1
/**
2
 * \file psa/crypto.h
3
 * \brief Platform Security Architecture cryptography module
4
 */
5
/*
6
 *  Copyright The Mbed TLS Contributors
7
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8
 */
9

10
#ifndef PSA_CRYPTO_H
11
#define PSA_CRYPTO_H
12

13
#if defined(MBEDTLS_PSA_CRYPTO_PLATFORM_FILE)
14
#include MBEDTLS_PSA_CRYPTO_PLATFORM_FILE
15
#else
16
#include "crypto_platform.h"
17
#endif
18

19
#include <stddef.h>
20

21
#ifdef __DOXYGEN_ONLY__
22
/* This __DOXYGEN_ONLY__ block contains mock definitions for things that
23
 * must be defined in the crypto_platform.h header. These mock definitions
24
 * are present in this file as a convenience to generate pretty-printed
25
 * documentation that includes those definitions. */
26

27
/** \defgroup platform Implementation-specific definitions
28
 * @{
29
 */
30

31
/**@}*/
32
#endif /* __DOXYGEN_ONLY__ */
33

34
#ifdef __cplusplus
35
extern "C" {
36
#endif
37

38
/* The file "crypto_types.h" declares types that encode errors,
39
 * algorithms, key types, policies, etc. */
40
#include "crypto_types.h"
41

42
/** \defgroup version API version
43
 * @{
44
 */
45

46
/**
47
 * The major version of this implementation of the PSA Crypto API
48
 */
49
#define PSA_CRYPTO_API_VERSION_MAJOR 1
50

51
/**
52
 * The minor version of this implementation of the PSA Crypto API
53
 */
54
#define PSA_CRYPTO_API_VERSION_MINOR 0
55

56
/**@}*/
57

58
/* The file "crypto_values.h" declares macros to build and analyze values
59
 * of integral types defined in "crypto_types.h". */
60
#include "crypto_values.h"
61

62
/* The file "crypto_sizes.h" contains definitions for size calculation
63
 * macros whose definitions are implementation-specific. */
64
#include "crypto_sizes.h"
65

66
/* The file "crypto_struct.h" contains definitions for
67
 * implementation-specific structs that are declared above. */
68
#if defined(MBEDTLS_PSA_CRYPTO_STRUCT_FILE)
69
#include MBEDTLS_PSA_CRYPTO_STRUCT_FILE
70
#else
71
#include "crypto_struct.h"
72
#endif
73

74
/** \defgroup initialization Library initialization
75
 * @{
76
 */
77

78
/**
79
 * \brief Library initialization.
80
 *
81
 * Applications must call this function before calling any other
82
 * function in this module.
83
 *
84
 * Applications may call this function more than once. Once a call
85
 * succeeds, subsequent calls are guaranteed to succeed.
86
 *
87
 * If the application calls other functions before calling psa_crypto_init(),
88
 * the behavior is undefined. Implementations are encouraged to either perform
89
 * the operation as if the library had been initialized or to return
90
 * #PSA_ERROR_BAD_STATE or some other applicable error. In particular,
91
 * implementations should not return a success status if the lack of
92
 * initialization may have security implications, for example due to improper
93
 * seeding of the random number generator.
94
 *
95
 * \retval #PSA_SUCCESS \emptydescription
96
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
97
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
98
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
99
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
100
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
101
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
102
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
103
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
104
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
105
 */
106
psa_status_t psa_crypto_init(void);
107

108
/**@}*/
109

110
/** \addtogroup attributes
111
 * @{
112
 */
113

114
/** \def PSA_KEY_ATTRIBUTES_INIT
115
 *
116
 * This macro returns a suitable initializer for a key attribute structure
117
 * of type #psa_key_attributes_t.
118
 */
119

120
/** Return an initial value for a key attributes structure.
121
 */
122
#if !(defined(__cplusplus) && defined(_MSC_VER))
123
static psa_key_attributes_t psa_key_attributes_init(void);
124
#endif
125

