xref: /freebsd/contrib/bearssl/inc/bearssl_rsa.h (revision 02e9120893770924227138ba49df1edb3896112a)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #ifndef BR_BEARSSL_RSA_H__
26 #define BR_BEARSSL_RSA_H__
27 
28 #include <stddef.h>
29 #include <stdint.h>
30 
31 #include "bearssl_hash.h"
32 #include "bearssl_rand.h"
33 
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37 
38 /** \file bearssl_rsa.h
39  *
40  * # RSA
41  *
42  * This file documents the RSA implementations provided with BearSSL.
43  * Note that the SSL engine accesses these implementations through a
44  * configurable API, so it is possible to, for instance, run a SSL
45  * server which uses a RSA engine which is not based on this code.
46  *
47  * ## Key Elements
48  *
49  * RSA public and private keys consist in lists of big integers. All
50  * such integers are represented with big-endian unsigned notation:
51  * first byte is the most significant, and the value is positive (so
52  * there is no dedicated "sign bit"). Public and private key structures
53  * thus contain, for each such integer, a pointer to the first value byte
54  * (`unsigned char *`), and a length (`size_t`) which is the number of
55  * relevant bytes. As a general rule, minimal-length encoding is not
56  * enforced: values may have extra leading bytes of value 0.
57  *
58  * RSA public keys consist in two integers:
59  *
60  *   - the modulus (`n`);
61  *   - the public exponent (`e`).
62  *
63  * RSA private keys, as defined in
64  * [PKCS#1](https://tools.ietf.org/html/rfc3447), contain eight integers:
65  *
66  *   - the modulus (`n`);
67  *   - the public exponent (`e`);
68  *   - the private exponent (`d`);
69  *   - the first prime factor (`p`);
70  *   - the second prime factor (`q`);
71  *   - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
72  *   - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
73  *   - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
74  *
75  * However, the implementations defined in BearSSL use only five of
76  * these integers: `p`, `q`, `dp`, `dq` and `iq`.
77  *
78  * ## Security Features and Limitations
79  *
80  * The implementations contained in BearSSL have the following limitations
81  * and features:
82  *
83  *   - They are constant-time. This means that the execution time and
84  *     memory access pattern may depend on the _lengths_ of the private
85  *     key components, but not on their value, nor on the value of
86  *     the operand. Note that this property is not achieved through
87  *     random masking, but "true" constant-time code.
88  *
89  *   - They support only private keys with two prime factors. RSA private
90  *     keys with three or more prime factors are nominally supported, but
91  *     rarely used; they may offer faster operations, at the expense of
92  *     more code and potentially a reduction in security if there are
93  *     "too many" prime factors.
94  *
95  *   - The public exponent may have arbitrary length. Of course, it is
96  *     a good idea to keep public exponents small, so that public key
97  *     operations are fast; but, contrary to some widely deployed
98  *     implementations, BearSSL has no problem with public exponents
99  *     longer than 32 bits.
100  *
101  *   - The two prime factors of the modulus need not have the same length
102  *     (but severely imbalanced factor lengths might reduce security).
103  *     Similarly, there is no requirement that the first factor (`p`)
104  *     be greater than the second factor (`q`).
105  *
106  *   - Prime factors and modulus must be smaller than a compile-time limit.
107  *     This is made necessary by the use of fixed-size stack buffers, and
108  *     the limit has been adjusted to keep stack usage under 2 kB for the
109  *     RSA operations. Currently, the maximum modulus size is 4096 bits,
110  *     and the maximum prime factor size is 2080 bits.
111  *
112  *   - The RSA functions themselves do not enforce lower size limits,
113  *     except that which is absolutely necessary for the operation to
114  *     mathematically make sense (e.g. a PKCS#1 v1.5 signature with
115  *     SHA-1 requires a modulus of at least 361 bits). It is up to users
116  *     of this code to enforce size limitations when appropriate (e.g.
117  *     the X.509 validation engine, by default, rejects RSA keys of
118  *     less than 1017 bits).
119  *
120  *   - Within the size constraints expressed above, arbitrary bit lengths
121  *     are supported. There is no requirement that prime factors or
122  *     modulus have a size multiple of 8 or 16.
123  *
124  *   - When verifying PKCS#1 v1.5 signatures, both variants of the hash
125  *     function identifying header (with and without the ASN.1 NULL) are
126  *     supported. When producing such signatures, the variant with the
127  *     ASN.1 NULL is used.
128  *
129  * ## Implementations
130  *
131  * Three RSA implementations are included:
132  *
133  *   - The **i32** implementation internally represents big integers
134  *     as arrays of 32-bit integers. It is perfunctory and portable,
135  *     but not very efficient.
136  *
137  *   - The **i31** implementation uses 32-bit integers, each containing
138  *     31 bits worth of integer data. The i31 implementation is somewhat
139  *     faster than the i32 implementation (the reduced integer size makes
140  *     carry propagation easier) for a similar code footprint, but uses
141  *     very slightly larger stack buffers (about 4% bigger).
142  *
143  *   - The **i62** implementation is similar to the i31 implementation,
144  *     except that it internally leverages the 64x64->128 multiplication
145  *     opcode. This implementation is available only on architectures
146  *     where such an opcode exists. It is much faster than i31.
147  *
148  *   - The **i15** implementation uses 16-bit integers, each containing
149  *     15 bits worth of integer data. Multiplication results fit on
150  *     32 bits, so this won't use the "widening" multiplication routine
151  *     on ARM Cortex M0/M0+, for much better performance and constant-time
152  *     execution.
153  */
154 
155 /**
156  * \brief RSA public key.
157  *
158  * The structure references the modulus and the public exponent. Both
159  * integers use unsigned big-endian representation; extra leading bytes
160  * of value 0 are allowed.
161  */
162 typedef struct {
163 	/** \brief Modulus. */
164 	unsigned char *n;
165 	/** \brief Modulus length (in bytes). */
166 	size_t nlen;
167 	/** \brief Public exponent. */
168 	unsigned char *e;
169 	/** \brief Public exponent length (in bytes). */
170 	size_t elen;
171 } br_rsa_public_key;
172 
173 /**
174  * \brief RSA private key.
175  *
176  * The structure references the private factors, reduced private
177  * exponents, and CRT coefficient. It also contains the bit length of
178  * the modulus. The big integers use unsigned big-endian representation;
179  * extra leading bytes of value 0 are allowed. However, the modulus bit
180  * length (`n_bitlen`) MUST be exact.
181  */
182 typedef struct {
183 	/** \brief Modulus bit length (in bits, exact value). */
184 	uint32_t n_bitlen;
185 	/** \brief First prime factor. */
186 	unsigned char *p;
187 	/** \brief First prime factor length (in bytes). */
188 	size_t plen;
189 	/** \brief Second prime factor. */
190 	unsigned char *q;
191 	/** \brief Second prime factor length (in bytes). */
192 	size_t qlen;
193 	/** \brief First reduced private exponent. */
194 	unsigned char *dp;
195 	/** \brief First reduced private exponent length (in bytes). */
196 	size_t dplen;
197 	/** \brief Second reduced private exponent. */
198 	unsigned char *dq;
199 	/** \brief Second reduced private exponent length (in bytes). */
200 	size_t dqlen;
201 	/** \brief CRT coefficient. */
202 	unsigned char *iq;
203 	/** \brief CRT coefficient length (in bytes). */
204 	size_t iqlen;
205 } br_rsa_private_key;
206 
207 /**
208  * \brief Type for a RSA public key engine.
209  *
210  * The public key engine performs the modular exponentiation of the
211  * provided value with the public exponent. The value is modified in
212  * place.
213  *
214  * The value length (`xlen`) is verified to have _exactly_ the same
215  * length as the modulus (actual modulus length, without extra leading
216  * zeros in the modulus representation in memory). If the length does
217  * not match, then this function returns 0 and `x[]` is unmodified.
