| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 1 | /** | 
|  | 2 | * \file psa/crypto.h | 
|  | 3 | * \brief Platform Security Architecture cryptography module | 
|  | 4 | */ | 
| Jaeden Amero | cab5494 | 2018-07-25 13:26:13 +0100 | [diff] [blame] | 5 | /* | 
|  | 6 | *  Copyright (C) 2018, ARM Limited, All Rights Reserved | 
|  | 7 | *  SPDX-License-Identifier: Apache-2.0 | 
|  | 8 | * | 
|  | 9 | *  Licensed under the Apache License, Version 2.0 (the "License"); you may | 
|  | 10 | *  not use this file except in compliance with the License. | 
|  | 11 | *  You may obtain a copy of the License at | 
|  | 12 | * | 
|  | 13 | *  http://www.apache.org/licenses/LICENSE-2.0 | 
|  | 14 | * | 
|  | 15 | *  Unless required by applicable law or agreed to in writing, software | 
|  | 16 | *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | 
|  | 17 | *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 
|  | 18 | *  See the License for the specific language governing permissions and | 
|  | 19 | *  limitations under the License. | 
|  | 20 | */ | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 21 |  | 
|  | 22 | #ifndef PSA_CRYPTO_H | 
|  | 23 | #define PSA_CRYPTO_H | 
|  | 24 |  | 
|  | 25 | #include "crypto_platform.h" | 
|  | 26 |  | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 27 | #include <stddef.h> | 
|  | 28 |  | 
| Gilles Peskine | 62a7e7e | 2018-02-07 21:54:47 +0100 | [diff] [blame] | 29 | #ifdef __DOXYGEN_ONLY__ | 
| Gilles Peskine | f5b9fa1 | 2018-03-07 16:40:18 +0100 | [diff] [blame] | 30 | /* This __DOXYGEN_ONLY__ block contains mock definitions for things that | 
|  | 31 | * must be defined in the crypto_platform.h header. These mock definitions | 
|  | 32 | * are present in this file as a convenience to generate pretty-printed | 
|  | 33 | * documentation that includes those definitions. */ | 
|  | 34 |  | 
| Gilles Peskine | 62a7e7e | 2018-02-07 21:54:47 +0100 | [diff] [blame] | 35 | /** \defgroup platform Implementation-specific definitions | 
|  | 36 | * @{ | 
|  | 37 | */ | 
|  | 38 |  | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 39 | /** \brief Key slot number. | 
|  | 40 | * | 
|  | 41 | * This type represents key slots. It must be an unsigned integral | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 42 | * type. The choice of type is implementation-dependent. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 43 | * 0 is not a valid key slot number. The meaning of other values is | 
|  | 44 | * implementation dependent. | 
|  | 45 | * | 
|  | 46 | * At any given point in time, each key slot either contains a | 
|  | 47 | * cryptographic object, or is empty. Key slots are persistent: | 
|  | 48 | * once set, the cryptographic object remains in the key slot until | 
|  | 49 | * explicitly destroyed. | 
|  | 50 | */ | 
|  | 51 | typedef _unsigned_integral_type_ psa_key_slot_t; | 
|  | 52 |  | 
| Gilles Peskine | 62a7e7e | 2018-02-07 21:54:47 +0100 | [diff] [blame] | 53 | /**@}*/ | 
| Gilles Peskine | f5b9fa1 | 2018-03-07 16:40:18 +0100 | [diff] [blame] | 54 | #endif /* __DOXYGEN_ONLY__ */ | 
| Gilles Peskine | 62a7e7e | 2018-02-07 21:54:47 +0100 | [diff] [blame] | 55 |  | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 56 | #ifdef __cplusplus | 
|  | 57 | extern "C" { | 
|  | 58 | #endif | 
|  | 59 |  | 
|  | 60 | /** \defgroup basic Basic definitions | 
|  | 61 | * @{ | 
|  | 62 | */ | 
|  | 63 |  | 
| Gilles Peskine | e9a0a9d | 2018-06-20 13:59:04 +0200 | [diff] [blame] | 64 | #if defined(PSA_SUCCESS) | 
|  | 65 | /* If PSA_SUCCESS is defined, assume that PSA crypto is being used | 
|  | 66 | * together with PSA IPC, which also defines the identifier | 
|  | 67 | * PSA_SUCCESS. We must not define PSA_SUCCESS ourselves in that case; | 
|  | 68 | * the other error code names don't clash. Also define psa_status_t as | 
|  | 69 | * an alias for the type used by PSA IPC. This is a temporary hack | 
| mohammad1603 | 13f4394 | 2018-08-05 12:09:44 +0300 | [diff] [blame] | 70 | * until we unify error reporting in PSA IPC and PSA crypto. | 
| Gilles Peskine | e9a0a9d | 2018-06-20 13:59:04 +0200 | [diff] [blame] | 71 | * | 
|  | 72 | * Note that psa_defs.h must be included before this header! | 
|  | 73 | */ | 
|  | 74 | typedef psa_error_t psa_status_t; | 
|  | 75 |  | 
|  | 76 | #else /* defined(PSA_SUCCESS) */ | 
|  | 77 |  | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 78 | /** | 
|  | 79 | * \brief Function return status. | 
|  | 80 | * | 
| Gilles Peskine | e9a0a9d | 2018-06-20 13:59:04 +0200 | [diff] [blame] | 81 | * This is either #PSA_SUCCESS (which is zero), indicating success, | 
|  | 82 | * or a nonzero value indicating that an error occurred. Errors are | 
|  | 83 | * encoded as one of the \c PSA_ERROR_xxx values defined here. | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 84 | */ | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 85 | typedef int32_t psa_status_t; | 
| Gilles Peskine | e9a0a9d | 2018-06-20 13:59:04 +0200 | [diff] [blame] | 86 |  | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 87 | /** The action was completed successfully. */ | 
|  | 88 | #define PSA_SUCCESS ((psa_status_t)0) | 
| Gilles Peskine | e9a0a9d | 2018-06-20 13:59:04 +0200 | [diff] [blame] | 89 |  | 
|  | 90 | #endif /* !defined(PSA_SUCCESS) */ | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 91 |  | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 92 | /** An error occurred that does not correspond to any defined | 
|  | 93 | * failure cause. | 
|  | 94 | * | 
|  | 95 | * Implementations may use this error code if none of the other standard | 
|  | 96 | * error codes are applicable. */ | 
|  | 97 | #define PSA_ERROR_UNKNOWN_ERROR         ((psa_status_t)1) | 
|  | 98 |  | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 99 | /** The requested operation or a parameter is not supported | 
|  | 100 | * by this implementation. | 
|  | 101 | * | 
|  | 102 | * Implementations should return this error code when an enumeration | 
|  | 103 | * parameter such as a key type, algorithm, etc. is not recognized. | 
|  | 104 | * If a combination of parameters is recognized and identified as | 
|  | 105 | * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 106 | #define PSA_ERROR_NOT_SUPPORTED         ((psa_status_t)2) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 107 |  | 
|  | 108 | /** The requested action is denied by a policy. | 
|  | 109 | * | 
|  | 110 | * Implementations should return this error code when the parameters | 
|  | 111 | * are recognized as valid and supported, and a policy explicitly | 
|  | 112 | * denies the requested operation. | 
|  | 113 | * | 
|  | 114 | * If a subset of the parameters of a function call identify a | 
|  | 115 | * forbidden operation, and another subset of the parameters are | 
|  | 116 | * not valid or not supported, it is unspecified whether the function | 
|  | 117 | * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or | 
|  | 118 | * #PSA_ERROR_INVALID_ARGUMENT. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 119 | #define PSA_ERROR_NOT_PERMITTED         ((psa_status_t)3) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 120 |  | 
|  | 121 | /** An output buffer is too small. | 
|  | 122 | * | 
| Gilles Peskine | be42f31 | 2018-07-13 14:38:15 +0200 | [diff] [blame] | 123 | * Applications can call the \c PSA_xxx_SIZE macro listed in the function | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 124 | * description to determine a sufficient buffer size. | 
|  | 125 | * | 
|  | 126 | * Implementations should preferably return this error code only | 
|  | 127 | * in cases when performing the operation with a larger output | 
|  | 128 | * buffer would succeed. However implementations may return this | 
|  | 129 | * error if a function has invalid or unsupported parameters in addition | 
|  | 130 | * to the parameters that determine the necessary output buffer size. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 131 | #define PSA_ERROR_BUFFER_TOO_SMALL      ((psa_status_t)4) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 132 |  | 
|  | 133 | /** A slot is occupied, but must be empty to carry out the | 
|  | 134 | * requested action. | 
|  | 135 | * | 
|  | 136 | * If the slot number is invalid (i.e. the requested action could | 
|  | 137 | * not be performed even after erasing the slot's content), | 
|  | 138 | * implementations shall return #PSA_ERROR_INVALID_ARGUMENT instead. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 139 | #define PSA_ERROR_OCCUPIED_SLOT         ((psa_status_t)5) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 140 |  | 
|  | 141 | /** A slot is empty, but must be occupied to carry out the | 
|  | 142 | * requested action. | 
|  | 143 | * | 
|  | 144 | * If the slot number is invalid (i.e. the requested action could | 
|  | 145 | * not be performed even after creating appropriate content in the slot), | 
|  | 146 | * implementations shall return #PSA_ERROR_INVALID_ARGUMENT instead. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 147 | #define PSA_ERROR_EMPTY_SLOT            ((psa_status_t)6) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 148 |  | 
|  | 149 | /** The requested action cannot be performed in the current state. | 
|  | 150 | * | 
|  | 151 | * Multipart operations return this error when one of the | 
|  | 152 | * functions is called out of sequence. Refer to the function | 
|  | 153 | * descriptions for permitted sequencing of functions. | 
|  | 154 | * | 
|  | 155 | * Implementations shall not return this error code to indicate | 
|  | 156 | * that a key slot is occupied when it needs to be free or vice versa, | 
|  | 157 | * but shall return #PSA_ERROR_OCCUPIED_SLOT or #PSA_ERROR_EMPTY_SLOT | 
|  | 158 | * as applicable. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 159 | #define PSA_ERROR_BAD_STATE             ((psa_status_t)7) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 160 |  | 
|  | 161 | /** The parameters passed to the function are invalid. | 
|  | 162 | * | 
|  | 163 | * Implementations may return this error any time a parameter or | 
|  | 164 | * combination of parameters are recognized as invalid. | 
|  | 165 | * | 
|  | 166 | * Implementations shall not return this error code to indicate | 
|  | 167 | * that a key slot is occupied when it needs to be free or vice versa, | 
|  | 168 | * but shall return #PSA_ERROR_OCCUPIED_SLOT or #PSA_ERROR_EMPTY_SLOT | 
|  | 169 | * as applicable. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 170 | #define PSA_ERROR_INVALID_ARGUMENT      ((psa_status_t)8) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 171 |  | 
|  | 172 | /** There is not enough runtime memory. | 
|  | 173 | * | 
|  | 174 | * If the action is carried out across multiple security realms, this | 
|  | 175 | * error can refer to available memory in any of the security realms. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 176 | #define PSA_ERROR_INSUFFICIENT_MEMORY   ((psa_status_t)9) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 177 |  | 
|  | 178 | /** There is not enough persistent storage. | 
|  | 179 | * | 
|  | 180 | * Functions that modify the key storage return this error code if | 
|  | 181 | * there is insufficient storage space on the host media. In addition, | 
|  | 182 | * many functions that do not otherwise access storage may return this | 
|  | 183 | * error code if the implementation requires a mandatory log entry for | 
|  | 184 | * the requested action and the log storage space is full. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 185 | #define PSA_ERROR_INSUFFICIENT_STORAGE  ((psa_status_t)10) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 186 |  | 
|  | 187 | /** There was a communication failure inside the implementation. | 
|  | 188 | * | 
|  | 189 | * This can indicate a communication failure between the application | 
|  | 190 | * and an external cryptoprocessor or between the cryptoprocessor and | 
|  | 191 | * an external volatile or persistent memory. A communication failure | 
|  | 192 | * may be transient or permanent depending on the cause. | 
|  | 193 | * | 
|  | 194 | * \warning If a function returns this error, it is undetermined | 
|  | 195 | * whether the requested action has completed or not. Implementations | 
|  | 196 | * should return #PSA_SUCCESS on successful completion whenver | 
|  | 197 | * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 198 | * if the requested action was completed successfully in an external | 
|  | 199 | * cryptoprocessor but there was a breakdown of communication before | 
|  | 200 | * the cryptoprocessor could report the status to the application. | 
|  | 201 | */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 202 | #define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)11) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 203 |  | 
|  | 204 | /** There was a storage failure that may have led to data loss. | 
|  | 205 | * | 
|  | 206 | * This error indicates that some persistent storage is corrupted. | 
|  | 207 | * It should not be used for a corruption of volatile memory | 
|  | 208 | * (use #PSA_ERROR_TAMPERING_DETECTED), for a communication error | 
|  | 209 | * between the cryptoprocessor and its external storage (use | 
|  | 210 | * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is | 
|  | 211 | * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE). | 
|  | 212 | * | 
|  | 213 | * Note that a storage failure does not indicate that any data that was | 
|  | 214 | * previously read is invalid. However this previously read data may no | 
|  | 215 | * longer be readable from storage. | 
|  | 216 | * | 
|  | 217 | * When a storage failure occurs, it is no longer possible to ensure | 
|  | 218 | * the global integrity of the keystore. Depending on the global | 
|  | 219 | * integrity guarantees offered by the implementation, access to other | 
|  | 220 | * data may or may not fail even if the data is still readable but | 
|  | 221 | * its integrity canont be guaranteed. | 
|  | 222 | * | 
|  | 223 | * Implementations should only use this error code to report a | 
|  | 224 | * permanent storage corruption. However application writers should | 
|  | 225 | * keep in mind that transient errors while reading the storage may be | 
|  | 226 | * reported using this error code. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 227 | #define PSA_ERROR_STORAGE_FAILURE       ((psa_status_t)12) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 228 |  | 
|  | 229 | /** A hardware failure was detected. | 
|  | 230 | * | 
|  | 231 | * A hardware failure may be transient or permanent depending on the | 
|  | 232 | * cause. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 233 | #define PSA_ERROR_HARDWARE_FAILURE      ((psa_status_t)13) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 234 |  | 
|  | 235 | /** A tampering attempt was detected. | 
|  | 236 | * | 
|  | 237 | * If an application receives this error code, there is no guarantee | 
|  | 238 | * that previously accessed or computed data was correct and remains | 
|  | 239 | * confidential. Applications should not perform any security function | 
|  | 240 | * and should enter a safe failure state. | 
|  | 241 | * | 
|  | 242 | * Implementations may return this error code if they detect an invalid | 
|  | 243 | * state that cannot happen during normal operation and that indicates | 
|  | 244 | * that the implementation's security guarantees no longer hold. Depending | 
|  | 245 | * on the implementation architecture and on its security and safety goals, | 
|  | 246 | * the implementation may forcibly terminate the application. | 
|  | 247 | * | 
|  | 248 | * This error code is intended as a last resort when a security breach | 
|  | 249 | * is detected and it is unsure whether the keystore data is still | 
|  | 250 | * protected. Implementations shall only return this error code | 
|  | 251 | * to report an alarm from a tampering detector, to indicate that | 
|  | 252 | * the confidentiality of stored data can no longer be guaranteed, | 
|  | 253 | * or to indicate that the integrity of previously returned data is now | 
|  | 254 | * considered compromised. Implementations shall not use this error code | 
|  | 255 | * to indicate a hardware failure that merely makes it impossible to | 
|  | 256 | * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE, | 
|  | 257 | * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE, | 
|  | 258 | * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code | 
|  | 259 | * instead). | 
|  | 260 | * | 
|  | 261 | * This error indicates an attack against the application. Implementations | 
|  | 262 | * shall not return this error code as a consequence of the behavior of | 
|  | 263 | * the application itself. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 264 | #define PSA_ERROR_TAMPERING_DETECTED    ((psa_status_t)14) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 265 |  | 
|  | 266 | /** There is not enough entropy to generate random data needed | 
|  | 267 | * for the requested action. | 
|  | 268 | * | 
|  | 269 | * This error indicates a failure of a hardware random generator. | 
|  | 270 | * Application writers should note that this error can be returned not | 
|  | 271 | * only by functions whose purpose is to generate random data, such | 
|  | 272 | * as key, IV or nonce generation, but also by functions that execute | 
|  | 273 | * an algorithm with a randomized result, as well as functions that | 
|  | 274 | * use randomization of intermediate computations as a countermeasure | 
|  | 275 | * to certain attacks. | 
|  | 276 | * | 
|  | 277 | * Implementations should avoid returning this error after psa_crypto_init() | 
|  | 278 | * has succeeded. Implementations should generate sufficient | 
|  | 279 | * entropy during initialization and subsequently use a cryptographically | 
|  | 280 | * secure pseudorandom generator (PRNG). However implementations may return | 
|  | 281 | * this error at any time if a policy requires the PRNG to be reseeded | 
|  | 282 | * during normal operation. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 283 | #define PSA_ERROR_INSUFFICIENT_ENTROPY  ((psa_status_t)15) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 284 |  | 
|  | 285 | /** The signature, MAC or hash is incorrect. | 
|  | 286 | * | 
|  | 287 | * Verification functions return this error if the verification | 
|  | 288 | * calculations completed successfully, and the value to be verified | 
|  | 289 | * was determined to be incorrect. | 
|  | 290 | * | 
|  | 291 | * If the value to verify has an invalid size, implementations may return | 
|  | 292 | * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 293 | #define PSA_ERROR_INVALID_SIGNATURE     ((psa_status_t)16) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 294 |  | 
|  | 295 | /** The decrypted padding is incorrect. | 
|  | 296 | * | 
|  | 297 | * \warning In some protocols, when decrypting data, it is essential that | 
|  | 298 | * the behavior of the application does not depend on whether the padding | 
|  | 299 | * is correct, down to precise timing. Applications should prefer | 
|  | 300 | * protocols that use authenticated encryption rather than plain | 
|  | 301 | * encryption. If the application must perform a decryption of | 
|  | 302 | * unauthenticated data, the application writer should take care not | 
|  | 303 | * to reveal whether the padding is invalid. | 
|  | 304 | * | 
|  | 305 | * Implementations should strive to make valid and invalid padding | 
|  | 306 | * as close as possible to indistinguishable to an external observer. | 
|  | 307 | * In particular, the timing of a decryption operation should not | 
|  | 308 | * depend on the validity of the padding. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 309 | #define PSA_ERROR_INVALID_PADDING       ((psa_status_t)17) | 
| itayzafrir | c2a7976 | 2018-06-18 16:20:16 +0300 | [diff] [blame] | 310 |  | 
| Gilles Peskine | eab56e4 | 2018-07-12 17:12:33 +0200 | [diff] [blame] | 311 | /** The generator has insufficient capacity left. | 
|  | 312 | * | 
|  | 313 | * Once a function returns this error, attempts to read from the | 
|  | 314 | * generator will always return this error. */ | 
| itayzafrir | f26dbfc | 2018-08-01 16:09:08 +0300 | [diff] [blame] | 315 | #define PSA_ERROR_INSUFFICIENT_CAPACITY ((psa_status_t)18) | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 316 |  | 
|  | 317 | /** | 
|  | 318 | * \brief Library initialization. | 
|  | 319 | * | 
|  | 320 | * Applications must call this function before calling any other | 
|  | 321 | * function in this module. | 
|  | 322 | * | 
|  | 323 | * Applications may call this function more than once. Once a call | 
|  | 324 | * succeeds, subsequent calls are guaranteed to succeed. | 
|  | 325 | * | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 326 | * If the application calls other functions before calling psa_crypto_init(), | 
|  | 327 | * the behavior is undefined. Implementations are encouraged to either perform | 
|  | 328 | * the operation as if the library had been initialized or to return | 
|  | 329 | * #PSA_ERROR_BAD_STATE or some other applicable error. In particular, | 
|  | 330 | * implementations should not return a success status if the lack of | 
|  | 331 | * initialization may have security implications, for example due to improper | 
|  | 332 | * seeding of the random number generator. | 
|  | 333 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 334 | * \retval #PSA_SUCCESS | 
|  | 335 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 336 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 337 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 338 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 339 | * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 340 | */ | 
|  | 341 | psa_status_t psa_crypto_init(void); | 
|  | 342 |  | 
| Gilles Peskine | 2905a7a | 2018-03-07 16:39:31 +0100 | [diff] [blame] | 343 | #define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8) | 
|  | 344 | #define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8) | 
| Gilles Peskine | 0189e75 | 2018-02-03 23:57:22 +0100 | [diff] [blame] | 345 |  | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 346 | /**@}*/ | 
|  | 347 |  | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 348 | /** \defgroup crypto_types Key and algorithm types | 
|  | 349 | * @{ | 
|  | 350 | */ | 
|  | 351 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 352 | /** \brief Encoding of a key type. | 
|  | 353 | */ | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 354 | typedef uint32_t psa_key_type_t; | 
|  | 355 |  | 
| Gilles Peskine | f5b9fa1 | 2018-03-07 16:40:18 +0100 | [diff] [blame] | 356 | /** An invalid key type value. | 
|  | 357 | * | 
|  | 358 | * Zero is not the encoding of any key type. | 
|  | 359 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 360 | #define PSA_KEY_TYPE_NONE                       ((psa_key_type_t)0x00000000) | 
| Gilles Peskine | f5b9fa1 | 2018-03-07 16:40:18 +0100 | [diff] [blame] | 361 |  | 
|  | 362 | /** Vendor-defined flag | 
|  | 363 | * | 
|  | 364 | * Key types defined by this standard will never have the | 
|  | 365 | * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types | 
|  | 366 | * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should | 
|  | 367 | * respect the bitwise structure used by standard encodings whenever practical. | 
|  | 368 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 369 | #define PSA_KEY_TYPE_VENDOR_FLAG                ((psa_key_type_t)0x80000000) | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 370 |  | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 371 | #define PSA_KEY_TYPE_CATEGORY_MASK              ((psa_key_type_t)0x70000000) | 
|  | 372 | #define PSA_KEY_TYPE_CATEGORY_SYMMETRIC         ((psa_key_type_t)0x40000000) | 
|  | 373 | #define PSA_KEY_TYPE_CATEGORY_RAW               ((psa_key_type_t)0x50000000) | 
|  | 374 | #define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY        ((psa_key_type_t)0x60000000) | 
|  | 375 | #define PSA_KEY_TYPE_CATEGORY_KEY_PAIR          ((psa_key_type_t)0x70000000) | 
|  | 376 |  | 
|  | 377 | #define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR         ((psa_key_type_t)0x10000000) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 378 |  | 
| Gilles Peskine | e877974 | 2018-08-10 16:10:56 +0200 | [diff] [blame] | 379 | /** Whether a key type is vendor-defined. */ | 
|  | 380 | #define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \ | 
|  | 381 | (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0) | 
|  | 382 |  | 
|  | 383 | /** Whether a key type is an unstructured array of bytes. | 
|  | 384 | * | 
|  | 385 | * This encompasses both symmetric keys and non-key data. | 
|  | 386 | */ | 
|  | 387 | #define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \ | 
|  | 388 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK & ~(psa_key_type_t)0x10000000) == \ | 
|  | 389 | PSA_KEY_TYPE_CATEGORY_SYMMETRIC) | 
|  | 390 |  | 
|  | 391 | /** Whether a key type is asymmetric: either a key pair or a public key. */ | 
|  | 392 | #define PSA_KEY_TYPE_IS_ASYMMETRIC(type)                                \ | 
|  | 393 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK                               \ | 
|  | 394 | & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) ==                            \ | 
|  | 395 | PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY) | 
|  | 396 | /** Whether a key type is the public part of a key pair. */ | 
|  | 397 | #define PSA_KEY_TYPE_IS_PUBLIC_KEY(type)                                \ | 
|  | 398 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY) | 
|  | 399 | /** Whether a key type is a key pair containing a private part and a public | 
|  | 400 | * part. */ | 
|  | 401 | #define PSA_KEY_TYPE_IS_KEYPAIR(type)                                   \ | 
|  | 402 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR) | 
|  | 403 | /** The key pair type corresponding to a public key type. | 
|  | 404 | * | 
|  | 405 | * You may also pass a key pair type as \p type, it will be left unchanged. | 
|  | 406 | * | 
|  | 407 | * \param type      A public key type or key pair type. | 
|  | 408 | * | 
|  | 409 | * \return          The corresponding key pair type. | 
|  | 410 | *                  If \p type is not a public key or a key pair, | 
|  | 411 | *                  the return value is undefined. | 
|  | 412 | */ | 
|  | 413 | #define PSA_KEY_TYPE_KEYPAIR_OF_PUBLIC_KEY(type)        \ | 
|  | 414 | ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) | 
|  | 415 | /** The public key type corresponding to a key pair type. | 
|  | 416 | * | 
|  | 417 | * You may also pass a key pair type as \p type, it will be left unchanged. | 
|  | 418 | * | 
|  | 419 | * \param type      A public key type or key pair type. | 
|  | 420 | * | 
|  | 421 | * \return          The corresponding public key type. | 
|  | 422 | *                  If \p type is not a public key or a key pair, | 
|  | 423 | *                  the return value is undefined. | 
|  | 424 | */ | 
|  | 425 | #define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type)        \ | 
|  | 426 | ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) | 
| Gilles Peskine | e877974 | 2018-08-10 16:10:56 +0200 | [diff] [blame] | 427 |  | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 428 | /** Raw data. | 
|  | 429 | * | 
|  | 430 | * A "key" of this type cannot be used for any cryptographic operation. | 
|  | 431 | * Applications may use this type to store arbitrary data in the keystore. */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 432 | #define PSA_KEY_TYPE_RAW_DATA                   ((psa_key_type_t)0x50000001) | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 433 |  | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 434 | /** HMAC key. | 
|  | 435 | * | 
|  | 436 | * The key policy determines which underlying hash algorithm the key can be | 
|  | 437 | * used for. | 
|  | 438 | * | 
|  | 439 | * HMAC keys should generally have the same size as the underlying hash. | 
| Gilles Peskine | be42f31 | 2018-07-13 14:38:15 +0200 | [diff] [blame] | 440 | * This size can be calculated with #PSA_HASH_SIZE(\c alg) where | 
|  | 441 | * \c alg is the HMAC algorithm or the underlying hash algorithm. */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 442 | #define PSA_KEY_TYPE_HMAC                       ((psa_key_type_t)0x51000000) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 443 |  | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 444 | /** A secret for key derivation. | 
|  | 445 | * | 
|  | 446 | * The key policy determines which key derivation algorithm the key | 
|  | 447 | * can be used for. | 
|  | 448 | */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 449 | #define PSA_KEY_TYPE_DERIVE                     ((psa_key_type_t)0x52000000) | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 450 |  | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 451 | /** Key for an cipher, AEAD or MAC algorithm based on the AES block cipher. | 
|  | 452 | * | 
|  | 453 | * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or | 
|  | 454 | * 32 bytes (AES-256). | 
|  | 455 | */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 456 | #define PSA_KEY_TYPE_AES                        ((psa_key_type_t)0x40000001) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 457 |  | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 458 | /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES). | 
|  | 459 | * | 
|  | 460 | * The size of the key can be 8 bytes (single DES), 16 bytes (2-key 3DES) or | 
|  | 461 | * 24 bytes (3-key 3DES). | 
|  | 462 | * | 
|  | 463 | * Note that single DES and 2-key 3DES are weak and strongly | 
|  | 464 | * deprecated and should only be used to decrypt legacy data. 3-key 3DES | 
|  | 465 | * is weak and deprecated and should only be used in legacy protocols. | 
|  | 466 | */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 467 | #define PSA_KEY_TYPE_DES                        ((psa_key_type_t)0x40000002) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 468 |  | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 469 | /** Key for an cipher, AEAD or MAC algorithm based on the | 