126
/** Declare a key as persistent and set its key identifier.
127
 *
128
 * If the attribute structure currently declares the key as volatile (which
129
 * is the default content of an attribute structure), this function sets
130
 * the lifetime attribute to #PSA_KEY_LIFETIME_PERSISTENT.
131
 *
132
 * This function does not access storage, it merely stores the given
133
 * value in the structure.
134
 * The persistent key will be written to storage when the attribute
135
 * structure is passed to a key creation function such as
136
 * psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
137
 * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
138
 * or psa_copy_key().
139
 *
140
 * This function may be declared as `static` (i.e. without external
141
 * linkage). This function may be provided as a function-like macro,
142
 * but in this case it must evaluate each of its arguments exactly once.
143
 *
144
 * \param[out] attributes  The attribute structure to write to.
145
 * \param key              The persistent identifier for the key.
146
 *                         This can be any value in the range from
147
 *                         #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX
148
 *                         inclusive.
149
 */
150
static void psa_set_key_id(psa_key_attributes_t *attributes,
151
                           mbedtls_svc_key_id_t key);
152

153
#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
154
/** Set the owner identifier of a key.
155
 *
156
 * When key identifiers encode key owner identifiers, psa_set_key_id() does
157
 * not allow to define in key attributes the owner of volatile keys as
158
 * psa_set_key_id() enforces the key to be persistent.
159
 *
160
 * This function allows to set in key attributes the owner identifier of a
161
 * key. It is intended to be used for volatile keys. For persistent keys,
162
 * it is recommended to use the PSA Cryptography API psa_set_key_id() to define
163
 * the owner of a key.
164
 *
165
 * \param[out] attributes  The attribute structure to write to.
166
 * \param owner            The key owner identifier.
167
 */
168
static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
169
                                     mbedtls_key_owner_id_t owner);
170
#endif
171

172
/** Set the location of a persistent key.
173
 *
174
 * To make a key persistent, you must give it a persistent key identifier
175
 * with psa_set_key_id(). By default, a key that has a persistent identifier
176
 * is stored in the default storage area identifier by
177
 * #PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage
178
 * area, or to explicitly declare the key as volatile.
179
 *
180
 * This function does not access storage, it merely stores the given
181
 * value in the structure.
182
 * The persistent key will be written to storage when the attribute
183
 * structure is passed to a key creation function such as
184
 * psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
185
 * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
186
 * or psa_copy_key().
187
 *
188
 * This function may be declared as `static` (i.e. without external
189
 * linkage). This function may be provided as a function-like macro,
190
 * but in this case it must evaluate each of its arguments exactly once.
191
 *
192
 * \param[out] attributes       The attribute structure to write to.
193
 * \param lifetime              The lifetime for the key.
194
 *                              If this is #PSA_KEY_LIFETIME_VOLATILE, the
195
 *                              key will be volatile, and the key identifier
196
 *                              attribute is reset to 0.
197
 */
198
static void psa_set_key_lifetime(psa_key_attributes_t *attributes,
199
                                 psa_key_lifetime_t lifetime);
200

201
/** Retrieve the key identifier from key attributes.
202
 *
203
 * This function may be declared as `static` (i.e. without external
204
 * linkage). This function may be provided as a function-like macro,
205
 * but in this case it must evaluate its argument exactly once.
206
 *
207
 * \param[in] attributes        The key attribute structure to query.
208
 *
209
 * \return The persistent identifier stored in the attribute structure.
210
 *         This value is unspecified if the attribute structure declares
211
 *         the key as volatile.
212
 */
213
static mbedtls_svc_key_id_t psa_get_key_id(
214
    const psa_key_attributes_t *attributes);
215

216
/** Retrieve the lifetime from key attributes.
217
 *
218
 * This function may be declared as `static` (i.e. without external
219
 * linkage). This function may be provided as a function-like macro,
220
 * but in this case it must evaluate its argument exactly once.
221
 *
222
 * \param[in] attributes        The key attribute structure to query.
223
 *
224
 * \return The lifetime value stored in the attribute structure.
225
 */
226
static psa_key_lifetime_t psa_get_key_lifetime(
227
    const psa_key_attributes_t *attributes);
228

