/*
 *  Copyright (C) 2021 - This file is part of libecc project
 *
 *  Authors:
 *      Ryad BENADJILA <ryadbenadjila@gmail.com>
 *      Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr>
 *
 *  This software is licensed under a dual BSD and GPL v2 license.
 *  See LICENSE file at the root folder of the project.
 */
#ifndef __RSA_H__
#define __RSA_H__

/*
 * NOTE: although we only need libarith for RSA as we
 * manipulate a ring of integers, we include libsig for
 * the hash algorithms.
 */
#include <libecc/lib_ecc_config.h>

/* The hash algorithms wrapper */
#include "../../hash/hash.h"

/* We define hereafter the types and functions for RSA.
 * The notations are taken from RFC 8017 and should be compliant
 * with it.
 */

/* RSA public key, composed of:
 *       n        the RSA modulus, a positive integer
 *       e        the RSA public exponent, a positive integer
 */
typedef struct {
	nn n;
	nn e;
} rsa_pub_key;

/* RSA private key, composed of:
 *       n       the RSA modulus, a positive integer
 *       d       the RSA private exponent, a positive integer
 *       p       (OPTIONAL) the first factor, a positive integer
 *       q       (OPTIONAL) the second factor, a positive integer
 *
 * OR when using CRT:
 *       p      the first factor, a positive integer
 *       q      the second factor, a positive integer
 *       dP     the first factor's CRT exponent, a positive integer
 *       dQ     the second factor's CRT exponent, a positive integer
 *       qInv   the (first) CRT coefficient, a positive integer
 *       r_i    the i-th factor, a positive integer
 *       d_i    the i-th factor's CRT exponent, a positive integer
 *       t_i    the i-th factor's CRT coefficient, a positive integer
 * u is the number of (r_i, d_i, t_i) triplets.
 */
/*
 * Tag stored in rsa_priv_key.type. Its three values parallel the three
 * members of the rsa_priv_key.key union (s, s_pq, crt). The union members
 * share storage, so code reading a key has to look at the tag before it
 * touches a member.
 */
typedef enum {
	RSA_SIMPLE = 0,
	RSA_SIMPLE_PQ = 1,
	RSA_CRT = 2,
} rsa_priv_key_type;

/*** RSA "simple" private key ***/
typedef struct {
	nn n;
	nn d;
} rsa_priv_key_simple;

/*** RSA "simple" private key with optional p and q ***/
typedef struct {
	nn n;
	nn d;
	nn p;
	nn q;
} rsa_priv_key_simple_pq;

/*** RSA CRT private key *******/
/* One additional (r_i, d_i, t_i) triplet, in the notation used above. */
typedef struct {
	nn r;
	nn d;
	nn t;
} rsa_priv_key_crt_coeffs;

/* A maximum of 5 triplets are allowed in our implementation */
#define MAX_CRT_COEFFS 5
/*
 * CRT form of the private key. coeffs[] has exactly MAX_CRT_COEFFS slots and
 * u says how many of them are in use, so u has to stay <= MAX_CRT_COEFFS
 * wherever it bounds an access to coeffs[].
 * NOTE(review): confirm that rsa_import_crt_priv_key() rejects a larger u.
 */
typedef struct {
	nn p;
	nn q;
	nn dP;
	nn dQ;
	nn qInv;
	/* u is the number of additional CRT (r, d, t) triplets */
	u8 u;
	rsa_priv_key_crt_coeffs coeffs[MAX_CRT_COEFFS];
} rsa_priv_key_crt;

/*
 * Private key container: a type tag plus a union holding one of the three
 * representations. Apart from the modulus n, every field reachable through
 * the union (d, p, q, dP, dQ, qInv and the extra triplets) is secret key
 * material in RSA terms.
 * NOTE(review): this header declares no function that wipes a key; check
 * how callers are expected to clear an rsa_priv_key after use.
 */
typedef struct {
	rsa_priv_key_type type;
	union {
		rsa_priv_key_simple s;
		rsa_priv_key_simple_pq s_pq;
		rsa_priv_key_crt crt;
	} key;
} rsa_priv_key;