218  *
219  * It `xlen` is correct, then `x[]` is modified. Returned value is 1
220  * on success, 0 on error. Error conditions include an oversized `x[]`
221  * (the array has the same length as the modulus, but the numerical value
222  * is not lower than the modulus) and an invalid modulus (e.g. an even
223  * integer). If an error is reported, then the new contents of `x[]` are
224  * unspecified.
225  *
226  * \param x      operand to exponentiate.
227  * \param xlen   length of the operand (in bytes).
228  * \param pk     RSA public key.
229  * \return  1 on success, 0 on error.
230  */
231 typedef uint32_t (*br_rsa_public)(unsigned char *x, size_t xlen,
232 	const br_rsa_public_key *pk);
233 
234 /**
235  * \brief Type for a RSA signature verification engine (PKCS#1 v1.5).
236  *
237  * Parameters are:
238  *
239  *   - The signature itself. The provided array is NOT modified.
240  *
241  *   - The encoded OID for the hash function. The provided array must begin
242  *     with a single byte that contains the length of the OID value (in
243  *     bytes), followed by exactly that many bytes. This parameter may
244  *     also be `NULL`, in which case the raw hash value should be used
245  *     with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
246  *     to TLS-1.1, with a 36-byte hash value).
247  *
248  *   - The hash output length, in bytes.
249  *
250  *   - The public key.
251  *
252  *   - An output buffer for the hash value. The caller must still compare
253  *     it with the hash of the data over which the signature is computed.
254  *
255  * **Constraints:**
256  *
257  *   - Hash length MUST be no more than 64 bytes.
258  *
259  *   - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
260  *     must have a value in the 0..32 range, inclusive).
261  *
262  * This function verifies that the signature length (`xlen`) matches the
263  * modulus length (this function returns 0 on mismatch). If the modulus
264  * size exceeds the maximum supported RSA size, then the function also
265  * returns 0.
266  *
267  * Returned value is 1 on success, 0 on error.
268  *
269  * Implementations of this type need not be constant-time.
270  *
271  * \param x          signature buffer.
272  * \param xlen       signature length (in bytes).
273  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
274  * \param hash_len   expected hash value length (in bytes).
275  * \param pk         RSA public key.
276  * \param hash_out   output buffer for the hash value.
277  * \return  1 on success, 0 on error.
278  */
279 typedef uint32_t (*br_rsa_pkcs1_vrfy)(const unsigned char *x, size_t xlen,
280 	const unsigned char *hash_oid, size_t hash_len,
281 	const br_rsa_public_key *pk, unsigned char *hash_out);
282 
283 /**
284  * \brief Type for a RSA signature verification engine (PSS).
285  *
286  * Parameters are:
287  *
288  *   - The signature itself. The provided array is NOT modified.
289  *
290  *   - The hash function which was used to hash the message.
291  *
292  *   - The hash function to use with MGF1 within the PSS padding. This
293  *     is not necessarily the same hash function as the one which was
294  *     used to hash the signed message.
295  *
296  *   - The hashed message (as an array of bytes).
297  *
298  *   - The PSS salt length (in bytes).
299  *
300  *   - The public key.
301  *
302  * **Constraints:**
303  *
304  *   - Hash message length MUST be no more than 64 bytes.
305  *
306  * Note that, contrary to PKCS#1 v1.5 signature, the hash value of the
307  * signed data cannot be extracted from the signature; it must be
308  * provided to the verification function.
309  *
310  * This function verifies that the signature length (`xlen`) matches the
311  * modulus length (this function returns 0 on mismatch). If the modulus
312  * size exceeds the maximum supported RSA size, then the function also
313  * returns 0.
314  *
315  * Returned value is 1 on success, 0 on error.
316  *
317  * Implementations of this type need not be constant-time.
318  *
319  * \param x          signature buffer.
320  * \param xlen       signature length (in bytes).
321  * \param hf_data    hash function applied on the message.
322  * \param hf_mgf1    hash function to use with MGF1.
323  * \param hash       hash value of the signed message.
324  * \param salt_len   PSS salt length (in bytes).
325  * \param pk         RSA public key.
326  * \return  1 on success, 0 on error.
327  */
328 typedef uint32_t (*br_rsa_pss_vrfy)(const unsigned char *x, size_t xlen,
329 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
330 	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
331 
332 /**
333  * \brief Type for a RSA encryption engine (OAEP).
334  *
335  * Parameters are:
336  *
337  *   - A source of random bytes. The source must be already initialized.
338  *
339  *   - A hash function, used internally with the mask generation function
340  *     (MGF1).
341  *
342  *   - A label. The `label` pointer may be `NULL` if `label_len` is zero
343  *     (an empty label, which is the default in PKCS#1 v2.2).
344  *
345  *   - The public key.
346  *
347  *   - The destination buffer. Its maximum length (in bytes) is provided;
348  *     if that length is lower than the public key length, then an error
349  *     is reported.
350  *
351  *   - The source message.
352  *
353  * The encrypted message output has exactly the same length as the modulus
354  * (mathematical length, in bytes, not counting extra leading zeros in the
355  * modulus representation in the public key).
356  *
357  * The source message (`src`, length `src_len`) may overlap with the
358  * destination buffer (`dst`, length `dst_max_len`).
359  *
360  * This function returns the actual encrypted message length, in bytes;
361  * on error, zero is returned. An error is reported if the output buffer
362  * is not large enough, or the public is invalid, or the public key
363  * modulus exceeds the maximum supported RSA size.
364  *
365  * \param rnd           source of random bytes.
366  * \param dig           hash function to use with MGF1.
367  * \param label         label value (may be `NULL` if `label_len` is zero).
368  * \param label_len     label length, in bytes.
369  * \param pk            RSA public key.
370  * \param dst           destination buffer.
371  * \param dst_max_len   destination buffer length (maximum encrypted data size).
372  * \param src           message to encrypt.
373  * \param src_len       source message length (in bytes).
374  * \return  encrypted message length (in bytes), or 0 on error.
375  */
376 typedef size_t (*br_rsa_oaep_encrypt)(
377 	const br_prng_class **rnd, const br_hash_class *dig,
378 	const void *label, size_t label_len,
379 	const br_rsa_public_key *pk,
380 	void *dst, size_t dst_max_len,
381 	const void *src, size_t src_len);
382 
383 /**
384  * \brief Type for a RSA private key engine.
385  *
386  * The `x[]` buffer is modified in place, and its length is inferred from
387  * the modulus length (`x[]` is assumed to have a length of
388  * `(sk->n_bitlen+7)/8` bytes).
389  *
390  * Returned value is 1 on success, 0 on error.
391  *
392  * \param x    operand to exponentiate.
393  * \param sk   RSA private key.
394  * \return  1 on success, 0 on error.
395  */
396 typedef uint32_t (*br_rsa_private)(unsigned char *x,
397 	const br_rsa_private_key *sk);
398 
399 /**
400  * \brief Type for a RSA signature generation engine (PKCS#1 v1.5).
401  *
402  * Parameters are:
403  *
404  *   - The encoded OID for the hash function. The provided array must begin
405  *     with a single byte that contains the length of the OID value (in
406  *     bytes), followed by exactly that many bytes. This parameter may
407  *     also be `NULL`, in which case the raw hash value should be used
408  *     with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
409  *     to TLS-1.1, with a 36-byte hash value).
410  *
411  *   - The hash value computes over the data to sign (its length is
412  *     expressed in bytes).
413  *
414  *   - The RSA private key.
415  *
416  *   - The output buffer, that receives the signature.
417  *
418  * Returned value is 1 on success, 0 on error. Error conditions include
419  * a too small modulus for the provided hash OID and value, or some
420  * invalid key parameters. The signature length is exactly
421  * `(sk->n_bitlen+7)/8` bytes.
422  *
423  * This function is expected to be constant-time with regards to the
424  * private key bytes (lengths of the modulus and the individual factors
425  * may leak, though) and to the hashed data.
426  *
427  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
428  * \param hash       hash value.
429  * \param hash_len   hash value length (in bytes).
430  * \param sk         RSA private key.
431  * \param x          output buffer for the signature value.
432  * \return  1 on success, 0 on error.
