Platform Security Architecture — cryptography and keystore interface  beta 2 — 2019-02-22
crypto_sizes.h
Go to the documentation of this file.
1 
23 /*
24  * Copyright (C) 2018, ARM Limited, All Rights Reserved
25  * SPDX-License-Identifier: Apache-2.0
26  *
27  * Licensed under the Apache License, Version 2.0 (the "License"); you may
28  * not use this file except in compliance with the License.
29  * You may obtain a copy of the License at
30  *
31  * http://www.apache.org/licenses/LICENSE-2.0
32  *
33  * Unless required by applicable law or agreed to in writing, software
34  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
35  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
36  * See the License for the specific language governing permissions and
37  * limitations under the License.
38  *
39  * This file is part of mbed TLS (https://tls.mbed.org)
40  */
41 
42 #ifndef PSA_CRYPTO_SIZES_H
43 #define PSA_CRYPTO_SIZES_H
44 
45 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
46  * in each of its header files. */
47 #if !defined(MBEDTLS_CONFIG_FILE)
48 #include "../mbedtls/config.h"
49 #else
50 #include MBEDTLS_CONFIG_FILE
51 #endif
52 
53 #define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8)
54 #define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8)
55 
70 #define PSA_HASH_SIZE(alg) \
71  ( \
72  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD2 ? 16 : \
73  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD4 ? 16 : \
74  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16 : \
75  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20 : \
76  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20 : \
77  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28 : \
78  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32 : \
79  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48 : \
80  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64 : \
81  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28 : \
82  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32 : \
83  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28 : \
84  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32 : \
85  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48 : \
86  PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 : \
87  0)
88 
97 /* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
98  * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
99  * HMAC-SHA3-512. */
100 #if defined(MBEDTLS_SHA512_C)
101 #define PSA_HASH_MAX_SIZE 64
102 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
103 #else
104 #define PSA_HASH_MAX_SIZE 32
105 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
106 #endif
107 
116 /* All non-HMAC MACs have a maximum size that's smaller than the
117  * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
118 /* Note that the encoding of truncated MAC algorithms limits this value
119  * to 64 bytes.
120  */
121 #define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
122 
138 #define PSA_AEAD_TAG_LENGTH(alg) \
139  (PSA_ALG_IS_AEAD(alg) ? \
140  (((alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> PSA_AEAD_TAG_LENGTH_OFFSET) : \
141  0)
142 
143 /* The maximum size of an RSA key on this implementation, in bits.
144  * This is a vendor-specific macro.
145  *
146  * Mbed TLS does not set a hard limit on the size of RSA keys: any key
147  * whose parameters fit in a bignum is accepted. However large keys can
148  * induce a large memory usage and long computation times. Unlike other
149  * auxiliary macros in this file and in crypto.h, which reflect how the
150  * library is configured, this macro defines how the library is
151  * configured. This implementation refuses to import or generate an
152  * RSA key whose size is larger than the value defined here.
153  *
154  * Note that an implementation may set different size limits for different
155  * operations, and does not need to accept all key sizes up to the limit. */
156 #define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
157 
158 /* The maximum size of an ECC key on this implementation, in bits.
