f3825d19949217ef9c5c9f6ea31b4cd32d299dac
2 * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 #ifndef BR_BEARSSL_RSA_H__
26 #define BR_BEARSSL_RSA_H__
31 #include "bearssl_rand.h"
37 /** \file bearssl_rsa.h
41 * This file documents the RSA implementations provided with BearSSL.
42 * Note that the SSL engine accesses these implementations through a
43 * configurable API, so it is possible to, for instance, run a SSL
44 * server which uses a RSA engine which is not based on this code.
48 * RSA public and private keys consist in lists of big integers. All
49 * such integers are represented with big-endian unsigned notation:
50 * first byte is the most significant, and the value is positive (so
51 * there is no dedicated "sign bit"). Public and private key structures
52 * thus contain, for each such integer, a pointer to the first value byte
53 * (`unsigned char *`), and a length (`size_t`) which is the number of
54 * relevant bytes. As a general rule, minimal-length encoding is not
55 * enforced: values may have extra leading bytes of value 0.
57 * RSA public keys consist in two integers:
59 * - the modulus (`n`);
60 * - the public exponent (`e`).
62 * RSA private keys, as defined in
63 * [PKCS#1](https://tools.ietf.org/html/rfc3447), contain eight integers:
65 * - the modulus (`n`);
66 * - the public exponent (`e`);
67 * - the private exponent (`d`);
68 * - the first prime factor (`p`);
69 * - the second prime factor (`q`);
70 * - the first reduced exponent (`dp`, which is `d` modulo `p-1`);
71 * - the second reduced exponent (`dq`, which is `d` modulo `q-1`);
72 * - the CRT coefficient (`iq`, the inverse of `q` modulo `p`).
74 * However, the implementations defined in BearSSL use only five of
75 * these integers: `p`, `q`, `dp`, `dq` and `iq`.
77 * ## Security Features and Limitations
79 * The implementations contained in BearSSL have the following limitations
82 * - They are constant-time. This means that the execution time and
83 * memory access pattern may depend on the _lengths_ of the private
84 * key components, but not on their value, nor on the value of
85 * the operand. Note that this property is not achieved through
86 * random masking, but "true" constant-time code.
88 * - They support only private keys with two prime factors. RSA private
89 * keys with three or more prime factors are nominally supported, but
90 * rarely used; they may offer faster operations, at the expense of
91 * more code and potentially a reduction in security if there are
92 * "too many" prime factors.
94 * - The public exponent may have arbitrary length. Of course, it is
95 * a good idea to keep public exponents small, so that public key
96 * operations are fast; but, contrary to some widely deployed
97 * implementations, BearSSL has no problem with public exponents
98 * longer than 32 bits.
100 * - The two prime factors of the modulus need not have the same length
101 * (but severely imbalanced factor lengths might reduce security).
102 * Similarly, there is no requirement that the first factor (`p`)
103 * be greater than the second factor (`q`).
105 * - Prime factors and modulus must be smaller than a compile-time limit.
106 * This is made necessary by the use of fixed-size stack buffers, and
107 * the limit has been adjusted to keep stack usage under 2 kB for the
108 * RSA operations. Currently, the maximum modulus size is 4096 bits,
109 * and the maximum prime factor size is 2080 bits.
111 * - The RSA functions themselves do not enforce lower size limits,
112 * except that which is absolutely necessary for the operation to
113 * mathematically make sense (e.g. a PKCS#1 v1.5 signature with
114 * SHA-1 requires a modulus of at least 361 bits). It is up to users
115 * of this code to enforce size limitations when appropriate (e.g.
116 * the X.509 validation engine, by default, rejects RSA keys of
117 * less than 1017 bits).
119 * - Within the size constraints expressed above, arbitrary bit lengths
120 * are supported. There is no requirement that prime factors or
121 * modulus have a size multiple of 8 or 16.
123 * - When verifying PKCS#1 v1.5 signatures, both variants of the hash
124 * function identifying header (with and without the ASN.1 NULL) are
125 * supported. When producing such signatures, the variant with the
126 * ASN.1 NULL is used.
130 * Three RSA implementations are included:
132 * - The **i32** implementation internally represents big integers
133 * as arrays of 32-bit integers. It is perfunctory and portable,
134 * but not very efficient.
136 * - The **i31** implementation uses 32-bit integers, each containing
137 * 31 bits worth of integer data. The i31 implementation is somewhat
138 * faster than the i32 implementation (the reduced integer size makes
139 * carry propagation easier) for a similar code footprint, but uses
140 * very slightly larger stack buffers (about 4% bigger).
142 * - The **i62** implementation is similar to the i31 implementation,
143 * except that it internally leverages the 64x64->128 multiplication
144 * opcode. This implementation is available only on architectures
145 * where such an opcode exists. It is much faster than i31.
147 * - The **i15** implementation uses 16-bit integers, each containing
148 * 15 bits worth of integer data. Multiplication results fit on
149 * 32 bits, so this won't use the "widening" multiplication routine
150 * on ARM Cortex M0/M0+, for much better performance and constant-time
155 * \brief RSA public key.
157 * The structure references the modulus and the public exponent. Both
158 * integers use unsigned big-endian representation; extra leading bytes
159 * of value 0 are allowed.
162 /** \brief Modulus. */
164 /** \brief Modulus length (in bytes). */
166 /** \brief Public exponent. */
168 /** \brief Public exponent length (in bytes). */
173 * \brief RSA private key.
175 * The structure references the private factors, reduced private
176 * exponents, and CRT coefficient. It also contains the bit length of
177 * the modulus. The big integers use unsigned big-endian representation;
178 * extra leading bytes of value 0 are allowed. However, the modulus bit
179 * length (`n_bitlen`) MUST be exact.