/*
 * Every function declared here returns int and carries
 * ATTRIBUTE_WARN_UNUSED_RET (defined outside this header; by its name it
 * turns an ignored result into a compiler warning), so callers are expected
 * to test the result.
 * NOTE(review): presumably 0 means success and non-zero failure - confirm in
 * the implementation file.
 */

/*
 * Conversions between a big number and a byte buffer of buflen bytes, named
 * after the I2OSP / OS2IP primitives of RFC 8017.
 *   rsa_i2osp: x is the input integer, buf the output buffer.
 *   rsa_os2ip: buf is the input buffer, x the output integer.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsa_i2osp(nn_src_t x, u8 *buf, u32 buflen);
ATTRIBUTE_WARN_UNUSED_RET int rsa_os2ip(nn_t x, const u8 *buf, u32 buflen);

/*
 * Key import from byte buffers. Each component is passed as a (pointer,
 * u16 length) pair, the result is written to pub / priv.
 * NOTE(review): p and q are documented as OPTIONAL for the simple private
 * key; presumably NULL is accepted for them - confirm.
 * NOTE(review): for the CRT import, u is the number of extra triplets; the
 * exact layout expected in coeffs / coeffslens (presumably 3 * u entries) is
 * not visible in this header - confirm, together with the check of u against
 * MAX_CRT_COEFFS.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsa_import_pub_key(rsa_pub_key *pub, const u8 *n,
						 u16 nlen, const u8 *e, u16 elen);
ATTRIBUTE_WARN_UNUSED_RET int rsa_import_simple_priv_key(rsa_priv_key *priv,
						 const u8 *n, u16 nlen, const u8 *d,
						 u16 dlen, const u8 *p, u16 plen, const u8 *q, u16 qlen);
ATTRIBUTE_WARN_UNUSED_RET int rsa_import_crt_priv_key(rsa_priv_key *priv,
						 const u8 *p, u16 plen,
						 const u8 *q, u16 qlen,
						 const u8 *dP, u16 dPlen,
						 const u8 *dQ, u16 dQlen,
						 const u8 *qInv, u16 qInvlen,
						 const u8 **coeffs, u16 *coeffslens, u8 u);

/*
 * Encryption / decryption primitives on integers, named after RSAEP and
 * RSADP of RFC 8017: m is the message representative, c the ciphertext
 * representative. These work on big numbers directly; no message encoding
 * appears in their signatures.
 * The _hardened variant takes the public key in addition to the private one.
 * NOTE(review): what the public key is used for there is not visible in this
 * header - confirm in the implementation before relying on it.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsaep(const rsa_pub_key *pub, nn_src_t m, nn_t c);
ATTRIBUTE_WARN_UNUSED_RET int rsadp(const rsa_priv_key *priv, nn_src_t c, nn_t m);
ATTRIBUTE_WARN_UNUSED_RET int rsadp_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub, nn_src_t c, nn_t m);

/*
 * Signature / verification primitives on integers, named after RSASP1 and
 * RSAVP1 of RFC 8017: m is the message representative, s the signature
 * representative. Same remark as above for the _hardened variant.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsasp1(const rsa_priv_key *priv, nn_src_t m, nn_t s);
ATTRIBUTE_WARN_UNUSED_RET int rsasp1_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub, nn_src_t m, nn_t s);
ATTRIBUTE_WARN_UNUSED_RET int rsavp1(const rsa_pub_key *pub, nn_src_t s, nn_t m);

/*
 * EMSA-PKCS1-v1_5 encoding (name per RFC 8017) of the mlen-byte message m
 * into the emlen-byte buffer em, with the hash selected by rsa_hash_type.
 */
ATTRIBUTE_WARN_UNUSED_RET int emsa_pkcs1_v1_5_encode(const u8 *m, u32 mlen, u8 *em, u16 emlen,
						 gen_hash_alg_type rsa_hash_type);

