Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1 | /** |
| 2 | * \file psa/crypto_values.h |
| 3 | * |
| 4 | * \brief PSA cryptography module: macros to build and analyze integer values. |
| 5 | * |
| 6 | * \note This file may not be included directly. Applications must |
| 7 | * include psa/crypto.h. Drivers must include the appropriate driver |
| 8 | * header file. |
| 9 | * |
| 10 | * This file contains portable definitions of macros to build and analyze |
| 11 | * values of integral types that encode properties of cryptographic keys, |
| 12 | * designations of cryptographic algorithms, and error codes returned by |
| 13 | * the library. |
| 14 | * |
| 15 | * This header file only defines preprocessor macros. |
| 16 | */ |
| 17 | /* |
Bence Szépkúti | 1e14827 | 2020-08-07 13:07:28 +0200 | [diff] [blame] | 18 | * Copyright The Mbed TLS Contributors |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 19 | * SPDX-License-Identifier: Apache-2.0 |
| 20 | * |
| 21 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 22 | * not use this file except in compliance with the License. |
| 23 | * You may obtain a copy of the License at |
| 24 | * |
| 25 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 26 | * |
| 27 | * Unless required by applicable law or agreed to in writing, software |
| 28 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 29 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 30 | * See the License for the specific language governing permissions and |
| 31 | * limitations under the License. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 32 | */ |
| 33 | |
| 34 | #ifndef PSA_CRYPTO_VALUES_H |
| 35 | #define PSA_CRYPTO_VALUES_H |
| 36 | |
| 37 | /** \defgroup error Error codes |
| 38 | * @{ |
| 39 | */ |
| 40 | |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 41 | /* PSA error codes */ |
| 42 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 43 | /** The action was completed successfully. */ |
| 44 | #define PSA_SUCCESS ((psa_status_t)0) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 45 | |
| 46 | /** An error occurred that does not correspond to any defined |
| 47 | * failure cause. |
| 48 | * |
| 49 | * Implementations may use this error code if none of the other standard |
| 50 | * error codes are applicable. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 51 | #define PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 52 | |
| 53 | /** The requested operation or a parameter is not supported |
| 54 | * by this implementation. |
| 55 | * |
| 56 | * Implementations should return this error code when an enumeration |
| 57 | * parameter such as a key type, algorithm, etc. is not recognized. |
| 58 | * If a combination of parameters is recognized and identified as |
| 59 | * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 60 | #define PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 61 | |
| 62 | /** The requested action is denied by a policy. |
| 63 | * |
| 64 | * Implementations should return this error code when the parameters |
| 65 | * are recognized as valid and supported, and a policy explicitly |
| 66 | * denies the requested operation. |
| 67 | * |
| 68 | * If a subset of the parameters of a function call identify a |
| 69 | * forbidden operation, and another subset of the parameters are |
| 70 | * not valid or not supported, it is unspecified whether the function |
| 71 | * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or |
| 72 | * #PSA_ERROR_INVALID_ARGUMENT. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 73 | #define PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 74 | |
| 75 | /** An output buffer is too small. |
| 76 | * |
| 77 | * Applications can call the \c PSA_xxx_SIZE macro listed in the function |
| 78 | * description to determine a sufficient buffer size. |
| 79 | * |
| 80 | * Implementations should preferably return this error code only |
| 81 | * in cases when performing the operation with a larger output |
| 82 | * buffer would succeed. However implementations may return this |
| 83 | * error if a function has invalid or unsupported parameters in addition |
| 84 | * to the parameters that determine the necessary output buffer size. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 85 | #define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 86 | |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 87 | /** Asking for an item that already exists |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 88 | * |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 89 | * Implementations should return this error, when attempting |
| 90 | * to write an item (like a key) that already exists. */ |
| 91 | #define PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 92 | |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 93 | /** Asking for an item that doesn't exist |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 94 | * |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 95 | * Implementations should return this error, if a requested item (like |
| 96 | * a key) does not exist. */ |
| 97 | #define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 98 | |
| 99 | /** The requested action cannot be performed in the current state. |
| 100 | * |
| 101 | * Multipart operations return this error when one of the |
| 102 | * functions is called out of sequence. Refer to the function |
| 103 | * descriptions for permitted sequencing of functions. |
| 104 | * |
| 105 | * Implementations shall not return this error code to indicate |
Adrian L. Shaw | 67e1c7a | 2019-05-14 15:24:21 +0100 | [diff] [blame] | 106 | * that a key either exists or not, |
| 107 | * but shall instead return #PSA_ERROR_ALREADY_EXISTS or #PSA_ERROR_DOES_NOT_EXIST |
Adrian L. Shaw | d56456c | 2019-05-15 11:36:13 +0100 | [diff] [blame] | 108 | * as applicable. |
| 109 | * |
| 110 | * Implementations shall not return this error code to indicate that a |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 111 | * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE |
Adrian L. Shaw | d56456c | 2019-05-15 11:36:13 +0100 | [diff] [blame] | 112 | * instead. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 113 | #define PSA_ERROR_BAD_STATE ((psa_status_t)-137) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 114 | |
| 115 | /** The parameters passed to the function are invalid. |
| 116 | * |
| 117 | * Implementations may return this error any time a parameter or |
| 118 | * combination of parameters are recognized as invalid. |
| 119 | * |
Adrian L. Shaw | d56456c | 2019-05-15 11:36:13 +0100 | [diff] [blame] | 120 | * Implementations shall not return this error code to indicate that a |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 121 | * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 122 | * instead. |
| 123 | */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 124 | #define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 125 | |
| 126 | /** There is not enough runtime memory. |
| 127 | * |
| 128 | * If the action is carried out across multiple security realms, this |
| 129 | * error can refer to available memory in any of the security realms. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 130 | #define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 131 | |
| 132 | /** There is not enough persistent storage. |
| 133 | * |
| 134 | * Functions that modify the key storage return this error code if |
| 135 | * there is insufficient storage space on the host media. In addition, |
| 136 | * many functions that do not otherwise access storage may return this |
| 137 | * error code if the implementation requires a mandatory log entry for |
| 138 | * the requested action and the log storage space is full. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 139 | #define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 140 | |
| 141 | /** There was a communication failure inside the implementation. |
| 142 | * |
| 143 | * This can indicate a communication failure between the application |
| 144 | * and an external cryptoprocessor or between the cryptoprocessor and |
| 145 | * an external volatile or persistent memory. A communication failure |
| 146 | * may be transient or permanent depending on the cause. |
| 147 | * |
| 148 | * \warning If a function returns this error, it is undetermined |
| 149 | * whether the requested action has completed or not. Implementations |
Gilles Peskine | be06133 | 2019-07-18 13:52:30 +0200 | [diff] [blame] | 150 | * should return #PSA_SUCCESS on successful completion whenever |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 151 | * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE |
| 152 | * if the requested action was completed successfully in an external |
| 153 | * cryptoprocessor but there was a breakdown of communication before |
| 154 | * the cryptoprocessor could report the status to the application. |
| 155 | */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 156 | #define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 157 | |
| 158 | /** There was a storage failure that may have led to data loss. |
| 159 | * |
| 160 | * This error indicates that some persistent storage is corrupted. |
| 161 | * It should not be used for a corruption of volatile memory |
Gilles Peskine | 4b3eb69 | 2019-05-16 21:35:18 +0200 | [diff] [blame] | 162 | * (use #PSA_ERROR_CORRUPTION_DETECTED), for a communication error |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 163 | * between the cryptoprocessor and its external storage (use |
| 164 | * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is |
| 165 | * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE). |
| 166 | * |
| 167 | * Note that a storage failure does not indicate that any data that was |
| 168 | * previously read is invalid. However this previously read data may no |
| 169 | * longer be readable from storage. |
| 170 | * |
| 171 | * When a storage failure occurs, it is no longer possible to ensure |
| 172 | * the global integrity of the keystore. Depending on the global |
| 173 | * integrity guarantees offered by the implementation, access to other |
| 174 | * data may or may not fail even if the data is still readable but |
Gilles Peskine | bf7a98b | 2019-02-22 16:42:11 +0100 | [diff] [blame] | 175 | * its integrity cannot be guaranteed. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 176 | * |
| 177 | * Implementations should only use this error code to report a |
| 178 | * permanent storage corruption. However application writers should |
| 179 | * keep in mind that transient errors while reading the storage may be |
| 180 | * reported using this error code. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 181 | #define PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 182 | |
| 183 | /** A hardware failure was detected. |
| 184 | * |
| 185 | * A hardware failure may be transient or permanent depending on the |
| 186 | * cause. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 187 | #define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 188 | |
| 189 | /** A tampering attempt was detected. |
| 190 | * |
| 191 | * If an application receives this error code, there is no guarantee |
| 192 | * that previously accessed or computed data was correct and remains |
| 193 | * confidential. Applications should not perform any security function |
| 194 | * and should enter a safe failure state. |
| 195 | * |
| 196 | * Implementations may return this error code if they detect an invalid |
| 197 | * state that cannot happen during normal operation and that indicates |
| 198 | * that the implementation's security guarantees no longer hold. Depending |
| 199 | * on the implementation architecture and on its security and safety goals, |
| 200 | * the implementation may forcibly terminate the application. |
| 201 | * |
| 202 | * This error code is intended as a last resort when a security breach |
| 203 | * is detected and it is unsure whether the keystore data is still |
| 204 | * protected. Implementations shall only return this error code |
| 205 | * to report an alarm from a tampering detector, to indicate that |
| 206 | * the confidentiality of stored data can no longer be guaranteed, |
| 207 | * or to indicate that the integrity of previously returned data is now |
| 208 | * considered compromised. Implementations shall not use this error code |
| 209 | * to indicate a hardware failure that merely makes it impossible to |
| 210 | * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE, |
| 211 | * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE, |
| 212 | * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code |
| 213 | * instead). |
| 214 | * |
| 215 | * This error indicates an attack against the application. Implementations |
| 216 | * shall not return this error code as a consequence of the behavior of |
| 217 | * the application itself. */ |
Gilles Peskine | 4b3eb69 | 2019-05-16 21:35:18 +0200 | [diff] [blame] | 218 | #define PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 219 | |
| 220 | /** There is not enough entropy to generate random data needed |
| 221 | * for the requested action. |
| 222 | * |
| 223 | * This error indicates a failure of a hardware random generator. |
| 224 | * Application writers should note that this error can be returned not |
| 225 | * only by functions whose purpose is to generate random data, such |
| 226 | * as key, IV or nonce generation, but also by functions that execute |
| 227 | * an algorithm with a randomized result, as well as functions that |
| 228 | * use randomization of intermediate computations as a countermeasure |
| 229 | * to certain attacks. |
| 230 | * |
| 231 | * Implementations should avoid returning this error after psa_crypto_init() |
| 232 | * has succeeded. Implementations should generate sufficient |
| 233 | * entropy during initialization and subsequently use a cryptographically |
| 234 | * secure pseudorandom generator (PRNG). However implementations may return |
| 235 | * this error at any time if a policy requires the PRNG to be reseeded |
| 236 | * during normal operation. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 237 | #define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 238 | |
| 239 | /** The signature, MAC or hash is incorrect. |
| 240 | * |
| 241 | * Verification functions return this error if the verification |
| 242 | * calculations completed successfully, and the value to be verified |
| 243 | * was determined to be incorrect. |
| 244 | * |
| 245 | * If the value to verify has an invalid size, implementations may return |
| 246 | * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 247 | #define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 248 | |
| 249 | /** The decrypted padding is incorrect. |
| 250 | * |
| 251 | * \warning In some protocols, when decrypting data, it is essential that |