182 /** \brief Modulus bit length (in bits, exact value). */
184 /** \brief First prime factor. */
186 /** \brief First prime factor length (in bytes). */
188 /** \brief Second prime factor. */
190 /** \brief Second prime factor length (in bytes). */
192 /** \brief First reduced private exponent. */
194 /** \brief First reduced private exponent length (in bytes). */
196 /** \brief Second reduced private exponent. */
198 /** \brief Second reduced private exponent length (in bytes). */
200 /** \brief CRT coefficient. */
202 /** \brief CRT coefficient length (in bytes). */
204 } br_rsa_private_key
;
207 * \brief Type for a RSA public key engine.
209 * The public key engine performs the modular exponentiation of the
210 * provided value with the public exponent. The value is modified in
213 * The value length (`xlen`) is verified to have _exactly_ the same
214 * length as the modulus (actual modulus length, without extra leading
215 * zeros in the modulus representation in memory). If the length does
216 * not match, then this function returns 0 and `x[]` is unmodified.
218 * It `xlen` is correct, then `x[]` is modified. Returned value is 1
219 * on success, 0 on error. Error conditions include an oversized `x[]`
220 * (the array has the same length as the modulus, but the numerical value
221 * is not lower than the modulus) and an invalid modulus (e.g. an even
222 * integer). If an error is reported, then the new contents of `x[]` are
225 * \param x operand to exponentiate.
226 * \param xlen length of the operand (in bytes).
227 * \param pk RSA public key.
228 * \return 1 on success, 0 on error.
230 typedef uint32_t (*br_rsa_public
)(unsigned char *x
, size_t xlen
,
231 const br_rsa_public_key
*pk
);
234 * \brief Type for a RSA signature verification engine (PKCS#1 v1.5).
238 * - The signature itself. The provided array is NOT modified.
240 * - The encoded OID for the hash function. The provided array must begin
241 * with a single byte that contains the length of the OID value (in
242 * bytes), followed by exactly that many bytes. This parameter may
243 * also be `NULL`, in which case the raw hash value should be used
244 * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
245 * to TLS-1.1, with a 36-byte hash value).
247 * - The hash output length, in bytes.
251 * - An output buffer for the hash value. The caller must still compare
252 * it with the hash of the data over which the signature is computed.
256 * - Hash length MUST be no more than 64 bytes.
258 * - OID value length MUST be no more than 32 bytes (i.e. `hash_oid[0]`
259 * must have a value in the 0..32 range, inclusive).
261 * This function verifies that the signature length (`xlen`) matches the
262 * modulus length (this function returns 0 on mismatch). If the modulus
263 * size exceeds the maximum supported RSA size, then the function also
266 * Returned value is 1 on success, 0 on error.
268 * Implementations of this type need not be constant-time.
270 * \param x signature buffer.
271 * \param xlen signature length (in bytes).
272 * \param hash_oid encoded hash algorithm OID (or `NULL`).
273 * \param hash_len expected hash value length (in bytes).
274 * \param pk RSA public key.
275 * \param hash_out output buffer for the hash value.
276 * \return 1 on success, 0 on error.
278 typedef uint32_t (*br_rsa_pkcs1_vrfy
)(const unsigned char *x
, size_t xlen
,
279 const unsigned char *hash_oid
, size_t hash_len
,
280 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
283 * \brief Type for a RSA encryption engine (OAEP).
287 * - A source of random bytes. The source must be already initialized.
289 * - A hash function, used internally with the mask generation function
292 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
293 * (an empty label, which is the default in PKCS#1 v2.2).
297 * - The destination buffer. Its maximum length (in bytes) is provided;
298 * if that length is lower than the public key length, then an error
301 * - The source message.
303 * The encrypted message output has exactly the same length as the modulus
304 * (mathematical length, in bytes, not counting extra leading zeros in the
305 * modulus representation in the public key).
307 * The source message (`src`, length `src_len`) may overlap with the
308 * destination buffer (`dst`, length `dst_max_len`).
310 * This function returns the actual encrypted message length, in bytes;
311 * on error, zero is returned. An error is reported if the output buffer
312 * is not large enough, or the public is invalid, or the public key
313 * modulus exceeds the maximum supported RSA size.
315 * \param rnd source of random bytes.
316 * \param dig hash function to use with MGF1.
317 * \param label label value (may be `NULL` if `label_len` is zero).
318 * \param label_len label length, in bytes.
319 * \param pk RSA public key.
320 * \param dst destination buffer.
321 * \param dst_max_len destination buffer length (maximum encrypted data size).
322 * \param src message to encrypt.
323 * \param src_len source message length (in bytes).
324 * \return encrypted message length (in bytes), or 0 on error.
326 typedef size_t (*br_rsa_oaep_encrypt
)(
327 const br_prng_class
**rnd
, const br_hash_class
*dig
,
328 const void *label
, size_t label_len
,
329 const br_rsa_public_key
*pk
,
330 void *dst
, size_t dst_max_len
,
331 const void *src
, size_t src_len
);
334 * \brief Type for a RSA private key engine.
336 * The `x[]` buffer is modified in place, and its length is inferred from
337 * the modulus length (`x[]` is assumed to have a length of
338 * `(sk->n_bitlen+7)/8` bytes).
340 * Returned value is 1 on success, 0 on error.
342 * \param x operand to exponentiate.
343 * \param sk RSA private key.
344 * \return 1 on success, 0 on error.
346 typedef uint32_t (*br_rsa_private
)(unsigned char *x
,
347 const br_rsa_private_key
*sk
);
350 * \brief Type for a RSA signature generation engine (PKCS#1 v1.5).
354 * - The encoded OID for the hash function. The provided array must begin
355 * with a single byte that contains the length of the OID value (in
356 * bytes), followed by exactly that many bytes. This parameter may
357 * also be `NULL`, in which case the raw hash value should be used
358 * with the PKCS#1 v1.5 "type 1" padding (as used in SSL/TLS up
359 * to TLS-1.1, with a 36-byte hash value).