/*
 * EMSA-PSS encoding and verification (names per RFC 8017). embits is the
 * size in bits of the encoded message, rsa_hash_type and mgf_hash_type
 * select the message hash and the hash used by the mask generation function.
 * NOTE(review): eminlen presumably carries the size of em in and the encoded
 * length out - confirm.
 * NOTE(review): forced_salt is, by name, a caller-imposed salt; presumably
 * it exists for known-answer tests and NULL asks for a random salt -
 * confirm, and keep it NULL outside tests if so.
 * NOTE(review): the last parameter of emsa_pss_verify is named slen but
 * presumably is the salt length (saltlen in emsa_pss_encode), not a
 * signature length as slen is in the rsassa_* functions.
 */
ATTRIBUTE_WARN_UNUSED_RET int emsa_pss_encode(const u8 *m, u32 mlen, u8 *em, u32 embits,
					      u16 *eminlen,
					      gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type,
					      u32 saltlen, const u8 *forced_salt);
ATTRIBUTE_WARN_UNUSED_RET int emsa_pss_verify(const u8 *m, u32 mlen, const u8 *em,
					      u32 embits, u16 emlen,
					      gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type,
					      u32 slen);

/*
 * RSAES-PKCS1-v1_5 encryption and decryption (scheme name per RFC 8017).
 * modbits is, by name, the modulus size in bits. clen / mlen are pointers on
 * the output side; NOTE(review): presumably buffer size in, bytes written
 * out - confirm.
 * NOTE(review): forced_seed / seedlen are, by name, a caller-imposed seed;
 * presumably meant for known-answer tests with NULL asking for fresh
 * randomness - confirm, and keep it NULL outside tests if so.
 * NOTE(review): PKCS#1 v1.5 decryption is the classic setting for
 * padding-oracle problems. Callers should make every decryption failure
 * look the same to the peer (one error code, no distinguishable path).
 * Whether the implementation is constant-time cannot be told from this
 * header, and what the _hardened variant adds is not visible here either.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsaes_pkcs1_v1_5_encrypt(const rsa_pub_key *pub, const u8 *m, u32 mlen,
						       u8 *c, u32 *clen, u32 modbits,
						       const u8 *forced_seed, u32 seedlen);
ATTRIBUTE_WARN_UNUSED_RET int rsaes_pkcs1_v1_5_decrypt(const rsa_priv_key *priv, const u8 *c, u32 clen,
						       u8 *m, u32 *mlen, u32 modbits);
ATTRIBUTE_WARN_UNUSED_RET int rsaes_pkcs1_v1_5_decrypt_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub, const u8 *c, u32 clen,
						       u8 *m, u32 *mlen, u32 modbits);

/*
 * RSAES-OAEP encryption and decryption (scheme name per RFC 8017), with an
 * optional label of label_len bytes and separate hash selectors for the
 * message hash and the mask generation function. Encryption and decryption
 * have to be called with the same label and hash selectors.
 * The forced_seed remark made for the PKCS#1 v1.5 encryption applies here
 * as well (NOTE(review): confirm).
 */
ATTRIBUTE_WARN_UNUSED_RET int rsaes_oaep_encrypt(const rsa_pub_key *pub, const u8 *m, u32 mlen,
						 u8 *c, u32 *clen, u32 modbits, const u8 *label, u32 label_len,
						 gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type,
						 const u8 *forced_seed, u32 seedlen);
ATTRIBUTE_WARN_UNUSED_RET int rsaes_oaep_decrypt(const rsa_priv_key *priv, const u8 *c, u32 clen,
						 u8 *m, u32 *mlen, u32 modbits, const u8 *label, u32 label_len,
						 gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type);
ATTRIBUTE_WARN_UNUSED_RET int rsaes_oaep_decrypt_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub, const u8 *c, u32 clen,
						 u8 *m, u32 *mlen, u32 modbits, const u8 *label, u32 label_len,
						 gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type);