|  | 470 | * Camellia block cipher. */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 471 | #define PSA_KEY_TYPE_CAMELLIA                   ((psa_key_type_t)0x40000003) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 472 |  | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 473 | /** Key for the RC4 stream cipher. | 
|  | 474 | * | 
|  | 475 | * Note that RC4 is weak and deprecated and should only be used in | 
|  | 476 | * legacy protocols. */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 477 | #define PSA_KEY_TYPE_ARC4                       ((psa_key_type_t)0x40000004) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 478 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 479 | /** RSA public key. */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 480 | #define PSA_KEY_TYPE_RSA_PUBLIC_KEY             ((psa_key_type_t)0x60010000) | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 481 | /** RSA key pair (private and public key). */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 482 | #define PSA_KEY_TYPE_RSA_KEYPAIR                ((psa_key_type_t)0x70010000) | 
| Gilles Peskine | 583b55d | 2018-08-22 18:21:32 +0200 | [diff] [blame] | 483 | /** Whether a key type is an RSA key (pair or public-only). */ | 
|  | 484 | #define PSA_KEY_TYPE_IS_RSA(type)                                       \ | 
|  | 485 | (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 486 |  | 
| Gilles Peskine | 06dc263 | 2018-03-08 07:47:25 +0100 | [diff] [blame] | 487 | /** DSA public key. */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 488 | #define PSA_KEY_TYPE_DSA_PUBLIC_KEY             ((psa_key_type_t)0x60020000) | 
| Gilles Peskine | 06dc263 | 2018-03-08 07:47:25 +0100 | [diff] [blame] | 489 | /** DSA key pair (private and public key). */ | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 490 | #define PSA_KEY_TYPE_DSA_KEYPAIR                ((psa_key_type_t)0x70020000) | 
| Gilles Peskine | 583b55d | 2018-08-22 18:21:32 +0200 | [diff] [blame] | 491 | /** Whether a key type is an DSA key (pair or public-only). */ | 
|  | 492 | #define PSA_KEY_TYPE_IS_DSA(type)                                       \ | 
|  | 493 | (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 494 |  | 
| Gilles Peskine | 78b3bb6 | 2018-08-10 16:03:41 +0200 | [diff] [blame] | 495 | #define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE        ((psa_key_type_t)0x60030000) | 
|  | 496 | #define PSA_KEY_TYPE_ECC_KEYPAIR_BASE           ((psa_key_type_t)0x70030000) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 497 | #define PSA_KEY_TYPE_ECC_CURVE_MASK             ((psa_key_type_t)0x0000ffff) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 498 | /** Elliptic curve key pair. */ | 
| Gilles Peskine | 06dc263 | 2018-03-08 07:47:25 +0100 | [diff] [blame] | 499 | #define PSA_KEY_TYPE_ECC_KEYPAIR(curve)         \ | 
|  | 500 | (PSA_KEY_TYPE_ECC_KEYPAIR_BASE | (curve)) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 501 | /** Elliptic curve public key. */ | 
| Gilles Peskine | 06dc263 | 2018-03-08 07:47:25 +0100 | [diff] [blame] | 502 | #define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve)              \ | 
|  | 503 | (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve)) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 504 |  | 
| Gilles Peskine | d8008d6 | 2018-06-29 19:51:51 +0200 | [diff] [blame] | 505 | /** Whether a key type is an elliptic curve key (pair or public-only). */ | 
| Gilles Peskine | c66ea6a | 2018-02-03 22:43:28 +0100 | [diff] [blame] | 506 | #define PSA_KEY_TYPE_IS_ECC(type)                                       \ | 
| Gilles Peskine | 06dc263 | 2018-03-08 07:47:25 +0100 | [diff] [blame] | 507 | ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(type) &                        \ | 
|  | 508 | ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE) | 
| Gilles Peskine | 55728b0 | 2018-07-16 23:08:16 +0200 | [diff] [blame] | 509 | #define PSA_KEY_TYPE_IS_ECC_KEYPAIR(type)                               \ | 
|  | 510 | (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) ==                         \ | 
|  | 511 | PSA_KEY_TYPE_ECC_KEYPAIR_BASE) | 
|  | 512 | #define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type)                            \ | 
|  | 513 | (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) ==                         \ | 
|  | 514 | PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE) | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 515 |  | 
| Gilles Peskine | e1fed0d | 2018-06-18 20:45:45 +0200 | [diff] [blame] | 516 | /** The type of PSA elliptic curve identifiers. */ | 
|  | 517 | typedef uint16_t psa_ecc_curve_t; | 
|  | 518 | /** Extract the curve from an elliptic curve key type. */ | 
|  | 519 | #define PSA_KEY_TYPE_GET_CURVE(type)                             \ | 
|  | 520 | ((psa_ecc_curve_t) (PSA_KEY_TYPE_IS_ECC(type) ?              \ | 
|  | 521 | ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \ | 
|  | 522 | 0)) | 
|  | 523 |  | 
|  | 524 | /* The encoding of curve identifiers is currently aligned with the | 
|  | 525 | * TLS Supported Groups Registry (formerly known as the | 
|  | 526 | * TLS EC Named Curve Registry) | 
|  | 527 | * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 | 
| Gilles Peskine | 70ce2c6 | 2018-08-22 18:21:57 +0200 | [diff] [blame] | 528 | * The values are defined by RFC 8422 and RFC 7027. */ | 
| Gilles Peskine | e1fed0d | 2018-06-18 20:45:45 +0200 | [diff] [blame] | 529 | #define PSA_ECC_CURVE_SECT163K1         ((psa_ecc_curve_t) 0x0001) | 
|  | 530 | #define PSA_ECC_CURVE_SECT163R1         ((psa_ecc_curve_t) 0x0002) | 
|  | 531 | #define PSA_ECC_CURVE_SECT163R2         ((psa_ecc_curve_t) 0x0003) | 
|  | 532 | #define PSA_ECC_CURVE_SECT193R1         ((psa_ecc_curve_t) 0x0004) | 
|  | 533 | #define PSA_ECC_CURVE_SECT193R2         ((psa_ecc_curve_t) 0x0005) | 
|  | 534 | #define PSA_ECC_CURVE_SECT233K1         ((psa_ecc_curve_t) 0x0006) | 
|  | 535 | #define PSA_ECC_CURVE_SECT233R1         ((psa_ecc_curve_t) 0x0007) | 
|  | 536 | #define PSA_ECC_CURVE_SECT239K1         ((psa_ecc_curve_t) 0x0008) | 
|  | 537 | #define PSA_ECC_CURVE_SECT283K1         ((psa_ecc_curve_t) 0x0009) | 
|  | 538 | #define PSA_ECC_CURVE_SECT283R1         ((psa_ecc_curve_t) 0x000a) | 
|  | 539 | #define PSA_ECC_CURVE_SECT409K1         ((psa_ecc_curve_t) 0x000b) | 
|  | 540 | #define PSA_ECC_CURVE_SECT409R1         ((psa_ecc_curve_t) 0x000c) | 
|  | 541 | #define PSA_ECC_CURVE_SECT571K1         ((psa_ecc_curve_t) 0x000d) | 
|  | 542 | #define PSA_ECC_CURVE_SECT571R1         ((psa_ecc_curve_t) 0x000e) | 
|  | 543 | #define PSA_ECC_CURVE_SECP160K1         ((psa_ecc_curve_t) 0x000f) | 
|  | 544 | #define PSA_ECC_CURVE_SECP160R1         ((psa_ecc_curve_t) 0x0010) | 
|  | 545 | #define PSA_ECC_CURVE_SECP160R2         ((psa_ecc_curve_t) 0x0011) | 
|  | 546 | #define PSA_ECC_CURVE_SECP192K1         ((psa_ecc_curve_t) 0x0012) | 
|  | 547 | #define PSA_ECC_CURVE_SECP192R1         ((psa_ecc_curve_t) 0x0013) | 
|  | 548 | #define PSA_ECC_CURVE_SECP224K1         ((psa_ecc_curve_t) 0x0014) | 
|  | 549 | #define PSA_ECC_CURVE_SECP224R1         ((psa_ecc_curve_t) 0x0015) | 
|  | 550 | #define PSA_ECC_CURVE_SECP256K1         ((psa_ecc_curve_t) 0x0016) | 
|  | 551 | #define PSA_ECC_CURVE_SECP256R1         ((psa_ecc_curve_t) 0x0017) | 
|  | 552 | #define PSA_ECC_CURVE_SECP384R1         ((psa_ecc_curve_t) 0x0018) | 
|  | 553 | #define PSA_ECC_CURVE_SECP521R1         ((psa_ecc_curve_t) 0x0019) | 
|  | 554 | #define PSA_ECC_CURVE_BRAINPOOL_P256R1  ((psa_ecc_curve_t) 0x001a) | 
|  | 555 | #define PSA_ECC_CURVE_BRAINPOOL_P384R1  ((psa_ecc_curve_t) 0x001b) | 
|  | 556 | #define PSA_ECC_CURVE_BRAINPOOL_P512R1  ((psa_ecc_curve_t) 0x001c) | 
|  | 557 | #define PSA_ECC_CURVE_CURVE25519        ((psa_ecc_curve_t) 0x001d) | 
|  | 558 | #define PSA_ECC_CURVE_CURVE448          ((psa_ecc_curve_t) 0x001e) | 
| Gilles Peskine | e1fed0d | 2018-06-18 20:45:45 +0200 | [diff] [blame] | 559 |  | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 560 | /** The block size of a block cipher. | 
|  | 561 | * | 
|  | 562 | * \param type  A cipher key type (value of type #psa_key_type_t). | 
|  | 563 | * | 
|  | 564 | * \return      The block size for a block cipher, or 1 for a stream cipher. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 565 | *              The return value is undefined if \p type is not a supported | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 566 | *              cipher key type. | 
|  | 567 | * | 
|  | 568 | * \note It is possible to build stream cipher algorithms on top of a block | 
|  | 569 | *       cipher, for example CTR mode (#PSA_ALG_CTR). | 
|  | 570 | *       This macro only takes the key type into account, so it cannot be | 
|  | 571 | *       used to determine the size of the data that #psa_cipher_update() | 
|  | 572 | *       might buffer for future processing in general. | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 573 | * | 
|  | 574 | * \note This macro returns a compile-time constant if its argument is one. | 
|  | 575 | * | 
|  | 576 | * \warning This macro may evaluate its argument multiple times. | 
|  | 577 | */ | 
| Gilles Peskine | 03182e9 | 2018-03-07 16:40:52 +0100 | [diff] [blame] | 578 | #define PSA_BLOCK_CIPHER_BLOCK_SIZE(type)            \ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 579 | (                                                \ | 
|  | 580 | (type) == PSA_KEY_TYPE_AES ? 16 :            \ | 
|  | 581 | (type) == PSA_KEY_TYPE_DES ? 8 :             \ | 
|  | 582 | (type) == PSA_KEY_TYPE_CAMELLIA ? 16 :       \ | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 583 | (type) == PSA_KEY_TYPE_ARC4 ? 1 :            \ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 584 | 0) | 
|  | 585 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 586 | /** \brief Encoding of a cryptographic algorithm. | 
|  | 587 | * | 
|  | 588 | * For algorithms that can be applied to multiple key types, this type | 
|  | 589 | * does not encode the key type. For example, for symmetric ciphers | 
|  | 590 | * based on a block cipher, #psa_algorithm_t encodes the block cipher | 
|  | 591 | * mode and the padding mode while the block cipher itself is encoded | 
|  | 592 | * via #psa_key_type_t. | 
|  | 593 | */ | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 594 | typedef uint32_t psa_algorithm_t; | 
|  | 595 |  | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 596 | #define PSA_ALG_VENDOR_FLAG                     ((psa_algorithm_t)0x80000000) | 
|  | 597 | #define PSA_ALG_CATEGORY_MASK                   ((psa_algorithm_t)0x7f000000) | 
|  | 598 | #define PSA_ALG_CATEGORY_HASH                   ((psa_algorithm_t)0x01000000) | 
|  | 599 | #define PSA_ALG_CATEGORY_MAC                    ((psa_algorithm_t)0x02000000) | 
|  | 600 | #define PSA_ALG_CATEGORY_CIPHER                 ((psa_algorithm_t)0x04000000) | 
|  | 601 | #define PSA_ALG_CATEGORY_AEAD                   ((psa_algorithm_t)0x06000000) | 
|  | 602 | #define PSA_ALG_CATEGORY_SIGN                   ((psa_algorithm_t)0x10000000) | 
|  | 603 | #define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION  ((psa_algorithm_t)0x12000000) | 
|  | 604 | #define PSA_ALG_CATEGORY_KEY_AGREEMENT          ((psa_algorithm_t)0x22000000) | 
|  | 605 | #define PSA_ALG_CATEGORY_KEY_DERIVATION         ((psa_algorithm_t)0x30000000) | 
| Gilles Peskine | e8f0e3d | 2018-09-18 11:52:10 +0200 | [diff] [blame] | 606 | #define PSA_ALG_CATEGORY_KEY_SELECTION          ((psa_algorithm_t)0x31000000) | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 607 |  | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 608 | #define PSA_ALG_IS_VENDOR_DEFINED(alg)                                  \ | 
|  | 609 | (((alg) & PSA_ALG_VENDOR_FLAG) != 0) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 610 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 611 | /** Whether the specified algorithm is a hash algorithm. | 
|  | 612 | * | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 613 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 614 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 615 | * \return 1 if \p alg is a hash algorithm, 0 otherwise. | 
|  | 616 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 617 | *         algorithm identifier. | 
|  | 618 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 619 | #define PSA_ALG_IS_HASH(alg)                                            \ | 
|  | 620 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 621 |  | 
|  | 622 | /** Whether the specified algorithm is a MAC algorithm. | 
|  | 623 | * | 
|  | 624 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 625 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 626 | * \return 1 if \p alg is a MAC algorithm, 0 otherwise. | 
|  | 627 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 628 | *         algorithm identifier. | 
|  | 629 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 630 | #define PSA_ALG_IS_MAC(alg)                                             \ | 
|  | 631 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 632 |  | 
|  | 633 | /** Whether the specified algorithm is a symmetric cipher algorithm. | 
|  | 634 | * | 
|  | 635 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 636 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 637 | * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise. | 
|  | 638 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 639 | *         algorithm identifier. | 
|  | 640 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 641 | #define PSA_ALG_IS_CIPHER(alg)                                          \ | 
|  | 642 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 643 |  | 
|  | 644 | /** Whether the specified algorithm is an authenticated encryption | 
|  | 645 | * with associated data (AEAD) algorithm. | 
|  | 646 | * | 
|  | 647 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 648 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 649 | * \return 1 if \p alg is an AEAD algorithm, 0 otherwise. | 
|  | 650 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 651 | *         algorithm identifier. | 
|  | 652 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 653 | #define PSA_ALG_IS_AEAD(alg)                                            \ | 
|  | 654 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 655 |  | 
|  | 656 | /** Whether the specified algorithm is a public-key signature algorithm. | 
|  | 657 | * | 
|  | 658 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 659 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 660 | * \return 1 if \p alg is a public-key signature algorithm, 0 otherwise. | 
|  | 661 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 662 | *         algorithm identifier. | 
|  | 663 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 664 | #define PSA_ALG_IS_SIGN(alg)                                            \ | 
|  | 665 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 666 |  | 
|  | 667 | /** Whether the specified algorithm is a public-key encryption algorithm. | 
|  | 668 | * | 
|  | 669 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 670 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 671 | * \return 1 if \p alg is a public-key encryption algorithm, 0 otherwise. | 
|  | 672 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 673 | *         algorithm identifier. | 
|  | 674 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 675 | #define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg)                           \ | 
|  | 676 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 677 |  | 
| Gilles Peskine | e8f0e3d | 2018-09-18 11:52:10 +0200 | [diff] [blame] | 678 | #define PSA_ALG_KEY_SELECTION_FLAG              ((psa_algorithm_t)0x01000000) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 679 | /** Whether the specified algorithm is a key agreement algorithm. | 
|  | 680 | * | 
|  | 681 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 682 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 683 | * \return 1 if \p alg is a key agreement algorithm, 0 otherwise. | 
|  | 684 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 685 | *         algorithm identifier. | 
|  | 686 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 687 | #define PSA_ALG_IS_KEY_AGREEMENT(alg)                                   \ | 
| Gilles Peskine | e8f0e3d | 2018-09-18 11:52:10 +0200 | [diff] [blame] | 688 | (((alg) & PSA_ALG_CATEGORY_MASK & ~PSA_ALG_KEY_SELECTION_FLAG) ==   \ | 
|  | 689 | PSA_ALG_CATEGORY_KEY_AGREEMENT) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 690 |  | 
|  | 691 | /** Whether the specified algorithm is a key derivation algorithm. | 
|  | 692 | * | 
|  | 693 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 694 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 695 | * \return 1 if \p alg is a key derivation algorithm, 0 otherwise. | 
|  | 696 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 697 | *         algorithm identifier. | 
|  | 698 | */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 699 | #define PSA_ALG_IS_KEY_DERIVATION(alg)                                  \ | 
|  | 700 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION) | 
|  | 701 |  | 
| Gilles Peskine | e8f0e3d | 2018-09-18 11:52:10 +0200 | [diff] [blame] | 702 | /** Whether the specified algorithm is a key selection algorithm. | 
|  | 703 | * | 
|  | 704 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 705 | * | 
|  | 706 | * \return 1 if \p alg is a key selection algorithm, 0 otherwise. | 
|  | 707 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
|  | 708 | *         algorithm identifier. | 
|  | 709 | */ | 
|  | 710 | #define PSA_ALG_IS_KEY_SELECTION(alg)                                   \ | 
|  | 711 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_SELECTION) | 
|  | 712 |  | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 713 | #define PSA_ALG_HASH_MASK                       ((psa_algorithm_t)0x000000ff) | 
|  | 714 | #define PSA_ALG_MD2                             ((psa_algorithm_t)0x01000001) | 
|  | 715 | #define PSA_ALG_MD4                             ((psa_algorithm_t)0x01000002) | 
|  | 716 | #define PSA_ALG_MD5                             ((psa_algorithm_t)0x01000003) | 
| Gilles Peskine | e3f694f | 2018-03-08 07:48:40 +0100 | [diff] [blame] | 717 | #define PSA_ALG_RIPEMD160                       ((psa_algorithm_t)0x01000004) | 
|  | 718 | #define PSA_ALG_SHA_1                           ((psa_algorithm_t)0x01000005) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 719 | /** SHA2-224 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 720 | #define PSA_ALG_SHA_224                         ((psa_algorithm_t)0x01000008) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 721 | /** SHA2-256 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 722 | #define PSA_ALG_SHA_256                         ((psa_algorithm_t)0x01000009) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 723 | /** SHA2-384 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 724 | #define PSA_ALG_SHA_384                         ((psa_algorithm_t)0x0100000a) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 725 | /** SHA2-512 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 726 | #define PSA_ALG_SHA_512                         ((psa_algorithm_t)0x0100000b) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 727 | /** SHA2-512/224 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 728 | #define PSA_ALG_SHA_512_224                     ((psa_algorithm_t)0x0100000c) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 729 | /** SHA2-512/256 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 730 | #define PSA_ALG_SHA_512_256                     ((psa_algorithm_t)0x0100000d) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 731 | /** SHA3-224 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 732 | #define PSA_ALG_SHA3_224                        ((psa_algorithm_t)0x01000010) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 733 | /** SHA3-256 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 734 | #define PSA_ALG_SHA3_256                        ((psa_algorithm_t)0x01000011) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 735 | /** SHA3-384 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 736 | #define PSA_ALG_SHA3_384                        ((psa_algorithm_t)0x01000012) | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 737 | /** SHA3-512 */ | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 738 | #define PSA_ALG_SHA3_512                        ((psa_algorithm_t)0x01000013) | 
|  | 739 |  | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 740 | #define PSA_ALG_MAC_SUBCATEGORY_MASK            ((psa_algorithm_t)0x00c00000) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 741 | #define PSA_ALG_HMAC_BASE                       ((psa_algorithm_t)0x02800000) | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 742 | /** Macro to build an HMAC algorithm. | 
|  | 743 | * | 
| Gilles Peskine | dda3bd3 | 2018-07-12 19:40:46 +0200 | [diff] [blame] | 744 | * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256. | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 745 | * | 
| Gilles Peskine | ea4469f | 2018-06-28 13:57:23 +0200 | [diff] [blame] | 746 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 747 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 748 | * | 
| Gilles Peskine | ea4469f | 2018-06-28 13:57:23 +0200 | [diff] [blame] | 749 | * \return              The corresponding HMAC algorithm. | 
|  | 750 | * \return              Unspecified if \p alg is not a supported | 
|  | 751 | *                      hash algorithm. | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 752 | */ | 
|  | 753 | #define PSA_ALG_HMAC(hash_alg)                                  \ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 754 | (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 755 |  | 
| Gilles Peskine | 00709fa | 2018-08-22 18:25:41 +0200 | [diff] [blame] | 756 | #define PSA_ALG_HMAC_GET_HASH(hmac_alg)                             \ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 757 | (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK)) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 758 |  | 
|  | 759 | /** Whether the specified algorithm is an HMAC algorithm. | 
|  | 760 | * | 
|  | 761 | * HMAC is a family of MAC algorithms that are based on a hash function. | 
|  | 762 | * | 
|  | 763 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 764 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 765 | * \return 1 if \p alg is an HMAC algorithm, 0 otherwise. | 
|  | 766 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 767 | *         algorithm identifier. | 
|  | 768 | */ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 769 | #define PSA_ALG_IS_HMAC(alg)                                            \ | 
|  | 770 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \ | 
|  | 771 | PSA_ALG_HMAC_BASE) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 772 |  | 
| Gilles Peskine | e1f2d7d | 2018-08-21 14:54:54 +0200 | [diff] [blame] | 773 | /* In the encoding of a MAC algorithm, the bits corresponding to | 
|  | 774 | * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is | 
|  | 775 | * truncated. As an exception, the value 0 means the untruncated algorithm, | 
|  | 776 | * whatever its length is. The length is encoded in 6 bits, so it can | 
|  | 777 | * reach up to 63; the largest MAC is 64 bytes so its trivial truncation | 
|  | 778 | * to full length is correctly encoded as 0 and any non-trivial truncation | 
|  | 779 | * is correctly encoded as a value between 1 and 63. */ | 
| Gilles Peskine | d911eb7 | 2018-08-14 15:18:45 +0200 | [diff] [blame] | 780 | #define PSA_ALG_MAC_TRUNCATION_MASK             ((psa_algorithm_t)0x00003f00) | 
|  | 781 | #define PSA_MAC_TRUNCATION_OFFSET 8 | 
|  | 782 |  | 
|  | 783 | /** Macro to build a truncated MAC algorithm. | 
|  | 784 | * | 
|  | 785 | * A truncated MAC algorithm is identical to the corresponding MAC | 
|  | 786 | * algorithm except that the MAC value for the truncated algorithm | 
|  | 787 | * consists of only the first \p mac_length bytes of the MAC value | 
|  | 788 | * for the untruncated algorithm. | 
|  | 789 | * | 
|  | 790 | * \note    This macro may allow constructing algorithm identifiers that | 
|  | 791 | *          are not valid, either because the specified length is larger | 
|  | 792 | *          than the untruncated MAC or because the specified length is | 
|  | 793 | *          smaller than permitted by the implementation. | 
|  | 794 | * | 
|  | 795 | * \note    It is implementation-defined whether a truncated MAC that | 
|  | 796 | *          is truncated to the same length as the MAC of the untruncated | 
|  | 797 | *          algorithm is considered identical to the untruncated algorithm | 
|  | 798 | *          for policy comparison purposes. | 
|  | 799 | * | 
|  | 800 | * \param alg           A MAC algorithm identifier (value of type | 
|  | 801 | *                      #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) | 
|  | 802 | *                      is true). This may be a truncated or untruncated | 
|  | 803 | *                      MAC algorithm. | 
|  | 804 | * \param mac_length    Desired length of the truncated MAC in bytes. | 
| Gilles Peskine | 6d72ff9 | 2018-08-21 14:55:08 +0200 | [diff] [blame] | 805 | *                      This must be at most the full length of the MAC | 
|  | 806 | *                      and must be at least an implementation-specified | 
|  | 807 | *                      minimum. The implementation-specified minimum | 
|  | 808 | *                      shall not be zero. | 
| Gilles Peskine | d911eb7 | 2018-08-14 15:18:45 +0200 | [diff] [blame] | 809 | * | 
|  | 810 | * \return              The corresponding MAC algorithm with the specified | 
|  | 811 | *                      length. | 
|  | 812 | * \return              Unspecified if \p alg is not a supported | 
|  | 813 | *                      MAC algorithm or if \p mac_length is too small or | 
|  | 814 | *                      too large for the specified MAC algorithm. | 
|  | 815 | */ | 
|  | 816 | #define PSA_ALG_TRUNCATED_MAC(alg, mac_length)                          \ | 
|  | 817 | (((alg) & ~PSA_ALG_MAC_TRUNCATION_MASK) |                           \ | 
|  | 818 | ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK)) | 
|  | 819 |  | 
| Gilles Peskine | e0e9c7c | 2018-10-17 18:28:05 +0200 | [diff] [blame] | 820 | /** Macro to build the base MAC algorithm corresponding to a truncated | 
|  | 821 | * MAC algorithm. | 
|  | 822 | * | 
|  | 823 | * \param alg           A MAC algorithm identifier (value of type | 
|  | 824 | *                      #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) | 
|  | 825 | *                      is true). This may be a truncated or untruncated | 
|  | 826 | *                      MAC algorithm. | 
|  | 827 | * | 
|  | 828 | * \return              The corresponding base MAC algorithm. | 
|  | 829 | * \return              Unspecified if \p alg is not a supported | 
|  | 830 | *                      MAC algorithm. | 
|  | 831 | */ | 
|  | 832 | #define PSA_ALG_FULL_LENGTH_MAC(alg)            \ | 
|  | 833 | ((alg) & ~PSA_ALG_MAC_TRUNCATION_MASK) | 
|  | 834 |  | 
| Gilles Peskine | d911eb7 | 2018-08-14 15:18:45 +0200 | [diff] [blame] | 835 | /** Length to which a MAC algorithm is truncated. | 
|  | 836 | * | 
|  | 837 | * \param alg           A MAC algorithm identifier (value of type | 
|  | 838 | *                      #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) | 
|  | 839 | *                      is true). | 
|  | 840 | * | 
|  | 841 | * \return              Length of the truncated MAC in bytes. | 
|  | 842 | * \return              0 if \p alg is a non-truncated MAC algorithm. | 
|  | 843 | * \return              Unspecified if \p alg is not a supported | 
|  | 844 | *                      MAC algorithm. | 
|  | 845 | */ | 
|  | 846 | #define PSA_MAC_TRUNCATED_LENGTH(alg)           \ | 
|  | 847 | (((alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET) | 
|  | 848 |  | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 849 | #define PSA_ALG_CIPHER_MAC_BASE                 ((psa_algorithm_t)0x02c00000) | 
|  | 850 | #define PSA_ALG_CBC_MAC                         ((psa_algorithm_t)0x02c00001) | 
|  | 851 | #define PSA_ALG_CMAC                            ((psa_algorithm_t)0x02c00002) | 
|  | 852 | #define PSA_ALG_GMAC                            ((psa_algorithm_t)0x02c00003) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 853 |  | 
|  | 854 | /** Whether the specified algorithm is a MAC algorithm based on a block cipher. | 
|  | 855 | * | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 856 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 857 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 858 | * \return 1 if \p alg is a MAC algorithm based on a block cipher, 0 otherwise. | 
|  | 859 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 860 | *         algorithm identifier. | 
|  | 861 | */ | 
| Gilles Peskine | 9df2dc8 | 2018-08-22 18:24:17 +0200 | [diff] [blame] | 862 | #define PSA_ALG_IS_BLOCK_CIPHER_MAC(alg)                                \ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 863 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \ | 
|  | 864 | PSA_ALG_CIPHER_MAC_BASE) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 865 |  | 
| Gilles Peskine | daea26f | 2018-08-21 14:02:45 +0200 | [diff] [blame] | 866 | #define PSA_ALG_CIPHER_STREAM_FLAG              ((psa_algorithm_t)0x00800000) | 
|  | 867 | #define PSA_ALG_CIPHER_FROM_BLOCK_FLAG          ((psa_algorithm_t)0x00400000) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 868 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 869 | /** Whether the specified algorithm is a stream cipher. | 
|  | 870 | * | 
|  | 871 | * A stream cipher is a symmetric cipher that encrypts or decrypts messages | 
|  | 872 | * by applying a bitwise-xor with a stream of bytes that is generated | 
|  | 873 | * from a key. | 
|  | 874 | * | 
|  | 875 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 876 | * | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 877 | * \return 1 if \p alg is a stream cipher algorithm, 0 otherwise. | 
