4 * \brief The RSA public-key cryptosystem
6 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: GPL-2.0
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 * This file is part of mbed TLS (https://tls.mbed.org)
28 #if !defined(MBEDTLS_CONFIG_FILE)
31 #include MBEDTLS_CONFIG_FILE
37 #if defined(MBEDTLS_THREADING_C)
38 #include "threading.h"
44 #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
45 #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
46 #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
47 #define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the library's validity check. */
48 #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
49 #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
50 #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
51 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
52 #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
57 #define MBEDTLS_RSA_PUBLIC 0
58 #define MBEDTLS_RSA_PRIVATE 1
60 #define MBEDTLS_RSA_PKCS_V15 0
61 #define MBEDTLS_RSA_PKCS_V21 1
63 #define MBEDTLS_RSA_SIGN 1
64 #define MBEDTLS_RSA_CRYPT 2
66 #define MBEDTLS_RSA_SALT_LEN_ANY -1
69 * The above constants may be used even if the RSA module is compile out,
70 * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
72 #if defined(MBEDTLS_RSA_C)
79 * \brief RSA context structure
83 int ver
; /*!< always 0 */
84 size_t len
; /*!< size(N) in chars */
86 mbedtls_mpi N
; /*!< public modulus */
87 mbedtls_mpi E
; /*!< public exponent */
89 mbedtls_mpi D
; /*!< private exponent */
90 mbedtls_mpi P
; /*!< 1st prime factor */
91 mbedtls_mpi Q
; /*!< 2nd prime factor */
92 mbedtls_mpi DP
; /*!< D % (P - 1) */
93 mbedtls_mpi DQ
; /*!< D % (Q - 1) */
94 mbedtls_mpi QP
; /*!< 1 / (Q % P) */
96 mbedtls_mpi RN
; /*!< cached R^2 mod N */
97 mbedtls_mpi RP
; /*!< cached R^2 mod P */
98 mbedtls_mpi RQ
; /*!< cached R^2 mod Q */
100 mbedtls_mpi Vi
; /*!< cached blinding value */
101 mbedtls_mpi Vf
; /*!< cached un-blinding value */
103 int padding
; /*!< MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
104 MBEDTLS_RSA_PKCS_v21 for OAEP/PSS */
105 int hash_id
; /*!< Hash identifier of mbedtls_md_type_t as
106 specified in the mbedtls_md.h header file
107 for the EME-OAEP and EMSA-PSS
109 #if defined(MBEDTLS_THREADING_C)
110 mbedtls_threading_mutex_t mutex
; /*!< Thread-safety mutex */
116 * \brief Initialize an RSA context
118 * Note: Set padding to MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
119 * encryption scheme and the RSASSA-PSS signature scheme.
121 * \param ctx RSA context to be initialized
122 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21
123 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier
125 * \note The hash_id parameter is actually ignored
126 * when using MBEDTLS_RSA_PKCS_V15 padding.
128 * \note Choice of padding mode is strictly enforced for private key
129 * operations, since there might be security concerns in
130 * mixing padding modes. For public key operations it's merely
131 * a default value, which can be overriden by calling specific
132 * rsa_rsaes_xxx or rsa_rsassa_xxx functions.
134 * \note The chosen hash is always used for OEAP encryption.
135 * For PSS signatures, it's always used for making signatures,
136 * but can be overriden (and always is, if set to
137 * MBEDTLS_MD_NONE) for verifying them.
139 void mbedtls_rsa_init( mbedtls_rsa_context
*ctx
,
144 * \brief Set padding for an already initialized RSA context
145 * See \c mbedtls_rsa_init() for details.
147 * \param ctx RSA context to be set
148 * \param padding MBEDTLS_RSA_PKCS_V15 or MBEDTLS_RSA_PKCS_V21
149 * \param hash_id MBEDTLS_RSA_PKCS_V21 hash identifier
151 void mbedtls_rsa_set_padding( mbedtls_rsa_context
*ctx
, int padding
, int hash_id
);
154 * \brief Generate an RSA keypair
156 * \param ctx RSA context that will hold the key
157 * \param f_rng RNG function
158 * \param p_rng RNG parameter
159 * \param nbits size of the public key in bits
160 * \param exponent public exponent (e.g., 65537)
162 * \note mbedtls_rsa_init() must be called beforehand to setup
165 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
167 int mbedtls_rsa_gen_key( mbedtls_rsa_context
*ctx
,
168 int (*f_rng
)(void *, unsigned char *, size_t),
170 unsigned int nbits
, int exponent
);
173 * \brief Check a public RSA key
175 * \param ctx RSA context to be checked
177 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
179 int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context
*ctx
);
182 * \brief Check a private RSA key
184 * \param ctx RSA context to be checked
186 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
188 int mbedtls_rsa_check_privkey( const mbedtls_rsa_context
*ctx
);
191 * \brief Check a public-private RSA key pair.