433  */
434 typedef uint32_t (*br_rsa_pkcs1_sign)(const unsigned char *hash_oid,
435 	const unsigned char *hash, size_t hash_len,
436 	const br_rsa_private_key *sk, unsigned char *x);
437 
438 /**
439  * \brief Type for a RSA signature generation engine (PSS).
440  *
441  * Parameters are:
442  *
443  *   - An initialized PRNG for salt generation. If the salt length is
444  *     zero (`salt_len` parameter), then the PRNG is optional (this is
445  *     not the typical case, as the security proof of RSA/PSS is
446  *     tighter when a non-empty salt is used).
447  *
448  *   - The hash function which was used to hash the message.
449  *
450  *   - The hash function to use with MGF1 within the PSS padding. This
451  *     is not necessarily the same function as the one used to hash the
452  *     message.
453  *
454  *   - The hashed message.
455  *
456  *   - The salt length, in bytes.
457  *
458  *   - The RSA private key.
459  *
460  *   - The output buffer, that receives the signature.
461  *
462  * Returned value is 1 on success, 0 on error. Error conditions include
463  * a too small modulus for the provided hash and salt lengths, or some
464  * invalid key parameters. The signature length is exactly
465  * `(sk->n_bitlen+7)/8` bytes.
466  *
467  * This function is expected to be constant-time with regards to the
468  * private key bytes (lengths of the modulus and the individual factors
469  * may leak, though) and to the hashed data.
470  *
471  * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
472  * \param hf_data    hash function used to hash the signed data.
473  * \param hf_mgf1    hash function to use with MGF1.
474  * \param hash       hashed message.
475  * \param salt_len   salt length (in bytes).
476  * \param sk         RSA private key.
477  * \param x          output buffer for the signature value.
478  * \return  1 on success, 0 on error.
479  */
480 typedef uint32_t (*br_rsa_pss_sign)(const br_prng_class **rng,
481 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
482 	const unsigned char *hash_value, size_t salt_len,
483 	const br_rsa_private_key *sk, unsigned char *x);
484 
485 /**
486  * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
487  */
488 #define BR_HASH_OID_SHA1     \
489 	((const unsigned char *)"\x05\x2B\x0E\x03\x02\x1A")
490 
491 /**
492  * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
493  */
494 #define BR_HASH_OID_SHA224   \
495 	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04")
496 
497 /**
498  * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
499  */
500 #define BR_HASH_OID_SHA256   \
501 	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01")
502 
503 /**
504  * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
505  */
506 #define BR_HASH_OID_SHA384   \
507 	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02")
508 
509 /**
510  * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
511  */
512 #define BR_HASH_OID_SHA512   \
513 	((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03")
514 
515 /**
516  * \brief Type for a RSA decryption engine (OAEP).
517  *
518  * Parameters are:
519  *
520  *   - A hash function, used internally with the mask generation function
521  *     (MGF1).
522  *
523  *   - A label. The `label` pointer may be `NULL` if `label_len` is zero
524  *     (an empty label, which is the default in PKCS#1 v2.2).
525  *
526  *   - The private key.
527  *
528  *   - The source and destination buffer. The buffer initially contains
529  *     the encrypted message; the buffer contents are altered, and the
530  *     decrypted message is written at the start of that buffer
531  *     (decrypted message is always shorter than the encrypted message).
532  *
533  * If decryption fails in any way, then `*len` is unmodified, and the
534  * function returns 0. Otherwise, `*len` is set to the decrypted message
535  * length, and 1 is returned. The implementation is responsible for
536  * checking that the input message length matches the key modulus length,
537  * and that the padding is correct.
538  *
539  * Implementations MUST use constant-time check of the validity of the
540  * OAEP padding, at least until the leading byte and hash value have
541  * been checked. Whether overall decryption worked, and the length of
542  * the decrypted message, may leak.
543  *
544  * \param dig         hash function to use with MGF1.
545  * \param label       label value (may be `NULL` if `label_len` is zero).
546  * \param label_len   label length, in bytes.
547  * \param sk          RSA private key.
548  * \param data        input/output buffer.
549  * \param len         encrypted/decrypted message length.
550  * \return  1 on success, 0 on error.
551  */
552 typedef uint32_t (*br_rsa_oaep_decrypt)(
553 	const br_hash_class *dig, const void *label, size_t label_len,
554 	const br_rsa_private_key *sk, void *data, size_t *len);
555 
556 /*
557  * RSA "i32" engine. Integers are internally represented as arrays of
558  * 32-bit integers, and the core multiplication primitive is the
559  * 32x32->64 multiplication.
560  */
561 
562 /**
563  * \brief RSA public key engine "i32".
564  *
565  * \see br_rsa_public
566  *
567  * \param x      operand to exponentiate.
568  * \param xlen   length of the operand (in bytes).
569  * \param pk     RSA public key.
570  * \return  1 on success, 0 on error.
571  */
572 uint32_t br_rsa_i32_public(unsigned char *x, size_t xlen,
573 	const br_rsa_public_key *pk);
574 
575 /**
576  * \brief RSA signature verification engine "i32" (PKCS#1 v1.5 signatures).
577  *
578  * \see br_rsa_pkcs1_vrfy
579  *
580  * \param x          signature buffer.
581  * \param xlen       signature length (in bytes).
582  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
583  * \param hash_len   expected hash value length (in bytes).
584  * \param pk         RSA public key.
585  * \param hash_out   output buffer for the hash value.
586  * \return  1 on success, 0 on error.
587  */
588 uint32_t br_rsa_i32_pkcs1_vrfy(const unsigned char *x, size_t xlen,
589 	const unsigned char *hash_oid, size_t hash_len,
590 	const br_rsa_public_key *pk, unsigned char *hash_out);
591 
592 /**
593  * \brief RSA signature verification engine "i32" (PSS signatures).
594  *
595  * \see br_rsa_pss_vrfy
596  *
597  * \param x          signature buffer.
598  * \param xlen       signature length (in bytes).
599  * \param hf_data    hash function applied on the message.
600  * \param hf_mgf1    hash function to use with MGF1.
601  * \param hash       hash value of the signed message.
602  * \param salt_len   PSS salt length (in bytes).
603  * \param pk         RSA public key.
604  * \return  1 on success, 0 on error.
605  */
606 uint32_t br_rsa_i32_pss_vrfy(const unsigned char *x, size_t xlen,
607 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
608 	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
609 
610 /**
611  * \brief RSA private key engine "i32".
612  *
613  * \see br_rsa_private
614  *
615  * \param x    operand to exponentiate.
616  * \param sk   RSA private key.
617  * \return  1 on success, 0 on error.
618  */
619 uint32_t br_rsa_i32_private(unsigned char *x,
620 	const br_rsa_private_key *sk);
621 
622 /**
623  * \brief RSA signature generation engine "i32" (PKCS#1 v1.5 signatures).
624  *
625  * \see br_rsa_pkcs1_sign
626  *
627  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
628  * \param hash       hash value.
629  * \param hash_len   hash value length (in bytes).
630  * \param sk         RSA private key.
631  * \param x          output buffer for the hash value.
632  * \return  1 on success, 0 on error.
633  */
634 uint32_t br_rsa_i32_pkcs1_sign(const unsigned char *hash_oid,
635 	const unsigned char *hash, size_t hash_len,
636 	const br_rsa_private_key *sk, unsigned char *x);
637 
638 /**
639  * \brief RSA signature generation engine "i32" (PSS signatures).
640  *
641  * \see br_rsa_pss_sign
642  *
643  * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
644  * \param hf_data    hash function used to hash the signed data.
645  * \param hf_mgf1    hash function to use with MGF1.
646  * \param hash       hashed message.
647  * \param salt_len   salt length (in bytes).
648  * \param sk         RSA private key.
649  * \param x          output buffer for the signature value.
650  * \return  1 on success, 0 on error.
651  */
652 uint32_t br_rsa_i32_pss_sign(const br_prng_class **rng,
653 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
654 	const unsigned char *hash_value, size_t salt_len,
655 	const br_rsa_private_key *sk, unsigned char *x);
656 
657 /*
658  * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
659  * word. This uses slightly more stack space (about 4% more) and code
660  * space, but it quite faster.
