);
1097

1098
/**
1099
 * \brief Get "default" RSA implementation (PSS signature generation).
1100
 *
1101
 * This returns the preferred implementation of RSA (signature generation)
1102
 * on the current system.
1103
 *
1104
 * \return  the default implementation.
1105
 */
1106
br_rsa_pss_sign br_rsa_pss_sign_get_default(void);
1107

1108
/**
1109
 * \brief Get "default" RSA implementation (OAEP encryption).
1110
 *
1111
 * This returns the preferred implementation of RSA (OAEP encryption)
1112
 * on the current system.
1113
 *
1114
 * \return  the default implementation.
1115
 */
1116
br_rsa_oaep_encrypt br_rsa_oaep_encrypt_get_default(void);
1117

1118
/**
1119
 * \brief Get "default" RSA implementation (OAEP decryption).
1120
 *
1121
 * This returns the preferred implementation of RSA (OAEP decryption)
1122
 * on the current system.
1123
 *
1124
 * \return  the default implementation.
1125
 */
1126
br_rsa_oaep_decrypt br_rsa_oaep_decrypt_get_default(void);
1127

1128
/**
1129
 * \brief RSA decryption helper, for SSL/TLS.
1130
 *
1131
 * This function performs the RSA decryption for a RSA-based key exchange
1132
 * in a SSL/TLS server. The provided RSA engine is used. The `data`
1133
 * parameter points to the value to decrypt, of length `len` bytes. On
1134
 * success, the 48-byte pre-master secret is copied into `data`, starting
1135
 * at the first byte of that buffer; on error, the contents of `data`
1136
 * become indeterminate.
1137
 *
1138
 * This function first checks that the provided value length (`len`) is
1139
 * not lower than 59 bytes, and matches the RSA modulus length; if neither
1140
 * of this property is met, then this function returns 0 and the buffer
1141
 * is unmodified.
1142
 *
1143
 * Otherwise, decryption and then padding verification are performed, both
1144
 * in constant-time. A decryption error, or a bad padding, or an
1145
 * incorrect decrypted value length are reported with a returned value of
1146
 * 0; on success, 1 is returned. The caller (SSL server engine) is supposed
1147
 * to proceed with a random pre-master secret in case of error.
1148
 *
1149
 * \param core   RSA private key engine.
1150
 * \param sk     RSA private key.
1151
 * \param data   input/output buffer.
1152
 * \param len    length (in bytes) of the data to decrypt.
1153
 * \return  1 on success, 0 on error.
1154
 */
1155
uint32_t br_rsa_ssl_decrypt(br_rsa_private core, const br_rsa_private_key *sk,
1156
	unsigned char *data, size_t len);
1157

1158
/**
1159
 * \brief RSA encryption (OAEP) with the "i15" engine.
1160
 *
1161
 * \see br_rsa_oaep_encrypt
1162
 *
1163
 * \param rnd           source of random bytes.
1164
 * \param dig           hash function to use with MGF1.
1165
 * \param label         label value (may be `NULL` if `label_len` is zero).
1166
 * \param label_len     label length, in bytes.
1167
 * \param pk            RSA public key.
1168
 * \param dst           destination buffer.
1169
 * \param dst_max_len   destination buffer length (maximum encrypted data size).
1170
 * \param src           message to encrypt.
1171
 * \param src_len       source message length (in bytes).
1172
 * \return  encrypted message length (in bytes), or 0 on error.
1173
 */
1174
size_t br_rsa_i15_oaep_encrypt(
1175
	const br_prng_class **rnd, const br_hash_class *dig,
1176
	const void *label, size_t label_len,
1177
	const br_rsa_public_key *pk,
1178
	void *dst, size_t dst_max_len,
1179
	const void *src, size_t src_len);
1180

1181
/**
1182
 * \brief RSA decryption (OAEP) with the "i15" engine.
1183
 *
1184
 * \see br_rsa_oaep_decrypt
1185
 *
1186
 * \param dig         hash function to use with MGF1.
1187
 * \param label       label value (may be `NULL` if `label_len` is zero).
1188
 * \param label_len   label length, in bytes.
1189
 * \param sk          RSA private key.
1190
 * \param data        input/output buffer.
1191
 * \param len         encrypted/decrypted message length.
1192
 * \return  1 on success, 0 on error.
1193
 */
1194
uint32_t br_rsa_i15_oaep_decrypt(
1195
	const br_hash_class *dig, const void *label, size_t label_len,
1196
	const br_rsa_private_key *sk, void *data, size_t *len);
1197