| 252 | * the behavior of the application does not depend on whether the padding |
| 253 | * is correct, down to precise timing. Applications should prefer |
| 254 | * protocols that use authenticated encryption rather than plain |
| 255 | * encryption. If the application must perform a decryption of |
| 256 | * unauthenticated data, the application writer should take care not |
| 257 | * to reveal whether the padding is invalid. |
| 258 | * |
| 259 | * Implementations should strive to make valid and invalid padding |
| 260 | * as close as possible to indistinguishable to an external observer. |
| 261 | * In particular, the timing of a decryption operation should not |
| 262 | * depend on the validity of the padding. */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 263 | #define PSA_ERROR_INVALID_PADDING ((psa_status_t)-150) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 264 | |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 265 | /** Return this error when there's insufficient data when attempting |
| 266 | * to read from a resource. */ |
| 267 | #define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 268 | |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 269 | /** The key identifier is not valid. See also :ref:\`key-handles\`. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 270 | */ |
David Saada | b4ecc27 | 2019-02-14 13:48:10 +0200 | [diff] [blame] | 271 | #define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 272 | |
gabor-mezei-arm | 3d8b4f5 | 2020-11-09 16:36:46 +0100 | [diff] [blame] | 273 | /** Stored data has been corrupted. |
| 274 | * |
| 275 | * This error indicates that some persistent storage has suffered corruption. |
| 276 | * It does not indicate the following situations, which have specific error |
| 277 | * codes: |
| 278 | * |
| 279 | * - A corruption of volatile memory - use #PSA_ERROR_CORRUPTION_DETECTED. |
| 280 | * - A communication error between the cryptoprocessor and its external |
| 281 | * storage - use #PSA_ERROR_COMMUNICATION_FAILURE. |
| 282 | * - When the storage is in a valid state but is full - use |
| 283 | * #PSA_ERROR_INSUFFICIENT_STORAGE. |
| 284 | * - When the storage fails for other reasons - use |
| 285 | * #PSA_ERROR_STORAGE_FAILURE. |
| 286 | * - When the stored data is not valid - use #PSA_ERROR_DATA_INVALID. |
| 287 | * |
| 288 | * \note A storage corruption does not indicate that any data that was |
| 289 | * previously read is invalid. However this previously read data might no |
| 290 | * longer be readable from storage. |
| 291 | * |
| 292 | * When a storage failure occurs, it is no longer possible to ensure the |
| 293 | * global integrity of the keystore. |
| 294 | */ |
| 295 | #define PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152) |
| 296 | |
gabor-mezei-arm | fe30924 | 2020-11-09 17:39:56 +0100 | [diff] [blame] | 297 | /** Data read from storage is not valid for the implementation. |
| 298 | * |
| 299 | * This error indicates that some data read from storage does not have a valid |
| 300 | * format. It does not indicate the following situations, which have specific |
| 301 | * error codes: |
| 302 | * |
| 303 | * - When the storage or stored data is corrupted - use #PSA_ERROR_DATA_CORRUPT |
| 304 | * - When the storage fails for other reasons - use #PSA_ERROR_STORAGE_FAILURE |
| 305 | * - An invalid argument to the API - use #PSA_ERROR_INVALID_ARGUMENT |
| 306 | * |
| 307 | * This error is typically a result of either storage corruption on a |
| 308 | * cleartext storage backend, or an attempt to read data that was |
| 309 | * written by an incompatible version of the library. |
| 310 | */ |
| 311 | #define PSA_ERROR_DATA_INVALID ((psa_status_t)-153) |
| 312 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 313 | /**@}*/ |
| 314 | |
| 315 | /** \defgroup crypto_types Key and algorithm types |
| 316 | * @{ |
| 317 | */ |
| 318 | |
| 319 | /** An invalid key type value. |
| 320 | * |
| 321 | * Zero is not the encoding of any key type. |
| 322 | */ |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 323 | #define PSA_KEY_TYPE_NONE ((psa_key_type_t)0x0000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 324 | |
Andrew Thoelke | dd49cf9 | 2019-09-24 13:11:49 +0100 | [diff] [blame] | 325 | /** Vendor-defined key type flag. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 326 | * |
| 327 | * Key types defined by this standard will never have the |
| 328 | * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types |
| 329 | * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should |
| 330 | * respect the bitwise structure used by standard encodings whenever practical. |
| 331 | */ |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 332 | #define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x8000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 333 | |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 334 | #define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x7000) |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 335 | #define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t)0x1000) |
| 336 | #define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x2000) |
| 337 | #define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t)0x4000) |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 338 | #define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t)0x7000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 339 | |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 340 | #define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x3000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 341 | |
Andrew Thoelke | dd49cf9 | 2019-09-24 13:11:49 +0100 | [diff] [blame] | 342 | /** Whether a key type is vendor-defined. |
| 343 | * |
| 344 | * See also #PSA_KEY_TYPE_VENDOR_FLAG. |
| 345 | */ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 346 | #define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \ |
| 347 | (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0) |
| 348 | |
| 349 | /** Whether a key type is an unstructured array of bytes. |
| 350 | * |
| 351 | * This encompasses both symmetric keys and non-key data. |
| 352 | */ |
| 353 | #define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 354 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \ |
| 355 | ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 356 | |
| 357 | /** Whether a key type is asymmetric: either a key pair or a public key. */ |
| 358 | #define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \ |
| 359 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK \ |
| 360 | & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == \ |
| 361 | PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY) |
| 362 | /** Whether a key type is the public part of a key pair. */ |
| 363 | #define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \ |
| 364 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY) |
| 365 | /** Whether a key type is a key pair containing a private part and a public |
| 366 | * part. */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 367 | #define PSA_KEY_TYPE_IS_KEY_PAIR(type) \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 368 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR) |
| 369 | /** The key pair type corresponding to a public key type. |
| 370 | * |
| 371 | * You may also pass a key pair type as \p type, it will be left unchanged. |
| 372 | * |
| 373 | * \param type A public key type or key pair type. |
| 374 | * |
| 375 | * \return The corresponding key pair type. |
| 376 | * If \p type is not a public key or a key pair, |
| 377 | * the return value is undefined. |
| 378 | */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 379 | #define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type) \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 380 | ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) |
| 381 | /** The public key type corresponding to a key pair type. |
| 382 | * |
| 383 | * You may also pass a key pair type as \p type, it will be left unchanged. |
| 384 | * |
| 385 | * \param type A public key type or key pair type. |
| 386 | * |
| 387 | * \return The corresponding public key type. |
| 388 | * If \p type is not a public key or a key pair, |
| 389 | * the return value is undefined. |
| 390 | */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 391 | #define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 392 | ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) |
| 393 | |
| 394 | /** Raw data. |
| 395 | * |
| 396 | * A "key" of this type cannot be used for any cryptographic operation. |
| 397 | * Applications may use this type to store arbitrary data in the keystore. */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 398 | #define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x1001) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 399 | |
| 400 | /** HMAC key. |
| 401 | * |
| 402 | * The key policy determines which underlying hash algorithm the key can be |
| 403 | * used for. |
| 404 | * |
| 405 | * HMAC keys should generally have the same size as the underlying hash. |
gabor-mezei-arm | cbcec21 | 2020-12-18 14:23:51 +0100 | [diff] [blame] | 406 | * This size can be calculated with #PSA_HASH_LENGTH(\c alg) where |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 407 | * \c alg is the HMAC algorithm or the underlying hash algorithm. */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 408 | #define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x1100) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 409 | |
| 410 | /** A secret for key derivation. |
| 411 | * |
| 412 | * The key policy determines which key derivation algorithm the key |
| 413 | * can be used for. |
| 414 | */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 415 | #define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x1200) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 416 | |
Gilles Peskine | 737c6be | 2019-05-21 16:01:06 +0200 | [diff] [blame] | 417 | /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 418 | * |
| 419 | * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or |
| 420 | * 32 bytes (AES-256). |
| 421 | */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 422 | #define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 423 | |
| 424 | /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES). |
| 425 | * |
| 426 | * The size of the key can be 8 bytes (single DES), 16 bytes (2-key 3DES) or |
| 427 | * 24 bytes (3-key 3DES). |
| 428 | * |
| 429 | * Note that single DES and 2-key 3DES are weak and strongly |
| 430 | * deprecated and should only be used to decrypt legacy data. 3-key 3DES |
| 431 | * is weak and deprecated and should only be used in legacy protocols. |
| 432 | */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 433 | #define PSA_KEY_TYPE_DES ((psa_key_type_t)0x2301) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 434 | |
Gilles Peskine | 737c6be | 2019-05-21 16:01:06 +0200 | [diff] [blame] | 435 | /** Key for a cipher, AEAD or MAC algorithm based on the |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 436 | * Camellia block cipher. */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 437 | #define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x2403) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 438 | |
| 439 | /** Key for the RC4 stream cipher. |
| 440 | * |
| 441 | * Note that RC4 is weak and deprecated and should only be used in |
| 442 | * legacy protocols. */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 443 | #define PSA_KEY_TYPE_ARC4 ((psa_key_type_t)0x2002) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 444 | |
Gilles Peskine | 3e79c8e | 2019-05-06 15:20:04 +0200 | [diff] [blame] | 445 | /** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm. |
| 446 | * |
| 447 | * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539. |
| 448 | * |
| 449 | * Implementations must support 12-byte nonces, may support 8-byte nonces, |
| 450 | * and should reject other sizes. |
| 451 | */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 452 | #define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x2004) |
Gilles Peskine | 3e79c8e | 2019-05-06 15:20:04 +0200 | [diff] [blame] | 453 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 454 | /** RSA public key. */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 455 | #define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x4001) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 456 | /** RSA key pair (private and public key). */ |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 457 | #define PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t)0x7001) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 458 | /** Whether a key type is an RSA key (pair or public-only). */ |
| 459 | #define PSA_KEY_TYPE_IS_RSA(type) \ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 460 | (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 461 | |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 462 | #define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x4100) |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 463 | #define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t)0x7100) |
| 464 | #define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff) |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 465 | /** Elliptic curve key pair. |
| 466 | * |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 467 | * \param curve A value of type ::psa_ecc_family_t that |
| 468 | * identifies the ECC curve to be used. |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 469 | */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 470 | #define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \ |
| 471 | (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve)) |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 472 | /** Elliptic curve public key. |
| 473 | * |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 474 | * \param curve A value of type ::psa_ecc_family_t that |
| 475 | * identifies the ECC curve to be used. |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 476 | */ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 477 | #define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \ |
| 478 | (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve)) |
| 479 | |
| 480 | /** Whether a key type is an elliptic curve key (pair or public-only). */ |
| 481 | #define PSA_KEY_TYPE_IS_ECC(type) \ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 482 | ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 483 | ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE) |
