TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_os / 5e0191a043cb620eb24717ab5cc5878d63f166c2 / . / lib / libmbedtls / mbedtls / include / psa / crypto.h
blob: 2bbcea3ee0f7f8aa93e3cdbde51aad599c9afd0b [file] [log] [blame]
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1/**
2 * \file psa/crypto.h
3 * \brief Platform Security Architecture cryptography module
4 */
5/*
6 * Copyright The Mbed TLS Contributors
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]8 */
9
10#ifndef PSA_CRYPTO_H
11#define PSA_CRYPTO_H
12
13#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE)
14#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
15#else
16#include "crypto_platform.h"
17#endif
18
19#include <stddef.h>
20
21#ifdef __DOXYGEN_ONLY__
22/* This __DOXYGEN_ONLY__ block contains mock definitions for things that
23 * must be defined in the crypto_platform.h header. These mock definitions
24 * are present in this file as a convenience to generate pretty-printed
25 * documentation that includes those definitions. */
26
27/** \defgroup platform Implementation-specific definitions
28 * @{
29 */
30
31/**@}*/
32#endif /* __DOXYGEN_ONLY__ */
33
34#ifdef __cplusplus
35extern "C" {
36#endif
37
38/* The file "crypto_types.h" declares types that encode errors,
39 * algorithms, key types, policies, etc. */
40#include "crypto_types.h"
41
42/** \defgroup version API version
43 * @{
44 */
45
46/**
47 * The major version of this implementation of the PSA Crypto API
48 */
49#define PSA_CRYPTO_API_VERSION_MAJOR 1
50
51/**
52 * The minor version of this implementation of the PSA Crypto API
53 */
54#define PSA_CRYPTO_API_VERSION_MINOR 0
55
56/**@}*/
57
58/* The file "crypto_values.h" declares macros to build and analyze values
59 * of integral types defined in "crypto_types.h". */
60#include "crypto_values.h"
61
62/** \defgroup initialization Library initialization
63 * @{
64 */
65
66/**
67 * \brief Library initialization.
68 *
69 * Applications must call this function before calling any other
70 * function in this module.
71 *
72 * Applications may call this function more than once. Once a call
73 * succeeds, subsequent calls are guaranteed to succeed.
74 *
75 * If the application calls other functions before calling psa_crypto_init(),
76 * the behavior is undefined. Implementations are encouraged to either perform
77 * the operation as if the library had been initialized or to return
78 * #PSA_ERROR_BAD_STATE or some other applicable error. In particular,
79 * implementations should not return a success status if the lack of
80 * initialization may have security implications, for example due to improper
81 * seeding of the random number generator.
82 *
83 * \retval #PSA_SUCCESS \emptydescription
84 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
85 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
86 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
87 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
88 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
89 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
90 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
91 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
92 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
93 */
94psa_status_t psa_crypto_init(void);
95
96/**@}*/
97
98/** \addtogroup attributes
99 * @{
100 */
101
102/** \def PSA_KEY_ATTRIBUTES_INIT
103 *
104 * This macro returns a suitable initializer for a key attribute structure
105 * of type #psa_key_attributes_t.
106 */
107
108/** Return an initial value for a key attributes structure.
109 */
110static psa_key_attributes_t psa_key_attributes_init(void);
111
112/** Declare a key as persistent and set its key identifier.
113 *
114 * If the attribute structure currently declares the key as volatile (which
115 * is the default content of an attribute structure), this function sets
116 * the lifetime attribute to #PSA_KEY_LIFETIME_PERSISTENT.
117 *
118 * This function does not access storage, it merely stores the given
119 * value in the structure.
120 * The persistent key will be written to storage when the attribute
121 * structure is passed to a key creation function such as
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]122 * psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
123 * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]124 * or psa_copy_key().
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]125 *
126 * This function may be declared as `static` (i.e. without external
127 * linkage). This function may be provided as a function-like macro,
128 * but in this case it must evaluate each of its arguments exactly once.
129 *
130 * \param[out] attributes The attribute structure to write to.
131 * \param key The persistent identifier for the key.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]132 * This can be any value in the range from
133 * #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX
134 * inclusive.
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]135 */
136static void psa_set_key_id(psa_key_attributes_t *attributes,
137 mbedtls_svc_key_id_t key);
138
139#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
140/** Set the owner identifier of a key.
141 *
142 * When key identifiers encode key owner identifiers, psa_set_key_id() does
143 * not allow to define in key attributes the owner of volatile keys as
144 * psa_set_key_id() enforces the key to be persistent.
145 *
146 * This function allows to set in key attributes the owner identifier of a
147 * key. It is intended to be used for volatile keys. For persistent keys,
148 * it is recommended to use the PSA Cryptography API psa_set_key_id() to define
149 * the owner of a key.
150 *
151 * \param[out] attributes The attribute structure to write to.
152 * \param owner The key owner identifier.
153 */
154static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
155 mbedtls_key_owner_id_t owner);
156#endif
157
158/** Set the location of a persistent key.
159 *
160 * To make a key persistent, you must give it a persistent key identifier
161 * with psa_set_key_id(). By default, a key that has a persistent identifier
162 * is stored in the default storage area identifier by
163 * #PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage
164 * area, or to explicitly declare the key as volatile.
165 *
166 * This function does not access storage, it merely stores the given
167 * value in the structure.
168 * The persistent key will be written to storage when the attribute
169 * structure is passed to a key creation function such as
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]170 * psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
171 * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]172 * or psa_copy_key().
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]173 *
174 * This function may be declared as `static` (i.e. without external
175 * linkage). This function may be provided as a function-like macro,
176 * but in this case it must evaluate each of its arguments exactly once.
177 *
178 * \param[out] attributes The attribute structure to write to.
179 * \param lifetime The lifetime for the key.
180 * If this is #PSA_KEY_LIFETIME_VOLATILE, the
181 * key will be volatile, and the key identifier
182 * attribute is reset to 0.
183 */
184static void psa_set_key_lifetime(psa_key_attributes_t *attributes,
185 psa_key_lifetime_t lifetime);
186
187/** Retrieve the key identifier from key attributes.
188 *
189 * This function may be declared as `static` (i.e. without external
190 * linkage). This function may be provided as a function-like macro,
191 * but in this case it must evaluate its argument exactly once.
192 *
193 * \param[in] attributes The key attribute structure to query.
194 *
195 * \return The persistent identifier stored in the attribute structure.
196 * This value is unspecified if the attribute structure declares
197 * the key as volatile.
198 */
199static mbedtls_svc_key_id_t psa_get_key_id(
200 const psa_key_attributes_t *attributes);
201
202/** Retrieve the lifetime from key attributes.
203 *
204 * This function may be declared as `static` (i.e. without external
205 * linkage). This function may be provided as a function-like macro,
206 * but in this case it must evaluate its argument exactly once.
207 *
208 * \param[in] attributes The key attribute structure to query.
209 *
210 * \return The lifetime value stored in the attribute structure.
211 */
212static psa_key_lifetime_t psa_get_key_lifetime(
213 const psa_key_attributes_t *attributes);
214
215/** Declare usage flags for a key.
216 *
217 * Usage flags are part of a key's usage policy. They encode what
218 * kind of operations are permitted on the key. For more details,
219 * refer to the documentation of the type #psa_key_usage_t.
220 *
221 * This function overwrites any usage flags
222 * previously set in \p attributes.
223 *
224 * This function may be declared as `static` (i.e. without external
225 * linkage). This function may be provided as a function-like macro,
226 * but in this case it must evaluate each of its arguments exactly once.
227 *
228 * \param[out] attributes The attribute structure to write to.
229 * \param usage_flags The usage flags to write.
230 */
231static void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
232 psa_key_usage_t usage_flags);
233
234/** Retrieve the usage flags from key attributes.
235 *
236 * This function may be declared as `static` (i.e. without external
237 * linkage). This function may be provided as a function-like macro,
238 * but in this case it must evaluate its argument exactly once.
239 *
240 * \param[in] attributes The key attribute structure to query.
241 *
242 * \return The usage flags stored in the attribute structure.
243 */
244static psa_key_usage_t psa_get_key_usage_flags(
245 const psa_key_attributes_t *attributes);
246
247/** Declare the permitted algorithm policy for a key.
248 *
249 * The permitted algorithm policy of a key encodes which algorithm or
250 * algorithms are permitted to be used with this key. The following
251 * algorithm policies are supported:
252 * - 0 does not allow any cryptographic operation with the key. The key
253 * may be used for non-cryptographic actions such as exporting (if
254 * permitted by the usage flags).
255 * - An algorithm value permits this particular algorithm.
256 * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified
257 * signature scheme with any hash algorithm.
258 * - An algorithm built from #PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows
259 * any MAC algorithm from the same base class (e.g. CMAC) which
260 * generates/verifies a MAC length greater than or equal to the length
261 * encoded in the wildcard algorithm.
262 * - An algorithm built from #PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG
263 * allows any AEAD algorithm from the same base class (e.g. CCM) which
264 * generates/verifies a tag length greater than or equal to the length
265 * encoded in the wildcard algorithm.
266 *
267 * This function overwrites any algorithm policy
268 * previously set in \p attributes.
269 *
270 * This function may be declared as `static` (i.e. without external
271 * linkage). This function may be provided as a function-like macro,
272 * but in this case it must evaluate each of its arguments exactly once.
273 *
274 * \param[out] attributes The attribute structure to write to.
275 * \param alg The permitted algorithm policy to write.
276 */
277static void psa_set_key_algorithm(psa_key_attributes_t *attributes,
278 psa_algorithm_t alg);
279
280
281/** Retrieve the algorithm policy from key attributes.
282 *
283 * This function may be declared as `static` (i.e. without external
284 * linkage). This function may be provided as a function-like macro,
285 * but in this case it must evaluate its argument exactly once.
286 *
287 * \param[in] attributes The key attribute structure to query.
288 *
289 * \return The algorithm stored in the attribute structure.
290 */
291static psa_algorithm_t psa_get_key_algorithm(
292 const psa_key_attributes_t *attributes);
293
294/** Declare the type of a key.
295 *
296 * This function overwrites any key type
297 * previously set in \p attributes.
298 *
299 * This function may be declared as `static` (i.e. without external
300 * linkage). This function may be provided as a function-like macro,
301 * but in this case it must evaluate each of its arguments exactly once.
302 *
303 * \param[out] attributes The attribute structure to write to.
304 * \param type The key type to write.
305 * If this is 0, the key type in \p attributes
306 * becomes unspecified.
307 */
308static void psa_set_key_type(psa_key_attributes_t *attributes,
309 psa_key_type_t type);
310
311
312/** Declare the size of a key.
313 *
314 * This function overwrites any key size previously set in \p attributes.
315 *
316 * This function may be declared as `static` (i.e. without external
317 * linkage). This function may be provided as a function-like macro,
318 * but in this case it must evaluate each of its arguments exactly once.
319 *
320 * \param[out] attributes The attribute structure to write to.
321 * \param bits The key size in bits.
322 * If this is 0, the key size in \p attributes
323 * becomes unspecified. Keys of size 0 are
324 * not supported.
325 */
326static void psa_set_key_bits(psa_key_attributes_t *attributes,
327 size_t bits);
328
329/** Retrieve the key type from key attributes.
330 *
331 * This function may be declared as `static` (i.e. without external
332 * linkage). This function may be provided as a function-like macro,
333 * but in this case it must evaluate its argument exactly once.
334 *
335 * \param[in] attributes The key attribute structure to query.
336 *
337 * \return The key type stored in the attribute structure.
338 */
339static psa_key_type_t psa_get_key_type(const psa_key_attributes_t *attributes);
340
341/** Retrieve the key size from key attributes.
342 *
343 * This function may be declared as `static` (i.e. without external
344 * linkage). This function may be provided as a function-like macro,
345 * but in this case it must evaluate its argument exactly once.
346 *
347 * \param[in] attributes The key attribute structure to query.
348 *
349 * \return The key size stored in the attribute structure, in bits.
350 */
351static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
352
353/** Retrieve the attributes of a key.
354 *
355 * This function first resets the attribute structure as with
356 * psa_reset_key_attributes(). It then copies the attributes of
357 * the given key into the given attribute structure.
358 *
359 * \note This function may allocate memory or other resources.
360 * Once you have called this function on an attribute structure,
361 * you must call psa_reset_key_attributes() to free these resources.
362 *
363 * \param[in] key Identifier of the key to query.
364 * \param[in,out] attributes On success, the attributes of the key.
365 * On failure, equivalent to a
366 * freshly-initialized structure.
367 *
368 * \retval #PSA_SUCCESS \emptydescription
369 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
370 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
371 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
372 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
373 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
374 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
375 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
376 * \retval #PSA_ERROR_BAD_STATE
377 * The library has not been previously initialized by psa_crypto_init().
378 * It is implementation-dependent whether a failure to initialize
379 * results in this error code.
380 */
381psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
382 psa_key_attributes_t *attributes);
383
384/** Reset a key attribute structure to a freshly initialized state.
385 *
386 * You must initialize the attribute structure as described in the
387 * documentation of the type #psa_key_attributes_t before calling this
388 * function. Once the structure has been initialized, you may call this
389 * function at any time.
390 *
391 * This function frees any auxiliary resources that the structure
392 * may contain.
393 *
394 * \param[in,out] attributes The attribute structure to reset.
395 */
396void psa_reset_key_attributes(psa_key_attributes_t *attributes);
397
398/**@}*/
399
400/** \defgroup key_management Key management
401 * @{
402 */
403
404/** Remove non-essential copies of key material from memory.
405 *
406 * If the key identifier designates a volatile key, this functions does not do
407 * anything and returns successfully.
408 *
409 * If the key identifier designates a persistent key, then this function will
410 * free all resources associated with the key in volatile memory. The key
411 * data in persistent storage is not affected and the key can still be used.
412 *
413 * \param key Identifier of the key to purge.
414 *
415 * \retval #PSA_SUCCESS
416 * The key material will have been removed from memory if it is not
417 * currently required.
418 * \retval #PSA_ERROR_INVALID_ARGUMENT
419 * \p key is not a valid key identifier.
420 * \retval #PSA_ERROR_BAD_STATE
421 * The library has not been previously initialized by psa_crypto_init().
422 * It is implementation-dependent whether a failure to initialize
423 * results in this error code.
424 */
425psa_status_t psa_purge_key(mbedtls_svc_key_id_t key);
426
427/** Make a copy of a key.
428 *
429 * Copy key material from one location to another.
430 *
431 * This function is primarily useful to copy a key from one location
432 * to another, since it populates a key using the material from
433 * another key which may have a different lifetime.
434 *
435 * This function may be used to share a key with a different party,
436 * subject to implementation-defined restrictions on key sharing.
437 *
438 * The policy on the source key must have the usage flag
439 * #PSA_KEY_USAGE_COPY set.
440 * This flag is sufficient to permit the copy if the key has the lifetime
441 * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
442 * Some secure elements do not provide a way to copy a key without
443 * making it extractable from the secure element. If a key is located
444 * in such a secure element, then the key must have both usage flags
445 * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
446 * a copy of the key outside the secure element.
447 *
448 * The resulting key may only be used in a way that conforms to
449 * both the policy of the original key and the policy specified in
450 * the \p attributes parameter:
451 * - The usage flags on the resulting key are the bitwise-and of the
452 * usage flags on the source policy and the usage flags in \p attributes.
453 * - If both allow the same algorithm or wildcard-based
454 * algorithm policy, the resulting key has the same algorithm policy.
455 * - If either of the policies allows an algorithm and the other policy
456 * allows a wildcard-based algorithm policy that includes this algorithm,
457 * the resulting key allows the same algorithm.
458 * - If the policies do not allow any algorithm in common, this function
459 * fails with the status #PSA_ERROR_INVALID_ARGUMENT.
460 *
461 * The effect of this function on implementation-defined attributes is
462 * implementation-defined.
463 *
464 * \param source_key The key to copy. It must allow the usage
465 * #PSA_KEY_USAGE_COPY. If a private or secret key is
466 * being copied outside of a secure element it must
467 * also allow #PSA_KEY_USAGE_EXPORT.
468 * \param[in] attributes The attributes for the new key.
469 * They are used as follows:
470 * - The key type and size may be 0. If either is
471 * nonzero, it must match the corresponding
472 * attribute of the source key.
473 * - The key location (the lifetime and, for
474 * persistent keys, the key identifier) is
475 * used directly.
476 * - The policy constraints (usage flags and
477 * algorithm policy) are combined from
478 * the source key and \p attributes so that
479 * both sets of restrictions apply, as
480 * described in the documentation of this function.
481 * \param[out] target_key On success, an identifier for the newly created
482 * key. For persistent keys, this is the key
483 * identifier defined in \p attributes.
484 * \c 0 on failure.
485 *
486 * \retval #PSA_SUCCESS \emptydescription
487 * \retval #PSA_ERROR_INVALID_HANDLE
488 * \p source_key is invalid.
489 * \retval #PSA_ERROR_ALREADY_EXISTS
490 * This is an attempt to create a persistent key, and there is
491 * already a persistent key with the given identifier.
492 * \retval #PSA_ERROR_INVALID_ARGUMENT
493 * The lifetime or identifier in \p attributes are invalid, or
494 * the policy constraints on the source and specified in
495 * \p attributes are incompatible, or
496 * \p attributes specifies a key type or key size
497 * which does not match the attributes of the source key.
498 * \retval #PSA_ERROR_NOT_PERMITTED
499 * The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or
500 * the source key is not exportable and its lifetime does not
501 * allow copying it to the target's lifetime.
502 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
503 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
504 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
505 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
506 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
507 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
508 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
509 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
510 * \retval #PSA_ERROR_BAD_STATE
511 * The library has not been previously initialized by psa_crypto_init().
512 * It is implementation-dependent whether a failure to initialize
513 * results in this error code.
514 */
515psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
516 const psa_key_attributes_t *attributes,
517 mbedtls_svc_key_id_t *target_key);
518
519
520/**
521 * \brief Destroy a key.
522 *
523 * This function destroys a key from both volatile
524 * memory and, if applicable, non-volatile storage. Implementations shall
525 * make a best effort to ensure that the key material cannot be recovered.
526 *
527 * This function also erases any metadata such as policies and frees
528 * resources associated with the key.
529 *
530 * If a key is currently in use in a multipart operation, then destroying the
531 * key will cause the multipart operation to fail.
532 *
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]533 * \warning We can only guarantee that the the key material will
534 * eventually be wiped from memory. With threading enabled
535 * and during concurrent execution, copies of the key material may
536 * still exist until all threads have finished using the key.
537 *
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]538 * \param key Identifier of the key to erase. If this is \c 0, do nothing and
539 * return #PSA_SUCCESS.
540 *
541 * \retval #PSA_SUCCESS
542 * \p key was a valid identifier and the key material that it
543 * referred to has been erased. Alternatively, \p key is \c 0.
544 * \retval #PSA_ERROR_NOT_PERMITTED
545 * The key cannot be erased because it is
546 * read-only, either due to a policy or due to physical restrictions.
547 * \retval #PSA_ERROR_INVALID_HANDLE
548 * \p key is not a valid identifier nor \c 0.
549 * \retval #PSA_ERROR_COMMUNICATION_FAILURE
550 * There was a failure in communication with the cryptoprocessor.
551 * The key material may still be present in the cryptoprocessor.
552 * \retval #PSA_ERROR_DATA_INVALID
553 * This error is typically a result of either storage corruption on a
554 * cleartext storage backend, or an attempt to read data that was
555 * written by an incompatible version of the library.
556 * \retval #PSA_ERROR_STORAGE_FAILURE
557 * The storage is corrupted. Implementations shall make a best effort
558 * to erase key material even in this stage, however applications
559 * should be aware that it may be impossible to guarantee that the
560 * key material is not recoverable in such cases.
561 * \retval #PSA_ERROR_CORRUPTION_DETECTED
562 * An unexpected condition which is not a storage corruption or
563 * a communication failure occurred. The cryptoprocessor may have
564 * been compromised.
565 * \retval #PSA_ERROR_BAD_STATE
566 * The library has not been previously initialized by psa_crypto_init().
567 * It is implementation-dependent whether a failure to initialize
568 * results in this error code.
569 */
570psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key);
571
572/**@}*/
573
574/** \defgroup import_export Key import and export
575 * @{
576 */
577
578/**
579 * \brief Import a key in binary format.
580 *
581 * This function supports any output from psa_export_key(). Refer to the
582 * documentation of psa_export_public_key() for the format of public keys
583 * and to the documentation of psa_export_key() for the format for
584 * other key types.
585 *
586 * The key data determines the key size. The attributes may optionally
587 * specify a key size; in this case it must match the size determined
588 * from the key data. A key size of 0 in \p attributes indicates that
589 * the key size is solely determined by the key data.
590 *
591 * Implementations must reject an attempt to import a key of size 0.
592 *
593 * This specification supports a single format for each key type.
594 * Implementations may support other formats as long as the standard
595 * format is supported. Implementations that support other formats
596 * should ensure that the formats are clearly unambiguous so as to
597 * minimize the risk that an invalid input is accidentally interpreted
598 * according to a different format.
599 *
600 * \param[in] attributes The attributes for the new key.
601 * The key size is always determined from the
602 * \p data buffer.
603 * If the key size in \p attributes is nonzero,
604 * it must be equal to the size from \p data.
605 * \param[out] key On success, an identifier to the newly created key.
606 * For persistent keys, this is the key identifier
607 * defined in \p attributes.
608 * \c 0 on failure.
609 * \param[in] data Buffer containing the key data. The content of this
610 * buffer is interpreted according to the type declared
611 * in \p attributes.
612 * All implementations must support at least the format
613 * described in the documentation
614 * of psa_export_key() or psa_export_public_key() for
615 * the chosen type. Implementations may allow other
616 * formats, but should be conservative: implementations
617 * should err on the side of rejecting content if it
618 * may be erroneous (e.g. wrong type or truncated data).
619 * \param data_length Size of the \p data buffer in bytes.
620 *
621 * \retval #PSA_SUCCESS
622 * Success.
623 * If the key is persistent, the key material and the key's metadata
624 * have been saved to persistent storage.
625 * \retval #PSA_ERROR_ALREADY_EXISTS
626 * This is an attempt to create a persistent key, and there is
627 * already a persistent key with the given identifier.
628 * \retval #PSA_ERROR_NOT_SUPPORTED
629 * The key type or key size is not supported, either by the
630 * implementation in general or in this particular persistent location.
631 * \retval #PSA_ERROR_INVALID_ARGUMENT
632 * The key attributes, as a whole, are invalid, or
633 * the key data is not correctly formatted, or
634 * the size in \p attributes is nonzero and does not match the size
635 * of the key data.
636 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
637 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
638 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
639 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
640 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
641 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
642 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
643 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
644 * \retval #PSA_ERROR_BAD_STATE
645 * The library has not been previously initialized by psa_crypto_init().
646 * It is implementation-dependent whether a failure to initialize
647 * results in this error code.
648 */
649psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
650 const uint8_t *data,
651 size_t data_length,
652 mbedtls_svc_key_id_t *key);
653
654
655
656/**
657 * \brief Export a key in binary format.
658 *
659 * The output of this function can be passed to psa_import_key() to
660 * create an equivalent object.
