Lines Matching +full:1 +full:x64 +full:- +full:bit
50 * such integers are represented with big-endian unsigned notation:
52 * there is no dedicated "sign bit"). Public and private key structures
55 * relevant bytes. As a general rule, minimal-length encoding is not
60 * - the modulus (`n`);
61 * - the public exponent (`e`).
64 * [PKCS#1](https://tools.ietf.org/html/rfc3447), contain eight integers:
66 * - the modulus (`n`);
67 * - the public exponent (`e`);
68 * - the private exponent (`d`);
69 * - the first prime factor (`p`);
70 * - the second prime factor (`q`);
71 * - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
72 * - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
73 * - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
83 * - They are constant-time. This means that the execution time and
87 * random masking, but "true" constant-time code.
89 * - They support only private keys with two prime factors. RSA private
95 * - The public exponent may have arbitrary length. Of course, it is
101 * - The two prime factors of the modulus need not have the same length
106 * - Prime factors and modulus must be smaller than a compile-time limit.
107 * This is made necessary by the use of fixed-size stack buffers, and
112 * - The RSA functions themselves do not enforce lower size limits,
114 * mathematically make sense (e.g. a PKCS#1 v1.5 signature with
115 * SHA-1 requires a modulus of at least 361 bits). It is up to users
120 * - Within the size constraints expressed above, arbitrary bit lengths
124 * - When verifying PKCS#1 v1.5 signatures, both variants of the hash
125 * function identifying header (with and without the ASN.1 NULL) are
127 * ASN.1 NULL is used.
133 * - The **i32** implementation internally represents big integers
134 * as arrays of 32-bit integers. It is perfunctory and portable,
137 * - The **i31** implementation uses 32-bit integers, each containing
143 * - The **i62** implementation is similar to the i31 implementation,
144 * except that it internally leverages the 64x64->128 multiplication
148 * - The **i15** implementation uses 16-bit integers, each containing
151 * on ARM Cortex M0/M0+, for much better performance and constant-time
159 * integers use unsigned big-endian representation; extra leading bytes
177 * exponents, and CRT coefficient. It also contains the bit length of
178 * the modulus. The big integers use unsigned big-endian representation;
179 * extra leading bytes of value 0 are allowed. However, the modulus bit
183 /** \brief Modulus bit length (in bits, exact value). */
219 * It `xlen` is correct, then `x[]` is modified. Returned value is 1
229 * \return 1 on success, 0 on error.
235 * \brief Type for a RSA signature verification engine (PKCS#1 v1.5).
239 * - The signature itself. The provided array is NOT modified.
241 * - The encoded OID for the hash function. The provided array must begin
245 * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
246 * to TLS-1.1, with a 36-byte hash value).
248 * - The hash output length, in bytes.
250 * - The public key.
252 * - An output buffer for the hash value. The caller must still compare
257 * - Hash length MUST be no more than 64 bytes.
259 * - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
267 * Returned value is 1 on success, 0 on error.
269 * Implementations of this type need not be constant-time.
277 * \return 1 on success, 0 on error.
288 * - The signature itself. The provided array is NOT modified.
290 * - The hash function which was used to hash the message.
292 * - The hash function to use with MGF1 within the PSS padding. This
296 * - The hashed message (as an array of bytes).
298 * - The PSS salt length (in bytes).
300 * - The public key.
304 * - Hash message length MUST be no more than 64 bytes.
306 * Note that, contrary to PKCS#1 v1.5 signature, the hash value of the
315 * Returned value is 1 on success, 0 on error.
317 * Implementations of this type need not be constant-time.
326 * \return 1 on success, 0 on error.
337 * - A source of random bytes. The source must be already initialized.
339 * - A hash function, used internally with the mask generation function
342 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
343 * (an empty label, which is the default in PKCS#1 v2.2).
345 * - The public key.
347 * - The destination buffer. Its maximum length (in bytes) is provided;
351 * - The source message.
388 * `(sk->n_bitlen+7)/8` bytes).
390 * Returned value is 1 on success, 0 on error.
394 * \return 1 on success, 0 on error.
400 * \brief Type for a RSA signature generation engine (PKCS#1 v1.5).
404 * - The encoded OID for the hash function. The provided array must begin
408 * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
409 * to TLS-1.1, with a 36-byte hash value).
411 * - The hash value computes over the data to sign (its length is
414 * - The RSA private key.
416 * - The output buffer, that receives the signature.
418 * Returned value is 1 on success, 0 on error. Error conditions include
421 * `(sk->n_bitlen+7)/8` bytes.
423 * This function is expected to be constant-time with regards to the
432 * \return 1 on success, 0 on error.
443 * - An initialized PRNG for salt generation. If the salt length is
446 * tighter when a non-empty salt is used).
448 * - The hash function which was used to hash the message.
450 * - The hash function to use with MGF1 within the PSS padding. This
454 * - The hashed message.
456 * - The salt length, in bytes.
458 * - The RSA private key.
460 * - The output buffer, that receives the signature.
462 * Returned value is 1 on success, 0 on error. Error conditions include
465 * `(sk->n_bitlen+7)/8` bytes.
467 * This function is expected to be constant-time with regards to the
478 * \return 1 on success, 0 on error.
486 * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
492 * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
498 * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
504 * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
510 * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
520 * - A hash function, used internally with the mask generation function
523 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
524 * (an empty label, which is the default in PKCS#1 v2.2).