Gilles Peskine | 5e9c9cc | 2018-12-12 14:02:48 +0100 | [diff] [blame] | 484 | /** Whether a key type is an elliptic curve key pair. */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 485 | #define PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type) \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 486 | (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 487 | PSA_KEY_TYPE_ECC_KEY_PAIR_BASE) |
Gilles Peskine | 5e9c9cc | 2018-12-12 14:02:48 +0100 | [diff] [blame] | 488 | /** Whether a key type is an elliptic curve public key. */ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 489 | #define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type) \ |
| 490 | (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \ |
| 491 | PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE) |
| 492 | |
| 493 | /** Extract the curve from an elliptic curve key type. */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 494 | #define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \ |
| 495 | ((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 496 | ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \ |
| 497 | 0)) |
| 498 | |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 499 | /** SEC Koblitz curves over prime fields. |
| 500 | * |
| 501 | * This family comprises the following curves: |
| 502 | * secp192k1, secp224k1, secp256k1. |
| 503 | * They are defined in _Standards for Efficient Cryptography_, |
| 504 | * _SEC 2: Recommended Elliptic Curve Domain Parameters_. |
| 505 | * https://www.secg.org/sec2-v2.pdf |
| 506 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 507 | #define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 508 | |
| 509 | /** SEC random curves over prime fields. |
| 510 | * |
| 511 | * This family comprises the following curves: |
| 512 | * secp192k1, secp224r1, secp256r1, secp384r1, secp521r1. |
| 513 | * They are defined in _Standards for Efficient Cryptography_, |
| 514 | * _SEC 2: Recommended Elliptic Curve Domain Parameters_. |
| 515 | * https://www.secg.org/sec2-v2.pdf |
| 516 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 517 | #define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 518 | /* SECP160R2 (SEC2 v1, obsolete) */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 519 | #define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 520 | |
| 521 | /** SEC Koblitz curves over binary fields. |
| 522 | * |
| 523 | * This family comprises the following curves: |
| 524 | * sect163k1, sect233k1, sect239k1, sect283k1, sect409k1, sect571k1. |
| 525 | * They are defined in _Standards for Efficient Cryptography_, |
| 526 | * _SEC 2: Recommended Elliptic Curve Domain Parameters_. |
| 527 | * https://www.secg.org/sec2-v2.pdf |
| 528 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 529 | #define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 530 | |
| 531 | /** SEC random curves over binary fields. |
| 532 | * |
| 533 | * This family comprises the following curves: |
| 534 | * sect163r1, sect233r1, sect283r1, sect409r1, sect571r1. |
| 535 | * They are defined in _Standards for Efficient Cryptography_, |
| 536 | * _SEC 2: Recommended Elliptic Curve Domain Parameters_. |
| 537 | * https://www.secg.org/sec2-v2.pdf |
| 538 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 539 | #define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 540 | |
| 541 | /** SEC additional random curves over binary fields. |
| 542 | * |
| 543 | * This family comprises the following curve: |
| 544 | * sect163r2. |
| 545 | * It is defined in _Standards for Efficient Cryptography_, |
| 546 | * _SEC 2: Recommended Elliptic Curve Domain Parameters_. |
| 547 | * https://www.secg.org/sec2-v2.pdf |
| 548 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 549 | #define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 550 | |
| 551 | /** Brainpool P random curves. |
| 552 | * |
| 553 | * This family comprises the following curves: |
| 554 | * brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1, |
| 555 | * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1. |
| 556 | * It is defined in RFC 5639. |
| 557 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 558 | #define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 559 | |
| 560 | /** Curve25519 and Curve448. |
| 561 | * |
| 562 | * This family comprises the following Montgomery curves: |
| 563 | * - 255-bit: Bernstein et al., |
| 564 | * _Curve25519: new Diffie-Hellman speed records_, LNCS 3958, 2006. |
| 565 | * The algorithm #PSA_ALG_ECDH performs X25519 when used with this curve. |
| 566 | * - 448-bit: Hamburg, |
| 567 | * _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015. |
| 568 | * The algorithm #PSA_ALG_ECDH performs X448 when used with this curve. |
| 569 | */ |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 570 | #define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 571 | |
Gilles Peskine | 7cfcb3f | 2019-12-04 18:58:44 +0100 | [diff] [blame] | 572 | #define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t)0x4200) |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 573 | #define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t)0x7200) |
| 574 | #define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t)0x00ff) |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 575 | /** Diffie-Hellman key pair. |
| 576 | * |
Paul Elliott | 75e2703 | 2020-06-03 15:17:39 +0100 | [diff] [blame] | 577 | * \param group A value of type ::psa_dh_family_t that identifies the |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 578 | * Diffie-Hellman group to be used. |
| 579 | */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 580 | #define PSA_KEY_TYPE_DH_KEY_PAIR(group) \ |
| 581 | (PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group)) |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 582 | /** Diffie-Hellman public key. |
| 583 | * |
Paul Elliott | 75e2703 | 2020-06-03 15:17:39 +0100 | [diff] [blame] | 584 | * \param group A value of type ::psa_dh_family_t that identifies the |
Andrew Thoelke | 214064e | 2019-09-25 22:16:21 +0100 | [diff] [blame] | 585 | * Diffie-Hellman group to be used. |
| 586 | */ |
Gilles Peskine | dcaefae | 2019-05-16 12:55:35 +0200 | [diff] [blame] | 587 | #define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \ |
| 588 | (PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE | (group)) |
| 589 | |
| 590 | /** Whether a key type is a Diffie-Hellman key (pair or public-only). */ |
| 591 | #define PSA_KEY_TYPE_IS_DH(type) \ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 592 | ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \ |
Gilles Peskine | dcaefae | 2019-05-16 12:55:35 +0200 | [diff] [blame] | 593 | ~PSA_KEY_TYPE_DH_GROUP_MASK) == PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE) |
| 594 | /** Whether a key type is a Diffie-Hellman key pair. */ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 595 | #define PSA_KEY_TYPE_IS_DH_KEY_PAIR(type) \ |
Gilles Peskine | dcaefae | 2019-05-16 12:55:35 +0200 | [diff] [blame] | 596 | (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \ |
Gilles Peskine | c93b80c | 2019-05-16 19:39:54 +0200 | [diff] [blame] | 597 | PSA_KEY_TYPE_DH_KEY_PAIR_BASE) |
Gilles Peskine | dcaefae | 2019-05-16 12:55:35 +0200 | [diff] [blame] | 598 | /** Whether a key type is a Diffie-Hellman public key. */ |
| 599 | #define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) \ |
| 600 | (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \ |
| 601 | PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE) |
| 602 | |
| 603 | /** Extract the group from a Diffie-Hellman key type. */ |
Paul Elliott | 75e2703 | 2020-06-03 15:17:39 +0100 | [diff] [blame] | 604 | #define PSA_KEY_TYPE_DH_GET_FAMILY(type) \ |
| 605 | ((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \ |
Gilles Peskine | dcaefae | 2019-05-16 12:55:35 +0200 | [diff] [blame] | 606 | ((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \ |
| 607 | 0)) |
| 608 | |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 609 | /** Diffie-Hellman groups defined in RFC 7919 Appendix A. |
| 610 | * |
| 611 | * This family includes groups with the following key sizes (in bits): |
| 612 | * 2048, 3072, 4096, 6144, 8192. A given implementation may support |
| 613 | * all of these sizes or only a subset. |
| 614 | */ |
Paul Elliott | 75e2703 | 2020-06-03 15:17:39 +0100 | [diff] [blame] | 615 | #define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03) |
Gilles Peskine | 228abc5 | 2019-12-03 17:24:19 +0100 | [diff] [blame] | 616 | |
Gilles Peskine | 2eea95c | 2019-12-02 17:44:12 +0100 | [diff] [blame] | 617 | #define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \ |
Gilles Peskine | f65ed6f | 2019-12-04 17:18:41 +0100 | [diff] [blame] | 618 | (((type) >> 8) & 7) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 619 | /** The block size of a block cipher. |
| 620 | * |
| 621 | * \param type A cipher key type (value of type #psa_key_type_t). |
| 622 | * |
| 623 | * \return The block size for a block cipher, or 1 for a stream cipher. |
| 624 | * The return value is undefined if \p type is not a supported |
| 625 | * cipher key type. |
| 626 | * |
| 627 | * \note It is possible to build stream cipher algorithms on top of a block |
| 628 | * cipher, for example CTR mode (#PSA_ALG_CTR). |
| 629 | * This macro only takes the key type into account, so it cannot be |
| 630 | * used to determine the size of the data that #psa_cipher_update() |
| 631 | * might buffer for future processing in general. |
| 632 | * |
| 633 | * \note This macro returns a compile-time constant if its argument is one. |
| 634 | * |
| 635 | * \warning This macro may evaluate its argument multiple times. |
| 636 | */ |
gabor-mezei-arm | cbcec21 | 2020-12-18 14:23:51 +0100 | [diff] [blame] | 637 | #define PSA_BLOCK_CIPHER_BLOCK_LENGTH(type) \ |
Gilles Peskine | 2eea95c | 2019-12-02 17:44:12 +0100 | [diff] [blame] | 638 | (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \ |
gabor-mezei-arm | cbcec21 | 2020-12-18 14:23:51 +0100 | [diff] [blame] | 639 | 1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \ |
Gilles Peskine | 2eea95c | 2019-12-02 17:44:12 +0100 | [diff] [blame] | 640 | 0u) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 641 | |
Andrew Thoelke | dd49cf9 | 2019-09-24 13:11:49 +0100 | [diff] [blame] | 642 | /** Vendor-defined algorithm flag. |
| 643 | * |
| 644 | * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG |
| 645 | * bit set. Vendors who define additional algorithms must use an encoding with |
| 646 | * the #PSA_ALG_VENDOR_FLAG bit set and should respect the bitwise structure |
| 647 | * used by standard encodings whenever practical. |
| 648 | */ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 649 | #define PSA_ALG_VENDOR_FLAG ((psa_algorithm_t)0x80000000) |
Andrew Thoelke | dd49cf9 | 2019-09-24 13:11:49 +0100 | [diff] [blame] | 650 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 651 | #define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t)0x7f000000) |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 652 | #define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x02000000) |
| 653 | #define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x03000000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 654 | #define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t)0x04000000) |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 655 | #define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x05000000) |
| 656 | #define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x06000000) |
| 657 | #define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000) |
| 658 | #define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000) |
| 659 | #define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 660 | |
Andrew Thoelke | dd49cf9 | 2019-09-24 13:11:49 +0100 | [diff] [blame] | 661 | /** Whether an algorithm is vendor-defined. |
| 662 | * |
| 663 | * See also #PSA_ALG_VENDOR_FLAG. |
| 664 | */ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 665 | #define PSA_ALG_IS_VENDOR_DEFINED(alg) \ |
| 666 | (((alg) & PSA_ALG_VENDOR_FLAG) != 0) |
| 667 | |
| 668 | /** Whether the specified algorithm is a hash algorithm. |
| 669 | * |
| 670 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 671 | * |
| 672 | * \return 1 if \p alg is a hash algorithm, 0 otherwise. |
| 673 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 674 | * algorithm identifier. |
| 675 | */ |
| 676 | #define PSA_ALG_IS_HASH(alg) \ |
| 677 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH) |
| 678 | |
| 679 | /** Whether the specified algorithm is a MAC algorithm. |
| 680 | * |
| 681 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 682 | * |
| 683 | * \return 1 if \p alg is a MAC algorithm, 0 otherwise. |
| 684 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 685 | * algorithm identifier. |
| 686 | */ |
| 687 | #define PSA_ALG_IS_MAC(alg) \ |
| 688 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC) |
| 689 | |
| 690 | /** Whether the specified algorithm is a symmetric cipher algorithm. |
| 691 | * |
| 692 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 693 | * |
| 694 | * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise. |
| 695 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 696 | * algorithm identifier. |
| 697 | */ |
| 698 | #define PSA_ALG_IS_CIPHER(alg) \ |
| 699 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER) |
| 700 | |
| 701 | /** Whether the specified algorithm is an authenticated encryption |
| 702 | * with associated data (AEAD) algorithm. |
| 703 | * |
| 704 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 705 | * |
| 706 | * \return 1 if \p alg is an AEAD algorithm, 0 otherwise. |
| 707 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 708 | * algorithm identifier. |
| 709 | */ |
| 710 | #define PSA_ALG_IS_AEAD(alg) \ |
| 711 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD) |
| 712 | |
Gilles Peskine | 4eb05a4 | 2020-05-26 17:07:16 +0200 | [diff] [blame] | 713 | /** Whether the specified algorithm is an asymmetric signature algorithm, |
Gilles Peskine | 6cc0a20 | 2020-05-05 16:05:26 +0200 | [diff] [blame] | 714 | * also known as public-key signature algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 715 | * |
| 716 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 717 | * |
Gilles Peskine | 6cc0a20 | 2020-05-05 16:05:26 +0200 | [diff] [blame] | 718 | * \return 1 if \p alg is an asymmetric signature algorithm, 0 otherwise. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 719 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 720 | * algorithm identifier. |
| 721 | */ |
| 722 | #define PSA_ALG_IS_SIGN(alg) \ |
| 723 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN) |
| 724 | |
Gilles Peskine | 6cc0a20 | 2020-05-05 16:05:26 +0200 | [diff] [blame] | 725 | /** Whether the specified algorithm is an asymmetric encryption algorithm, |
| 726 | * also known as public-key encryption algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 727 | * |