661 *
662 * If the implementation of psa_import_key() supports other formats
663 * beyond the format specified here, the output from psa_export_key()
664 * must use the representation specified here, not the original
665 * representation.
666 *
667 * For standard key types, the output format is as follows:
668 *
669 * - For symmetric keys (including MAC keys), the format is the
670 * raw bytes of the key.
671 * - For DES, the key data consists of 8 bytes. The parity bits must be
672 * correct.
673 * - For Triple-DES, the format is the concatenation of the
674 * two or three DES keys.
675 * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format
676 * is the non-encrypted DER encoding of the representation defined by
677 * PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0.
678 * ```
679 * RSAPrivateKey ::= SEQUENCE {
680 * version INTEGER, -- must be 0
681 * modulus INTEGER, -- n
682 * publicExponent INTEGER, -- e
683 * privateExponent INTEGER, -- d
684 * prime1 INTEGER, -- p
685 * prime2 INTEGER, -- q
686 * exponent1 INTEGER, -- d mod (p-1)
687 * exponent2 INTEGER, -- d mod (q-1)
688 * coefficient INTEGER, -- (inverse of q) mod p
689 * }
690 * ```
691 * - For elliptic curve key pairs (key types for which
692 * #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is
693 * a representation of the private value as a `ceiling(m/8)`-byte string
694 * where `m` is the bit size associated with the curve, i.e. the bit size
695 * of the order of the curve's coordinate field. This byte string is
696 * in little-endian order for Montgomery curves (curve types
697 * `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
698 * curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
699 * and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
700 * For Weierstrass curves, this is the content of the `privateKey` field of
701 * the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
702 * the format is defined by RFC 7748, and output is masked according to §5.
703 * For twisted Edwards curves, the private key is as defined by RFC 8032
704 * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
705 * - For Diffie-Hellman key exchange key pairs (key types for which
706 * #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
707 * format is the representation of the private key `x` as a big-endian byte
708 * string. The length of the byte string is the private key size in bytes
709 * (leading zeroes are not stripped).
710 * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is
711 * true), the format is the same as for psa_export_public_key().
712 *
713 * The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
714 *
715 * \param key Identifier of the key to export. It must allow the
716 * usage #PSA_KEY_USAGE_EXPORT, unless it is a public
717 * key.
718 * \param[out] data Buffer where the key data is to be written.
719 * \param data_size Size of the \p data buffer in bytes.
720 * \param[out] data_length On success, the number of bytes
721 * that make up the key data.
722 *
723 * \retval #PSA_SUCCESS \emptydescription
724 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
725 * \retval #PSA_ERROR_NOT_PERMITTED
726 * The key does not have the #PSA_KEY_USAGE_EXPORT flag.
727 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
728 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
729 * The size of the \p data buffer is too small. You can determine a
730 * sufficient buffer size by calling
731 * #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits)
732 * where \c type is the key type
733 * and \c bits is the key size in bits.
734 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
735 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
736 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
737 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
738 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
739 * \retval #PSA_ERROR_BAD_STATE
740 * The library has not been previously initialized by psa_crypto_init().
741 * It is implementation-dependent whether a failure to initialize
742 * results in this error code.
743 */
744psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
745 uint8_t *data,
746 size_t data_size,
747 size_t *data_length);
748
749/**
750 * \brief Export a public key or the public part of a key pair in binary format.
751 *
752 * The output of this function can be passed to psa_import_key() to
753 * create an object that is equivalent to the public key.
754 *
755 * This specification supports a single format for each key type.
756 * Implementations may support other formats as long as the standard
757 * format is supported. Implementations that support other formats
758 * should ensure that the formats are clearly unambiguous so as to
759 * minimize the risk that an invalid input is accidentally interpreted
760 * according to a different format.
761 *
762 * For standard key types, the output format is as follows:
763 * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of
764 * the representation defined by RFC 3279 &sect;2.3.1 as `RSAPublicKey`.
765 * ```
766 * RSAPublicKey ::= SEQUENCE {
767 * modulus INTEGER, -- n
768 * publicExponent INTEGER } -- e
769 * ```
770 * - For elliptic curve keys on a twisted Edwards curve (key types for which
771 * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY
772 * returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined
773 * by RFC 8032
774 * (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
775 * - For other elliptic curve public keys (key types for which
776 * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
777 * representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint.
778 * Let `m` be the bit size associated with the curve, i.e. the bit size of
779 * `q` for a curve over `F_q`. The representation consists of:
780 * - The byte 0x04;
781 * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
782 * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
783 * - For Diffie-Hellman key exchange public keys (key types for which
784 * #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true),
785 * the format is the representation of the public key `y = g^x mod p` as a
786 * big-endian byte string. The length of the byte string is the length of the
787 * base prime `p` in bytes.
788 *
789 * Exporting a public key object or the public part of a key pair is
790 * always permitted, regardless of the key's usage flags.
791 *
792 * \param key Identifier of the key to export.
793 * \param[out] data Buffer where the key data is to be written.
794 * \param data_size Size of the \p data buffer in bytes.
795 * \param[out] data_length On success, the number of bytes
796 * that make up the key data.
797 *
798 * \retval #PSA_SUCCESS \emptydescription
799 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
800 * \retval #PSA_ERROR_INVALID_ARGUMENT
801 * The key is neither a public key nor a key pair.
802 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
803 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
804 * The size of the \p data buffer is too small. You can determine a
805 * sufficient buffer size by calling
806 * #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
807 * where \c type is the key type
808 * and \c bits is the key size in bits.
809 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
810 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
811 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
812 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
813 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
814 * \retval #PSA_ERROR_BAD_STATE
815 * The library has not been previously initialized by psa_crypto_init().
816 * It is implementation-dependent whether a failure to initialize
817 * results in this error code.
818 */
819psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
820 uint8_t *data,
821 size_t data_size,
822 size_t *data_length);
823
824
825
826/**@}*/
827
828/** \defgroup hash Message digests
829 * @{
830 */
831
832/** Calculate the hash (digest) of a message.
833 *
834 * \note To verify the hash of a message against an
835 * expected value, use psa_hash_compare() instead.
836 *
837 * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
838 * such that #PSA_ALG_IS_HASH(\p alg) is true).
839 * \param[in] input Buffer containing the message to hash.
840 * \param input_length Size of the \p input buffer in bytes.
841 * \param[out] hash Buffer where the hash is to be written.
842 * \param hash_size Size of the \p hash buffer in bytes.
843 * \param[out] hash_length On success, the number of bytes
844 * that make up the hash value. This is always
845 * #PSA_HASH_LENGTH(\p alg).
846 *
847 * \retval #PSA_SUCCESS
848 * Success.
849 * \retval #PSA_ERROR_NOT_SUPPORTED
850 * \p alg is not supported or is not a hash algorithm.
851 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
852 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
853 * \p hash_size is too small
854 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
855 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
856 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
857 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
858 * \retval #PSA_ERROR_BAD_STATE
859 * The library has not been previously initialized by psa_crypto_init().
860 * It is implementation-dependent whether a failure to initialize
861 * results in this error code.
862 */
863psa_status_t psa_hash_compute(psa_algorithm_t alg,
864 const uint8_t *input,
865 size_t input_length,
866 uint8_t *hash,
867 size_t hash_size,
868 size_t *hash_length);
869
870/** Calculate the hash (digest) of a message and compare it with a
871 * reference value.
872 *
873 * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
874 * such that #PSA_ALG_IS_HASH(\p alg) is true).
875 * \param[in] input Buffer containing the message to hash.
876 * \param input_length Size of the \p input buffer in bytes.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]877 * \param[in] hash Buffer containing the expected hash value.
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]878 * \param hash_length Size of the \p hash buffer in bytes.
879 *
880 * \retval #PSA_SUCCESS
881 * The expected hash is identical to the actual hash of the input.
882 * \retval #PSA_ERROR_INVALID_SIGNATURE
883 * The hash of the message was calculated successfully, but it
884 * differs from the expected hash.
885 * \retval #PSA_ERROR_NOT_SUPPORTED
886 * \p alg is not supported or is not a hash algorithm.
887 * \retval #PSA_ERROR_INVALID_ARGUMENT
888 * \p input_length or \p hash_length do not match the hash size for \p alg
889 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
890 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
891 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
892 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
893 * \retval #PSA_ERROR_BAD_STATE
894 * The library has not been previously initialized by psa_crypto_init().
895 * It is implementation-dependent whether a failure to initialize
896 * results in this error code.
897 */
898psa_status_t psa_hash_compare(psa_algorithm_t alg,
899 const uint8_t *input,
900 size_t input_length,
901 const uint8_t *hash,
902 size_t hash_length);
903
904/** The type of the state data structure for multipart hash operations.
905 *
906 * Before calling any function on a hash operation object, the application must
907 * initialize it by any of the following means:
908 * - Set the structure to all-bits-zero, for example:
909 * \code
910 * psa_hash_operation_t operation;
911 * memset(&operation, 0, sizeof(operation));
912 * \endcode
913 * - Initialize the structure to logical zero values, for example:
914 * \code
915 * psa_hash_operation_t operation = {0};
916 * \endcode
917 * - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT,
918 * for example:
919 * \code
920 * psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
921 * \endcode
922 * - Assign the result of the function psa_hash_operation_init()
923 * to the structure, for example:
924 * \code
925 * psa_hash_operation_t operation;
926 * operation = psa_hash_operation_init();
927 * \endcode
928 *
929 * This is an implementation-defined \c struct. Applications should not
930 * make any assumptions about the content of this structure.
931 * Implementation details can change in future versions without notice. */
932typedef struct psa_hash_operation_s psa_hash_operation_t;
933
934/** \def PSA_HASH_OPERATION_INIT
935 *
936 * This macro returns a suitable initializer for a hash operation object
937 * of type #psa_hash_operation_t.
938 */
939
940/** Return an initial value for a hash operation object.
941 */
942static psa_hash_operation_t psa_hash_operation_init(void);
943
944/** Set up a multipart hash operation.
945 *
946 * The sequence of operations to calculate a hash (message digest)
947 * is as follows:
948 * -# Allocate an operation object which will be passed to all the functions
949 * listed here.
950 * -# Initialize the operation object with one of the methods described in the
951 * documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT.
952 * -# Call psa_hash_setup() to specify the algorithm.
953 * -# Call psa_hash_update() zero, one or more times, passing a fragment
954 * of the message each time. The hash that is calculated is the hash
955 * of the concatenation of these messages in order.
956 * -# To calculate the hash, call psa_hash_finish().
957 * To compare the hash with an expected value, call psa_hash_verify().
958 *
959 * If an error occurs at any step after a call to psa_hash_setup(), the
960 * operation will need to be reset by a call to psa_hash_abort(). The
961 * application may call psa_hash_abort() at any time after the operation
962 * has been initialized.
963 *
964 * After a successful call to psa_hash_setup(), the application must
965 * eventually terminate the operation. The following events terminate an
966 * operation:
967 * - A successful call to psa_hash_finish() or psa_hash_verify().
968 * - A call to psa_hash_abort().
969 *
970 * \param[in,out] operation The operation object to set up. It must have
971 * been initialized as per the documentation for
972 * #psa_hash_operation_t and not yet in use.
973 * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
974 * such that #PSA_ALG_IS_HASH(\p alg) is true).
975 *
976 * \retval #PSA_SUCCESS
977 * Success.
978 * \retval #PSA_ERROR_NOT_SUPPORTED
979 * \p alg is not a supported hash algorithm.
980 * \retval #PSA_ERROR_INVALID_ARGUMENT
981 * \p alg is not a hash algorithm.
982 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
983 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
984 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
985 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
986 * \retval #PSA_ERROR_BAD_STATE
987 * The operation state is not valid (it must be inactive), or
988 * the library has not been previously initialized by psa_crypto_init().
989 * It is implementation-dependent whether a failure to initialize
990 * results in this error code.
991 */
992psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
993 psa_algorithm_t alg);
994
995/** Add a message fragment to a multipart hash operation.
996 *
997 * The application must call psa_hash_setup() before calling this function.
998 *
999 * If this function returns an error status, the operation enters an error
1000 * state and must be aborted by calling psa_hash_abort().
1001 *
1002 * \param[in,out] operation Active hash operation.
1003 * \param[in] input Buffer containing the message fragment to hash.
1004 * \param input_length Size of the \p input buffer in bytes.
1005 *
1006 * \retval #PSA_SUCCESS
1007 * Success.
1008 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1009 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1010 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1011 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1012 * \retval #PSA_ERROR_BAD_STATE
1013 * The operation state is not valid (it must be active), or
1014 * the library has not been previously initialized by psa_crypto_init().
1015 * It is implementation-dependent whether a failure to initialize
1016 * results in this error code.
1017 */
1018psa_status_t psa_hash_update(psa_hash_operation_t *operation,
1019 const uint8_t *input,
1020 size_t input_length);
1021
1022/** Finish the calculation of the hash of a message.
1023 *
1024 * The application must call psa_hash_setup() before calling this function.
1025 * This function calculates the hash of the message formed by concatenating
1026 * the inputs passed to preceding calls to psa_hash_update().
1027 *
1028 * When this function returns successfully, the operation becomes inactive.
1029 * If this function returns an error status, the operation enters an error
1030 * state and must be aborted by calling psa_hash_abort().
1031 *
1032 * \warning Applications should not call this function if they expect
1033 * a specific value for the hash. Call psa_hash_verify() instead.
1034 * Beware that comparing integrity or authenticity data such as
1035 * hash values with a function such as \c memcmp is risky
1036 * because the time taken by the comparison may leak information
1037 * about the hashed data which could allow an attacker to guess
1038 * a valid hash and thereby bypass security controls.
1039 *
1040 * \param[in,out] operation Active hash operation.
1041 * \param[out] hash Buffer where the hash is to be written.
1042 * \param hash_size Size of the \p hash buffer in bytes.
1043 * \param[out] hash_length On success, the number of bytes
1044 * that make up the hash value. This is always
1045 * #PSA_HASH_LENGTH(\c alg) where \c alg is the
1046 * hash algorithm that is calculated.
1047 *
1048 * \retval #PSA_SUCCESS
1049 * Success.
1050 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1051 * The size of the \p hash buffer is too small. You can determine a
1052 * sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
1053 * where \c alg is the hash algorithm that is calculated.
1054 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1055 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1056 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1057 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1058 * \retval #PSA_ERROR_BAD_STATE
1059 * The operation state is not valid (it must be active), or
1060 * the library has not been previously initialized by psa_crypto_init().
1061 * It is implementation-dependent whether a failure to initialize
1062 * results in this error code.
1063 */
1064psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
1065 uint8_t *hash,
1066 size_t hash_size,
1067 size_t *hash_length);
1068
1069/** Finish the calculation of the hash of a message and compare it with
1070 * an expected value.
1071 *
1072 * The application must call psa_hash_setup() before calling this function.
1073 * This function calculates the hash of the message formed by concatenating
1074 * the inputs passed to preceding calls to psa_hash_update(). It then
1075 * compares the calculated hash with the expected hash passed as a
1076 * parameter to this function.
1077 *
1078 * When this function returns successfully, the operation becomes inactive.
1079 * If this function returns an error status, the operation enters an error
1080 * state and must be aborted by calling psa_hash_abort().
1081 *
1082 * \note Implementations shall make the best effort to ensure that the
1083 * comparison between the actual hash and the expected hash is performed
1084 * in constant time.
1085 *
1086 * \param[in,out] operation Active hash operation.
1087 * \param[in] hash Buffer containing the expected hash value.
1088 * \param hash_length Size of the \p hash buffer in bytes.
1089 *
1090 * \retval #PSA_SUCCESS
1091 * The expected hash is identical to the actual hash of the message.
1092 * \retval #PSA_ERROR_INVALID_SIGNATURE
1093 * The hash of the message was calculated successfully, but it
1094 * differs from the expected hash.
1095 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1096 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1097 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1098 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1099 * \retval #PSA_ERROR_BAD_STATE
1100 * The operation state is not valid (it must be active), or
1101 * the library has not been previously initialized by psa_crypto_init().
1102 * It is implementation-dependent whether a failure to initialize
1103 * results in this error code.
1104 */
1105psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
1106 const uint8_t *hash,
1107 size_t hash_length);
1108
1109/** Abort a hash operation.
1110 *
1111 * Aborting an operation frees all associated resources except for the
1112 * \p operation structure itself. Once aborted, the operation object
1113 * can be reused for another operation by calling
1114 * psa_hash_setup() again.
1115 *
1116 * You may call this function any time after the operation object has
1117 * been initialized by one of the methods described in #psa_hash_operation_t.
1118 *
1119 * In particular, calling psa_hash_abort() after the operation has been
1120 * terminated by a call to psa_hash_abort(), psa_hash_finish() or
1121 * psa_hash_verify() is safe and has no effect.
1122 *
1123 * \param[in,out] operation Initialized hash operation.
1124 *
1125 * \retval #PSA_SUCCESS \emptydescription
1126 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1127 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1128 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1129 * \retval #PSA_ERROR_BAD_STATE
1130 * The library has not been previously initialized by psa_crypto_init().
1131 * It is implementation-dependent whether a failure to initialize
1132 * results in this error code.
1133 */
1134psa_status_t psa_hash_abort(psa_hash_operation_t *operation);
1135
1136/** Clone a hash operation.
1137 *
1138 * This function copies the state of an ongoing hash operation to
1139 * a new operation object. In other words, this function is equivalent
1140 * to calling psa_hash_setup() on \p target_operation with the same
1141 * algorithm that \p source_operation was set up for, then
1142 * psa_hash_update() on \p target_operation with the same input that
1143 * that was passed to \p source_operation. After this function returns, the
1144 * two objects are independent, i.e. subsequent calls involving one of
1145 * the objects do not affect the other object.
1146 *
1147 * \param[in] source_operation The active hash operation to clone.
1148 * \param[in,out] target_operation The operation object to set up.
1149 * It must be initialized but not active.
1150 *
1151 * \retval #PSA_SUCCESS \emptydescription
1152 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1153 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1154 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1155 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1156 * \retval #PSA_ERROR_BAD_STATE
1157 * The \p source_operation state is not valid (it must be active), or
1158 * the \p target_operation state is not valid (it must be inactive), or
1159 * the library has not been previously initialized by psa_crypto_init().
1160 * It is implementation-dependent whether a failure to initialize
1161 * results in this error code.
1162 */
1163psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
1164 psa_hash_operation_t *target_operation);
1165
1166/**@}*/
1167
1168/** \defgroup MAC Message authentication codes
1169 * @{
1170 */
1171
1172/** Calculate the MAC (message authentication code) of a message.
1173 *
1174 * \note To verify the MAC of a message against an
1175 * expected value, use psa_mac_verify() instead.
1176 * Beware that comparing integrity or authenticity data such as
1177 * MAC values with a function such as \c memcmp is risky
1178 * because the time taken by the comparison may leak information
1179 * about the MAC value which could allow an attacker to guess
1180 * a valid MAC and thereby bypass security controls.
1181 *
1182 * \param key Identifier of the key to use for the operation. It
1183 * must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
1184 * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1185 * such that #PSA_ALG_IS_MAC(\p alg) is true).
1186 * \param[in] input Buffer containing the input message.
1187 * \param input_length Size of the \p input buffer in bytes.
1188 * \param[out] mac Buffer where the MAC value is to be written.
1189 * \param mac_size Size of the \p mac buffer in bytes.
1190 * \param[out] mac_length On success, the number of bytes
1191 * that make up the MAC value.
1192 *
1193 * \retval #PSA_SUCCESS
1194 * Success.
1195 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1196 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1197 * \retval #PSA_ERROR_INVALID_ARGUMENT
1198 * \p key is not compatible with \p alg.
1199 * \retval #PSA_ERROR_NOT_SUPPORTED
1200 * \p alg is not supported or is not a MAC algorithm.
1201 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1202 * \p mac_size is too small
1203 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1204 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1205 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1206 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1207 * \retval #PSA_ERROR_STORAGE_FAILURE
1208 * The key could not be retrieved from storage.
1209 * \retval #PSA_ERROR_BAD_STATE
1210 * The library has not been previously initialized by psa_crypto_init().
1211 * It is implementation-dependent whether a failure to initialize
1212 * results in this error code.
1213 */
1214psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
1215 psa_algorithm_t alg,
1216 const uint8_t *input,
1217 size_t input_length,
1218 uint8_t *mac,
1219 size_t mac_size,
1220 size_t *mac_length);
1221
1222/** Calculate the MAC of a message and compare it with a reference value.
1223 *
1224 * \param key Identifier of the key to use for the operation. It
1225 * must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE.
1226 * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1227 * such that #PSA_ALG_IS_MAC(\p alg) is true).
1228 * \param[in] input Buffer containing the input message.
1229 * \param input_length Size of the \p input buffer in bytes.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]1230 * \param[in] mac Buffer containing the expected MAC value.
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]1231 * \param mac_length Size of the \p mac buffer in bytes.
1232 *
1233 * \retval #PSA_SUCCESS
1234 * The expected MAC is identical to the actual MAC of the input.
1235 * \retval #PSA_ERROR_INVALID_SIGNATURE
1236 * The MAC of the message was calculated successfully, but it
1237 * differs from the expected value.
1238 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1239 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1240 * \retval #PSA_ERROR_INVALID_ARGUMENT
1241 * \p key is not compatible with \p alg.
1242 * \retval #PSA_ERROR_NOT_SUPPORTED
1243 * \p alg is not supported or is not a MAC algorithm.
1244 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1245 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1246 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1247 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1248 * \retval #PSA_ERROR_STORAGE_FAILURE
1249 * The key could not be retrieved from storage.
1250 * \retval #PSA_ERROR_BAD_STATE
1251 * The library has not been previously initialized by psa_crypto_init().
1252 * It is implementation-dependent whether a failure to initialize
1253 * results in this error code.
1254 */
1255psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
1256 psa_algorithm_t alg,
1257 const uint8_t *input,
1258 size_t input_length,
1259 const uint8_t *mac,
1260 size_t mac_length);
1261
1262/** The type of the state data structure for multipart MAC operations.
1263 *
1264 * Before calling any function on a MAC operation object, the application must
1265 * initialize it by any of the following means:
1266 * - Set the structure to all-bits-zero, for example:
1267 * \code
1268 * psa_mac_operation_t operation;
1269 * memset(&operation, 0, sizeof(operation));
1270 * \endcode
1271 * - Initialize the structure to logical zero values, for example:
1272 * \code
1273 * psa_mac_operation_t operation = {0};
1274 * \endcode
1275 * - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT,
1276 * for example:
1277 * \code
1278 * psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
1279 * \endcode
1280 * - Assign the result of the function psa_mac_operation_init()
1281 * to the structure, for example:
1282 * \code
1283 * psa_mac_operation_t operation;
1284 * operation = psa_mac_operation_init();
1285 * \endcode
1286 *
1287 *
1288 * This is an implementation-defined \c struct. Applications should not
1289 * make any assumptions about the content of this structure.
1290 * Implementation details can change in future versions without notice. */
1291typedef struct psa_mac_operation_s psa_mac_operation_t;
1292
1293/** \def PSA_MAC_OPERATION_INIT
1294 *
1295 * This macro returns a suitable initializer for a MAC operation object of type
1296 * #psa_mac_operation_t.