|  | 878 | *         This macro may return either 0 or 1 if \p alg is not a supported | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 879 | *         algorithm identifier or if it is not a symmetric cipher algorithm. | 
|  | 880 | */ | 
| Moran Peker | bed71a2 | 2018-04-22 20:19:20 +0300 | [diff] [blame] | 881 | #define PSA_ALG_IS_STREAM_CIPHER(alg)            \ | 
| Gilles Peskine | daea26f | 2018-08-21 14:02:45 +0200 | [diff] [blame] | 882 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \ | 
|  | 883 | (PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG)) | 
|  | 884 |  | 
|  | 885 | /** The ARC4 stream cipher algorithm. | 
|  | 886 | */ | 
|  | 887 | #define PSA_ALG_ARC4                            ((psa_algorithm_t)0x04800001) | 
|  | 888 |  | 
|  | 889 | /** The CTR stream cipher mode. | 
|  | 890 | * | 
|  | 891 | * CTR is a stream cipher which is built from a block cipher. | 
|  | 892 | * The underlying block cipher is determined by the key type. | 
|  | 893 | * For example, to use AES-128-CTR, use this algorithm with | 
|  | 894 | * a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes). | 
|  | 895 | */ | 
|  | 896 | #define PSA_ALG_CTR                             ((psa_algorithm_t)0x04c00001) | 
|  | 897 |  | 
|  | 898 | #define PSA_ALG_CFB                             ((psa_algorithm_t)0x04c00002) | 
|  | 899 |  | 
|  | 900 | #define PSA_ALG_OFB                             ((psa_algorithm_t)0x04c00003) | 
|  | 901 |  | 
|  | 902 | /** The XTS cipher mode. | 
|  | 903 | * | 
|  | 904 | * XTS is a cipher mode which is built from a block cipher. It requires at | 
|  | 905 | * least one full block of input, but beyond this minimum the input | 
|  | 906 | * does not need to be a whole number of blocks. | 
|  | 907 | */ | 
|  | 908 | #define PSA_ALG_XTS                             ((psa_algorithm_t)0x044000ff) | 
|  | 909 |  | 
|  | 910 | /** The CBC block cipher chaining mode, with no padding. | 
|  | 911 | * | 
|  | 912 | * The underlying block cipher is determined by the key type. | 
|  | 913 | * | 
|  | 914 | * This symmetric cipher mode can only be used with messages whose lengths | 
|  | 915 | * are whole number of blocks for the chosen block cipher. | 
|  | 916 | */ | 
|  | 917 | #define PSA_ALG_CBC_NO_PADDING                  ((psa_algorithm_t)0x04600100) | 
|  | 918 |  | 
|  | 919 | /** The CBC block cipher chaining mode with PKCS#7 padding. | 
|  | 920 | * | 
|  | 921 | * The underlying block cipher is determined by the key type. | 
|  | 922 | * | 
|  | 923 | * This is the padding method defined by PKCS#7 (RFC 2315) §10.3. | 
|  | 924 | */ | 
|  | 925 | #define PSA_ALG_CBC_PKCS7                       ((psa_algorithm_t)0x04600101) | 
| Moran Peker | bed71a2 | 2018-04-22 20:19:20 +0300 | [diff] [blame] | 926 |  | 
| Gilles Peskine | 23cc2ff | 2018-08-17 19:47:52 +0200 | [diff] [blame] | 927 | #define PSA_ALG_CCM                             ((psa_algorithm_t)0x06001001) | 
|  | 928 | #define PSA_ALG_GCM                             ((psa_algorithm_t)0x06001002) | 
|  | 929 |  | 
| Gilles Peskine | e1f2d7d | 2018-08-21 14:54:54 +0200 | [diff] [blame] | 930 | /* In the encoding of a AEAD algorithm, the bits corresponding to | 
|  | 931 | * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag. | 
|  | 932 | * The constants for default lengths follow this encoding. | 
|  | 933 | */ | 
| Gilles Peskine | 23cc2ff | 2018-08-17 19:47:52 +0200 | [diff] [blame] | 934 | #define PSA_ALG_AEAD_TAG_LENGTH_MASK            ((psa_algorithm_t)0x00003f00) | 
|  | 935 | #define PSA_AEAD_TAG_LENGTH_OFFSET 8 | 
|  | 936 |  | 
|  | 937 | /** Macro to build a shortened AEAD algorithm. | 
|  | 938 | * | 
|  | 939 | * A shortened AEAD algorithm is similar to the corresponding AEAD | 
|  | 940 | * algorithm, but has an authentication tag that consists of fewer bytes. | 
|  | 941 | * Depending on the algorithm, the tag length may affect the calculation | 
|  | 942 | * of the ciphertext. | 
|  | 943 | * | 
|  | 944 | * \param alg           A AEAD algorithm identifier (value of type | 
|  | 945 | *                      #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p alg) | 
|  | 946 | *                      is true). | 
| Gilles Peskine | 3111981 | 2018-08-21 14:47:48 +0200 | [diff] [blame] | 947 | * \param tag_length    Desired length of the authentication tag in bytes. | 
| Gilles Peskine | 23cc2ff | 2018-08-17 19:47:52 +0200 | [diff] [blame] | 948 | * | 
|  | 949 | * \return              The corresponding AEAD algorithm with the specified | 
|  | 950 | *                      length. | 
|  | 951 | * \return              Unspecified if \p alg is not a supported | 
|  | 952 | *                      AEAD algorithm or if \p tag_length is not valid | 
|  | 953 | *                      for the specified AEAD algorithm. | 
|  | 954 | */ | 
|  | 955 | #define PSA_ALG_AEAD_WITH_TAG_LENGTH(alg, tag_length)                   \ | 
|  | 956 | (((alg) & ~PSA_ALG_AEAD_TAG_LENGTH_MASK) |                          \ | 
|  | 957 | ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET &                      \ | 
|  | 958 | PSA_ALG_AEAD_TAG_LENGTH_MASK)) | 
| Gilles Peskine | 98f0a24 | 2018-02-06 18:57:29 +0100 | [diff] [blame] | 959 |  | 
| Gilles Peskine | 70f46e1 | 2018-08-20 15:07:53 +0200 | [diff] [blame] | 960 | /** Calculate the corresponding AEAD algorithm with the default tag length. | 
|  | 961 | * | 
|  | 962 | * \param alg   An AEAD algorithm (\c PSA_ALG_XXX value such that | 
|  | 963 | *              #PSA_ALG_IS_AEAD(\p alg) is true). | 
|  | 964 | * | 
|  | 965 | * \return      The corresponding AEAD algorithm with the default tag length | 
|  | 966 | *              for that algorithm. | 
|  | 967 | */ | 
|  | 968 | #define PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH(alg)                       \ | 
|  | 969 | (                                                                   \ | 
|  | 970 | PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(alg, PSA_ALG_CCM)   \ | 
|  | 971 | PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(alg, PSA_ALG_GCM)   \ | 
|  | 972 | 0) | 
|  | 973 | #define PSA__ALG_AEAD_WITH_DEFAULT_TAG_LENGTH__CASE(alg, ref) \ | 
|  | 974 | PSA_ALG_AEAD_WITH_TAG_LENGTH(alg, 0) == \ | 
|  | 975 | PSA_ALG_AEAD_WITH_TAG_LENGTH(ref, 0) ?  \ | 
|  | 976 | ref : | 
|  | 977 |  | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 978 | #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE          ((psa_algorithm_t)0x10020000) | 
|  | 979 | /** RSA PKCS#1 v1.5 signature with hashing. | 
|  | 980 | * | 
|  | 981 | * This is the signature scheme defined by RFC 8017 | 
|  | 982 | * (PKCS#1: RSA Cryptography Specifications) under the name | 
|  | 983 | * RSASSA-PKCS1-v1_5. | 
|  | 984 | * | 
|  | 985 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 986 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 987 | * | 
|  | 988 | * \return              The corresponding RSA PKCS#1 v1.5 signature algorithm. | 
|  | 989 | * \return              Unspecified if \p alg is not a supported | 
|  | 990 | *                      hash algorithm. | 
|  | 991 | */ | 
| Gilles Peskine | a592623 | 2018-03-28 14:16:50 +0200 | [diff] [blame] | 992 | #define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)                             \ | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 993 | (PSA_ALG_RSA_PKCS1V15_SIGN_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 994 | /** Raw PKCS#1 v1.5 signature. | 
|  | 995 | * | 
|  | 996 | * The input to this algorithm is the DigestInfo structure used by | 
|  | 997 | * RFC 8017 (PKCS#1: RSA Cryptography Specifications), §9.2 | 
|  | 998 | * steps 3–6. | 
|  | 999 | */ | 
|  | 1000 | #define PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PKCS1V15_SIGN_BASE | 
| Gilles Peskine | a592623 | 2018-03-28 14:16:50 +0200 | [diff] [blame] | 1001 | #define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg)                               \ | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1002 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1003 |  | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1004 | #define PSA_ALG_RSA_PSS_BASE               ((psa_algorithm_t)0x10030000) | 
|  | 1005 | /** RSA PSS signature with hashing. | 
|  | 1006 | * | 
|  | 1007 | * This is the signature scheme defined by RFC 8017 | 
|  | 1008 | * (PKCS#1: RSA Cryptography Specifications) under the name | 
| Gilles Peskine | a4d20bd | 2018-06-29 23:35:02 +0200 | [diff] [blame] | 1009 | * RSASSA-PSS, with the message generation function MGF1, and with | 
|  | 1010 | * a salt length equal to the length of the hash. The specified | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1011 | * hash algorithm is used to hash the input message, to create the | 
|  | 1012 | * salted hash, and for the mask generation. | 
|  | 1013 | * | 
|  | 1014 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 1015 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1016 | * | 
|  | 1017 | * \return              The corresponding RSA PSS signature algorithm. | 
|  | 1018 | * \return              Unspecified if \p alg is not a supported | 
|  | 1019 | *                      hash algorithm. | 
|  | 1020 | */ | 
|  | 1021 | #define PSA_ALG_RSA_PSS(hash_alg)                               \ | 
|  | 1022 | (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1023 | #define PSA_ALG_IS_RSA_PSS(alg)                                 \ | 
|  | 1024 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE) | 
|  | 1025 |  | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1026 | #define PSA_ALG_DSA_BASE                        ((psa_algorithm_t)0x10040000) | 
|  | 1027 | /** DSA signature with hashing. | 
|  | 1028 | * | 
|  | 1029 | * This is the signature scheme defined by FIPS 186-4, | 
|  | 1030 | * with a random per-message secret number (*k*). | 
|  | 1031 | * | 
|  | 1032 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 1033 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1034 | * | 
|  | 1035 | * \return              The corresponding DSA signature algorithm. | 
|  | 1036 | * \return              Unspecified if \p alg is not a supported | 
|  | 1037 | *                      hash algorithm. | 
|  | 1038 | */ | 
|  | 1039 | #define PSA_ALG_DSA(hash_alg)                             \ | 
|  | 1040 | (PSA_ALG_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1041 | #define PSA_ALG_DETERMINISTIC_DSA_BASE          ((psa_algorithm_t)0x10050000) | 
|  | 1042 | #define PSA_ALG_DSA_DETERMINISTIC_FLAG          ((psa_algorithm_t)0x00010000) | 
|  | 1043 | #define PSA_ALG_DETERMINISTIC_DSA(hash_alg)                             \ | 
|  | 1044 | (PSA_ALG_DETERMINISTIC_DSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1045 | #define PSA_ALG_IS_DSA(alg)                                             \ | 
|  | 1046 | (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_DSA_DETERMINISTIC_FLAG) ==  \ | 
|  | 1047 | PSA_ALG_DSA_BASE) | 
|  | 1048 | #define PSA_ALG_DSA_IS_DETERMINISTIC(alg)               \ | 
|  | 1049 | (((alg) & PSA_ALG_DSA_DETERMINISTIC_FLAG) != 0) | 
| Gilles Peskine | 55728b0 | 2018-07-16 23:08:16 +0200 | [diff] [blame] | 1050 | #define PSA_ALG_IS_DETERMINISTIC_DSA(alg)                       \ | 
|  | 1051 | (PSA_ALG_IS_DSA(alg) && PSA_ALG_DSA_IS_DETERMINISTIC(alg)) | 
|  | 1052 | #define PSA_ALG_IS_RANDOMIZED_DSA(alg)                          \ | 
|  | 1053 | (PSA_ALG_IS_DSA(alg) && !PSA_ALG_DSA_IS_DETERMINISTIC(alg)) | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1054 |  | 
|  | 1055 | #define PSA_ALG_ECDSA_BASE                      ((psa_algorithm_t)0x10060000) | 
|  | 1056 | /** ECDSA signature with hashing. | 
|  | 1057 | * | 
|  | 1058 | * This is the ECDSA signature scheme defined by ANSI X9.62, | 
|  | 1059 | * with a random per-message secret number (*k*). | 
|  | 1060 | * | 
| Gilles Peskine | eae6eee | 2018-06-28 13:56:01 +0200 | [diff] [blame] | 1061 | * The representation of the signature as a byte string consists of | 
|  | 1062 | * the concatentation of the signature values *r* and *s*. Each of | 
|  | 1063 | * *r* and *s* is encoded as an *N*-octet string, where *N* is the length | 
|  | 1064 | * of the base point of the curve in octets. Each value is represented | 
|  | 1065 | * in big-endian order (most significant octet first). | 
|  | 1066 | * | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1067 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 1068 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1069 | * | 
|  | 1070 | * \return              The corresponding ECDSA signature algorithm. | 
|  | 1071 | * \return              Unspecified if \p alg is not a supported | 
|  | 1072 | *                      hash algorithm. | 
|  | 1073 | */ | 
|  | 1074 | #define PSA_ALG_ECDSA(hash_alg)                                 \ | 
|  | 1075 | (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1076 | /** ECDSA signature without hashing. | 
|  | 1077 | * | 
| Gilles Peskine | eae6eee | 2018-06-28 13:56:01 +0200 | [diff] [blame] | 1078 | * This is the same signature scheme as #PSA_ALG_ECDSA(), but | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1079 | * without specifying a hash algorithm. This algorithm may only be | 
|  | 1080 | * used to sign or verify a sequence of bytes that should be an | 
|  | 1081 | * already-calculated hash. Note that the input is padded with | 
|  | 1082 | * zeros on the left or truncated on the left as required to fit | 
|  | 1083 | * the curve size. | 
|  | 1084 | */ | 
|  | 1085 | #define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE | 
|  | 1086 | #define PSA_ALG_DETERMINISTIC_ECDSA_BASE        ((psa_algorithm_t)0x10070000) | 
|  | 1087 | /** Deterministic ECDSA signature with hashing. | 
|  | 1088 | * | 
|  | 1089 | * This is the deterministic ECDSA signature scheme defined by RFC 6979. | 
|  | 1090 | * | 
| Gilles Peskine | eae6eee | 2018-06-28 13:56:01 +0200 | [diff] [blame] | 1091 | * The representation of a signature is the same as with #PSA_ALG_ECDSA(). | 
|  | 1092 | * | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1093 | * Note that when this algorithm is used for verification, signatures | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 1094 | * made with randomized ECDSA (#PSA_ALG_ECDSA(\p hash_alg)) with the | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1095 | * same private key are accepted. In other words, | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 1096 | * #PSA_ALG_DETERMINISTIC_ECDSA(\p hash_alg) differs from | 
|  | 1097 | * #PSA_ALG_ECDSA(\p hash_alg) only for signature, not for verification. | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1098 | * | 
|  | 1099 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 1100 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1101 | * | 
|  | 1102 | * \return              The corresponding deterministic ECDSA signature | 
|  | 1103 | *                      algorithm. | 
|  | 1104 | * \return              Unspecified if \p alg is not a supported | 
|  | 1105 | *                      hash algorithm. | 
|  | 1106 | */ | 
|  | 1107 | #define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg)                           \ | 
|  | 1108 | (PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1109 | #define PSA_ALG_IS_ECDSA(alg)                                           \ | 
|  | 1110 | (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_DSA_DETERMINISTIC_FLAG) ==  \ | 
|  | 1111 | PSA_ALG_ECDSA_BASE) | 
|  | 1112 | #define PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)             \ | 
|  | 1113 | (((alg) & PSA_ALG_DSA_DETERMINISTIC_FLAG) != 0) | 
| Gilles Peskine | 55728b0 | 2018-07-16 23:08:16 +0200 | [diff] [blame] | 1114 | #define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)                             \ | 
|  | 1115 | (PSA_ALG_IS_ECDSA(alg) && PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) | 
|  | 1116 | #define PSA_ALG_IS_RANDOMIZED_ECDSA(alg)                                \ | 
|  | 1117 | (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1118 |  | 
| Gilles Peskine | 7ed29c5 | 2018-06-26 15:50:08 +0200 | [diff] [blame] | 1119 | /** Get the hash used by a hash-and-sign signature algorithm. | 
|  | 1120 | * | 
|  | 1121 | * A hash-and-sign algorithm is a signature algorithm which is | 
|  | 1122 | * composed of two phases: first a hashing phase which does not use | 
|  | 1123 | * the key and produces a hash of the input message, then a signing | 
|  | 1124 | * phase which only uses the hash and the key and not the message | 
|  | 1125 | * itself. | 
|  | 1126 | * | 
|  | 1127 | * \param alg   A signature algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 1128 | *              #PSA_ALG_IS_SIGN(\p alg) is true). | 
| Gilles Peskine | 7ed29c5 | 2018-06-26 15:50:08 +0200 | [diff] [blame] | 1129 | * | 
|  | 1130 | * \return      The underlying hash algorithm if \p alg is a hash-and-sign | 
|  | 1131 | *              algorithm. | 
|  | 1132 | * \return      0 if \p alg is a signature algorithm that does not | 
|  | 1133 | *              follow the hash-and-sign structure. | 
|  | 1134 | * \return      Unspecified if \p alg is not a signature algorithm or | 
|  | 1135 | *              if it is not supported by the implementation. | 
|  | 1136 | */ | 
|  | 1137 | #define PSA_ALG_SIGN_GET_HASH(alg)                                     \ | 
| Gilles Peskine | a81d85b | 2018-06-26 16:10:23 +0200 | [diff] [blame] | 1138 | (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) ||   \ | 
|  | 1139 | PSA_ALG_IS_DSA(alg) || PSA_ALG_IS_ECDSA(alg) ?                    \ | 
| Gilles Peskine | 54622ae | 2018-06-29 22:24:24 +0200 | [diff] [blame] | 1140 | ((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 :        \ | 
| Gilles Peskine | 7ed29c5 | 2018-06-26 15:50:08 +0200 | [diff] [blame] | 1141 | ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH :             \ | 
|  | 1142 | 0) | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1143 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1144 | /** RSA PKCS#1 v1.5 encryption. | 
|  | 1145 | */ | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1146 | #define PSA_ALG_RSA_PKCS1V15_CRYPT              ((psa_algorithm_t)0x12020000) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1147 |  | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1148 | #define PSA_ALG_RSA_OAEP_BASE                   ((psa_algorithm_t)0x12030000) | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1149 | /** RSA OAEP encryption. | 
|  | 1150 | * | 
|  | 1151 | * This is the encryption scheme defined by RFC 8017 | 
|  | 1152 | * (PKCS#1: RSA Cryptography Specifications) under the name | 
|  | 1153 | * RSAES-OAEP, with the message generation function MGF1. | 
|  | 1154 | * | 
|  | 1155 | * \param hash_alg      The hash algorithm (\c PSA_ALG_XXX value such that | 
|  | 1156 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true) to use | 
|  | 1157 | *                      for MGF1. | 
|  | 1158 | * | 
|  | 1159 | * \return              The corresponding RSA OAEP signature algorithm. | 
|  | 1160 | * \return              Unspecified if \p alg is not a supported | 
|  | 1161 | *                      hash algorithm. | 
|  | 1162 | */ | 
| Gilles Peskine | 55bf3d1 | 2018-06-26 15:53:48 +0200 | [diff] [blame] | 1163 | #define PSA_ALG_RSA_OAEP(hash_alg)                              \ | 
|  | 1164 | (PSA_ALG_RSA_OAEP_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1165 | #define PSA_ALG_IS_RSA_OAEP(alg)                                \ | 
|  | 1166 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_OAEP_BASE) | 
| Gilles Peskine | 072ac56 | 2018-06-30 00:21:29 +0200 | [diff] [blame] | 1167 | #define PSA_ALG_RSA_OAEP_GET_HASH(alg)                          \ | 
|  | 1168 | (PSA_ALG_IS_RSA_OAEP(alg) ?                                 \ | 
|  | 1169 | ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH :      \ | 
|  | 1170 | 0) | 
| Gilles Peskine | d1e8e41 | 2018-06-07 09:49:39 +0200 | [diff] [blame] | 1171 |  | 
| Gilles Peskine | bef7f14 | 2018-07-12 17:22:21 +0200 | [diff] [blame] | 1172 | #define PSA_ALG_HKDF_BASE                       ((psa_algorithm_t)0x30000100) | 
|  | 1173 | /** Macro to build an HKDF algorithm. | 
|  | 1174 | * | 
|  | 1175 | * For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256. | 
|  | 1176 | * | 
|  | 1177 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
|  | 1178 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
|  | 1179 | * | 
|  | 1180 | * \return              The corresponding HKDF algorithm. | 
|  | 1181 | * \return              Unspecified if \p alg is not a supported | 
|  | 1182 | *                      hash algorithm. | 
|  | 1183 | */ | 
|  | 1184 | #define PSA_ALG_HKDF(hash_alg)                                  \ | 
|  | 1185 | (PSA_ALG_HKDF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1186 | /** Whether the specified algorithm is an HKDF algorithm. | 
|  | 1187 | * | 
|  | 1188 | * HKDF is a family of key derivation algorithms that are based on a hash | 
|  | 1189 | * function and the HMAC construction. | 
|  | 1190 | * | 
|  | 1191 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 1192 | * | 
|  | 1193 | * \return 1 if \c alg is an HKDF algorithm, 0 otherwise. | 
|  | 1194 | *         This macro may return either 0 or 1 if \c alg is not a supported | 
|  | 1195 | *         key derivation algorithm identifier. | 
|  | 1196 | */ | 
|  | 1197 | #define PSA_ALG_IS_HKDF(alg)                            \ | 
|  | 1198 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE) | 
|  | 1199 | #define PSA_ALG_HKDF_GET_HASH(hkdf_alg)                         \ | 
|  | 1200 | (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1201 |  | 
| Hanno Becker | 79250c2 | 2018-10-09 17:32:46 +0100 | [diff] [blame] | 1202 | #define PSA_ALG_TLS12_PRF_BASE                     ((psa_algorithm_t)0x30000200) | 
|  | 1203 | /** Macro to build a TLS-1.2 PRF algorithm. | 
|  | 1204 | * | 
| Hanno Becker | 2255a36 | 2018-11-16 16:05:13 +0000 | [diff] [blame] | 1205 | * TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule, | 
|  | 1206 | * specified in Section 5 of RFC 5246. It is based on HMAC and can be | 
|  | 1207 | * used with either SHA-256 or SHA-384. | 
|  | 1208 | * | 
|  | 1209 | * For the application to TLS-1.2, the salt and label arguments passed | 
|  | 1210 | * to psa_key_derivation() are what's called 'seed' and 'label' in RFC 5246, | 
|  | 1211 | * respectively. For example, for TLS key expansion, the salt is the | 
|  | 1212 | * concatenation of ServerHello.Random + ClientHello.Random, | 
|  | 1213 | * while the label is "key expansion". | 
|  | 1214 | * | 
| Hanno Becker | 79250c2 | 2018-10-09 17:32:46 +0100 | [diff] [blame] | 1215 | * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the | 
|  | 1216 | * TLS 1.2 PRF using HMAC-SHA-256. | 
|  | 1217 | * | 
|  | 1218 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
|  | 1219 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
|  | 1220 | * | 
|  | 1221 | * \return              The corresponding TLS-1.2 PRF algorithm. | 
|  | 1222 | * \return              Unspecified if \p alg is not a supported | 
|  | 1223 | *                      hash algorithm. | 
|  | 1224 | */ | 
|  | 1225 | #define PSA_ALG_TLS12_PRF(hash_alg)                                  \ | 
|  | 1226 | (PSA_ALG_TLS12_PRF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1227 |  | 
|  | 1228 | /** Whether the specified algorithm is a TLS-1.2 PRF algorithm. | 
|  | 1229 | * | 
| Hanno Becker | 79250c2 | 2018-10-09 17:32:46 +0100 | [diff] [blame] | 1230 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 1231 | * | 
|  | 1232 | * \return 1 if \c alg is a TLS-1.2 PRF algorithm, 0 otherwise. | 
|  | 1233 | *         This macro may return either 0 or 1 if \c alg is not a supported | 
|  | 1234 | *         key derivation algorithm identifier. | 
|  | 1235 | */ | 
|  | 1236 | #define PSA_ALG_IS_TLS12_PRF(alg)                                    \ | 
|  | 1237 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PRF_BASE) | 
|  | 1238 | #define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg)                         \ | 
|  | 1239 | (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1240 |  | 
| Hanno Becker | 8dbfca4 | 2018-10-12 11:56:55 +0100 | [diff] [blame] | 1241 | #define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t)0x30000300) | 
|  | 1242 | /** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm. | 
|  | 1243 | * | 
| Hanno Becker | 2255a36 | 2018-11-16 16:05:13 +0000 | [diff] [blame] | 1244 | * In a pure-PSK handshake in TLS 1.2, the master secret is derived | 
|  | 1245 | * from the PreSharedKey (PSK) through the application of padding | 
|  | 1246 | * (RFC 4279, Section 2) and the TLS-1.2 PRF (RFC 5246, Section 5). | 
|  | 1247 | * The latter is based on HMAC and can be used with either SHA-256 | 
|  | 1248 | * or SHA-384. | 
|  | 1249 | * | 
|  | 1250 | * For the application to TLS-1.2, the salt passed to psa_key_derivation() | 
|  | 1251 | * (and forwarded to the TLS-1.2 PRF) is the concatenation of the | 
|  | 1252 | * ClientHello.Random + ServerHello.Random, while the label is "master secret" | 
|  | 1253 | * or "extended master secret". | 
|  | 1254 | * | 
| Hanno Becker | 8dbfca4 | 2018-10-12 11:56:55 +0100 | [diff] [blame] | 1255 | * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the | 
|  | 1256 | * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256. | 
|  | 1257 | * | 
|  | 1258 | * \param hash_alg      A hash algorithm (\c PSA_ALG_XXX value such that | 
|  | 1259 | *                      #PSA_ALG_IS_HASH(\p hash_alg) is true). | 
|  | 1260 | * | 
|  | 1261 | * \return              The corresponding TLS-1.2 PSK to MS algorithm. | 
|  | 1262 | * \return              Unspecified if \p alg is not a supported | 
|  | 1263 | *                      hash algorithm. | 
|  | 1264 | */ | 
|  | 1265 | #define PSA_ALG_TLS12_PSK_TO_MS(hash_alg)                                  \ | 
|  | 1266 | (PSA_ALG_TLS12_PSK_TO_MS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1267 |  | 
|  | 1268 | /** Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm. | 
|  | 1269 | * | 
| Hanno Becker | 8dbfca4 | 2018-10-12 11:56:55 +0100 | [diff] [blame] | 1270 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 1271 | * | 
|  | 1272 | * \return 1 if \c alg is a TLS-1.2 PSK to MS algorithm, 0 otherwise. | 
|  | 1273 | *         This macro may return either 0 or 1 if \c alg is not a supported | 
|  | 1274 | *         key derivation algorithm identifier. | 
|  | 1275 | */ | 
|  | 1276 | #define PSA_ALG_IS_TLS12_PSK_TO_MS(alg)                                    \ | 
|  | 1277 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PSK_TO_MS_BASE) | 
|  | 1278 | #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg)                         \ | 
|  | 1279 | (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) | 
|  | 1280 |  | 
| Gilles Peskine | e8f0e3d | 2018-09-18 11:52:10 +0200 | [diff] [blame] | 1281 | #define PSA_ALG_KEY_DERIVATION_MASK             ((psa_algorithm_t)0x010fffff) | 
|  | 1282 |  | 
|  | 1283 | /** Use a shared secret as is. | 
|  | 1284 | * | 
|  | 1285 | * Specify this algorithm as the selection component of a key agreement | 
|  | 1286 | * to use the raw result of the key agreement as key material. | 
|  | 1287 | * | 
|  | 1288 | * \warning The raw result of a key agreement algorithm such as finite-field | 
|  | 1289 | * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should | 
|  | 1290 | * not be used directly as key material. It can however be used as the secret | 
|  | 1291 | * input in a key derivation algorithm. | 
|  | 1292 | */ | 
|  | 1293 | #define PSA_ALG_SELECT_RAW                      ((psa_algorithm_t)0x31000001) | 
|  | 1294 |  | 
|  | 1295 | #define PSA_ALG_KEY_AGREEMENT_GET_KDF(alg)                              \ | 
|  | 1296 | (((alg) & PSA_ALG_KEY_DERIVATION_MASK) | PSA_ALG_CATEGORY_KEY_DERIVATION) | 
|  | 1297 |  | 
|  | 1298 | #define PSA_ALG_KEY_AGREEMENT_GET_BASE(alg)                              \ | 
|  | 1299 | ((alg) & ~PSA_ALG_KEY_DERIVATION_MASK) | 
| Gilles Peskine | 93098fd | 2018-09-18 11:54:43 +0200 | [diff] [blame] | 1300 |  | 
|  | 1301 | #define PSA_ALG_FFDH_BASE                       ((psa_algorithm_t)0x22100000) | 
|  | 1302 | /** The Diffie-Hellman key agreement algorithm. | 
|  | 1303 | * | 
| Gilles Peskine | 2607bca | 2018-10-25 22:21:03 +0200 | [diff] [blame] | 1304 | * This algorithm combines the finite-field Diffie-Hellman (DH) key | 
|  | 1305 | * agreement, also known as Diffie-Hellman-Merkle (DHM) key agreement, | 
|  | 1306 | * to produce a shared secret from a private key and the peer's | 
| Gilles Peskine | 93098fd | 2018-09-18 11:54:43 +0200 | [diff] [blame] | 1307 | * public key, with a key selection or key derivation algorithm to produce | 
|  | 1308 | * one or more shared keys and other shared cryptographic material. | 
|  | 1309 | * | 
| Gilles Peskine | 99d0259 | 2018-11-15 17:47:25 +0100 | [diff] [blame] | 1310 | * The shared secret produced by key agreement and passed as input to the | 
|  | 1311 | * derivation or selection algorithm \p kdf_alg is the shared secret | 
|  | 1312 | * `g^{ab}` in big-endian format. | 
|  | 1313 | * It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p` | 
|  | 1314 | * in bits. | 
| Gilles Peskine | 79dd622 | 2018-10-25 22:22:11 +0200 | [diff] [blame] | 1315 | * | 
| Gilles Peskine | 93098fd | 2018-09-18 11:54:43 +0200 | [diff] [blame] | 1316 | * \param kdf_alg       A key derivation algorithm (\c PSA_ALG_XXX value such | 
|  | 1317 | *                      that #PSA_ALG_IS_KEY_DERIVATION(\p hash_alg) is true) | 
|  | 1318 | *                      or a key selection algorithm (\c PSA_ALG_XXX value such | 
| Gilles Peskine | 19643c5 | 2018-11-16 16:45:02 +0100 | [diff] [blame] | 1319 | *                      that #PSA_ALG_IS_KEY_SELECTION(\p hash_alg) is true). | 
| Gilles Peskine | 93098fd | 2018-09-18 11:54:43 +0200 | [diff] [blame] | 1320 | * | 
|  | 1321 | * \return              The Diffie-Hellman algorithm with the specified | 
|  | 1322 | *                      selection or derivation algorithm. | 
|  | 1323 | */ | 
|  | 1324 | #define PSA_ALG_FFDH(kdf_alg) \ | 
|  | 1325 | (PSA_ALG_FFDH_BASE | ((kdf_alg) & PSA_ALG_KEY_DERIVATION_MASK)) | 
|  | 1326 | /** Whether the specified algorithm is a finite field Diffie-Hellman algorithm. | 