| 728 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 729 | * |
Gilles Peskine | 6cc0a20 | 2020-05-05 16:05:26 +0200 | [diff] [blame] | 730 | * \return 1 if \p alg is an asymmetric encryption algorithm, 0 otherwise. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 731 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 732 | * algorithm identifier. |
| 733 | */ |
| 734 | #define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg) \ |
| 735 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION) |
| 736 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 737 | /** Whether the specified algorithm is a key agreement algorithm. |
| 738 | * |
| 739 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 740 | * |
| 741 | * \return 1 if \p alg is a key agreement algorithm, 0 otherwise. |
| 742 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 743 | * algorithm identifier. |
| 744 | */ |
| 745 | #define PSA_ALG_IS_KEY_AGREEMENT(alg) \ |
Gilles Peskine | 47e79fb | 2019-02-08 11:24:59 +0100 | [diff] [blame] | 746 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_AGREEMENT) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 747 | |
| 748 | /** Whether the specified algorithm is a key derivation algorithm. |
| 749 | * |
| 750 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 751 | * |
| 752 | * \return 1 if \p alg is a key derivation algorithm, 0 otherwise. |
| 753 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 754 | * algorithm identifier. |
| 755 | */ |
| 756 | #define PSA_ALG_IS_KEY_DERIVATION(alg) \ |
| 757 | (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION) |
| 758 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 759 | #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff) |
Adrian L. Shaw | 21e7145 | 2019-09-20 16:01:11 +0100 | [diff] [blame] | 760 | /** MD2 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 761 | #define PSA_ALG_MD2 ((psa_algorithm_t)0x02000001) |
Adrian L. Shaw | 21e7145 | 2019-09-20 16:01:11 +0100 | [diff] [blame] | 762 | /** MD4 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 763 | #define PSA_ALG_MD4 ((psa_algorithm_t)0x02000002) |
Adrian L. Shaw | 21e7145 | 2019-09-20 16:01:11 +0100 | [diff] [blame] | 764 | /** MD5 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 765 | #define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003) |
Adrian L. Shaw | 21e7145 | 2019-09-20 16:01:11 +0100 | [diff] [blame] | 766 | /** PSA_ALG_RIPEMD160 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 767 | #define PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x02000004) |
Adrian L. Shaw | 21e7145 | 2019-09-20 16:01:11 +0100 | [diff] [blame] | 768 | /** SHA1 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 769 | #define PSA_ALG_SHA_1 ((psa_algorithm_t)0x02000005) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 770 | /** SHA2-224 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 771 | #define PSA_ALG_SHA_224 ((psa_algorithm_t)0x02000008) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 772 | /** SHA2-256 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 773 | #define PSA_ALG_SHA_256 ((psa_algorithm_t)0x02000009) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 774 | /** SHA2-384 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 775 | #define PSA_ALG_SHA_384 ((psa_algorithm_t)0x0200000a) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 776 | /** SHA2-512 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 777 | #define PSA_ALG_SHA_512 ((psa_algorithm_t)0x0200000b) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 778 | /** SHA2-512/224 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 779 | #define PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0200000c) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 780 | /** SHA2-512/256 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 781 | #define PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0200000d) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 782 | /** SHA3-224 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 783 | #define PSA_ALG_SHA3_224 ((psa_algorithm_t)0x02000010) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 784 | /** SHA3-256 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 785 | #define PSA_ALG_SHA3_256 ((psa_algorithm_t)0x02000011) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 786 | /** SHA3-384 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 787 | #define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 788 | /** SHA3-512 */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 789 | #define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 790 | |
Gilles Peskine | 763fb9a | 2019-01-28 13:29:01 +0100 | [diff] [blame] | 791 | /** In a hash-and-sign algorithm policy, allow any hash algorithm. |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 792 | * |
Gilles Peskine | 763fb9a | 2019-01-28 13:29:01 +0100 | [diff] [blame] | 793 | * This value may be used to form the algorithm usage field of a policy |
| 794 | * for a signature algorithm that is parametrized by a hash. The key |
| 795 | * may then be used to perform operations using the same signature |
| 796 | * algorithm parametrized with any supported hash. |
| 797 | * |
| 798 | * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros: |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 799 | * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 800 | * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA. |
Gilles Peskine | 763fb9a | 2019-01-28 13:29:01 +0100 | [diff] [blame] | 801 | * Then you may create and use a key as follows: |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 802 | * - Set the key usage field using #PSA_ALG_ANY_HASH, for example: |
| 803 | * ``` |
Gilles Peskine | 89d8c5c | 2019-11-26 17:01:59 +0100 | [diff] [blame] | 804 | * psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); // or VERIFY |
Gilles Peskine | 80b39ae | 2019-05-15 16:09:46 +0200 | [diff] [blame] | 805 | * psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH)); |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 806 | * ``` |
| 807 | * - Import or generate key material. |
Gilles Peskine | 89d8c5c | 2019-11-26 17:01:59 +0100 | [diff] [blame] | 808 | * - Call psa_sign_hash() or psa_verify_hash(), passing |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 809 | * an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each |
| 810 | * call to sign or verify a message may use a different hash. |
| 811 | * ``` |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 812 | * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...); |
| 813 | * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...); |
| 814 | * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...); |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 815 | * ``` |
| 816 | * |
| 817 | * This value may not be used to build other algorithms that are |
| 818 | * parametrized over a hash. For any valid use of this macro to build |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 819 | * an algorithm \c alg, #PSA_ALG_IS_HASH_AND_SIGN(\c alg) is true. |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 820 | * |
| 821 | * This value may not be used to build an algorithm specification to |
| 822 | * perform an operation. It is only valid to build policies. |
| 823 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 824 | #define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff) |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 825 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 826 | #define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t)0x00c00000) |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 827 | #define PSA_ALG_HMAC_BASE ((psa_algorithm_t)0x03800000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 828 | /** Macro to build an HMAC algorithm. |
| 829 | * |
| 830 | * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256. |
| 831 | * |
| 832 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 833 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
| 834 | * |
| 835 | * \return The corresponding HMAC algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 836 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 837 | * hash algorithm. |
| 838 | */ |
| 839 | #define PSA_ALG_HMAC(hash_alg) \ |
| 840 | (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 841 | |
| 842 | #define PSA_ALG_HMAC_GET_HASH(hmac_alg) \ |
| 843 | (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK)) |
| 844 | |
| 845 | /** Whether the specified algorithm is an HMAC algorithm. |
| 846 | * |
| 847 | * HMAC is a family of MAC algorithms that are based on a hash function. |
| 848 | * |
| 849 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 850 | * |
| 851 | * \return 1 if \p alg is an HMAC algorithm, 0 otherwise. |
| 852 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 853 | * algorithm identifier. |
| 854 | */ |
| 855 | #define PSA_ALG_IS_HMAC(alg) \ |
| 856 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \ |
| 857 | PSA_ALG_HMAC_BASE) |
| 858 | |
| 859 | /* In the encoding of a MAC algorithm, the bits corresponding to |
| 860 | * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is |
| 861 | * truncated. As an exception, the value 0 means the untruncated algorithm, |
| 862 | * whatever its length is. The length is encoded in 6 bits, so it can |
| 863 | * reach up to 63; the largest MAC is 64 bytes so its trivial truncation |
| 864 | * to full length is correctly encoded as 0 and any non-trivial truncation |
| 865 | * is correctly encoded as a value between 1 and 63. */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 866 | #define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t)0x003f0000) |
| 867 | #define PSA_MAC_TRUNCATION_OFFSET 16 |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 868 | |
| 869 | /** Macro to build a truncated MAC algorithm. |
| 870 | * |
| 871 | * A truncated MAC algorithm is identical to the corresponding MAC |
| 872 | * algorithm except that the MAC value for the truncated algorithm |
| 873 | * consists of only the first \p mac_length bytes of the MAC value |
| 874 | * for the untruncated algorithm. |
| 875 | * |
| 876 | * \note This macro may allow constructing algorithm identifiers that |
| 877 | * are not valid, either because the specified length is larger |
| 878 | * than the untruncated MAC or because the specified length is |
| 879 | * smaller than permitted by the implementation. |
| 880 | * |
| 881 | * \note It is implementation-defined whether a truncated MAC that |
| 882 | * is truncated to the same length as the MAC of the untruncated |
| 883 | * algorithm is considered identical to the untruncated algorithm |
| 884 | * for policy comparison purposes. |
| 885 | * |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 886 | * \param mac_alg A MAC algorithm identifier (value of type |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 887 | * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) |
| 888 | * is true). This may be a truncated or untruncated |
| 889 | * MAC algorithm. |
| 890 | * \param mac_length Desired length of the truncated MAC in bytes. |
| 891 | * This must be at most the full length of the MAC |
| 892 | * and must be at least an implementation-specified |
| 893 | * minimum. The implementation-specified minimum |
| 894 | * shall not be zero. |
| 895 | * |
| 896 | * \return The corresponding MAC algorithm with the specified |
| 897 | * length. |
| 898 | * \return Unspecified if \p alg is not a supported |
| 899 | * MAC algorithm or if \p mac_length is too small or |
| 900 | * too large for the specified MAC algorithm. |
| 901 | */ |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 902 | #define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \ |
| 903 | (((mac_alg) & ~PSA_ALG_MAC_TRUNCATION_MASK) | \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 904 | ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK)) |
| 905 | |
| 906 | /** Macro to build the base MAC algorithm corresponding to a truncated |
| 907 | * MAC algorithm. |
| 908 | * |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 909 | * \param mac_alg A MAC algorithm identifier (value of type |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 910 | * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) |
| 911 | * is true). This may be a truncated or untruncated |
| 912 | * MAC algorithm. |
| 913 | * |
| 914 | * \return The corresponding base MAC algorithm. |
| 915 | * \return Unspecified if \p alg is not a supported |
| 916 | * MAC algorithm. |
| 917 | */ |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 918 | #define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \ |
| 919 | ((mac_alg) & ~PSA_ALG_MAC_TRUNCATION_MASK) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 920 | |
| 921 | /** Length to which a MAC algorithm is truncated. |
| 922 | * |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 923 | * \param mac_alg A MAC algorithm identifier (value of type |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 924 | * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p alg) |
| 925 | * is true). |
| 926 | * |
| 927 | * \return Length of the truncated MAC in bytes. |
| 928 | * \return 0 if \p alg is a non-truncated MAC algorithm. |
| 929 | * \return Unspecified if \p alg is not a supported |
| 930 | * MAC algorithm. |
| 931 | */ |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 932 | #define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \ |
| 933 | (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 934 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 935 | #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000) |
Adrian L. Shaw | fd2aed4 | 2019-07-11 15:47:40 +0100 | [diff] [blame] | 936 | /** The CBC-MAC construction over a block cipher |
| 937 | * |
| 938 | * \warning CBC-MAC is insecure in many cases. |
| 939 | * A more secure mode, such as #PSA_ALG_CMAC, is recommended. |
| 940 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 941 | #define PSA_ALG_CBC_MAC ((psa_algorithm_t)0x03c00100) |
Adrian L. Shaw | fd2aed4 | 2019-07-11 15:47:40 +0100 | [diff] [blame] | 942 | /** The CMAC construction over a block cipher */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 943 | #define PSA_ALG_CMAC ((psa_algorithm_t)0x03c00200) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 944 | |
| 945 | /** Whether the specified algorithm is a MAC algorithm based on a block cipher. |
| 946 | * |
| 947 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 948 | * |
| 949 | * \return 1 if \p alg is a MAC algorithm based on a block cipher, 0 otherwise. |
| 950 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 951 | * algorithm identifier. |
| 952 | */ |
| 953 | #define PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) \ |
| 954 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \ |
| 955 | PSA_ALG_CIPHER_MAC_BASE) |