/*
 * RSASSA-PKCS1-v1_5 signature and verification (scheme name per RFC 8017).
 * Signature lengths are u16 here while message lengths are u32.
 * NOTE(review): on the signing side slen is a pointer, presumably buffer
 * size in and signature length out - confirm.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsassa_pkcs1_v1_5_sign(const rsa_priv_key *priv, const u8 *m, u32 mlen,
						     u8 *s, u16 *slen, u32 modbits, gen_hash_alg_type rsa_hash_type);
ATTRIBUTE_WARN_UNUSED_RET int rsassa_pkcs1_v1_5_sign_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub, const u8 *m, u32 mlen,
						     u8 *s, u16 *slen, u32 modbits, gen_hash_alg_type rsa_hash_type);
ATTRIBUTE_WARN_UNUSED_RET int rsassa_pkcs1_v1_5_verify(const rsa_pub_key *pub, const u8 *m, u32 mlen,
						     const u8 *s, u16 slen, u32 modbits, gen_hash_alg_type rsa_hash_type);

/*
 * RSASSA-PSS signature and verification (scheme name per RFC 8017). The
 * verifier has to be given the same hash selectors and saltlen as the
 * signer used.
 * NOTE(review): forced_salt is, by name, a caller-imposed salt; presumably
 * for known-answer tests, NULL asking for a random salt - confirm.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsassa_pss_sign(const rsa_priv_key *priv, const u8 *m, u32 mlen,
					      u8 *s, u16 *slen, u32 modbits,
					      gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type,
					      u32 saltlen, const u8 *forced_salt);
ATTRIBUTE_WARN_UNUSED_RET int rsassa_pss_sign_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub, const u8 *m, u32 mlen,
					      u8 *s, u16 *slen, u32 modbits,
					      gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type,
					      u32 saltlen, const u8 *forced_salt);
ATTRIBUTE_WARN_UNUSED_RET int rsassa_pss_verify(const rsa_pub_key *pub, const u8 *m, u32 mlen,
					      const u8 *s, u16 slen, u32 modbits,
					      gen_hash_alg_type rsa_hash_type, gen_hash_alg_type mgf_hash_type,
					      u32 saltlen);


/*
 * Signature with message recovery, named after ISO/IEC 9796-2.
 * On signing, m / mlen is the message and s / slen the signature output;
 * m1len and m2len are outputs.
 * On verification, m2 / m2len is an input and m1 / m1len an output.
 * NOTE(review): by the usual ISO 9796-2 convention m1 would be the part of
 * the message recovered from the signature and m2 the part sent alongside
 * it - confirm against the implementation. Also confirm whether m1len and
 * slen carry a buffer size on entry, and what the extra public key of the
 * _hardened variant is used for; none of this is visible in the header.
 */
ATTRIBUTE_WARN_UNUSED_RET int rsa_iso9796_2_sign_recover(const rsa_priv_key *priv, const u8 *m, u32 mlen, u32 *m1len,
							 u32 *m2len, u8 *s, u16 *slen,
							 u32 modbits, gen_hash_alg_type gen_hash_type);

ATTRIBUTE_WARN_UNUSED_RET int rsa_iso9796_2_sign_recover_hardened(const rsa_priv_key *priv, const rsa_pub_key *pub,
							 const u8 *m, u32 mlen, u32 *m1len, u32 *m2len, u8 *s, u16 *slen,
							 u32 modbits, gen_hash_alg_type gen_hash_type);
ATTRIBUTE_WARN_UNUSED_RET int rsa_iso9796_2_verify_recover(const rsa_pub_key *pub, const u8 *m2, u32 m2len, u8 *m1, u32 *m1len,
							 const u8 *s, u16 slen, u32 modbits, gen_hash_alg_type gen_hash_type);
#endif /* __RSA_H__ */