|  | 1327 | * | 
|  | 1328 | * This includes every supported key selection or key agreement algorithm | 
|  | 1329 | * for the output of the Diffie-Hellman calculation. | 
|  | 1330 | * | 
|  | 1331 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 1332 | * | 
|  | 1333 | * \return 1 if \c alg is a finite field Diffie-Hellman algorithm, 0 otherwise. | 
|  | 1334 | *         This macro may return either 0 or 1 if \c alg is not a supported | 
|  | 1335 | *         key agreement algorithm identifier. | 
|  | 1336 | */ | 
|  | 1337 | #define PSA_ALG_IS_FFDH(alg) \ | 
|  | 1338 | (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_FFDH_BASE) | 
|  | 1339 |  | 
|  | 1340 | #define PSA_ALG_ECDH_BASE                       ((psa_algorithm_t)0x22200000) | 
| Gilles Peskine | 2607bca | 2018-10-25 22:21:03 +0200 | [diff] [blame] | 1341 | /** The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm. | 
| Gilles Peskine | 93098fd | 2018-09-18 11:54:43 +0200 | [diff] [blame] | 1342 | * | 
|  | 1343 | * This algorithm combines the elliptic curve Diffie-Hellman key | 
|  | 1344 | * agreement to produce a shared secret from a private key and the peer's | 
|  | 1345 | * public key, with a key selection or key derivation algorithm to produce | 
|  | 1346 | * one or more shared keys and other shared cryptographic material. | 
|  | 1347 | * | 
| Gilles Peskine | 7b5b4a0 | 2018-11-14 21:05:10 +0100 | [diff] [blame] | 1348 | * The shared secret produced by key agreement and passed as input to the | 
|  | 1349 | * derivation or selection algorithm \p kdf_alg is the x-coordinate of | 
| Gilles Peskine | 6c6a023 | 2018-11-15 17:44:43 +0100 | [diff] [blame] | 1350 | * the shared secret point. It is always `ceiling(m / 8)` bytes long where | 
|  | 1351 | * `m` is the bit size associated with the curve, i.e. the bit size of the | 
|  | 1352 | * order of the curve's coordinate field. When `m` is not a multiple of 8, | 
| Gilles Peskine | 7b5b4a0 | 2018-11-14 21:05:10 +0100 | [diff] [blame] | 1353 | * the byte containing the most significant bit of the shared secret | 
|  | 1354 | * is padded with zero bits. The byte order is either little-endian | 
|  | 1355 | * or big-endian depending on the curve type. | 
|  | 1356 | * | 
|  | 1357 | * - For Montgomery curves (curve types `PSA_ECC_CURVE_CURVEXXX`), | 
|  | 1358 | *   the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A` | 
|  | 1359 | *   in little-endian byte order. | 
|  | 1360 | *   The bit size is 448 for Curve448 and 255 for Curve25519. | 
|  | 1361 | * - For Weierstrass curves over prime fields (curve types | 
|  | 1362 | *   `PSA_ECC_CURVE_SECPXXX` and `PSA_ECC_CURVE_BRAINPOOL_PXXX`), | 
|  | 1363 | *   the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A` | 
|  | 1364 | *   in big-endian byte order. | 
| Gilles Peskine | 6c6a023 | 2018-11-15 17:44:43 +0100 | [diff] [blame] | 1365 | *   The bit size is `m = ceiling(log_2(p))` for the field `F_p`. | 
| Gilles Peskine | 7b5b4a0 | 2018-11-14 21:05:10 +0100 | [diff] [blame] | 1366 | * - For Weierstrass curves over binary fields (curve types | 
|  | 1367 | *   `PSA_ECC_CURVE_SECTXXX`), | 
|  | 1368 | *   the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A` | 
|  | 1369 | *   in big-endian byte order. | 
| Gilles Peskine | 6c6a023 | 2018-11-15 17:44:43 +0100 | [diff] [blame] | 1370 | *   The bit size is `m` for the field `F_{2^m}`. | 
| Gilles Peskine | 79dd622 | 2018-10-25 22:22:11 +0200 | [diff] [blame] | 1371 | * | 
| Gilles Peskine | 93098fd | 2018-09-18 11:54:43 +0200 | [diff] [blame] | 1372 | * \param kdf_alg       A key derivation algorithm (\c PSA_ALG_XXX value such | 
|  | 1373 | *                      that #PSA_ALG_IS_KEY_DERIVATION(\p hash_alg) is true) | 
|  | 1374 | *                      or a selection algorithm (\c PSA_ALG_XXX value such | 
|  | 1375 | *                      that #PSA_ALG_IS_KEY_SELECTION(\p hash_alg) is true). | 
|  | 1376 | * | 
|  | 1377 | * \return              The Diffie-Hellman algorithm with the specified | 
|  | 1378 | *                      selection or derivation algorithm. | 
|  | 1379 | */ | 
|  | 1380 | #define PSA_ALG_ECDH(kdf_alg) \ | 
|  | 1381 | (PSA_ALG_ECDH_BASE | ((kdf_alg) & PSA_ALG_KEY_DERIVATION_MASK)) | 
|  | 1382 | /** Whether the specified algorithm is an elliptic curve Diffie-Hellman | 
|  | 1383 | * algorithm. | 
|  | 1384 | * | 
|  | 1385 | * This includes every supported key selection or key agreement algorithm | 
|  | 1386 | * for the output of the Diffie-Hellman calculation. | 
|  | 1387 | * | 
|  | 1388 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). | 
|  | 1389 | * | 
|  | 1390 | * \return 1 if \c alg is an elliptic curve Diffie-Hellman algorithm, | 
|  | 1391 | *         0 otherwise. | 
|  | 1392 | *         This macro may return either 0 or 1 if \c alg is not a supported | 
|  | 1393 | *         key agreement algorithm identifier. | 
|  | 1394 | */ | 
|  | 1395 | #define PSA_ALG_IS_ECDH(alg) \ | 
|  | 1396 | (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH_BASE) | 
|  | 1397 |  | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1398 | /**@}*/ | 
|  | 1399 |  | 
|  | 1400 | /** \defgroup key_management Key management | 
|  | 1401 | * @{ | 
|  | 1402 | */ | 
|  | 1403 |  | 
|  | 1404 | /** | 
|  | 1405 | * \brief Import a key in binary format. | 
|  | 1406 | * | 
| Gilles Peskine | f5b9fa1 | 2018-03-07 16:40:18 +0100 | [diff] [blame] | 1407 | * This function supports any output from psa_export_key(). Refer to the | 
| Gilles Peskine | f793393 | 2018-10-31 14:07:52 +0100 | [diff] [blame] | 1408 | * documentation of psa_export_public_key() for the format of public keys | 
|  | 1409 | * and to the documentation of psa_export_key() for the format for | 
|  | 1410 | * other key types. | 
|  | 1411 | * | 
|  | 1412 | * This specification supports a single format for each key type. | 
|  | 1413 | * Implementations may support other formats as long as the standard | 
|  | 1414 | * format is supported. Implementations that support other formats | 
|  | 1415 | * should ensure that the formats are clearly unambiguous so as to | 
|  | 1416 | * minimize the risk that an invalid input is accidentally interpreted | 
|  | 1417 | * according to a different format. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1418 | * | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1419 | * \param key         Slot where the key will be stored. This must be a | 
|  | 1420 | *                    valid slot for a key of the chosen type. It must | 
|  | 1421 | *                    be unoccupied. | 
| Gilles Peskine | f793393 | 2018-10-31 14:07:52 +0100 | [diff] [blame] | 1422 | * \param type        Key type (a \c PSA_KEY_TYPE_XXX value). On a successful | 
|  | 1423 | *                    import, the key slot will contain a key of this type. | 
|  | 1424 | * \param[in] data    Buffer containing the key data. The content of this | 
|  | 1425 | *                    buffer is interpreted according to \p type. It must | 
|  | 1426 | *                    contain the format described in the documentation | 
|  | 1427 | *                    of psa_export_key() or psa_export_public_key() for | 
|  | 1428 | *                    the chosen type. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 1429 | * \param data_length Size of the \p data buffer in bytes. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1430 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1431 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1432 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1433 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1434 | *         The key type or key size is not supported, either by the | 
|  | 1435 | *         implementation in general or in this particular slot. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1436 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1437 | *         The key slot is invalid, | 
|  | 1438 | *         or the key data is not correctly formatted. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1439 | * \retval #PSA_ERROR_OCCUPIED_SLOT | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1440 | *         There is already a key in the specified slot. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1441 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 1442 | * \retval #PSA_ERROR_INSUFFICIENT_STORAGE | 
|  | 1443 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
| Darryl Green | d49a499 | 2018-06-18 17:27:26 +0100 | [diff] [blame] | 1444 | * \retval #PSA_ERROR_STORAGE_FAILURE | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1445 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1446 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1447 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1448 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1449 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1450 | *         results in this error code. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1451 | */ | 
|  | 1452 | psa_status_t psa_import_key(psa_key_slot_t key, | 
|  | 1453 | psa_key_type_t type, | 
|  | 1454 | const uint8_t *data, | 
|  | 1455 | size_t data_length); | 
|  | 1456 |  | 
|  | 1457 | /** | 
| Gilles Peskine | 154bd95 | 2018-04-19 08:38:16 +0200 | [diff] [blame] | 1458 | * \brief Destroy a key and restore the slot to its default state. | 
|  | 1459 | * | 
|  | 1460 | * This function destroys the content of the key slot from both volatile | 
|  | 1461 | * memory and, if applicable, non-volatile storage. Implementations shall | 
|  | 1462 | * make a best effort to ensure that any previous content of the slot is | 
|  | 1463 | * unrecoverable. | 
|  | 1464 | * | 
|  | 1465 | * This function also erases any metadata such as policies. It returns the | 
|  | 1466 | * specified slot to its default state. | 
|  | 1467 | * | 
|  | 1468 | * \param key           The key slot to erase. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1469 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1470 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1471 | *         The slot's content, if any, has been erased. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1472 | * \retval #PSA_ERROR_NOT_PERMITTED | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1473 | *         The slot holds content and cannot be erased because it is | 
|  | 1474 | *         read-only, either due to a policy or due to physical restrictions. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1475 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1476 | *         The specified slot number does not designate a valid slot. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1477 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1478 | *         There was an failure in communication with the cryptoprocessor. | 
|  | 1479 | *         The key material may still be present in the cryptoprocessor. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1480 | * \retval #PSA_ERROR_STORAGE_FAILURE | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1481 | *         The storage is corrupted. Implementations shall make a best effort | 
|  | 1482 | *         to erase key material even in this stage, however applications | 
|  | 1483 | *         should be aware that it may be impossible to guarantee that the | 
|  | 1484 | *         key material is not recoverable in such cases. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1485 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| Gilles Peskine | 65eb858 | 2018-04-19 08:28:58 +0200 | [diff] [blame] | 1486 | *         An unexpected condition which is not a storage corruption or | 
|  | 1487 | *         a communication failure occurred. The cryptoprocessor may have | 
|  | 1488 | *         been compromised. | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1489 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1490 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1491 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1492 | *         results in this error code. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1493 | */ | 
|  | 1494 | psa_status_t psa_destroy_key(psa_key_slot_t key); | 
|  | 1495 |  | 
|  | 1496 | /** | 
|  | 1497 | * \brief Get basic metadata about a key. | 
|  | 1498 | * | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1499 | * \param key           Slot whose content is queried. This must | 
|  | 1500 | *                      be an occupied key slot. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1501 | * \param[out] type     On success, the key type (a \c PSA_KEY_TYPE_XXX value). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1502 | *                      This may be a null pointer, in which case the key type | 
|  | 1503 | *                      is not written. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1504 | * \param[out] bits     On success, the key size in bits. | 
| Gilles Peskine | 9a1ba0d | 2018-03-21 20:49:16 +0100 | [diff] [blame] | 1505 | *                      This may be a null pointer, in which case the key size | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1506 | *                      is not written. | 
|  | 1507 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1508 | * \retval #PSA_SUCCESS | 
|  | 1509 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 1510 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1511 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1512 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1513 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1514 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1515 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1516 | *         results in this error code. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1517 | */ | 
|  | 1518 | psa_status_t psa_get_key_information(psa_key_slot_t key, | 
|  | 1519 | psa_key_type_t *type, | 
|  | 1520 | size_t *bits); | 
|  | 1521 |  | 
|  | 1522 | /** | 
|  | 1523 | * \brief Export a key in binary format. | 
|  | 1524 | * | 
|  | 1525 | * The output of this function can be passed to psa_import_key() to | 
|  | 1526 | * create an equivalent object. | 
|  | 1527 | * | 
| Gilles Peskine | f793393 | 2018-10-31 14:07:52 +0100 | [diff] [blame] | 1528 | * If the implementation of psa_import_key() supports other formats | 
|  | 1529 | * beyond the format specified here, the output from psa_export_key() | 
|  | 1530 | * must use the representation specified here, not the original | 
|  | 1531 | * representation. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1532 | * | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1533 | * For standard key types, the output format is as follows: | 
|  | 1534 | * | 
|  | 1535 | * - For symmetric keys (including MAC keys), the format is the | 
|  | 1536 | *   raw bytes of the key. | 
|  | 1537 | * - For DES, the key data consists of 8 bytes. The parity bits must be | 
|  | 1538 | *   correct. | 
|  | 1539 | * - For Triple-DES, the format is the concatenation of the | 
|  | 1540 | *   two or three DES keys. | 
| Gilles Peskine | 92b3073 | 2018-03-03 21:29:30 +0100 | [diff] [blame] | 1541 | * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEYPAIR), the format | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1542 | *   is the non-encrypted DER encoding of the representation defined by | 
|  | 1543 | *   PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0. | 
|  | 1544 | *   ``` | 
|  | 1545 | *   RSAPrivateKey ::= SEQUENCE { | 
| Gilles Peskine | 4f6c77b | 2018-08-11 01:17:53 +0200 | [diff] [blame] | 1546 | *       version             INTEGER,  -- must be 0 | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1547 | *       modulus             INTEGER,  -- n | 
|  | 1548 | *       publicExponent      INTEGER,  -- e | 
|  | 1549 | *       privateExponent     INTEGER,  -- d | 
|  | 1550 | *       prime1              INTEGER,  -- p | 
|  | 1551 | *       prime2              INTEGER,  -- q | 
|  | 1552 | *       exponent1           INTEGER,  -- d mod (p-1) | 
|  | 1553 | *       exponent2           INTEGER,  -- d mod (q-1) | 
|  | 1554 | *       coefficient         INTEGER,  -- (inverse of q) mod p | 
|  | 1555 | *   } | 
|  | 1556 | *   ``` | 
|  | 1557 | * - For DSA private keys (#PSA_KEY_TYPE_DSA_KEYPAIR), the format | 
|  | 1558 | *   is the non-encrypted DER encoding of the representation used by | 
| Gilles Peskine | c6290c0 | 2018-08-13 17:24:59 +0200 | [diff] [blame] | 1559 | *   OpenSSL and OpenSSH, whose structure is described in ASN.1 as follows: | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1560 | *   ``` | 
|  | 1561 | *   DSAPrivateKey ::= SEQUENCE { | 
| Gilles Peskine | 4f6c77b | 2018-08-11 01:17:53 +0200 | [diff] [blame] | 1562 | *       version             INTEGER,  -- must be 0 | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1563 | *       prime               INTEGER,  -- p | 
|  | 1564 | *       subprime            INTEGER,  -- q | 
|  | 1565 | *       generator           INTEGER,  -- g | 
|  | 1566 | *       public              INTEGER,  -- y | 
|  | 1567 | *       private             INTEGER,  -- x | 
|  | 1568 | *   } | 
|  | 1569 | *   ``` | 
|  | 1570 | * - For elliptic curve key pairs (key types for which | 
| Gilles Peskine | f76aa77 | 2018-10-29 19:24:33 +0100 | [diff] [blame] | 1571 | *   #PSA_KEY_TYPE_IS_ECC_KEYPAIR is true), the format is | 
| Gilles Peskine | 6c6a023 | 2018-11-15 17:44:43 +0100 | [diff] [blame] | 1572 | *   a representation of the private value as a `ceiling(m/8)`-byte string | 
|  | 1573 | *   where `m` is the bit size associated with the curve, i.e. the bit size | 
|  | 1574 | *   of the order of the curve's coordinate field. This byte string is | 
|  | 1575 | *   in little-endian order for Montgomery curves (curve types | 
|  | 1576 | *   `PSA_ECC_CURVE_CURVEXXX`), and in big-endian order for Weierstrass | 
|  | 1577 | *   curves (curve types `PSA_ECC_CURVE_SECTXXX`, `PSA_ECC_CURVE_SECPXXX` | 
|  | 1578 | *   and `PSA_ECC_CURVE_BRAINPOOL_PXXX`). | 
| Gilles Peskine | f76aa77 | 2018-10-29 19:24:33 +0100 | [diff] [blame] | 1579 | *   This is the content of the `privateKey` field of the `ECPrivateKey` | 
|  | 1580 | *   format defined by RFC 5915. | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1581 | * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is | 
|  | 1582 | *   true), the format is the same as for psa_export_public_key(). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1583 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1584 | * \param key               Slot whose content is to be exported. This must | 
|  | 1585 | *                          be an occupied key slot. | 
|  | 1586 | * \param[out] data         Buffer where the key data is to be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 1587 | * \param data_size         Size of the \p data buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1588 | * \param[out] data_length  On success, the number of bytes | 
|  | 1589 | *                          that make up the key data. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1590 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1591 | * \retval #PSA_SUCCESS | 
|  | 1592 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 1593 | * \retval #PSA_ERROR_NOT_PERMITTED | 
| Darryl Green | 9e2d7a0 | 2018-07-24 16:33:30 +0100 | [diff] [blame] | 1594 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | 1be949b | 2018-08-10 19:06:59 +0200 | [diff] [blame] | 1595 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
|  | 1596 | *         The size of the \p data buffer is too small. You can determine a | 
|  | 1597 | *         sufficient buffer size by calling | 
|  | 1598 | *         #PSA_KEY_EXPORT_MAX_SIZE(\c type, \c bits) | 
|  | 1599 | *         where \c type is the key type | 
|  | 1600 | *         and \c bits is the key size in bits. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1601 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1602 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1603 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1604 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1605 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1606 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1607 | *         results in this error code. | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 1608 | */ | 
|  | 1609 | psa_status_t psa_export_key(psa_key_slot_t key, | 
|  | 1610 | uint8_t *data, | 
|  | 1611 | size_t data_size, | 
|  | 1612 | size_t *data_length); | 
|  | 1613 |  | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1614 | /** | 
|  | 1615 | * \brief Export a public key or the public part of a key pair in binary format. | 
|  | 1616 | * | 
|  | 1617 | * The output of this function can be passed to psa_import_key() to | 
|  | 1618 | * create an object that is equivalent to the public key. | 
|  | 1619 | * | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1620 | * The format is the DER representation defined by RFC 5280 as | 
|  | 1621 | * `SubjectPublicKeyInfo`, with the `subjectPublicKey` format | 
|  | 1622 | * specified below. | 
|  | 1623 | * ``` | 
|  | 1624 | * SubjectPublicKeyInfo  ::=  SEQUENCE  { | 
|  | 1625 | *      algorithm          AlgorithmIdentifier, | 
|  | 1626 | *      subjectPublicKey   BIT STRING  } | 
|  | 1627 | * AlgorithmIdentifier  ::=  SEQUENCE  { | 
|  | 1628 | *      algorithm          OBJECT IDENTIFIER, | 
|  | 1629 | *      parameters         ANY DEFINED BY algorithm OPTIONAL  } | 
|  | 1630 | * ``` | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1631 | * | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1632 | * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), | 
|  | 1633 | *   the `subjectPublicKey` format is defined by RFC 3279 §2.3.1 as | 
|  | 1634 | *   `RSAPublicKey`, | 
|  | 1635 | *   with the OID `rsaEncryption`, | 
|  | 1636 | *   and with the parameters `NULL`. | 
|  | 1637 | *   ``` | 
|  | 1638 | *   pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) | 
|  | 1639 | *                                  rsadsi(113549) pkcs(1) 1 } | 
|  | 1640 | *   rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1 } | 
|  | 1641 | * | 
|  | 1642 | *   RSAPublicKey ::= SEQUENCE { | 
|  | 1643 | *      modulus            INTEGER,    -- n | 
|  | 1644 | *      publicExponent     INTEGER  }  -- e | 
|  | 1645 | *   ``` | 
|  | 1646 | * - For DSA public keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY), | 
|  | 1647 | *   the `subjectPublicKey` format is defined by RFC 3279 §2.3.2 as | 
|  | 1648 | *   `DSAPublicKey`, | 
|  | 1649 | *   with the OID `id-dsa`, | 
|  | 1650 | *   and with the parameters `DSS-Parms`. | 
|  | 1651 | *   ``` | 
|  | 1652 | *   id-dsa OBJECT IDENTIFIER ::= { | 
|  | 1653 | *      iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } | 
|  | 1654 | * | 
|  | 1655 | *   Dss-Parms  ::=  SEQUENCE  { | 
|  | 1656 | *      p                  INTEGER, | 
|  | 1657 | *      q                  INTEGER, | 
|  | 1658 | *      g                  INTEGER  } | 
|  | 1659 | *   DSAPublicKey ::= INTEGER -- public key, Y | 
|  | 1660 | *   ``` | 
|  | 1661 | * - For elliptic curve public keys (key types for which | 
|  | 1662 | *   #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), | 
|  | 1663 | *   the `subjectPublicKey` format is defined by RFC 3279 §2.3.5 as | 
| Gilles Peskine | 4f6c77b | 2018-08-11 01:17:53 +0200 | [diff] [blame] | 1664 | *   `ECPoint`, which contains the uncompressed | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1665 | *   representation defined by SEC1 §2.3.3. | 
|  | 1666 | *   The OID is `id-ecPublicKey`, | 
| Gilles Peskine | 4f6c77b | 2018-08-11 01:17:53 +0200 | [diff] [blame] | 1667 | *   and the parameters must be given as a `namedCurve` OID as specified in | 
| Gilles Peskine | c6290c0 | 2018-08-13 17:24:59 +0200 | [diff] [blame] | 1668 | *   RFC 5480 §2.1.1.1 or other applicable standards. | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1669 | *   ``` | 
|  | 1670 | *   ansi-X9-62 OBJECT IDENTIFIER ::= | 
|  | 1671 | *                           { iso(1) member-body(2) us(840) 10045 } | 
|  | 1672 | *   id-public-key-type OBJECT IDENTIFIER  ::= { ansi-X9.62 2 } | 
|  | 1673 | *   id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 } | 
|  | 1674 | * | 
| Gilles Peskine | 4f6c77b | 2018-08-11 01:17:53 +0200 | [diff] [blame] | 1675 | *   ECPoint ::= ... | 
|  | 1676 | *      -- first 8 bits: 0x04; | 
| Gilles Peskine | 6c6a023 | 2018-11-15 17:44:43 +0100 | [diff] [blame] | 1677 | *      -- then x_P as a `ceiling(m/8)`-byte string, big endian; | 
|  | 1678 | *      -- then y_P as a `ceiling(m/8)`-byte string, big endian; | 
|  | 1679 | *      -- where `m` is the bit size associated with the curve, | 
| Gilles Peskine | 7b5b4a0 | 2018-11-14 21:05:10 +0100 | [diff] [blame] | 1680 | *      --       i.e. the bit size of `q` for a curve over `F_q`. | 
| Gilles Peskine | 4e1e9be | 2018-08-10 18:57:40 +0200 | [diff] [blame] | 1681 | * | 
|  | 1682 | *   EcpkParameters ::= CHOICE { -- other choices are not allowed | 
|  | 1683 | *      namedCurve    OBJECT IDENTIFIER } | 
|  | 1684 | *   ``` | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1685 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1686 | * \param key               Slot whose content is to be exported. This must | 
|  | 1687 | *                          be an occupied key slot. | 
|  | 1688 | * \param[out] data         Buffer where the key data is to be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 1689 | * \param data_size         Size of the \p data buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1690 | * \param[out] data_length  On success, the number of bytes | 
|  | 1691 | *                          that make up the key data. | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1692 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1693 | * \retval #PSA_SUCCESS | 
|  | 1694 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 1695 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | 1be949b | 2018-08-10 19:06:59 +0200 | [diff] [blame] | 1696 | *         The key is neither a public key nor a key pair. | 
|  | 1697 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 1698 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
|  | 1699 | *         The size of the \p data buffer is too small. You can determine a | 
|  | 1700 | *         sufficient buffer size by calling | 
|  | 1701 | *         #PSA_KEY_EXPORT_MAX_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEYPAIR(\c type), \c bits) | 
|  | 1702 | *         where \c type is the key type | 
|  | 1703 | *         and \c bits is the key size in bits. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1704 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1705 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1706 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1707 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1708 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1709 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1710 | *         results in this error code. | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1711 | */ | 
|  | 1712 | psa_status_t psa_export_public_key(psa_key_slot_t key, | 
|  | 1713 | uint8_t *data, | 
|  | 1714 | size_t data_size, | 
|  | 1715 | size_t *data_length); | 
|  | 1716 |  | 
|  | 1717 | /**@}*/ | 
|  | 1718 |  | 
|  | 1719 | /** \defgroup policy Key policies | 
|  | 1720 | * @{ | 
|  | 1721 | */ | 
|  | 1722 |  | 
|  | 1723 | /** \brief Encoding of permitted usage on a key. */ | 
|  | 1724 | typedef uint32_t psa_key_usage_t; | 
|  | 1725 |  | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1726 | /** Whether the key may be exported. | 
|  | 1727 | * | 
|  | 1728 | * A public key or the public part of a key pair may always be exported | 
|  | 1729 | * regardless of the value of this permission flag. | 
|  | 1730 | * | 
|  | 1731 | * If a key does not have export permission, implementations shall not | 
|  | 1732 | * allow the key to be exported in plain form from the cryptoprocessor, | 
|  | 1733 | * whether through psa_export_key() or through a proprietary interface. | 
|  | 1734 | * The key may however be exportable in a wrapped form, i.e. in a form | 
|  | 1735 | * where it is encrypted by another key. | 
|  | 1736 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1737 | #define PSA_KEY_USAGE_EXPORT                    ((psa_key_usage_t)0x00000001) | 
|  | 1738 |  | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1739 | /** Whether the key may be used to encrypt a message. | 
|  | 1740 | * | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1741 | * This flag allows the key to be used for a symmetric encryption operation, | 
|  | 1742 | * for an AEAD encryption-and-authentication operation, | 
|  | 1743 | * or for an asymmetric encryption operation, | 
|  | 1744 | * if otherwise permitted by the key's type and policy. | 
|  | 1745 | * | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1746 | * For a key pair, this concerns the public key. | 
|  | 1747 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1748 | #define PSA_KEY_USAGE_ENCRYPT                   ((psa_key_usage_t)0x00000100) | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1749 |  | 
|  | 1750 | /** Whether the key may be used to decrypt a message. | 
|  | 1751 | * | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1752 | * This flag allows the key to be used for a symmetric decryption operation, | 
|  | 1753 | * for an AEAD decryption-and-verification operation, | 
|  | 1754 | * or for an asymmetric decryption operation, | 
|  | 1755 | * if otherwise permitted by the key's type and policy. | 
|  | 1756 | * | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1757 | * For a key pair, this concerns the private key. | 
|  | 1758 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1759 | #define PSA_KEY_USAGE_DECRYPT                   ((psa_key_usage_t)0x00000200) | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1760 |  | 
|  | 1761 | /** Whether the key may be used to sign a message. | 
|  | 1762 | * | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1763 | * This flag allows the key to be used for a MAC calculation operation | 
|  | 1764 | * or for an asymmetric signature operation, | 
|  | 1765 | * if otherwise permitted by the key's type and policy. | 