| 956 | |
| 957 | #define PSA_ALG_CIPHER_STREAM_FLAG ((psa_algorithm_t)0x00800000) |
| 958 | #define PSA_ALG_CIPHER_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000) |
| 959 | |
| 960 | /** Whether the specified algorithm is a stream cipher. |
| 961 | * |
| 962 | * A stream cipher is a symmetric cipher that encrypts or decrypts messages |
| 963 | * by applying a bitwise-xor with a stream of bytes that is generated |
| 964 | * from a key. |
| 965 | * |
| 966 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 967 | * |
| 968 | * \return 1 if \p alg is a stream cipher algorithm, 0 otherwise. |
| 969 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 970 | * algorithm identifier or if it is not a symmetric cipher algorithm. |
| 971 | */ |
| 972 | #define PSA_ALG_IS_STREAM_CIPHER(alg) \ |
| 973 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \ |
| 974 | (PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG)) |
| 975 | |
Bence Szépkúti | 1de907d | 2020-12-07 18:20:28 +0100 | [diff] [blame] | 976 | /** The stream cipher mode of a stream cipher algorithm. |
| 977 | * |
| 978 | * The underlying stream cipher is determined by the key type. |
Bence Szépkúti | 99ffb2b | 2020-12-08 00:08:31 +0100 | [diff] [blame] | 979 | * - To use ChaCha20, use a key type of #PSA_KEY_TYPE_CHACHA20. |
| 980 | * - To use ARC4, use a key type of #PSA_KEY_TYPE_ARC4. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 981 | */ |
Bence Szépkúti | 1de907d | 2020-12-07 18:20:28 +0100 | [diff] [blame] | 982 | #define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t)0x04800100) |
Gilles Peskine | 3e79c8e | 2019-05-06 15:20:04 +0200 | [diff] [blame] | 983 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 984 | /** The CTR stream cipher mode. |
| 985 | * |
| 986 | * CTR is a stream cipher which is built from a block cipher. |
| 987 | * The underlying block cipher is determined by the key type. |
| 988 | * For example, to use AES-128-CTR, use this algorithm with |
| 989 | * a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes). |
| 990 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 991 | #define PSA_ALG_CTR ((psa_algorithm_t)0x04c01000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 992 | |
Adrian L. Shaw | fd2aed4 | 2019-07-11 15:47:40 +0100 | [diff] [blame] | 993 | /** The CFB stream cipher mode. |
| 994 | * |
| 995 | * The underlying block cipher is determined by the key type. |
| 996 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 997 | #define PSA_ALG_CFB ((psa_algorithm_t)0x04c01100) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 998 | |
Adrian L. Shaw | fd2aed4 | 2019-07-11 15:47:40 +0100 | [diff] [blame] | 999 | /** The OFB stream cipher mode. |
| 1000 | * |
| 1001 | * The underlying block cipher is determined by the key type. |
| 1002 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1003 | #define PSA_ALG_OFB ((psa_algorithm_t)0x04c01200) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1004 | |
| 1005 | /** The XTS cipher mode. |
| 1006 | * |
| 1007 | * XTS is a cipher mode which is built from a block cipher. It requires at |
| 1008 | * least one full block of input, but beyond this minimum the input |
| 1009 | * does not need to be a whole number of blocks. |
| 1010 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1011 | #define PSA_ALG_XTS ((psa_algorithm_t)0x0440ff00) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1012 | |
Steven Cooreman | ed3c9ec | 2020-07-06 14:08:59 +0200 | [diff] [blame] | 1013 | /** The Electronic Code Book (ECB) mode of a block cipher, with no padding. |
| 1014 | * |
Steven Cooreman | a6033e9 | 2020-08-25 11:47:50 +0200 | [diff] [blame] | 1015 | * \warning ECB mode does not protect the confidentiality of the encrypted data |
| 1016 | * except in extremely narrow circumstances. It is recommended that applications |
| 1017 | * only use ECB if they need to construct an operating mode that the |
| 1018 | * implementation does not provide. Implementations are encouraged to provide |
| 1019 | * the modes that applications need in preference to supporting direct access |
| 1020 | * to ECB. |
| 1021 | * |
Steven Cooreman | ed3c9ec | 2020-07-06 14:08:59 +0200 | [diff] [blame] | 1022 | * The underlying block cipher is determined by the key type. |
| 1023 | * |
Steven Cooreman | a6033e9 | 2020-08-25 11:47:50 +0200 | [diff] [blame] | 1024 | * This symmetric cipher mode can only be used with messages whose lengths are a |
| 1025 | * multiple of the block size of the chosen block cipher. |
| 1026 | * |
| 1027 | * ECB mode does not accept an initialization vector (IV). When using a |
| 1028 | * multi-part cipher operation with this algorithm, psa_cipher_generate_iv() |
| 1029 | * and psa_cipher_set_iv() must not be called. |
Steven Cooreman | ed3c9ec | 2020-07-06 14:08:59 +0200 | [diff] [blame] | 1030 | */ |
| 1031 | #define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t)0x04404400) |
| 1032 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1033 | /** The CBC block cipher chaining mode, with no padding. |
| 1034 | * |
| 1035 | * The underlying block cipher is determined by the key type. |
| 1036 | * |
| 1037 | * This symmetric cipher mode can only be used with messages whose lengths |
| 1038 | * are whole number of blocks for the chosen block cipher. |
| 1039 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1040 | #define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04404000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1041 | |
| 1042 | /** The CBC block cipher chaining mode with PKCS#7 padding. |
| 1043 | * |
| 1044 | * The underlying block cipher is determined by the key type. |
| 1045 | * |
| 1046 | * This is the padding method defined by PKCS#7 (RFC 2315) §10.3. |
| 1047 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1048 | #define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04404100) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1049 | |
Gilles Peskine | 679693e | 2019-05-06 15:10:16 +0200 | [diff] [blame] | 1050 | #define PSA_ALG_AEAD_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000) |
| 1051 | |
| 1052 | /** Whether the specified algorithm is an AEAD mode on a block cipher. |
| 1053 | * |
| 1054 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1055 | * |
| 1056 | * \return 1 if \p alg is an AEAD algorithm which is an AEAD mode based on |
| 1057 | * a block cipher, 0 otherwise. |
| 1058 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 1059 | * algorithm identifier. |
| 1060 | */ |
| 1061 | #define PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) \ |
| 1062 | (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_AEAD_FROM_BLOCK_FLAG)) == \ |
| 1063 | (PSA_ALG_CATEGORY_AEAD | PSA_ALG_AEAD_FROM_BLOCK_FLAG)) |
| 1064 | |
Gilles Peskine | 9153ec0 | 2019-02-15 13:02:02 +0100 | [diff] [blame] | 1065 | /** The CCM authenticated encryption algorithm. |
Adrian L. Shaw | fd2aed4 | 2019-07-11 15:47:40 +0100 | [diff] [blame] | 1066 | * |
| 1067 | * The underlying block cipher is determined by the key type. |
Gilles Peskine | 9153ec0 | 2019-02-15 13:02:02 +0100 | [diff] [blame] | 1068 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1069 | #define PSA_ALG_CCM ((psa_algorithm_t)0x05500100) |
Gilles Peskine | 9153ec0 | 2019-02-15 13:02:02 +0100 | [diff] [blame] | 1070 | |
| 1071 | /** The GCM authenticated encryption algorithm. |
Adrian L. Shaw | fd2aed4 | 2019-07-11 15:47:40 +0100 | [diff] [blame] | 1072 | * |
| 1073 | * The underlying block cipher is determined by the key type. |
Gilles Peskine | 9153ec0 | 2019-02-15 13:02:02 +0100 | [diff] [blame] | 1074 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1075 | #define PSA_ALG_GCM ((psa_algorithm_t)0x05500200) |
Gilles Peskine | 679693e | 2019-05-06 15:10:16 +0200 | [diff] [blame] | 1076 | |
| 1077 | /** The Chacha20-Poly1305 AEAD algorithm. |
| 1078 | * |
| 1079 | * The ChaCha20_Poly1305 construction is defined in RFC 7539. |
Gilles Peskine | 3e79c8e | 2019-05-06 15:20:04 +0200 | [diff] [blame] | 1080 | * |
| 1081 | * Implementations must support 12-byte nonces, may support 8-byte nonces, |
| 1082 | * and should reject other sizes. |
| 1083 | * |
| 1084 | * Implementations must support 16-byte tags and should reject other sizes. |
Gilles Peskine | 679693e | 2019-05-06 15:10:16 +0200 | [diff] [blame] | 1085 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1086 | #define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1087 | |
| 1088 | /* In the encoding of a AEAD algorithm, the bits corresponding to |
| 1089 | * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag. |
| 1090 | * The constants for default lengths follow this encoding. |
| 1091 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1092 | #define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t)0x003f0000) |
| 1093 | #define PSA_AEAD_TAG_LENGTH_OFFSET 16 |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1094 | |
| 1095 | /** Macro to build a shortened AEAD algorithm. |
| 1096 | * |
| 1097 | * A shortened AEAD algorithm is similar to the corresponding AEAD |
| 1098 | * algorithm, but has an authentication tag that consists of fewer bytes. |
| 1099 | * Depending on the algorithm, the tag length may affect the calculation |
| 1100 | * of the ciphertext. |
| 1101 | * |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 1102 | * \param aead_alg An AEAD algorithm identifier (value of type |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1103 | * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p alg) |
| 1104 | * is true). |
| 1105 | * \param tag_length Desired length of the authentication tag in bytes. |
| 1106 | * |
| 1107 | * \return The corresponding AEAD algorithm with the specified |
| 1108 | * length. |
| 1109 | * \return Unspecified if \p alg is not a supported |
| 1110 | * AEAD algorithm or if \p tag_length is not valid |
| 1111 | * for the specified AEAD algorithm. |
| 1112 | */ |
Bence Szépkúti | a63b20d | 2020-12-16 11:36:46 +0100 | [diff] [blame^] | 1113 | #define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \ |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 1114 | (((aead_alg) & ~PSA_ALG_AEAD_TAG_LENGTH_MASK) | \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1115 | ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \ |
| 1116 | PSA_ALG_AEAD_TAG_LENGTH_MASK)) |
| 1117 | |
| 1118 | /** Calculate the corresponding AEAD algorithm with the default tag length. |
| 1119 | * |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 1120 | * \param aead_alg An AEAD algorithm (\c PSA_ALG_XXX value such that |
| 1121 | * #PSA_ALG_IS_AEAD(\p alg) is true). |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1122 | * |
Gilles Peskine | 434899f | 2018-10-19 11:30:26 +0200 | [diff] [blame] | 1123 | * \return The corresponding AEAD algorithm with the default |
| 1124 | * tag length for that algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1125 | */ |
Bence Szépkúti | a63b20d | 2020-12-16 11:36:46 +0100 | [diff] [blame^] | 1126 | #define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(aead_alg) \ |
Unknown | e2e1995 | 2019-08-21 03:33:04 -0400 | [diff] [blame] | 1127 | ( \ |
Bence Szépkúti | a63b20d | 2020-12-16 11:36:46 +0100 | [diff] [blame^] | 1128 | PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CCM) \ |
| 1129 | PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_GCM) \ |
| 1130 | PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1131 | 0) |
Bence Szépkúti | a63b20d | 2020-12-16 11:36:46 +0100 | [diff] [blame^] | 1132 | #define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, ref) \ |
| 1133 | PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, 0) == \ |
| 1134 | PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1135 | ref : |
| 1136 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1137 | #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1138 | /** RSA PKCS#1 v1.5 signature with hashing. |
| 1139 | * |
| 1140 | * This is the signature scheme defined by RFC 8017 |
| 1141 | * (PKCS#1: RSA Cryptography Specifications) under the name |
| 1142 | * RSASSA-PKCS1-v1_5. |
| 1143 | * |
| 1144 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1145 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 1146 | * This includes #PSA_ALG_ANY_HASH |
| 1147 | * when specifying the algorithm in a usage policy. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1148 | * |
| 1149 | * \return The corresponding RSA PKCS#1 v1.5 signature algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1150 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1151 | * hash algorithm. |
| 1152 | */ |
| 1153 | #define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) \ |
| 1154 | (PSA_ALG_RSA_PKCS1V15_SIGN_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1155 | /** Raw PKCS#1 v1.5 signature. |
| 1156 | * |
| 1157 | * The input to this algorithm is the DigestInfo structure used by |
| 1158 | * RFC 8017 (PKCS#1: RSA Cryptography Specifications), §9.2 |
| 1159 | * steps 3–6. |
| 1160 | */ |
| 1161 | #define PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PKCS1V15_SIGN_BASE |
| 1162 | #define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) \ |
| 1163 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE) |
| 1164 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1165 | #define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1166 | /** RSA PSS signature with hashing. |
| 1167 | * |
| 1168 | * This is the signature scheme defined by RFC 8017 |
| 1169 | * (PKCS#1: RSA Cryptography Specifications) under the name |
| 1170 | * RSASSA-PSS, with the message generation function MGF1, and with |
| 1171 | * a salt length equal to the length of the hash. The specified |
| 1172 | * hash algorithm is used to hash the input message, to create the |
| 1173 | * salted hash, and for the mask generation. |
| 1174 | * |
| 1175 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1176 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 1177 | * This includes #PSA_ALG_ANY_HASH |
| 1178 | * when specifying the algorithm in a usage policy. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1179 | * |
| 1180 | * \return The corresponding RSA PSS signature algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1181 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1182 | * hash algorithm. |
| 1183 | */ |
| 1184 | #define PSA_ALG_RSA_PSS(hash_alg) \ |
| 1185 | (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1186 | #define PSA_ALG_IS_RSA_PSS(alg) \ |
| 1187 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE) |
| 1188 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1189 | #define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1190 | /** ECDSA signature with hashing. |
| 1191 | * |
| 1192 | * This is the ECDSA signature scheme defined by ANSI X9.62, |
| 1193 | * with a random per-message secret number (*k*). |
| 1194 | * |