1297 */
1298
1299/** Return an initial value for a MAC operation object.
1300 */
1301static psa_mac_operation_t psa_mac_operation_init(void);
1302
1303/** Set up a multipart MAC calculation operation.
1304 *
1305 * This function sets up the calculation of the MAC
1306 * (message authentication code) of a byte string.
1307 * To verify the MAC of a message against an
1308 * expected value, use psa_mac_verify_setup() instead.
1309 *
1310 * The sequence of operations to calculate a MAC is as follows:
1311 * -# Allocate an operation object which will be passed to all the functions
1312 * listed here.
1313 * -# Initialize the operation object with one of the methods described in the
1314 * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
1315 * -# Call psa_mac_sign_setup() to specify the algorithm and key.
1316 * -# Call psa_mac_update() zero, one or more times, passing a fragment
1317 * of the message each time. The MAC that is calculated is the MAC
1318 * of the concatenation of these messages in order.
1319 * -# At the end of the message, call psa_mac_sign_finish() to finish
1320 * calculating the MAC value and retrieve it.
1321 *
1322 * If an error occurs at any step after a call to psa_mac_sign_setup(), the
1323 * operation will need to be reset by a call to psa_mac_abort(). The
1324 * application may call psa_mac_abort() at any time after the operation
1325 * has been initialized.
1326 *
1327 * After a successful call to psa_mac_sign_setup(), the application must
1328 * eventually terminate the operation through one of the following methods:
1329 * - A successful call to psa_mac_sign_finish().
1330 * - A call to psa_mac_abort().
1331 *
1332 * \param[in,out] operation The operation object to set up. It must have
1333 * been initialized as per the documentation for
1334 * #psa_mac_operation_t and not yet in use.
1335 * \param key Identifier of the key to use for the operation. It
1336 * must remain valid until the operation terminates.
1337 * It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
1338 * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1339 * such that #PSA_ALG_IS_MAC(\p alg) is true).
1340 *
1341 * \retval #PSA_SUCCESS
1342 * Success.
1343 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1344 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1345 * \retval #PSA_ERROR_INVALID_ARGUMENT
1346 * \p key is not compatible with \p alg.
1347 * \retval #PSA_ERROR_NOT_SUPPORTED
1348 * \p alg is not supported or is not a MAC algorithm.
1349 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1350 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1351 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1352 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1353 * \retval #PSA_ERROR_STORAGE_FAILURE
1354 * The key could not be retrieved from storage.
1355 * \retval #PSA_ERROR_BAD_STATE
1356 * The operation state is not valid (it must be inactive), or
1357 * the library has not been previously initialized by psa_crypto_init().
1358 * It is implementation-dependent whether a failure to initialize
1359 * results in this error code.
1360 */
1361psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
1362 mbedtls_svc_key_id_t key,
1363 psa_algorithm_t alg);
1364
1365/** Set up a multipart MAC verification operation.
1366 *
1367 * This function sets up the verification of the MAC
1368 * (message authentication code) of a byte string against an expected value.
1369 *
1370 * The sequence of operations to verify a MAC is as follows:
1371 * -# Allocate an operation object which will be passed to all the functions
1372 * listed here.
1373 * -# Initialize the operation object with one of the methods described in the
1374 * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
1375 * -# Call psa_mac_verify_setup() to specify the algorithm and key.
1376 * -# Call psa_mac_update() zero, one or more times, passing a fragment
1377 * of the message each time. The MAC that is calculated is the MAC
1378 * of the concatenation of these messages in order.
1379 * -# At the end of the message, call psa_mac_verify_finish() to finish
1380 * calculating the actual MAC of the message and verify it against
1381 * the expected value.
1382 *
1383 * If an error occurs at any step after a call to psa_mac_verify_setup(), the
1384 * operation will need to be reset by a call to psa_mac_abort(). The
1385 * application may call psa_mac_abort() at any time after the operation
1386 * has been initialized.
1387 *
1388 * After a successful call to psa_mac_verify_setup(), the application must
1389 * eventually terminate the operation through one of the following methods:
1390 * - A successful call to psa_mac_verify_finish().
1391 * - A call to psa_mac_abort().
1392 *
1393 * \param[in,out] operation The operation object to set up. It must have
1394 * been initialized as per the documentation for
1395 * #psa_mac_operation_t and not yet in use.
1396 * \param key Identifier of the key to use for the operation. It
1397 * must remain valid until the operation terminates.
1398 * It must allow the usage
1399 * PSA_KEY_USAGE_VERIFY_MESSAGE.
1400 * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1401 * such that #PSA_ALG_IS_MAC(\p alg) is true).
1402 *
1403 * \retval #PSA_SUCCESS
1404 * Success.
1405 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1406 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1407 * \retval #PSA_ERROR_INVALID_ARGUMENT
1408 * \c key is not compatible with \c alg.
1409 * \retval #PSA_ERROR_NOT_SUPPORTED
1410 * \c alg is not supported or is not a MAC algorithm.
1411 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1412 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1413 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1414 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1415 * \retval #PSA_ERROR_STORAGE_FAILURE
1416 * The key could not be retrieved from storage.
1417 * \retval #PSA_ERROR_BAD_STATE
1418 * The operation state is not valid (it must be inactive), or
1419 * the library has not been previously initialized by psa_crypto_init().
1420 * It is implementation-dependent whether a failure to initialize
1421 * results in this error code.
1422 */
1423psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
1424 mbedtls_svc_key_id_t key,
1425 psa_algorithm_t alg);
1426
1427/** Add a message fragment to a multipart MAC operation.
1428 *
1429 * The application must call psa_mac_sign_setup() or psa_mac_verify_setup()
1430 * before calling this function.
1431 *
1432 * If this function returns an error status, the operation enters an error
1433 * state and must be aborted by calling psa_mac_abort().
1434 *
1435 * \param[in,out] operation Active MAC operation.
1436 * \param[in] input Buffer containing the message fragment to add to
1437 * the MAC calculation.
1438 * \param input_length Size of the \p input buffer in bytes.
1439 *
1440 * \retval #PSA_SUCCESS
1441 * Success.
1442 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1443 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1444 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1445 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1446 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1447 * \retval #PSA_ERROR_BAD_STATE
1448 * The operation state is not valid (it must be active), or
1449 * the library has not been previously initialized by psa_crypto_init().
1450 * It is implementation-dependent whether a failure to initialize
1451 * results in this error code.
1452 */
1453psa_status_t psa_mac_update(psa_mac_operation_t *operation,
1454 const uint8_t *input,
1455 size_t input_length);
1456
1457/** Finish the calculation of the MAC of a message.
1458 *
1459 * The application must call psa_mac_sign_setup() before calling this function.
1460 * This function calculates the MAC of the message formed by concatenating
1461 * the inputs passed to preceding calls to psa_mac_update().
1462 *
1463 * When this function returns successfully, the operation becomes inactive.
1464 * If this function returns an error status, the operation enters an error
1465 * state and must be aborted by calling psa_mac_abort().
1466 *
1467 * \warning Applications should not call this function if they expect
1468 * a specific value for the MAC. Call psa_mac_verify_finish() instead.
1469 * Beware that comparing integrity or authenticity data such as
1470 * MAC values with a function such as \c memcmp is risky
1471 * because the time taken by the comparison may leak information
1472 * about the MAC value which could allow an attacker to guess
1473 * a valid MAC and thereby bypass security controls.
1474 *
1475 * \param[in,out] operation Active MAC operation.
1476 * \param[out] mac Buffer where the MAC value is to be written.
1477 * \param mac_size Size of the \p mac buffer in bytes.
1478 * \param[out] mac_length On success, the number of bytes
1479 * that make up the MAC value. This is always
1480 * #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg)
1481 * where \c key_type and \c key_bits are the type and
1482 * bit-size respectively of the key and \c alg is the
1483 * MAC algorithm that is calculated.
1484 *
1485 * \retval #PSA_SUCCESS
1486 * Success.
1487 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1488 * The size of the \p mac buffer is too small. You can determine a
1489 * sufficient buffer size by calling PSA_MAC_LENGTH().
1490 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1491 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1492 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1493 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1494 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1495 * \retval #PSA_ERROR_BAD_STATE
1496 * The operation state is not valid (it must be an active mac sign
1497 * operation), or the library has not been previously initialized
1498 * by psa_crypto_init().
1499 * It is implementation-dependent whether a failure to initialize
1500 * results in this error code.
1501 */
1502psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
1503 uint8_t *mac,
1504 size_t mac_size,
1505 size_t *mac_length);
1506
1507/** Finish the calculation of the MAC of a message and compare it with
1508 * an expected value.
1509 *
1510 * The application must call psa_mac_verify_setup() before calling this function.
1511 * This function calculates the MAC of the message formed by concatenating
1512 * the inputs passed to preceding calls to psa_mac_update(). It then
1513 * compares the calculated MAC with the expected MAC passed as a
1514 * parameter to this function.
1515 *
1516 * When this function returns successfully, the operation becomes inactive.
1517 * If this function returns an error status, the operation enters an error
1518 * state and must be aborted by calling psa_mac_abort().
1519 *
1520 * \note Implementations shall make the best effort to ensure that the
1521 * comparison between the actual MAC and the expected MAC is performed
1522 * in constant time.
1523 *
1524 * \param[in,out] operation Active MAC operation.
1525 * \param[in] mac Buffer containing the expected MAC value.
1526 * \param mac_length Size of the \p mac buffer in bytes.
1527 *
1528 * \retval #PSA_SUCCESS
1529 * The expected MAC is identical to the actual MAC of the message.
1530 * \retval #PSA_ERROR_INVALID_SIGNATURE
1531 * The MAC of the message was calculated successfully, but it
1532 * differs from the expected MAC.
1533 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1534 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1535 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1536 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1537 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1538 * \retval #PSA_ERROR_BAD_STATE
1539 * The operation state is not valid (it must be an active mac verify
1540 * operation), or the library has not been previously initialized
1541 * by psa_crypto_init().
1542 * It is implementation-dependent whether a failure to initialize
1543 * results in this error code.
1544 */
1545psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
1546 const uint8_t *mac,
1547 size_t mac_length);
1548
1549/** Abort a MAC operation.
1550 *
1551 * Aborting an operation frees all associated resources except for the
1552 * \p operation structure itself. Once aborted, the operation object
1553 * can be reused for another operation by calling
1554 * psa_mac_sign_setup() or psa_mac_verify_setup() again.
1555 *
1556 * You may call this function any time after the operation object has
1557 * been initialized by one of the methods described in #psa_mac_operation_t.
1558 *
1559 * In particular, calling psa_mac_abort() after the operation has been
1560 * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or
1561 * psa_mac_verify_finish() is safe and has no effect.
1562 *
1563 * \param[in,out] operation Initialized MAC operation.
1564 *
1565 * \retval #PSA_SUCCESS \emptydescription
1566 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1567 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1568 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1569 * \retval #PSA_ERROR_BAD_STATE
1570 * The library has not been previously initialized by psa_crypto_init().
1571 * It is implementation-dependent whether a failure to initialize
1572 * results in this error code.
1573 */
1574psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
1575
1576/**@}*/
1577
1578/** \defgroup cipher Symmetric ciphers
1579 * @{
1580 */
1581
1582/** Encrypt a message using a symmetric cipher.
1583 *
1584 * This function encrypts a message with a random IV (initialization
1585 * vector). Use the multipart operation interface with a
1586 * #psa_cipher_operation_t object to provide other forms of IV.
1587 *
1588 * \param key Identifier of the key to use for the operation.
1589 * It must allow the usage #PSA_KEY_USAGE_ENCRYPT.
1590 * \param alg The cipher algorithm to compute
1591 * (\c PSA_ALG_XXX value such that
1592 * #PSA_ALG_IS_CIPHER(\p alg) is true).
1593 * \param[in] input Buffer containing the message to encrypt.
1594 * \param input_length Size of the \p input buffer in bytes.
1595 * \param[out] output Buffer where the output is to be written.
1596 * The output contains the IV followed by
1597 * the ciphertext proper.
1598 * \param output_size Size of the \p output buffer in bytes.
1599 * \param[out] output_length On success, the number of bytes
1600 * that make up the output.
1601 *
1602 * \retval #PSA_SUCCESS
1603 * Success.
1604 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1605 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1606 * \retval #PSA_ERROR_INVALID_ARGUMENT
1607 * \p key is not compatible with \p alg.
1608 * \retval #PSA_ERROR_NOT_SUPPORTED
1609 * \p alg is not supported or is not a cipher algorithm.
1610 * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
1611 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1612 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1613 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1614 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1615 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1616 * \retval #PSA_ERROR_BAD_STATE
1617 * The library has not been previously initialized by psa_crypto_init().
1618 * It is implementation-dependent whether a failure to initialize
1619 * results in this error code.
1620 */
1621psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
1622 psa_algorithm_t alg,
1623 const uint8_t *input,
1624 size_t input_length,
1625 uint8_t *output,
1626 size_t output_size,
1627 size_t *output_length);
1628
1629/** Decrypt a message using a symmetric cipher.
1630 *
1631 * This function decrypts a message encrypted with a symmetric cipher.
1632 *
1633 * \param key Identifier of the key to use for the operation.
1634 * It must remain valid until the operation
1635 * terminates. It must allow the usage
1636 * #PSA_KEY_USAGE_DECRYPT.
1637 * \param alg The cipher algorithm to compute
1638 * (\c PSA_ALG_XXX value such that
1639 * #PSA_ALG_IS_CIPHER(\p alg) is true).
1640 * \param[in] input Buffer containing the message to decrypt.
1641 * This consists of the IV followed by the
1642 * ciphertext proper.
1643 * \param input_length Size of the \p input buffer in bytes.
1644 * \param[out] output Buffer where the plaintext is to be written.
1645 * \param output_size Size of the \p output buffer in bytes.
1646 * \param[out] output_length On success, the number of bytes
1647 * that make up the output.
1648 *
1649 * \retval #PSA_SUCCESS
1650 * Success.
1651 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1652 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1653 * \retval #PSA_ERROR_INVALID_ARGUMENT
1654 * \p key is not compatible with \p alg.
1655 * \retval #PSA_ERROR_NOT_SUPPORTED
1656 * \p alg is not supported or is not a cipher algorithm.
1657 * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
1658 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1659 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1660 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1661 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1662 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1663 * \retval #PSA_ERROR_BAD_STATE
1664 * The library has not been previously initialized by psa_crypto_init().
1665 * It is implementation-dependent whether a failure to initialize
1666 * results in this error code.
1667 */
1668psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
1669 psa_algorithm_t alg,
1670 const uint8_t *input,
1671 size_t input_length,
1672 uint8_t *output,
1673 size_t output_size,
1674 size_t *output_length);
1675
1676/** The type of the state data structure for multipart cipher operations.
1677 *
1678 * Before calling any function on a cipher operation object, the application
1679 * must initialize it by any of the following means:
1680 * - Set the structure to all-bits-zero, for example:
1681 * \code
1682 * psa_cipher_operation_t operation;
1683 * memset(&operation, 0, sizeof(operation));
1684 * \endcode
1685 * - Initialize the structure to logical zero values, for example:
1686 * \code
1687 * psa_cipher_operation_t operation = {0};
1688 * \endcode
1689 * - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT,
1690 * for example:
1691 * \code
1692 * psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
1693 * \endcode
1694 * - Assign the result of the function psa_cipher_operation_init()
1695 * to the structure, for example:
1696 * \code
1697 * psa_cipher_operation_t operation;
1698 * operation = psa_cipher_operation_init();
1699 * \endcode
1700 *
1701 * This is an implementation-defined \c struct. Applications should not
1702 * make any assumptions about the content of this structure.
1703 * Implementation details can change in future versions without notice. */
1704typedef struct psa_cipher_operation_s psa_cipher_operation_t;
1705
1706/** \def PSA_CIPHER_OPERATION_INIT
1707 *
1708 * This macro returns a suitable initializer for a cipher operation object of
1709 * type #psa_cipher_operation_t.
1710 */
1711
1712/** Return an initial value for a cipher operation object.
1713 */
1714static psa_cipher_operation_t psa_cipher_operation_init(void);
1715
1716/** Set the key for a multipart symmetric encryption operation.
1717 *
1718 * The sequence of operations to encrypt a message with a symmetric cipher
1719 * is as follows:
1720 * -# Allocate an operation object which will be passed to all the functions
1721 * listed here.
1722 * -# Initialize the operation object with one of the methods described in the
1723 * documentation for #psa_cipher_operation_t, e.g.
1724 * #PSA_CIPHER_OPERATION_INIT.
1725 * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key.
1726 * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to
1727 * generate or set the IV (initialization vector). You should use
1728 * psa_cipher_generate_iv() unless the protocol you are implementing
1729 * requires a specific IV value.
1730 * -# Call psa_cipher_update() zero, one or more times, passing a fragment
1731 * of the message each time.
1732 * -# Call psa_cipher_finish().
1733 *
1734 * If an error occurs at any step after a call to psa_cipher_encrypt_setup(),
1735 * the operation will need to be reset by a call to psa_cipher_abort(). The
1736 * application may call psa_cipher_abort() at any time after the operation
1737 * has been initialized.
1738 *
1739 * After a successful call to psa_cipher_encrypt_setup(), the application must
1740 * eventually terminate the operation. The following events terminate an
1741 * operation:
1742 * - A successful call to psa_cipher_finish().
1743 * - A call to psa_cipher_abort().
1744 *
1745 * \param[in,out] operation The operation object to set up. It must have
1746 * been initialized as per the documentation for
1747 * #psa_cipher_operation_t and not yet in use.
1748 * \param key Identifier of the key to use for the operation.
1749 * It must remain valid until the operation
1750 * terminates. It must allow the usage
1751 * #PSA_KEY_USAGE_ENCRYPT.
1752 * \param alg The cipher algorithm to compute
1753 * (\c PSA_ALG_XXX value such that
1754 * #PSA_ALG_IS_CIPHER(\p alg) is true).
1755 *
1756 * \retval #PSA_SUCCESS
1757 * Success.
1758 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1759 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1760 * \retval #PSA_ERROR_INVALID_ARGUMENT
1761 * \p key is not compatible with \p alg.
1762 * \retval #PSA_ERROR_NOT_SUPPORTED
1763 * \p alg is not supported or is not a cipher algorithm.
1764 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1765 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1766 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1767 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1768 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1769 * \retval #PSA_ERROR_BAD_STATE
1770 * The operation state is not valid (it must be inactive), or
1771 * the library has not been previously initialized by psa_crypto_init().
1772 * It is implementation-dependent whether a failure to initialize
1773 * results in this error code.
1774 */
1775psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
1776 mbedtls_svc_key_id_t key,
1777 psa_algorithm_t alg);
1778
1779/** Set the key for a multipart symmetric decryption operation.
1780 *
1781 * The sequence of operations to decrypt a message with a symmetric cipher
1782 * is as follows:
1783 * -# Allocate an operation object which will be passed to all the functions
1784 * listed here.
1785 * -# Initialize the operation object with one of the methods described in the
1786 * documentation for #psa_cipher_operation_t, e.g.
1787 * #PSA_CIPHER_OPERATION_INIT.
1788 * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key.
1789 * -# Call psa_cipher_set_iv() with the IV (initialization vector) for the
1790 * decryption. If the IV is prepended to the ciphertext, you can call
1791 * psa_cipher_update() on a buffer containing the IV followed by the
1792 * beginning of the message.
1793 * -# Call psa_cipher_update() zero, one or more times, passing a fragment
1794 * of the message each time.
1795 * -# Call psa_cipher_finish().
1796 *
1797 * If an error occurs at any step after a call to psa_cipher_decrypt_setup(),
1798 * the operation will need to be reset by a call to psa_cipher_abort(). The
1799 * application may call psa_cipher_abort() at any time after the operation
1800 * has been initialized.
1801 *
1802 * After a successful call to psa_cipher_decrypt_setup(), the application must
1803 * eventually terminate the operation. The following events terminate an
1804 * operation:
1805 * - A successful call to psa_cipher_finish().
1806 * - A call to psa_cipher_abort().
1807 *
1808 * \param[in,out] operation The operation object to set up. It must have
1809 * been initialized as per the documentation for
1810 * #psa_cipher_operation_t and not yet in use.
1811 * \param key Identifier of the key to use for the operation.
1812 * It must remain valid until the operation
1813 * terminates. It must allow the usage
1814 * #PSA_KEY_USAGE_DECRYPT.
1815 * \param alg The cipher algorithm to compute
1816 * (\c PSA_ALG_XXX value such that
1817 * #PSA_ALG_IS_CIPHER(\p alg) is true).
1818 *
1819 * \retval #PSA_SUCCESS
1820 * Success.
1821 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1822 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1823 * \retval #PSA_ERROR_INVALID_ARGUMENT
1824 * \p key is not compatible with \p alg.
1825 * \retval #PSA_ERROR_NOT_SUPPORTED
1826 * \p alg is not supported or is not a cipher algorithm.
1827 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1828 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1829 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1830 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1831 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1832 * \retval #PSA_ERROR_BAD_STATE
1833 * The operation state is not valid (it must be inactive), or
1834 * the library has not been previously initialized by psa_crypto_init().
1835 * It is implementation-dependent whether a failure to initialize
1836 * results in this error code.
1837 */
1838psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
1839 mbedtls_svc_key_id_t key,
1840 psa_algorithm_t alg);
1841
1842/** Generate an IV for a symmetric encryption operation.
1843 *
1844 * This function generates a random IV (initialization vector), nonce
1845 * or initial counter value for the encryption operation as appropriate
1846 * for the chosen algorithm, key type and key size.
1847 *
1848 * The application must call psa_cipher_encrypt_setup() before
1849 * calling this function.
1850 *
1851 * If this function returns an error status, the operation enters an error
1852 * state and must be aborted by calling psa_cipher_abort().
1853 *
1854 * \param[in,out] operation Active cipher operation.
1855 * \param[out] iv Buffer where the generated IV is to be written.
1856 * \param iv_size Size of the \p iv buffer in bytes.
1857 * \param[out] iv_length On success, the number of bytes of the
1858 * generated IV.
1859 *
1860 * \retval #PSA_SUCCESS
1861 * Success.
1862 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1863 * The size of the \p iv buffer is too small.
1864 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1865 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1866 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1867 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1868 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1869 * \retval #PSA_ERROR_BAD_STATE
1870 * The operation state is not valid (it must be active, with no IV set),
1871 * or the library has not been previously initialized
1872 * by psa_crypto_init().
1873 * It is implementation-dependent whether a failure to initialize
1874 * results in this error code.
1875 */
1876psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
1877 uint8_t *iv,
1878 size_t iv_size,
1879 size_t *iv_length);
1880
1881/** Set the IV for a symmetric encryption or decryption operation.
1882 *
1883 * This function sets the IV (initialization vector), nonce
1884 * or initial counter value for the encryption or decryption operation.
1885 *
1886 * The application must call psa_cipher_encrypt_setup() before
1887 * calling this function.
1888 *
1889 * If this function returns an error status, the operation enters an error
1890 * state and must be aborted by calling psa_cipher_abort().
1891 *
1892 * \note When encrypting, applications should use psa_cipher_generate_iv()
1893 * instead of this function, unless implementing a protocol that requires
1894 * a non-random IV.