192 * Check each of the contexts, and make sure they match.
194 * \param pub RSA context holding the public key
195 * \param prv RSA context holding the private key
197 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
199 int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context
*pub
, const mbedtls_rsa_context
*prv
);
202 * \brief Do an RSA public key operation
204 * \param ctx RSA context
205 * \param input input buffer
206 * \param output output buffer
208 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
210 * \note This function does NOT take care of message
211 * padding. Also, be sure to set input[0] = 0 or ensure that
212 * input is smaller than N.
214 * \note The input and output buffers must be large
215 * enough (eg. 128 bytes if RSA-1024 is used).
217 int mbedtls_rsa_public( mbedtls_rsa_context
*ctx
,
218 const unsigned char *input
,
219 unsigned char *output
);
222 * \brief Do an RSA private key operation
224 * \param ctx RSA context
225 * \param f_rng RNG function (Needed for blinding)
226 * \param p_rng RNG parameter
227 * \param input input buffer
228 * \param output output buffer
230 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
232 * \note The input and output buffers must be large
233 * enough (eg. 128 bytes if RSA-1024 is used).
235 int mbedtls_rsa_private( mbedtls_rsa_context
*ctx
,
236 int (*f_rng
)(void *, unsigned char *, size_t),
238 const unsigned char *input
,
239 unsigned char *output
);
242 * \brief Generic wrapper to perform a PKCS#1 encryption using the
243 * mode from the context. Add the message padding, then do an
246 * \param ctx RSA context
247 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
248 * and MBEDTLS_RSA_PRIVATE)
249 * \param p_rng RNG parameter
250 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
251 * \param ilen contains the plaintext length
252 * \param input buffer holding the data to be encrypted
253 * \param output buffer that will hold the ciphertext
255 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
257 * \note The output buffer must be as large as the size
258 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
260 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context
*ctx
,
261 int (*f_rng
)(void *, unsigned char *, size_t),
263 int mode
, size_t ilen
,
264 const unsigned char *input
,
265 unsigned char *output
);
268 * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
270 * \param ctx RSA context
271 * \param f_rng RNG function (Needed for padding and MBEDTLS_RSA_PRIVATE)
272 * \param p_rng RNG parameter
273 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
274 * \param ilen contains the plaintext length
275 * \param input buffer holding the data to be encrypted
276 * \param output buffer that will hold the ciphertext
278 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
280 * \note The output buffer must be as large as the size
281 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
283 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context
*ctx
,
284 int (*f_rng
)(void *, unsigned char *, size_t),
286 int mode
, size_t ilen
,
287 const unsigned char *input
,
288 unsigned char *output
);
291 * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
293 * \param ctx RSA context
294 * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
295 * and MBEDTLS_RSA_PRIVATE)
296 * \param p_rng RNG parameter
297 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
298 * \param label buffer holding the custom label to use
299 * \param label_len contains the label length
300 * \param ilen contains the plaintext length
301 * \param input buffer holding the data to be encrypted
302 * \param output buffer that will hold the ciphertext
304 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
306 * \note The output buffer must be as large as the size
307 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
309 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context
*ctx
,
310 int (*f_rng
)(void *, unsigned char *, size_t),
313 const unsigned char *label
, size_t label_len
,
315 const unsigned char *input
,
316 unsigned char *output
);
319 * \brief Generic wrapper to perform a PKCS#1 decryption using the
320 * mode from the context. Do an RSA operation, then remove
321 * the message padding
323 * \param ctx RSA context
324 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
325 * \param p_rng RNG parameter
326 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
327 * \param olen will contain the plaintext length
328 * \param input buffer holding the encrypted data
329 * \param output buffer that will hold the plaintext
330 * \param output_max_len maximum length of the output buffer
332 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
334 * \note The output buffer must be as large as the size
335 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
336 * an error is thrown.