229
/** Declare usage flags for a key.
230
 *
231
 * Usage flags are part of a key's usage policy. They encode what
232
 * kind of operations are permitted on the key. For more details,
233
 * refer to the documentation of the type #psa_key_usage_t.
234
 *
235
 * This function overwrites any usage flags
236
 * previously set in \p attributes.
237
 *
238
 * This function may be declared as `static` (i.e. without external
239
 * linkage). This function may be provided as a function-like macro,
240
 * but in this case it must evaluate each of its arguments exactly once.
241
 *
242
 * \param[out] attributes       The attribute structure to write to.
243
 * \param usage_flags           The usage flags to write.
244
 */
245
static void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
246
                                    psa_key_usage_t usage_flags);
247

248
/** Retrieve the usage flags from key attributes.
249
 *
250
 * This function may be declared as `static` (i.e. without external
251
 * linkage). This function may be provided as a function-like macro,
252
 * but in this case it must evaluate its argument exactly once.
253
 *
254
 * \param[in] attributes        The key attribute structure to query.
255
 *
256
 * \return The usage flags stored in the attribute structure.
257
 */
258
static psa_key_usage_t psa_get_key_usage_flags(
259
    const psa_key_attributes_t *attributes);
260

261
/** Declare the permitted algorithm policy for a key.
262
 *
263
 * The permitted algorithm policy of a key encodes which algorithm or
264
 * algorithms are permitted to be used with this key. The following
265
 * algorithm policies are supported:
266
 * - 0 does not allow any cryptographic operation with the key. The key
267
 *   may be used for non-cryptographic actions such as exporting (if
268
 *   permitted by the usage flags).
269
 * - An algorithm value permits this particular algorithm.
270
 * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified
271
 *   signature scheme with any hash algorithm.
272
 * - An algorithm built from #PSA_ALG_AT_LEAST_THIS_LENGTH_MAC allows
273
 *   any MAC algorithm from the same base class (e.g. CMAC) which
274
 *   generates/verifies a MAC length greater than or equal to the length
275
 *   encoded in the wildcard algorithm.
276
 * - An algorithm built from #PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG
277
 *   allows any AEAD algorithm from the same base class (e.g. CCM) which
278
 *   generates/verifies a tag length greater than or equal to the length
279
 *   encoded in the wildcard algorithm.
280
 *
281
 * This function overwrites any algorithm policy
282
 * previously set in \p attributes.
283
 *
284
 * This function may be declared as `static` (i.e. without external
285
 * linkage). This function may be provided as a function-like macro,
286
 * but in this case it must evaluate each of its arguments exactly once.
287
 *
288
 * \param[out] attributes       The attribute structure to write to.
289
 * \param alg                   The permitted algorithm policy to write.
290
 */
291
static void psa_set_key_algorithm(psa_key_attributes_t *attributes,
292
                                  psa_algorithm_t alg);
293

294

295
/** Retrieve the algorithm policy from key attributes.
296
 *
297
 * This function may be declared as `static` (i.e. without external
298
 * linkage). This function may be provided as a function-like macro,
299
 * but in this case it must evaluate its argument exactly once.
300
 *
301
 * \param[in] attributes        The key attribute structure to query.
302
 *
303
 * \return The algorithm stored in the attribute structure.
304
 */
305
static psa_algorithm_t psa_get_key_algorithm(
306
    const psa_key_attributes_t *attributes);
307

308
/** Declare the type of a key.
309
 *
310
 * This function overwrites any key type
311
 * previously set in \p attributes.
312
 *
313
 * This function may be declared as `static` (i.e. without external
314
 * linkage). This function may be provided as a function-like macro,
315
 * but in this case it must evaluate each of its arguments exactly once.
316
 *
317
 * \param[out] attributes       The attribute structure to write to.
318
 * \param type                  The key type to write.
319
 *                              If this is 0, the key type in \p attributes
320
 *                              becomes unspecified.
321
 */
322
static void psa_set_key_type(psa_key_attributes_t *attributes,
323
                             psa_key_type_t type);
324