1198
/**
1199
 * \brief RSA encryption (OAEP) with the "i31" engine.
1200
 *
1201
 * \see br_rsa_oaep_encrypt
1202
 *
1203
 * \param rnd           source of random bytes.
1204
 * \param dig           hash function to use with MGF1.
1205
 * \param label         label value (may be `NULL` if `label_len` is zero).
1206
 * \param label_len     label length, in bytes.
1207
 * \param pk            RSA public key.
1208
 * \param dst           destination buffer.
1209
 * \param dst_max_len   destination buffer length (maximum encrypted data size).
1210
 * \param src           message to encrypt.
1211
 * \param src_len       source message length (in bytes).
1212
 * \return  encrypted message length (in bytes), or 0 on error.
1213
 */
1214
size_t br_rsa_i31_oaep_encrypt(
1215
	const br_prng_class **rnd, const br_hash_class *dig,
1216
	const void *label, size_t label_len,
1217
	const br_rsa_public_key *pk,
1218
	void *dst, size_t dst_max_len,
1219
	const void *src, size_t src_len);
1220

1221
/**
1222
 * \brief RSA decryption (OAEP) with the "i31" engine.
1223
 *
1224
 * \see br_rsa_oaep_decrypt
1225
 *
1226
 * \param dig         hash function to use with MGF1.
1227
 * \param label       label value (may be `NULL` if `label_len` is zero).
1228
 * \param label_len   label length, in bytes.
1229
 * \param sk          RSA private key.
1230
 * \param data        input/output buffer.
1231
 * \param len         encrypted/decrypted message length.
1232
 * \return  1 on success, 0 on error.
1233
 */
1234
uint32_t br_rsa_i31_oaep_decrypt(
1235
	const br_hash_class *dig, const void *label, size_t label_len,
1236
	const br_rsa_private_key *sk, void *data, size_t *len);
1237

1238
/**
1239
 * \brief RSA encryption (OAEP) with the "i32" engine.
1240
 *
1241
 * \see br_rsa_oaep_encrypt
1242
 *
1243
 * \param rnd           source of random bytes.
1244
 * \param dig           hash function to use with MGF1.
1245
 * \param label         label value (may be `NULL` if `label_len` is zero).
1246
 * \param label_len     label length, in bytes.
1247
 * \param pk            RSA public key.
1248
 * \param dst           destination buffer.
1249
 * \param dst_max_len   destination buffer length (maximum encrypted data size).
1250
 * \param src           message to encrypt.
1251
 * \param src_len       source message length (in bytes).
1252
 * \return  encrypted message length (in bytes), or 0 on error.
1253
 */
1254
size_t br_rsa_i32_oaep_encrypt(
1255
	const br_prng_class **rnd, const br_hash_class *dig,
1256
	const void *label, size_t label_len,
1257
	const br_rsa_public_key *pk,
1258
	void *dst, size_t dst_max_len,
1259
	const void *src, size_t src_len);
1260

1261
/**
1262
 * \brief RSA decryption (OAEP) with the "i32" engine.
1263
 *
1264
 * \see br_rsa_oaep_decrypt
1265
 *
1266
 * \param dig         hash function to use with MGF1.
1267
 * \param label       label value (may be `NULL` if `label_len` is zero).
1268
 * \param label_len   label length, in bytes.
1269
 * \param sk          RSA private key.
1270
 * \param data        input/output buffer.
1271
 * \param len         encrypted/decrypted message length.
1272
 * \return  1 on success, 0 on error.
1273
 */
1274
uint32_t br_rsa_i32_oaep_decrypt(
1275
	const br_hash_class *dig, const void *label, size_t label_len,
1276
	const br_rsa_private_key *sk, void *data, size_t *len);
1277