|  | 1766 | * | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1767 | * For a key pair, this concerns the private key. | 
|  | 1768 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1769 | #define PSA_KEY_USAGE_SIGN                      ((psa_key_usage_t)0x00000400) | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1770 |  | 
|  | 1771 | /** Whether the key may be used to verify a message signature. | 
|  | 1772 | * | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 1773 | * This flag allows the key to be used for a MAC verification operation | 
|  | 1774 | * or for an asymmetric signature verification operation, | 
|  | 1775 | * if otherwise permitted by by the key's type and policy. | 
|  | 1776 | * | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1777 | * For a key pair, this concerns the public key. | 
|  | 1778 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1779 | #define PSA_KEY_USAGE_VERIFY                    ((psa_key_usage_t)0x00000800) | 
|  | 1780 |  | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 1781 | /** Whether the key may be used to derive other keys. | 
|  | 1782 | */ | 
|  | 1783 | #define PSA_KEY_USAGE_DERIVE                    ((psa_key_usage_t)0x00001000) | 
|  | 1784 |  | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1785 | /** The type of the key policy data structure. | 
|  | 1786 | * | 
|  | 1787 | * This is an implementation-defined \c struct. Applications should not | 
|  | 1788 | * make any assumptions about the content of this structure except | 
|  | 1789 | * as directed by the documentation of a specific implementation. */ | 
|  | 1790 | typedef struct psa_key_policy_s psa_key_policy_t; | 
|  | 1791 |  | 
|  | 1792 | /** \brief Initialize a key policy structure to a default that forbids all | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 1793 | * usage of the key. | 
|  | 1794 | * | 
|  | 1795 | * \param[out] policy   The policy object to initialize. | 
|  | 1796 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1797 | void psa_key_policy_init(psa_key_policy_t *policy); | 
|  | 1798 |  | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1799 | /** \brief Set the standard fields of a policy structure. | 
|  | 1800 | * | 
|  | 1801 | * Note that this function does not make any consistency check of the | 
|  | 1802 | * parameters. The values are only checked when applying the policy to | 
|  | 1803 | * a key slot with psa_set_key_policy(). | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 1804 | * | 
|  | 1805 | * \param[out] policy   The policy object to modify. | 
|  | 1806 | * \param usage         The permitted uses for the key. | 
|  | 1807 | * \param alg           The algorithm that the key may be used for. | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1808 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1809 | void psa_key_policy_set_usage(psa_key_policy_t *policy, | 
|  | 1810 | psa_key_usage_t usage, | 
|  | 1811 | psa_algorithm_t alg); | 
|  | 1812 |  | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 1813 | /** \brief Retrieve the usage field of a policy structure. | 
|  | 1814 | * | 
|  | 1815 | * \param[in] policy    The policy object to query. | 
|  | 1816 | * | 
|  | 1817 | * \return The permitted uses for a key with this policy. | 
|  | 1818 | */ | 
| Gilles Peskine | aa7bc47 | 2018-07-12 00:54:56 +0200 | [diff] [blame] | 1819 | psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy); | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1820 |  | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 1821 | /** \brief Retrieve the algorithm field of a policy structure. | 
|  | 1822 | * | 
|  | 1823 | * \param[in] policy    The policy object to query. | 
|  | 1824 | * | 
|  | 1825 | * \return The permitted algorithm for a key with this policy. | 
|  | 1826 | */ | 
| Gilles Peskine | aa7bc47 | 2018-07-12 00:54:56 +0200 | [diff] [blame] | 1827 | psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy); | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1828 |  | 
|  | 1829 | /** \brief Set the usage policy on a key slot. | 
|  | 1830 | * | 
|  | 1831 | * This function must be called on an empty key slot, before importing, | 
|  | 1832 | * generating or creating a key in the slot. Changing the policy of an | 
|  | 1833 | * existing key is not permitted. | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1834 | * | 
|  | 1835 | * Implementations may set restrictions on supported key policies | 
|  | 1836 | * depending on the key type and the key slot. | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 1837 | * | 
|  | 1838 | * \param key           The key slot whose policy is to be changed. | 
|  | 1839 | * \param[in] policy    The policy object to query. | 
|  | 1840 | * | 
|  | 1841 | * \retval #PSA_SUCCESS | 
|  | 1842 | * \retval #PSA_ERROR_OCCUPIED_SLOT | 
|  | 1843 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 1844 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 1845 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1846 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1847 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1848 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1849 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1850 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1851 | *         results in this error code. | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1852 | */ | 
|  | 1853 | psa_status_t psa_set_key_policy(psa_key_slot_t key, | 
|  | 1854 | const psa_key_policy_t *policy); | 
|  | 1855 |  | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1856 | /** \brief Get the usage policy for a key slot. | 
| Gilles Peskine | 6ac73a9 | 2018-07-12 19:47:19 +0200 | [diff] [blame] | 1857 | * | 
|  | 1858 | * \param key           The key slot whose policy is being queried. | 
|  | 1859 | * \param[out] policy   On success, the key's policy. | 
|  | 1860 | * | 
|  | 1861 | * \retval #PSA_SUCCESS | 
|  | 1862 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1863 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1864 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1865 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1866 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1867 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1868 | *         results in this error code. | 
| Gilles Peskine | 7e19853 | 2018-03-08 07:50:30 +0100 | [diff] [blame] | 1869 | */ | 
| Gilles Peskine | 7698bcf | 2018-03-03 21:30:44 +0100 | [diff] [blame] | 1870 | psa_status_t psa_get_key_policy(psa_key_slot_t key, | 
|  | 1871 | psa_key_policy_t *policy); | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 1872 |  | 
|  | 1873 | /**@}*/ | 
|  | 1874 |  | 
| Gilles Peskine | 609b6a5 | 2018-03-03 21:31:50 +0100 | [diff] [blame] | 1875 | /** \defgroup persistence Key lifetime | 
|  | 1876 | * @{ | 
|  | 1877 | */ | 
|  | 1878 |  | 
|  | 1879 | /** Encoding of key lifetimes. | 
|  | 1880 | */ | 
|  | 1881 | typedef uint32_t psa_key_lifetime_t; | 
|  | 1882 |  | 
|  | 1883 | /** A volatile key slot retains its content as long as the application is | 
|  | 1884 | * running. It is guaranteed to be erased on a power reset. | 
|  | 1885 | */ | 
|  | 1886 | #define PSA_KEY_LIFETIME_VOLATILE               ((psa_key_lifetime_t)0x00000000) | 
|  | 1887 |  | 
|  | 1888 | /** A persistent key slot retains its content as long as it is not explicitly | 
|  | 1889 | * destroyed. | 
|  | 1890 | */ | 
|  | 1891 | #define PSA_KEY_LIFETIME_PERSISTENT             ((psa_key_lifetime_t)0x00000001) | 
|  | 1892 |  | 
|  | 1893 | /** A write-once key slot may not be modified once a key has been set. | 
|  | 1894 | * It will retain its content as long as the device remains operational. | 
|  | 1895 | */ | 
|  | 1896 | #define PSA_KEY_LIFETIME_WRITE_ONCE             ((psa_key_lifetime_t)0x7fffffff) | 
|  | 1897 |  | 
| Gilles Peskine | d393e18 | 2018-03-08 07:49:16 +0100 | [diff] [blame] | 1898 | /** \brief Retrieve the lifetime of a key slot. | 
|  | 1899 | * | 
|  | 1900 | * The assignment of lifetimes to slots is implementation-dependent. | 
| Gilles Peskine | 8ca5602 | 2018-04-17 14:07:59 +0200 | [diff] [blame] | 1901 | * | 
| Gilles Peskine | 9bb53d7 | 2018-04-17 14:09:24 +0200 | [diff] [blame] | 1902 | * \param key           Slot to query. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 1903 | * \param[out] lifetime On success, the lifetime value. | 
| Gilles Peskine | 8ca5602 | 2018-04-17 14:07:59 +0200 | [diff] [blame] | 1904 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1905 | * \retval #PSA_SUCCESS | 
| mohammad1603 | 804cd71 | 2018-03-20 22:44:08 +0200 | [diff] [blame] | 1906 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1907 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| mohammad1603 | a7d245a | 2018-04-17 00:40:08 -0700 | [diff] [blame] | 1908 | *         The key slot is invalid. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1909 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1910 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1911 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1912 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1913 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1914 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1915 | *         results in this error code. | 
| Gilles Peskine | d393e18 | 2018-03-08 07:49:16 +0100 | [diff] [blame] | 1916 | */ | 
| Gilles Peskine | 609b6a5 | 2018-03-03 21:31:50 +0100 | [diff] [blame] | 1917 | psa_status_t psa_get_key_lifetime(psa_key_slot_t key, | 
|  | 1918 | psa_key_lifetime_t *lifetime); | 
|  | 1919 |  | 
| Gilles Peskine | d393e18 | 2018-03-08 07:49:16 +0100 | [diff] [blame] | 1920 | /** \brief Change the lifetime of a key slot. | 
|  | 1921 | * | 
|  | 1922 | * Whether the lifetime of a key slot can be changed at all, and if so | 
| Gilles Peskine | 1906798 | 2018-03-20 17:54:53 +0100 | [diff] [blame] | 1923 | * whether the lifetime of an occupied key slot can be changed, is | 
| Gilles Peskine | d393e18 | 2018-03-08 07:49:16 +0100 | [diff] [blame] | 1924 | * implementation-dependent. | 
| Gilles Peskine | 8ca5602 | 2018-04-17 14:07:59 +0200 | [diff] [blame] | 1925 | * | 
| Darryl Green | d49a499 | 2018-06-18 17:27:26 +0100 | [diff] [blame] | 1926 | * When creating a persistent key, you must call this function before creating | 
|  | 1927 | * the key material with psa_import_key(), psa_generate_key() or | 
|  | 1928 | * psa_generator_import_key(). To open an existing persistent key, you must | 
|  | 1929 | * call this function with the correct lifetime value before using the slot | 
|  | 1930 | * for a cryptographic operation. Once a slot's lifetime has been set, | 
|  | 1931 | * the lifetime remains associated with the slot until a subsequent call to | 
|  | 1932 | * psa_set_key_lifetime(), until the key is wiped with psa_destroy_key or | 
|  | 1933 | * until the application terminates (or disconnects from the cryptography | 
|  | 1934 | * service, if the implementation offers such a possibility). | 
|  | 1935 | * | 
| Gilles Peskine | 9bb53d7 | 2018-04-17 14:09:24 +0200 | [diff] [blame] | 1936 | * \param key           Slot whose lifetime is to be changed. | 
|  | 1937 | * \param lifetime      The lifetime value to set for the given key slot. | 
| Gilles Peskine | 8ca5602 | 2018-04-17 14:07:59 +0200 | [diff] [blame] | 1938 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1939 | * \retval #PSA_SUCCESS | 
| mohammad1603 | 804cd71 | 2018-03-20 22:44:08 +0200 | [diff] [blame] | 1940 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1941 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| mohammad1603 | 804cd71 | 2018-03-20 22:44:08 +0200 | [diff] [blame] | 1942 | *         The key slot is invalid, | 
| mohammad1603 | a7d245a | 2018-04-17 00:40:08 -0700 | [diff] [blame] | 1943 | *         or the lifetime value is invalid. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1944 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | f0c9dd3 | 2018-04-17 14:11:07 +0200 | [diff] [blame] | 1945 | *         The implementation does not support the specified lifetime value, | 
|  | 1946 | *         at least for the specified key slot. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1947 | * \retval #PSA_ERROR_OCCUPIED_SLOT | 
| Gilles Peskine | f0c9dd3 | 2018-04-17 14:11:07 +0200 | [diff] [blame] | 1948 | *         The slot contains a key, and the implementation does not support | 
|  | 1949 | *         changing the lifetime of an occupied slot. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 1950 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 1951 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 1952 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 1953 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 1954 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 1955 | *         It is implementation-dependent whether a failure to initialize | 
|  | 1956 | *         results in this error code. | 
| Gilles Peskine | d393e18 | 2018-03-08 07:49:16 +0100 | [diff] [blame] | 1957 | */ | 
|  | 1958 | psa_status_t psa_set_key_lifetime(psa_key_slot_t key, | 
| mohammad1603 | ea05009 | 2018-04-17 00:31:34 -0700 | [diff] [blame] | 1959 | psa_key_lifetime_t lifetime); | 
| Gilles Peskine | d393e18 | 2018-03-08 07:49:16 +0100 | [diff] [blame] | 1960 |  | 
| Gilles Peskine | 609b6a5 | 2018-03-03 21:31:50 +0100 | [diff] [blame] | 1961 | /**@}*/ | 
|  | 1962 |  | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 1963 | /** \defgroup hash Message digests | 
|  | 1964 | * @{ | 
|  | 1965 | */ | 
|  | 1966 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1967 | /** The type of the state data structure for multipart hash operations. | 
|  | 1968 | * | 
| Gilles Peskine | 92b3073 | 2018-03-03 21:29:30 +0100 | [diff] [blame] | 1969 | * This is an implementation-defined \c struct. Applications should not | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1970 | * make any assumptions about the content of this structure except | 
|  | 1971 | * as directed by the documentation of a specific implementation. */ | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 1972 | typedef struct psa_hash_operation_s psa_hash_operation_t; | 
|  | 1973 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1974 | /** The size of the output of psa_hash_finish(), in bytes. | 
|  | 1975 | * | 
|  | 1976 | * This is also the hash size that psa_hash_verify() expects. | 
|  | 1977 | * | 
|  | 1978 | * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 1979 | *              #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm | 
| Gilles Peskine | be42f31 | 2018-07-13 14:38:15 +0200 | [diff] [blame] | 1980 | *              (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a | 
| Gilles Peskine | 3585596 | 2018-04-19 08:39:16 +0200 | [diff] [blame] | 1981 | *              hash algorithm). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 1982 | * | 
|  | 1983 | * \return The hash size for the specified hash algorithm. | 
|  | 1984 | *         If the hash algorithm is not recognized, return 0. | 
|  | 1985 | *         An implementation may return either 0 or the correct size | 
|  | 1986 | *         for a hash algorithm that it recognizes, but does not support. | 
|  | 1987 | */ | 
| Gilles Peskine | 7ed29c5 | 2018-06-26 15:50:08 +0200 | [diff] [blame] | 1988 | #define PSA_HASH_SIZE(alg)                                      \ | 
|  | 1989 | (                                                           \ | 
| Gilles Peskine | 00709fa | 2018-08-22 18:25:41 +0200 | [diff] [blame] | 1990 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD2 ? 16 :            \ | 
|  | 1991 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD4 ? 16 :            \ | 
|  | 1992 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16 :            \ | 
|  | 1993 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20 :      \ | 
|  | 1994 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20 :          \ | 
|  | 1995 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28 :        \ | 
|  | 1996 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32 :        \ | 
|  | 1997 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48 :        \ | 
|  | 1998 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64 :        \ | 
|  | 1999 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28 :    \ | 
|  | 2000 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32 :    \ | 
|  | 2001 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28 :       \ | 
|  | 2002 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32 :       \ | 
|  | 2003 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48 :       \ | 
|  | 2004 | PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 :       \ | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 2005 | 0) | 
|  | 2006 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2007 | /** Start a multipart hash operation. | 
|  | 2008 | * | 
|  | 2009 | * The sequence of operations to calculate a hash (message digest) | 
|  | 2010 | * is as follows: | 
|  | 2011 | * -# Allocate an operation object which will be passed to all the functions | 
|  | 2012 | *    listed here. | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2013 | * -# Call psa_hash_setup() to specify the algorithm. | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2014 | * -# Call psa_hash_update() zero, one or more times, passing a fragment | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2015 | *    of the message each time. The hash that is calculated is the hash | 
|  | 2016 | *    of the concatenation of these messages in order. | 
|  | 2017 | * -# To calculate the hash, call psa_hash_finish(). | 
|  | 2018 | *    To compare the hash with an expected value, call psa_hash_verify(). | 
|  | 2019 | * | 
|  | 2020 | * The application may call psa_hash_abort() at any time after the operation | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2021 | * has been initialized with psa_hash_setup(). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2022 | * | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2023 | * After a successful call to psa_hash_setup(), the application must | 
| Gilles Peskine | ed52297 | 2018-03-20 17:54:15 +0100 | [diff] [blame] | 2024 | * eventually terminate the operation. The following events terminate an | 
|  | 2025 | * operation: | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2026 | * - A failed call to psa_hash_update(). | 
| Gilles Peskine | 1906798 | 2018-03-20 17:54:53 +0100 | [diff] [blame] | 2027 | * - A call to psa_hash_finish(), psa_hash_verify() or psa_hash_abort(). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2028 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2029 | * \param[out] operation    The operation object to use. | 
|  | 2030 | * \param alg               The hash algorithm to compute (\c PSA_ALG_XXX value | 
|  | 2031 | *                          such that #PSA_ALG_IS_HASH(\p alg) is true). | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2032 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2033 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2034 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2035 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2036 | *         \p alg is not supported or is not a hash algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2037 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2038 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2039 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2040 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2041 | */ | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2042 | psa_status_t psa_hash_setup(psa_hash_operation_t *operation, | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 2043 | psa_algorithm_t alg); | 
|  | 2044 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2045 | /** Add a message fragment to a multipart hash operation. | 
|  | 2046 | * | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2047 | * The application must call psa_hash_setup() before calling this function. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2048 | * | 
|  | 2049 | * If this function returns an error status, the operation becomes inactive. | 
|  | 2050 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2051 | * \param[in,out] operation Active hash operation. | 
|  | 2052 | * \param[in] input         Buffer containing the message fragment to hash. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2053 | * \param input_length      Size of the \p input buffer in bytes. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2054 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2055 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2056 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2057 | * \retval #PSA_ERROR_BAD_STATE | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2058 | *         The operation state is not valid (not started, or already completed). | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2059 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2060 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2061 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2062 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2063 | */ | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 2064 | psa_status_t psa_hash_update(psa_hash_operation_t *operation, | 
|  | 2065 | const uint8_t *input, | 
|  | 2066 | size_t input_length); | 
|  | 2067 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2068 | /** Finish the calculation of the hash of a message. | 
|  | 2069 | * | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2070 | * The application must call psa_hash_setup() before calling this function. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2071 | * This function calculates the hash of the message formed by concatenating | 
|  | 2072 | * the inputs passed to preceding calls to psa_hash_update(). | 
|  | 2073 | * | 
|  | 2074 | * When this function returns, the operation becomes inactive. | 
|  | 2075 | * | 
|  | 2076 | * \warning Applications should not call this function if they expect | 
|  | 2077 | *          a specific value for the hash. Call psa_hash_verify() instead. | 
|  | 2078 | *          Beware that comparing integrity or authenticity data such as | 
|  | 2079 | *          hash values with a function such as \c memcmp is risky | 
|  | 2080 | *          because the time taken by the comparison may leak information | 
|  | 2081 | *          about the hashed data which could allow an attacker to guess | 
|  | 2082 | *          a valid hash and thereby bypass security controls. | 
|  | 2083 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2084 | * \param[in,out] operation     Active hash operation. | 
|  | 2085 | * \param[out] hash             Buffer where the hash is to be written. | 
|  | 2086 | * \param hash_size             Size of the \p hash buffer in bytes. | 
|  | 2087 | * \param[out] hash_length      On success, the number of bytes | 
|  | 2088 | *                              that make up the hash value. This is always | 
| Gilles Peskine | be42f31 | 2018-07-13 14:38:15 +0200 | [diff] [blame] | 2089 | *                              #PSA_HASH_SIZE(\c alg) where \c alg is the | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2090 | *                              hash algorithm that is calculated. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2091 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2092 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2093 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2094 | * \retval #PSA_ERROR_BAD_STATE | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2095 | *         The operation state is not valid (not started, or already completed). | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2096 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2097 | *         The size of the \p hash buffer is too small. You can determine a | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 2098 | *         sufficient buffer size by calling #PSA_HASH_SIZE(\c alg) | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2099 | *         where \c alg is the hash algorithm that is calculated. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2100 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2101 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2102 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2103 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2104 | */ | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 2105 | psa_status_t psa_hash_finish(psa_hash_operation_t *operation, | 
|  | 2106 | uint8_t *hash, | 
|  | 2107 | size_t hash_size, | 
|  | 2108 | size_t *hash_length); | 
|  | 2109 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2110 | /** Finish the calculation of the hash of a message and compare it with | 
|  | 2111 | * an expected value. | 
|  | 2112 | * | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2113 | * The application must call psa_hash_setup() before calling this function. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2114 | * This function calculates the hash of the message formed by concatenating | 
|  | 2115 | * the inputs passed to preceding calls to psa_hash_update(). It then | 
|  | 2116 | * compares the calculated hash with the expected hash passed as a | 
|  | 2117 | * parameter to this function. | 
|  | 2118 | * | 
|  | 2119 | * When this function returns, the operation becomes inactive. | 
|  | 2120 | * | 
| Gilles Peskine | 1906798 | 2018-03-20 17:54:53 +0100 | [diff] [blame] | 2121 | * \note Implementations shall make the best effort to ensure that the | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2122 | * comparison between the actual hash and the expected hash is performed | 
|  | 2123 | * in constant time. | 
|  | 2124 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2125 | * \param[in,out] operation     Active hash operation. | 
|  | 2126 | * \param[in] hash              Buffer containing the expected hash value. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2127 | * \param hash_length           Size of the \p hash buffer in bytes. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2128 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2129 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2130 | *         The expected hash is identical to the actual hash of the message. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2131 | * \retval #PSA_ERROR_INVALID_SIGNATURE | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2132 | *         The hash of the message was calculated successfully, but it | 
|  | 2133 | *         differs from the expected hash. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2134 | * \retval #PSA_ERROR_BAD_STATE | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2135 | *         The operation state is not valid (not started, or already completed). | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2136 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2137 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2138 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2139 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2140 | */ | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 2141 | psa_status_t psa_hash_verify(psa_hash_operation_t *operation, | 
|  | 2142 | const uint8_t *hash, | 
|  | 2143 | size_t hash_length); | 
|  | 2144 |  | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2145 | /** Abort a hash operation. | 
|  | 2146 | * | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2147 | * Aborting an operation frees all associated resources except for the | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2148 | * \p operation structure itself. Once aborted, the operation object | 
|  | 2149 | * can be reused for another operation by calling | 
|  | 2150 | * psa_hash_setup() again. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2151 | * | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2152 | * You may call this function any time after the operation object has | 
|  | 2153 | * been initialized by any of the following methods: | 
|  | 2154 | * - A call to psa_hash_setup(), whether it succeeds or not. | 
|  | 2155 | * - Initializing the \c struct to all-bits-zero. | 
|  | 2156 | * - Initializing the \c struct to logical zeros, e.g. | 
|  | 2157 | *   `psa_hash_operation_t operation = {0}`. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2158 | * | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2159 | * In particular, calling psa_hash_abort() after the operation has been | 
|  | 2160 | * terminated by a call to psa_hash_abort(), psa_hash_finish() or | 
|  | 2161 | * psa_hash_verify() is safe and has no effect. | 
|  | 2162 | * | 
|  | 2163 | * \param[in,out] operation     Initialized hash operation. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2164 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2165 | * \retval #PSA_SUCCESS | 
|  | 2166 | * \retval #PSA_ERROR_BAD_STATE | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2167 | *         \p operation is not an active hash operation. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2168 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2169 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2170 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2171 | */ | 
|  | 2172 | psa_status_t psa_hash_abort(psa_hash_operation_t *operation); | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 2173 |  | 
|  | 2174 | /**@}*/ | 
|  | 2175 |  | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2176 | /** \defgroup MAC Message authentication codes | 
|  | 2177 | * @{ | 
|  | 2178 | */ | 
|  | 2179 |  | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2180 | /** The type of the state data structure for multipart MAC operations. | 
|  | 2181 | * | 
| Gilles Peskine | 92b3073 | 2018-03-03 21:29:30 +0100 | [diff] [blame] | 2182 | * This is an implementation-defined \c struct. Applications should not | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2183 | * make any assumptions about the content of this structure except | 
|  | 2184 | * as directed by the documentation of a specific implementation. */ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2185 | typedef struct psa_mac_operation_s psa_mac_operation_t; | 