| 1195 | * The representation of the signature as a byte string consists of |
| 1196 | * the concatentation of the signature values *r* and *s*. Each of |
| 1197 | * *r* and *s* is encoded as an *N*-octet string, where *N* is the length |
| 1198 | * of the base point of the curve in octets. Each value is represented |
| 1199 | * in big-endian order (most significant octet first). |
| 1200 | * |
| 1201 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1202 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 1203 | * This includes #PSA_ALG_ANY_HASH |
| 1204 | * when specifying the algorithm in a usage policy. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1205 | * |
| 1206 | * \return The corresponding ECDSA signature algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1207 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1208 | * hash algorithm. |
| 1209 | */ |
| 1210 | #define PSA_ALG_ECDSA(hash_alg) \ |
| 1211 | (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1212 | /** ECDSA signature without hashing. |
| 1213 | * |
| 1214 | * This is the same signature scheme as #PSA_ALG_ECDSA(), but |
| 1215 | * without specifying a hash algorithm. This algorithm may only be |
| 1216 | * used to sign or verify a sequence of bytes that should be an |
| 1217 | * already-calculated hash. Note that the input is padded with |
| 1218 | * zeros on the left or truncated on the left as required to fit |
| 1219 | * the curve size. |
| 1220 | */ |
| 1221 | #define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1222 | #define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t)0x06000700) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1223 | /** Deterministic ECDSA signature with hashing. |
| 1224 | * |
| 1225 | * This is the deterministic ECDSA signature scheme defined by RFC 6979. |
| 1226 | * |
| 1227 | * The representation of a signature is the same as with #PSA_ALG_ECDSA(). |
| 1228 | * |
| 1229 | * Note that when this algorithm is used for verification, signatures |
| 1230 | * made with randomized ECDSA (#PSA_ALG_ECDSA(\p hash_alg)) with the |
| 1231 | * same private key are accepted. In other words, |
| 1232 | * #PSA_ALG_DETERMINISTIC_ECDSA(\p hash_alg) differs from |
| 1233 | * #PSA_ALG_ECDSA(\p hash_alg) only for signature, not for verification. |
| 1234 | * |
| 1235 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1236 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 1237 | * This includes #PSA_ALG_ANY_HASH |
| 1238 | * when specifying the algorithm in a usage policy. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1239 | * |
| 1240 | * \return The corresponding deterministic ECDSA signature |
| 1241 | * algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1242 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1243 | * hash algorithm. |
| 1244 | */ |
| 1245 | #define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) \ |
| 1246 | (PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1247 | #define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t)0x00000100) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1248 | #define PSA_ALG_IS_ECDSA(alg) \ |
Gilles Peskine | 972630e | 2019-11-29 11:55:48 +0100 | [diff] [blame] | 1249 | (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_ECDSA_DETERMINISTIC_FLAG) == \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1250 | PSA_ALG_ECDSA_BASE) |
| 1251 | #define PSA_ALG_ECDSA_IS_DETERMINISTIC(alg) \ |
Gilles Peskine | 972630e | 2019-11-29 11:55:48 +0100 | [diff] [blame] | 1252 | (((alg) & PSA_ALG_ECDSA_DETERMINISTIC_FLAG) != 0) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1253 | #define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) \ |
| 1254 | (PSA_ALG_IS_ECDSA(alg) && PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) |
| 1255 | #define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) \ |
| 1256 | (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) |
| 1257 | |
Gilles Peskine | d35b489 | 2019-01-14 16:02:15 +0100 | [diff] [blame] | 1258 | /** Whether the specified algorithm is a hash-and-sign algorithm. |
| 1259 | * |
Gilles Peskine | 6cc0a20 | 2020-05-05 16:05:26 +0200 | [diff] [blame] | 1260 | * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms |
| 1261 | * structured in two parts: first the calculation of a hash in a way that |
| 1262 | * does not depend on the key, then the calculation of a signature from the |
Gilles Peskine | d35b489 | 2019-01-14 16:02:15 +0100 | [diff] [blame] | 1263 | * hash value and the key. |
| 1264 | * |
| 1265 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1266 | * |
| 1267 | * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise. |
| 1268 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 1269 | * algorithm identifier. |
| 1270 | */ |
| 1271 | #define PSA_ALG_IS_HASH_AND_SIGN(alg) \ |
| 1272 | (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \ |
Gilles Peskine | e38ab1a | 2019-05-16 13:51:50 +0200 | [diff] [blame] | 1273 | PSA_ALG_IS_ECDSA(alg)) |
Gilles Peskine | d35b489 | 2019-01-14 16:02:15 +0100 | [diff] [blame] | 1274 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1275 | /** Get the hash used by a hash-and-sign signature algorithm. |
| 1276 | * |
| 1277 | * A hash-and-sign algorithm is a signature algorithm which is |
| 1278 | * composed of two phases: first a hashing phase which does not use |
| 1279 | * the key and produces a hash of the input message, then a signing |
| 1280 | * phase which only uses the hash and the key and not the message |
| 1281 | * itself. |
| 1282 | * |
| 1283 | * \param alg A signature algorithm (\c PSA_ALG_XXX value such that |
| 1284 | * #PSA_ALG_IS_SIGN(\p alg) is true). |
| 1285 | * |
| 1286 | * \return The underlying hash algorithm if \p alg is a hash-and-sign |
| 1287 | * algorithm. |
| 1288 | * \return 0 if \p alg is a signature algorithm that does not |
| 1289 | * follow the hash-and-sign structure. |
| 1290 | * \return Unspecified if \p alg is not a signature algorithm or |
| 1291 | * if it is not supported by the implementation. |
| 1292 | */ |
| 1293 | #define PSA_ALG_SIGN_GET_HASH(alg) \ |
Gilles Peskine | d35b489 | 2019-01-14 16:02:15 +0100 | [diff] [blame] | 1294 | (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1295 | ((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 : \ |
| 1296 | ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \ |
| 1297 | 0) |
| 1298 | |
| 1299 | /** RSA PKCS#1 v1.5 encryption. |
| 1300 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1301 | #define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x07000200) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1302 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1303 | #define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t)0x07000300) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1304 | /** RSA OAEP encryption. |
| 1305 | * |
| 1306 | * This is the encryption scheme defined by RFC 8017 |
| 1307 | * (PKCS#1: RSA Cryptography Specifications) under the name |
| 1308 | * RSAES-OAEP, with the message generation function MGF1. |
| 1309 | * |
| 1310 | * \param hash_alg The hash algorithm (\c PSA_ALG_XXX value such that |
| 1311 | * #PSA_ALG_IS_HASH(\p hash_alg) is true) to use |
| 1312 | * for MGF1. |
| 1313 | * |
Gilles Peskine | 9ff8d1f | 2020-05-05 16:00:17 +0200 | [diff] [blame] | 1314 | * \return The corresponding RSA OAEP encryption algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1315 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1316 | * hash algorithm. |
| 1317 | */ |
| 1318 | #define PSA_ALG_RSA_OAEP(hash_alg) \ |
| 1319 | (PSA_ALG_RSA_OAEP_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1320 | #define PSA_ALG_IS_RSA_OAEP(alg) \ |
| 1321 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_OAEP_BASE) |
| 1322 | #define PSA_ALG_RSA_OAEP_GET_HASH(alg) \ |
| 1323 | (PSA_ALG_IS_RSA_OAEP(alg) ? \ |
| 1324 | ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \ |
| 1325 | 0) |
| 1326 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1327 | #define PSA_ALG_HKDF_BASE ((psa_algorithm_t)0x08000100) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1328 | /** Macro to build an HKDF algorithm. |
| 1329 | * |
| 1330 | * For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256. |
| 1331 | * |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1332 | * This key derivation algorithm uses the following inputs: |
Gilles Peskine | 03410b5 | 2019-05-16 16:05:19 +0200 | [diff] [blame] | 1333 | * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the "extract" step. |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1334 | * It is optional; if omitted, the derivation uses an empty salt. |
Gilles Peskine | 03410b5 | 2019-05-16 16:05:19 +0200 | [diff] [blame] | 1335 | * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the "extract" step. |
| 1336 | * - #PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the "expand" step. |
| 1337 | * You must pass #PSA_KEY_DERIVATION_INPUT_SALT before #PSA_KEY_DERIVATION_INPUT_SECRET. |
| 1338 | * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1339 | * starting to generate output. |
| 1340 | * |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1341 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1342 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
| 1343 | * |
| 1344 | * \return The corresponding HKDF algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1345 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1346 | * hash algorithm. |
| 1347 | */ |
| 1348 | #define PSA_ALG_HKDF(hash_alg) \ |
| 1349 | (PSA_ALG_HKDF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1350 | /** Whether the specified algorithm is an HKDF algorithm. |
| 1351 | * |
| 1352 | * HKDF is a family of key derivation algorithms that are based on a hash |
| 1353 | * function and the HMAC construction. |
| 1354 | * |
| 1355 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1356 | * |
| 1357 | * \return 1 if \c alg is an HKDF algorithm, 0 otherwise. |
| 1358 | * This macro may return either 0 or 1 if \c alg is not a supported |
| 1359 | * key derivation algorithm identifier. |
| 1360 | */ |
| 1361 | #define PSA_ALG_IS_HKDF(alg) \ |
| 1362 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE) |
| 1363 | #define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \ |
| 1364 | (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) |
| 1365 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1366 | #define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t)0x08000200) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1367 | /** Macro to build a TLS-1.2 PRF algorithm. |
| 1368 | * |
| 1369 | * TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule, |
| 1370 | * specified in Section 5 of RFC 5246. It is based on HMAC and can be |
| 1371 | * used with either SHA-256 or SHA-384. |
| 1372 | * |
Gilles Peskine | ed87d31 | 2019-05-29 17:32:39 +0200 | [diff] [blame] | 1373 | * This key derivation algorithm uses the following inputs, which must be |
| 1374 | * passed in the order given here: |
| 1375 | * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1376 | * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key. |
| 1377 | * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label. |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1378 | * |
| 1379 | * For the application to TLS-1.2 key expansion, the seed is the |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1380 | * concatenation of ServerHello.Random + ClientHello.Random, |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1381 | * and the label is "key expansion". |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1382 | * |
| 1383 | * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the |
| 1384 | * TLS 1.2 PRF using HMAC-SHA-256. |
| 1385 | * |
| 1386 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1387 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
| 1388 | * |
| 1389 | * \return The corresponding TLS-1.2 PRF algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1390 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1391 | * hash algorithm. |
| 1392 | */ |
| 1393 | #define PSA_ALG_TLS12_PRF(hash_alg) \ |
| 1394 | (PSA_ALG_TLS12_PRF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1395 | |
| 1396 | /** Whether the specified algorithm is a TLS-1.2 PRF algorithm. |
| 1397 | * |
| 1398 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1399 | * |
| 1400 | * \return 1 if \c alg is a TLS-1.2 PRF algorithm, 0 otherwise. |
| 1401 | * This macro may return either 0 or 1 if \c alg is not a supported |
| 1402 | * key derivation algorithm identifier. |
| 1403 | */ |
| 1404 | #define PSA_ALG_IS_TLS12_PRF(alg) \ |
| 1405 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PRF_BASE) |
| 1406 | #define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg) \ |
| 1407 | (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) |
| 1408 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1409 | #define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t)0x08000300) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1410 | /** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm. |
| 1411 | * |
| 1412 | * In a pure-PSK handshake in TLS 1.2, the master secret is derived |
| 1413 | * from the PreSharedKey (PSK) through the application of padding |
| 1414 | * (RFC 4279, Section 2) and the TLS-1.2 PRF (RFC 5246, Section 5). |
| 1415 | * The latter is based on HMAC and can be used with either SHA-256 |
| 1416 | * or SHA-384. |
| 1417 | * |
Gilles Peskine | ed87d31 | 2019-05-29 17:32:39 +0200 | [diff] [blame] | 1418 | * This key derivation algorithm uses the following inputs, which must be |
| 1419 | * passed in the order given here: |
| 1420 | * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed. |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1421 | * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key. |
| 1422 | * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label. |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1423 | * |
| 1424 | * For the application to TLS-1.2, the seed (which is |
| 1425 | * forwarded to the TLS-1.2 PRF) is the concatenation of the |
| 1426 | * ClientHello.Random + ServerHello.Random, |
| 1427 | * and the label is "master secret" or "extended master secret". |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1428 | * |
| 1429 | * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the |
| 1430 | * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256. |
| 1431 | * |
| 1432 | * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that |
| 1433 | * #PSA_ALG_IS_HASH(\p hash_alg) is true). |
| 1434 | * |
| 1435 | * \return The corresponding TLS-1.2 PSK to MS algorithm. |
Gilles Peskine | 3be6b7f | 2019-03-05 19:32:26 +0100 | [diff] [blame] | 1436 | * \return Unspecified if \p hash_alg is not a supported |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1437 | * hash algorithm. |