661  */
662 
663 /**
664  * \brief RSA public key engine "i31".
665  *
666  * \see br_rsa_public
667  *
668  * \param x      operand to exponentiate.
669  * \param xlen   length of the operand (in bytes).
670  * \param pk     RSA public key.
671  * \return  1 on success, 0 on error.
672  */
673 uint32_t br_rsa_i31_public(unsigned char *x, size_t xlen,
674 	const br_rsa_public_key *pk);
675 
676 /**
677  * \brief RSA signature verification engine "i31" (PKCS#1 v1.5 signatures).
678  *
679  * \see br_rsa_pkcs1_vrfy
680  *
681  * \param x          signature buffer.
682  * \param xlen       signature length (in bytes).
683  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
684  * \param hash_len   expected hash value length (in bytes).
685  * \param pk         RSA public key.
686  * \param hash_out   output buffer for the hash value.
687  * \return  1 on success, 0 on error.
688  */
689 uint32_t br_rsa_i31_pkcs1_vrfy(const unsigned char *x, size_t xlen,
690 	const unsigned char *hash_oid, size_t hash_len,
691 	const br_rsa_public_key *pk, unsigned char *hash_out);
692 
693 /**
694  * \brief RSA signature verification engine "i31" (PSS signatures).
695  *
696  * \see br_rsa_pss_vrfy
697  *
698  * \param x          signature buffer.
699  * \param xlen       signature length (in bytes).
700  * \param hf_data    hash function applied on the message.
701  * \param hf_mgf1    hash function to use with MGF1.
702  * \param hash       hash value of the signed message.
703  * \param salt_len   PSS salt length (in bytes).
704  * \param pk         RSA public key.
705  * \return  1 on success, 0 on error.
706  */
707 uint32_t br_rsa_i31_pss_vrfy(const unsigned char *x, size_t xlen,
708 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
709 	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
710 
711 /**
712  * \brief RSA private key engine "i31".
713  *
714  * \see br_rsa_private
715  *
716  * \param x    operand to exponentiate.
717  * \param sk   RSA private key.
718  * \return  1 on success, 0 on error.
719  */
720 uint32_t br_rsa_i31_private(unsigned char *x,
721 	const br_rsa_private_key *sk);
722 
723 /**
724  * \brief RSA signature generation engine "i31" (PKCS#1 v1.5 signatures).
725  *
726  * \see br_rsa_pkcs1_sign
727  *
728  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
729  * \param hash       hash value.
730  * \param hash_len   hash value length (in bytes).
731  * \param sk         RSA private key.
732  * \param x          output buffer for the hash value.
733  * \return  1 on success, 0 on error.
734  */
735 uint32_t br_rsa_i31_pkcs1_sign(const unsigned char *hash_oid,
736 	const unsigned char *hash, size_t hash_len,
737 	const br_rsa_private_key *sk, unsigned char *x);
738 
739 /**
740  * \brief RSA signature generation engine "i31" (PSS signatures).
741  *
742  * \see br_rsa_pss_sign
743  *
744  * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
745  * \param hf_data    hash function used to hash the signed data.
746  * \param hf_mgf1    hash function to use with MGF1.
747  * \param hash       hashed message.
748  * \param salt_len   salt length (in bytes).
749  * \param sk         RSA private key.
750  * \param x          output buffer for the signature value.
751  * \return  1 on success, 0 on error.
752  */
753 uint32_t br_rsa_i31_pss_sign(const br_prng_class **rng,
754 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
755 	const unsigned char *hash_value, size_t salt_len,
756 	const br_rsa_private_key *sk, unsigned char *x);
757 
758 /*
759  * RSA "i62" engine. Similar to i31, but internal multiplication use
760  * 64x64->128 multiplications. This is available only on architecture
761  * that offer such an opcode.
762  */
763 
764 /**
765  * \brief RSA public key engine "i62".
766  *
767  * This function is defined only on architecture that offer a 64x64->128
768  * opcode. Use `br_rsa_i62_public_get()` to dynamically obtain a pointer
769  * to that function.
770  *
771  * \see br_rsa_public
772  *
773  * \param x      operand to exponentiate.
774  * \param xlen   length of the operand (in bytes).
775  * \param pk     RSA public key.
776  * \return  1 on success, 0 on error.
777  */
778 uint32_t br_rsa_i62_public(unsigned char *x, size_t xlen,
779 	const br_rsa_public_key *pk);
780 
781 /**
782  * \brief RSA signature verification engine "i62" (PKCS#1 v1.5 signatures).
783  *
784  * This function is defined only on architecture that offer a 64x64->128
785  * opcode. Use `br_rsa_i62_pkcs1_vrfy_get()` to dynamically obtain a pointer
786  * to that function.
787  *
788  * \see br_rsa_pkcs1_vrfy
789  *
790  * \param x          signature buffer.
791  * \param xlen       signature length (in bytes).
792  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
793  * \param hash_len   expected hash value length (in bytes).
794  * \param pk         RSA public key.
795  * \param hash_out   output buffer for the hash value.
796  * \return  1 on success, 0 on error.
797  */
798 uint32_t br_rsa_i62_pkcs1_vrfy(const unsigned char *x, size_t xlen,
799 	const unsigned char *hash_oid, size_t hash_len,
800 	const br_rsa_public_key *pk, unsigned char *hash_out);
801 
802 /**
803  * \brief RSA signature verification engine "i62" (PSS signatures).
804  *
805  * This function is defined only on architecture that offer a 64x64->128
806  * opcode. Use `br_rsa_i62_pss_vrfy_get()` to dynamically obtain a pointer
807  * to that function.
808  *
809  * \see br_rsa_pss_vrfy
810  *
811  * \param x          signature buffer.
812  * \param xlen       signature length (in bytes).
813  * \param hf_data    hash function applied on the message.
814  * \param hf_mgf1    hash function to use with MGF1.
815  * \param hash       hash value of the signed message.
816  * \param salt_len   PSS salt length (in bytes).
817  * \param pk         RSA public key.
818  * \return  1 on success, 0 on error.
819  */
820 uint32_t br_rsa_i62_pss_vrfy(const unsigned char *x, size_t xlen,
821 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
822 	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
823 
824 /**
825  * \brief RSA private key engine "i62".
826  *
827  * This function is defined only on architecture that offer a 64x64->128
828  * opcode. Use `br_rsa_i62_private_get()` to dynamically obtain a pointer
829  * to that function.
830  *
831  * \see br_rsa_private
832  *
833  * \param x    operand to exponentiate.
834  * \param sk   RSA private key.
835  * \return  1 on success, 0 on error.
836  */
837 uint32_t br_rsa_i62_private(unsigned char *x,
838 	const br_rsa_private_key *sk);
839 
840 /**
841  * \brief RSA signature generation engine "i62" (PKCS#1 v1.5 signatures).
842  *
843  * This function is defined only on architecture that offer a 64x64->128
844  * opcode. Use `br_rsa_i62_pkcs1_sign_get()` to dynamically obtain a pointer
845  * to that function.
846  *
847  * \see br_rsa_pkcs1_sign
848  *
849  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
850  * \param hash       hash value.
851  * \param hash_len   hash value length (in bytes).
852  * \param sk         RSA private key.
853  * \param x          output buffer for the hash value.
854  * \return  1 on success, 0 on error.
855  */
856 uint32_t br_rsa_i62_pkcs1_sign(const unsigned char *hash_oid,
857 	const unsigned char *hash, size_t hash_len,
858 	const br_rsa_private_key *sk, unsigned char *x);
859 
860 /**
861  * \brief RSA signature generation engine "i62" (PSS signatures).
862  *
863  * This function is defined only on architecture that offer a 64x64->128
864  * opcode. Use `br_rsa_i62_pss_sign_get()` to dynamically obtain a pointer
865  * to that function.
866  *
867  * \see br_rsa_pss_sign
868  *
869  * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
870  * \param hf_data    hash function used to hash the signed data.
