+/**
+ * \brief RSA encryption (OAEP) with the "i15" engine.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i15_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i15" engine.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i15_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief RSA encryption (OAEP) with the "i31" engine.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i31_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i31" engine.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i31_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief RSA encryption (OAEP) with the "i32" engine.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i32_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i32" engine.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i32_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief RSA encryption (OAEP) with the "i62" engine.
+ *
+ * This function is defined only on architecture that offer a 64x64->128
+ * opcode. Use `br_rsa_i62_oaep_encrypt_get()` to dynamically obtain a pointer
+ * to that function.
+ *
+ * \see br_rsa_oaep_encrypt
+ *
+ * \param rnd source of random bytes.
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param pk RSA public key.
+ * \param dst destination buffer.
+ * \param dst_max_len destination buffer length (maximum encrypted data size).
+ * \param src message to encrypt.
+ * \param src_len source message length (in bytes).
+ * \return encrypted message length (in bytes), or 0 on error.
+ */
+size_t br_rsa_i62_oaep_encrypt(
+ const br_prng_class **rnd, const br_hash_class *dig,
+ const void *label, size_t label_len,
+ const br_rsa_public_key *pk,
+ void *dst, size_t dst_max_len,
+ const void *src, size_t src_len);
+
+/**
+ * \brief RSA decryption (OAEP) with the "i62" engine.
+ *
+ * This function is defined only on architecture that offer a 64x64->128
+ * opcode. Use `br_rsa_i62_oaep_decrypt_get()` to dynamically obtain a pointer
+ * to that function.
+ *
+ * \see br_rsa_oaep_decrypt
+ *
+ * \param dig hash function to use with MGF1.
+ * \param label label value (may be `NULL` if `label_len` is zero).
+ * \param label_len label length, in bytes.
+ * \param sk RSA private key.
+ * \param data input/output buffer.
+ * \param len encrypted/decrypted message length.
+ * \return 1 on success, 0 on error.
+ */
+uint32_t br_rsa_i62_oaep_decrypt(
+ const br_hash_class *dig, const void *label, size_t label_len,
+ const br_rsa_private_key *sk, void *data, size_t *len);
+
+/**
+ * \brief Get buffer size to hold RSA private key elements.
+ *
+ * This macro returns the length (in bytes) of the buffer needed to
+ * receive the elements of a RSA private key, as generated by one of
+ * the `br_rsa_*_keygen()` functions. If the provided size is a constant
+ * expression, then the whole macro evaluates to a constant expression.
+ *
+ * \param size target key size (modulus size, in bits)
+ * \return the length of the private key buffer, in bytes.
+ */
+#define BR_RSA_KBUF_PRIV_SIZE(size) (5 * (((size) + 15) >> 4))
+
+/**
+ * \brief Get buffer size to hold RSA public key elements.
+ *
+ * This macro returns the length (in bytes) of the buffer needed to
+ * receive the elements of a RSA public key, as generated by one of
+ * the `br_rsa_*_keygen()` functions. If the provided size is a constant
+ * expression, then the whole macro evaluates to a constant expression.
+ *
+ * \param size target key size (modulus size, in bits)
+ * \return the length of the public key buffer, in bytes.
+ */
+#define BR_RSA_KBUF_PUB_SIZE(size) (4 + (((size) + 7) >> 3))
+
+/**
+ * \brief Type for RSA key pair generator implementation.
+ *
+ * This function generates a new RSA key pair whose modulus has bit
+ * length `size` bits. The private key elements are written in the
+ * `kbuf_priv` buffer, and pointer values and length fields to these
+ * elements are populated in the provided private key structure `sk`.
+ * Similarly, the public key elements are written in `kbuf_pub`, with
+ * pointers and lengths set in `pk`.
+ *
+ * If `sk` is `NULL`, then `kbuf_pub` may be `NULL`, and only the
+ * private key is set.
+ *
+ * If `pubexp` is not zero, then its value will be used as public
+ * exponent. Valid RSA public exponent values are odd integers
+ * greater than 1. If `pubexp` is zero, then the public exponent will
+ * have value 3.
+ *
+ * The provided PRNG (`rng_ctx`) must have already been initialized
+ * and seeded.
+ *
+ * Returned value is 1 on success, 0 on error. An error is reported
+ * if the requested range is outside of the supported key sizes, or
+ * if an invalid non-zero public exponent value is provided. Supported
+ * range starts at 512 bits, and up to an implementation-defined
+ * maximum (by default 4096 bits). Note that key sizes up to 768 bits
+ * have been broken in practice, and sizes lower than 2048 bits are
+ * usually considered to be weak and should not be used.