361 * - The hash value computes over the data to sign (its length is
362 * expressed in bytes).
364 * - The RSA private key.
366 * - The output buffer, that receives the signature.
368 * Returned value is 1 on success, 0 on error. Error conditions include
369 * a too small modulus for the provided hash OID and value, or some
370 * invalid key parameters. The signature length is exactly
371 * `(sk->n_bitlen+7)/8` bytes.
373 * This function is expected to be constant-time with regards to the
374 * private key bytes (lengths of the modulus and the individual factors
375 * may leak, though) and to the hashed data.
377 * \param hash_oid encoded hash algorithm OID (or `NULL`).
378 * \param hash hash value.
379 * \param hash_len hash value length (in bytes).
380 * \param sk RSA private key.
381 * \param x output buffer for the signature value.
382 * \return 1 on success, 0 on error.
384 typedef uint32_t (*br_rsa_pkcs1_sign
)(const unsigned char *hash_oid
,
385 const unsigned char *hash
, size_t hash_len
,
386 const br_rsa_private_key
*sk
, unsigned char *x
);
389 * \brief Encoded OID for SHA-1 (in RSA PKCS#1 signatures).
391 #define BR_HASH_OID_SHA1 \
392 ((const unsigned char *)"\x05\x2B\x0E\x03\x02\x1A")
395 * \brief Encoded OID for SHA-224 (in RSA PKCS#1 signatures).
397 #define BR_HASH_OID_SHA224 \
398 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x04")
401 * \brief Encoded OID for SHA-256 (in RSA PKCS#1 signatures).
403 #define BR_HASH_OID_SHA256 \
404 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01")
407 * \brief Encoded OID for SHA-384 (in RSA PKCS#1 signatures).
409 #define BR_HASH_OID_SHA384 \
410 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x02")
413 * \brief Encoded OID for SHA-512 (in RSA PKCS#1 signatures).
415 #define BR_HASH_OID_SHA512 \
416 ((const unsigned char *)"\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03")
419 * \brief Type for a RSA decryption engine (OAEP).
423 * - A hash function, used internally with the mask generation function
426 * - A label. The `label` pointer may be `NULL` if `label_len` is zero
427 * (an empty label, which is the default in PKCS#1 v2.2).
431 * - The source and destination buffer. The buffer initially contains
432 * the encrypted message; the buffer contents are altered, and the
433 * decrypted message is written at the start of that buffer
434 * (decrypted message is always shorter than the encrypted message).
436 * If decryption fails in any way, then `*len` is unmodified, and the
437 * function returns 0. Otherwise, `*len` is set to the decrypted message
438 * length, and 1 is returned. The implementation is responsible for
439 * checking that the input message length matches the key modulus length,
440 * and that the padding is correct.
442 * Implementations MUST use constant-time check of the validity of the
443 * OAEP padding, at least until the leading byte and hash value have
444 * been checked. Whether overall decryption worked, and the length of
445 * the decrypted message, may leak.
447 * \param dig hash function to use with MGF1.
448 * \param label label value (may be `NULL` if `label_len` is zero).
449 * \param label_len label length, in bytes.
450 * \param sk RSA private key.
451 * \param data input/output buffer.
452 * \param len encrypted/decrypted message length.
453 * \return 1 on success, 0 on error.
455 typedef uint32_t (*br_rsa_oaep_decrypt
)(
456 const br_hash_class
*dig
, const void *label
, size_t label_len
,
457 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
460 * RSA "i32" engine. Integers are internally represented as arrays of
461 * 32-bit integers, and the core multiplication primitive is the
462 * 32x32->64 multiplication.
466 * \brief RSA public key engine "i32".
470 * \param x operand to exponentiate.
471 * \param xlen length of the operand (in bytes).
472 * \param pk RSA public key.
473 * \return 1 on success, 0 on error.
475 uint32_t br_rsa_i32_public(unsigned char *x
, size_t xlen
,
476 const br_rsa_public_key
*pk
);
479 * \brief RSA signature verification engine "i32".
481 * \see br_rsa_pkcs1_vrfy
483 * \param x signature buffer.
484 * \param xlen signature length (in bytes).
485 * \param hash_oid encoded hash algorithm OID (or `NULL`).
486 * \param hash_len expected hash value length (in bytes).
487 * \param pk RSA public key.
488 * \param hash_out output buffer for the hash value.
489 * \return 1 on success, 0 on error.
491 uint32_t br_rsa_i32_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
492 const unsigned char *hash_oid
, size_t hash_len
,
493 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
496 * \brief RSA private key engine "i32".
498 * \see br_rsa_private
500 * \param x operand to exponentiate.
501 * \param sk RSA private key.
502 * \return 1 on success, 0 on error.
504 uint32_t br_rsa_i32_private(unsigned char *x
,
505 const br_rsa_private_key
*sk
);
508 * \brief RSA signature generation engine "i32".
510 * \see br_rsa_pkcs1_sign
512 * \param hash_oid encoded hash algorithm OID (or `NULL`).
513 * \param hash hash value.
514 * \param hash_len hash value length (in bytes).
515 * \param sk RSA private key.
516 * \param x output buffer for the hash value.
517 * \return 1 on success, 0 on error.
519 uint32_t br_rsa_i32_pkcs1_sign(const unsigned char *hash_oid
,
520 const unsigned char *hash
, size_t hash_len
,
521 const br_rsa_private_key
*sk
, unsigned char *x
);
524 * RSA "i31" engine. Similar to i32, but only 31 bits are used per 32-bit
525 * word. This uses slightly more stack space (about 4% more) and code
526 * space, but it quite faster.
530 * \brief RSA public key engine "i31".
534 * \param x operand to exponentiate.
535 * \param xlen length of the operand (in bytes).
536 * \param pk RSA public key.
537 * \return 1 on success, 0 on error.