1278
/**
1279
 * \brief RSA encryption (OAEP) with the "i62" engine.
1280
 *
1281
 * This function is defined only on architecture that offer a 64x64->128
1282
 * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer
1283
 * to that function.
1284
 *
1285
 * \see br_rsa_oaep_encrypt
1286
 *
1287
 * \param rnd           source of random bytes.
1288
 * \param dig           hash function to use with MGF1.
1289
 * \param label         label value (may be `NULL` if `label_len` is zero).
1290
 * \param label_len     label length, in bytes.
1291
 * \param pk            RSA public key.
1292
 * \param dst           destination buffer.
1293
 * \param dst_max_len   destination buffer length (maximum encrypted data size).
1294
 * \param src           message to encrypt.
1295
 * \param src_len       source message length (in bytes).
1296
 * \return  encrypted message length (in bytes), or 0 on error.
1297
 */
1298
size_t br_rsa_i62_oaep_encrypt(
1299
	const br_prng_class **rnd, const br_hash_class *dig,
1300
	const void *label, size_t label_len,
1301
	const br_rsa_public_key *pk,
1302
	void *dst, size_t dst_max_len,
1303
	const void *src, size_t src_len);
1304

1305
/**
1306
 * \brief RSA decryption (OAEP) with the "i62" engine.
1307
 *
1308
 * This function is defined only on architecture that offer a 64x64->128
1309
 * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer
1310
 * to that function.
1311
 *
1312
 * \see br_rsa_oaep_decrypt
1313
 *
1314
 * \param dig         hash function to use with MGF1.
1315
 * \param label       label value (may be `NULL` if `label_len` is zero).
1316
 * \param label_len   label length, in bytes.
1317
 * \param sk          RSA private key.
1318
 * \param data        input/output buffer.
1319
 * \param len         encrypted/decrypted message length.
1320
 * \return  1 on success, 0 on error.
1321
 */
1322
uint32_t br_rsa_i62_oaep_decrypt(
1323
	const br_hash_class *dig, const void *label, size_t label_len,
1324
	const br_rsa_private_key *sk, void *data, size_t *len);
1325

1326
/**
1327
 * \brief Get buffer size to hold RSA private key elements.
1328
 *
1329
 * This macro returns the length (in bytes) of the buffer needed to
1330
 * receive the elements of a RSA private key, as generated by one of
1331
 * the `br_rsa_*_keygen()` functions. If the provided size is a constant
1332
 * expression, then the whole macro evaluates to a constant expression.
1333
 *
1334
 * \param size   target key size (modulus size, in bits)
1335
 * \return  the length of the private key buffer, in bytes.
1336
 */
1337
#define BR_RSA_KBUF_PRIV_SIZE(size)    (5 * (((size) + 15) >> 4))
1338

1339
/**
1340
 * \brief Get buffer size to hold RSA public key elements.
1341
 *
1342
 * This macro returns the length (in bytes) of the buffer needed to
1343
 * receive the elements of a RSA public key, as generated by one of
1344
 * the `br_rsa_*_keygen()` functions. If the provided size is a constant
1345
 * expression, then the whole macro evaluates to a constant expression.
1346
 *
1347
 * \param size   target key size (modulus size, in bits)
1348
 * \return  the length of the public key buffer, in bytes.
1349
 */
1350
#define BR_RSA_KBUF_PUB_SIZE(size)     (4 + (((size) + 7) >> 3))
1351