|  | 2186 |  | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2187 | /** Start a multipart MAC calculation operation. | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2188 | * | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2189 | * This function sets up the calculation of the MAC | 
|  | 2190 | * (message authentication code) of a byte string. | 
|  | 2191 | * To verify the MAC of a message against an | 
|  | 2192 | * expected value, use psa_mac_verify_setup() instead. | 
|  | 2193 | * | 
|  | 2194 | * The sequence of operations to calculate a MAC is as follows: | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2195 | * -# Allocate an operation object which will be passed to all the functions | 
|  | 2196 | *    listed here. | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2197 | * -# Call psa_mac_sign_setup() to specify the algorithm and key. | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2198 | *    The key remains associated with the operation even if the content | 
|  | 2199 | *    of the key slot changes. | 
|  | 2200 | * -# Call psa_mac_update() zero, one or more times, passing a fragment | 
|  | 2201 | *    of the message each time. The MAC that is calculated is the MAC | 
|  | 2202 | *    of the concatenation of these messages in order. | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2203 | * -# At the end of the message, call psa_mac_sign_finish() to finish | 
|  | 2204 | *    calculating the MAC value and retrieve it. | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2205 | * | 
|  | 2206 | * The application may call psa_mac_abort() at any time after the operation | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2207 | * has been initialized with psa_mac_sign_setup(). | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2208 | * | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2209 | * After a successful call to psa_mac_sign_setup(), the application must | 
|  | 2210 | * eventually terminate the operation through one of the following methods: | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2211 | * - A failed call to psa_mac_update(). | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2212 | * - A call to psa_mac_sign_finish() or psa_mac_abort(). | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2213 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2214 | * \param[out] operation    The operation object to use. | 
|  | 2215 | * \param key               Slot containing the key to use for the operation. | 
|  | 2216 | * \param alg               The MAC algorithm to compute (\c PSA_ALG_XXX value | 
|  | 2217 | *                          such that #PSA_ALG_IS_MAC(alg) is true). | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2218 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2219 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2220 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2221 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 2222 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 2223 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2224 | *         \p key is not compatible with \p alg. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2225 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2226 | *         \p alg is not supported or is not a MAC algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2227 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2228 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2229 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2230 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2231 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2232 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2233 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2234 | *         results in this error code. | 
| Gilles Peskine | 7e4acc5 | 2018-02-16 21:24:11 +0100 | [diff] [blame] | 2235 | */ | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2236 | psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation, | 
|  | 2237 | psa_key_slot_t key, | 
|  | 2238 | psa_algorithm_t alg); | 
|  | 2239 |  | 
|  | 2240 | /** Start a multipart MAC verification operation. | 
|  | 2241 | * | 
|  | 2242 | * This function sets up the verification of the MAC | 
|  | 2243 | * (message authentication code) of a byte string against an expected value. | 
|  | 2244 | * | 
|  | 2245 | * The sequence of operations to verify a MAC is as follows: | 
|  | 2246 | * -# Allocate an operation object which will be passed to all the functions | 
|  | 2247 | *    listed here. | 
|  | 2248 | * -# Call psa_mac_verify_setup() to specify the algorithm and key. | 
|  | 2249 | *    The key remains associated with the operation even if the content | 
|  | 2250 | *    of the key slot changes. | 
|  | 2251 | * -# Call psa_mac_update() zero, one or more times, passing a fragment | 
|  | 2252 | *    of the message each time. The MAC that is calculated is the MAC | 
|  | 2253 | *    of the concatenation of these messages in order. | 
|  | 2254 | * -# At the end of the message, call psa_mac_verify_finish() to finish | 
|  | 2255 | *    calculating the actual MAC of the message and verify it against | 
|  | 2256 | *    the expected value. | 
|  | 2257 | * | 
|  | 2258 | * The application may call psa_mac_abort() at any time after the operation | 
|  | 2259 | * has been initialized with psa_mac_verify_setup(). | 
|  | 2260 | * | 
|  | 2261 | * After a successful call to psa_mac_verify_setup(), the application must | 
|  | 2262 | * eventually terminate the operation through one of the following methods: | 
|  | 2263 | * - A failed call to psa_mac_update(). | 
|  | 2264 | * - A call to psa_mac_verify_finish() or psa_mac_abort(). | 
|  | 2265 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2266 | * \param[out] operation    The operation object to use. | 
|  | 2267 | * \param key               Slot containing the key to use for the operation. | 
|  | 2268 | * \param alg               The MAC algorithm to compute (\c PSA_ALG_XXX value | 
|  | 2269 | *                          such that #PSA_ALG_IS_MAC(\p alg) is true). | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2270 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2271 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2272 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2273 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 2274 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 2275 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2276 | *         \c key is not compatible with \c alg. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2277 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2278 | *         \c alg is not supported or is not a MAC algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2279 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2280 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2281 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2282 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2283 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2284 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2285 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2286 | *         results in this error code. | 
| Gilles Peskine | 89167cb | 2018-07-08 20:12:23 +0200 | [diff] [blame] | 2287 | */ | 
|  | 2288 | psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation, | 
|  | 2289 | psa_key_slot_t key, | 
|  | 2290 | psa_algorithm_t alg); | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2291 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2292 | /** Add a message fragment to a multipart MAC operation. | 
|  | 2293 | * | 
|  | 2294 | * The application must call psa_mac_sign_setup() or psa_mac_verify_setup() | 
|  | 2295 | * before calling this function. | 
|  | 2296 | * | 
|  | 2297 | * If this function returns an error status, the operation becomes inactive. | 
|  | 2298 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2299 | * \param[in,out] operation Active MAC operation. | 
|  | 2300 | * \param[in] input         Buffer containing the message fragment to add to | 
|  | 2301 | *                          the MAC calculation. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2302 | * \param input_length      Size of the \p input buffer in bytes. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2303 | * | 
|  | 2304 | * \retval #PSA_SUCCESS | 
|  | 2305 | *         Success. | 
|  | 2306 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2307 | *         The operation state is not valid (not started, or already completed). | 
|  | 2308 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2309 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2310 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2311 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2312 | */ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2313 | psa_status_t psa_mac_update(psa_mac_operation_t *operation, | 
|  | 2314 | const uint8_t *input, | 
|  | 2315 | size_t input_length); | 
|  | 2316 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2317 | /** Finish the calculation of the MAC of a message. | 
|  | 2318 | * | 
|  | 2319 | * The application must call psa_mac_sign_setup() before calling this function. | 
|  | 2320 | * This function calculates the MAC of the message formed by concatenating | 
|  | 2321 | * the inputs passed to preceding calls to psa_mac_update(). | 
|  | 2322 | * | 
|  | 2323 | * When this function returns, the operation becomes inactive. | 
|  | 2324 | * | 
|  | 2325 | * \warning Applications should not call this function if they expect | 
|  | 2326 | *          a specific value for the MAC. Call psa_mac_verify_finish() instead. | 
|  | 2327 | *          Beware that comparing integrity or authenticity data such as | 
|  | 2328 | *          MAC values with a function such as \c memcmp is risky | 
|  | 2329 | *          because the time taken by the comparison may leak information | 
|  | 2330 | *          about the MAC value which could allow an attacker to guess | 
|  | 2331 | *          a valid MAC and thereby bypass security controls. | 
|  | 2332 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2333 | * \param[in,out] operation Active MAC operation. | 
|  | 2334 | * \param[out] mac          Buffer where the MAC value is to be written. | 
|  | 2335 | * \param mac_size          Size of the \p mac buffer in bytes. | 
|  | 2336 | * \param[out] mac_length   On success, the number of bytes | 
|  | 2337 | *                          that make up the MAC value. This is always | 
| Gilles Peskine | dda3bd3 | 2018-07-12 19:40:46 +0200 | [diff] [blame] | 2338 | *                          #PSA_MAC_FINAL_SIZE(\c key_type, \c key_bits, \c alg) | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2339 | *                          where \c key_type and \c key_bits are the type and | 
| Gilles Peskine | dda3bd3 | 2018-07-12 19:40:46 +0200 | [diff] [blame] | 2340 | *                          bit-size respectively of the key and \c alg is the | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2341 | *                          MAC algorithm that is calculated. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2342 | * | 
|  | 2343 | * \retval #PSA_SUCCESS | 
|  | 2344 | *         Success. | 
|  | 2345 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2346 | *         The operation state is not valid (not started, or already completed). | 
|  | 2347 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2348 | *         The size of the \p mac buffer is too small. You can determine a | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2349 | *         sufficient buffer size by calling PSA_MAC_FINAL_SIZE(). | 
|  | 2350 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2351 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2352 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2353 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2354 | */ | 
| Gilles Peskine | acd4be3 | 2018-07-08 19:56:25 +0200 | [diff] [blame] | 2355 | psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation, | 
|  | 2356 | uint8_t *mac, | 
|  | 2357 | size_t mac_size, | 
|  | 2358 | size_t *mac_length); | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2359 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2360 | /** Finish the calculation of the MAC of a message and compare it with | 
|  | 2361 | * an expected value. | 
|  | 2362 | * | 
|  | 2363 | * The application must call psa_mac_verify_setup() before calling this function. | 
|  | 2364 | * This function calculates the MAC of the message formed by concatenating | 
|  | 2365 | * the inputs passed to preceding calls to psa_mac_update(). It then | 
|  | 2366 | * compares the calculated MAC with the expected MAC passed as a | 
|  | 2367 | * parameter to this function. | 
|  | 2368 | * | 
|  | 2369 | * When this function returns, the operation becomes inactive. | 
|  | 2370 | * | 
|  | 2371 | * \note Implementations shall make the best effort to ensure that the | 
|  | 2372 | * comparison between the actual MAC and the expected MAC is performed | 
|  | 2373 | * in constant time. | 
|  | 2374 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2375 | * \param[in,out] operation Active MAC operation. | 
|  | 2376 | * \param[in] mac           Buffer containing the expected MAC value. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2377 | * \param mac_length        Size of the \p mac buffer in bytes. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2378 | * | 
|  | 2379 | * \retval #PSA_SUCCESS | 
|  | 2380 | *         The expected MAC is identical to the actual MAC of the message. | 
|  | 2381 | * \retval #PSA_ERROR_INVALID_SIGNATURE | 
|  | 2382 | *         The MAC of the message was calculated successfully, but it | 
|  | 2383 | *         differs from the expected MAC. | 
|  | 2384 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2385 | *         The operation state is not valid (not started, or already completed). | 
|  | 2386 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2387 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2388 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2389 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2390 | */ | 
| Gilles Peskine | acd4be3 | 2018-07-08 19:56:25 +0200 | [diff] [blame] | 2391 | psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation, | 
|  | 2392 | const uint8_t *mac, | 
|  | 2393 | size_t mac_length); | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2394 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2395 | /** Abort a MAC operation. | 
|  | 2396 | * | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2397 | * Aborting an operation frees all associated resources except for the | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2398 | * \p operation structure itself. Once aborted, the operation object | 
|  | 2399 | * can be reused for another operation by calling | 
|  | 2400 | * psa_mac_sign_setup() or psa_mac_verify_setup() again. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2401 | * | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2402 | * You may call this function any time after the operation object has | 
|  | 2403 | * been initialized by any of the following methods: | 
|  | 2404 | * - A call to psa_mac_sign_setup() or psa_mac_verify_setup(), whether | 
|  | 2405 | *   it succeeds or not. | 
|  | 2406 | * - Initializing the \c struct to all-bits-zero. | 
|  | 2407 | * - Initializing the \c struct to logical zeros, e.g. | 
|  | 2408 | *   `psa_mac_operation_t operation = {0}`. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2409 | * | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2410 | * In particular, calling psa_mac_abort() after the operation has been | 
|  | 2411 | * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or | 
|  | 2412 | * psa_mac_verify_finish() is safe and has no effect. | 
|  | 2413 | * | 
|  | 2414 | * \param[in,out] operation Initialized MAC operation. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2415 | * | 
|  | 2416 | * \retval #PSA_SUCCESS | 
|  | 2417 | * \retval #PSA_ERROR_BAD_STATE | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2418 | *         \p operation is not an active MAC operation. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2419 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2420 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2421 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2422 | */ | 
| Gilles Peskine | 8c9def3 | 2018-02-08 10:02:12 +0100 | [diff] [blame] | 2423 | psa_status_t psa_mac_abort(psa_mac_operation_t *operation); | 
|  | 2424 |  | 
|  | 2425 | /**@}*/ | 
|  | 2426 |  | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2427 | /** \defgroup cipher Symmetric ciphers | 
|  | 2428 | * @{ | 
|  | 2429 | */ | 
|  | 2430 |  | 
|  | 2431 | /** The type of the state data structure for multipart cipher operations. | 
|  | 2432 | * | 
|  | 2433 | * This is an implementation-defined \c struct. Applications should not | 
|  | 2434 | * make any assumptions about the content of this structure except | 
|  | 2435 | * as directed by the documentation of a specific implementation. */ | 
|  | 2436 | typedef struct psa_cipher_operation_s psa_cipher_operation_t; | 
|  | 2437 |  | 
|  | 2438 | /** Set the key for a multipart symmetric encryption operation. | 
|  | 2439 | * | 
|  | 2440 | * The sequence of operations to encrypt a message with a symmetric cipher | 
|  | 2441 | * is as follows: | 
|  | 2442 | * -# Allocate an operation object which will be passed to all the functions | 
|  | 2443 | *    listed here. | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2444 | * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key. | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2445 | *    The key remains associated with the operation even if the content | 
|  | 2446 | *    of the key slot changes. | 
| itayzafrir | ed7382f | 2018-08-02 14:19:33 +0300 | [diff] [blame] | 2447 | * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2448 | *    generate or set the IV (initialization vector). You should use | 
| itayzafrir | ed7382f | 2018-08-02 14:19:33 +0300 | [diff] [blame] | 2449 | *    psa_cipher_generate_iv() unless the protocol you are implementing | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2450 | *    requires a specific IV value. | 
|  | 2451 | * -# Call psa_cipher_update() zero, one or more times, passing a fragment | 
|  | 2452 | *    of the message each time. | 
|  | 2453 | * -# Call psa_cipher_finish(). | 
|  | 2454 | * | 
|  | 2455 | * The application may call psa_cipher_abort() at any time after the operation | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2456 | * has been initialized with psa_cipher_encrypt_setup(). | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2457 | * | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2458 | * After a successful call to psa_cipher_encrypt_setup(), the application must | 
| Gilles Peskine | ed52297 | 2018-03-20 17:54:15 +0100 | [diff] [blame] | 2459 | * eventually terminate the operation. The following events terminate an | 
|  | 2460 | * operation: | 
| itayzafrir | ed7382f | 2018-08-02 14:19:33 +0300 | [diff] [blame] | 2461 | * - A failed call to psa_cipher_generate_iv(), psa_cipher_set_iv() | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2462 | *   or psa_cipher_update(). | 
| Gilles Peskine | 1906798 | 2018-03-20 17:54:53 +0100 | [diff] [blame] | 2463 | * - A call to psa_cipher_finish() or psa_cipher_abort(). | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2464 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2465 | * \param[out] operation        The operation object to use. | 
|  | 2466 | * \param key                   Slot containing the key to use for the operation. | 
|  | 2467 | * \param alg                   The cipher algorithm to compute | 
|  | 2468 | *                              (\c PSA_ALG_XXX value such that | 
|  | 2469 | *                              #PSA_ALG_IS_CIPHER(\p alg) is true). | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2470 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2471 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2472 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2473 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 2474 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 2475 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2476 | *         \p key is not compatible with \p alg. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2477 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2478 | *         \p alg is not supported or is not a cipher algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2479 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2480 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2481 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2482 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2483 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2484 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2485 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2486 | *         results in this error code. | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2487 | */ | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2488 | psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, | 
|  | 2489 | psa_key_slot_t key, | 
|  | 2490 | psa_algorithm_t alg); | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2491 |  | 
|  | 2492 | /** Set the key for a multipart symmetric decryption operation. | 
|  | 2493 | * | 
|  | 2494 | * The sequence of operations to decrypt a message with a symmetric cipher | 
|  | 2495 | * is as follows: | 
|  | 2496 | * -# Allocate an operation object which will be passed to all the functions | 
|  | 2497 | *    listed here. | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2498 | * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key. | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2499 | *    The key remains associated with the operation even if the content | 
|  | 2500 | *    of the key slot changes. | 
|  | 2501 | * -# Call psa_cipher_update() with the IV (initialization vector) for the | 
|  | 2502 | *    decryption. If the IV is prepended to the ciphertext, you can call | 
|  | 2503 | *    psa_cipher_update() on a buffer containing the IV followed by the | 
|  | 2504 | *    beginning of the message. | 
|  | 2505 | * -# Call psa_cipher_update() zero, one or more times, passing a fragment | 
|  | 2506 | *    of the message each time. | 
|  | 2507 | * -# Call psa_cipher_finish(). | 
|  | 2508 | * | 
|  | 2509 | * The application may call psa_cipher_abort() at any time after the operation | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2510 | * has been initialized with psa_cipher_decrypt_setup(). | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2511 | * | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2512 | * After a successful call to psa_cipher_decrypt_setup(), the application must | 
| Gilles Peskine | ed52297 | 2018-03-20 17:54:15 +0100 | [diff] [blame] | 2513 | * eventually terminate the operation. The following events terminate an | 
|  | 2514 | * operation: | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2515 | * - A failed call to psa_cipher_update(). | 
| Gilles Peskine | 1906798 | 2018-03-20 17:54:53 +0100 | [diff] [blame] | 2516 | * - A call to psa_cipher_finish() or psa_cipher_abort(). | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2517 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2518 | * \param[out] operation        The operation object to use. | 
|  | 2519 | * \param key                   Slot containing the key to use for the operation. | 
|  | 2520 | * \param alg                   The cipher algorithm to compute | 
|  | 2521 | *                              (\c PSA_ALG_XXX value such that | 
|  | 2522 | *                              #PSA_ALG_IS_CIPHER(\p alg) is true). | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2523 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2524 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2525 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2526 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 2527 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 2528 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2529 | *         \p key is not compatible with \p alg. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2530 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2531 | *         \p alg is not supported or is not a cipher algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2532 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2533 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2534 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2535 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2536 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2537 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2538 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2539 | *         results in this error code. | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2540 | */ | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2541 | psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, | 
|  | 2542 | psa_key_slot_t key, | 
|  | 2543 | psa_algorithm_t alg); | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2544 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2545 | /** Generate an IV for a symmetric encryption operation. | 
|  | 2546 | * | 
|  | 2547 | * This function generates a random IV (initialization vector), nonce | 
|  | 2548 | * or initial counter value for the encryption operation as appropriate | 
|  | 2549 | * for the chosen algorithm, key type and key size. | 
|  | 2550 | * | 
|  | 2551 | * The application must call psa_cipher_encrypt_setup() before | 
|  | 2552 | * calling this function. | 
|  | 2553 | * | 
|  | 2554 | * If this function returns an error status, the operation becomes inactive. | 
|  | 2555 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2556 | * \param[in,out] operation     Active cipher operation. | 
|  | 2557 | * \param[out] iv               Buffer where the generated IV is to be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2558 | * \param iv_size               Size of the \p iv buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2559 | * \param[out] iv_length        On success, the number of bytes of the | 
|  | 2560 | *                              generated IV. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2561 | * | 
|  | 2562 | * \retval #PSA_SUCCESS | 
|  | 2563 | *         Success. | 
|  | 2564 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2565 | *         The operation state is not valid (not started, or IV already set). | 
|  | 2566 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
| Gilles Peskine | dda3bd3 | 2018-07-12 19:40:46 +0200 | [diff] [blame] | 2567 | *         The size of the \p iv buffer is too small. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2568 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2569 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2570 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2571 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2572 | */ | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2573 | psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation, | 
|  | 2574 | unsigned char *iv, | 
|  | 2575 | size_t iv_size, | 
|  | 2576 | size_t *iv_length); | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2577 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2578 | /** Set the IV for a symmetric encryption or decryption operation. | 
|  | 2579 | * | 
|  | 2580 | * This function sets the random IV (initialization vector), nonce | 
|  | 2581 | * or initial counter value for the encryption or decryption operation. | 
|  | 2582 | * | 
|  | 2583 | * The application must call psa_cipher_encrypt_setup() before | 
|  | 2584 | * calling this function. | 
|  | 2585 | * | 
|  | 2586 | * If this function returns an error status, the operation becomes inactive. | 
|  | 2587 | * | 
|  | 2588 | * \note When encrypting, applications should use psa_cipher_generate_iv() | 
|  | 2589 | * instead of this function, unless implementing a protocol that requires | 
|  | 2590 | * a non-random IV. | 
|  | 2591 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2592 | * \param[in,out] operation     Active cipher operation. | 
|  | 2593 | * \param[in] iv                Buffer containing the IV to use. | 
|  | 2594 | * \param iv_length             Size of the IV in bytes. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2595 | * | 
|  | 2596 | * \retval #PSA_SUCCESS | 
|  | 2597 | *         Success. | 
|  | 2598 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2599 | *         The operation state is not valid (not started, or IV already set). | 
|  | 2600 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2601 | *         The size of \p iv is not acceptable for the chosen algorithm, | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2602 | *         or the chosen algorithm does not use an IV. | 
|  | 2603 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2604 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2605 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2606 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2607 | */ | 
| Gilles Peskine | fe11951 | 2018-07-08 21:39:34 +0200 | [diff] [blame] | 2608 | psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, | 
|  | 2609 | const unsigned char *iv, | 
|  | 2610 | size_t iv_length); | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2611 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2612 | /** Encrypt or decrypt a message fragment in an active cipher operation. | 
|  | 2613 | * | 
| Gilles Peskine | 9ac9426 | 2018-07-12 20:15:32 +0200 | [diff] [blame] | 2614 | * Before calling this function, you must: | 
|  | 2615 | * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(). | 
|  | 2616 | *    The choice of setup function determines whether this function | 
|  | 2617 | *    encrypts or decrypts its input. | 
|  | 2618 | * 2. If the algorithm requires an IV, call psa_cipher_generate_iv() | 
|  | 2619 | *    (recommended when encrypting) or psa_cipher_set_iv(). | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2620 | * | 