539 uint32_t br_rsa_i31_public(unsigned char *x
, size_t xlen
,
540 const br_rsa_public_key
*pk
);
543 * \brief RSA signature verification engine "i31".
545 * \see br_rsa_pkcs1_vrfy
547 * \param x signature buffer.
548 * \param xlen signature length (in bytes).
549 * \param hash_oid encoded hash algorithm OID (or `NULL`).
550 * \param hash_len expected hash value length (in bytes).
551 * \param pk RSA public key.
552 * \param hash_out output buffer for the hash value.
553 * \return 1 on success, 0 on error.
555 uint32_t br_rsa_i31_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
556 const unsigned char *hash_oid
, size_t hash_len
,
557 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
560 * \brief RSA private key engine "i31".
562 * \see br_rsa_private
564 * \param x operand to exponentiate.
565 * \param sk RSA private key.
566 * \return 1 on success, 0 on error.
568 uint32_t br_rsa_i31_private(unsigned char *x
,
569 const br_rsa_private_key
*sk
);
572 * \brief RSA signature generation engine "i31".
574 * \see br_rsa_pkcs1_sign
576 * \param hash_oid encoded hash algorithm OID (or `NULL`).
577 * \param hash hash value.
578 * \param hash_len hash value length (in bytes).
579 * \param sk RSA private key.
580 * \param x output buffer for the hash value.
581 * \return 1 on success, 0 on error.
583 uint32_t br_rsa_i31_pkcs1_sign(const unsigned char *hash_oid
,
584 const unsigned char *hash
, size_t hash_len
,
585 const br_rsa_private_key
*sk
, unsigned char *x
);
588 * RSA "i62" engine. Similar to i31, but internal multiplication use
589 * 64x64->128 multiplications. This is available only on architecture
590 * that offer such an opcode.
594 * \brief RSA public key engine "i62".
596 * This function is defined only on architecture that offer a 64x64->128
597 * opcode. Use `br_rsa_i62_public_get()` to dynamically obtain a pointer
602 * \param x operand to exponentiate.
603 * \param xlen length of the operand (in bytes).
604 * \param pk RSA public key.
605 * \return 1 on success, 0 on error.
607 uint32_t br_rsa_i62_public(unsigned char *x
, size_t xlen
,
608 const br_rsa_public_key
*pk
);
611 * \brief RSA signature verification engine "i62".
613 * This function is defined only on architecture that offer a 64x64->128
614 * opcode. Use `br_rsa_i62_pkcs1_vrfy_get()` to dynamically obtain a pointer
617 * \see br_rsa_pkcs1_vrfy
619 * \param x signature buffer.
620 * \param xlen signature length (in bytes).
621 * \param hash_oid encoded hash algorithm OID (or `NULL`).
622 * \param hash_len expected hash value length (in bytes).
623 * \param pk RSA public key.
624 * \param hash_out output buffer for the hash value.
625 * \return 1 on success, 0 on error.
627 uint32_t br_rsa_i62_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
628 const unsigned char *hash_oid
, size_t hash_len
,
629 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
632 * \brief RSA private key engine "i62".
634 * This function is defined only on architecture that offer a 64x64->128
635 * opcode. Use `br_rsa_i62_private_get()` to dynamically obtain a pointer
638 * \see br_rsa_private
640 * \param x operand to exponentiate.
641 * \param sk RSA private key.
642 * \return 1 on success, 0 on error.
644 uint32_t br_rsa_i62_private(unsigned char *x
,
645 const br_rsa_private_key
*sk
);
648 * \brief RSA signature generation engine "i62".
650 * This function is defined only on architecture that offer a 64x64->128
651 * opcode. Use `br_rsa_i62_pkcs1_sign_get()` to dynamically obtain a pointer
654 * \see br_rsa_pkcs1_sign
656 * \param hash_oid encoded hash algorithm OID (or `NULL`).
657 * \param hash hash value.
658 * \param hash_len hash value length (in bytes).
659 * \param sk RSA private key.
660 * \param x output buffer for the hash value.
661 * \return 1 on success, 0 on error.
663 uint32_t br_rsa_i62_pkcs1_sign(const unsigned char *hash_oid
,
664 const unsigned char *hash
, size_t hash_len
,
665 const br_rsa_private_key
*sk
, unsigned char *x
);
668 * \brief Get the RSA "i62" implementation (public key operations),
671 * \return the implementation, or 0.
673 br_rsa_public
br_rsa_i62_public_get(void);
676 * \brief Get the RSA "i62" implementation (PKCS#1 signature verification),
679 * \return the implementation, or 0.
681 br_rsa_pkcs1_vrfy
br_rsa_i62_pkcs1_vrfy_get(void);
684 * \brief Get the RSA "i62" implementation (private key operations),
687 * \return the implementation, or 0.
689 br_rsa_private
br_rsa_i62_private_get(void);
692 * \brief Get the RSA "i62" implementation (PKCS#1 signature generation),
695 * \return the implementation, or 0.
697 br_rsa_pkcs1_sign
br_rsa_i62_pkcs1_sign_get(void);
700 * \brief Get the RSA "i62" implementation (OAEP encryption),
703 * \return the implementation, or 0.
705 br_rsa_oaep_encrypt
br_rsa_i62_oaep_encrypt_get(void);
708 * \brief Get the RSA "i62" implementation (OAEP decryption),
711 * \return the implementation, or 0.
713 br_rsa_oaep_decrypt
br_rsa_i62_oaep_decrypt_get(void);
716 * RSA "i15" engine. Integers are represented as 15-bit integers, so
717 * the code uses only 32-bit multiplication (no 64-bit result), which
718 * is vastly faster (and constant-time) on the ARM Cortex M0/M0+.
722 * \brief RSA public key engine "i15".
726 * \param x operand to exponentiate.
727 * \param xlen length of the operand (in bytes).