871  * \param hf_mgf1    hash function to use with MGF1.
872  * \param hash       hashed message.
873  * \param salt_len   salt length (in bytes).
874  * \param sk         RSA private key.
875  * \param x          output buffer for the signature value.
876  * \return  1 on success, 0 on error.
877  */
878 uint32_t br_rsa_i62_pss_sign(const br_prng_class **rng,
879 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
880 	const unsigned char *hash_value, size_t salt_len,
881 	const br_rsa_private_key *sk, unsigned char *x);
882 
883 /**
884  * \brief Get the RSA "i62" implementation (public key operations),
885  * if available.
886  *
887  * \return  the implementation, or 0.
888  */
889 br_rsa_public br_rsa_i62_public_get(void);
890 
891 /**
892  * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature verification),
893  * if available.
894  *
895  * \return  the implementation, or 0.
896  */
897 br_rsa_pkcs1_vrfy br_rsa_i62_pkcs1_vrfy_get(void);
898 
899 /**
900  * \brief Get the RSA "i62" implementation (PSS signature verification),
901  * if available.
902  *
903  * \return  the implementation, or 0.
904  */
905 br_rsa_pss_vrfy br_rsa_i62_pss_vrfy_get(void);
906 
907 /**
908  * \brief Get the RSA "i62" implementation (private key operations),
909  * if available.
910  *
911  * \return  the implementation, or 0.
912  */
913 br_rsa_private br_rsa_i62_private_get(void);
914 
915 /**
916  * \brief Get the RSA "i62" implementation (PKCS#1 v1.5 signature generation),
917  * if available.
918  *
919  * \return  the implementation, or 0.
920  */
921 br_rsa_pkcs1_sign br_rsa_i62_pkcs1_sign_get(void);
922 
923 /**
924  * \brief Get the RSA "i62" implementation (PSS signature generation),
925  * if available.
926  *
927  * \return  the implementation, or 0.
928  */
929 br_rsa_pss_sign br_rsa_i62_pss_sign_get(void);
930 
931 /**
932  * \brief Get the RSA "i62" implementation (OAEP encryption),
933  * if available.
934  *
935  * \return  the implementation, or 0.
936  */
937 br_rsa_oaep_encrypt br_rsa_i62_oaep_encrypt_get(void);
938 
939 /**
940  * \brief Get the RSA "i62" implementation (OAEP decryption),
941  * if available.
942  *
943  * \return  the implementation, or 0.
944  */
945 br_rsa_oaep_decrypt br_rsa_i62_oaep_decrypt_get(void);
946 
947 /*
948  * RSA "i15" engine. Integers are represented as 15-bit integers, so
949  * the code uses only 32-bit multiplication (no 64-bit result), which
950  * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
951  */
952 
953 /**
954  * \brief RSA public key engine "i15".
955  *
956  * \see br_rsa_public
957  *
958  * \param x      operand to exponentiate.
959  * \param xlen   length of the operand (in bytes).
960  * \param pk     RSA public key.
961  * \return  1 on success, 0 on error.
962  */
963 uint32_t br_rsa_i15_public(unsigned char *x, size_t xlen,
964 	const br_rsa_public_key *pk);
965 
966 /**
967  * \brief RSA signature verification engine "i15" (PKCS#1 v1.5 signatures).
968  *
969  * \see br_rsa_pkcs1_vrfy
970  *
971  * \param x          signature buffer.
972  * \param xlen       signature length (in bytes).
973  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
974  * \param hash_len   expected hash value length (in bytes).
975  * \param pk         RSA public key.
976  * \param hash_out   output buffer for the hash value.
977  * \return  1 on success, 0 on error.
978  */
979 uint32_t br_rsa_i15_pkcs1_vrfy(const unsigned char *x, size_t xlen,
980 	const unsigned char *hash_oid, size_t hash_len,
981 	const br_rsa_public_key *pk, unsigned char *hash_out);
982 
983 /**
984  * \brief RSA signature verification engine "i15" (PSS signatures).
985  *
986  * \see br_rsa_pss_vrfy
987  *
988  * \param x          signature buffer.
989  * \param xlen       signature length (in bytes).
990  * \param hf_data    hash function applied on the message.
991  * \param hf_mgf1    hash function to use with MGF1.
992  * \param hash       hash value of the signed message.
993  * \param salt_len   PSS salt length (in bytes).
994  * \param pk         RSA public key.
995  * \return  1 on success, 0 on error.
996  */
997 uint32_t br_rsa_i15_pss_vrfy(const unsigned char *x, size_t xlen,
998 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
999 	const void *hash, size_t salt_len, const br_rsa_public_key *pk);
1000 
1001 /**
1002  * \brief RSA private key engine "i15".
1003  *
1004  * \see br_rsa_private
1005  *
1006  * \param x    operand to exponentiate.
1007  * \param sk   RSA private key.
1008  * \return  1 on success, 0 on error.
1009  */
1010 uint32_t br_rsa_i15_private(unsigned char *x,
1011 	const br_rsa_private_key *sk);
1012 
1013 /**
1014  * \brief RSA signature generation engine "i15" (PKCS#1 v1.5 signatures).
1015  *
1016  * \see br_rsa_pkcs1_sign
1017  *
1018  * \param hash_oid   encoded hash algorithm OID (or `NULL`).
1019  * \param hash       hash value.
1020  * \param hash_len   hash value length (in bytes).
1021  * \param sk         RSA private key.
1022  * \param x          output buffer for the hash value.
1023  * \return  1 on success, 0 on error.
1024  */
1025 uint32_t br_rsa_i15_pkcs1_sign(const unsigned char *hash_oid,
1026 	const unsigned char *hash, size_t hash_len,
1027 	const br_rsa_private_key *sk, unsigned char *x);
1028 
1029 /**
1030  * \brief RSA signature generation engine "i15" (PSS signatures).
1031  *
1032  * \see br_rsa_pss_sign
1033  *
1034  * \param rng        PRNG for salt generation (`NULL` if `salt_len` is zero).
1035  * \param hf_data    hash function used to hash the signed data.
1036  * \param hf_mgf1    hash function to use with MGF1.
1037  * \param hash       hashed message.
1038  * \param salt_len   salt length (in bytes).
1039  * \param sk         RSA private key.
1040  * \param x          output buffer for the signature value.
1041  * \return  1 on success, 0 on error.
1042  */
1043 uint32_t br_rsa_i15_pss_sign(const br_prng_class **rng,
1044 	const br_hash_class *hf_data, const br_hash_class *hf_mgf1,
1045 	const unsigned char *hash_value, size_t salt_len,
1046 	const br_rsa_private_key *sk, unsigned char *x);
1047 
1048 /**
1049  * \brief Get "default" RSA implementation (public-key operations).
1050  *
1051  * This returns the preferred implementation of RSA (public-key operations)
1052  * on the current system.
1053  *
1054  * \return  the default implementation.
1055  */
1056 br_rsa_public br_rsa_public_get_default(void);
1057 
1058 /**
1059  * \brief Get "default" RSA implementation (private-key operations).
1060  *
1061  * This returns the preferred implementation of RSA (private-key operations)
1062  * on the current system.
1063  *
1064  * \return  the default implementation.
1065  */
1066 br_rsa_private br_rsa_private_get_default(void);
1067 
1068 /**
1069  * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature verification).
1070  *
1071  * This returns the preferred implementation of RSA (signature verification)
1072  * on the current system.
1073  *
1074  * \return  the default implementation.
1075  */
1076 br_rsa_pkcs1_vrfy br_rsa_pkcs1_vrfy_get_default(void);
1077 
1078 /**
1079  * \brief Get "default" RSA implementation (PSS signature verification).
1080  *
1081  * This returns the preferred implementation of RSA (signature verification)
1082  * on the current system.
1083  *
1084  * \return  the default implementation.
1085  */
1086 br_rsa_pss_vrfy br_rsa_pss_vrfy_get_default(void);
1087 
1088 /**
1089  * \brief Get "default" RSA implementation (PKCS#1 v1.5 signature generation).