1352
/**
1353
 * \brief Type for RSA key pair generator implementation.
1354
 *
1355
 * This function generates a new RSA key pair whose modulus has bit
1356
 * length `size` bits. The private key elements are written in the
1357
 * `kbuf_priv` buffer, and pointer values and length fields to these
1358
 * elements are populated in the provided private key structure `sk`.
1359
 * Similarly, the public key elements are written in `kbuf_pub`, with
1360
 * pointers and lengths set in `pk`.
1361
 *
1362
 * If `pk` is `NULL`, then `kbuf_pub` may be `NULL`, and only the
1363
 * private key is set.
1364
 *
1365
 * If `pubexp` is not zero, then its value will be used as public
1366
 * exponent. Valid RSA public exponent values are odd integers
1367
 * greater than 1. If `pubexp` is zero, then the public exponent will
1368
 * have value 3.
1369
 *
1370
 * The provided PRNG (`rng_ctx`) must have already been initialized
1371
 * and seeded.
1372
 *
1373
 * Returned value is 1 on success, 0 on error. An error is reported
1374
 * if the requested range is outside of the supported key sizes, or
1375
 * if an invalid non-zero public exponent value is provided. Supported
1376
 * range starts at 512 bits, and up to an implementation-defined
1377
 * maximum (by default 4096 bits). Note that key sizes up to 768 bits
1378
 * have been broken in practice, and sizes lower than 2048 bits are
1379
 * usually considered to be weak and should not be used.
1380
 *
1381
 * \param rng_ctx     source PRNG context (already initialized)
1382
 * \param sk          RSA private key structure (destination)
1383
 * \param kbuf_priv   buffer for private key elements
1384
 * \param pk          RSA public key structure (destination), or `NULL`
1385
 * \param kbuf_pub    buffer for public key elements, or `NULL`
1386
 * \param size        target RSA modulus size (in bits)
1387
 * \param pubexp      public exponent to use, or zero
1388
 * \return  1 on success, 0 on error (invalid parameters)
1389
 */
1390
typedef uint32_t (*br_rsa_keygen)(
1391
	const br_prng_class **rng_ctx,
1392
	br_rsa_private_key *sk, void *kbuf_priv,
1393
	br_rsa_public_key *pk, void *kbuf_pub,
1394
	unsigned size, uint32_t pubexp);
1395

1396
/**
1397
 * \brief RSA key pair generation with the "i15" engine.
1398
 *
1399
 * \see br_rsa_keygen
1400
 *
1401
 * \param rng_ctx     source PRNG context (already initialized)
1402
 * \param sk          RSA private key structure (destination)
1403
 * \param kbuf_priv   buffer for private key elements
1404
 * \param pk          RSA public key structure (destination), or `NULL`
1405
 * \param kbuf_pub    buffer for public key elements, or `NULL`
1406
 * \param size        target RSA modulus size (in bits)
1407
 * \param pubexp      public exponent to use, or zero
1408
 * \return  1 on success, 0 on error (invalid parameters)
1409
 */
1410
uint32_t br_rsa_i15_keygen(
1411
	const br_prng_class **rng_ctx,
1412
	br_rsa_private_key *sk, void *kbuf_priv,
1413
	br_rsa_public_key *pk, void *kbuf_pub,
1414
	unsigned size, uint32_t pubexp);
1415

1416
/**
1417
 * \brief RSA key pair generation with the "i31" engine.
1418
 *
1419
 * \see br_rsa_keygen
1420
 *
1421
 * \param rng_ctx     source PRNG context (already initialized)
1422
 * \param sk          RSA private key structure (destination)
1423
 * \param kbuf_priv   buffer for private key elements
1424
 * \param pk          RSA public key structure (destination), or `NULL`
1425
 * \param kbuf_pub    buffer for public key elements, or `NULL`
1426
 * \param size        target RSA modulus size (in bits)
1427
 * \param pubexp      public exponent to use, or zero
1428
 * \return  1 on success, 0 on error (invalid parameters)
1429
 */
1430
uint32_t br_rsa_i31_keygen(
1431
	const br_prng_class **rng_ctx,
1432
	br_rsa_private_key *sk, void *kbuf_priv,
1433
	br_rsa_public_key *pk, void *kbuf_pub,
1434
	unsigned size, uint32_t pubexp);
1435

1436
/**
1437
 * \brief RSA key pair generation with the "i62" engine.
1438
 *
1439
 * This function is defined only on architecture that offer a 64x64->128
1440
 * opcode. Use `br_rsa_i62_keygen_get()` to dynamically obtain a pointer
1441
 * to that function.
1442
 *
1443
 * \see br_rsa_keygen
1444
 *
1445
 * \param rng_ctx     source PRNG context (already initialized)
1446
 * \param sk          RSA private key structure (destination)
1447
 * \param kbuf_priv   buffer for private key elements
1448
 * \param pk          RSA public key structure (destination), or `NULL`
1449
 * \param kbuf_pub    buffer for public key elements, or `NULL`
1450
 * \param size        target RSA modulus size (in bits)
1451
 * \param pubexp      public exponent to use, or zero
1452
 * \return  1 on success, 0 on error (invalid parameters)
1453
 */
1454
uint32_t br_rsa_i62_keygen(
1455
	const br_prng_class **rng_ctx,
1456
	br_rsa_private_key *sk, void *kbuf_priv,
1457
	br_rsa_public_key *pk, void *kbuf_pub,
1458
	unsigned size, uint32_t pubexp);
1459