1895 *
1896 * \param[in,out] operation Active cipher operation.
1897 * \param[in] iv Buffer containing the IV to use.
1898 * \param iv_length Size of the IV in bytes.
1899 *
1900 * \retval #PSA_SUCCESS
1901 * Success.
1902 * \retval #PSA_ERROR_INVALID_ARGUMENT
1903 * The size of \p iv is not acceptable for the chosen algorithm,
1904 * or the chosen algorithm does not use an IV.
1905 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1906 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1907 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1908 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1909 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1910 * \retval #PSA_ERROR_BAD_STATE
1911 * The operation state is not valid (it must be an active cipher
1912 * encrypt operation, with no IV set), or the library has not been
1913 * previously initialized by psa_crypto_init().
1914 * It is implementation-dependent whether a failure to initialize
1915 * results in this error code.
1916 */
1917psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
1918 const uint8_t *iv,
1919 size_t iv_length);
1920
1921/** Encrypt or decrypt a message fragment in an active cipher operation.
1922 *
1923 * Before calling this function, you must:
1924 * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup().
1925 * The choice of setup function determines whether this function
1926 * encrypts or decrypts its input.
1927 * 2. If the algorithm requires an IV, call psa_cipher_generate_iv()
1928 * (recommended when encrypting) or psa_cipher_set_iv().
1929 *
1930 * If this function returns an error status, the operation enters an error
1931 * state and must be aborted by calling psa_cipher_abort().
1932 *
1933 * \param[in,out] operation Active cipher operation.
1934 * \param[in] input Buffer containing the message fragment to
1935 * encrypt or decrypt.
1936 * \param input_length Size of the \p input buffer in bytes.
1937 * \param[out] output Buffer where the output is to be written.
1938 * \param output_size Size of the \p output buffer in bytes.
1939 * \param[out] output_length On success, the number of bytes
1940 * that make up the returned output.
1941 *
1942 * \retval #PSA_SUCCESS
1943 * Success.
1944 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1945 * The size of the \p output buffer is too small.
1946 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1947 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1948 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1949 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1950 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1951 * \retval #PSA_ERROR_BAD_STATE
1952 * The operation state is not valid (it must be active, with an IV set
1953 * if required for the algorithm), or the library has not been
1954 * previously initialized by psa_crypto_init().
1955 * It is implementation-dependent whether a failure to initialize
1956 * results in this error code.
1957 */
1958psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
1959 const uint8_t *input,
1960 size_t input_length,
1961 uint8_t *output,
1962 size_t output_size,
1963 size_t *output_length);
1964
1965/** Finish encrypting or decrypting a message in a cipher operation.
1966 *
1967 * The application must call psa_cipher_encrypt_setup() or
1968 * psa_cipher_decrypt_setup() before calling this function. The choice
1969 * of setup function determines whether this function encrypts or
1970 * decrypts its input.
1971 *
1972 * This function finishes the encryption or decryption of the message
1973 * formed by concatenating the inputs passed to preceding calls to
1974 * psa_cipher_update().
1975 *
1976 * When this function returns successfully, the operation becomes inactive.
1977 * If this function returns an error status, the operation enters an error
1978 * state and must be aborted by calling psa_cipher_abort().
1979 *
1980 * \param[in,out] operation Active cipher operation.
1981 * \param[out] output Buffer where the output is to be written.
1982 * \param output_size Size of the \p output buffer in bytes.
1983 * \param[out] output_length On success, the number of bytes
1984 * that make up the returned output.
1985 *
1986 * \retval #PSA_SUCCESS
1987 * Success.
1988 * \retval #PSA_ERROR_INVALID_ARGUMENT
1989 * The total input size passed to this operation is not valid for
1990 * this particular algorithm. For example, the algorithm is a based
1991 * on block cipher and requires a whole number of blocks, but the
1992 * total input size is not a multiple of the block size.
1993 * \retval #PSA_ERROR_INVALID_PADDING
1994 * This is a decryption operation for an algorithm that includes
1995 * padding, and the ciphertext does not contain valid padding.
1996 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1997 * The size of the \p output buffer is too small.
1998 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1999 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2000 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2001 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2002 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2003 * \retval #PSA_ERROR_BAD_STATE
2004 * The operation state is not valid (it must be active, with an IV set
2005 * if required for the algorithm), or the library has not been
2006 * previously initialized by psa_crypto_init().
2007 * It is implementation-dependent whether a failure to initialize
2008 * results in this error code.
2009 */
2010psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
2011 uint8_t *output,
2012 size_t output_size,
2013 size_t *output_length);
2014
2015/** Abort a cipher operation.
2016 *
2017 * Aborting an operation frees all associated resources except for the
2018 * \p operation structure itself. Once aborted, the operation object
2019 * can be reused for another operation by calling
2020 * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again.
2021 *
2022 * You may call this function any time after the operation object has
2023 * been initialized as described in #psa_cipher_operation_t.
2024 *
2025 * In particular, calling psa_cipher_abort() after the operation has been
2026 * terminated by a call to psa_cipher_abort() or psa_cipher_finish()
2027 * is safe and has no effect.
2028 *
2029 * \param[in,out] operation Initialized cipher operation.
2030 *
2031 * \retval #PSA_SUCCESS \emptydescription
2032 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2033 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2034 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2035 * \retval #PSA_ERROR_BAD_STATE
2036 * The library has not been previously initialized by psa_crypto_init().
2037 * It is implementation-dependent whether a failure to initialize
2038 * results in this error code.
2039 */
2040psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
2041
2042/**@}*/
2043
2044/** \defgroup aead Authenticated encryption with associated data (AEAD)
2045 * @{
2046 */
2047
2048/** Process an authenticated encryption operation.
2049 *
2050 * \param key Identifier of the key to use for the
2051 * operation. It must allow the usage
2052 * #PSA_KEY_USAGE_ENCRYPT.
2053 * \param alg The AEAD algorithm to compute
2054 * (\c PSA_ALG_XXX value such that
2055 * #PSA_ALG_IS_AEAD(\p alg) is true).
2056 * \param[in] nonce Nonce or IV to use.
2057 * \param nonce_length Size of the \p nonce buffer in bytes.
2058 * \param[in] additional_data Additional data that will be authenticated
2059 * but not encrypted.
2060 * \param additional_data_length Size of \p additional_data in bytes.
2061 * \param[in] plaintext Data that will be authenticated and
2062 * encrypted.
2063 * \param plaintext_length Size of \p plaintext in bytes.
2064 * \param[out] ciphertext Output buffer for the authenticated and
2065 * encrypted data. The additional data is not
2066 * part of this output. For algorithms where the
2067 * encrypted data and the authentication tag
2068 * are defined as separate outputs, the
2069 * authentication tag is appended to the
2070 * encrypted data.
2071 * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
2072 * This must be appropriate for the selected
2073 * algorithm and key:
2074 * - A sufficient output size is
2075 * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type,
2076 * \p alg, \p plaintext_length) where
2077 * \c key_type is the type of \p key.
2078 * - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p
2079 * plaintext_length) evaluates to the maximum
2080 * ciphertext size of any supported AEAD
2081 * encryption.
2082 * \param[out] ciphertext_length On success, the size of the output
2083 * in the \p ciphertext buffer.
2084 *
2085 * \retval #PSA_SUCCESS
2086 * Success.
2087 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2088 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2089 * \retval #PSA_ERROR_INVALID_ARGUMENT
2090 * \p key is not compatible with \p alg.
2091 * \retval #PSA_ERROR_NOT_SUPPORTED
2092 * \p alg is not supported or is not an AEAD algorithm.
2093 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2094 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2095 * \p ciphertext_size is too small.
2096 * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
2097 * \p plaintext_length) or
2098 * #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
2099 * determine the required buffer size.
2100 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2101 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2102 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2103 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2104 * \retval #PSA_ERROR_BAD_STATE
2105 * The library has not been previously initialized by psa_crypto_init().
2106 * It is implementation-dependent whether a failure to initialize
2107 * results in this error code.
2108 */
2109psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
2110 psa_algorithm_t alg,
2111 const uint8_t *nonce,
2112 size_t nonce_length,
2113 const uint8_t *additional_data,
2114 size_t additional_data_length,
2115 const uint8_t *plaintext,
2116 size_t plaintext_length,
2117 uint8_t *ciphertext,
2118 size_t ciphertext_size,
2119 size_t *ciphertext_length);
2120
2121/** Process an authenticated decryption operation.
2122 *
2123 * \param key Identifier of the key to use for the
2124 * operation. It must allow the usage
2125 * #PSA_KEY_USAGE_DECRYPT.
2126 * \param alg The AEAD algorithm to compute
2127 * (\c PSA_ALG_XXX value such that
2128 * #PSA_ALG_IS_AEAD(\p alg) is true).
2129 * \param[in] nonce Nonce or IV to use.
2130 * \param nonce_length Size of the \p nonce buffer in bytes.
2131 * \param[in] additional_data Additional data that has been authenticated
2132 * but not encrypted.
2133 * \param additional_data_length Size of \p additional_data in bytes.
2134 * \param[in] ciphertext Data that has been authenticated and
2135 * encrypted. For algorithms where the
2136 * encrypted data and the authentication tag
2137 * are defined as separate inputs, the buffer
2138 * must contain the encrypted data followed
2139 * by the authentication tag.
2140 * \param ciphertext_length Size of \p ciphertext in bytes.
2141 * \param[out] plaintext Output buffer for the decrypted data.
2142 * \param plaintext_size Size of the \p plaintext buffer in bytes.
2143 * This must be appropriate for the selected
2144 * algorithm and key:
2145 * - A sufficient output size is
2146 * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type,
2147 * \p alg, \p ciphertext_length) where
2148 * \c key_type is the type of \p key.
2149 * - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p
2150 * ciphertext_length) evaluates to the maximum
2151 * plaintext size of any supported AEAD
2152 * decryption.
2153 * \param[out] plaintext_length On success, the size of the output
2154 * in the \p plaintext buffer.
2155 *
2156 * \retval #PSA_SUCCESS
2157 * Success.
2158 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2159 * \retval #PSA_ERROR_INVALID_SIGNATURE
2160 * The ciphertext is not authentic.
2161 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2162 * \retval #PSA_ERROR_INVALID_ARGUMENT
2163 * \p key is not compatible with \p alg.
2164 * \retval #PSA_ERROR_NOT_SUPPORTED
2165 * \p alg is not supported or is not an AEAD algorithm.
2166 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2167 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2168 * \p plaintext_size is too small.
2169 * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
2170 * \p ciphertext_length) or
2171 * #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
2172 * to determine the required buffer size.
2173 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2174 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2175 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2176 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2177 * \retval #PSA_ERROR_BAD_STATE
2178 * The library has not been previously initialized by psa_crypto_init().
2179 * It is implementation-dependent whether a failure to initialize
2180 * results in this error code.
2181 */
2182psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
2183 psa_algorithm_t alg,
2184 const uint8_t *nonce,
2185 size_t nonce_length,
2186 const uint8_t *additional_data,
2187 size_t additional_data_length,
2188 const uint8_t *ciphertext,
2189 size_t ciphertext_length,
2190 uint8_t *plaintext,
2191 size_t plaintext_size,
2192 size_t *plaintext_length);
2193
2194/** The type of the state data structure for multipart AEAD operations.
2195 *
2196 * Before calling any function on an AEAD operation object, the application
2197 * must initialize it by any of the following means:
2198 * - Set the structure to all-bits-zero, for example:
2199 * \code
2200 * psa_aead_operation_t operation;
2201 * memset(&operation, 0, sizeof(operation));
2202 * \endcode
2203 * - Initialize the structure to logical zero values, for example:
2204 * \code
2205 * psa_aead_operation_t operation = {0};
2206 * \endcode
2207 * - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT,
2208 * for example:
2209 * \code
2210 * psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
2211 * \endcode
2212 * - Assign the result of the function psa_aead_operation_init()
2213 * to the structure, for example:
2214 * \code
2215 * psa_aead_operation_t operation;
2216 * operation = psa_aead_operation_init();
2217 * \endcode
2218 *
2219 * This is an implementation-defined \c struct. Applications should not
2220 * make any assumptions about the content of this structure.
2221 * Implementation details can change in future versions without notice. */
2222typedef struct psa_aead_operation_s psa_aead_operation_t;
2223
2224/** \def PSA_AEAD_OPERATION_INIT
2225 *
2226 * This macro returns a suitable initializer for an AEAD operation object of
2227 * type #psa_aead_operation_t.
2228 */
2229
2230/** Return an initial value for an AEAD operation object.
2231 */
2232static psa_aead_operation_t psa_aead_operation_init(void);
2233
2234/** Set the key for a multipart authenticated encryption operation.
2235 *
2236 * The sequence of operations to encrypt a message with authentication
2237 * is as follows:
2238 * -# Allocate an operation object which will be passed to all the functions
2239 * listed here.
2240 * -# Initialize the operation object with one of the methods described in the
2241 * documentation for #psa_aead_operation_t, e.g.
2242 * #PSA_AEAD_OPERATION_INIT.
2243 * -# Call psa_aead_encrypt_setup() to specify the algorithm and key.
2244 * -# If needed, call psa_aead_set_lengths() to specify the length of the
2245 * inputs to the subsequent calls to psa_aead_update_ad() and
2246 * psa_aead_update(). See the documentation of psa_aead_set_lengths()
2247 * for details.
2248 * -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to
2249 * generate or set the nonce. You should use
2250 * psa_aead_generate_nonce() unless the protocol you are implementing
2251 * requires a specific nonce value.
2252 * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
2253 * of the non-encrypted additional authenticated data each time.
2254 * -# Call psa_aead_update() zero, one or more times, passing a fragment
2255 * of the message to encrypt each time.
2256 * -# Call psa_aead_finish().
2257 *
2258 * If an error occurs at any step after a call to psa_aead_encrypt_setup(),
2259 * the operation will need to be reset by a call to psa_aead_abort(). The
2260 * application may call psa_aead_abort() at any time after the operation
2261 * has been initialized.
2262 *
2263 * After a successful call to psa_aead_encrypt_setup(), the application must
2264 * eventually terminate the operation. The following events terminate an
2265 * operation:
2266 * - A successful call to psa_aead_finish().
2267 * - A call to psa_aead_abort().
2268 *
2269 * \param[in,out] operation The operation object to set up. It must have
2270 * been initialized as per the documentation for
2271 * #psa_aead_operation_t and not yet in use.
2272 * \param key Identifier of the key to use for the operation.
2273 * It must remain valid until the operation
2274 * terminates. It must allow the usage
2275 * #PSA_KEY_USAGE_ENCRYPT.
2276 * \param alg The AEAD algorithm to compute
2277 * (\c PSA_ALG_XXX value such that
2278 * #PSA_ALG_IS_AEAD(\p alg) is true).
2279 *
2280 * \retval #PSA_SUCCESS
2281 * Success.
2282 * \retval #PSA_ERROR_BAD_STATE
2283 * The operation state is not valid (it must be inactive), or
2284 * the library has not been previously initialized by psa_crypto_init().
2285 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2286 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2287 * \retval #PSA_ERROR_INVALID_ARGUMENT
2288 * \p key is not compatible with \p alg.
2289 * \retval #PSA_ERROR_NOT_SUPPORTED
2290 * \p alg is not supported or is not an AEAD algorithm.
2291 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2292 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2293 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2294 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2295 * \retval #PSA_ERROR_STORAGE_FAILURE
2296 * The library has not been previously initialized by psa_crypto_init().
2297 * It is implementation-dependent whether a failure to initialize
2298 * results in this error code.
2299 */
2300psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
2301 mbedtls_svc_key_id_t key,
2302 psa_algorithm_t alg);
2303
2304/** Set the key for a multipart authenticated decryption operation.
2305 *
2306 * The sequence of operations to decrypt a message with authentication
2307 * is as follows:
2308 * -# Allocate an operation object which will be passed to all the functions
2309 * listed here.
2310 * -# Initialize the operation object with one of the methods described in the
2311 * documentation for #psa_aead_operation_t, e.g.
2312 * #PSA_AEAD_OPERATION_INIT.
2313 * -# Call psa_aead_decrypt_setup() to specify the algorithm and key.
2314 * -# If needed, call psa_aead_set_lengths() to specify the length of the
2315 * inputs to the subsequent calls to psa_aead_update_ad() and
2316 * psa_aead_update(). See the documentation of psa_aead_set_lengths()
2317 * for details.
2318 * -# Call psa_aead_set_nonce() with the nonce for the decryption.
2319 * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
2320 * of the non-encrypted additional authenticated data each time.
2321 * -# Call psa_aead_update() zero, one or more times, passing a fragment
2322 * of the ciphertext to decrypt each time.
2323 * -# Call psa_aead_verify().
2324 *
2325 * If an error occurs at any step after a call to psa_aead_decrypt_setup(),
2326 * the operation will need to be reset by a call to psa_aead_abort(). The
2327 * application may call psa_aead_abort() at any time after the operation
2328 * has been initialized.
2329 *
2330 * After a successful call to psa_aead_decrypt_setup(), the application must
2331 * eventually terminate the operation. The following events terminate an
2332 * operation:
2333 * - A successful call to psa_aead_verify().
2334 * - A call to psa_aead_abort().
2335 *
2336 * \param[in,out] operation The operation object to set up. It must have
2337 * been initialized as per the documentation for
2338 * #psa_aead_operation_t and not yet in use.
2339 * \param key Identifier of the key to use for the operation.
2340 * It must remain valid until the operation
2341 * terminates. It must allow the usage
2342 * #PSA_KEY_USAGE_DECRYPT.
2343 * \param alg The AEAD algorithm to compute
2344 * (\c PSA_ALG_XXX value such that
2345 * #PSA_ALG_IS_AEAD(\p alg) is true).
2346 *
2347 * \retval #PSA_SUCCESS
2348 * Success.
2349 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2350 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2351 * \retval #PSA_ERROR_INVALID_ARGUMENT
2352 * \p key is not compatible with \p alg.
2353 * \retval #PSA_ERROR_NOT_SUPPORTED
2354 * \p alg is not supported or is not an AEAD algorithm.
2355 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2356 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2357 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2358 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2359 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2360 * \retval #PSA_ERROR_BAD_STATE
2361 * The operation state is not valid (it must be inactive), or the
2362 * library has not been previously initialized by psa_crypto_init().
2363 * It is implementation-dependent whether a failure to initialize
2364 * results in this error code.
2365 */
2366psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
2367 mbedtls_svc_key_id_t key,
2368 psa_algorithm_t alg);
2369
2370/** Generate a random nonce for an authenticated encryption operation.
2371 *
2372 * This function generates a random nonce for the authenticated encryption
2373 * operation with an appropriate size for the chosen algorithm, key type
2374 * and key size.
2375 *
2376 * The application must call psa_aead_encrypt_setup() before
2377 * calling this function.
2378 *
2379 * If this function returns an error status, the operation enters an error
2380 * state and must be aborted by calling psa_aead_abort().
2381 *
2382 * \param[in,out] operation Active AEAD operation.
2383 * \param[out] nonce Buffer where the generated nonce is to be
2384 * written.
2385 * \param nonce_size Size of the \p nonce buffer in bytes.
2386 * \param[out] nonce_length On success, the number of bytes of the
2387 * generated nonce.
2388 *
2389 * \retval #PSA_SUCCESS
2390 * Success.
2391 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2392 * The size of the \p nonce buffer is too small.
2393 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2394 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2395 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2396 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2397 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2398 * \retval #PSA_ERROR_BAD_STATE
2399 * The operation state is not valid (it must be an active aead encrypt
2400 * operation, with no nonce set), or the library has not been
2401 * previously initialized by psa_crypto_init().
2402 * It is implementation-dependent whether a failure to initialize
2403 * results in this error code.
2404 */
2405psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
2406 uint8_t *nonce,
2407 size_t nonce_size,
2408 size_t *nonce_length);
2409
2410/** Set the nonce for an authenticated encryption or decryption operation.
2411 *
2412 * This function sets the nonce for the authenticated
2413 * encryption or decryption operation.
2414 *
2415 * The application must call psa_aead_encrypt_setup() or
2416 * psa_aead_decrypt_setup() before calling this function.
2417 *
2418 * If this function returns an error status, the operation enters an error
2419 * state and must be aborted by calling psa_aead_abort().
2420 *
2421 * \note When encrypting, applications should use psa_aead_generate_nonce()
2422 * instead of this function, unless implementing a protocol that requires
2423 * a non-random IV.
2424 *
2425 * \param[in,out] operation Active AEAD operation.
2426 * \param[in] nonce Buffer containing the nonce to use.
2427 * \param nonce_length Size of the nonce in bytes.
2428 *
2429 * \retval #PSA_SUCCESS
2430 * Success.
2431 * \retval #PSA_ERROR_INVALID_ARGUMENT
2432 * The size of \p nonce is not acceptable for the chosen algorithm.
2433 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2434 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2435 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2436 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2437 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2438 * \retval #PSA_ERROR_BAD_STATE
2439 * The operation state is not valid (it must be active, with no nonce
2440 * set), or the library has not been previously initialized
2441 * by psa_crypto_init().
2442 * It is implementation-dependent whether a failure to initialize
2443 * results in this error code.
2444 */
2445psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
2446 const uint8_t *nonce,
2447 size_t nonce_length);
2448
2449/** Declare the lengths of the message and additional data for AEAD.
2450 *
2451 * The application must call this function before calling
2452 * psa_aead_update_ad() or psa_aead_update() if the algorithm for
2453 * the operation requires it. If the algorithm does not require it,
2454 * calling this function is optional, but if this function is called
2455 * then the implementation must enforce the lengths.
2456 *
2457 * You may call this function before or after setting the nonce with
2458 * psa_aead_set_nonce() or psa_aead_generate_nonce().
2459 *
2460 * - For #PSA_ALG_CCM, calling this function is required.
2461 * - For the other AEAD algorithms defined in this specification, calling
2462 * this function is not required.
2463 * - For vendor-defined algorithm, refer to the vendor documentation.
2464 *
2465 * If this function returns an error status, the operation enters an error
2466 * state and must be aborted by calling psa_aead_abort().
2467 *
2468 * \param[in,out] operation Active AEAD operation.
2469 * \param ad_length Size of the non-encrypted additional
2470 * authenticated data in bytes.
2471 * \param plaintext_length Size of the plaintext to encrypt in bytes.
2472 *
2473 * \retval #PSA_SUCCESS
2474 * Success.
2475 * \retval #PSA_ERROR_INVALID_ARGUMENT
2476 * At least one of the lengths is not acceptable for the chosen
2477 * algorithm.
2478 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2479 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2480 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2481 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2482 * \retval #PSA_ERROR_BAD_STATE
2483 * The operation state is not valid (it must be active, and
2484 * psa_aead_update_ad() and psa_aead_update() must not have been
2485 * called yet), or the library has not been previously initialized
2486 * by psa_crypto_init().
2487 * It is implementation-dependent whether a failure to initialize
2488 * results in this error code.
2489 */
2490psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
2491 size_t ad_length,
2492 size_t plaintext_length);
2493
2494/** Pass additional data to an active AEAD operation.
2495 *
2496 * Additional data is authenticated, but not encrypted.