159  * This is a vendor-specific macro. */
160 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
161 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 521
162 #elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
163 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 512
164 #elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
165 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 448
166 #elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
167 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
168 #elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
169 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
170 #elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
171 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
172 #elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
173 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
174 #elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
175 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
176 #elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
177 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 255
178 #elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
179 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
180 #elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
181 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
182 #elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
183 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
184 #elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
185 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
186 #else
187 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 0
188 #endif
189 
204 #define PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN 128
205 
214 #define PSA_ASYMMETRIC_SIGNATURE_MAX_SIZE \
215  PSA_BITS_TO_BYTES( \
216  PSA_VENDOR_RSA_MAX_KEY_BITS > PSA_VENDOR_ECC_MAX_CURVE_BITS ? \
217  PSA_VENDOR_RSA_MAX_KEY_BITS : \
218  PSA_VENDOR_ECC_MAX_CURVE_BITS \
219  )
220 
222 #define PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE 16
223 
241 #define PSA_MAC_FINAL_SIZE(key_type, key_bits, alg) \
242  ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) : \
243  PSA_ALG_IS_HMAC(alg) ? PSA_HASH_SIZE(PSA_ALG_HMAC_GET_HASH(alg)) : \
244  PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type) : \
245  ((void)(key_type), (void)(key_bits), 0))
246 
266 #define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(alg, plaintext_length) \
267  (PSA_AEAD_TAG_LENGTH(alg) != 0 ? \
268  (plaintext_length) + PSA_AEAD_TAG_LENGTH(alg) : \
269  0)
270 
289 #define PSA_AEAD_FINISH_OUTPUT_SIZE(alg) \
290  ((size_t)0)
291 
311 #define PSA_AEAD_DECRYPT_OUTPUT_SIZE(alg, ciphertext_length) \
312  (PSA_AEAD_TAG_LENGTH(alg) != 0 ? \
313  (plaintext_length) - PSA_AEAD_TAG_LENGTH(alg) : \
314  0)
315 
316 #define PSA_RSA_MINIMUM_PADDING_SIZE(alg) \
317  (PSA_ALG_IS_RSA_OAEP(alg) ? \
318  2 * PSA_HASH_FINAL_SIZE(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1 : \
319  11 /*PKCS#1v1.5*/)
320 
329 #define PSA_ECDSA_SIGNATURE_SIZE(curve_bits) \
330  (PSA_BITS_TO_BYTES(curve_bits) * 2)
331 
358 #define PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE(key_type, key_bits, alg) \
359  (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void)alg, PSA_BITS_TO_BYTES(key_bits)) : \
360  PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \
361  ((void)alg, 0))
362 
389 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg) \
390  (PSA_KEY_TYPE_IS_RSA(key_type) ? \
391  ((void)alg, PSA_BITS_TO_BYTES(key_bits)) : \
392  0)
393 
420 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg) \
421  (PSA_KEY_TYPE_IS_RSA(key_type) ? \
422  PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) : \
423  0)
424 
425 /* Maximum size of the ASN.1 encoding of an INTEGER with the specified
426  * number of bits.
427  *
428  * This definition assumes that bits <= 2^19 - 9 so that the length field
429  * is at most 3 bytes. The length of the encoding is the length of the
430  * bit string padded to a whole number of bytes plus:
431  * - 1 type byte;
432  * - 1 to 3 length bytes;
433  * - 0 to 1 bytes of leading 0 due to the sign bit.
434  */
435 #define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits) \
436  ((bits) / 8 + 5)
437 
438 /* Maximum size of the export encoding of an RSA public key.
439  * Assumes that the public exponent is less than 2^32.
440  *
441  * SubjectPublicKeyInfo ::= SEQUENCE {
442  * algorithm AlgorithmIdentifier,
443  * subjectPublicKey BIT STRING } -- contains RSAPublicKey
444  * AlgorithmIdentifier ::= SEQUENCE {
445  * algorithm OBJECT IDENTIFIER,
446  * parameters NULL }
447  * RSAPublicKey ::= SEQUENCE {
448  * modulus INTEGER, -- n
449  * publicExponent INTEGER } -- e
450  *
451  * - 3 * 4 bytes of SEQUENCE overhead;
452  * - 1 + 1 + 9 bytes of algorithm (RSA OID);
453  * - 2 bytes of NULL;
454  * - 4 bytes of BIT STRING overhead;
455  * - n : INTEGER;
456  * - 7 bytes for the public exponent.
457  */
458 #define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) \
459  (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 36)
460 
461 /* Maximum size of the export encoding of an RSA key pair.
462  * Assumes thatthe public exponent is less than 2^32 and that the size
463  * difference between the two primes is at most 1 bit.
464  *
465  * RSAPrivateKey ::= SEQUENCE {
466  * version Version, -- 0
467  * modulus INTEGER, -- N-bit
468  * publicExponent INTEGER, -- 32-bit
469  * privateExponent INTEGER, -- N-bit
470  * prime1 INTEGER, -- N/2-bit
471  * prime2 INTEGER, -- N/2-bit
472  * exponent1 INTEGER, -- N/2-bit
473  * exponent2 INTEGER, -- N/2-bit
474  * coefficient INTEGER, -- N/2-bit
475  * }
476  *
477  * - 4 bytes of SEQUENCE overhead;
478  * - 3 bytes of version;
479  * - 7 half-size INTEGERs plus 2 full-size INTEGERs,
480  * overapproximated as 9 half-size INTEGERS;
481  * - 7 bytes for the public exponent.