728 * \param pk RSA public key.
729 * \return 1 on success, 0 on error.
731 uint32_t br_rsa_i15_public(unsigned char *x
, size_t xlen
,
732 const br_rsa_public_key
*pk
);
735 * \brief RSA signature verification engine "i15".
737 * \see br_rsa_pkcs1_vrfy
739 * \param x signature buffer.
740 * \param xlen signature length (in bytes).
741 * \param hash_oid encoded hash algorithm OID (or `NULL`).
742 * \param hash_len expected hash value length (in bytes).
743 * \param pk RSA public key.
744 * \param hash_out output buffer for the hash value.
745 * \return 1 on success, 0 on error.
747 uint32_t br_rsa_i15_pkcs1_vrfy(const unsigned char *x
, size_t xlen
,
748 const unsigned char *hash_oid
, size_t hash_len
,
749 const br_rsa_public_key
*pk
, unsigned char *hash_out
);
752 * \brief RSA private key engine "i15".
754 * \see br_rsa_private
756 * \param x operand to exponentiate.
757 * \param sk RSA private key.
758 * \return 1 on success, 0 on error.
760 uint32_t br_rsa_i15_private(unsigned char *x
,
761 const br_rsa_private_key
*sk
);
764 * \brief RSA signature generation engine "i15".
766 * \see br_rsa_pkcs1_sign
768 * \param hash_oid encoded hash algorithm OID (or `NULL`).
769 * \param hash hash value.
770 * \param hash_len hash value length (in bytes).
771 * \param sk RSA private key.
772 * \param x output buffer for the hash value.
773 * \return 1 on success, 0 on error.
775 uint32_t br_rsa_i15_pkcs1_sign(const unsigned char *hash_oid
,
776 const unsigned char *hash
, size_t hash_len
,
777 const br_rsa_private_key
*sk
, unsigned char *x
);
780 * \brief Get "default" RSA implementation (public-key operations).
782 * This returns the preferred implementation of RSA (public-key operations)
783 * on the current system.
785 * \return the default implementation.
787 br_rsa_public
br_rsa_public_get_default(void);
790 * \brief Get "default" RSA implementation (private-key operations).
792 * This returns the preferred implementation of RSA (private-key operations)
793 * on the current system.
795 * \return the default implementation.
797 br_rsa_private
br_rsa_private_get_default(void);
800 * \brief Get "default" RSA implementation (PKCS#1 signature verification).
802 * This returns the preferred implementation of RSA (signature verification)
803 * on the current system.
805 * \return the default implementation.
807 br_rsa_pkcs1_vrfy
br_rsa_pkcs1_vrfy_get_default(void);
810 * \brief Get "default" RSA implementation (PKCS#1 signature generation).
812 * This returns the preferred implementation of RSA (signature generation)
813 * on the current system.
815 * \return the default implementation.
817 br_rsa_pkcs1_sign
br_rsa_pkcs1_sign_get_default(void);
820 * \brief Get "default" RSA implementation (OAEP encryption).
822 * This returns the preferred implementation of RSA (OAEP encryption)
823 * on the current system.
825 * \return the default implementation.
827 br_rsa_oaep_encrypt
br_rsa_oaep_encrypt_get_default(void);
830 * \brief Get "default" RSA implementation (OAEP decryption).
832 * This returns the preferred implementation of RSA (OAEP decryption)
833 * on the current system.
835 * \return the default implementation.
837 br_rsa_oaep_decrypt
br_rsa_oaep_decrypt_get_default(void);
840 * \brief RSA decryption helper, for SSL/TLS.
842 * This function performs the RSA decryption for a RSA-based key exchange
843 * in a SSL/TLS server. The provided RSA engine is used. The `data`
844 * parameter points to the value to decrypt, of length `len` bytes. On
845 * success, the 48-byte pre-master secret is copied into `data`, starting
846 * at the first byte of that buffer; on error, the contents of `data`
847 * become indeterminate.
849 * This function first checks that the provided value length (`len`) is
850 * not lower than 59 bytes, and matches the RSA modulus length; if neither
851 * of this property is met, then this function returns 0 and the buffer
854 * Otherwise, decryption and then padding verification are performed, both
855 * in constant-time. A decryption error, or a bad padding, or an
856 * incorrect decrypted value length are reported with a returned value of
857 * 0; on success, 1 is returned. The caller (SSL server engine) is supposed
858 * to proceed with a random pre-master secret in case of error.
860 * \param core RSA private key engine.
861 * \param sk RSA private key.
862 * \param data input/output buffer.
863 * \param len length (in bytes) of the data to decrypt.
864 * \return 1 on success, 0 on error.
866 uint32_t br_rsa_ssl_decrypt(br_rsa_private core
, const br_rsa_private_key
*sk
,
867 unsigned char *data
, size_t len
);
870 * \brief RSA encryption (OAEP) with the "i15" engine.
872 * \see br_rsa_oaep_encrypt
874 * \param rnd source of random bytes.
875 * \param dig hash function to use with MGF1.
876 * \param label label value (may be `NULL` if `label_len` is zero).
877 * \param label_len label length, in bytes.
878 * \param pk RSA public key.
879 * \param dst destination buffer.
880 * \param dst_max_len destination buffer length (maximum encrypted data size).
881 * \param src message to encrypt.
882 * \param src_len source message length (in bytes).
883 * \return encrypted message length (in bytes), or 0 on error.
885 size_t br_rsa_i15_oaep_encrypt(
886 const br_prng_class
**rnd
, const br_hash_class
*dig
,
887 const void *label
, size_t label_len
,
888 const br_rsa_public_key
*pk
,
889 void *dst
, size_t dst_max_len
,
890 const void *src
, size_t src_len
);
893 * \brief RSA decryption (OAEP) with the "i15" engine.
895 * \see br_rsa_oaep_decrypt
897 * \param dig hash function to use with MGF1.