1090  *
1091  * This returns the preferred implementation of RSA (signature generation)
1092  * on the current system.
1093  *
1094  * \return  the default implementation.
1095  */
1096 br_rsa_pkcs1_sign br_rsa_pkcs1_sign_get_default(void);
1097 
1098 /**
1099  * \brief Get "default" RSA implementation (PSS signature generation).
1100  *
1101  * This returns the preferred implementation of RSA (signature generation)
1102  * on the current system.
1103  *
1104  * \return  the default implementation.
1105  */
1106 br_rsa_pss_sign br_rsa_pss_sign_get_default(void);
1107 
1108 /**
1109  * \brief Get "default" RSA implementation (OAEP encryption).
1110  *
1111  * This returns the preferred implementation of RSA (OAEP encryption)
1112  * on the current system.
1113  *
1114  * \return  the default implementation.
1115  */
1116 br_rsa_oaep_encrypt br_rsa_oaep_encrypt_get_default(void);
1117 
1118 /**
1119  * \brief Get "default" RSA implementation (OAEP decryption).
1120  *
1121  * This returns the preferred implementation of RSA (OAEP decryption)
1122  * on the current system.
1123  *
1124  * \return  the default implementation.
1125  */
1126 br_rsa_oaep_decrypt br_rsa_oaep_decrypt_get_default(void);
1127 
1128 /**
1129  * \brief RSA decryption helper, for SSL/TLS.
1130  *
1131  * This function performs the RSA decryption for a RSA-based key exchange
1132  * in a SSL/TLS server. The provided RSA engine is used. The `data`
1133  * parameter points to the value to decrypt, of length `len` bytes. On
1134  * success, the 48-byte pre-master secret is copied into `data`, starting
1135  * at the first byte of that buffer; on error, the contents of `data`
1136  * become indeterminate.
1137  *
1138  * This function first checks that the provided value length (`len`) is
1139  * not lower than 59 bytes, and matches the RSA modulus length; if neither
1140  * of this property is met, then this function returns 0 and the buffer
1141  * is unmodified.
1142  *
1143  * Otherwise, decryption and then padding verification are performed, both
1144  * in constant-time. A decryption error, or a bad padding, or an
1145  * incorrect decrypted value length are reported with a returned value of
1146  * 0; on success, 1 is returned. The caller (SSL server engine) is supposed
1147  * to proceed with a random pre-master secret in case of error.
1148  *
1149  * \param core   RSA private key engine.
1150  * \param sk     RSA private key.
1151  * \param data   input/output buffer.
1152  * \param len    length (in bytes) of the data to decrypt.
1153  * \return  1 on success, 0 on error.
1154  */
1155 uint32_t br_rsa_ssl_decrypt(br_rsa_private core, const br_rsa_private_key *sk,
1156 	unsigned char *data, size_t len);
1157 
1158 /**
1159  * \brief RSA encryption (OAEP) with the "i15" engine.
1160  *
1161  * \see br_rsa_oaep_encrypt
1162  *
1163  * \param rnd           source of random bytes.
1164  * \param dig           hash function to use with MGF1.
1165  * \param label         label value (may be `NULL` if `label_len` is zero).
1166  * \param label_len     label length, in bytes.
1167  * \param pk            RSA public key.
1168  * \param dst           destination buffer.
1169  * \param dst_max_len   destination buffer length (maximum encrypted data size).
1170  * \param src           message to encrypt.
1171  * \param src_len       source message length (in bytes).
1172  * \return  encrypted message length (in bytes), or 0 on error.
1173  */
1174 size_t br_rsa_i15_oaep_encrypt(
1175 	const br_prng_class **rnd, const br_hash_class *dig,
1176 	const void *label, size_t label_len,
1177 	const br_rsa_public_key *pk,
1178 	void *dst, size_t dst_max_len,
1179 	const void *src, size_t src_len);
1180 
1181 /**
1182  * \brief RSA decryption (OAEP) with the "i15" engine.
1183  *
1184  * \see br_rsa_oaep_decrypt
1185  *
1186  * \param dig         hash function to use with MGF1.
1187  * \param label       label value (may be `NULL` if `label_len` is zero).
1188  * \param label_len   label length, in bytes.
1189  * \param sk          RSA private key.
1190  * \param data        input/output buffer.
1191  * \param len         encrypted/decrypted message length.
1192  * \return  1 on success, 0 on error.
1193  */
1194 uint32_t br_rsa_i15_oaep_decrypt(
1195 	const br_hash_class *dig, const void *label, size_t label_len,
1196 	const br_rsa_private_key *sk, void *data, size_t *len);
1197 
1198 /**
1199  * \brief RSA encryption (OAEP) with the "i31" engine.
1200  *
1201  * \see br_rsa_oaep_encrypt
1202  *
1203  * \param rnd           source of random bytes.
1204  * \param dig           hash function to use with MGF1.
1205  * \param label         label value (may be `NULL` if `label_len` is zero).
1206  * \param label_len     label length, in bytes.
1207  * \param pk            RSA public key.
1208  * \param dst           destination buffer.
1209  * \param dst_max_len   destination buffer length (maximum encrypted data size).
1210  * \param src           message to encrypt.
1211  * \param src_len       source message length (in bytes).
1212  * \return  encrypted message length (in bytes), or 0 on error.
1213  */
1214 size_t br_rsa_i31_oaep_encrypt(
1215 	const br_prng_class **rnd, const br_hash_class *dig,
1216 	const void *label, size_t label_len,
1217 	const br_rsa_public_key *pk,
1218 	void *dst, size_t dst_max_len,
1219 	const void *src, size_t src_len);
1220 
1221 /**
1222  * \brief RSA decryption (OAEP) with the "i31" engine.
1223  *
1224  * \see br_rsa_oaep_decrypt
1225  *
1226  * \param dig         hash function to use with MGF1.
1227  * \param label       label value (may be `NULL` if `label_len` is zero).
1228  * \param label_len   label length, in bytes.
1229  * \param sk          RSA private key.
1230  * \param data        input/output buffer.
1231  * \param len         encrypted/decrypted message length.
1232  * \return  1 on success, 0 on error.
1233  */
1234 uint32_t br_rsa_i31_oaep_decrypt(
1235 	const br_hash_class *dig, const void *label, size_t label_len,
1236 	const br_rsa_private_key *sk, void *data, size_t *len);
1237 
1238 /**
1239  * \brief RSA encryption (OAEP) with the "i32" engine.
1240  *
1241  * \see br_rsa_oaep_encrypt
1242  *
1243  * \param rnd           source of random bytes.
1244  * \param dig           hash function to use with MGF1.
1245  * \param label         label value (may be `NULL` if `label_len` is zero).
1246  * \param label_len     label length, in bytes.
1247  * \param pk            RSA public key.
1248  * \param dst           destination buffer.
1249  * \param dst_max_len   destination buffer length (maximum encrypted data size).
1250  * \param src           message to encrypt.
1251  * \param src_len       source message length (in bytes).
1252  * \return  encrypted message length (in bytes), or 0 on error.
1253  */
1254 size_t br_rsa_i32_oaep_encrypt(
1255 	const br_prng_class **rnd, const br_hash_class *dig,
1256 	const void *label, size_t label_len,
1257 	const br_rsa_public_key *pk,
1258 	void *dst, size_t dst_max_len,
1259 	const void *src, size_t src_len);
1260 
1261 /**
1262  * \brief RSA decryption (OAEP) with the "i32" engine.
1263  *
1264  * \see br_rsa_oaep_decrypt
1265  *
1266  * \param dig         hash function to use with MGF1.
1267  * \param label       label value (may be `NULL` if `label_len` is zero).
1268  * \param label_len   label length, in bytes.
1269  * \param sk          RSA private key.
1270  * \param data        input/output buffer.
1271  * \param len         encrypted/decrypted message length.
1272  * \return  1 on success, 0 on error.
1273  */
1274 uint32_t br_rsa_i32_oaep_decrypt(
1275 	const br_hash_class *dig, const void *label, size_t label_len,
1276 	const br_rsa_private_key *sk, void *data, size_t *len);
1277 
1278 /**
1279  * \brief RSA encryption (OAEP) with the "i62" engine.