325

326
/** Declare the size of a key.
327
 *
328
 * This function overwrites any key size previously set in \p attributes.
329
 *
330
 * This function may be declared as `static` (i.e. without external
331
 * linkage). This function may be provided as a function-like macro,
332
 * but in this case it must evaluate each of its arguments exactly once.
333
 *
334
 * \param[out] attributes       The attribute structure to write to.
335
 * \param bits                  The key size in bits.
336
 *                              If this is 0, the key size in \p attributes
337
 *                              becomes unspecified. Keys of size 0 are
338
 *                              not supported.
339
 */
340
static void psa_set_key_bits(psa_key_attributes_t *attributes,
341
                             size_t bits);
342

343
/** Retrieve the key type from key attributes.
344
 *
345
 * This function may be declared as `static` (i.e. without external
346
 * linkage). This function may be provided as a function-like macro,
347
 * but in this case it must evaluate its argument exactly once.
348
 *
349
 * \param[in] attributes        The key attribute structure to query.
350
 *
351
 * \return The key type stored in the attribute structure.
352
 */
353
#if !(defined(__cplusplus) && defined(_MSC_VER))
354
static psa_key_type_t psa_get_key_type(const psa_key_attributes_t *attributes);
355
#endif
356

357
/** Retrieve the key size from key attributes.
358
 *
359
 * This function may be declared as `static` (i.e. without external
360
 * linkage). This function may be provided as a function-like macro,
361
 * but in this case it must evaluate its argument exactly once.
362
 *
363
 * \param[in] attributes        The key attribute structure to query.
364
 *
365
 * \return The key size stored in the attribute structure, in bits.
366
 */
367
static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
368

369
/** Retrieve the attributes of a key.
370
 *
371
 * This function first resets the attribute structure as with
372
 * psa_reset_key_attributes(). It then copies the attributes of
373
 * the given key into the given attribute structure.
374
 *
375
 * \note This function may allocate memory or other resources.
376
 *       Once you have called this function on an attribute structure,
377
 *       you must call psa_reset_key_attributes() to free these resources.
378
 *
379
 * \param[in] key               Identifier of the key to query.
380
 * \param[in,out] attributes    On success, the attributes of the key.
381
 *                              On failure, equivalent to a
382
 *                              freshly-initialized structure.
383
 *
384
 * \retval #PSA_SUCCESS \emptydescription
385
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
386
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
387
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
388
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
389
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
390
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
391
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
392
 * \retval #PSA_ERROR_BAD_STATE
393
 *         The library has not been previously initialized by psa_crypto_init().
394
 *         It is implementation-dependent whether a failure to initialize
395
 *         results in this error code.
396
 */
397
psa_status_t psa_get_key_attributes(mbedtls_svc_key_id_t key,
398
                                    psa_key_attributes_t *attributes);
399

400
/** Reset a key attribute structure to a freshly initialized state.
401
 *
402
 * You must initialize the attribute structure as described in the
403
 * documentation of the type #psa_key_attributes_t before calling this
404
 * function. Once the structure has been initialized, you may call this
405
 * function at any time.
406
 *
407
 * This function frees any auxiliary resources that the structure
408
 * may contain.
409
 *
410
 * \param[in,out] attributes    The attribute structure to reset.
411
 */
412
void psa_reset_key_attributes(psa_key_attributes_t *attributes);
413

414
/**@}*/
415

416
/** \defgroup key_management Key management
417
 * @{
418
 */
419

420
/** Remove non-essential copies of key material from memory.
421
 *
422
 * If the key identifier designates a volatile key, this functions does not do
423
 * anything and returns successfully.
424
 *
425
 * If the key identifier designates a persistent key, then this function will
426
 * free all resources associated with the key in volatile memory. The key
427
 * data in persistent storage is not affected and the key can still be used.
428
 *
429
 * \param key Identifier of the key to purge.
430
 *
431
 * \retval #PSA_SUCCESS
432
 *         The key material will have been removed from memory if it is not
433
 *         currently required.
434
 * \retval #PSA_ERROR_INVALID_ARGUMENT
435
 *         \p key is not a valid key identifier.
436
 * \retval #PSA_ERROR_BAD_STATE
437
 *         The library has not been previously initialized by psa_crypto_init().
438
 *         It is implementation-dependent whether a failure to initialize
439
 *         results in this error code.
440
 */
441
psa_status_t psa_purge_key(mbedtls_svc_key_id_t key);
442