898 * \param label label value (may be `NULL` if `label_len` is zero).
899 * \param label_len label length, in bytes.
900 * \param sk RSA private key.
901 * \param data input/output buffer.
902 * \param len encrypted/decrypted message length.
903 * \return 1 on success, 0 on error.
905 uint32_t br_rsa_i15_oaep_decrypt(
906 const br_hash_class
*dig
, const void *label
, size_t label_len
,
907 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
910 * \brief RSA encryption (OAEP) with the "i31" engine.
912 * \see br_rsa_oaep_encrypt
914 * \param rnd source of random bytes.
915 * \param dig hash function to use with MGF1.
916 * \param label label value (may be `NULL` if `label_len` is zero).
917 * \param label_len label length, in bytes.
918 * \param pk RSA public key.
919 * \param dst destination buffer.
920 * \param dst_max_len destination buffer length (maximum encrypted data size).
921 * \param src message to encrypt.
922 * \param src_len source message length (in bytes).
923 * \return encrypted message length (in bytes), or 0 on error.
925 size_t br_rsa_i31_oaep_encrypt(
926 const br_prng_class
**rnd
, const br_hash_class
*dig
,
927 const void *label
, size_t label_len
,
928 const br_rsa_public_key
*pk
,
929 void *dst
, size_t dst_max_len
,
930 const void *src
, size_t src_len
);
933 * \brief RSA decryption (OAEP) with the "i31" engine.
935 * \see br_rsa_oaep_decrypt
937 * \param dig hash function to use with MGF1.
938 * \param label label value (may be `NULL` if `label_len` is zero).
939 * \param label_len label length, in bytes.
940 * \param sk RSA private key.
941 * \param data input/output buffer.
942 * \param len encrypted/decrypted message length.
943 * \return 1 on success, 0 on error.
945 uint32_t br_rsa_i31_oaep_decrypt(
946 const br_hash_class
*dig
, const void *label
, size_t label_len
,
947 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
950 * \brief RSA encryption (OAEP) with the "i32" engine.
952 * \see br_rsa_oaep_encrypt
954 * \param rnd source of random bytes.
955 * \param dig hash function to use with MGF1.
956 * \param label label value (may be `NULL` if `label_len` is zero).
957 * \param label_len label length, in bytes.
958 * \param pk RSA public key.
959 * \param dst destination buffer.
960 * \param dst_max_len destination buffer length (maximum encrypted data size).
961 * \param src message to encrypt.
962 * \param src_len source message length (in bytes).
963 * \return encrypted message length (in bytes), or 0 on error.
965 size_t br_rsa_i32_oaep_encrypt(
966 const br_prng_class
**rnd
, const br_hash_class
*dig
,
967 const void *label
, size_t label_len
,
968 const br_rsa_public_key
*pk
,
969 void *dst
, size_t dst_max_len
,
970 const void *src
, size_t src_len
);
973 * \brief RSA decryption (OAEP) with the "i32" engine.
975 * \see br_rsa_oaep_decrypt
977 * \param dig hash function to use with MGF1.
978 * \param label label value (may be `NULL` if `label_len` is zero).
979 * \param label_len label length, in bytes.
980 * \param sk RSA private key.
981 * \param data input/output buffer.
982 * \param len encrypted/decrypted message length.
983 * \return 1 on success, 0 on error.
985 uint32_t br_rsa_i32_oaep_decrypt(
986 const br_hash_class
*dig
, const void *label
, size_t label_len
,
987 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
990 * \brief RSA encryption (OAEP) with the "i62" engine.
992 * This function is defined only on architecture that offer a 64x64->128
993 * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer
996 * \see br_rsa_oaep_encrypt
998 * \param rnd source of random bytes.
999 * \param dig hash function to use with MGF1.
1000 * \param label label value (may be `NULL` if `label_len` is zero).
1001 * \param label_len label length, in bytes.
1002 * \param pk RSA public key.
1003 * \param dst destination buffer.
1004 * \param dst_max_len destination buffer length (maximum encrypted data size).
1005 * \param src message to encrypt.
1006 * \param src_len source message length (in bytes).
1007 * \return encrypted message length (in bytes), or 0 on error.
1009 size_t br_rsa_i62_oaep_encrypt(
1010 const br_prng_class
**rnd
, const br_hash_class
*dig
,
1011 const void *label
, size_t label_len
,
1012 const br_rsa_public_key
*pk
,
1013 void *dst
, size_t dst_max_len
,
1014 const void *src
, size_t src_len
);
1017 * \brief RSA decryption (OAEP) with the "i62" engine.
1019 * This function is defined only on architecture that offer a 64x64->128
1020 * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer
1023 * \see br_rsa_oaep_decrypt
1025 * \param dig hash function to use with MGF1.
1026 * \param label label value (may be `NULL` if `label_len` is zero).
1027 * \param label_len label length, in bytes.
1028 * \param sk RSA private key.
1029 * \param data input/output buffer.
1030 * \param len encrypted/decrypted message length.
1031 * \return 1 on success, 0 on error.
1033 uint32_t br_rsa_i62_oaep_decrypt(
1034 const br_hash_class
*dig
, const void *label
, size_t label_len
,
1035 const br_rsa_private_key
*sk
, void *data
, size_t *len
);
1038 * \brief Get buffer size to hold RSA private key elements.
1040 * This macro returns the length (in bytes) of the buffer needed to
1041 * receive the elements of a RSA private key, as generated by one of
1042 * the `br_rsa_*_keygen()` functions. If the provided size is a constant
1043 * expression, then the whole macro evaluates to a constant expression.
1045 * \param size target key size (modulus size, in bits)
1046 * \return the length of the private key buffer, in bytes.
1048 #define BR_RSA_KBUF_PRIV_SIZE(size) (5 * (((size) + 15) >> 4))
1051 * \brief Get buffer size to hold RSA public key elements.