|  | 2621 | * If this function returns an error status, the operation becomes inactive. | 
|  | 2622 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2623 | * \param[in,out] operation     Active cipher operation. | 
|  | 2624 | * \param[in] input             Buffer containing the message fragment to | 
|  | 2625 | *                              encrypt or decrypt. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2626 | * \param input_length          Size of the \p input buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2627 | * \param[out] output           Buffer where the output is to be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2628 | * \param output_size           Size of the \p output buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2629 | * \param[out] output_length    On success, the number of bytes | 
|  | 2630 | *                              that make up the returned output. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2631 | * | 
|  | 2632 | * \retval #PSA_SUCCESS | 
|  | 2633 | *         Success. | 
|  | 2634 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2635 | *         The operation state is not valid (not started, IV required but | 
|  | 2636 | *         not set, or already completed). | 
|  | 2637 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
|  | 2638 | *         The size of the \p output buffer is too small. | 
|  | 2639 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2640 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2641 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2642 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2643 | */ | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2644 | psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, | 
|  | 2645 | const uint8_t *input, | 
| mohammad1603 | 503973b | 2018-03-12 15:59:30 +0200 | [diff] [blame] | 2646 | size_t input_length, | 
| Gilles Peskine | 2d27786 | 2018-06-18 15:41:12 +0200 | [diff] [blame] | 2647 | unsigned char *output, | 
|  | 2648 | size_t output_size, | 
| mohammad1603 | 503973b | 2018-03-12 15:59:30 +0200 | [diff] [blame] | 2649 | size_t *output_length); | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2650 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2651 | /** Finish encrypting or decrypting a message in a cipher operation. | 
|  | 2652 | * | 
|  | 2653 | * The application must call psa_cipher_encrypt_setup() or | 
|  | 2654 | * psa_cipher_decrypt_setup() before calling this function. The choice | 
|  | 2655 | * of setup function determines whether this function encrypts or | 
|  | 2656 | * decrypts its input. | 
|  | 2657 | * | 
|  | 2658 | * This function finishes the encryption or decryption of the message | 
|  | 2659 | * formed by concatenating the inputs passed to preceding calls to | 
|  | 2660 | * psa_cipher_update(). | 
|  | 2661 | * | 
|  | 2662 | * When this function returns, the operation becomes inactive. | 
|  | 2663 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2664 | * \param[in,out] operation     Active cipher operation. | 
|  | 2665 | * \param[out] output           Buffer where the output is to be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2666 | * \param output_size           Size of the \p output buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2667 | * \param[out] output_length    On success, the number of bytes | 
|  | 2668 | *                              that make up the returned output. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2669 | * | 
|  | 2670 | * \retval #PSA_SUCCESS | 
|  | 2671 | *         Success. | 
|  | 2672 | * \retval #PSA_ERROR_BAD_STATE | 
|  | 2673 | *         The operation state is not valid (not started, IV required but | 
|  | 2674 | *         not set, or already completed). | 
|  | 2675 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
|  | 2676 | *         The size of the \p output buffer is too small. | 
|  | 2677 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2678 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2679 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2680 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2681 | */ | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2682 | psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, | 
| mohammad1603 | 503973b | 2018-03-12 15:59:30 +0200 | [diff] [blame] | 2683 | uint8_t *output, | 
| Moran Peker | 0071b87 | 2018-04-22 20:16:58 +0300 | [diff] [blame] | 2684 | size_t output_size, | 
| mohammad1603 | 503973b | 2018-03-12 15:59:30 +0200 | [diff] [blame] | 2685 | size_t *output_length); | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2686 |  | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2687 | /** Abort a cipher operation. | 
|  | 2688 | * | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2689 | * Aborting an operation frees all associated resources except for the | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2690 | * \p operation structure itself. Once aborted, the operation object | 
|  | 2691 | * can be reused for another operation by calling | 
|  | 2692 | * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2693 | * | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2694 | * You may call this function any time after the operation object has | 
|  | 2695 | * been initialized by any of the following methods: | 
|  | 2696 | * - A call to psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup(), | 
|  | 2697 | *   whether it succeeds or not. | 
|  | 2698 | * - Initializing the \c struct to all-bits-zero. | 
|  | 2699 | * - Initializing the \c struct to logical zeros, e.g. | 
|  | 2700 | *   `psa_cipher_operation_t operation = {0}`. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2701 | * | 
| Gilles Peskine | b82ab6f | 2018-07-13 15:33:43 +0200 | [diff] [blame] | 2702 | * In particular, calling psa_cipher_abort() after the operation has been | 
|  | 2703 | * terminated by a call to psa_cipher_abort() or psa_cipher_finish() | 
|  | 2704 | * is safe and has no effect. | 
|  | 2705 | * | 
|  | 2706 | * \param[in,out] operation     Initialized cipher operation. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2707 | * | 
|  | 2708 | * \retval #PSA_SUCCESS | 
|  | 2709 | * \retval #PSA_ERROR_BAD_STATE | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2710 | *         \p operation is not an active cipher operation. | 
| Gilles Peskine | dcd1494 | 2018-07-12 00:30:52 +0200 | [diff] [blame] | 2711 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2712 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2713 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2714 | */ | 
| Gilles Peskine | 428dc5a | 2018-03-03 21:27:18 +0100 | [diff] [blame] | 2715 | psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation); | 
|  | 2716 |  | 
|  | 2717 | /**@}*/ | 
|  | 2718 |  | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2719 | /** \defgroup aead Authenticated encryption with associated data (AEAD) | 
|  | 2720 | * @{ | 
|  | 2721 | */ | 
|  | 2722 |  | 
| Gilles Peskine | 5e39dc9 | 2018-06-08 11:41:57 +0200 | [diff] [blame] | 2723 | /** The tag size for an AEAD algorithm, in bytes. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2724 | * | 
| Gilles Peskine | 5e39dc9 | 2018-06-08 11:41:57 +0200 | [diff] [blame] | 2725 | * \param alg                 An AEAD algorithm | 
|  | 2726 | *                            (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 2727 | *                            #PSA_ALG_IS_AEAD(\p alg) is true). | 
| Gilles Peskine | 5e39dc9 | 2018-06-08 11:41:57 +0200 | [diff] [blame] | 2728 | * | 
|  | 2729 | * \return                    The tag size for the specified algorithm. | 
|  | 2730 | *                            If the AEAD algorithm does not have an identified | 
|  | 2731 | *                            tag that can be distinguished from the rest of | 
|  | 2732 | *                            the ciphertext, return 0. | 
|  | 2733 | *                            If the AEAD algorithm is not recognized, return 0. | 
|  | 2734 | *                            An implementation may return either 0 or a | 
|  | 2735 | *                            correct size for an AEAD algorithm that it | 
|  | 2736 | *                            recognizes, but does not support. | 
|  | 2737 | */ | 
| Gilles Peskine | 23cc2ff | 2018-08-17 19:47:52 +0200 | [diff] [blame] | 2738 | #define PSA_AEAD_TAG_LENGTH(alg)                                        \ | 
|  | 2739 | (PSA_ALG_IS_AEAD(alg) ?                                             \ | 
|  | 2740 | (((alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> PSA_AEAD_TAG_LENGTH_OFFSET) : \ | 
| Gilles Peskine | 5e39dc9 | 2018-06-08 11:41:57 +0200 | [diff] [blame] | 2741 | 0) | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2742 |  | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2743 | /** Process an authenticated encryption operation. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2744 | * | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2745 | * \param key                     Slot containing the key to use. | 
|  | 2746 | * \param alg                     The AEAD algorithm to compute | 
|  | 2747 | *                                (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 2748 | *                                #PSA_ALG_IS_AEAD(\p alg) is true). | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2749 | * \param[in] nonce               Nonce or IV to use. | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2750 | * \param nonce_length            Size of the \p nonce buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2751 | * \param[in] additional_data     Additional data that will be authenticated | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2752 | *                                but not encrypted. | 
|  | 2753 | * \param additional_data_length  Size of \p additional_data in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2754 | * \param[in] plaintext           Data that will be authenticated and | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2755 | *                                encrypted. | 
|  | 2756 | * \param plaintext_length        Size of \p plaintext in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2757 | * \param[out] ciphertext         Output buffer for the authenticated and | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2758 | *                                encrypted data. The additional data is not | 
|  | 2759 | *                                part of this output. For algorithms where the | 
|  | 2760 | *                                encrypted data and the authentication tag | 
|  | 2761 | *                                are defined as separate outputs, the | 
|  | 2762 | *                                authentication tag is appended to the | 
|  | 2763 | *                                encrypted data. | 
|  | 2764 | * \param ciphertext_size         Size of the \p ciphertext buffer in bytes. | 
|  | 2765 | *                                This must be at least | 
|  | 2766 | *                                #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p alg, | 
|  | 2767 | *                                \p plaintext_length). | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2768 | * \param[out] ciphertext_length  On success, the size of the output | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2769 | *                                in the \b ciphertext buffer. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2770 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2771 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2772 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2773 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 2774 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 2775 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2776 | *         \p key is not compatible with \p alg. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2777 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2778 | *         \p alg is not supported or is not an AEAD algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2779 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2780 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2781 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2782 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2783 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2784 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2785 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2786 | *         results in this error code. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2787 | */ | 
| Gilles Peskine | 9fb0e01 | 2018-07-19 15:51:49 +0200 | [diff] [blame] | 2788 | psa_status_t psa_aead_encrypt(psa_key_slot_t key, | 
|  | 2789 | psa_algorithm_t alg, | 
|  | 2790 | const uint8_t *nonce, | 
|  | 2791 | size_t nonce_length, | 
|  | 2792 | const uint8_t *additional_data, | 
|  | 2793 | size_t additional_data_length, | 
|  | 2794 | const uint8_t *plaintext, | 
|  | 2795 | size_t plaintext_length, | 
|  | 2796 | uint8_t *ciphertext, | 
|  | 2797 | size_t ciphertext_size, | 
|  | 2798 | size_t *ciphertext_length); | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2799 |  | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2800 | /** Process an authenticated decryption operation. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2801 | * | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2802 | * \param key                     Slot containing the key to use. | 
|  | 2803 | * \param alg                     The AEAD algorithm to compute | 
|  | 2804 | *                                (\c PSA_ALG_XXX value such that | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 2805 | *                                #PSA_ALG_IS_AEAD(\p alg) is true). | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2806 | * \param[in] nonce               Nonce or IV to use. | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2807 | * \param nonce_length            Size of the \p nonce buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2808 | * \param[in] additional_data     Additional data that has been authenticated | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2809 | *                                but not encrypted. | 
|  | 2810 | * \param additional_data_length  Size of \p additional_data in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2811 | * \param[in] ciphertext          Data that has been authenticated and | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2812 | *                                encrypted. For algorithms where the | 
|  | 2813 | *                                encrypted data and the authentication tag | 
|  | 2814 | *                                are defined as separate inputs, the buffer | 
|  | 2815 | *                                must contain the encrypted data followed | 
|  | 2816 | *                                by the authentication tag. | 
|  | 2817 | * \param ciphertext_length       Size of \p ciphertext in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2818 | * \param[out] plaintext          Output buffer for the decrypted data. | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2819 | * \param plaintext_size          Size of the \p plaintext buffer in bytes. | 
|  | 2820 | *                                This must be at least | 
|  | 2821 | *                                #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p alg, | 
|  | 2822 | *                                \p ciphertext_length). | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2823 | * \param[out] plaintext_length   On success, the size of the output | 
| mohammad1603 | fb5b9cb | 2018-06-06 13:44:27 +0300 | [diff] [blame] | 2824 | *                                in the \b plaintext buffer. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2825 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2826 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2827 | *         Success. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2828 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 2829 | * \retval #PSA_ERROR_INVALID_SIGNATURE | 
| Gilles Peskine | 1e7d8f1 | 2018-06-01 16:29:38 +0200 | [diff] [blame] | 2830 | *         The ciphertext is not authentic. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2831 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 2832 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2833 | *         \p key is not compatible with \p alg. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2834 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2835 | *         \p alg is not supported or is not an AEAD algorithm. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2836 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2837 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2838 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2839 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2840 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2841 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2842 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2843 | *         results in this error code. | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2844 | */ | 
| Gilles Peskine | 9fb0e01 | 2018-07-19 15:51:49 +0200 | [diff] [blame] | 2845 | psa_status_t psa_aead_decrypt(psa_key_slot_t key, | 
|  | 2846 | psa_algorithm_t alg, | 
|  | 2847 | const uint8_t *nonce, | 
|  | 2848 | size_t nonce_length, | 
|  | 2849 | const uint8_t *additional_data, | 
|  | 2850 | size_t additional_data_length, | 
|  | 2851 | const uint8_t *ciphertext, | 
|  | 2852 | size_t ciphertext_length, | 
|  | 2853 | uint8_t *plaintext, | 
|  | 2854 | size_t plaintext_size, | 
|  | 2855 | size_t *plaintext_length); | 
| Gilles Peskine | 3b55571 | 2018-03-03 21:27:57 +0100 | [diff] [blame] | 2856 |  | 
|  | 2857 | /**@}*/ | 
|  | 2858 |  | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 2859 | /** \defgroup asymmetric Asymmetric cryptography | 
|  | 2860 | * @{ | 
|  | 2861 | */ | 
|  | 2862 |  | 
|  | 2863 | /** | 
| Gilles Peskine | eae6eee | 2018-06-28 13:56:01 +0200 | [diff] [blame] | 2864 | * \brief ECDSA signature size for a given curve bit size | 
| Gilles Peskine | 0189e75 | 2018-02-03 23:57:22 +0100 | [diff] [blame] | 2865 | * | 
| Gilles Peskine | eae6eee | 2018-06-28 13:56:01 +0200 | [diff] [blame] | 2866 | * \param curve_bits    Curve size in bits. | 
|  | 2867 | * \return              Signature size in bytes. | 
| Gilles Peskine | 0189e75 | 2018-02-03 23:57:22 +0100 | [diff] [blame] | 2868 | * | 
|  | 2869 | * \note This macro returns a compile-time constant if its argument is one. | 
| Gilles Peskine | 0189e75 | 2018-02-03 23:57:22 +0100 | [diff] [blame] | 2870 | */ | 
| Gilles Peskine | eae6eee | 2018-06-28 13:56:01 +0200 | [diff] [blame] | 2871 | #define PSA_ECDSA_SIGNATURE_SIZE(curve_bits)    \ | 
|  | 2872 | (PSA_BITS_TO_BYTES(curve_bits) * 2) | 
| Gilles Peskine | 0189e75 | 2018-02-03 23:57:22 +0100 | [diff] [blame] | 2873 |  | 
| Gilles Peskine | 0189e75 | 2018-02-03 23:57:22 +0100 | [diff] [blame] | 2874 | /** | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 2875 | * \brief Sign a hash or short message with a private key. | 
|  | 2876 | * | 
| Gilles Peskine | 08bac71 | 2018-06-26 16:14:46 +0200 | [diff] [blame] | 2877 | * Note that to perform a hash-and-sign signature algorithm, you must | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2878 | * first calculate the hash by calling psa_hash_setup(), psa_hash_update() | 
| Gilles Peskine | 08bac71 | 2018-06-26 16:14:46 +0200 | [diff] [blame] | 2879 | * and psa_hash_finish(). Then pass the resulting hash as the \p hash | 
|  | 2880 | * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) | 
|  | 2881 | * to determine the hash algorithm to use. | 
|  | 2882 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2883 | * \param key                   Key slot containing an asymmetric key pair. | 
|  | 2884 | * \param alg                   A signature algorithm that is compatible with | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2885 | *                              the type of \p key. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2886 | * \param[in] hash              The hash or message to sign. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2887 | * \param hash_length           Size of the \p hash buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2888 | * \param[out] signature        Buffer where the signature is to be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2889 | * \param signature_size        Size of the \p signature buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2890 | * \param[out] signature_length On success, the number of bytes | 
|  | 2891 | *                              that make up the returned signature value. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2892 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2893 | * \retval #PSA_SUCCESS | 
|  | 2894 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2895 | *         The size of the \p signature buffer is too small. You can | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2896 | *         determine a sufficient buffer size by calling | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 2897 | *         #PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2898 | *         where \c key_type and \c key_bits are the type and bit-size | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2899 | *         respectively of \p key. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2900 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 2901 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 2902 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2903 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2904 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2905 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 2906 | * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2907 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2908 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2909 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2910 | *         results in this error code. | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 2911 | */ | 
|  | 2912 | psa_status_t psa_asymmetric_sign(psa_key_slot_t key, | 
|  | 2913 | psa_algorithm_t alg, | 
|  | 2914 | const uint8_t *hash, | 
|  | 2915 | size_t hash_length, | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 2916 | uint8_t *signature, | 
|  | 2917 | size_t signature_size, | 
|  | 2918 | size_t *signature_length); | 
|  | 2919 |  | 
|  | 2920 | /** | 
|  | 2921 | * \brief Verify the signature a hash or short message using a public key. | 
|  | 2922 | * | 
| Gilles Peskine | 08bac71 | 2018-06-26 16:14:46 +0200 | [diff] [blame] | 2923 | * Note that to perform a hash-and-sign signature algorithm, you must | 
| Gilles Peskine | da8191d1c | 2018-07-08 19:46:38 +0200 | [diff] [blame] | 2924 | * first calculate the hash by calling psa_hash_setup(), psa_hash_update() | 
| Gilles Peskine | 08bac71 | 2018-06-26 16:14:46 +0200 | [diff] [blame] | 2925 | * and psa_hash_finish(). Then pass the resulting hash as the \p hash | 
|  | 2926 | * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg) | 
|  | 2927 | * to determine the hash algorithm to use. | 
|  | 2928 | * | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2929 | * \param key               Key slot containing a public key or an | 
|  | 2930 | *                          asymmetric key pair. | 
|  | 2931 | * \param alg               A signature algorithm that is compatible with | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2932 | *                          the type of \p key. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2933 | * \param[in] hash          The hash or message whose signature is to be | 
| Gilles Peskine | 08bac71 | 2018-06-26 16:14:46 +0200 | [diff] [blame] | 2934 | *                          verified. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2935 | * \param hash_length       Size of the \p hash buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2936 | * \param[in] signature     Buffer containing the signature to verify. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2937 | * \param signature_length  Size of the \p signature buffer in bytes. | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2938 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2939 | * \retval #PSA_SUCCESS | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2940 | *         The signature is valid. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2941 | * \retval #PSA_ERROR_INVALID_SIGNATURE | 
| Gilles Peskine | 308b91d | 2018-02-08 09:47:44 +0100 | [diff] [blame] | 2942 | *         The calculation was perfomed successfully, but the passed | 
|  | 2943 | *         signature is not a valid signature. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2944 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 2945 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 2946 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 2947 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 2948 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 2949 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 2950 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 2951 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 2952 | *         It is implementation-dependent whether a failure to initialize | 
|  | 2953 | *         results in this error code. | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 2954 | */ | 
|  | 2955 | psa_status_t psa_asymmetric_verify(psa_key_slot_t key, | 
|  | 2956 | psa_algorithm_t alg, | 
|  | 2957 | const uint8_t *hash, | 
|  | 2958 | size_t hash_length, | 
| Gilles Peskine | e9191ff | 2018-06-27 14:58:41 +0200 | [diff] [blame] | 2959 | const uint8_t *signature, | 
| Gilles Peskine | 526fab0 | 2018-06-27 18:19:40 +0200 | [diff] [blame] | 2960 | size_t signature_length); | 
| Gilles Peskine | 20035e3 | 2018-02-03 22:44:14 +0100 | [diff] [blame] | 2961 |  | 
| Gilles Peskine | 723feff | 2018-05-31 20:08:13 +0200 | [diff] [blame] | 2962 | #define PSA_RSA_MINIMUM_PADDING_SIZE(alg)                               \ | 
| Gilles Peskine | 072ac56 | 2018-06-30 00:21:29 +0200 | [diff] [blame] | 2963 | (PSA_ALG_IS_RSA_OAEP(alg) ?                                         \ | 
|  | 2964 | 2 * PSA_HASH_FINAL_SIZE(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1 :      \ | 
| Gilles Peskine | 723feff | 2018-05-31 20:08:13 +0200 | [diff] [blame] | 2965 | 11 /*PKCS#1v1.5*/) | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 2966 |  | 
|  | 2967 | /** | 
|  | 2968 | * \brief Encrypt a short message with a public key. | 
|  | 2969 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2970 | * \param key                   Key slot containing a public key or an | 
|  | 2971 | *                              asymmetric key pair. | 
|  | 2972 | * \param alg                   An asymmetric encryption algorithm that is | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2973 | *                              compatible with the type of \p key. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2974 | * \param[in] input             The message to encrypt. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2975 | * \param input_length          Size of the \p input buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2976 | * \param[in] salt              A salt or label, if supported by the | 
|  | 2977 | *                              encryption algorithm. | 
|  | 2978 | *                              If the algorithm does not support a | 
|  | 2979 | *                              salt, pass \c NULL. | 
|  | 2980 | *                              If the algorithm supports an optional | 
|  | 2981 | *                              salt and you do not want to pass a salt, | 
|  | 2982 | *                              pass \c NULL. | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 2983 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2984 | *                              - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is | 
|  | 2985 | *                                supported. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2986 | * \param salt_length           Size of the \p salt buffer in bytes. | 
|  | 2987 | *                              If \p salt is \c NULL, pass 0. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2988 | * \param[out] output           Buffer where the encrypted message is to | 
|  | 2989 | *                              be written. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2990 | * \param output_size           Size of the \p output buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 2991 | * \param[out] output_length    On success, the number of bytes | 
|  | 2992 | *                              that make up the returned output. | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 2993 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 2994 | * \retval #PSA_SUCCESS | 
|  | 2995 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 2996 | *         The size of the \p output buffer is too small. You can | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 2997 | *         determine a sufficient buffer size by calling | 
| Gilles Peskine | 7256e6c | 2018-07-12 00:34:26 +0200 | [diff] [blame] | 2998 | *         #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 2999 | *         where \c key_type and \c key_bits are the type and bit-size | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3000 | *         respectively of \p key. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 3001 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 3002 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 3003 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3004 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3005 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 3006 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 3007 | * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 3008 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 3009 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 3010 | *         It is implementation-dependent whether a failure to initialize | 