443
/** Make a copy of a key.
444
 *
445
 * Copy key material from one location to another.
446
 *
447
 * This function is primarily useful to copy a key from one location
448
 * to another, since it populates a key using the material from
449
 * another key which may have a different lifetime.
450
 *
451
 * This function may be used to share a key with a different party,
452
 * subject to implementation-defined restrictions on key sharing.
453
 *
454
 * The policy on the source key must have the usage flag
455
 * #PSA_KEY_USAGE_COPY set.
456
 * This flag is sufficient to permit the copy if the key has the lifetime
457
 * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
458
 * Some secure elements do not provide a way to copy a key without
459
 * making it extractable from the secure element. If a key is located
460
 * in such a secure element, then the key must have both usage flags
461
 * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
462
 * a copy of the key outside the secure element.
463
 *
464
 * The resulting key may only be used in a way that conforms to
465
 * both the policy of the original key and the policy specified in
466
 * the \p attributes parameter:
467
 * - The usage flags on the resulting key are the bitwise-and of the
468
 *   usage flags on the source policy and the usage flags in \p attributes.
469
 * - If both allow the same algorithm or wildcard-based
470
 *   algorithm policy, the resulting key has the same algorithm policy.
471
 * - If either of the policies allows an algorithm and the other policy
472
 *   allows a wildcard-based algorithm policy that includes this algorithm,
473
 *   the resulting key allows the same algorithm.
474
 * - If the policies do not allow any algorithm in common, this function
475
 *   fails with the status #PSA_ERROR_INVALID_ARGUMENT.
476
 *
477
 * The effect of this function on implementation-defined attributes is
478
 * implementation-defined.
479
 *
480
 * \param source_key        The key to copy. It must allow the usage
481
 *                          #PSA_KEY_USAGE_COPY. If a private or secret key is
482
 *                          being copied outside of a secure element it must
483
 *                          also allow #PSA_KEY_USAGE_EXPORT.
484
 * \param[in] attributes    The attributes for the new key.
485
 *                          They are used as follows:
486
 *                          - The key type and size may be 0. If either is
487
 *                            nonzero, it must match the corresponding
488
 *                            attribute of the source key.
489
 *                          - The key location (the lifetime and, for
490
 *                            persistent keys, the key identifier) is
491
 *                            used directly.
492
 *                          - The policy constraints (usage flags and
493
 *                            algorithm policy) are combined from
494
 *                            the source key and \p attributes so that
495
 *                            both sets of restrictions apply, as
496
 *                            described in the documentation of this function.
497
 * \param[out] target_key   On success, an identifier for the newly created
498
 *                          key. For persistent keys, this is the key
499
 *                          identifier defined in \p attributes.
500
 *                          \c 0 on failure.
501
 *
502
 * \retval #PSA_SUCCESS \emptydescription
503
 * \retval #PSA_ERROR_INVALID_HANDLE
504
 *         \p source_key is invalid.
505
 * \retval #PSA_ERROR_ALREADY_EXISTS
506
 *         This is an attempt to create a persistent key, and there is
507
 *         already a persistent key with the given identifier.
508
 * \retval #PSA_ERROR_INVALID_ARGUMENT
509
 *         The lifetime or identifier in \p attributes are invalid, or
510
 *         the policy constraints on the source and specified in
511
 *         \p attributes are incompatible, or
512
 *         \p attributes specifies a key type or key size
513
 *         which does not match the attributes of the source key.
514
 * \retval #PSA_ERROR_NOT_PERMITTED
515
 *         The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or
516
 *         the source key is not exportable and its lifetime does not
517
 *         allow copying it to the target's lifetime.
518
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
519
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
520
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
521
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
522
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
523
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
524
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
525
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
526
 * \retval #PSA_ERROR_BAD_STATE
527
 *         The library has not been previously initialized by psa_crypto_init().
528
 *         It is implementation-dependent whether a failure to initialize
529
 *         results in this error code.
530
 */
531
psa_status_t psa_copy_key(mbedtls_svc_key_id_t source_key,
532
                          const psa_key_attributes_t *attributes,
533
                          mbedtls_svc_key_id_t *target_key);
534