1053 * This macro returns the length (in bytes) of the buffer needed to
1054 * receive the elements of a RSA public key, as generated by one of
1055 * the `br_rsa_*_keygen()` functions. If the provided size is a constant
1056 * expression, then the whole macro evaluates to a constant expression.
1058 * \param size target key size (modulus size, in bits)
1059 * \return the length of the public key buffer, in bytes.
1061 #define BR_RSA_KBUF_PUB_SIZE(size) (4 + (((size) + 7) >> 3))
1064 * \brief Type for RSA key pair generator implementation.
1066 * This function generates a new RSA key pair whose modulus has bit
1067 * length `size` bits. The private key elements are written in the
1068 * `kbuf_priv` buffer, and pointer values and length fields to these
1069 * elements are populated in the provided private key structure `sk`.
1070 * Similarly, the public key elements are written in `kbuf_pub`, with
1071 * pointers and lengths set in `pk`.
1073 * If `pk` is `NULL`, then `kbuf_pub` may be `NULL`, and only the
1074 * private key is set.
1076 * If `pubexp` is not zero, then its value will be used as public
1077 * exponent. Valid RSA public exponent values are odd integers
1078 * greater than 1. If `pubexp` is zero, then the public exponent will
1081 * The provided PRNG (`rng_ctx`) must have already been initialized
1084 * Returned value is 1 on success, 0 on error. An error is reported
1085 * if the requested range is outside of the supported key sizes, or
1086 * if an invalid non-zero public exponent value is provided. Supported
1087 * range starts at 512 bits, and up to an implementation-defined
1088 * maximum (by default 4096 bits). Note that key sizes up to 768 bits
1089 * have been broken in practice, and sizes lower than 2048 bits are
1090 * usually considered to be weak and should not be used.
1092 * \param rng_ctx source PRNG context (already initialized)
1093 * \param sk RSA private key structure (destination)
1094 * \param kbuf_priv buffer for private key elements
1095 * \param pk RSA public key structure (destination), or `NULL`
1096 * \param kbuf_pub buffer for public key elements, or `NULL`
1097 * \param size target RSA modulus size (in bits)
1098 * \param pubexp public exponent to use, or zero
1099 * \return 1 on success, 0 on error (invalid parameters)
1101 typedef uint32_t (*br_rsa_keygen
)(
1102 const br_prng_class
**rng_ctx
,
1103 br_rsa_private_key
*sk
, void *kbuf_priv
,
1104 br_rsa_public_key
*pk
, void *kbuf_pub
,
1105 unsigned size
, uint32_t pubexp
);
1108 * \brief RSA key pair generation with the "i15" engine.
1110 * \see br_rsa_keygen
1112 * \param rng_ctx source PRNG context (already initialized)
1113 * \param sk RSA private key structure (destination)
1114 * \param kbuf_priv buffer for private key elements
1115 * \param pk RSA public key structure (destination), or `NULL`
1116 * \param kbuf_pub buffer for public key elements, or `NULL`
1117 * \param size target RSA modulus size (in bits)
1118 * \param pubexp public exponent to use, or zero
1119 * \return 1 on success, 0 on error (invalid parameters)
1121 uint32_t br_rsa_i15_keygen(
1122 const br_prng_class
**rng_ctx
,
1123 br_rsa_private_key
*sk
, void *kbuf_priv
,
1124 br_rsa_public_key
*pk
, void *kbuf_pub
,
1125 unsigned size
, uint32_t pubexp
);
1128 * \brief RSA key pair generation with the "i31" engine.
1130 * \see br_rsa_keygen
1132 * \param rng_ctx source PRNG context (already initialized)
1133 * \param sk RSA private key structure (destination)
1134 * \param kbuf_priv buffer for private key elements
1135 * \param pk RSA public key structure (destination), or `NULL`
1136 * \param kbuf_pub buffer for public key elements, or `NULL`
1137 * \param size target RSA modulus size (in bits)
1138 * \param pubexp public exponent to use, or zero
1139 * \return 1 on success, 0 on error (invalid parameters)
1141 uint32_t br_rsa_i31_keygen(
1142 const br_prng_class
**rng_ctx
,
1143 br_rsa_private_key
*sk
, void *kbuf_priv
,
1144 br_rsa_public_key
*pk
, void *kbuf_pub
,
1145 unsigned size
, uint32_t pubexp
);
1148 * \brief RSA key pair generation with the "i62" engine.
1150 * This function is defined only on architecture that offer a 64x64->128
1151 * opcode. Use `br_rsa_i62_keygen_get()` to dynamically obtain a pointer
1154 * \see br_rsa_keygen
1156 * \param rng_ctx source PRNG context (already initialized)
1157 * \param sk RSA private key structure (destination)
1158 * \param kbuf_priv buffer for private key elements
1159 * \param pk RSA public key structure (destination), or `NULL`
1160 * \param kbuf_pub buffer for public key elements, or `NULL`
1161 * \param size target RSA modulus size (in bits)
1162 * \param pubexp public exponent to use, or zero
1163 * \return 1 on success, 0 on error (invalid parameters)
1165 uint32_t br_rsa_i62_keygen(
1166 const br_prng_class
**rng_ctx
,
1167 br_rsa_private_key
*sk
, void *kbuf_priv
,
1168 br_rsa_public_key
*pk
, void *kbuf_pub
,
1169 unsigned size
, uint32_t pubexp
);
1172 * \brief Get the RSA "i62" implementation (key pair generation),
1175 * \return the implementation, or 0.
1177 br_rsa_keygen
br_rsa_i62_keygen_get(void);
1180 * \brief Get "default" RSA implementation (key pair generation).
1182 * This returns the preferred implementation of RSA (key pair generation)
1183 * on the current system.
1185 * \return the default implementation.
1187 br_rsa_keygen
br_rsa_keygen_get_default(void);
1190 * \brief Type for a modulus computing function.