526 * - The private key.
528 * - The source and destination buffer. The buffer initially contains
535 * length, and 1 is returned. The implementation is responsible for
539 * Implementations MUST use constant-time check of the validity of the
550 * \return 1 on success, 0 on error.
558 * 32-bit integers, and the core multiplication primitive is the
559 * 32x32->64 multiplication.
570 * \return 1 on success, 0 on error.
576 * \brief RSA signature verification engine "i32" (PKCS#1 v1.5 signatures).
586 * \return 1 on success, 0 on error.
604 * \return 1 on success, 0 on error.
617 * \return 1 on success, 0 on error.
623 * \brief RSA signature generation engine "i32" (PKCS#1 v1.5 signatures).
632 * \return 1 on success, 0 on error.
650 * \return 1 on success, 0 on error.
658 * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
671 * \return 1 on success, 0 on error.
677 * \brief RSA signature verification engine "i31" (PKCS#1 v1.5 signatures).
687 * \return 1 on success, 0 on error.
705 * \return 1 on success, 0 on error.
718 * \return 1 on success, 0 on error.
724 * \brief RSA signature generation engine "i31" (PKCS#1 v1.5 signatures).
733 * \return 1 on success, 0 on error.
751 * \return 1 on success, 0 on error.
760 * 64x64->128 multiplications. This is available only on architecture
767 * This function is defined only on architecture that offer a 64x64->128
776 * \return 1 on success, 0 on error.
782 * \brief RSA signature verification engine "i62" (PKCS#1 v1.5 signatures).
784 * This function is defined only on architecture that offer a 64x64->128
796 * \return 1 on success, 0 on error.
805 * This function is defined only on architecture that offer a 64x64->128
818 * \return 1 on success, 0 on error.
827 * This function is defined only on architecture that offer a 64x64->128
835 * \return 1 on success, 0 on error.
841 * \brief RSA signature generation engine "i62" (PKCS#1 v1.5 signatures).
843 * This function is defined only on architecture that offer a 64x64->128
854 * \return 1 on success, 0 on error.
863 * This function is defined only on architecture that offer a 64x64->128
876 * \return 1 on success, 0 on error.
892 * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature verification),
916 * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature generation),
948 * RSA "i15" engine. Integers are represented as 15-bit integers, so
949 * the code uses only 32-bit multiplication (no 64-bit result), which
950 * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
961 * \return 1 on success, 0 on error.
967 * \brief RSA signature verification engine "i15" (PKCS#1 v1.5 signatures).
977 * \return 1 on success, 0 on error.
995 * \return 1 on success, 0 on error.
1008 * \return 1 on success, 0 on error.
1014 * \brief RSA signature generation engine "i15" (PKCS#1 v1.5 signatures).
1023 * \return 1 on success, 0 on error.
1041 * \return 1 on success, 0 on error.
1049 * \brief Get "default" RSA implementation (public-key operations).
1051 * This returns the preferred implementation of RSA (public-key operations)
1059 * \brief Get "default" RSA implementation (private-key operations).
1061 * This returns the preferred implementation of RSA (private-key operations)
1069 * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature verification).
1089 * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature generation).
1131 * This function performs the RSA decryption for a RSA-based key exchange
1134 * success, the 48-byte pre-master secret is copied into `data`, starting
1144 * in constant-time. A decryption error, or a bad padding, or an
1146 * 0; on success, 1 is returned. The caller (SSL server engine) is supposed
1147 * to proceed with a random pre-master secret in case of error.
1153 * \return 1 on success, 0 on error.
1192 * \return 1 on success, 0 on error.
1232 * \return 1 on success, 0 on error.
1272 * \return 1 on success, 0 on error.
1281 * This function is defined only on architecture that offer a 64x64->128
1308 * This function is defined only on architecture that offer a 64x64->128
1320 * \return 1 on success, 0 on error.
1355 * This function generates a new RSA key pair whose modulus has bit
1367 * greater than 1. If `pubexp` is zero, then the public exponent will
1373 * Returned value is 1 on success, 0 on error. An error is reported
1375 * if an invalid non-zero public exponent value is provided. Supported
1376 * range starts at 512 bits, and up to an implementation-defined
1388 * \return 1 on success, 0 on error (invalid parameters)
1408 * \return 1 on success, 0 on error (invalid parameters)
1428 * \return 1 on success, 0 on error (invalid parameters)
1439 * This function is defined only on architecture that offer a 64x64->128
1452 * \return 1 on success, 0 on error (invalid parameters)
1482 * encoded modulus (unsigned big-endian) is written on `n`, and the size
1532 * - Either `p` or `q` is not equal to 3 modulo 4.
1534 * - The public exponent does not fit on 32 bits.
1536 * - An internal limit is exceeded.
1538 * - The private key is invalid in some way.
1543 * than 1.
1583 * require also a copy of the complete private exponent (non-reduced),
1588 * - Both private factors `p` and `q` are equal to 3 modulo 4.
1590 * - The provided public exponent `pubexp` is correct, and, in particular,
1591 * is odd, relatively prime to `p-1` and `q-1`, and greater than 1.
1593 * - No internal storage limit is exceeded.
1599 * The encoded private exponent is written in `d` (unsigned big-endian