482  */
483 #define PSA_KEY_EXPORT_RSA_KEYPAIR_MAX_SIZE(key_bits) \
484  (9 * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2 + 1) + 14)
485 
486 /* Maximum size of the export encoding of a DSA public key.
487  *
488  * SubjectPublicKeyInfo ::= SEQUENCE {
489  * algorithm AlgorithmIdentifier,
490  * subjectPublicKey BIT STRING } -- contains DSAPublicKey
491  * AlgorithmIdentifier ::= SEQUENCE {
492  * algorithm OBJECT IDENTIFIER,
493  * parameters Dss-Parms } -- SEQUENCE of 3 INTEGERs
494  * DSAPublicKey ::= INTEGER -- public key, Y
495  *
496  * - 3 * 4 bytes of SEQUENCE overhead;
497  * - 1 + 1 + 7 bytes of algorithm (DSA OID);
498  * - 4 bytes of BIT STRING overhead;
499  * - 3 full-size INTEGERs (p, g, y);
500  * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).
501  */
502 #define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) \
503  (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 59)
504 
505 /* Maximum size of the export encoding of a DSA key pair.
506  *
507  * DSAPrivateKey ::= SEQUENCE {
508  * version Version, -- 0
509  * prime INTEGER, -- p
510  * subprime INTEGER, -- q
511  * generator INTEGER, -- g
512  * public INTEGER, -- y
513  * private INTEGER, -- x
514  * }
515  *
516  * - 4 bytes of SEQUENCE overhead;
517  * - 3 bytes of version;
518  * - 3 full-size INTEGERs (p, g, y);
519  * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).
520  */
521 #define PSA_KEY_EXPORT_DSA_KEYPAIR_MAX_SIZE(key_bits) \
522  (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 75)
523 
524 /* Maximum size of the export encoding of an ECC public key.
525  *
526  * SubjectPublicKeyInfo ::= SEQUENCE {
527  * algorithm AlgorithmIdentifier,
528  * subjectPublicKey BIT STRING } -- contains ECPoint
529  * AlgorithmIdentifier ::= SEQUENCE {
530  * algorithm OBJECT IDENTIFIER,
531  * parameters OBJECT IDENTIFIER } -- namedCurve
532  * ECPoint ::= ...
533  * -- first 8 bits: 0x04;
534  * -- then x_P as a `ceiling(m/8)`-byte string, big endian;
535  * -- then y_P as a `ceiling(m/8)`-byte string, big endian;
536  * -- where `m` is the bit size associated with the curve.
537  *
538  * - 2 * 4 bytes of SEQUENCE overhead;
539  * - 1 + 1 + 7 bytes of algorithm (id-ecPublicKey OID);
540  * - 1 + 1 + 12 bytes of namedCurve OID;
541  * - 4 bytes of BIT STRING overhead;
542  * - 1 byte + 2 * point size in ECPoint.
543  */
544 #define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) \
545  (2 * PSA_BITS_TO_BYTES(key_bits) + 36)
546 
547 /* Maximum size of the export encoding of an ECC key pair.
548  *
549  * An ECC key pair is represented by the secret value.
550  */
551 #define PSA_KEY_EXPORT_ECC_KEYPAIR_MAX_SIZE(key_bits) \
552  (PSA_BITS_TO_BYTES(key_bits))
553 
610 #define PSA_KEY_EXPORT_MAX_SIZE(key_type, key_bits) \
611  (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
612  (key_type) == PSA_KEY_TYPE_RSA_KEYPAIR ? PSA_KEY_EXPORT_RSA_KEYPAIR_MAX_SIZE(key_bits) : \
613  (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
614  (key_type) == PSA_KEY_TYPE_DSA_KEYPAIR ? PSA_KEY_EXPORT_DSA_KEYPAIR_MAX_SIZE(key_bits) : \
615  (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
616  PSA_KEY_TYPE_IS_ECC_KEYPAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEYPAIR_MAX_SIZE(key_bits) : \
617  PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
618  0)
619 
620 #endif /* PSA_CRYPTO_SIZES_H */