1192 * Such a function computes the public modulus from the private key. The
1193 * encoded modulus (unsigned big-endian) is written on `n`, and the size
1194 * (in bytes) is returned. If `n` is `NULL`, then the size is returned but
1195 * the modulus itself is not computed.
1197 * If the key size exceeds an internal limit, 0 is returned.
1199 * \param n destination buffer (or `NULL`).
1200 * \param sk RSA private key.
1201 * \return the modulus length (in bytes), or 0.
1203 typedef size_t (*br_rsa_compute_modulus
)(void *n
, const br_rsa_private_key
*sk
);
1206 * \brief Recompute RSA modulus ("i15" engine).
1208 * \see br_rsa_compute_modulus
1210 * \param n destination buffer (or `NULL`).
1211 * \param sk RSA private key.
1212 * \return the modulus length (in bytes), or 0.
1214 size_t br_rsa_i15_compute_modulus(void *n
, const br_rsa_private_key
*sk
);
1217 * \brief Recompute RSA modulus ("i31" engine).
1219 * \see br_rsa_compute_modulus
1221 * \param n destination buffer (or `NULL`).
1222 * \param sk RSA private key.
1223 * \return the modulus length (in bytes), or 0.
1225 size_t br_rsa_i31_compute_modulus(void *n
, const br_rsa_private_key
*sk
);
1228 * \brief Get "default" RSA implementation (recompute modulus).
1230 * This returns the preferred implementation of RSA (recompute modulus)
1231 * on the current system.
1233 * \return the default implementation.
1235 br_rsa_compute_modulus
br_rsa_compute_modulus_get_default(void);
1238 * \brief Type for a public exponent computing function.
1240 * Such a function recomputes the public exponent from the private key.
1241 * 0 is returned if any of the following occurs:
1243 * - Either `p` or `q` is not equal to 3 modulo 4.
1245 * - The public exponent does not fit on 32 bits.
1247 * - An internal limit is exceeded.
1249 * - The private key is invalid in some way.
1251 * For all private keys produced by the key generator functions
1252 * (`br_rsa_keygen` type), this function succeeds and returns the true
1253 * public exponent. The public exponent is always an odd integer greater
1256 * \return the public exponent, or 0.
1258 typedef uint32_t (*br_rsa_compute_pubexp
)(const br_rsa_private_key
*sk
);
1261 * \brief Recompute RSA public exponent ("i15" engine).
1263 * \see br_rsa_compute_pubexp
1265 * \return the public exponent, or 0.
1267 uint32_t br_rsa_i15_compute_pubexp(const br_rsa_private_key
*sk
);
1270 * \brief Recompute RSA public exponent ("i31" engine).
1272 * \see br_rsa_compute_pubexp
1274 * \return the public exponent, or 0.
1276 uint32_t br_rsa_i31_compute_pubexp(const br_rsa_private_key
*sk
);
1279 * \brief Get "default" RSA implementation (recompute public exponent).
1281 * This returns the preferred implementation of RSA (recompute public
1282 * exponent) on the current system.
1284 * \return the default implementation.
1286 br_rsa_compute_pubexp
br_rsa_compute_pubexp_get_default(void);
1289 * \brief Type for a private exponent computing function.
1291 * An RSA private key (`br_rsa_private_key`) contains two reduced
1292 * private exponents, which are sufficient to perform private key
1293 * operations. However, standard encoding formats for RSA private keys
1294 * require also a copy of the complete private exponent (non-reduced),
1295 * which this function recomputes.
1297 * This function suceeds if all the following conditions hold:
1299 * - Both private factors `p` and `q` are equal to 3 modulo 4.
1301 * - The provided public exponent `pubexp` is correct, and, in particular,
1302 * is odd, relatively prime to `p-1` and `q-1`, and greater than 1.
1304 * - No internal storage limit is exceeded.
1306 * For all private keys produced by the key generator functions
1307 * (`br_rsa_keygen` type), this function succeeds. Note that the API
1308 * restricts the public exponent to a maximum size of 32 bits.
1310 * The encoded private exponent is written in `d` (unsigned big-endian
1311 * convention), and the length (in bytes) is returned. If `d` is `NULL`,
1312 * then the exponent is not written anywhere, but the length is still
1313 * returned. On error, 0 is returned.
1315 * Not all error conditions are detected when `d` is `NULL`; therefore, the
1316 * returned value shall be checked also when actually producing the value.
1318 * \param d destination buffer (or `NULL`).
1319 * \param sk RSA private key.
1320 * \return the private exponent length (in bytes), or 0.
1322 typedef size_t (*br_rsa_compute_privexp
)(void *d
,
1323 const br_rsa_private_key
*sk
, uint32_t pubexp
);
1326 * \brief Recompute RSA private exponent ("i15" engine).
1328 * \see br_rsa_compute_privexp
1330 * \param d destination buffer (or `NULL`).
1331 * \param sk RSA private key.
1332 * \return the private exponent length (in bytes), or 0.
1334 size_t br_rsa_i15_compute_privexp(void *d
,
1335 const br_rsa_private_key
*sk
, uint32_t pubexp
);
1338 * \brief Recompute RSA private exponent ("i31" engine).
1340 * \see br_rsa_compute_privexp
1342 * \param d destination buffer (or `NULL`).
1343 * \param sk RSA private key.
1344 * \return the private exponent length (in bytes), or 0.
1346 size_t br_rsa_i31_compute_privexp(void *d
,
1347 const br_rsa_private_key
*sk
, uint32_t pubexp
);
1350 * \brief Get "default" RSA implementation (recompute private exponent).
1352 * This returns the preferred implementation of RSA (recompute private
1353 * exponent) on the current system.
1355 * \return the default implementation.
1357 br_rsa_compute_privexp
br_rsa_compute_privexp_get_default(void);