|  | 3011 | *         results in this error code. | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 3012 | */ | 
|  | 3013 | psa_status_t psa_asymmetric_encrypt(psa_key_slot_t key, | 
|  | 3014 | psa_algorithm_t alg, | 
|  | 3015 | const uint8_t *input, | 
|  | 3016 | size_t input_length, | 
|  | 3017 | const uint8_t *salt, | 
|  | 3018 | size_t salt_length, | 
|  | 3019 | uint8_t *output, | 
|  | 3020 | size_t output_size, | 
|  | 3021 | size_t *output_length); | 
|  | 3022 |  | 
|  | 3023 | /** | 
|  | 3024 | * \brief Decrypt a short message with a private key. | 
|  | 3025 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 3026 | * \param key                   Key slot containing an asymmetric key pair. | 
|  | 3027 | * \param alg                   An asymmetric encryption algorithm that is | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3028 | *                              compatible with the type of \p key. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 3029 | * \param[in] input             The message to decrypt. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3030 | * \param input_length          Size of the \p input buffer in bytes. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 3031 | * \param[in] salt              A salt or label, if supported by the | 
|  | 3032 | *                              encryption algorithm. | 
|  | 3033 | *                              If the algorithm does not support a | 
|  | 3034 | *                              salt, pass \c NULL. | 
|  | 3035 | *                              If the algorithm supports an optional | 
|  | 3036 | *                              salt and you do not want to pass a salt, | 
|  | 3037 | *                              pass \c NULL. | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 3038 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 3039 | *                              - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is | 
|  | 3040 | *                                supported. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3041 | * \param salt_length           Size of the \p salt buffer in bytes. | 
|  | 3042 | *                              If \p salt is \c NULL, pass 0. | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 3043 | * \param[out] output           Buffer where the decrypted message is to | 
|  | 3044 | *                              be written. | 
|  | 3045 | * \param output_size           Size of the \c output buffer in bytes. | 
|  | 3046 | * \param[out] output_length    On success, the number of bytes | 
|  | 3047 | *                              that make up the returned output. | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 3048 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 3049 | * \retval #PSA_SUCCESS | 
|  | 3050 | * \retval #PSA_ERROR_BUFFER_TOO_SMALL | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3051 | *         The size of the \p output buffer is too small. You can | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 3052 | *         determine a sufficient buffer size by calling | 
| Gilles Peskine | dda3bd3 | 2018-07-12 19:40:46 +0200 | [diff] [blame] | 3053 | *         #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg) | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 3054 | *         where \c key_type and \c key_bits are the type and bit-size | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3055 | *         respectively of \p key. | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 3056 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 3057 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 3058 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3059 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3060 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 3061 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 3062 | * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY | 
|  | 3063 | * \retval #PSA_ERROR_INVALID_PADDING | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 3064 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 3065 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 3066 | *         It is implementation-dependent whether a failure to initialize | 
|  | 3067 | *         results in this error code. | 
| Gilles Peskine | 6944f9a | 2018-03-28 14:18:39 +0200 | [diff] [blame] | 3068 | */ | 
|  | 3069 | psa_status_t psa_asymmetric_decrypt(psa_key_slot_t key, | 
|  | 3070 | psa_algorithm_t alg, | 
|  | 3071 | const uint8_t *input, | 
|  | 3072 | size_t input_length, | 
|  | 3073 | const uint8_t *salt, | 
|  | 3074 | size_t salt_length, | 
|  | 3075 | uint8_t *output, | 
|  | 3076 | size_t output_size, | 
|  | 3077 | size_t *output_length); | 
|  | 3078 |  | 
| Gilles Peskine | 2f9c4dc | 2018-01-28 13:16:24 +0100 | [diff] [blame] | 3079 | /**@}*/ | 
|  | 3080 |  | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 3081 | /** \defgroup generators Generators | 
| Gilles Peskine | eab56e4 | 2018-07-12 17:12:33 +0200 | [diff] [blame] | 3082 | * @{ | 
|  | 3083 | */ | 
|  | 3084 |  | 
|  | 3085 | /** The type of the state data structure for generators. | 
|  | 3086 | * | 
|  | 3087 | * Before calling any function on a generator, the application must | 
|  | 3088 | * initialize it by any of the following means: | 
|  | 3089 | * - Set the structure to all-bits-zero, for example: | 
|  | 3090 | *   \code | 
|  | 3091 | *   psa_crypto_generator_t generator; | 
|  | 3092 | *   memset(&generator, 0, sizeof(generator)); | 
|  | 3093 | *   \endcode | 
|  | 3094 | * - Initialize the structure to logical zero values, for example: | 
|  | 3095 | *   \code | 
|  | 3096 | *   psa_crypto_generator_t generator = {0}; | 
|  | 3097 | *   \endcode | 
|  | 3098 | * - Initialize the structure to the initializer #PSA_CRYPTO_GENERATOR_INIT, | 
|  | 3099 | *   for example: | 
|  | 3100 | *   \code | 
|  | 3101 | *   psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; | 
|  | 3102 | *   \endcode | 
|  | 3103 | * - Assign the result of the function psa_crypto_generator_init() | 
|  | 3104 | *   to the structure, for example: | 
|  | 3105 | *   \code | 
|  | 3106 | *   psa_crypto_generator_t generator; | 
|  | 3107 | *   generator = psa_crypto_generator_init(); | 
|  | 3108 | *   \endcode | 
|  | 3109 | * | 
|  | 3110 | * This is an implementation-defined \c struct. Applications should not | 
|  | 3111 | * make any assumptions about the content of this structure except | 
|  | 3112 | * as directed by the documentation of a specific implementation. | 
|  | 3113 | */ | 
|  | 3114 | typedef struct psa_crypto_generator_s psa_crypto_generator_t; | 
|  | 3115 |  | 
|  | 3116 | /** \def PSA_CRYPTO_GENERATOR_INIT | 
|  | 3117 | * | 
|  | 3118 | * This macro returns a suitable initializer for a generator object | 
|  | 3119 | * of type #psa_crypto_generator_t. | 
|  | 3120 | */ | 
|  | 3121 | #ifdef __DOXYGEN_ONLY__ | 
|  | 3122 | /* This is an example definition for documentation purposes. | 
|  | 3123 | * Implementations should define a suitable value in `crypto_struct.h`. | 
|  | 3124 | */ | 
|  | 3125 | #define PSA_CRYPTO_GENERATOR_INIT {0} | 
|  | 3126 | #endif | 
|  | 3127 |  | 
|  | 3128 | /** Return an initial value for a generator object. | 
|  | 3129 | */ | 
|  | 3130 | static psa_crypto_generator_t psa_crypto_generator_init(void); | 
|  | 3131 |  | 
|  | 3132 | /** Retrieve the current capacity of a generator. | 
|  | 3133 | * | 
|  | 3134 | * The capacity of a generator is the maximum number of bytes that it can | 
|  | 3135 | * return. Reading *N* bytes from a generator reduces its capacity by *N*. | 
|  | 3136 | * | 
|  | 3137 | * \param[in] generator     The generator to query. | 
|  | 3138 | * \param[out] capacity     On success, the capacity of the generator. | 
|  | 3139 | * | 
|  | 3140 | * \retval PSA_SUCCESS | 
|  | 3141 | * \retval PSA_ERROR_BAD_STATE | 
|  | 3142 | * \retval PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3143 | */ | 
|  | 3144 | psa_status_t psa_get_generator_capacity(const psa_crypto_generator_t *generator, | 
|  | 3145 | size_t *capacity); | 
|  | 3146 |  | 
|  | 3147 | /** Read some data from a generator. | 
|  | 3148 | * | 
|  | 3149 | * This function reads and returns a sequence of bytes from a generator. | 
|  | 3150 | * The data that is read is discarded from the generator. The generator's | 
|  | 3151 | * capacity is decreased by the number of bytes read. | 
|  | 3152 | * | 
|  | 3153 | * \param[in,out] generator The generator object to read from. | 
|  | 3154 | * \param[out] output       Buffer where the generator output will be | 
|  | 3155 | *                          written. | 
|  | 3156 | * \param output_length     Number of bytes to output. | 
|  | 3157 | * | 
|  | 3158 | * \retval PSA_SUCCESS | 
|  | 3159 | * \retval PSA_ERROR_INSUFFICIENT_CAPACITY | 
|  | 3160 | *                          There were fewer than \p output_length bytes | 
|  | 3161 | *                          in the generator. Note that in this case, no | 
|  | 3162 | *                          output is written to the output buffer. | 
|  | 3163 | *                          The generator's capacity is set to 0, thus | 
|  | 3164 | *                          subsequent calls to this function will not | 
|  | 3165 | *                          succeed, even with a smaller output buffer. | 
|  | 3166 | * \retval PSA_ERROR_BAD_STATE | 
|  | 3167 | * \retval PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3168 | * \retval PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3169 | * \retval PSA_ERROR_HARDWARE_FAILURE | 
|  | 3170 | * \retval PSA_ERROR_TAMPERING_DETECTED | 
|  | 3171 | */ | 
|  | 3172 | psa_status_t psa_generator_read(psa_crypto_generator_t *generator, | 
|  | 3173 | uint8_t *output, | 
|  | 3174 | size_t output_length); | 
|  | 3175 |  | 
|  | 3176 | /** Create a symmetric key from data read from a generator. | 
|  | 3177 | * | 
|  | 3178 | * This function reads a sequence of bytes from a generator and imports | 
|  | 3179 | * these bytes as a key. | 
|  | 3180 | * The data that is read is discarded from the generator. The generator's | 
|  | 3181 | * capacity is decreased by the number of bytes read. | 
|  | 3182 | * | 
|  | 3183 | * This function is equivalent to calling #psa_generator_read and | 
|  | 3184 | * passing the resulting output to #psa_import_key, but | 
|  | 3185 | * if the implementation provides an isolation boundary then | 
|  | 3186 | * the key material is not exposed outside the isolation boundary. | 
|  | 3187 | * | 
|  | 3188 | * \param key               Slot where the key will be stored. This must be a | 
|  | 3189 | *                          valid slot for a key of the chosen type. It must | 
|  | 3190 | *                          be unoccupied. | 
|  | 3191 | * \param type              Key type (a \c PSA_KEY_TYPE_XXX value). | 
|  | 3192 | *                          This must be a symmetric key type. | 
|  | 3193 | * \param bits              Key size in bits. | 
|  | 3194 | * \param[in,out] generator The generator object to read from. | 
|  | 3195 | * | 
|  | 3196 | * \retval PSA_SUCCESS | 
|  | 3197 | *         Success. | 
|  | 3198 | * \retval PSA_ERROR_INSUFFICIENT_CAPACITY | 
|  | 3199 | *                          There were fewer than \p output_length bytes | 
|  | 3200 | *                          in the generator. Note that in this case, no | 
|  | 3201 | *                          output is written to the output buffer. | 
|  | 3202 | *                          The generator's capacity is set to 0, thus | 
|  | 3203 | *                          subsequent calls to this function will not | 
|  | 3204 | *                          succeed, even with a smaller output buffer. | 
|  | 3205 | * \retval PSA_ERROR_NOT_SUPPORTED | 
|  | 3206 | *         The key type or key size is not supported, either by the | 
|  | 3207 | *         implementation in general or in this particular slot. | 
|  | 3208 | * \retval PSA_ERROR_BAD_STATE | 
|  | 3209 | * \retval PSA_ERROR_INVALID_ARGUMENT | 
|  | 3210 | *         The key slot is invalid. | 
|  | 3211 | * \retval PSA_ERROR_OCCUPIED_SLOT | 
|  | 3212 | *         There is already a key in the specified slot. | 
|  | 3213 | * \retval PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3214 | * \retval PSA_ERROR_INSUFFICIENT_STORAGE | 
|  | 3215 | * \retval PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3216 | * \retval PSA_ERROR_HARDWARE_FAILURE | 
|  | 3217 | * \retval PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 3218 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 3219 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 3220 | *         It is implementation-dependent whether a failure to initialize | 
|  | 3221 | *         results in this error code. | 
| Gilles Peskine | eab56e4 | 2018-07-12 17:12:33 +0200 | [diff] [blame] | 3222 | */ | 
|  | 3223 | psa_status_t psa_generator_import_key(psa_key_slot_t key, | 
|  | 3224 | psa_key_type_t type, | 
|  | 3225 | size_t bits, | 
|  | 3226 | psa_crypto_generator_t *generator); | 
|  | 3227 |  | 
|  | 3228 | /** Abort a generator. | 
|  | 3229 | * | 
|  | 3230 | * Once a generator has been aborted, its capacity is zero. | 
|  | 3231 | * Aborting a generator frees all associated resources except for the | 
|  | 3232 | * \c generator structure itself. | 
|  | 3233 | * | 
|  | 3234 | * This function may be called at any time as long as the generator | 
|  | 3235 | * object has been initialized to #PSA_CRYPTO_GENERATOR_INIT, to | 
|  | 3236 | * psa_crypto_generator_init() or a zero value. In particular, it is valid | 
|  | 3237 | * to call psa_generator_abort() twice, or to call psa_generator_abort() | 
|  | 3238 | * on a generator that has not been set up. | 
|  | 3239 | * | 
|  | 3240 | * Once aborted, the generator object may be called. | 
|  | 3241 | * | 
|  | 3242 | * \param[in,out] generator    The generator to abort. | 
|  | 3243 | * | 
|  | 3244 | * \retval PSA_SUCCESS | 
|  | 3245 | * \retval PSA_ERROR_BAD_STATE | 
|  | 3246 | * \retval PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3247 | * \retval PSA_ERROR_HARDWARE_FAILURE | 
|  | 3248 | * \retval PSA_ERROR_TAMPERING_DETECTED | 
|  | 3249 | */ | 
|  | 3250 | psa_status_t psa_generator_abort(psa_crypto_generator_t *generator); | 
|  | 3251 |  | 
| Gilles Peskine | 8feb3a8 | 2018-09-18 12:06:11 +0200 | [diff] [blame] | 3252 | /** Use the maximum possible capacity for a generator. | 
|  | 3253 | * | 
|  | 3254 | * Use this value as the capacity argument when setting up a generator | 
|  | 3255 | * to indicate that the generator should have the maximum possible capacity. | 
|  | 3256 | * The value of the maximum possible capacity depends on the generator | 
|  | 3257 | * algorithm. | 
|  | 3258 | */ | 
|  | 3259 | #define PSA_GENERATOR_UNBRIDLED_CAPACITY ((size_t)(-1)) | 
|  | 3260 |  | 
| Gilles Peskine | eab56e4 | 2018-07-12 17:12:33 +0200 | [diff] [blame] | 3261 | /**@}*/ | 
|  | 3262 |  | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 3263 | /** \defgroup derivation Key derivation | 
|  | 3264 | * @{ | 
|  | 3265 | */ | 
|  | 3266 |  | 
|  | 3267 | /** Set up a key derivation operation. | 
|  | 3268 | * | 
|  | 3269 | * A key derivation algorithm takes three inputs: a secret input \p key and | 
|  | 3270 | * two non-secret inputs \p label and p salt. | 
|  | 3271 | * The result of this function is a byte generator which can | 
|  | 3272 | * be used to produce keys and other cryptographic material. | 
|  | 3273 | * | 
|  | 3274 | * The role of \p label and \p salt is as follows: | 
| Gilles Peskine | bef7f14 | 2018-07-12 17:22:21 +0200 | [diff] [blame] | 3275 | * - For HKDF (#PSA_ALG_HKDF), \p salt is the salt used in the "extract" step | 
|  | 3276 | *   and \p label is the info string used in the "expand" step. | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 3277 | * | 
|  | 3278 | * \param[in,out] generator       The generator object to set up. It must | 
| Gilles Peskine | 92587db | 2018-09-18 12:12:42 +0200 | [diff] [blame] | 3279 | *                                have been initialized to all-bits-zero, | 
|  | 3280 | *                                a logical zero (`{0}`), | 
|  | 3281 | *                                \c PSA_CRYPTO_GENERATOR_INIT or | 
|  | 3282 | *                                psa_crypto_generator_init(). | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 3283 | * \param key                     Slot containing the secret key to use. | 
|  | 3284 | * \param alg                     The key derivation algorithm to compute | 
|  | 3285 | *                                (\c PSA_ALG_XXX value such that | 
|  | 3286 | *                                #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true). | 
|  | 3287 | * \param[in] salt                Salt to use. | 
|  | 3288 | * \param salt_length             Size of the \p salt buffer in bytes. | 
|  | 3289 | * \param[in] label               Label to use. | 
|  | 3290 | * \param label_length            Size of the \p label buffer in bytes. | 
|  | 3291 | * \param capacity                The maximum number of bytes that the | 
|  | 3292 | *                                generator will be able to provide. | 
|  | 3293 | * | 
|  | 3294 | * \retval #PSA_SUCCESS | 
|  | 3295 | *         Success. | 
|  | 3296 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 3297 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 3298 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 3299 | *         \c key is not compatible with \c alg, | 
|  | 3300 | *         or \p capacity is too large for the specified algorithm and key. | 
|  | 3301 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 3302 | *         \c alg is not supported or is not a key derivation algorithm. | 
|  | 3303 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3304 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3305 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 3306 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 3307 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 3308 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 3309 | *         It is implementation-dependent whether a failure to initialize | 
|  | 3310 | *         results in this error code. | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 3311 | */ | 
|  | 3312 | psa_status_t psa_key_derivation(psa_crypto_generator_t *generator, | 
| Darryl Green | 8800136 | 2018-07-26 13:59:04 +0100 | [diff] [blame] | 3313 | psa_key_slot_t key, | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 3314 | psa_algorithm_t alg, | 
|  | 3315 | const uint8_t *salt, | 
|  | 3316 | size_t salt_length, | 
|  | 3317 | const uint8_t *label, | 
|  | 3318 | size_t label_length, | 
|  | 3319 | size_t capacity); | 
|  | 3320 |  | 
| Gilles Peskine | 01d718c | 2018-09-18 12:01:02 +0200 | [diff] [blame] | 3321 | /** Set up a key agreement operation. | 
|  | 3322 | * | 
|  | 3323 | * A key agreement algorithm takes two inputs: a private key \p private_key | 
|  | 3324 | * a public key \p peer_key. | 
|  | 3325 | * The result of this function is a byte generator which can | 
|  | 3326 | * be used to produce keys and other cryptographic material. | 
|  | 3327 | * | 
| Gilles Peskine | 211a436 | 2018-10-25 22:22:31 +0200 | [diff] [blame] | 3328 | * The resulting generator always has the maximum capacity permitted by | 
|  | 3329 | * the algorithm. | 
|  | 3330 | * | 
| Gilles Peskine | 01d718c | 2018-09-18 12:01:02 +0200 | [diff] [blame] | 3331 | * \param[in,out] generator       The generator object to set up. It must | 
|  | 3332 | *                                have been initialized to all-bits-zero, | 
|  | 3333 | *                                a logical zero (`{0}`), | 
|  | 3334 | *                                \c PSA_CRYPTO_GENERATOR_INIT or | 
|  | 3335 | *                                psa_crypto_generator_init(). | 
|  | 3336 | * \param private_key             Slot containing the private key to use. | 
| Gilles Peskine | d171e78 | 2018-11-15 17:46:21 +0100 | [diff] [blame] | 3337 | * \param[in] peer_key            Public key of the peer. It must be | 
|  | 3338 | *                                in the same format that psa_import_key() | 
|  | 3339 | *                                accepts. The standard formats for public | 
|  | 3340 | *                                keys are documented in the documentation | 
|  | 3341 | *                                of psa_export_public_key(). | 
| Gilles Peskine | 01d718c | 2018-09-18 12:01:02 +0200 | [diff] [blame] | 3342 | * \param peer_key_length         Size of \p peer_key in bytes. | 
|  | 3343 | * \param alg                     The key agreement algorithm to compute | 
|  | 3344 | *                                (\c PSA_ALG_XXX value such that | 
|  | 3345 | *                                #PSA_ALG_IS_KEY_AGREEMENT(\p alg) is true). | 
|  | 3346 | * | 
|  | 3347 | * \retval #PSA_SUCCESS | 
|  | 3348 | *         Success. | 
|  | 3349 | * \retval #PSA_ERROR_EMPTY_SLOT | 
|  | 3350 | * \retval #PSA_ERROR_NOT_PERMITTED | 
|  | 3351 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 3352 | *         \c private_key is not compatible with \c alg, | 
|  | 3353 | *         or \p peer_key is not valid for \c alg or not compatible with | 
|  | 3354 | *         \c private_key. | 
|  | 3355 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 3356 | *         \c alg is not supported or is not a key derivation algorithm. | 
|  | 3357 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3358 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3359 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 3360 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
|  | 3361 | */ | 
|  | 3362 | psa_status_t psa_key_agreement(psa_crypto_generator_t *generator, | 
|  | 3363 | psa_key_slot_t private_key, | 
|  | 3364 | const uint8_t *peer_key, | 
|  | 3365 | size_t peer_key_length, | 
|  | 3366 | psa_algorithm_t alg); | 
|  | 3367 |  | 
| Gilles Peskine | ea0fb49 | 2018-07-12 17:17:20 +0200 | [diff] [blame] | 3368 | /**@}*/ | 
|  | 3369 |  | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 3370 | /** \defgroup random Random generation | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3371 | * @{ | 
|  | 3372 | */ | 
|  | 3373 |  | 
|  | 3374 | /** | 
|  | 3375 | * \brief Generate random bytes. | 
|  | 3376 | * | 
|  | 3377 | * \warning This function **can** fail! Callers MUST check the return status | 
|  | 3378 | *          and MUST NOT use the content of the output buffer if the return | 
|  | 3379 | *          status is not #PSA_SUCCESS. | 
|  | 3380 | * | 
|  | 3381 | * \note    To generate a key, use psa_generate_key() instead. | 
|  | 3382 | * | 
| Gilles Peskine | edd11a1 | 2018-07-12 01:08:58 +0200 | [diff] [blame] | 3383 | * \param[out] output       Output buffer for the generated data. | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3384 | * \param output_size       Number of bytes to generate and output. | 
|  | 3385 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 3386 | * \retval #PSA_SUCCESS | 
|  | 3387 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 3388 | * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY | 
|  | 3389 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3390 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 3391 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 0adf0fc | 2018-09-06 16:24:41 +0300 | [diff] [blame] | 3392 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 3393 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 3394 | *         It is implementation-dependent whether a failure to initialize | 
|  | 3395 | *         results in this error code. | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3396 | */ | 
|  | 3397 | psa_status_t psa_generate_random(uint8_t *output, | 
|  | 3398 | size_t output_size); | 
|  | 3399 |  | 
| Gilles Peskine | 4c317f4 | 2018-07-12 01:24:09 +0200 | [diff] [blame] | 3400 | /** Extra parameters for RSA key generation. | 
|  | 3401 | * | 
| Gilles Peskine | be42f31 | 2018-07-13 14:38:15 +0200 | [diff] [blame] | 3402 | * You may pass a pointer to a structure of this type as the \c extra | 
| Gilles Peskine | 4c317f4 | 2018-07-12 01:24:09 +0200 | [diff] [blame] | 3403 | * parameter to psa_generate_key(). | 
|  | 3404 | */ | 
|  | 3405 | typedef struct { | 
| Gilles Peskine | edd7687 | 2018-07-20 17:42:05 +0200 | [diff] [blame] | 3406 | uint32_t e; /**< Public exponent value. Default: 65537. */ | 
| Gilles Peskine | 4c317f4 | 2018-07-12 01:24:09 +0200 | [diff] [blame] | 3407 | } psa_generate_key_extra_rsa; | 
|  | 3408 |  | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3409 | /** | 
|  | 3410 | * \brief Generate a key or key pair. | 
|  | 3411 | * | 
| Gilles Peskine | 4e69d7a | 2018-06-19 20:19:14 +0200 | [diff] [blame] | 3412 | * \param key               Slot where the key will be stored. This must be a | 
|  | 3413 | *                          valid slot for a key of the chosen type. It must | 
|  | 3414 | *                          be unoccupied. | 
|  | 3415 | * \param type              Key type (a \c PSA_KEY_TYPE_XXX value). | 
|  | 3416 | * \param bits              Key size in bits. | 
| Gilles Peskine | 53d991e | 2018-07-12 01:14:59 +0200 | [diff] [blame] | 3417 | * \param[in] extra         Extra parameters for key generation. The | 
| Gilles Peskine | 4e69d7a | 2018-06-19 20:19:14 +0200 | [diff] [blame] | 3418 | *                          interpretation of this parameter depends on | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3419 | *                          \p type. All types support \c NULL to use | 
| Gilles Peskine | 3fa675c | 2018-07-12 01:31:03 +0200 | [diff] [blame] | 3420 | *                          default parameters. Implementation that support | 
|  | 3421 | *                          the generation of vendor-specific key types | 
|  | 3422 | *                          that allow extra parameters shall document | 
|  | 3423 | *                          the format of these extra parameters and | 
|  | 3424 | *                          the default values. For standard parameters, | 
|  | 3425 | *                          the meaning of \p extra is as follows: | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3426 | *                          - For a symmetric key type (a type such | 
| Gilles Peskine | 3fa675c | 2018-07-12 01:31:03 +0200 | [diff] [blame] | 3427 | *                            that #PSA_KEY_TYPE_IS_ASYMMETRIC(\p type) is | 
|  | 3428 | *                            false), \p extra must be \c NULL. | 
| Gilles Peskine | fa4070c | 2018-07-12 19:23:03 +0200 | [diff] [blame] | 3429 | *                          - For an elliptic curve key type (a type | 
| Gilles Peskine | 3fa675c | 2018-07-12 01:31:03 +0200 | [diff] [blame] | 3430 | *                            such that #PSA_KEY_TYPE_IS_ECC(\p type) is | 
|  | 3431 | *                            false), \p extra must be \c NULL. | 
| Gilles Peskine | dda3bd3 | 2018-07-12 19:40:46 +0200 | [diff] [blame] | 3432 | *                          - For an RSA key (\p type is | 
|  | 3433 | *                            #PSA_KEY_TYPE_RSA_KEYPAIR), \p extra is an | 
|  | 3434 | *                            optional #psa_generate_key_extra_rsa structure | 
| Gilles Peskine | 3fa675c | 2018-07-12 01:31:03 +0200 | [diff] [blame] | 3435 | *                            specifying the public exponent. The | 
|  | 3436 | *                            default public exponent used when \p extra | 
|  | 3437 | *                            is \c NULL is 65537. | 
| Gilles Peskine | 53d991e | 2018-07-12 01:14:59 +0200 | [diff] [blame] | 3438 | * \param extra_size        Size of the buffer that \p extra | 
|  | 3439 | *                          points to, in bytes. Note that if \p extra is | 
|  | 3440 | *                          \c NULL then \p extra_size must be zero. | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3441 | * | 
| Gilles Peskine | 2853849 | 2018-07-11 17:34:00 +0200 | [diff] [blame] | 3442 | * \retval #PSA_SUCCESS | 
|  | 3443 | * \retval #PSA_ERROR_NOT_SUPPORTED | 
|  | 3444 | * \retval #PSA_ERROR_INVALID_ARGUMENT | 
|  | 3445 | * \retval #PSA_ERROR_INSUFFICIENT_MEMORY | 
|  | 3446 | * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY | 
|  | 3447 | * \retval #PSA_ERROR_COMMUNICATION_FAILURE | 
|  | 3448 | * \retval #PSA_ERROR_HARDWARE_FAILURE | 
|  | 3449 | * \retval #PSA_ERROR_TAMPERING_DETECTED | 
| itayzafrir | 90d8c7a | 2018-09-12 11:44:52 +0300 | [diff] [blame] | 3450 | * \retval #PSA_ERROR_BAD_STATE | 
| itayzafrir | 1861709 | 2018-09-16 12:22:41 +0300 | [diff] [blame] | 3451 | *         The library has not been previously initialized by psa_crypto_init(). | 
|  | 3452 | *         It is implementation-dependent whether a failure to initialize | 
|  | 3453 | *         results in this error code. | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3454 | */ | 
|  | 3455 | psa_status_t psa_generate_key(psa_key_slot_t key, | 
|  | 3456 | psa_key_type_t type, | 
|  | 3457 | size_t bits, | 
| Gilles Peskine | 53d991e | 2018-07-12 01:14:59 +0200 | [diff] [blame] | 3458 | const void *extra, | 
|  | 3459 | size_t extra_size); | 
| Gilles Peskine | 9e7dc71 | 2018-03-28 14:18:50 +0200 | [diff] [blame] | 3460 |  | 
|  | 3461 | /**@}*/ | 
|  | 3462 |  | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 3463 | #ifdef __cplusplus | 
|  | 3464 | } | 
|  | 3465 | #endif | 
|  | 3466 |  | 
| Gilles Peskine | 0cad07c | 2018-06-27 19:49:02 +0200 | [diff] [blame] | 3467 | /* The file "crypto_sizes.h" contains definitions for size calculation | 
|  | 3468 | * macros whose definitions are implementation-specific. */ | 
|  | 3469 | #include "crypto_sizes.h" | 
|  | 3470 |  | 
| Gilles Peskine | 9ef733f | 2018-02-07 21:05:37 +0100 | [diff] [blame] | 3471 | /* The file "crypto_struct.h" contains definitions for | 
|  | 3472 | * implementation-specific structs that are declared above. */ | 
|  | 3473 | #include "crypto_struct.h" | 
|  | 3474 |  | 
|  | 3475 | /* The file "crypto_extra.h" contains vendor-specific definitions. This | 
|  | 3476 | * can include vendor-defined algorithms, extra functions, etc. */ | 
| Gilles Peskine | e59236f | 2018-01-27 23:32:46 +0100 | [diff] [blame] | 3477 | #include "crypto_extra.h" | 
|  | 3478 |  | 
|  | 3479 | #endif /* PSA_CRYPTO_H */ |