535

536
/**
537
 * \brief Destroy a key.
538
 *
539
 * This function destroys a key from both volatile
540
 * memory and, if applicable, non-volatile storage. Implementations shall
541
 * make a best effort to ensure that the key material cannot be recovered.
542
 *
543
 * This function also erases any metadata such as policies and frees
544
 * resources associated with the key.
545
 *
546
 * If a key is currently in use in a multipart operation, then destroying the
547
 * key will cause the multipart operation to fail.
548
 *
549
 * \warning    We can only guarantee that the the key material will
550
 *             eventually be wiped from memory. With threading enabled
551
 *             and during concurrent execution, copies of the key material may
552
 *             still exist until all threads have finished using the key.
553
 *
554
 * \param key  Identifier of the key to erase. If this is \c 0, do nothing and
555
 *             return #PSA_SUCCESS.
556
 *
557
 * \retval #PSA_SUCCESS
558
 *         \p key was a valid identifier and the key material that it
559
 *         referred to has been erased. Alternatively, \p key is \c 0.
560
 * \retval #PSA_ERROR_NOT_PERMITTED
561
 *         The key cannot be erased because it is
562
 *         read-only, either due to a policy or due to physical restrictions.
563
 * \retval #PSA_ERROR_INVALID_HANDLE
564
 *         \p key is not a valid identifier nor \c 0.
565
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE
566
 *         There was a failure in communication with the cryptoprocessor.
567
 *         The key material may still be present in the cryptoprocessor.
568
 * \retval #PSA_ERROR_DATA_INVALID
569
 *         This error is typically a result of either storage corruption on a
570
 *         cleartext storage backend, or an attempt to read data that was
571
 *         written by an incompatible version of the library.
572
 * \retval #PSA_ERROR_STORAGE_FAILURE
573
 *         The storage is corrupted. Implementations shall make a best effort
574
 *         to erase key material even in this stage, however applications
575
 *         should be aware that it may be impossible to guarantee that the
576
 *         key material is not recoverable in such cases.
577
 * \retval #PSA_ERROR_CORRUPTION_DETECTED
578
 *         An unexpected condition which is not a storage corruption or
579
 *         a communication failure occurred. The cryptoprocessor may have
580
 *         been compromised.
581
 * \retval #PSA_ERROR_BAD_STATE
582
 *         The library has not been previously initialized by psa_crypto_init().
583
 *         It is implementation-dependent whether a failure to initialize
584
 *         results in this error code.
585
 */
586
psa_status_t psa_destroy_key(mbedtls_svc_key_id_t key);
587