1460
/**
1461
 * \brief Get the RSA "i62" implementation (key pair generation),
1462
 * if available.
1463
 *
1464
 * \return  the implementation, or 0.
1465
 */
1466
br_rsa_keygen br_rsa_i62_keygen_get(void);
1467

1468
/**
1469
 * \brief Get "default" RSA implementation (key pair generation).
1470
 *
1471
 * This returns the preferred implementation of RSA (key pair generation)
1472
 * on the current system.
1473
 *
1474
 * \return  the default implementation.
1475
 */
1476
br_rsa_keygen br_rsa_keygen_get_default(void);
1477

1478
/**
1479
 * \brief Type for a modulus computing function.
1480
 *
1481
 * Such a function computes the public modulus from the private key. The
1482
 * encoded modulus (unsigned big-endian) is written on `n`, and the size
1483
 * (in bytes) is returned. If `n` is `NULL`, then the size is returned but
1484
 * the modulus itself is not computed.
1485
 *
1486
 * If the key size exceeds an internal limit, 0 is returned.
1487
 *
1488
 * \param n    destination buffer (or `NULL`).
1489
 * \param sk   RSA private key.
1490
 * \return  the modulus length (in bytes), or 0.
1491
 */
1492
typedef size_t (*br_rsa_compute_modulus)(void *n, const br_rsa_private_key *sk);
1493

1494
/**
1495
 * \brief Recompute RSA modulus ("i15" engine).
1496
 *
1497
 * \see br_rsa_compute_modulus
1498
 *
1499
 * \param n    destination buffer (or `NULL`).
1500
 * \param sk   RSA private key.
1501
 * \return  the modulus length (in bytes), or 0.
1502
 */
1503
size_t br_rsa_i15_compute_modulus(void *n, const br_rsa_private_key *sk);
1504

1505
/**
1506
 * \brief Recompute RSA modulus ("i31" engine).
1507
 *
1508
 * \see br_rsa_compute_modulus
1509
 *
1510
 * \param n    destination buffer (or `NULL`).
1511
 * \param sk   RSA private key.
1512
 * \return  the modulus length (in bytes), or 0.
1513
 */
1514
size_t br_rsa_i31_compute_modulus(void *n, const br_rsa_private_key *sk);
1515

1516
/**
1517
 * \brief Get "default" RSA implementation (recompute modulus).
1518
 *
1519
 * This returns the preferred implementation of RSA (recompute modulus)
1520
 * on the current system.
1521
 *
1522
 * \return  the default implementation.
1523
 */
1524
br_rsa_compute_modulus br_rsa_compute_modulus_get_default(void);
1525

1526
/**
1527
 * \brief Type for a public exponent computing function.
1528
 *
1529
 * Such a function recomputes the public exponent from the private key.
1530
 * 0 is returned if any of the following occurs:
1531
 *
1532
 *   - Either `p` or `q` is not equal to 3 modulo 4.
1533
 *
1534
 *   - The public exponent does not fit on 32 bits.
1535
 *
1536
 *   - An internal limit is exceeded.
1537
 *
1538
 *   - The private key is invalid in some way.
1539
 *
1540
 * For all private keys produced by the key generator functions
1541
 * (`br_rsa_keygen` type), this function succeeds and returns the true
1542
 * public exponent. The public exponent is always an odd integer greater
1543
 * than 1.
1544
 *
1545
 * \return  the public exponent, or 0.
1546
 */
1547
typedef uint32_t (*br_rsa_compute_pubexp)(const br_rsa_private_key *sk);
1548

1549
/**
1550
 * \brief Recompute RSA public exponent ("i15" engine).
1551
 *
1552
 * \see br_rsa_compute_pubexp
1553
 *
1554
 * \return  the public exponent, or 0.
1555
 */
1556
uint32_t br_rsa_i15_compute_pubexp(const br_rsa_private_key *sk);
1557