338 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context
*ctx
,
339 int (*f_rng
)(void *, unsigned char *, size_t),
341 int mode
, size_t *olen
,
342 const unsigned char *input
,
343 unsigned char *output
,
344 size_t output_max_len
);
347 * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
349 * \param ctx RSA context
350 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
351 * \param p_rng RNG parameter
352 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
353 * \param olen will contain the plaintext length
354 * \param input buffer holding the encrypted data
355 * \param output buffer that will hold the plaintext
356 * \param output_max_len maximum length of the output buffer
358 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
360 * \note The output buffer must be as large as the size
361 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
362 * an error is thrown.
364 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context
*ctx
,
365 int (*f_rng
)(void *, unsigned char *, size_t),
367 int mode
, size_t *olen
,
368 const unsigned char *input
,
369 unsigned char *output
,
370 size_t output_max_len
);
373 * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
375 * \param ctx RSA context
376 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
377 * \param p_rng RNG parameter
378 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
379 * \param label buffer holding the custom label to use
380 * \param label_len contains the label length
381 * \param olen will contain the plaintext length
382 * \param input buffer holding the encrypted data
383 * \param output buffer that will hold the plaintext
384 * \param output_max_len maximum length of the output buffer
386 * \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
388 * \note The output buffer must be as large as the size
389 * of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
390 * an error is thrown.
392 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context
*ctx
,
393 int (*f_rng
)(void *, unsigned char *, size_t),
396 const unsigned char *label
, size_t label_len
,
398 const unsigned char *input
,
399 unsigned char *output
,
400 size_t output_max_len
);
403 * \brief Generic wrapper to perform a PKCS#1 signature using the
404 * mode from the context. Do a private RSA operation to sign
407 * \param ctx RSA context
408 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
409 * MBEDTLS_RSA_PRIVATE)
410 * \param p_rng RNG parameter
411 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
412 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
413 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
414 * \param hash buffer holding the message digest
415 * \param sig buffer that will hold the ciphertext
417 * \return 0 if the signing operation was successful,
418 * or an MBEDTLS_ERR_RSA_XXX error code
420 * \note The "sig" buffer must be as large as the size
421 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
423 * \note In case of PKCS#1 v2.1 encoding, see comments on
424 * \note \c mbedtls_rsa_rsassa_pss_sign() for details on md_alg and hash_id.
426 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context
*ctx
,
427 int (*f_rng
)(void *, unsigned char *, size_t),
430 mbedtls_md_type_t md_alg
,
431 unsigned int hashlen
,
432 const unsigned char *hash
,
433 unsigned char *sig
);
436 * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
438 * \param ctx RSA context
439 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
440 * \param p_rng RNG parameter
441 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
442 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
443 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
444 * \param hash buffer holding the message digest
445 * \param sig buffer that will hold the ciphertext
447 * \return 0 if the signing operation was successful,
448 * or an MBEDTLS_ERR_RSA_XXX error code
450 * \note The "sig" buffer must be as large as the size
451 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
453 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context
*ctx
,
454 int (*f_rng
)(void *, unsigned char *, size_t),
457 mbedtls_md_type_t md_alg
,
458 unsigned int hashlen
,
459 const unsigned char *hash
,
460 unsigned char *sig
);
463 * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
465 * \param ctx RSA context
466 * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
467 * MBEDTLS_RSA_PRIVATE)
468 * \param p_rng RNG parameter
469 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
470 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
471 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
472 * \param hash buffer holding the message digest
473 * \param sig buffer that will hold the ciphertext
475 * \return 0 if the signing operation was successful,
476 * or an MBEDTLS_ERR_RSA_XXX error code
478 * \note The "sig" buffer must be as large as the size
479 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
481 * \note The hash_id in the RSA context is the one used for the
482 * encoding. md_alg in the function call is the type of hash
483 * that is encoded. According to RFC 3447 it is advised to
484 * keep both hashes the same.