588
/**@}*/
589

590
/** \defgroup import_export Key import and export
591
 * @{
592
 */
593

594
/**
595
 * \brief Import a key in binary format.
596
 *
597
 * This function supports any output from psa_export_key(). Refer to the
598
 * documentation of psa_export_public_key() for the format of public keys
599
 * and to the documentation of psa_export_key() for the format for
600
 * other key types.
601
 *
602
 * The key data determines the key size. The attributes may optionally
603
 * specify a key size; in this case it must match the size determined
604
 * from the key data. A key size of 0 in \p attributes indicates that
605
 * the key size is solely determined by the key data.
606
 *
607
 * Implementations must reject an attempt to import a key of size 0.
608
 *
609
 * This specification supports a single format for each key type.
610
 * Implementations may support other formats as long as the standard
611
 * format is supported. Implementations that support other formats
612
 * should ensure that the formats are clearly unambiguous so as to
613
 * minimize the risk that an invalid input is accidentally interpreted
614
 * according to a different format.
615
 *
616
 * \param[in] attributes    The attributes for the new key.
617
 *                          The key size is always determined from the
618
 *                          \p data buffer.
619
 *                          If the key size in \p attributes is nonzero,
620
 *                          it must be equal to the size from \p data.
621
 * \param[out] key          On success, an identifier to the newly created key.
622
 *                          For persistent keys, this is the key identifier
623
 *                          defined in \p attributes.
624
 *                          \c 0 on failure.
625
 * \param[in] data    Buffer containing the key data. The content of this
626
 *                    buffer is interpreted according to the type declared
627
 *                    in \p attributes.
628
 *                    All implementations must support at least the format
629
 *                    described in the documentation
630
 *                    of psa_export_key() or psa_export_public_key() for
631
 *                    the chosen type. Implementations may allow other
632
 *                    formats, but should be conservative: implementations
633
 *                    should err on the side of rejecting content if it
634
 *                    may be erroneous (e.g. wrong type or truncated data).
635
 * \param data_length Size of the \p data buffer in bytes.
636
 *
637
 * \retval #PSA_SUCCESS
638
 *         Success.
639
 *         If the key is persistent, the key material and the key's metadata
640
 *         have been saved to persistent storage.
641
 * \retval #PSA_ERROR_ALREADY_EXISTS
642
 *         This is an attempt to create a persistent key, and there is
643
 *         already a persistent key with the given identifier.
644
 * \retval #PSA_ERROR_NOT_SUPPORTED
645
 *         The key type or key size is not supported, either by the
646
 *         implementation in general or in this particular persistent location.
647
 * \retval #PSA_ERROR_INVALID_ARGUMENT
648
 *         The key attributes, as a whole, are invalid, or
649
 *         the key data is not correctly formatted, or
650
 *         the size in \p attributes is nonzero and does not match the size
651
 *         of the key data.
652
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
653
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
654
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
655
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
656
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
657
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
658
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
659
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
660
 * \retval #PSA_ERROR_BAD_STATE
661
 *         The library has not been previously initialized by psa_crypto_init().
662
 *         It is implementation-dependent whether a failure to initialize
663
 *         results in this error code.
664
 */
665
psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
666
                            const uint8_t *data,
667
                            size_t data_length,
668
                            mbedtls_svc_key_id_t *key);
669