2497 *
2498 * You may call this function multiple times to pass successive fragments
2499 * of the additional data. You may not call this function after passing
2500 * data to encrypt or decrypt with psa_aead_update().
2501 *
2502 * Before calling this function, you must:
2503 * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
2504 * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
2505 *
2506 * If this function returns an error status, the operation enters an error
2507 * state and must be aborted by calling psa_aead_abort().
2508 *
2509 * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
2510 * there is no guarantee that the input is valid. Therefore, until
2511 * you have called psa_aead_verify() and it has returned #PSA_SUCCESS,
2512 * treat the input as untrusted and prepare to undo any action that
2513 * depends on the input if psa_aead_verify() returns an error status.
2514 *
2515 * \param[in,out] operation Active AEAD operation.
2516 * \param[in] input Buffer containing the fragment of
2517 * additional data.
2518 * \param input_length Size of the \p input buffer in bytes.
2519 *
2520 * \retval #PSA_SUCCESS
2521 * Success.
2522 * \retval #PSA_ERROR_INVALID_ARGUMENT
2523 * The total input length overflows the additional data length that
2524 * was previously specified with psa_aead_set_lengths().
2525 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2526 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2527 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2528 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2529 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2530 * \retval #PSA_ERROR_BAD_STATE
2531 * The operation state is not valid (it must be active, have a nonce
2532 * set, have lengths set if required by the algorithm, and
2533 * psa_aead_update() must not have been called yet), or the library
2534 * has not been previously initialized by psa_crypto_init().
2535 * It is implementation-dependent whether a failure to initialize
2536 * results in this error code.
2537 */
2538psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
2539 const uint8_t *input,
2540 size_t input_length);
2541
2542/** Encrypt or decrypt a message fragment in an active AEAD operation.
2543 *
2544 * Before calling this function, you must:
2545 * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
2546 * The choice of setup function determines whether this function
2547 * encrypts or decrypts its input.
2548 * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
2549 * 3. Call psa_aead_update_ad() to pass all the additional data.
2550 *
2551 * If this function returns an error status, the operation enters an error
2552 * state and must be aborted by calling psa_aead_abort().
2553 *
2554 * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
2555 * there is no guarantee that the input is valid. Therefore, until
2556 * you have called psa_aead_verify() and it has returned #PSA_SUCCESS:
2557 * - Do not use the output in any way other than storing it in a
2558 * confidential location. If you take any action that depends
2559 * on the tentative decrypted data, this action will need to be
2560 * undone if the input turns out not to be valid. Furthermore,
2561 * if an adversary can observe that this action took place
2562 * (for example through timing), they may be able to use this
2563 * fact as an oracle to decrypt any message encrypted with the
2564 * same key.
2565 * - In particular, do not copy the output anywhere but to a
2566 * memory or storage space that you have exclusive access to.
2567 *
2568 * This function does not require the input to be aligned to any
2569 * particular block boundary. If the implementation can only process
2570 * a whole block at a time, it must consume all the input provided, but
2571 * it may delay the end of the corresponding output until a subsequent
2572 * call to psa_aead_update(), psa_aead_finish() or psa_aead_verify()
2573 * provides sufficient input. The amount of data that can be delayed
2574 * in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
2575 *
2576 * \param[in,out] operation Active AEAD operation.
2577 * \param[in] input Buffer containing the message fragment to
2578 * encrypt or decrypt.
2579 * \param input_length Size of the \p input buffer in bytes.
2580 * \param[out] output Buffer where the output is to be written.
2581 * \param output_size Size of the \p output buffer in bytes.
2582 * This must be appropriate for the selected
2583 * algorithm and key:
2584 * - A sufficient output size is
2585 * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
2586 * \c alg, \p input_length) where
2587 * \c key_type is the type of key and \c alg is
2588 * the algorithm that were used to set up the
2589 * operation.
2590 * - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
2591 * input_length) evaluates to the maximum
2592 * output size of any supported AEAD
2593 * algorithm.
2594 * \param[out] output_length On success, the number of bytes
2595 * that make up the returned output.
2596 *
2597 * \retval #PSA_SUCCESS
2598 * Success.
2599 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2600 * The size of the \p output buffer is too small.
2601 * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
2602 * #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
2603 * determine the required buffer size.
2604 * \retval #PSA_ERROR_INVALID_ARGUMENT
2605 * The total length of input to psa_aead_update_ad() so far is
2606 * less than the additional data length that was previously
2607 * specified with psa_aead_set_lengths(), or
2608 * the total input length overflows the plaintext length that
2609 * was previously specified with psa_aead_set_lengths().
2610 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2611 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2612 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2613 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2614 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2615 * \retval #PSA_ERROR_BAD_STATE
2616 * The operation state is not valid (it must be active, have a nonce
2617 * set, and have lengths set if required by the algorithm), or the
2618 * library has not been previously initialized by psa_crypto_init().
2619 * It is implementation-dependent whether a failure to initialize
2620 * results in this error code.
2621 */
2622psa_status_t psa_aead_update(psa_aead_operation_t *operation,
2623 const uint8_t *input,
2624 size_t input_length,
2625 uint8_t *output,
2626 size_t output_size,
2627 size_t *output_length);
2628
2629/** Finish encrypting a message in an AEAD operation.
2630 *
2631 * The operation must have been set up with psa_aead_encrypt_setup().
2632 *
2633 * This function finishes the authentication of the additional data
2634 * formed by concatenating the inputs passed to preceding calls to
2635 * psa_aead_update_ad() with the plaintext formed by concatenating the
2636 * inputs passed to preceding calls to psa_aead_update().
2637 *
2638 * This function has two output buffers:
2639 * - \p ciphertext contains trailing ciphertext that was buffered from
2640 * preceding calls to psa_aead_update().
2641 * - \p tag contains the authentication tag.
2642 *
2643 * When this function returns successfully, the operation becomes inactive.
2644 * If this function returns an error status, the operation enters an error
2645 * state and must be aborted by calling psa_aead_abort().
2646 *
2647 * \param[in,out] operation Active AEAD operation.
2648 * \param[out] ciphertext Buffer where the last part of the ciphertext
2649 * is to be written.
2650 * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
2651 * This must be appropriate for the selected
2652 * algorithm and key:
2653 * - A sufficient output size is
2654 * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
2655 * \c alg) where \c key_type is the type of key
2656 * and \c alg is the algorithm that were used to
2657 * set up the operation.
2658 * - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
2659 * the maximum output size of any supported AEAD
2660 * algorithm.
2661 * \param[out] ciphertext_length On success, the number of bytes of
2662 * returned ciphertext.
2663 * \param[out] tag Buffer where the authentication tag is
2664 * to be written.
2665 * \param tag_size Size of the \p tag buffer in bytes.
2666 * This must be appropriate for the selected
2667 * algorithm and key:
2668 * - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
2669 * key_type, \c key_bits, \c alg) where
2670 * \c key_type and \c key_bits are the type and
2671 * bit-size of the key, and \c alg is the
2672 * algorithm that were used in the call to
2673 * psa_aead_encrypt_setup().
2674 * - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
2675 * maximum tag size of any supported AEAD
2676 * algorithm.
2677 * \param[out] tag_length On success, the number of bytes
2678 * that make up the returned tag.
2679 *
2680 * \retval #PSA_SUCCESS
2681 * Success.
2682 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2683 * The size of the \p ciphertext or \p tag buffer is too small.
2684 * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or
2685 * #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the
2686 * required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type,
2687 * \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to
2688 * determine the required \p tag buffer size.
2689 * \retval #PSA_ERROR_INVALID_ARGUMENT
2690 * The total length of input to psa_aead_update_ad() so far is
2691 * less than the additional data length that was previously
2692 * specified with psa_aead_set_lengths(), or
2693 * the total length of input to psa_aead_update() so far is
2694 * less than the plaintext length that was previously
2695 * specified with psa_aead_set_lengths().
2696 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2697 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2698 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2699 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2700 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2701 * \retval #PSA_ERROR_BAD_STATE
2702 * The operation state is not valid (it must be an active encryption
2703 * operation with a nonce set), or the library has not been previously
2704 * initialized by psa_crypto_init().
2705 * It is implementation-dependent whether a failure to initialize
2706 * results in this error code.
2707 */
2708psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
2709 uint8_t *ciphertext,
2710 size_t ciphertext_size,
2711 size_t *ciphertext_length,
2712 uint8_t *tag,
2713 size_t tag_size,
2714 size_t *tag_length);
2715
2716/** Finish authenticating and decrypting a message in an AEAD operation.
2717 *
2718 * The operation must have been set up with psa_aead_decrypt_setup().
2719 *
2720 * This function finishes the authenticated decryption of the message
2721 * components:
2722 *
2723 * - The additional data consisting of the concatenation of the inputs
2724 * passed to preceding calls to psa_aead_update_ad().
2725 * - The ciphertext consisting of the concatenation of the inputs passed to
2726 * preceding calls to psa_aead_update().
2727 * - The tag passed to this function call.
2728 *
2729 * If the authentication tag is correct, this function outputs any remaining
2730 * plaintext and reports success. If the authentication tag is not correct,
2731 * this function returns #PSA_ERROR_INVALID_SIGNATURE.
2732 *
2733 * When this function returns successfully, the operation becomes inactive.
2734 * If this function returns an error status, the operation enters an error
2735 * state and must be aborted by calling psa_aead_abort().
2736 *
2737 * \note Implementations shall make the best effort to ensure that the
2738 * comparison between the actual tag and the expected tag is performed
2739 * in constant time.
2740 *
2741 * \param[in,out] operation Active AEAD operation.
2742 * \param[out] plaintext Buffer where the last part of the plaintext
2743 * is to be written. This is the remaining data
2744 * from previous calls to psa_aead_update()
2745 * that could not be processed until the end
2746 * of the input.
2747 * \param plaintext_size Size of the \p plaintext buffer in bytes.
2748 * This must be appropriate for the selected algorithm and key:
2749 * - A sufficient output size is
2750 * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type,
2751 * \c alg) where \c key_type is the type of key
2752 * and \c alg is the algorithm that were used to
2753 * set up the operation.
2754 * - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to
2755 * the maximum output size of any supported AEAD
2756 * algorithm.
2757 * \param[out] plaintext_length On success, the number of bytes of
2758 * returned plaintext.
2759 * \param[in] tag Buffer containing the authentication tag.
2760 * \param tag_length Size of the \p tag buffer in bytes.
2761 *
2762 * \retval #PSA_SUCCESS
2763 * Success.
2764 * \retval #PSA_ERROR_INVALID_SIGNATURE
2765 * The calculations were successful, but the authentication tag is
2766 * not correct.
2767 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2768 * The size of the \p plaintext buffer is too small.
2769 * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or
2770 * #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the
2771 * required buffer size.
2772 * \retval #PSA_ERROR_INVALID_ARGUMENT
2773 * The total length of input to psa_aead_update_ad() so far is
2774 * less than the additional data length that was previously
2775 * specified with psa_aead_set_lengths(), or
2776 * the total length of input to psa_aead_update() so far is
2777 * less than the plaintext length that was previously
2778 * specified with psa_aead_set_lengths().
2779 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2780 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2781 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2782 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2783 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2784 * \retval #PSA_ERROR_BAD_STATE
2785 * The operation state is not valid (it must be an active decryption
2786 * operation with a nonce set), or the library has not been previously
2787 * initialized by psa_crypto_init().
2788 * It is implementation-dependent whether a failure to initialize
2789 * results in this error code.
2790 */
2791psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
2792 uint8_t *plaintext,
2793 size_t plaintext_size,
2794 size_t *plaintext_length,
2795 const uint8_t *tag,
2796 size_t tag_length);
2797
2798/** Abort an AEAD operation.
2799 *
2800 * Aborting an operation frees all associated resources except for the
2801 * \p operation structure itself. Once aborted, the operation object
2802 * can be reused for another operation by calling
2803 * psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again.
2804 *
2805 * You may call this function any time after the operation object has
2806 * been initialized as described in #psa_aead_operation_t.
2807 *
2808 * In particular, calling psa_aead_abort() after the operation has been
2809 * terminated by a call to psa_aead_abort(), psa_aead_finish() or
2810 * psa_aead_verify() is safe and has no effect.
2811 *
2812 * \param[in,out] operation Initialized AEAD operation.
2813 *
2814 * \retval #PSA_SUCCESS \emptydescription
2815 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2816 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2817 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2818 * \retval #PSA_ERROR_BAD_STATE
2819 * The library has not been previously initialized by psa_crypto_init().
2820 * It is implementation-dependent whether a failure to initialize
2821 * results in this error code.
2822 */
2823psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
2824
2825/**@}*/
2826
2827/** \defgroup asymmetric Asymmetric cryptography
2828 * @{
2829 */
2830
2831/**
2832 * \brief Sign a message with a private key. For hash-and-sign algorithms,
2833 * this includes the hashing step.
2834 *
2835 * \note To perform a multi-part hash-and-sign signature algorithm, first use
2836 * a multi-part hash operation and then pass the resulting hash to
2837 * psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the
2838 * hash algorithm to use.
2839 *
2840 * \param[in] key Identifier of the key to use for the operation.
2841 * It must be an asymmetric key pair. The key must
2842 * allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.
2843 * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
2844 * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
2845 * is true), that is compatible with the type of
2846 * \p key.
2847 * \param[in] input The input message to sign.
2848 * \param[in] input_length Size of the \p input buffer in bytes.
2849 * \param[out] signature Buffer where the signature is to be written.
2850 * \param[in] signature_size Size of the \p signature buffer in bytes. This
2851 * must be appropriate for the selected
2852 * algorithm and key:
2853 * - The required signature size is
2854 * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2855 * where \c key_type and \c key_bits are the type and
2856 * bit-size respectively of key.
2857 * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
2858 * maximum signature size of any supported
2859 * signature algorithm.
2860 * \param[out] signature_length On success, the number of bytes that make up
2861 * the returned signature value.
2862 *
2863 * \retval #PSA_SUCCESS \emptydescription
2864 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2865 * \retval #PSA_ERROR_NOT_PERMITTED
2866 * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
2867 * or it does not permit the requested algorithm.
2868 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2869 * The size of the \p signature buffer is too small. You can
2870 * determine a sufficient buffer size by calling
2871 * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2872 * where \c key_type and \c key_bits are the type and bit-size
2873 * respectively of \p key.
2874 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
2875 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
2876 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2877 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2878 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2879 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2880 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2881 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
2882 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
2883 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
2884 * \retval #PSA_ERROR_BAD_STATE
2885 * The library has not been previously initialized by psa_crypto_init().
2886 * It is implementation-dependent whether a failure to initialize
2887 * results in this error code.
2888 */
2889psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
2890 psa_algorithm_t alg,
2891 const uint8_t *input,
2892 size_t input_length,
2893 uint8_t *signature,
2894 size_t signature_size,
2895 size_t *signature_length);
2896
2897/** \brief Verify the signature of a message with a public key, using
2898 * a hash-and-sign verification algorithm.
2899 *
2900 * \note To perform a multi-part hash-and-sign signature verification
2901 * algorithm, first use a multi-part hash operation to hash the message
2902 * and then pass the resulting hash to psa_verify_hash().
2903 * PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm
2904 * to use.
2905 *
2906 * \param[in] key Identifier of the key to use for the operation.
2907 * It must be a public key or an asymmetric key
2908 * pair. The key must allow the usage
2909 * #PSA_KEY_USAGE_VERIFY_MESSAGE.
2910 * \param[in] alg An asymmetric signature algorithm (PSA_ALG_XXX
2911 * value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
2912 * is true), that is compatible with the type of
2913 * \p key.
2914 * \param[in] input The message whose signature is to be verified.
2915 * \param[in] input_length Size of the \p input buffer in bytes.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]2916 * \param[in] signature Buffer containing the signature to verify.
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]2917 * \param[in] signature_length Size of the \p signature buffer in bytes.
2918 *
2919 * \retval #PSA_SUCCESS \emptydescription
2920 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2921 * \retval #PSA_ERROR_NOT_PERMITTED
2922 * The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
2923 * or it does not permit the requested algorithm.
2924 * \retval #PSA_ERROR_INVALID_SIGNATURE
2925 * The calculation was performed successfully, but the passed signature
2926 * is not a valid signature.
2927 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
2928 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
2929 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2930 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2931 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2932 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2933 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2934 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
2935 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
2936 * \retval #PSA_ERROR_BAD_STATE
2937 * The library has not been previously initialized by psa_crypto_init().
2938 * It is implementation-dependent whether a failure to initialize
2939 * results in this error code.
2940 */
2941psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
2942 psa_algorithm_t alg,
2943 const uint8_t *input,
2944 size_t input_length,
2945 const uint8_t *signature,
2946 size_t signature_length);
2947
2948/**
2949 * \brief Sign a hash or short message with a private key.
2950 *
2951 * Note that to perform a hash-and-sign signature algorithm, you must
2952 * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
2953 * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
2954 * Then pass the resulting hash as the \p hash
2955 * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
2956 * to determine the hash algorithm to use.
2957 *
2958 * \param key Identifier of the key to use for the operation.
2959 * It must be an asymmetric key pair. The key must
2960 * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
2961 * \param alg A signature algorithm (PSA_ALG_XXX
2962 * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
2963 * is true), that is compatible with
2964 * the type of \p key.
2965 * \param[in] hash The hash or message to sign.
2966 * \param hash_length Size of the \p hash buffer in bytes.
2967 * \param[out] signature Buffer where the signature is to be written.
2968 * \param signature_size Size of the \p signature buffer in bytes.
2969 * \param[out] signature_length On success, the number of bytes
2970 * that make up the returned signature value.
2971 *
2972 * \retval #PSA_SUCCESS \emptydescription
2973 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2974 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2975 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2976 * The size of the \p signature buffer is too small. You can
2977 * determine a sufficient buffer size by calling
2978 * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2979 * where \c key_type and \c key_bits are the type and bit-size
2980 * respectively of \p key.
2981 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
2982 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
2983 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2984 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2985 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2986 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2987 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2988 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
2989 * \retval #PSA_ERROR_BAD_STATE
2990 * The library has not been previously initialized by psa_crypto_init().
2991 * It is implementation-dependent whether a failure to initialize
2992 * results in this error code.
2993 */
2994psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
2995 psa_algorithm_t alg,
2996 const uint8_t *hash,
2997 size_t hash_length,
2998 uint8_t *signature,
2999 size_t signature_size,
3000 size_t *signature_length);
3001
3002/**
3003 * \brief Verify the signature of a hash or short message using a public key.
3004 *
3005 * Note that to perform a hash-and-sign signature algorithm, you must
3006 * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
3007 * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
3008 * Then pass the resulting hash as the \p hash
3009 * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
3010 * to determine the hash algorithm to use.
3011 *
3012 * \param key Identifier of the key to use for the operation. It
3013 * must be a public key or an asymmetric key pair. The
3014 * key must allow the usage
3015 * #PSA_KEY_USAGE_VERIFY_HASH.
3016 * \param alg A signature algorithm (PSA_ALG_XXX
3017 * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
3018 * is true), that is compatible with
3019 * the type of \p key.
3020 * \param[in] hash The hash or message whose signature is to be
3021 * verified.
3022 * \param hash_length Size of the \p hash buffer in bytes.
3023 * \param[in] signature Buffer containing the signature to verify.
3024 * \param signature_length Size of the \p signature buffer in bytes.
3025 *
3026 * \retval #PSA_SUCCESS
3027 * The signature is valid.
3028 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3029 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3030 * \retval #PSA_ERROR_INVALID_SIGNATURE
3031 * The calculation was performed successfully, but the passed
3032 * signature is not a valid signature.
3033 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3034 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3035 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3036 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3037 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3038 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3039 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3040 * \retval #PSA_ERROR_BAD_STATE
3041 * The library has not been previously initialized by psa_crypto_init().
3042 * It is implementation-dependent whether a failure to initialize
3043 * results in this error code.
3044 */
3045psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
3046 psa_algorithm_t alg,
3047 const uint8_t *hash,
3048 size_t hash_length,
3049 const uint8_t *signature,
3050 size_t signature_length);
3051
3052/**
3053 * \brief Encrypt a short message with a public key.
3054 *
3055 * \param key Identifier of the key to use for the operation.
3056 * It must be a public key or an asymmetric key
3057 * pair. It must allow the usage
3058 * #PSA_KEY_USAGE_ENCRYPT.
3059 * \param alg An asymmetric encryption algorithm that is
3060 * compatible with the type of \p key.
3061 * \param[in] input The message to encrypt.
3062 * \param input_length Size of the \p input buffer in bytes.
3063 * \param[in] salt A salt or label, if supported by the
3064 * encryption algorithm.
3065 * If the algorithm does not support a
3066 * salt, pass \c NULL.
3067 * If the algorithm supports an optional
3068 * salt and you do not want to pass a salt,
3069 * pass \c NULL.
3070 *
3071 * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
3072 * supported.
3073 * \param salt_length Size of the \p salt buffer in bytes.
3074 * If \p salt is \c NULL, pass 0.
3075 * \param[out] output Buffer where the encrypted message is to
3076 * be written.
3077 * \param output_size Size of the \p output buffer in bytes.
3078 * \param[out] output_length On success, the number of bytes
3079 * that make up the returned output.
3080 *
3081 * \retval #PSA_SUCCESS \emptydescription
3082 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3083 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3084 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3085 * The size of the \p output buffer is too small. You can
3086 * determine a sufficient buffer size by calling
3087 * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
3088 * where \c key_type and \c key_bits are the type and bit-size
3089 * respectively of \p key.
3090 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3091 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3092 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3093 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3094 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3095 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3096 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3097 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
3098 * \retval #PSA_ERROR_BAD_STATE
3099 * The library has not been previously initialized by psa_crypto_init().
3100 * It is implementation-dependent whether a failure to initialize
3101 * results in this error code.
3102 */
3103psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
3104 psa_algorithm_t alg,
3105 const uint8_t *input,
3106 size_t input_length,
3107 const uint8_t *salt,
3108 size_t salt_length,
3109 uint8_t *output,
3110 size_t output_size,
3111 size_t *output_length);
3112
3113/**
3114 * \brief Decrypt a short message with a private key.
3115 *
3116 * \param key Identifier of the key to use for the operation.
3117 * It must be an asymmetric key pair. It must
3118 * allow the usage #PSA_KEY_USAGE_DECRYPT.
3119 * \param alg An asymmetric encryption algorithm that is
3120 * compatible with the type of \p key.
3121 * \param[in] input The message to decrypt.
3122 * \param input_length Size of the \p input buffer in bytes.
3123 * \param[in] salt A salt or label, if supported by the
3124 * encryption algorithm.
3125 * If the algorithm does not support a
3126 * salt, pass \c NULL.
3127 * If the algorithm supports an optional
3128 * salt and you do not want to pass a salt,
3129 * pass \c NULL.
3130 *
3131 * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
3132 * supported.
3133 * \param salt_length Size of the \p salt buffer in bytes.
3134 * If \p salt is \c NULL, pass 0.
3135 * \param[out] output Buffer where the decrypted message is to
3136 * be written.
3137 * \param output_size Size of the \c output buffer in bytes.
3138 * \param[out] output_length On success, the number of bytes
3139 * that make up the returned output.