486 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context
*ctx
,
487 int (*f_rng
)(void *, unsigned char *, size_t),
490 mbedtls_md_type_t md_alg
,
491 unsigned int hashlen
,
492 const unsigned char *hash
,
493 unsigned char *sig
);
496 * \brief Generic wrapper to perform a PKCS#1 verification using the
497 * mode from the context. Do a public RSA operation and check
500 * \param ctx points to an RSA public key
501 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
502 * \param p_rng RNG parameter
503 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
504 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
505 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
506 * \param hash buffer holding the message digest
507 * \param sig buffer holding the ciphertext
509 * \return 0 if the verify operation was successful,
510 * or an MBEDTLS_ERR_RSA_XXX error code
512 * \note The "sig" buffer must be as large as the size
513 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
515 * \note In case of PKCS#1 v2.1 encoding, see comments on
516 * \c mbedtls_rsa_rsassa_pss_verify() about md_alg and hash_id.
518 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context
*ctx
,
519 int (*f_rng
)(void *, unsigned char *, size_t),
522 mbedtls_md_type_t md_alg
,
523 unsigned int hashlen
,
524 const unsigned char *hash
,
525 const unsigned char *sig
);
528 * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
530 * \param ctx points to an RSA public key
531 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
532 * \param p_rng RNG parameter
533 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
534 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
535 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
536 * \param hash buffer holding the message digest
537 * \param sig buffer holding the ciphertext
539 * \return 0 if the verify operation was successful,
540 * or an MBEDTLS_ERR_RSA_XXX error code
542 * \note The "sig" buffer must be as large as the size
543 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
545 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context
*ctx
,
546 int (*f_rng
)(void *, unsigned char *, size_t),
549 mbedtls_md_type_t md_alg
,
550 unsigned int hashlen
,
551 const unsigned char *hash
,
552 const unsigned char *sig
);
555 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
556 * (This is the "simple" version.)
558 * \param ctx points to an RSA public key
559 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
560 * \param p_rng RNG parameter
561 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
562 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
563 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
564 * \param hash buffer holding the message digest
565 * \param sig buffer holding the ciphertext
567 * \return 0 if the verify operation was successful,
568 * or an MBEDTLS_ERR_RSA_XXX error code
570 * \note The "sig" buffer must be as large as the size
571 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
573 * \note The hash_id in the RSA context is the one used for the
574 * verification. md_alg in the function call is the type of
575 * hash that is verified. According to RFC 3447 it is advised to
576 * keep both hashes the same. If hash_id in the RSA context is
577 * unset, the md_alg from the function call is used.
579 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context
*ctx
,
580 int (*f_rng
)(void *, unsigned char *, size_t),
583 mbedtls_md_type_t md_alg
,
584 unsigned int hashlen
,
585 const unsigned char *hash
,
586 const unsigned char *sig
);
589 * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
590 * (This is the version with "full" options.)
592 * \param ctx points to an RSA public key
593 * \param f_rng RNG function (Only needed for MBEDTLS_RSA_PRIVATE)
594 * \param p_rng RNG parameter
595 * \param mode MBEDTLS_RSA_PUBLIC or MBEDTLS_RSA_PRIVATE
596 * \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
597 * \param hashlen message digest length (for MBEDTLS_MD_NONE only)
598 * \param hash buffer holding the message digest
599 * \param mgf1_hash_id message digest used for mask generation
600 * \param expected_salt_len Length of the salt used in padding, use
601 * MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length
602 * \param sig buffer holding the ciphertext
604 * \return 0 if the verify operation was successful,
605 * or an MBEDTLS_ERR_RSA_XXX error code
607 * \note The "sig" buffer must be as large as the size
608 * of ctx->N (eg. 128 bytes if RSA-1024 is used).
610 * \note The hash_id in the RSA context is ignored.
612 int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context
*ctx
,
613 int (*f_rng
)(void *, unsigned char *, size_t),
616 mbedtls_md_type_t md_alg
,
617 unsigned int hashlen
,
618 const unsigned char *hash
,
619 mbedtls_md_type_t mgf1_hash_id
,
620 int expected_salt_len
,
621 const unsigned char *sig
);
624 * \brief Copy the components of an RSA context
626 * \param dst Destination context
627 * \param src Source context
629 * \return 0 on success,
630 * MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure
632 int mbedtls_rsa_copy( mbedtls_rsa_context
*dst
, const mbedtls_rsa_context
*src
);
635 * \brief Free the components of an RSA key
637 * \param ctx RSA Context to free
639 void mbedtls_rsa_free( mbedtls_rsa_context
*ctx
);
642 * \brief Checkup routine
644 * \return 0 if successful, or 1 if the test failed
646 int mbedtls_rsa_self_test( int verbose
);
652 #endif /* MBEDTLS_RSA_C */