| 1438 | */ |
| 1439 | #define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) \ |
| 1440 | (PSA_ALG_TLS12_PSK_TO_MS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK)) |
| 1441 | |
| 1442 | /** Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm. |
| 1443 | * |
| 1444 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1445 | * |
| 1446 | * \return 1 if \c alg is a TLS-1.2 PSK to MS algorithm, 0 otherwise. |
| 1447 | * This macro may return either 0 or 1 if \c alg is not a supported |
| 1448 | * key derivation algorithm identifier. |
| 1449 | */ |
| 1450 | #define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) \ |
| 1451 | (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PSK_TO_MS_BASE) |
| 1452 | #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \ |
| 1453 | (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK)) |
| 1454 | |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1455 | #define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff) |
| 1456 | #define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1457 | |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1458 | /** Macro to build a combined algorithm that chains a key agreement with |
| 1459 | * a key derivation. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1460 | * |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1461 | * \param ka_alg A key agreement algorithm (\c PSA_ALG_XXX value such |
| 1462 | * that #PSA_ALG_IS_KEY_AGREEMENT(\p ka_alg) is true). |
| 1463 | * \param kdf_alg A key derivation algorithm (\c PSA_ALG_XXX value such |
| 1464 | * that #PSA_ALG_IS_KEY_DERIVATION(\p kdf_alg) is true). |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1465 | * |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1466 | * \return The corresponding key agreement and derivation |
| 1467 | * algorithm. |
| 1468 | * \return Unspecified if \p ka_alg is not a supported |
| 1469 | * key agreement algorithm or \p kdf_alg is not a |
| 1470 | * supported key derivation algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1471 | */ |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1472 | #define PSA_ALG_KEY_AGREEMENT(ka_alg, kdf_alg) \ |
| 1473 | ((ka_alg) | (kdf_alg)) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1474 | |
| 1475 | #define PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) \ |
| 1476 | (((alg) & PSA_ALG_KEY_DERIVATION_MASK) | PSA_ALG_CATEGORY_KEY_DERIVATION) |
| 1477 | |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1478 | #define PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) \ |
| 1479 | (((alg) & PSA_ALG_KEY_AGREEMENT_MASK) | PSA_ALG_CATEGORY_KEY_AGREEMENT) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1480 | |
Gilles Peskine | 47e79fb | 2019-02-08 11:24:59 +0100 | [diff] [blame] | 1481 | /** Whether the specified algorithm is a raw key agreement algorithm. |
| 1482 | * |
| 1483 | * A raw key agreement algorithm is one that does not specify |
| 1484 | * a key derivation function. |
| 1485 | * Usually, raw key agreement algorithms are constructed directly with |
| 1486 | * a \c PSA_ALG_xxx macro while non-raw key agreement algorithms are |
Ronald Cron | 9678355 | 2020-10-19 12:06:30 +0200 | [diff] [blame] | 1487 | * constructed with #PSA_ALG_KEY_AGREEMENT(). |
Gilles Peskine | 47e79fb | 2019-02-08 11:24:59 +0100 | [diff] [blame] | 1488 | * |
| 1489 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1490 | * |
| 1491 | * \return 1 if \p alg is a raw key agreement algorithm, 0 otherwise. |
| 1492 | * This macro may return either 0 or 1 if \p alg is not a supported |
| 1493 | * algorithm identifier. |
| 1494 | */ |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1495 | #define PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) \ |
Gilles Peskine | 47e79fb | 2019-02-08 11:24:59 +0100 | [diff] [blame] | 1496 | (PSA_ALG_IS_KEY_AGREEMENT(alg) && \ |
| 1497 | PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) == PSA_ALG_CATEGORY_KEY_DERIVATION) |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1498 | |
| 1499 | #define PSA_ALG_IS_KEY_DERIVATION_OR_AGREEMENT(alg) \ |
| 1500 | ((PSA_ALG_IS_KEY_DERIVATION(alg) || PSA_ALG_IS_KEY_AGREEMENT(alg))) |
| 1501 | |
| 1502 | /** The finite-field Diffie-Hellman (DH) key agreement algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1503 | * |
Gilles Peskine | 2e37c0d | 2019-03-05 19:32:02 +0100 | [diff] [blame] | 1504 | * The shared secret produced by key agreement is |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1505 | * `g^{ab}` in big-endian format. |
| 1506 | * It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p` |
| 1507 | * in bits. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1508 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1509 | #define PSA_ALG_FFDH ((psa_algorithm_t)0x09010000) |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1510 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1511 | /** Whether the specified algorithm is a finite field Diffie-Hellman algorithm. |
| 1512 | * |
Gilles Peskine | 2e37c0d | 2019-03-05 19:32:02 +0100 | [diff] [blame] | 1513 | * This includes the raw finite field Diffie-Hellman algorithm as well as |
| 1514 | * finite-field Diffie-Hellman followed by any supporter key derivation |
| 1515 | * algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1516 | * |
| 1517 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1518 | * |
| 1519 | * \return 1 if \c alg is a finite field Diffie-Hellman algorithm, 0 otherwise. |
| 1520 | * This macro may return either 0 or 1 if \c alg is not a supported |
| 1521 | * key agreement algorithm identifier. |
| 1522 | */ |
| 1523 | #define PSA_ALG_IS_FFDH(alg) \ |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1524 | (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_FFDH) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1525 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1526 | /** The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm. |
| 1527 | * |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1528 | * The shared secret produced by key agreement is the x-coordinate of |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1529 | * the shared secret point. It is always `ceiling(m / 8)` bytes long where |
| 1530 | * `m` is the bit size associated with the curve, i.e. the bit size of the |
| 1531 | * order of the curve's coordinate field. When `m` is not a multiple of 8, |
| 1532 | * the byte containing the most significant bit of the shared secret |
| 1533 | * is padded with zero bits. The byte order is either little-endian |
| 1534 | * or big-endian depending on the curve type. |
| 1535 | * |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 1536 | * - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`), |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1537 | * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A` |
| 1538 | * in little-endian byte order. |
| 1539 | * The bit size is 448 for Curve448 and 255 for Curve25519. |
| 1540 | * - For Weierstrass curves over prime fields (curve types |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 1541 | * `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`), |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1542 | * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A` |
| 1543 | * in big-endian byte order. |
| 1544 | * The bit size is `m = ceiling(log_2(p))` for the field `F_p`. |
| 1545 | * - For Weierstrass curves over binary fields (curve types |
Paul Elliott | 8ff510a | 2020-06-02 17:19:28 +0100 | [diff] [blame] | 1546 | * `PSA_ECC_FAMILY_SECTXXX`), |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1547 | * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A` |
| 1548 | * in big-endian byte order. |
| 1549 | * The bit size is `m` for the field `F_{2^m}`. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1550 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1551 | #define PSA_ALG_ECDH ((psa_algorithm_t)0x09020000) |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1552 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1553 | /** Whether the specified algorithm is an elliptic curve Diffie-Hellman |
| 1554 | * algorithm. |
| 1555 | * |
Gilles Peskine | 2e37c0d | 2019-03-05 19:32:02 +0100 | [diff] [blame] | 1556 | * This includes the raw elliptic curve Diffie-Hellman algorithm as well as |
| 1557 | * elliptic curve Diffie-Hellman followed by any supporter key derivation |
| 1558 | * algorithm. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1559 | * |
| 1560 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1561 | * |
| 1562 | * \return 1 if \c alg is an elliptic curve Diffie-Hellman algorithm, |
| 1563 | * 0 otherwise. |
| 1564 | * This macro may return either 0 or 1 if \c alg is not a supported |
| 1565 | * key agreement algorithm identifier. |
| 1566 | */ |
| 1567 | #define PSA_ALG_IS_ECDH(alg) \ |
Gilles Peskine | 6843c29 | 2019-01-18 16:44:49 +0100 | [diff] [blame] | 1568 | (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1569 | |
Gilles Peskine | 30f77cd | 2019-01-14 16:06:39 +0100 | [diff] [blame] | 1570 | /** Whether the specified algorithm encoding is a wildcard. |
| 1571 | * |
| 1572 | * Wildcard values may only be used to set the usage algorithm field in |
| 1573 | * a policy, not to perform an operation. |
| 1574 | * |
| 1575 | * \param alg An algorithm identifier (value of type #psa_algorithm_t). |
| 1576 | * |
| 1577 | * \return 1 if \c alg is a wildcard algorithm encoding. |
| 1578 | * \return 0 if \c alg is a non-wildcard algorithm encoding (suitable for |
| 1579 | * an operation). |
| 1580 | * \return This macro may return either 0 or 1 if \c alg is not a supported |
| 1581 | * algorithm identifier. |
| 1582 | */ |
| 1583 | #define PSA_ALG_IS_WILDCARD(alg) \ |
| 1584 | (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \ |
| 1585 | PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \ |
| 1586 | (alg) == PSA_ALG_ANY_HASH) |
| 1587 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1588 | /**@}*/ |
| 1589 | |
| 1590 | /** \defgroup key_lifetimes Key lifetimes |
| 1591 | * @{ |
| 1592 | */ |
| 1593 | |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1594 | /** The default lifetime for volatile keys. |
| 1595 | * |
Ronald Cron | cf56a0a | 2020-08-04 09:51:30 +0200 | [diff] [blame] | 1596 | * A volatile key only exists as long as the identifier to it is not destroyed. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1597 | * The key material is guaranteed to be erased on a power reset. |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1598 | * |
| 1599 | * A key with this lifetime is typically stored in the RAM area of the |
| 1600 | * PSA Crypto subsystem. However this is an implementation choice. |
| 1601 | * If an implementation stores data about the key in a non-volatile memory, |
| 1602 | * it must release all the resources associated with the key and erase the |
| 1603 | * key material if the calling application terminates. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1604 | */ |
| 1605 | #define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000) |
| 1606 | |
Gilles Peskine | 5dcb74f | 2020-05-04 18:42:44 +0200 | [diff] [blame] | 1607 | /** The default lifetime for persistent keys. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1608 | * |
| 1609 | * A persistent key remains in storage until it is explicitly destroyed or |
| 1610 | * until the corresponding storage area is wiped. This specification does |
Gilles Peskine | d0107b9 | 2020-08-18 23:05:06 +0200 | [diff] [blame] | 1611 | * not define any mechanism to wipe a storage area, but integrations may |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1612 | * provide their own mechanism (for example to perform a factory reset, |
| 1613 | * to prepare for device refurbishment, or to uninstall an application). |
| 1614 | * |
| 1615 | * This lifetime value is the default storage area for the calling |
Gilles Peskine | d0107b9 | 2020-08-18 23:05:06 +0200 | [diff] [blame] | 1616 | * application. Integrations of Mbed TLS may support other persistent lifetimes. |
Gilles Peskine | 5dcb74f | 2020-05-04 18:42:44 +0200 | [diff] [blame] | 1617 | * See ::psa_key_lifetime_t for more information. |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1618 | */ |
| 1619 | #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001) |
| 1620 | |
Gilles Peskine | aff1181 | 2020-05-04 19:03:10 +0200 | [diff] [blame] | 1621 | /** The persistence level of volatile keys. |
| 1622 | * |
| 1623 | * See ::psa_key_persistence_t for more information. |
| 1624 | */ |
Gilles Peskine | bbb3c18 | 2020-05-04 18:42:06 +0200 | [diff] [blame] | 1625 | #define PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t)0x00) |
Gilles Peskine | aff1181 | 2020-05-04 19:03:10 +0200 | [diff] [blame] | 1626 | |
| 1627 | /** The default persistence level for persistent keys. |
| 1628 | * |
| 1629 | * See ::psa_key_persistence_t for more information. |
| 1630 | */ |
Gilles Peskine | ee04e69 | 2020-05-04 18:52:21 +0200 | [diff] [blame] | 1631 | #define PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t)0x01) |
Gilles Peskine | aff1181 | 2020-05-04 19:03:10 +0200 | [diff] [blame] | 1632 | |
| 1633 | /** A persistence level indicating that a key is never destroyed. |
| 1634 | * |
| 1635 | * See ::psa_key_persistence_t for more information. |
| 1636 | */ |
Gilles Peskine | bbb3c18 | 2020-05-04 18:42:06 +0200 | [diff] [blame] | 1637 | #define PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t)0xff) |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1638 | |
| 1639 | #define PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) \ |
Gilles Peskine | 4cfa443 | 2020-05-06 13:44:32 +0200 | [diff] [blame] | 1640 | ((psa_key_persistence_t)((lifetime) & 0x000000ff)) |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1641 | |
| 1642 | #define PSA_KEY_LIFETIME_GET_LOCATION(lifetime) \ |
Gilles Peskine | 4cfa443 | 2020-05-06 13:44:32 +0200 | [diff] [blame] | 1643 | ((psa_key_location_t)((lifetime) >> 8)) |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1644 | |
| 1645 | /** Whether a key lifetime indicates that the key is volatile. |
| 1646 | * |
| 1647 | * A volatile key is automatically destroyed by the implementation when |
| 1648 | * the application instance terminates. In particular, a volatile key |
| 1649 | * is automatically destroyed on a power reset of the device. |
| 1650 | * |
| 1651 | * A key that is not volatile is persistent. Persistent keys are |
| 1652 | * preserved until the application explicitly destroys them or until an |
| 1653 | * implementation-specific device management event occurs (for example, |
| 1654 | * a factory reset). |
| 1655 | * |
| 1656 | * \param lifetime The lifetime value to query (value of type |
| 1657 | * ::psa_key_lifetime_t). |
| 1658 | * |
| 1659 | * \return \c 1 if the key is volatile, otherwise \c 0. |