3140 *
3141 * \retval #PSA_SUCCESS \emptydescription
3142 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3143 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3144 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3145 * The size of the \p output buffer is too small. You can
3146 * determine a sufficient buffer size by calling
3147 * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
3148 * where \c key_type and \c key_bits are the type and bit-size
3149 * respectively of \p key.
3150 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3151 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3152 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3153 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3154 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3155 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3156 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3157 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
3158 * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
3159 * \retval #PSA_ERROR_BAD_STATE
3160 * The library has not been previously initialized by psa_crypto_init().
3161 * It is implementation-dependent whether a failure to initialize
3162 * results in this error code.
3163 */
3164psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
3165 psa_algorithm_t alg,
3166 const uint8_t *input,
3167 size_t input_length,
3168 const uint8_t *salt,
3169 size_t salt_length,
3170 uint8_t *output,
3171 size_t output_size,
3172 size_t *output_length);
3173
3174/**@}*/
3175
3176/** \defgroup key_derivation Key derivation and pseudorandom generation
3177 * @{
3178 */
3179
3180/** The type of the state data structure for key derivation operations.
3181 *
3182 * Before calling any function on a key derivation operation object, the
3183 * application must initialize it by any of the following means:
3184 * - Set the structure to all-bits-zero, for example:
3185 * \code
3186 * psa_key_derivation_operation_t operation;
3187 * memset(&operation, 0, sizeof(operation));
3188 * \endcode
3189 * - Initialize the structure to logical zero values, for example:
3190 * \code
3191 * psa_key_derivation_operation_t operation = {0};
3192 * \endcode
3193 * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
3194 * for example:
3195 * \code
3196 * psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
3197 * \endcode
3198 * - Assign the result of the function psa_key_derivation_operation_init()
3199 * to the structure, for example:
3200 * \code
3201 * psa_key_derivation_operation_t operation;
3202 * operation = psa_key_derivation_operation_init();
3203 * \endcode
3204 *
3205 * This is an implementation-defined \c struct. Applications should not
3206 * make any assumptions about the content of this structure.
3207 * Implementation details can change in future versions without notice.
3208 */
3209typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
3210
3211/** \def PSA_KEY_DERIVATION_OPERATION_INIT
3212 *
3213 * This macro returns a suitable initializer for a key derivation operation
3214 * object of type #psa_key_derivation_operation_t.
3215 */
3216
3217/** Return an initial value for a key derivation operation object.
3218 */
3219static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
3220
3221/** Set up a key derivation operation.
3222 *
3223 * A key derivation algorithm takes some inputs and uses them to generate
3224 * a byte stream in a deterministic way.
3225 * This byte stream can be used to produce keys and other
3226 * cryptographic material.
3227 *
3228 * To derive a key:
3229 * -# Start with an initialized object of type #psa_key_derivation_operation_t.
3230 * -# Call psa_key_derivation_setup() to select the algorithm.
3231 * -# Provide the inputs for the key derivation by calling
3232 * psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
3233 * as appropriate. Which inputs are needed, in what order, and whether
3234 * they may be keys and if so of what type depends on the algorithm.
3235 * -# Optionally set the operation's maximum capacity with
3236 * psa_key_derivation_set_capacity(). You may do this before, in the middle
3237 * of or after providing inputs. For some algorithms, this step is mandatory
3238 * because the output depends on the maximum capacity.
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3239 * -# To derive a key, call psa_key_derivation_output_key() or
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3240 * psa_key_derivation_output_key_custom().
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]3241 * To derive a byte string for a different purpose, call
3242 * psa_key_derivation_output_bytes().
3243 * Successive calls to these functions use successive output bytes
3244 * calculated by the key derivation algorithm.
3245 * -# Clean up the key derivation operation object with
3246 * psa_key_derivation_abort().
3247 *
3248 * If this function returns an error, the key derivation operation object is
3249 * not changed.
3250 *
3251 * If an error occurs at any step after a call to psa_key_derivation_setup(),
3252 * the operation will need to be reset by a call to psa_key_derivation_abort().
3253 *
3254 * Implementations must reject an attempt to derive a key of size 0.
3255 *
3256 * \param[in,out] operation The key derivation operation object
3257 * to set up. It must
3258 * have been initialized but not set up yet.
3259 * \param alg The key derivation algorithm to compute
3260 * (\c PSA_ALG_XXX value such that
3261 * #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
3262 *
3263 * \retval #PSA_SUCCESS
3264 * Success.
3265 * \retval #PSA_ERROR_INVALID_ARGUMENT
3266 * \c alg is not a key derivation algorithm.
3267 * \retval #PSA_ERROR_NOT_SUPPORTED
3268 * \c alg is not supported or is not a key derivation algorithm.
3269 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3270 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3271 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3272 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3273 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3274 * \retval #PSA_ERROR_BAD_STATE
3275 * The operation state is not valid (it must be inactive), or
3276 * the library has not been previously initialized by psa_crypto_init().
3277 * It is implementation-dependent whether a failure to initialize
3278 * results in this error code.
3279 */
3280psa_status_t psa_key_derivation_setup(
3281 psa_key_derivation_operation_t *operation,
3282 psa_algorithm_t alg);
3283
3284/** Retrieve the current capacity of a key derivation operation.
3285 *
3286 * The capacity of a key derivation is the maximum number of bytes that it can
3287 * return. When you get *N* bytes of output from a key derivation operation,
3288 * this reduces its capacity by *N*.
3289 *
3290 * \param[in] operation The operation to query.
3291 * \param[out] capacity On success, the capacity of the operation.
3292 *
3293 * \retval #PSA_SUCCESS \emptydescription
3294 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3295 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3296 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3297 * \retval #PSA_ERROR_BAD_STATE
3298 * The operation state is not valid (it must be active), or
3299 * the library has not been previously initialized by psa_crypto_init().
3300 * It is implementation-dependent whether a failure to initialize
3301 * results in this error code.
3302 */
3303psa_status_t psa_key_derivation_get_capacity(
3304 const psa_key_derivation_operation_t *operation,
3305 size_t *capacity);
3306
3307/** Set the maximum capacity of a key derivation operation.
3308 *
3309 * The capacity of a key derivation operation is the maximum number of bytes
3310 * that the key derivation operation can return from this point onwards.
3311 *
3312 * \param[in,out] operation The key derivation operation object to modify.
3313 * \param capacity The new capacity of the operation.
3314 * It must be less or equal to the operation's
3315 * current capacity.
3316 *
3317 * \retval #PSA_SUCCESS \emptydescription
3318 * \retval #PSA_ERROR_INVALID_ARGUMENT
3319 * \p capacity is larger than the operation's current capacity.
3320 * In this case, the operation object remains valid and its capacity
3321 * remains unchanged.
3322 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3323 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3324 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3325 * \retval #PSA_ERROR_BAD_STATE
3326 * The operation state is not valid (it must be active), or the
3327 * library has not been previously initialized by psa_crypto_init().
3328 * It is implementation-dependent whether a failure to initialize
3329 * results in this error code.
3330 */
3331psa_status_t psa_key_derivation_set_capacity(
3332 psa_key_derivation_operation_t *operation,
3333 size_t capacity);
3334
3335/** Use the maximum possible capacity for a key derivation operation.
3336 *
3337 * Use this value as the capacity argument when setting up a key derivation
3338 * to indicate that the operation should have the maximum possible capacity.
3339 * The value of the maximum possible capacity depends on the key derivation
3340 * algorithm.
3341 */
3342#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t) (-1))
3343
3344/** Provide an input for key derivation or key agreement.
3345 *
3346 * Which inputs are required and in what order depends on the algorithm.
3347 * Refer to the documentation of each key derivation or key agreement
3348 * algorithm for information.
3349 *
3350 * This function passes direct inputs, which is usually correct for
3351 * non-secret inputs. To pass a secret input, which should be in a key
3352 * object, call psa_key_derivation_input_key() instead of this function.
3353 * Refer to the documentation of individual step types
3354 * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
3355 * for more information.
3356 *
3357 * If this function returns an error status, the operation enters an error
3358 * state and must be aborted by calling psa_key_derivation_abort().
3359 *
3360 * \param[in,out] operation The key derivation operation object to use.
3361 * It must have been set up with
3362 * psa_key_derivation_setup() and must not
3363 * have produced any output yet.
3364 * \param step Which step the input data is for.
3365 * \param[in] data Input data to use.
3366 * \param data_length Size of the \p data buffer in bytes.
3367 *
3368 * \retval #PSA_SUCCESS
3369 * Success.
3370 * \retval #PSA_ERROR_INVALID_ARGUMENT
3371 * \c step is not compatible with the operation's algorithm, or
3372 * \c step does not allow direct inputs.
3373 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3374 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3375 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3376 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3377 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3378 * \retval #PSA_ERROR_BAD_STATE
3379 * The operation state is not valid for this input \p step, or
3380 * the library has not been previously initialized by psa_crypto_init().
3381 * It is implementation-dependent whether a failure to initialize
3382 * results in this error code.
3383 */
3384psa_status_t psa_key_derivation_input_bytes(
3385 psa_key_derivation_operation_t *operation,
3386 psa_key_derivation_step_t step,
3387 const uint8_t *data,
3388 size_t data_length);
3389
3390/** Provide a numeric input for key derivation or key agreement.
3391 *
3392 * Which inputs are required and in what order depends on the algorithm.
3393 * However, when an algorithm requires a particular order, numeric inputs
3394 * usually come first as they tend to be configuration parameters.
3395 * Refer to the documentation of each key derivation or key agreement
3396 * algorithm for information.
3397 *
3398 * This function is used for inputs which are fixed-size non-negative
3399 * integers.
3400 *
3401 * If this function returns an error status, the operation enters an error
3402 * state and must be aborted by calling psa_key_derivation_abort().
3403 *
3404 * \param[in,out] operation The key derivation operation object to use.
3405 * It must have been set up with
3406 * psa_key_derivation_setup() and must not
3407 * have produced any output yet.
3408 * \param step Which step the input data is for.
3409 * \param[in] value The value of the numeric input.
3410 *
3411 * \retval #PSA_SUCCESS
3412 * Success.
3413 * \retval #PSA_ERROR_INVALID_ARGUMENT
3414 * \c step is not compatible with the operation's algorithm, or
3415 * \c step does not allow numeric inputs.
3416 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3417 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3418 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3419 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3420 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3421 * \retval #PSA_ERROR_BAD_STATE
3422 * The operation state is not valid for this input \p step, or
3423 * the library has not been previously initialized by psa_crypto_init().
3424 * It is implementation-dependent whether a failure to initialize
3425 * results in this error code.
3426 */
3427psa_status_t psa_key_derivation_input_integer(
3428 psa_key_derivation_operation_t *operation,
3429 psa_key_derivation_step_t step,
3430 uint64_t value);
3431
3432/** Provide an input for key derivation in the form of a key.
3433 *
3434 * Which inputs are required and in what order depends on the algorithm.
3435 * Refer to the documentation of each key derivation or key agreement
3436 * algorithm for information.
3437 *
3438 * This function obtains input from a key object, which is usually correct for
3439 * secret inputs or for non-secret personalization strings kept in the key
3440 * store. To pass a non-secret parameter which is not in the key store,
3441 * call psa_key_derivation_input_bytes() instead of this function.
3442 * Refer to the documentation of individual step types
3443 * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
3444 * for more information.
3445 *
3446 * If this function returns an error status, the operation enters an error
3447 * state and must be aborted by calling psa_key_derivation_abort().
3448 *
3449 * \param[in,out] operation The key derivation operation object to use.
3450 * It must have been set up with
3451 * psa_key_derivation_setup() and must not
3452 * have produced any output yet.
3453 * \param step Which step the input data is for.
3454 * \param key Identifier of the key. It must have an
3455 * appropriate type for step and must allow the
3456 * usage #PSA_KEY_USAGE_DERIVE or
3457 * #PSA_KEY_USAGE_VERIFY_DERIVATION (see note)
3458 * and the algorithm used by the operation.
3459 *
3460 * \note Once all inputs steps are completed, the operations will allow:
3461 * - psa_key_derivation_output_bytes() if each input was either a direct input
3462 * or a key with #PSA_KEY_USAGE_DERIVE set;
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3463 * - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom()
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3464 * if the input for step
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]3465 * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
3466 * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
3467 * either a direct input or a key with #PSA_KEY_USAGE_DERIVE set;
3468 * - psa_key_derivation_verify_bytes() if each input was either a direct input
3469 * or a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set;
3470 * - psa_key_derivation_verify_key() under the same conditions as
3471 * psa_key_derivation_verify_bytes().
3472 *
3473 * \retval #PSA_SUCCESS
3474 * Success.
3475 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3476 * \retval #PSA_ERROR_NOT_PERMITTED
3477 * The key allows neither #PSA_KEY_USAGE_DERIVE nor
3478 * #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
3479 * algorithm.
3480 * \retval #PSA_ERROR_INVALID_ARGUMENT
3481 * \c step is not compatible with the operation's algorithm, or
3482 * \c step does not allow key inputs of the given type
3483 * or does not allow key inputs at all.
3484 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3485 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3486 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3487 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3488 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3489 * \retval #PSA_ERROR_BAD_STATE
3490 * The operation state is not valid for this input \p step, or
3491 * the library has not been previously initialized by psa_crypto_init().
3492 * It is implementation-dependent whether a failure to initialize
3493 * results in this error code.
3494 */
3495psa_status_t psa_key_derivation_input_key(
3496 psa_key_derivation_operation_t *operation,
3497 psa_key_derivation_step_t step,
3498 mbedtls_svc_key_id_t key);
3499
3500/** Perform a key agreement and use the shared secret as input to a key
3501 * derivation.
3502 *
3503 * A key agreement algorithm takes two inputs: a private key \p private_key
3504 * a public key \p peer_key.
3505 * The result of this function is passed as input to a key derivation.
3506 * The output of this key derivation can be extracted by reading from the
3507 * resulting operation to produce keys and other cryptographic material.
3508 *
3509 * If this function returns an error status, the operation enters an error
3510 * state and must be aborted by calling psa_key_derivation_abort().
3511 *
3512 * \param[in,out] operation The key derivation operation object to use.
3513 * It must have been set up with
3514 * psa_key_derivation_setup() with a
3515 * key agreement and derivation algorithm
3516 * \c alg (\c PSA_ALG_XXX value such that
3517 * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
3518 * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
3519 * is false).
3520 * The operation must be ready for an
3521 * input of the type given by \p step.
3522 * \param step Which step the input data is for.
3523 * \param private_key Identifier of the private key to use. It must
3524 * allow the usage #PSA_KEY_USAGE_DERIVE.
3525 * \param[in] peer_key Public key of the peer. The peer key must be in the
3526 * same format that psa_import_key() accepts for the
3527 * public key type corresponding to the type of
3528 * private_key. That is, this function performs the
3529 * equivalent of
3530 * #psa_import_key(...,
3531 * `peer_key`, `peer_key_length`) where
3532 * with key attributes indicating the public key
3533 * type corresponding to the type of `private_key`.
3534 * For example, for EC keys, this means that peer_key
3535 * is interpreted as a point on the curve that the
3536 * private key is on. The standard formats for public
3537 * keys are documented in the documentation of
3538 * psa_export_public_key().
3539 * \param peer_key_length Size of \p peer_key in bytes.
3540 *
3541 * \retval #PSA_SUCCESS
3542 * Success.
3543 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3544 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3545 * \retval #PSA_ERROR_INVALID_ARGUMENT
3546 * \c private_key is not compatible with \c alg,
3547 * or \p peer_key is not valid for \c alg or not compatible with
3548 * \c private_key, or \c step does not allow an input resulting
3549 * from a key agreement.
3550 * \retval #PSA_ERROR_NOT_SUPPORTED
3551 * \c alg is not supported or is not a key derivation algorithm.
3552 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3553 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3554 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3555 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3556 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3557 * \retval #PSA_ERROR_BAD_STATE
3558 * The operation state is not valid for this key agreement \p step,
3559 * or the library has not been previously initialized by psa_crypto_init().
3560 * It is implementation-dependent whether a failure to initialize
3561 * results in this error code.
3562 */
3563psa_status_t psa_key_derivation_key_agreement(
3564 psa_key_derivation_operation_t *operation,
3565 psa_key_derivation_step_t step,
3566 mbedtls_svc_key_id_t private_key,
3567 const uint8_t *peer_key,
3568 size_t peer_key_length);
3569
3570/** Read some data from a key derivation operation.
3571 *
3572 * This function calculates output bytes from a key derivation algorithm and
3573 * return those bytes.
3574 * If you view the key derivation's output as a stream of bytes, this
3575 * function destructively reads the requested number of bytes from the
3576 * stream.
3577 * The operation's capacity decreases by the number of bytes read.
3578 *
3579 * If this function returns an error status other than
3580 * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
3581 * state and must be aborted by calling psa_key_derivation_abort().
3582 *
3583 * \param[in,out] operation The key derivation operation object to read from.
3584 * \param[out] output Buffer where the output will be written.
3585 * \param output_length Number of bytes to output.
3586 *
3587 * \retval #PSA_SUCCESS \emptydescription
3588 * \retval #PSA_ERROR_NOT_PERMITTED
3589 * One of the inputs was a key whose policy didn't allow
3590 * #PSA_KEY_USAGE_DERIVE.
3591 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3592 * The operation's capacity was less than
3593 * \p output_length bytes. Note that in this case,
3594 * no output is written to the output buffer.
3595 * The operation's capacity is set to 0, thus
3596 * subsequent calls to this function will not
3597 * succeed, even with a smaller output buffer.
3598 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3599 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3600 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3601 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3602 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3603 * \retval #PSA_ERROR_BAD_STATE
3604 * The operation state is not valid (it must be active and completed
3605 * all required input steps), or the library has not been previously
3606 * initialized by psa_crypto_init().
3607 * It is implementation-dependent whether a failure to initialize
3608 * results in this error code.
3609 */
3610psa_status_t psa_key_derivation_output_bytes(
3611 psa_key_derivation_operation_t *operation,
3612 uint8_t *output,
3613 size_t output_length);
3614
3615/** Derive a key from an ongoing key derivation operation.
3616 *
3617 * This function calculates output bytes from a key derivation algorithm
3618 * and uses those bytes to generate a key deterministically.
3619 * The key's location, usage policy, type and size are taken from
3620 * \p attributes.
3621 *
3622 * If you view the key derivation's output as a stream of bytes, this
3623 * function destructively reads as many bytes as required from the
3624 * stream.
3625 * The operation's capacity decreases by the number of bytes read.
3626 *
3627 * If this function returns an error status other than
3628 * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
3629 * state and must be aborted by calling psa_key_derivation_abort().
3630 *
3631 * How much output is produced and consumed from the operation, and how
3632 * the key is derived, depends on the key type and on the key size
3633 * (denoted \c bits below):
3634 *
3635 * - For key types for which the key is an arbitrary sequence of bytes
3636 * of a given size, this function is functionally equivalent to
3637 * calling #psa_key_derivation_output_bytes
3638 * and passing the resulting output to #psa_import_key.
3639 * However, this function has a security benefit:
3640 * if the implementation provides an isolation boundary then
3641 * the key material is not exposed outside the isolation boundary.
3642 * As a consequence, for these key types, this function always consumes
3643 * exactly (\c bits / 8) bytes from the operation.
3644 * The following key types defined in this specification follow this scheme:
3645 *
3646 * - #PSA_KEY_TYPE_AES;
3647 * - #PSA_KEY_TYPE_ARIA;
3648 * - #PSA_KEY_TYPE_CAMELLIA;
3649 * - #PSA_KEY_TYPE_DERIVE;
3650 * - #PSA_KEY_TYPE_HMAC;
3651 * - #PSA_KEY_TYPE_PASSWORD_HASH.
3652 *
3653 * - For ECC keys on a Montgomery elliptic curve
3654 * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
3655 * Montgomery curve), this function always draws a byte string whose
3656 * length is determined by the curve, and sets the mandatory bits
3657 * accordingly. That is:
3658 *
3659 * - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
3660 * string and process it as specified in RFC 7748 &sect;5.
3661 * - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
3662 * string and process it as specified in RFC 7748 &sect;5.
3663 *
3664 * - For key types for which the key is represented by a single sequence of
3665 * \c bits bits with constraints as to which bit sequences are acceptable,
3666 * this function draws a byte string of length (\c bits / 8) bytes rounded
3667 * up to the nearest whole number of bytes. If the resulting byte string
3668 * is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
3669 * This process is repeated until an acceptable byte string is drawn.
3670 * The byte string drawn from the operation is interpreted as specified
3671 * for the output produced by psa_export_key().
3672 * The following key types defined in this specification follow this scheme:
3673 *
3674 * - #PSA_KEY_TYPE_DES.
3675 * Force-set the parity bits, but discard forbidden weak keys.
3676 * For 2-key and 3-key triple-DES, the three keys are generated
3677 * successively (for example, for 3-key triple-DES,
3678 * if the first 8 bytes specify a weak key and the next 8 bytes do not,
3679 * discard the first 8 bytes, use the next 8 bytes as the first key,
3680 * and continue reading output from the operation to derive the other
3681 * two keys).
3682 * - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group)
3683 * where \c group designates any Diffie-Hellman group) and
3684 * ECC keys on a Weierstrass elliptic curve
3685 * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
3686 * Weierstrass curve).
3687 * For these key types, interpret the byte string as integer
3688 * in big-endian order. Discard it if it is not in the range
3689 * [0, *N* - 2] where *N* is the boundary of the private key domain
3690 * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
3691 * or the order of the curve's base point for ECC).
3692 * Add 1 to the resulting integer and use this as the private key *x*.
3693 * This method allows compliance to NIST standards, specifically
3694 * the methods titled "key-pair generation by testing candidates"
3695 * in NIST SP 800-56A &sect;5.6.1.1.4 for Diffie-Hellman,
3696 * in FIPS 186-4 &sect;B.1.2 for DSA, and
3697 * in NIST SP 800-56A &sect;5.6.1.2.2 or
3698 * FIPS 186-4 &sect;B.4.2 for elliptic curve keys.
3699 *
3700 * - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR,
3701 * the way in which the operation output is consumed is
3702 * implementation-defined.
3703 *
3704 * In all cases, the data that is read is discarded from the operation.
3705 * The operation's capacity is decreased by the number of bytes read.
3706 *
3707 * For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET,
3708 * the input to that step must be provided with psa_key_derivation_input_key().
3709 * Future versions of this specification may include additional restrictions
3710 * on the derived key based on the attributes and strength of the secret key.
3711 *
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3712 * \note This function is equivalent to calling
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3713 * psa_key_derivation_output_key_custom()
3714 * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
3715 * and `custom_data_length == 0` (i.e. `custom_data` is empty).
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3716 *
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]3717 * \param[in] attributes The attributes for the new key.
3718 * If the key type to be created is
3719 * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
3720 * the policy must be the same as in the current
3721 * operation.
3722 * \param[in,out] operation The key derivation operation object to read from.
3723 * \param[out] key On success, an identifier for the newly created
3724 * key. For persistent keys, this is the key
3725 * identifier defined in \p attributes.
3726 * \c 0 on failure.
3727 *
3728 * \retval #PSA_SUCCESS
3729 * Success.
3730 * If the key is persistent, the key material and the key's metadata
3731 * have been saved to persistent storage.