+ *
+ * \param rng_ctx source PRNG context (already initialized)
+ * \param sk RSA private key structure (destination)
+ * \param kbuf_priv buffer for private key elements
+ * \param pk RSA public key structure (destination), or `NULL`
+ * \param kbuf_pub buffer for public key elements, or `NULL`
+ * \param size target RSA modulus size (in bits)
+ * \param pubexp public exponent to use, or zero
+ * \return 1 on success, 0 on error (invalid parameters)
+ */
+typedef uint32_t (*br_rsa_keygen)(
+ const br_prng_class **rng_ctx,
+ br_rsa_private_key *sk, unsigned char *kbuf_priv,
+ br_rsa_public_key *pk, unsigned char *kbuf_pub,
+ unsigned size, uint32_t pubexp);
+
+/**
+ * \brief RSA key pair generation with the "i15" engine.
+ *
+ * \see br_rsa_keygen
+ *
+ * \param rng_ctx source PRNG context (already initialized)
+ * \param sk RSA private key structure (destination)
+ * \param kbuf_priv buffer for private key elements
+ * \param pk RSA public key structure (destination), or `NULL`
+ * \param kbuf_pub buffer for public key elements, or `NULL`
+ * \param size target RSA modulus size (in bits)
+ * \param pubexp public exponent to use, or zero
+ * \return 1 on success, 0 on error (invalid parameters)
+ */
+uint32_t br_rsa_i15_keygen(
+ const br_prng_class **rng_ctx,
+ br_rsa_private_key *sk, unsigned char *kbuf_priv,
+ br_rsa_public_key *pk, unsigned char *kbuf_pub,
+ unsigned size, uint32_t pubexp);
+
+/**
+ * \brief RSA key pair generation with the "i31" engine.
+ *
+ * \see br_rsa_keygen
+ *
+ * \param rng_ctx source PRNG context (already initialized)
+ * \param sk RSA private key structure (destination)
+ * \param kbuf_priv buffer for private key elements
+ * \param pk RSA public key structure (destination), or `NULL`
+ * \param kbuf_pub buffer for public key elements, or `NULL`
+ * \param size target RSA modulus size (in bits)
+ * \param pubexp public exponent to use, or zero
+ * \return 1 on success, 0 on error (invalid parameters)
+ */
+uint32_t br_rsa_i31_keygen(
+ const br_prng_class **rng_ctx,
+ br_rsa_private_key *sk, unsigned char *kbuf_priv,
+ br_rsa_public_key *pk, unsigned char *kbuf_pub,
+ unsigned size, uint32_t pubexp);
+
+/**
+ * \brief RSA key pair generation with the "i62" engine.
+ *
+ * This function is defined only on architecture that offer a 64x64->128
+ * opcode. Use `br_rsa_i62_keygen_get()` to dynamically obtain a pointer
+ * to that function.
+ *
+ * \see br_rsa_keygen
+ *
+ * \param rng_ctx source PRNG context (already initialized)
+ * \param sk RSA private key structure (destination)
+ * \param kbuf_priv buffer for private key elements
+ * \param pk RSA public key structure (destination), or `NULL`
+ * \param kbuf_pub buffer for public key elements, or `NULL`
+ * \param size target RSA modulus size (in bits)
+ * \param pubexp public exponent to use, or zero
+ * \return 1 on success, 0 on error (invalid parameters)
+ */
+uint32_t br_rsa_i62_keygen(
+ const br_prng_class **rng_ctx,
+ br_rsa_private_key *sk, unsigned char *kbuf_priv,
+ br_rsa_public_key *pk, unsigned char *kbuf_pub,
+ unsigned size, uint32_t pubexp);
+
+/**
+ * \brief Get the RSA "i62" implementation (key pair generation),
+ * if available.
+ *
+ * \return the implementation, or 0.
+ */
+br_rsa_keygen br_rsa_i62_keygen_get(void);
+
+/**
+ * \brief Get "default" RSA implementation (key pair generation).
+ *
+ * This returns the preferred implementation of RSA (key pair generation)
+ * on the current system.
+ *
+ * \return the default implementation.
+ */
+br_rsa_keygen br_rsa_keygen_get_default(void);
+
+#ifdef __cplusplus
+}
+#endif
+