| 1660 | */ |
| 1661 | #define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \ |
| 1662 | (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \ |
Steven Cooreman | db06445 | 2020-06-01 12:29:26 +0200 | [diff] [blame] | 1663 | PSA_KEY_PERSISTENCE_VOLATILE) |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1664 | |
Gilles Peskine | c4ee2f3 | 2020-05-04 19:07:18 +0200 | [diff] [blame] | 1665 | /** Construct a lifetime from a persistence level and a location. |
| 1666 | * |
| 1667 | * \param persistence The persistence level |
| 1668 | * (value of type ::psa_key_persistence_t). |
| 1669 | * \param location The location indicator |
| 1670 | * (value of type ::psa_key_location_t). |
| 1671 | * |
| 1672 | * \return The constructed lifetime value. |
| 1673 | */ |
| 1674 | #define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence, location) \ |
| 1675 | ((location) << 8 | (persistence)) |
| 1676 | |
Gilles Peskine | aff1181 | 2020-05-04 19:03:10 +0200 | [diff] [blame] | 1677 | /** The local storage area for persistent keys. |
| 1678 | * |
| 1679 | * This storage area is available on all systems that can store persistent |
| 1680 | * keys without delegating the storage to a third-party cryptoprocessor. |
| 1681 | * |
| 1682 | * See ::psa_key_location_t for more information. |
| 1683 | */ |
Gilles Peskine | ee04e69 | 2020-05-04 18:52:21 +0200 | [diff] [blame] | 1684 | #define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t)0x000000) |
Gilles Peskine | aff1181 | 2020-05-04 19:03:10 +0200 | [diff] [blame] | 1685 | |
Gilles Peskine | bbb3c18 | 2020-05-04 18:42:06 +0200 | [diff] [blame] | 1686 | #define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000) |
Gilles Peskine | 2d2bb1d | 2020-02-05 19:07:18 +0100 | [diff] [blame] | 1687 | |
Gilles Peskine | 4a231b8 | 2019-05-06 18:56:14 +0200 | [diff] [blame] | 1688 | /** The minimum value for a key identifier chosen by the application. |
| 1689 | */ |
Ronald Cron | 039a98b | 2020-07-23 16:07:42 +0200 | [diff] [blame] | 1690 | #define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001) |
Gilles Peskine | 280948a | 2019-05-16 15:27:14 +0200 | [diff] [blame] | 1691 | /** The maximum value for a key identifier chosen by the application. |
Gilles Peskine | 4a231b8 | 2019-05-06 18:56:14 +0200 | [diff] [blame] | 1692 | */ |
Ronald Cron | 039a98b | 2020-07-23 16:07:42 +0200 | [diff] [blame] | 1693 | #define PSA_KEY_ID_USER_MAX ((psa_key_id_t)0x3fffffff) |
Gilles Peskine | 280948a | 2019-05-16 15:27:14 +0200 | [diff] [blame] | 1694 | /** The minimum value for a key identifier chosen by the implementation. |
Gilles Peskine | 4a231b8 | 2019-05-06 18:56:14 +0200 | [diff] [blame] | 1695 | */ |
Ronald Cron | 039a98b | 2020-07-23 16:07:42 +0200 | [diff] [blame] | 1696 | #define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t)0x40000000) |
Gilles Peskine | 280948a | 2019-05-16 15:27:14 +0200 | [diff] [blame] | 1697 | /** The maximum value for a key identifier chosen by the implementation. |
Gilles Peskine | 4a231b8 | 2019-05-06 18:56:14 +0200 | [diff] [blame] | 1698 | */ |
Ronald Cron | 039a98b | 2020-07-23 16:07:42 +0200 | [diff] [blame] | 1699 | #define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff) |
Gilles Peskine | 4a231b8 | 2019-05-06 18:56:14 +0200 | [diff] [blame] | 1700 | |
Ronald Cron | 7424f0d | 2020-09-14 16:17:41 +0200 | [diff] [blame] | 1701 | |
| 1702 | #if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) |
| 1703 | |
| 1704 | #define MBEDTLS_SVC_KEY_ID_INIT ( (psa_key_id_t)0 ) |
| 1705 | #define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( id ) |
| 1706 | #define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( 0 ) |
| 1707 | |
| 1708 | /** Utility to initialize a key identifier at runtime. |
| 1709 | * |
| 1710 | * \param unused Unused parameter. |
| 1711 | * \param key_id Identifier of the key. |
| 1712 | */ |
| 1713 | static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( |
| 1714 | unsigned int unused, psa_key_id_t key_id ) |
| 1715 | { |
| 1716 | (void)unused; |
| 1717 | |
| 1718 | return( key_id ); |
| 1719 | } |
| 1720 | |
| 1721 | /** Compare two key identifiers. |
| 1722 | * |
| 1723 | * \param id1 First key identifier. |
| 1724 | * \param id2 Second key identifier. |
| 1725 | * |
| 1726 | * \return Non-zero if the two key identifier are equal, zero otherwise. |
| 1727 | */ |
| 1728 | static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1, |
| 1729 | mbedtls_svc_key_id_t id2 ) |
| 1730 | { |
| 1731 | return( id1 == id2 ); |
| 1732 | } |
| 1733 | |
Ronald Cron | c4d1b51 | 2020-07-31 11:26:37 +0200 | [diff] [blame] | 1734 | /** Check whether a key identifier is null. |
| 1735 | * |
| 1736 | * \param key Key identifier. |
| 1737 | * |
| 1738 | * \return Non-zero if the key identifier is null, zero otherwise. |
| 1739 | */ |
| 1740 | static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) |
| 1741 | { |
| 1742 | return( key == 0 ); |
| 1743 | } |
| 1744 | |
Ronald Cron | 7424f0d | 2020-09-14 16:17:41 +0200 | [diff] [blame] | 1745 | #else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ |
| 1746 | |
| 1747 | #define MBEDTLS_SVC_KEY_ID_INIT ( (mbedtls_svc_key_id_t){ 0, 0 } ) |
| 1748 | #define MBEDTLS_SVC_KEY_ID_GET_KEY_ID( id ) ( ( id ).key_id ) |
| 1749 | #define MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( id ) ( ( id ).owner ) |
| 1750 | |
| 1751 | /** Utility to initialize a key identifier at runtime. |
| 1752 | * |
| 1753 | * \param owner_id Identifier of the key owner. |
| 1754 | * \param key_id Identifier of the key. |
| 1755 | */ |
| 1756 | static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( |
| 1757 | mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id ) |
| 1758 | { |
| 1759 | return( (mbedtls_svc_key_id_t){ .key_id = key_id, |
| 1760 | .owner = owner_id } ); |
| 1761 | } |
| 1762 | |
| 1763 | /** Compare two key identifiers. |
| 1764 | * |
| 1765 | * \param id1 First key identifier. |
| 1766 | * \param id2 Second key identifier. |
| 1767 | * |
| 1768 | * \return Non-zero if the two key identifier are equal, zero otherwise. |
| 1769 | */ |
| 1770 | static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1, |
| 1771 | mbedtls_svc_key_id_t id2 ) |
| 1772 | { |
| 1773 | return( ( id1.key_id == id2.key_id ) && |
| 1774 | mbedtls_key_owner_id_equal( id1.owner, id2.owner ) ); |
| 1775 | } |
| 1776 | |
Ronald Cron | c4d1b51 | 2020-07-31 11:26:37 +0200 | [diff] [blame] | 1777 | /** Check whether a key identifier is null. |
| 1778 | * |
| 1779 | * \param key Key identifier. |
| 1780 | * |
| 1781 | * \return Non-zero if the key identifier is null, zero otherwise. |
| 1782 | */ |
| 1783 | static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) |
| 1784 | { |
| 1785 | return( ( key.key_id == 0 ) && ( key.owner == 0 ) ); |
| 1786 | } |
| 1787 | |
Ronald Cron | 7424f0d | 2020-09-14 16:17:41 +0200 | [diff] [blame] | 1788 | #endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1789 | |
| 1790 | /**@}*/ |
| 1791 | |
| 1792 | /** \defgroup policy Key policies |
| 1793 | * @{ |
| 1794 | */ |
| 1795 | |
Gilles Peskine | 8e0206a | 2019-05-14 14:24:28 +0200 | [diff] [blame] | 1796 | /** Whether the key may be exported. |
| 1797 | * |
Gilles Peskine | d6a8f5f | 2019-05-14 16:25:50 +0200 | [diff] [blame] | 1798 | * A public key or the public part of a key pair may always be exported |
Gilles Peskine | 8e0206a | 2019-05-14 14:24:28 +0200 | [diff] [blame] | 1799 | * regardless of the value of this permission flag. |
| 1800 | * |
Gilles Peskine | d6a8f5f | 2019-05-14 16:25:50 +0200 | [diff] [blame] | 1801 | * If a key does not have export permission, implementations shall not |
| 1802 | * allow the key to be exported in plain form from the cryptoprocessor, |
| 1803 | * whether through psa_export_key() or through a proprietary interface. |
| 1804 | * The key may however be exportable in a wrapped form, i.e. in a form |
| 1805 | * where it is encrypted by another key. |
| 1806 | */ |
Gilles Peskine | 8e0206a | 2019-05-14 14:24:28 +0200 | [diff] [blame] | 1807 | #define PSA_KEY_USAGE_EXPORT ((psa_key_usage_t)0x00000001) |
| 1808 | |
| 1809 | /** Whether the key may be copied. |
| 1810 | * |
| 1811 | * This flag allows the use of psa_copy_key() to make a copy of the key |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1812 | * with the same policy or a more restrictive policy. |
| 1813 | * |
| 1814 | * For lifetimes for which the key is located in a secure element which |
| 1815 | * enforce the non-exportability of keys, copying a key outside the secure |
| 1816 | * element also requires the usage flag #PSA_KEY_USAGE_EXPORT. |
| 1817 | * Copying the key inside the secure element is permitted with just |
| 1818 | * #PSA_KEY_USAGE_COPY if the secure element supports it. |
| 1819 | * For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or |
| 1820 | * #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY |
| 1821 | * is sufficient to permit the copy. |
| 1822 | */ |
| 1823 | #define PSA_KEY_USAGE_COPY ((psa_key_usage_t)0x00000002) |
| 1824 | |
| 1825 | /** Whether the key may be used to encrypt a message. |
| 1826 | * |
| 1827 | * This flag allows the key to be used for a symmetric encryption operation, |
| 1828 | * for an AEAD encryption-and-authentication operation, |
| 1829 | * or for an asymmetric encryption operation, |
| 1830 | * if otherwise permitted by the key's type and policy. |
| 1831 | * |
| 1832 | * For a key pair, this concerns the public key. |
| 1833 | */ |
| 1834 | #define PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t)0x00000100) |
| 1835 | |
| 1836 | /** Whether the key may be used to decrypt a message. |
| 1837 | * |
| 1838 | * This flag allows the key to be used for a symmetric decryption operation, |
| 1839 | * for an AEAD decryption-and-verification operation, |
| 1840 | * or for an asymmetric decryption operation, |
| 1841 | * if otherwise permitted by the key's type and policy. |
| 1842 | * |
| 1843 | * For a key pair, this concerns the private key. |
| 1844 | */ |
| 1845 | #define PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t)0x00000200) |
| 1846 | |
| 1847 | /** Whether the key may be used to sign a message. |
| 1848 | * |
| 1849 | * This flag allows the key to be used for a MAC calculation operation |
| 1850 | * or for an asymmetric signature operation, |
| 1851 | * if otherwise permitted by the key's type and policy. |
| 1852 | * |
| 1853 | * For a key pair, this concerns the private key. |
| 1854 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1855 | #define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1856 | |
| 1857 | /** Whether the key may be used to verify a message signature. |
| 1858 | * |
| 1859 | * This flag allows the key to be used for a MAC verification operation |
| 1860 | * or for an asymmetric signature verification operation, |
| 1861 | * if otherwise permitted by by the key's type and policy. |
| 1862 | * |
| 1863 | * For a key pair, this concerns the public key. |
| 1864 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1865 | #define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1866 | |
| 1867 | /** Whether the key may be used to derive other keys. |
| 1868 | */ |
Bence Szépkúti | a294551 | 2020-12-03 21:40:17 +0100 | [diff] [blame] | 1869 | #define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000) |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1870 | |
| 1871 | /**@}*/ |
| 1872 | |
Gilles Peskine | b70a0fd | 2019-01-07 22:59:38 +0100 | [diff] [blame] | 1873 | /** \defgroup derivation Key derivation |
| 1874 | * @{ |
| 1875 | */ |
| 1876 | |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1877 | /** A secret input for key derivation. |
| 1878 | * |
Gilles Peskine | 224b0d6 | 2019-09-23 18:13:17 +0200 | [diff] [blame] | 1879 | * This should be a key of type #PSA_KEY_TYPE_DERIVE |
| 1880 | * (passed to psa_key_derivation_input_key()) |
| 1881 | * or the shared secret resulting from a key agreement |
| 1882 | * (obtained via psa_key_derivation_key_agreement()). |
Gilles Peskine | 178c9aa | 2019-09-24 18:21:06 +0200 | [diff] [blame] | 1883 | * |
| 1884 | * The secret can also be a direct input (passed to |
| 1885 | * key_derivation_input_bytes()). In this case, the derivation operation |
| 1886 | * may not be used to derive keys: the operation will only allow |
| 1887 | * psa_key_derivation_output_bytes(), not psa_key_derivation_output_key(). |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1888 | */ |
Gilles Peskine | cf7292e | 2019-05-16 17:53:40 +0200 | [diff] [blame] | 1889 | #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101) |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1890 | |
| 1891 | /** A label for key derivation. |
| 1892 | * |
Gilles Peskine | 224b0d6 | 2019-09-23 18:13:17 +0200 | [diff] [blame] | 1893 | * This should be a direct input. |
| 1894 | * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA. |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1895 | */ |
Gilles Peskine | cf7292e | 2019-05-16 17:53:40 +0200 | [diff] [blame] | 1896 | #define PSA_KEY_DERIVATION_INPUT_LABEL ((psa_key_derivation_step_t)0x0201) |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1897 | |
| 1898 | /** A salt for key derivation. |
| 1899 | * |
Gilles Peskine | 224b0d6 | 2019-09-23 18:13:17 +0200 | [diff] [blame] | 1900 | * This should be a direct input. |
| 1901 | * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA. |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1902 | */ |
Gilles Peskine | cf7292e | 2019-05-16 17:53:40 +0200 | [diff] [blame] | 1903 | #define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t)0x0202) |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1904 | |
| 1905 | /** An information string for key derivation. |
| 1906 | * |
Gilles Peskine | 224b0d6 | 2019-09-23 18:13:17 +0200 | [diff] [blame] | 1907 | * This should be a direct input. |
| 1908 | * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA. |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1909 | */ |
Gilles Peskine | cf7292e | 2019-05-16 17:53:40 +0200 | [diff] [blame] | 1910 | #define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t)0x0203) |
Gilles Peskine | 6cdfdb7 | 2019-01-08 10:31:27 +0100 | [diff] [blame] | 1911 | |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1912 | /** A seed for key derivation. |
| 1913 | * |
Gilles Peskine | 224b0d6 | 2019-09-23 18:13:17 +0200 | [diff] [blame] | 1914 | * This should be a direct input. |
| 1915 | * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA. |
Gilles Peskine | 2cb9e39 | 2019-05-21 15:58:13 +0200 | [diff] [blame] | 1916 | */ |
| 1917 | #define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t)0x0204) |
| 1918 | |
Gilles Peskine | b70a0fd | 2019-01-07 22:59:38 +0100 | [diff] [blame] | 1919 | /**@}*/ |
| 1920 | |
Gilles Peskine | f3b731e | 2018-12-12 13:38:31 +0100 | [diff] [blame] | 1921 | #endif /* PSA_CRYPTO_VALUES_H */ |