3732 * \retval #PSA_ERROR_ALREADY_EXISTS
3733 * This is an attempt to create a persistent key, and there is
3734 * already a persistent key with the given identifier.
3735 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3736 * There was not enough data to create the desired key.
3737 * Note that in this case, no output is written to the output buffer.
3738 * The operation's capacity is set to 0, thus subsequent calls to
3739 * this function will not succeed, even with a smaller output buffer.
3740 * \retval #PSA_ERROR_NOT_SUPPORTED
3741 * The key type or key size is not supported, either by the
3742 * implementation in general or in this particular location.
3743 * \retval #PSA_ERROR_INVALID_ARGUMENT
3744 * The provided key attributes are not valid for the operation.
3745 * \retval #PSA_ERROR_NOT_PERMITTED
3746 * The #PSA_KEY_DERIVATION_INPUT_SECRET or
3747 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
3748 * key; or one of the inputs was a key whose policy didn't allow
3749 * #PSA_KEY_USAGE_DERIVE.
3750 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3751 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
3752 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3753 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3754 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3755 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
3756 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
3757 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3758 * \retval #PSA_ERROR_BAD_STATE
3759 * The operation state is not valid (it must be active and completed
3760 * all required input steps), or the library has not been previously
3761 * initialized by psa_crypto_init().
3762 * It is implementation-dependent whether a failure to initialize
3763 * results in this error code.
3764 */
3765psa_status_t psa_key_derivation_output_key(
3766 const psa_key_attributes_t *attributes,
3767 psa_key_derivation_operation_t *operation,
3768 mbedtls_svc_key_id_t *key);
3769
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3770/** Derive a key from an ongoing key derivation operation with custom
3771 * production parameters.
3772 *
3773 * See the description of psa_key_derivation_out_key() for the operation of
3774 * this function with the default production parameters.
3775 * Mbed TLS currently does not currently support any non-default production
3776 * parameters.
3777 *
3778 * \note This function is experimental and may change in future minor
3779 * versions of Mbed TLS.
3780 *
3781 * \param[in] attributes The attributes for the new key.
3782 * If the key type to be created is
3783 * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
3784 * the policy must be the same as in the current
3785 * operation.
3786 * \param[in,out] operation The key derivation operation object to read from.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3787 * \param[in] custom Customization parameters for the key generation.
3788 * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
3789 * with \p custom_data_length = 0,
3790 * this function is equivalent to
3791 * psa_key_derivation_output_key().
3792 * \param[in] custom_data Variable-length data associated with \c custom.
3793 * \param custom_data_length
3794 * Length of `custom_data` in bytes.
3795 * \param[out] key On success, an identifier for the newly created
3796 * key. For persistent keys, this is the key
3797 * identifier defined in \p attributes.
3798 * \c 0 on failure.
3799 *
3800 * \retval #PSA_SUCCESS
3801 * Success.
3802 * If the key is persistent, the key material and the key's metadata
3803 * have been saved to persistent storage.
3804 * \retval #PSA_ERROR_ALREADY_EXISTS
3805 * This is an attempt to create a persistent key, and there is
3806 * already a persistent key with the given identifier.
3807 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3808 * There was not enough data to create the desired key.
3809 * Note that in this case, no output is written to the output buffer.
3810 * The operation's capacity is set to 0, thus subsequent calls to
3811 * this function will not succeed, even with a smaller output buffer.
3812 * \retval #PSA_ERROR_NOT_SUPPORTED
3813 * The key type or key size is not supported, either by the
3814 * implementation in general or in this particular location.
3815 * \retval #PSA_ERROR_INVALID_ARGUMENT
3816 * The provided key attributes are not valid for the operation.
3817 * \retval #PSA_ERROR_NOT_PERMITTED
3818 * The #PSA_KEY_DERIVATION_INPUT_SECRET or
3819 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
3820 * key; or one of the inputs was a key whose policy didn't allow
3821 * #PSA_KEY_USAGE_DERIVE.
3822 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3823 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
3824 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3825 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3826 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3827 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
3828 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
3829 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3830 * \retval #PSA_ERROR_BAD_STATE
3831 * The operation state is not valid (it must be active and completed
3832 * all required input steps), or the library has not been previously
3833 * initialized by psa_crypto_init().
3834 * It is implementation-dependent whether a failure to initialize
3835 * results in this error code.
3836 */
3837psa_status_t psa_key_derivation_output_key_custom(
3838 const psa_key_attributes_t *attributes,
3839 psa_key_derivation_operation_t *operation,
3840 const psa_custom_key_parameters_t *custom,
3841 const uint8_t *custom_data,
3842 size_t custom_data_length,
3843 mbedtls_svc_key_id_t *key);
3844
3845#ifndef __cplusplus
3846/* Omitted when compiling in C++, because one of the parameters is a
3847 * pointer to a struct with a flexible array member, and that is not
3848 * standard C++.
3849 * https://github.com/Mbed-TLS/mbedtls/issues/9020
3850 */
3851/** Derive a key from an ongoing key derivation operation with custom
3852 * production parameters.
3853 *
3854 * \note
3855 * This is a deprecated variant of psa_key_derivation_output_key_custom().
3856 * It is equivalent except that the associated variable-length data
3857 * is passed in `params->data` instead of a separate parameter.
3858 * This function will be removed in a future version of Mbed TLS.
3859 *
3860 * \param[in] attributes The attributes for the new key.
3861 * If the key type to be created is
3862 * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
3863 * the policy must be the same as in the current
3864 * operation.
3865 * \param[in,out] operation The key derivation operation object to read from.
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3866 * \param[in] params Customization parameters for the key derivation.
3867 * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
3868 * with \p params_data_length = 0,
3869 * this function is equivalent to
3870 * psa_key_derivation_output_key().
3871 * Mbed TLS currently only supports the default
3872 * production parameters, i.e.
3873 * #PSA_KEY_PRODUCTION_PARAMETERS_INIT,
3874 * for all key types.
3875 * \param params_data_length
3876 * Length of `params->data` in bytes.
3877 * \param[out] key On success, an identifier for the newly created
3878 * key. For persistent keys, this is the key
3879 * identifier defined in \p attributes.
3880 * \c 0 on failure.
3881 *
3882 * \retval #PSA_SUCCESS
3883 * Success.
3884 * If the key is persistent, the key material and the key's metadata
3885 * have been saved to persistent storage.
3886 * \retval #PSA_ERROR_ALREADY_EXISTS
3887 * This is an attempt to create a persistent key, and there is
3888 * already a persistent key with the given identifier.
3889 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3890 * There was not enough data to create the desired key.
3891 * Note that in this case, no output is written to the output buffer.
3892 * The operation's capacity is set to 0, thus subsequent calls to
3893 * this function will not succeed, even with a smaller output buffer.
3894 * \retval #PSA_ERROR_NOT_SUPPORTED
3895 * The key type or key size is not supported, either by the
3896 * implementation in general or in this particular location.
3897 * \retval #PSA_ERROR_INVALID_ARGUMENT
3898 * The provided key attributes are not valid for the operation.
3899 * \retval #PSA_ERROR_NOT_PERMITTED
3900 * The #PSA_KEY_DERIVATION_INPUT_SECRET or
3901 * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
3902 * key; or one of the inputs was a key whose policy didn't allow
3903 * #PSA_KEY_USAGE_DERIVE.
3904 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3905 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
3906 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3907 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3908 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3909 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
3910 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
3911 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3912 * \retval #PSA_ERROR_BAD_STATE
3913 * The operation state is not valid (it must be active and completed
3914 * all required input steps), or the library has not been previously
3915 * initialized by psa_crypto_init().
3916 * It is implementation-dependent whether a failure to initialize
3917 * results in this error code.
3918 */
3919psa_status_t psa_key_derivation_output_key_ext(
3920 const psa_key_attributes_t *attributes,
3921 psa_key_derivation_operation_t *operation,
3922 const psa_key_production_parameters_t *params,
3923 size_t params_data_length,
3924 mbedtls_svc_key_id_t *key);
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3925#endif /* !__cplusplus */
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]3926
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]3927/** Compare output data from a key derivation operation to an expected value.
3928 *
3929 * This function calculates output bytes from a key derivation algorithm and
3930 * compares those bytes to an expected value in constant time.
3931 * If you view the key derivation's output as a stream of bytes, this
3932 * function destructively reads the expected number of bytes from the
3933 * stream before comparing them.
3934 * The operation's capacity decreases by the number of bytes read.
3935 *
3936 * This is functionally equivalent to the following code:
3937 * \code
3938 * psa_key_derivation_output_bytes(operation, tmp, output_length);
3939 * if (memcmp(output, tmp, output_length) != 0)
3940 * return PSA_ERROR_INVALID_SIGNATURE;
3941 * \endcode
3942 * except (1) it works even if the key's policy does not allow outputting the
3943 * bytes, and (2) the comparison will be done in constant time.
3944 *
3945 * If this function returns an error status other than
3946 * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
3947 * the operation enters an error state and must be aborted by calling
3948 * psa_key_derivation_abort().
3949 *
3950 * \param[in,out] operation The key derivation operation object to read from.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3951 * \param[in] expected Buffer containing the expected derivation output.
3952 * \param expected_length Length of the expected output; this is also the
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]3953 * number of bytes that will be read.
3954 *
3955 * \retval #PSA_SUCCESS \emptydescription
3956 * \retval #PSA_ERROR_INVALID_SIGNATURE
3957 * The output was read successfully, but it differs from the expected
3958 * output.
3959 * \retval #PSA_ERROR_NOT_PERMITTED
3960 * One of the inputs was a key whose policy didn't allow
3961 * #PSA_KEY_USAGE_VERIFY_DERIVATION.
3962 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3963 * The operation's capacity was less than
3964 * \p output_length bytes. Note that in this case,
3965 * the operation's capacity is set to 0, thus
3966 * subsequent calls to this function will not
3967 * succeed, even with a smaller expected output.
3968 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3969 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3970 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3971 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3972 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3973 * \retval #PSA_ERROR_BAD_STATE
3974 * The operation state is not valid (it must be active and completed
3975 * all required input steps), or the library has not been previously
3976 * initialized by psa_crypto_init().
3977 * It is implementation-dependent whether a failure to initialize
3978 * results in this error code.
3979 */
3980psa_status_t psa_key_derivation_verify_bytes(
3981 psa_key_derivation_operation_t *operation,
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]3982 const uint8_t *expected,
3983 size_t expected_length);
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]3984
3985/** Compare output data from a key derivation operation to an expected value
3986 * stored in a key object.
3987 *
3988 * This function calculates output bytes from a key derivation algorithm and
3989 * compares those bytes to an expected value, provided as key of type
3990 * #PSA_KEY_TYPE_PASSWORD_HASH.
3991 * If you view the key derivation's output as a stream of bytes, this
3992 * function destructively reads the number of bytes corresponding to the
3993 * length of the expected value from the stream before comparing them.
3994 * The operation's capacity decreases by the number of bytes read.
3995 *
3996 * This is functionally equivalent to exporting the key and calling
3997 * psa_key_derivation_verify_bytes() on the result, except that it
3998 * works even if the key cannot be exported.
3999 *
4000 * If this function returns an error status other than
4001 * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
4002 * the operation enters an error state and must be aborted by calling
4003 * psa_key_derivation_abort().
4004 *
4005 * \param[in,out] operation The key derivation operation object to read from.
4006 * \param[in] expected A key of type #PSA_KEY_TYPE_PASSWORD_HASH
4007 * containing the expected output. Its policy must
4008 * include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
4009 * and the permitted algorithm must match the
4010 * operation. The value of this key was likely
4011 * computed by a previous call to
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4012 * psa_key_derivation_output_key() or
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]4013 * psa_key_derivation_output_key_custom().
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]4014 *
4015 * \retval #PSA_SUCCESS \emptydescription
4016 * \retval #PSA_ERROR_INVALID_SIGNATURE
4017 * The output was read successfully, but if differs from the expected
4018 * output.
4019 * \retval #PSA_ERROR_INVALID_HANDLE
4020 * The key passed as the expected value does not exist.
4021 * \retval #PSA_ERROR_INVALID_ARGUMENT
4022 * The key passed as the expected value has an invalid type.
4023 * \retval #PSA_ERROR_NOT_PERMITTED
4024 * The key passed as the expected value does not allow this usage or
4025 * this algorithm; or one of the inputs was a key whose policy didn't
4026 * allow #PSA_KEY_USAGE_VERIFY_DERIVATION.
4027 * \retval #PSA_ERROR_INSUFFICIENT_DATA
4028 * The operation's capacity was less than
4029 * the length of the expected value. In this case,
4030 * the operation's capacity is set to 0, thus
4031 * subsequent calls to this function will not
4032 * succeed, even with a smaller expected output.
4033 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4034 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4035 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4036 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4037 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4038 * \retval #PSA_ERROR_BAD_STATE
4039 * The operation state is not valid (it must be active and completed
4040 * all required input steps), or the library has not been previously
4041 * initialized by psa_crypto_init().
4042 * It is implementation-dependent whether a failure to initialize
4043 * results in this error code.
4044 */
4045psa_status_t psa_key_derivation_verify_key(
4046 psa_key_derivation_operation_t *operation,
4047 psa_key_id_t expected);
4048
4049/** Abort a key derivation operation.
4050 *
4051 * Aborting an operation frees all associated resources except for the \c
4052 * operation structure itself. Once aborted, the operation object can be reused
4053 * for another operation by calling psa_key_derivation_setup() again.
4054 *
4055 * This function may be called at any time after the operation
4056 * object has been initialized as described in #psa_key_derivation_operation_t.
4057 *
4058 * In particular, it is valid to call psa_key_derivation_abort() twice, or to
4059 * call psa_key_derivation_abort() on an operation that has not been set up.
4060 *
4061 * \param[in,out] operation The operation to abort.
4062 *
4063 * \retval #PSA_SUCCESS \emptydescription
4064 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4065 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4066 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4067 * \retval #PSA_ERROR_BAD_STATE
4068 * The library has not been previously initialized by psa_crypto_init().
4069 * It is implementation-dependent whether a failure to initialize
4070 * results in this error code.
4071 */
4072psa_status_t psa_key_derivation_abort(
4073 psa_key_derivation_operation_t *operation);
4074
4075/** Perform a key agreement and return the raw shared secret.
4076 *
4077 * \warning The raw result of a key agreement algorithm such as finite-field
4078 * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
4079 * not be used directly as key material. It should instead be passed as
4080 * input to a key derivation algorithm. To chain a key agreement with
4081 * a key derivation, use psa_key_derivation_key_agreement() and other
4082 * functions from the key derivation interface.
4083 *
4084 * \param alg The key agreement algorithm to compute
4085 * (\c PSA_ALG_XXX value such that
4086 * #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
4087 * is true).
4088 * \param private_key Identifier of the private key to use. It must
4089 * allow the usage #PSA_KEY_USAGE_DERIVE.
4090 * \param[in] peer_key Public key of the peer. It must be
4091 * in the same format that psa_import_key()
4092 * accepts. The standard formats for public
4093 * keys are documented in the documentation
4094 * of psa_export_public_key().
4095 * \param peer_key_length Size of \p peer_key in bytes.
4096 * \param[out] output Buffer where the decrypted message is to
4097 * be written.
4098 * \param output_size Size of the \c output buffer in bytes.
4099 * \param[out] output_length On success, the number of bytes
4100 * that make up the returned output.
4101 *
4102 * \retval #PSA_SUCCESS
4103 * Success.
4104 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
4105 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
4106 * \retval #PSA_ERROR_INVALID_ARGUMENT
4107 * \p alg is not a key agreement algorithm, or
4108 * \p private_key is not compatible with \p alg,
4109 * or \p peer_key is not valid for \p alg or not compatible with
4110 * \p private_key.
4111 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
4112 * \p output_size is too small
4113 * \retval #PSA_ERROR_NOT_SUPPORTED
4114 * \p alg is not a supported key agreement algorithm.
4115 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4116 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4117 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4118 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4119 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4120 * \retval #PSA_ERROR_BAD_STATE
4121 * The library has not been previously initialized by psa_crypto_init().
4122 * It is implementation-dependent whether a failure to initialize
4123 * results in this error code.
4124 */
4125psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
4126 mbedtls_svc_key_id_t private_key,
4127 const uint8_t *peer_key,
4128 size_t peer_key_length,
4129 uint8_t *output,
4130 size_t output_size,
4131 size_t *output_length);
4132
4133/**@}*/
4134
4135/** \defgroup random Random generation
4136 * @{
4137 */
4138
4139/**
4140 * \brief Generate random bytes.
4141 *
4142 * \warning This function **can** fail! Callers MUST check the return status
4143 * and MUST NOT use the content of the output buffer if the return
4144 * status is not #PSA_SUCCESS.
4145 *
4146 * \note To generate a key, use psa_generate_key() instead.
4147 *
4148 * \param[out] output Output buffer for the generated data.
4149 * \param output_size Number of bytes to generate and output.
4150 *
4151 * \retval #PSA_SUCCESS \emptydescription
4152 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4153 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4154 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4155 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4156 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4157 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4158 * \retval #PSA_ERROR_BAD_STATE
4159 * The library has not been previously initialized by psa_crypto_init().
4160 * It is implementation-dependent whether a failure to initialize
4161 * results in this error code.
4162 */
4163psa_status_t psa_generate_random(uint8_t *output,
4164 size_t output_size);
4165
4166/**
4167 * \brief Generate a key or key pair.
4168 *
4169 * The key is generated randomly.
4170 * Its location, usage policy, type and size are taken from \p attributes.
4171 *
4172 * Implementations must reject an attempt to generate a key of size 0.
4173 *
4174 * The following type-specific considerations apply:
4175 * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR),
4176 * the public exponent is 65537.
4177 * The modulus is a product of two probabilistic primes
4178 * between 2^{n-1} and 2^n where n is the bit size specified in the
4179 * attributes.
4180 *
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]4181 * \note This function is equivalent to calling psa_generate_key_custom()
4182 * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
4183 * and `custom_data_length == 0` (i.e. `custom_data` is empty).
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4184 *
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]4185 * \param[in] attributes The attributes for the new key.
4186 * \param[out] key On success, an identifier for the newly created
4187 * key. For persistent keys, this is the key
4188 * identifier defined in \p attributes.
4189 * \c 0 on failure.
4190 *
4191 * \retval #PSA_SUCCESS
4192 * Success.
4193 * If the key is persistent, the key material and the key's metadata
4194 * have been saved to persistent storage.
4195 * \retval #PSA_ERROR_ALREADY_EXISTS
4196 * This is an attempt to create a persistent key, and there is
4197 * already a persistent key with the given identifier.
4198 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4199 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4200 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4201 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4202 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4203 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4204 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4205 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
4206 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4207 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4208 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4209 * \retval #PSA_ERROR_BAD_STATE
4210 * The library has not been previously initialized by psa_crypto_init().
4211 * It is implementation-dependent whether a failure to initialize
4212 * results in this error code.
4213 */
4214psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
4215 mbedtls_svc_key_id_t *key);
4216
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4217/**
4218 * \brief Generate a key or key pair using custom production parameters.
4219 *
4220 * See the description of psa_generate_key() for the operation of this
4221 * function with the default production parameters. In addition, this function
4222 * supports the following production customizations, described in more detail
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]4223 * in the documentation of ::psa_custom_key_parameters_t:
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4224 *
4225 * - RSA keys: generation with a custom public exponent.
4226 *
4227 * \note This function is experimental and may change in future minor
4228 * versions of Mbed TLS.
4229 *
4230 * \param[in] attributes The attributes for the new key.
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]4231 * \param[in] custom Customization parameters for the key generation.
4232 * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
4233 * with \p custom_data_length = 0,
4234 * this function is equivalent to
4235 * psa_generate_key().
4236 * \param[in] custom_data Variable-length data associated with \c custom.
4237 * \param custom_data_length
4238 * Length of `custom_data` in bytes.
4239 * \param[out] key On success, an identifier for the newly created
4240 * key. For persistent keys, this is the key
4241 * identifier defined in \p attributes.
4242 * \c 0 on failure.
4243 *
4244 * \retval #PSA_SUCCESS
4245 * Success.
4246 * If the key is persistent, the key material and the key's metadata
4247 * have been saved to persistent storage.
4248 * \retval #PSA_ERROR_ALREADY_EXISTS
4249 * This is an attempt to create a persistent key, and there is
4250 * already a persistent key with the given identifier.
4251 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4252 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4253 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4254 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4255 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4256 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4257 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4258 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
4259 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4260 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4261 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4262 * \retval #PSA_ERROR_BAD_STATE
4263 * The library has not been previously initialized by psa_crypto_init().
4264 * It is implementation-dependent whether a failure to initialize
4265 * results in this error code.
4266 */
4267psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
4268 const psa_custom_key_parameters_t *custom,
4269 const uint8_t *custom_data,
4270 size_t custom_data_length,
4271 mbedtls_svc_key_id_t *key);
4272
4273#ifndef __cplusplus
4274/* Omitted when compiling in C++, because one of the parameters is a
4275 * pointer to a struct with a flexible array member, and that is not
4276 * standard C++.
4277 * https://github.com/Mbed-TLS/mbedtls/issues/9020
4278 */
4279/**
4280 * \brief Generate a key or key pair using custom production parameters.
4281 *
4282 * \note
4283 * This is a deprecated variant of psa_key_derivation_output_key_custom().
4284 * It is equivalent except that the associated variable-length data
4285 * is passed in `params->data` instead of a separate parameter.
4286 * This function will be removed in a future version of Mbed TLS.
4287 *
4288 * \param[in] attributes The attributes for the new key.
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4289 * \param[in] params Customization parameters for the key generation.
4290 * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
4291 * with \p params_data_length = 0,
4292 * this function is equivalent to
4293 * psa_generate_key().
4294 * \param params_data_length
4295 * Length of `params->data` in bytes.
4296 * \param[out] key On success, an identifier for the newly created
4297 * key. For persistent keys, this is the key
4298 * identifier defined in \p attributes.
4299 * \c 0 on failure.
4300 *
4301 * \retval #PSA_SUCCESS
4302 * Success.
4303 * If the key is persistent, the key material and the key's metadata
4304 * have been saved to persistent storage.
4305 * \retval #PSA_ERROR_ALREADY_EXISTS
4306 * This is an attempt to create a persistent key, and there is
4307 * already a persistent key with the given identifier.
4308 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4309 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4310 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4311 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4312 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4313 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4314 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4315 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
4316 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4317 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4318 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4319 * \retval #PSA_ERROR_BAD_STATE
4320 * The library has not been previously initialized by psa_crypto_init().
4321 * It is implementation-dependent whether a failure to initialize
4322 * results in this error code.
4323 */
4324psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
4325 const psa_key_production_parameters_t *params,
4326 size_t params_data_length,
4327 mbedtls_svc_key_id_t *key);
Sungbae Yoo4d211f32024-11-19 02:47:55 +0000[diff] [blame]4328#endif /* !__cplusplus */
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4329
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]4330/**@}*/
4331
4332/** \defgroup interruptible_hash Interruptible sign/verify hash
4333 * @{
4334 */
4335
4336/** The type of the state data structure for interruptible hash
4337 * signing operations.