1280  *
1281  * This function is defined only on architecture that offer a 64x64->128
1282  * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer
1283  * to that function.
1284  *
1285  * \see br_rsa_oaep_encrypt
1286  *
1287  * \param rnd           source of random bytes.
1288  * \param dig           hash function to use with MGF1.
1289  * \param label         label value (may be `NULL` if `label_len` is zero).
1290  * \param label_len     label length, in bytes.
1291  * \param pk            RSA public key.
1292  * \param dst           destination buffer.
1293  * \param dst_max_len   destination buffer length (maximum encrypted data size).
1294  * \param src           message to encrypt.
1295  * \param src_len       source message length (in bytes).
1296  * \return  encrypted message length (in bytes), or 0 on error.
1297  */
1298 size_t br_rsa_i62_oaep_encrypt(
1299 	const br_prng_class **rnd, const br_hash_class *dig,
1300 	const void *label, size_t label_len,
1301 	const br_rsa_public_key *pk,
1302 	void *dst, size_t dst_max_len,
1303 	const void *src, size_t src_len);
1304 
1305 /**
1306  * \brief RSA decryption (OAEP) with the "i62" engine.
1307  *
1308  * This function is defined only on architecture that offer a 64x64->128
1309  * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer
1310  * to that function.
1311  *
1312  * \see br_rsa_oaep_decrypt
1313  *
1314  * \param dig         hash function to use with MGF1.
1315  * \param label       label value (may be `NULL` if `label_len` is zero).
1316  * \param label_len   label length, in bytes.
1317  * \param sk          RSA private key.
1318  * \param data        input/output buffer.
1319  * \param len         encrypted/decrypted message length.
1320  * \return  1 on success, 0 on error.
1321  */
1322 uint32_t br_rsa_i62_oaep_decrypt(
1323 	const br_hash_class *dig, const void *label, size_t label_len,
1324 	const br_rsa_private_key *sk, void *data, size_t *len);
1325 
1326 /**
1327  * \brief Get buffer size to hold RSA private key elements.
1328  *
1329  * This macro returns the length (in bytes) of the buffer needed to
1330  * receive the elements of a RSA private key, as generated by one of
1331  * the `br_rsa_*_keygen()` functions. If the provided size is a constant
1332  * expression, then the whole macro evaluates to a constant expression.
1333  *
1334  * \param size   target key size (modulus size, in bits)
1335  * \return  the length of the private key buffer, in bytes.
1336  */
1337 #define BR_RSA_KBUF_PRIV_SIZE(size)    (5 * (((size) + 15) >> 4))
1338 
1339 /**
1340  * \brief Get buffer size to hold RSA public key elements.
1341  *
1342  * This macro returns the length (in bytes) of the buffer needed to
1343  * receive the elements of a RSA public key, as generated by one of
1344  * the `br_rsa_*_keygen()` functions. If the provided size is a constant
1345  * expression, then the whole macro evaluates to a constant expression.
1346  *
1347  * \param size   target key size (modulus size, in bits)
1348  * \return  the length of the public key buffer, in bytes.
1349  */
1350 #define BR_RSA_KBUF_PUB_SIZE(size)     (4 + (((size) + 7) >> 3))
1351 
1352 /**
1353  * \brief Type for RSA key pair generator implementation.
1354  *
1355  * This function generates a new RSA key pair whose modulus has bit
1356  * length `size` bits. The private key elements are written in the
1357  * `kbuf_priv` buffer, and pointer values and length fields to these
1358  * elements are populated in the provided private key structure `sk`.
1359  * Similarly, the public key elements are written in `kbuf_pub`, with
1360  * pointers and lengths set in `pk`.
1361  *
1362  * If `pk` is `NULL`, then `kbuf_pub` may be `NULL`, and only the
1363  * private key is set.
1364  *
1365  * If `pubexp` is not zero, then its value will be used as public
1366  * exponent. Valid RSA public exponent values are odd integers
1367  * greater than 1. If `pubexp` is zero, then the public exponent will
1368  * have value 3.
1369  *
1370  * The provided PRNG (`rng_ctx`) must have already been initialized
1371  * and seeded.
1372  *
1373  * Returned value is 1 on success, 0 on error. An error is reported
1374  * if the requested range is outside of the supported key sizes, or
1375  * if an invalid non-zero public exponent value is provided. Supported
1376  * range starts at 512 bits, and up to an implementation-defined
1377  * maximum (by default 4096 bits). Note that key sizes up to 768 bits
1378  * have been broken in practice, and sizes lower than 2048 bits are
1379  * usually considered to be weak and should not be used.
1380  *
1381  * \param rng_ctx     source PRNG context (already initialized)
1382  * \param sk          RSA private key structure (destination)
1383  * \param kbuf_priv   buffer for private key elements
1384  * \param pk          RSA public key structure (destination), or `NULL`
1385  * \param kbuf_pub    buffer for public key elements, or `NULL`
1386  * \param size        target RSA modulus size (in bits)
1387  * \param pubexp      public exponent to use, or zero
1388  * \return  1 on success, 0 on error (invalid parameters)
1389  */
1390 typedef uint32_t (*br_rsa_keygen)(
1391 	const br_prng_class **rng_ctx,
1392 	br_rsa_private_key *sk, void *kbuf_priv,
1393 	br_rsa_public_key *pk, void *kbuf_pub,
1394 	unsigned size, uint32_t pubexp);
1395 
1396 /**
1397  * \brief RSA key pair generation with the "i15" engine.
1398  *
1399  * \see br_rsa_keygen
1400  *
1401  * \param rng_ctx     source PRNG context (already initialized)
1402  * \param sk          RSA private key structure (destination)
1403  * \param kbuf_priv   buffer for private key elements
1404  * \param pk          RSA public key structure (destination), or `NULL`
1405  * \param kbuf_pub    buffer for public key elements, or `NULL`
1406  * \param size        target RSA modulus size (in bits)
1407  * \param pubexp      public exponent to use, or zero
1408  * \return  1 on success, 0 on error (invalid parameters)
1409  */
1410 uint32_t br_rsa_i15_keygen(
1411 	const br_prng_class **rng_ctx,
1412 	br_rsa_private_key *sk, void *kbuf_priv,
1413 	br_rsa_public_key *pk, void *kbuf_pub,
1414 	unsigned size, uint32_t pubexp);
1415 
1416 /**
1417  * \brief RSA key pair generation with the "i31" engine.
1418  *
1419  * \see br_rsa_keygen
1420  *
1421  * \param rng_ctx     source PRNG context (already initialized)
1422  * \param sk          RSA private key structure (destination)
1423  * \param kbuf_priv   buffer for private key elements
1424  * \param pk          RSA public key structure (destination), or `NULL`
1425  * \param kbuf_pub    buffer for public key elements, or `NULL`
1426  * \param size        target RSA modulus size (in bits)
1427  * \param pubexp      public exponent to use, or zero
1428  * \return  1 on success, 0 on error (invalid parameters)
1429  */
1430 uint32_t br_rsa_i31_keygen(
1431 	const br_prng_class **rng_ctx,
1432 	br_rsa_private_key *sk, void *kbuf_priv,
1433 	br_rsa_public_key *pk, void *kbuf_pub,
1434 	unsigned size, uint32_t pubexp);
1435 
1436 /**
1437  * \brief RSA key pair generation with the "i62" engine.
1438  *
1439  * This function is defined only on architecture that offer a 64x64->128
1440  * opcode. Use `br_rsa_i62_keygen_get()` to dynamically obtain a pointer
1441  * to that function.