1558
/**
1559
 * \brief Recompute RSA public exponent ("i31" engine).
1560
 *
1561
 * \see br_rsa_compute_pubexp
1562
 *
1563
 * \return  the public exponent, or 0.
1564
 */
1565
uint32_t br_rsa_i31_compute_pubexp(const br_rsa_private_key *sk);
1566

1567
/**
1568
 * \brief Get "default" RSA implementation (recompute public exponent).
1569
 *
1570
 * This returns the preferred implementation of RSA (recompute public
1571
 * exponent) on the current system.
1572
 *
1573
 * \return  the default implementation.
1574
 */
1575
br_rsa_compute_pubexp br_rsa_compute_pubexp_get_default(void);
1576

1577
/**
1578
 * \brief Type for a private exponent computing function.
1579
 *
1580
 * An RSA private key (`br_rsa_private_key`) contains two reduced
1581
 * private exponents, which are sufficient to perform private key
1582
 * operations. However, standard encoding formats for RSA private keys
1583
 * require also a copy of the complete private exponent (non-reduced),
1584
 * which this function recomputes.
1585
 *
1586
 * This function suceeds if all the following conditions hold:
1587
 *
1588
 *   - Both private factors `p` and `q` are equal to 3 modulo 4.
1589
 *
1590
 *   - The provided public exponent `pubexp` is correct, and, in particular,
1591
 *     is odd, relatively prime to `p-1` and `q-1`, and greater than 1.
1592
 *
1593
 *   - No internal storage limit is exceeded.
1594
 *
1595
 * For all private keys produced by the key generator functions
1596
 * (`br_rsa_keygen` type), this function succeeds. Note that the API
1597
 * restricts the public exponent to a maximum size of 32 bits.
1598
 *
1599
 * The encoded private exponent is written in `d` (unsigned big-endian
1600
 * convention), and the length (in bytes) is returned. If `d` is `NULL`,
1601
 * then the exponent is not written anywhere, but the length is still
1602
 * returned. On error, 0 is returned.
1603
 *
1604
 * Not all error conditions are detected when `d` is `NULL`; therefore, the
1605
 * returned value shall be checked also when actually producing the value.
1606
 *
1607
 * \param d        destination buffer (or `NULL`).
1608
 * \param sk       RSA private key.
1609
 * \param pubexp   the public exponent.
1610
 * \return  the private exponent length (in bytes), or 0.
1611
 */
1612
typedef size_t (*br_rsa_compute_privexp)(void *d,
1613
	const br_rsa_private_key *sk, uint32_t pubexp);
1614

1615
/**
1616
 * \brief Recompute RSA private exponent ("i15" engine).
1617
 *
1618
 * \see br_rsa_compute_privexp
1619
 *
1620
 * \param d        destination buffer (or `NULL`).
1621
 * \param sk       RSA private key.
1622
 * \param pubexp   the public exponent.
1623
 * \return  the private exponent length (in bytes), or 0.
1624
 */
1625
size_t br_rsa_i15_compute_privexp(void *d,
1626
	const br_rsa_private_key *sk, uint32_t pubexp);
1627

1628
/**
1629
 * \brief Recompute RSA private exponent ("i31" engine).
1630
 *
1631
 * \see br_rsa_compute_privexp
1632
 *
1633
 * \param d        destination buffer (or `NULL`).
1634
 * \param sk       RSA private key.
1635
 * \param pubexp   the public exponent.
1636
 * \return  the private exponent length (in bytes), or 0.
1637
 */
1638
size_t br_rsa_i31_compute_privexp(void *d,
1639
	const br_rsa_private_key *sk, uint32_t pubexp);
1640

1641
/**
1642
 * \brief Get "default" RSA implementation (recompute private exponent).
1643
 *
1644
 * This returns the preferred implementation of RSA (recompute private
1645
 * exponent) on the current system.
1646
 *
1647
 * \return  the default implementation.
1648
 */
1649
br_rsa_compute_privexp br_rsa_compute_privexp_get_default(void);
1650

1651
#ifdef __cplusplus
1652
}
1653
#endif
1654

1655
#endif
1656

1657
Product

Resources

Company