4338 *
4339 * Before calling any function on a sign hash operation object, the
4340 * application must initialize it by any of the following means:
4341 * - Set the structure to all-bits-zero, for example:
4342 * \code
4343 * psa_sign_hash_interruptible_operation_t operation;
4344 * memset(&operation, 0, sizeof(operation));
4345 * \endcode
4346 * - Initialize the structure to logical zero values, for example:
4347 * \code
4348 * psa_sign_hash_interruptible_operation_t operation = {0};
4349 * \endcode
4350 * - Initialize the structure to the initializer
4351 * #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
4352 * \code
4353 * psa_sign_hash_interruptible_operation_t operation =
4354 * PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
4355 * \endcode
4356 * - Assign the result of the function
4357 * psa_sign_hash_interruptible_operation_init() to the structure, for
4358 * example:
4359 * \code
4360 * psa_sign_hash_interruptible_operation_t operation;
4361 * operation = psa_sign_hash_interruptible_operation_init();
4362 * \endcode
4363 *
4364 * This is an implementation-defined \c struct. Applications should not
4365 * make any assumptions about the content of this structure.
4366 * Implementation details can change in future versions without notice. */
4367typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
4368
4369/** The type of the state data structure for interruptible hash
4370 * verification operations.
4371 *
4372 * Before calling any function on a sign hash operation object, the
4373 * application must initialize it by any of the following means:
4374 * - Set the structure to all-bits-zero, for example:
4375 * \code
4376 * psa_verify_hash_interruptible_operation_t operation;
4377 * memset(&operation, 0, sizeof(operation));
4378 * \endcode
4379 * - Initialize the structure to logical zero values, for example:
4380 * \code
4381 * psa_verify_hash_interruptible_operation_t operation = {0};
4382 * \endcode
4383 * - Initialize the structure to the initializer
4384 * #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
4385 * \code
4386 * psa_verify_hash_interruptible_operation_t operation =
4387 * PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
4388 * \endcode
4389 * - Assign the result of the function
4390 * psa_verify_hash_interruptible_operation_init() to the structure, for
4391 * example:
4392 * \code
4393 * psa_verify_hash_interruptible_operation_t operation;
4394 * operation = psa_verify_hash_interruptible_operation_init();
4395 * \endcode
4396 *
4397 * This is an implementation-defined \c struct. Applications should not
4398 * make any assumptions about the content of this structure.
4399 * Implementation details can change in future versions without notice. */
4400typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
4401
4402/**
4403 * \brief Set the maximum number of ops allowed to be
4404 * executed by an interruptible function in a
4405 * single call.
4406 *
4407 * \warning This is a beta API, and thus subject to change
4408 * at any point. It is not bound by the usual
4409 * interface stability promises.
4410 *
4411 * \note The time taken to execute a single op is
4412 * implementation specific and depends on
4413 * software, hardware, the algorithm, key type and
4414 * curve chosen. Even within a single operation,
4415 * successive ops can take differing amounts of
4416 * time. The only guarantee is that lower values
4417 * for \p max_ops means functions will block for a
4418 * lesser maximum amount of time. The functions
4419 * \c psa_sign_interruptible_get_num_ops() and
4420 * \c psa_verify_interruptible_get_num_ops() are
4421 * provided to help with tuning this value.
4422 *
4423 * \note This value defaults to
4424 * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
4425 * means the whole operation will be done in one
4426 * go, regardless of the number of ops required.
4427 *
4428 * \note If more ops are needed to complete a
4429 * computation, #PSA_OPERATION_INCOMPLETE will be
4430 * returned by the function performing the
4431 * computation. It is then the caller's
4432 * responsibility to either call again with the
4433 * same operation context until it returns 0 or an
4434 * error code; or to call the relevant abort
4435 * function if the answer is no longer required.
4436 *
4437 * \note The interpretation of \p max_ops is also
4438 * implementation defined. On a hard real time
4439 * system, this can indicate a hard deadline, as a
4440 * real-time system needs a guarantee of not
4441 * spending more than X time, however care must be
4442 * taken in such an implementation to avoid the
4443 * situation whereby calls just return, not being
4444 * able to do any actual work within the allotted
4445 * time. On a non-real-time system, the
4446 * implementation can be more relaxed, but again
4447 * whether this number should be interpreted as as
4448 * hard or soft limit or even whether a less than
4449 * or equals as regards to ops executed in a
4450 * single call is implementation defined.
4451 *
4452 * \note For keys in local storage when no accelerator
4453 * driver applies, please see also the
4454 * documentation for \c mbedtls_ecp_set_max_ops(),
4455 * which is the internal implementation in these
4456 * cases.
4457 *
4458 * \warning With implementations that interpret this number
4459 * as a hard limit, setting this number too small
4460 * may result in an infinite loop, whereby each
4461 * call results in immediate return with no ops
4462 * done (as there is not enough time to execute
4463 * any), and thus no result will ever be achieved.
4464 *
4465 * \note This only applies to functions whose
4466 * documentation mentions they may return
4467 * #PSA_OPERATION_INCOMPLETE.
4468 *
4469 * \param max_ops The maximum number of ops to be executed in a
4470 * single call. This can be a number from 0 to
4471 * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
4472 * is the least amount of work done per call.
4473 */
4474void psa_interruptible_set_max_ops(uint32_t max_ops);
4475
4476/**
4477 * \brief Get the maximum number of ops allowed to be
4478 * executed by an interruptible function in a
4479 * single call. This will return the last
4480 * value set by
4481 * \c psa_interruptible_set_max_ops() or
4482 * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
4483 * that function has never been called.
4484 *
4485 * \warning This is a beta API, and thus subject to change
4486 * at any point. It is not bound by the usual
4487 * interface stability promises.
4488 *
4489 * \return Maximum number of ops allowed to be
4490 * executed by an interruptible function in a
4491 * single call.
4492 */
4493uint32_t psa_interruptible_get_max_ops(void);
4494
4495/**
4496 * \brief Get the number of ops that a hash signing
4497 * operation has taken so far. If the operation
4498 * has completed, then this will represent the
4499 * number of ops required for the entire
4500 * operation. After initialization or calling
4501 * \c psa_sign_hash_interruptible_abort() on
4502 * the operation, a value of 0 will be returned.
4503 *
4504 * \note This interface is guaranteed re-entrant and
4505 * thus may be called from driver code.
4506 *
4507 * \warning This is a beta API, and thus subject to change
4508 * at any point. It is not bound by the usual
4509 * interface stability promises.
4510 *
4511 * This is a helper provided to help you tune the
4512 * value passed to \c
4513 * psa_interruptible_set_max_ops().
4514 *
4515 * \param operation The \c psa_sign_hash_interruptible_operation_t
4516 * to use. This must be initialized first.
4517 *
4518 * \return Number of ops that the operation has taken so
4519 * far.
4520 */
4521uint32_t psa_sign_hash_get_num_ops(
4522 const psa_sign_hash_interruptible_operation_t *operation);
4523
4524/**
4525 * \brief Get the number of ops that a hash verification
4526 * operation has taken so far. If the operation
4527 * has completed, then this will represent the
4528 * number of ops required for the entire
4529 * operation. After initialization or calling \c
4530 * psa_verify_hash_interruptible_abort() on the
4531 * operation, a value of 0 will be returned.
4532 *
4533 * \warning This is a beta API, and thus subject to change
4534 * at any point. It is not bound by the usual
4535 * interface stability promises.
4536 *
4537 * This is a helper provided to help you tune the
4538 * value passed to \c
4539 * psa_interruptible_set_max_ops().
4540 *
4541 * \param operation The \c
4542 * psa_verify_hash_interruptible_operation_t to
4543 * use. This must be initialized first.
4544 *
4545 * \return Number of ops that the operation has taken so
4546 * far.
4547 */
4548uint32_t psa_verify_hash_get_num_ops(
4549 const psa_verify_hash_interruptible_operation_t *operation);
4550
4551/**
4552 * \brief Start signing a hash or short message with a
4553 * private key, in an interruptible manner.
4554 *
4555 * \see \c psa_sign_hash_complete()
4556 *
4557 * \warning This is a beta API, and thus subject to change
4558 * at any point. It is not bound by the usual
4559 * interface stability promises.
4560 *
4561 * \note This function combined with \c
4562 * psa_sign_hash_complete() is equivalent to
4563 * \c psa_sign_hash() but
4564 * \c psa_sign_hash_complete() can return early and
4565 * resume according to the limit set with \c
4566 * psa_interruptible_set_max_ops() to reduce the
4567 * maximum time spent in a function call.
4568 *
4569 * \note Users should call \c psa_sign_hash_complete()
4570 * repeatedly on the same context after a
4571 * successful call to this function until \c
4572 * psa_sign_hash_complete() either returns 0 or an
4573 * error. \c psa_sign_hash_complete() will return
4574 * #PSA_OPERATION_INCOMPLETE if there is more work
4575 * to do. Alternatively users can call
4576 * \c psa_sign_hash_abort() at any point if they no
4577 * longer want the result.
4578 *
4579 * \note If this function returns an error status, the
4580 * operation enters an error state and must be
4581 * aborted by calling \c psa_sign_hash_abort().
4582 *
4583 * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
4584 * to use. This must be initialized first.
4585 *
4586 * \param key Identifier of the key to use for the operation.
4587 * It must be an asymmetric key pair. The key must
4588 * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
4589 * \param alg A signature algorithm (\c PSA_ALG_XXX
4590 * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
4591 * is true), that is compatible with
4592 * the type of \p key.
4593 * \param[in] hash The hash or message to sign.
4594 * \param hash_length Size of the \p hash buffer in bytes.
4595 *
4596 * \retval #PSA_SUCCESS
4597 * The operation started successfully - call \c psa_sign_hash_complete()
4598 * with the same context to complete the operation
4599 *
4600 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
4601 * \retval #PSA_ERROR_NOT_PERMITTED
4602 * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
4603 * not permit the requested algorithm.
4604 * \retval #PSA_ERROR_BAD_STATE
4605 * An operation has previously been started on this context, and is
4606 * still in progress.
4607 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4608 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4609 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4610 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4611 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4612 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4613 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4614 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4615 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4616 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4617 * \retval #PSA_ERROR_BAD_STATE
4618 * The library has not been previously initialized by psa_crypto_init().
4619 * It is implementation-dependent whether a failure to initialize
4620 * results in this error code.
4621 */
4622psa_status_t psa_sign_hash_start(
4623 psa_sign_hash_interruptible_operation_t *operation,
4624 mbedtls_svc_key_id_t key, psa_algorithm_t alg,
4625 const uint8_t *hash, size_t hash_length);
4626
4627/**
4628 * \brief Continue and eventually complete the action of
4629 * signing a hash or short message with a private
4630 * key, in an interruptible manner.
4631 *
4632 * \see \c psa_sign_hash_start()
4633 *
4634 * \warning This is a beta API, and thus subject to change
4635 * at any point. It is not bound by the usual
4636 * interface stability promises.
4637 *
4638 * \note This function combined with \c
4639 * psa_sign_hash_start() is equivalent to
4640 * \c psa_sign_hash() but this function can return
4641 * early and resume according to the limit set with
4642 * \c psa_interruptible_set_max_ops() to reduce the
4643 * maximum time spent in a function call.
4644 *
4645 * \note Users should call this function on the same
4646 * operation object repeatedly until it either
4647 * returns 0 or an error. This function will return
4648 * #PSA_OPERATION_INCOMPLETE if there is more work
4649 * to do. Alternatively users can call
4650 * \c psa_sign_hash_abort() at any point if they no
4651 * longer want the result.
4652 *
4653 * \note When this function returns successfully, the
4654 * operation becomes inactive. If this function
4655 * returns an error status, the operation enters an
4656 * error state and must be aborted by calling
4657 * \c psa_sign_hash_abort().
4658 *
4659 * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
4660 * to use. This must be initialized first, and have
4661 * had \c psa_sign_hash_start() called with it
4662 * first.
4663 *
4664 * \param[out] signature Buffer where the signature is to be written.
4665 * \param signature_size Size of the \p signature buffer in bytes. This
4666 * must be appropriate for the selected
4667 * algorithm and key:
4668 * - The required signature size is
4669 * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
4670 * key_bits, \c alg) where \c key_type and \c
4671 * key_bits are the type and bit-size
4672 * respectively of key.
4673 * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
4674 * maximum signature size of any supported
4675 * signature algorithm.
4676 * \param[out] signature_length On success, the number of bytes that make up
4677 * the returned signature value.
4678 *
4679 * \retval #PSA_SUCCESS
4680 * Operation completed successfully
4681 *
4682 * \retval #PSA_OPERATION_INCOMPLETE
4683 * Operation was interrupted due to the setting of \c
4684 * psa_interruptible_set_max_ops(). There is still work to be done.
4685 * Call this function again with the same operation object.
4686 *
4687 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
4688 * The size of the \p signature buffer is too small. You can
4689 * determine a sufficient buffer size by calling
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4690 * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg)
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]4691 * where \c key_type and \c key_bits are the type and bit-size
Tom Van Eyckb0563632024-06-13 16:20:14 +0200[diff] [blame]4692 * respectively of \c key.
Jens Wiklander32b31802023-10-06 16:59:46 +0200[diff] [blame]4693 *
4694 * \retval #PSA_ERROR_BAD_STATE
4695 * An operation was not previously started on this context via
4696 * \c psa_sign_hash_start().
4697 *
4698 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4699 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4700 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4701 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4702 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4703 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4704 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4705 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4706 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4707 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4708 * \retval #PSA_ERROR_BAD_STATE
4709 * The library has either not been previously initialized by
4710 * psa_crypto_init() or you did not previously call
4711 * psa_sign_hash_start() with this operation object. It is
4712 * implementation-dependent whether a failure to initialize results in
4713 * this error code.
4714 */
4715psa_status_t psa_sign_hash_complete(
4716 psa_sign_hash_interruptible_operation_t *operation,
4717 uint8_t *signature, size_t signature_size,
4718 size_t *signature_length);
4719
4720/**
4721 * \brief Abort a sign hash operation.
4722 *
4723 * \warning This is a beta API, and thus subject to change
4724 * at any point. It is not bound by the usual
4725 * interface stability promises.
4726 *
4727 * \note This function is the only function that clears
4728 * the number of ops completed as part of the
4729 * operation. Please ensure you copy this value via
4730 * \c psa_sign_hash_get_num_ops() if required
4731 * before calling.
4732 *
4733 * \note Aborting an operation frees all associated
4734 * resources except for the \p operation structure
4735 * itself. Once aborted, the operation object can
4736 * be reused for another operation by calling \c
4737 * psa_sign_hash_start() again.
4738 *
4739 * \note You may call this function any time after the
4740 * operation object has been initialized. In
4741 * particular, calling \c psa_sign_hash_abort()
4742 * after the operation has already been terminated
4743 * by a call to \c psa_sign_hash_abort() or
4744 * psa_sign_hash_complete() is safe.
4745 *
4746 * \param[in,out] operation Initialized sign hash operation.
4747 *
4748 * \retval #PSA_SUCCESS
4749 * The operation was aborted successfully.
4750 *
4751 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4752 * \retval #PSA_ERROR_BAD_STATE
4753 * The library has not been previously initialized by psa_crypto_init().
4754 * It is implementation-dependent whether a failure to initialize
4755 * results in this error code.
4756 */
4757psa_status_t psa_sign_hash_abort(
4758 psa_sign_hash_interruptible_operation_t *operation);
4759
4760/**
4761 * \brief Start reading and verifying a hash or short
4762 * message, in an interruptible manner.
4763 *
4764 * \see \c psa_verify_hash_complete()
4765 *
4766 * \warning This is a beta API, and thus subject to change
4767 * at any point. It is not bound by the usual
4768 * interface stability promises.
4769 *
4770 * \note This function combined with \c
4771 * psa_verify_hash_complete() is equivalent to
4772 * \c psa_verify_hash() but \c
4773 * psa_verify_hash_complete() can return early and
4774 * resume according to the limit set with \c
4775 * psa_interruptible_set_max_ops() to reduce the
4776 * maximum time spent in a function.
4777 *
4778 * \note Users should call \c psa_verify_hash_complete()
4779 * repeatedly on the same operation object after a
4780 * successful call to this function until \c
4781 * psa_verify_hash_complete() either returns 0 or
4782 * an error. \c psa_verify_hash_complete() will
4783 * return #PSA_OPERATION_INCOMPLETE if there is
4784 * more work to do. Alternatively users can call
4785 * \c psa_verify_hash_abort() at any point if they
4786 * no longer want the result.
4787 *
4788 * \note If this function returns an error status, the
4789 * operation enters an error state and must be
4790 * aborted by calling \c psa_verify_hash_abort().
4791 *
4792 * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
4793 * to use. This must be initialized first.
4794 *
4795 * \param key Identifier of the key to use for the operation.
4796 * The key must allow the usage
4797 * #PSA_KEY_USAGE_VERIFY_HASH.
4798 * \param alg A signature algorithm (\c PSA_ALG_XXX
4799 * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
4800 * is true), that is compatible with
4801 * the type of \p key.
4802 * \param[in] hash The hash whose signature is to be verified.
4803 * \param hash_length Size of the \p hash buffer in bytes.
4804 * \param[in] signature Buffer containing the signature to verify.
4805 * \param signature_length Size of the \p signature buffer in bytes.
4806 *
4807 * \retval #PSA_SUCCESS
4808 * The operation started successfully - please call \c
4809 * psa_verify_hash_complete() with the same context to complete the
4810 * operation.
4811 *
4812 * \retval #PSA_ERROR_BAD_STATE
4813 * Another operation has already been started on this context, and is
4814 * still in progress.
4815 *
4816 * \retval #PSA_ERROR_NOT_PERMITTED
4817 * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
4818 * not permit the requested algorithm.
4819 *
4820 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4821 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4822 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4823 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4824 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4825 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4826 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4827 * \retval PSA_ERROR_DATA_CORRUPT \emptydescription
4828 * \retval PSA_ERROR_DATA_INVALID \emptydescription
4829 * \retval #PSA_ERROR_BAD_STATE
4830 * The library has not been previously initialized by psa_crypto_init().
4831 * It is implementation-dependent whether a failure to initialize
4832 * results in this error code.
4833 */
4834psa_status_t psa_verify_hash_start(
4835 psa_verify_hash_interruptible_operation_t *operation,
4836 mbedtls_svc_key_id_t key, psa_algorithm_t alg,
4837 const uint8_t *hash, size_t hash_length,
4838 const uint8_t *signature, size_t signature_length);
4839
4840/**
4841 * \brief Continue and eventually complete the action of
4842 * reading and verifying a hash or short message
4843 * signed with a private key, in an interruptible
4844 * manner.
4845 *
4846 * \see \c psa_verify_hash_start()
4847 *
4848 * \warning This is a beta API, and thus subject to change
4849 * at any point. It is not bound by the usual
4850 * interface stability promises.
4851 *
4852 * \note This function combined with \c
4853 * psa_verify_hash_start() is equivalent to
4854 * \c psa_verify_hash() but this function can
4855 * return early and resume according to the limit
4856 * set with \c psa_interruptible_set_max_ops() to
4857 * reduce the maximum time spent in a function
4858 * call.
4859 *
4860 * \note Users should call this function on the same
4861 * operation object repeatedly until it either
4862 * returns 0 or an error. This function will return
4863 * #PSA_OPERATION_INCOMPLETE if there is more work
4864 * to do. Alternatively users can call
4865 * \c psa_verify_hash_abort() at any point if they
4866 * no longer want the result.
4867 *
4868 * \note When this function returns successfully, the
4869 * operation becomes inactive. If this function
4870 * returns an error status, the operation enters an
4871 * error state and must be aborted by calling
4872 * \c psa_verify_hash_abort().
4873 *
4874 * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
4875 * to use. This must be initialized first, and have
4876 * had \c psa_verify_hash_start() called with it
4877 * first.
4878 *
4879 * \retval #PSA_SUCCESS
4880 * Operation completed successfully, and the passed signature is valid.
4881 *
4882 * \retval #PSA_OPERATION_INCOMPLETE
4883 * Operation was interrupted due to the setting of \c
4884 * psa_interruptible_set_max_ops(). There is still work to be done.
4885 * Call this function again with the same operation object.
4886 *
4887 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
4888 * \retval #PSA_ERROR_INVALID_SIGNATURE
4889 * The calculation was performed successfully, but the passed
4890 * signature is not a valid signature.
4891 * \retval #PSA_ERROR_BAD_STATE
4892 * An operation was not previously started on this context via
4893 * \c psa_verify_hash_start().
4894 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4895 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4896 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4897 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4898 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4899 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4900 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4901 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4902 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4903 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4904 * \retval #PSA_ERROR_BAD_STATE
4905 * The library has either not been previously initialized by
4906 * psa_crypto_init() or you did not previously call
4907 * psa_verify_hash_start() on this object. It is
4908 * implementation-dependent whether a failure to initialize results in
4909 * this error code.
4910 */
4911psa_status_t psa_verify_hash_complete(
4912 psa_verify_hash_interruptible_operation_t *operation);
4913
4914/**
4915 * \brief Abort a verify hash operation.
4916 *
4917 * \warning This is a beta API, and thus subject to change at
4918 * any point. It is not bound by the usual interface
4919 * stability promises.
4920 *
4921 * \note This function is the only function that clears the
4922 * number of ops completed as part of the operation.
4923 * Please ensure you copy this value via
4924 * \c psa_verify_hash_get_num_ops() if required
4925 * before calling.
4926 *
4927 * \note Aborting an operation frees all associated
4928 * resources except for the operation structure
4929 * itself. Once aborted, the operation object can be
4930 * reused for another operation by calling \c
4931 * psa_verify_hash_start() again.
4932 *
4933 * \note You may call this function any time after the
4934 * operation object has been initialized.
4935 * In particular, calling \c psa_verify_hash_abort()
4936 * after the operation has already been terminated by
4937 * a call to \c psa_verify_hash_abort() or
4938 * psa_verify_hash_complete() is safe.
4939 *
4940 * \param[in,out] operation Initialized verify hash operation.
4941 *
4942 * \retval #PSA_SUCCESS
4943 * The operation was aborted successfully.
4944 *
4945 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4946 * \retval #PSA_ERROR_BAD_STATE
4947 * The library has not been previously initialized by psa_crypto_init().
4948 * It is implementation-dependent whether a failure to initialize
4949 * results in this error code.
4950 */
4951psa_status_t psa_verify_hash_abort(
4952 psa_verify_hash_interruptible_operation_t *operation);
4953
4954
4955/**@}*/
4956
4957#ifdef __cplusplus
4958}
4959#endif
4960
4961/* The file "crypto_sizes.h" contains definitions for size calculation
4962 * macros whose definitions are implementation-specific. */
4963#include "crypto_sizes.h"
4964
4965/* The file "crypto_struct.h" contains definitions for
4966 * implementation-specific structs that are declared above. */
4967#if defined(MBEDTLS_PSA_CRYPTO_STRUCT_FILE)
4968#include MBEDTLS_PSA_CRYPTO_STRUCT_FILE
4969#else
4970#include "crypto_struct.h"
4971#endif
4972
4973/* The file "crypto_extra.h" contains vendor-specific definitions. This
4974 * can include vendor-defined algorithms, extra functions, etc. */
4975#include "crypto_extra.h"
4976
4977#endif /* PSA_CRYPTO_H */