1442  *
1443  * \see br_rsa_keygen
1444  *
1445  * \param rng_ctx     source PRNG context (already initialized)
1446  * \param sk          RSA private key structure (destination)
1447  * \param kbuf_priv   buffer for private key elements
1448  * \param pk          RSA public key structure (destination), or `NULL`
1449  * \param kbuf_pub    buffer for public key elements, or `NULL`
1450  * \param size        target RSA modulus size (in bits)
1451  * \param pubexp      public exponent to use, or zero
1452  * \return  1 on success, 0 on error (invalid parameters)
1453  */
1454 uint32_t br_rsa_i62_keygen(
1455 	const br_prng_class **rng_ctx,
1456 	br_rsa_private_key *sk, void *kbuf_priv,
1457 	br_rsa_public_key *pk, void *kbuf_pub,
1458 	unsigned size, uint32_t pubexp);
1459 
1460 /**
1461  * \brief Get the RSA "i62" implementation (key pair generation),
1462  * if available.
1463  *
1464  * \return  the implementation, or 0.
1465  */
1466 br_rsa_keygen br_rsa_i62_keygen_get(void);
1467 
1468 /**
1469  * \brief Get "default" RSA implementation (key pair generation).
1470  *
1471  * This returns the preferred implementation of RSA (key pair generation)
1472  * on the current system.
1473  *
1474  * \return  the default implementation.
1475  */
1476 br_rsa_keygen br_rsa_keygen_get_default(void);
1477 
1478 /**
1479  * \brief Type for a modulus computing function.
1480  *
1481  * Such a function computes the public modulus from the private key. The
1482  * encoded modulus (unsigned big-endian) is written on `n`, and the size
1483  * (in bytes) is returned. If `n` is `NULL`, then the size is returned but
1484  * the modulus itself is not computed.
1485  *
1486  * If the key size exceeds an internal limit, 0 is returned.
1487  *
1488  * \param n    destination buffer (or `NULL`).
1489  * \param sk   RSA private key.
1490  * \return  the modulus length (in bytes), or 0.
1491  */
1492 typedef size_t (*br_rsa_compute_modulus)(void *n, const br_rsa_private_key *sk);
1493 
1494 /**
1495  * \brief Recompute RSA modulus ("i15" engine).
1496  *
1497  * \see br_rsa_compute_modulus
1498  *
1499  * \param n    destination buffer (or `NULL`).
1500  * \param sk   RSA private key.
1501  * \return  the modulus length (in bytes), or 0.
1502  */
1503 size_t br_rsa_i15_compute_modulus(void *n, const br_rsa_private_key *sk);
1504 
1505 /**
1506  * \brief Recompute RSA modulus ("i31" engine).
1507  *
1508  * \see br_rsa_compute_modulus
1509  *
1510  * \param n    destination buffer (or `NULL`).
1511  * \param sk   RSA private key.
1512  * \return  the modulus length (in bytes), or 0.
1513  */
1514 size_t br_rsa_i31_compute_modulus(void *n, const br_rsa_private_key *sk);
1515 
1516 /**
1517  * \brief Get "default" RSA implementation (recompute modulus).
1518  *
1519  * This returns the preferred implementation of RSA (recompute modulus)
1520  * on the current system.
1521  *
1522  * \return  the default implementation.
1523  */
1524 br_rsa_compute_modulus br_rsa_compute_modulus_get_default(void);
1525 
1526 /**
1527  * \brief Type for a public exponent computing function.
1528  *
1529  * Such a function recomputes the public exponent from the private key.
1530  * 0 is returned if any of the following occurs:
1531  *
1532  *   - Either `p` or `q` is not equal to 3 modulo 4.
1533  *
1534  *   - The public exponent does not fit on 32 bits.
1535  *
1536  *   - An internal limit is exceeded.
1537  *
1538  *   - The private key is invalid in some way.
1539  *
1540  * For all private keys produced by the key generator functions
1541  * (`br_rsa_keygen` type), this function succeeds and returns the true
1542  * public exponent. The public exponent is always an odd integer greater
1543  * than 1.
1544  *
1545  * \return  the public exponent, or 0.
1546  */
1547 typedef uint32_t (*br_rsa_compute_pubexp)(const br_rsa_private_key *sk);
1548 
1549 /**
1550  * \brief Recompute RSA public exponent ("i15" engine).
1551  *
1552  * \see br_rsa_compute_pubexp
1553  *
1554  * \return  the public exponent, or 0.
1555  */
1556 uint32_t br_rsa_i15_compute_pubexp(const br_rsa_private_key *sk);
1557 
1558 /**
1559  * \brief Recompute RSA public exponent ("i31" engine).
1560  *
1561  * \see br_rsa_compute_pubexp
1562  *
1563  * \return  the public exponent, or 0.
1564  */
1565 uint32_t br_rsa_i31_compute_pubexp(const br_rsa_private_key *sk);
1566 
1567 /**
1568  * \brief Get "default" RSA implementation (recompute public exponent).
1569  *
1570  * This returns the preferred implementation of RSA (recompute public
1571  * exponent) on the current system.
1572  *
1573  * \return  the default implementation.
1574  */
1575 br_rsa_compute_pubexp br_rsa_compute_pubexp_get_default(void);
1576 
1577 /**
1578  * \brief Type for a private exponent computing function.
1579  *
1580  * An RSA private key (`br_rsa_private_key`) contains two reduced
1581  * private exponents, which are sufficient to perform private key
1582  * operations. However, standard encoding formats for RSA private keys
1583  * require also a copy of the complete private exponent (non-reduced),
1584  * which this function recomputes.
1585  *
1586  * This function suceeds if all the following conditions hold:
1587  *
1588  *   - Both private factors `p` and `q` are equal to 3 modulo 4.
1589  *
1590  *   - The provided public exponent `pubexp` is correct, and, in particular,
1591  *     is odd, relatively prime to `p-1` and `q-1`, and greater than 1.
1592  *
1593  *   - No internal storage limit is exceeded.
1594  *
1595  * For all private keys produced by the key generator functions
1596  * (`br_rsa_keygen` type), this function succeeds. Note that the API
1597  * restricts the public exponent to a maximum size of 32 bits.
1598  *
1599  * The encoded private exponent is written in `d` (unsigned big-endian
1600  * convention), and the length (in bytes) is returned. If `d` is `NULL`,
1601  * then the exponent is not written anywhere, but the length is still
1602  * returned. On error, 0 is returned.
1603  *
1604  * Not all error conditions are detected when `d` is `NULL`; therefore, the
1605  * returned value shall be checked also when actually producing the value.
1606  *
1607  * \param d        destination buffer (or `NULL`).
1608  * \param sk       RSA private key.
1609  * \param pubexp   the public exponent.
1610  * \return  the private exponent length (in bytes), or 0.
1611  */
1612 typedef size_t (*br_rsa_compute_privexp)(void *d,
1613 	const br_rsa_private_key *sk, uint32_t pubexp);
1614 
1615 /**
1616  * \brief Recompute RSA private exponent ("i15" engine).
1617  *
1618  * \see br_rsa_compute_privexp
1619  *
1620  * \param d        destination buffer (or `NULL`).
1621  * \param sk       RSA private key.
1622  * \param pubexp   the public exponent.
1623  * \return  the private exponent length (in bytes), or 0.
1624  */
1625 size_t br_rsa_i15_compute_privexp(void *d,
1626 	const br_rsa_private_key *sk, uint32_t pubexp);
1627 
1628 /**
1629  * \brief Recompute RSA private exponent ("i31" engine).
1630  *
1631  * \see br_rsa_compute_privexp
1632  *
1633  * \param d        destination buffer (or `NULL`).
1634  * \param sk       RSA private key.
1635  * \param pubexp   the public exponent.
1636  * \return  the private exponent length (in bytes), or 0.
1637  */
1638 size_t br_rsa_i31_compute_privexp(void *d,
1639 	const br_rsa_private_key *sk, uint32_t pubexp);
1640 
1641 /**
1642  * \brief Get "default" RSA implementation (recompute private exponent).
1643  *
1644  * This returns the preferred implementation of RSA (recompute private
1645  * exponent) on the current system.
1646  *
1647  * \return  the default implementation.
1648  */
1649 br_rsa_compute_privexp br_rsa_compute_privexp_get_default(void);
1650 
1651 #ifdef __cplusplus
1652 }
1653 #endif
1654 
1655 #endif
1656