670

671

672
/**
673
 * \brief Export a key in binary format.
674
 *
675
 * The output of this function can be passed to psa_import_key() to
676
 * create an equivalent object.
677
 *
678
 * If the implementation of psa_import_key() supports other formats
679
 * beyond the format specified here, the output from psa_export_key()
680
 * must use the representation specified here, not the original
681
 * representation.
682
 *
683
 * For standard key types, the output format is as follows:
684
 *
685
 * - For symmetric keys (including MAC keys), the format is the
686
 *   raw bytes of the key.
687
 * - For DES, the key data consists of 8 bytes. The parity bits must be
688
 *   correct.
689
 * - For Triple-DES, the format is the concatenation of the
690
 *   two or three DES keys.
691
 * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format
692
 *   is the non-encrypted DER encoding of the representation defined by
693
 *   PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0.
694
 *   ```
695
 *   RSAPrivateKey ::= SEQUENCE {
696
 *       version             INTEGER,  -- must be 0
697
 *       modulus             INTEGER,  -- n
698
 *       publicExponent      INTEGER,  -- e
699
 *       privateExponent     INTEGER,  -- d
700
 *       prime1              INTEGER,  -- p
701
 *       prime2              INTEGER,  -- q
702
 *       exponent1           INTEGER,  -- d mod (p-1)
703
 *       exponent2           INTEGER,  -- d mod (q-1)
704
 *       coefficient         INTEGER,  -- (inverse of q) mod p
705
 *   }
706
 *   ```
707
 * - For elliptic curve key pairs (key types for which
708
 *   #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is
709
 *   a representation of the private value as a `ceiling(m/8)`-byte string
710
 *   where `m` is the bit size associated with the curve, i.e. the bit size
711
 *   of the order of the curve's coordinate field. This byte string is
712
 *   in little-endian order for Montgomery curves (curve types
713
 *   `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
714
 *   curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
715
 *   and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
716
 *   For Weierstrass curves, this is the content of the `privateKey` field of
717
 *   the `ECPrivateKey` format defined by RFC 5915.  For Montgomery curves,
718
 *   the format is defined by RFC 7748, and output is masked according to §5.
719
 *   For twisted Edwards curves, the private key is as defined by RFC 8032
720
 *   (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
721
 * - For Diffie-Hellman key exchange key pairs (key types for which
722
 *   #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
723
 *   format is the representation of the private key `x` as a big-endian byte
724
 *   string. The length of the byte string is the private key size in bytes
725
 *   (leading zeroes are not stripped).
726
 * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is
727
 *   true), the format is the same as for psa_export_public_key().
728
 *
729
 * The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
730
 *
731
 * \param key               Identifier of the key to export. It must allow the
732
 *                          usage #PSA_KEY_USAGE_EXPORT, unless it is a public
733
 *                          key.
734
 * \param[out] data         Buffer where the key data is to be written.
735
 * \param data_size         Size of the \p data buffer in bytes.
736
 * \param[out] data_length  On success, the number of bytes
737
 *                          that make up the key data.
738
 *
739
 * \retval #PSA_SUCCESS \emptydescription
740
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
741
 * \retval #PSA_ERROR_NOT_PERMITTED
742
 *         The key does not have the #PSA_KEY_USAGE_EXPORT flag.
743
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
744
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
745
 *         The size of the \p data buffer is too small. You can determine a
746
 *         sufficient buffer size by calling
747
 *         #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits)
748
 *         where \c type is the key type
749
 *         and \c bits is the key size in bits.
750
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
751
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
752
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
753
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
754
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
755
 * \retval #PSA_ERROR_BAD_STATE
756
 *         The library has not been previously initialized by psa_crypto_init().
757
 *         It is implementation-dependent whether a failure to initialize
758
 *         results in this error code.
759
 */
760
psa_status_t psa_export_key(mbedtls_svc_key_id_t key,
761
                            uint8_t *data,
762
                            size_t data_size,
763
                            size_t *data_length);
764

765
/**
766
 * \brief Export a public key or the public part of a key pair in binary format.
767
 *
768
 * The output of this function can be passed to psa_import_key() to
769
 * create an object that is equivalent to the public key.
770
 *
771
 * This specification supports a single format for each key type.
772
 * Implementations may support other formats as long as the standard
773
 * format is supported. Implementations that support other formats
774
 * should ensure that the formats are clearly unambiguous so as to
775
 * minimize the risk that an invalid input is accidentally interpreted
776
 * according to a different format.
777
 *
778
 * For standard key types, the output format is as follows:
779
 * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of
780
 *   the representation defined by RFC 3279 &sect;2.3.1 as `RSAPublicKey`.
781
 *   ```
782
 *   RSAPublicKey ::= SEQUENCE {
783
 *      modulus            INTEGER,    -- n
784
 *      publicExponent     INTEGER  }  -- e
785
 *   ```
786
 * - For elliptic curve keys on a twisted Edwards curve (key types for which
787
 *   #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true and #PSA_KEY_TYPE_ECC_GET_FAMILY
788
 *   returns #PSA_ECC_FAMILY_TWISTED_EDWARDS), the public key is as defined
789
 *   by RFC 8032
790
 *   (a 32-byte string for Edwards25519, a 57-byte string for Edwards448).
791
 * - For other elliptic curve public keys (key types for which
792
 *   #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
793
 *   representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint.
794
 *   Let `m` be the bit size associated with the curve, i.e. the bit size of
795
 *   `q` for a curve over `F_q`. The representation consists of:
796
 *      - The byte 0x04;
797
 *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
798
 *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
799
 * - For Diffie-Hellman key exchange public keys (key types for which
800
 *   #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true),
801
 *   the format is the representation of the public key `y = g^x mod p` as a
802
 *   big-endian byte string. The length of the byte string is the length of the
803
 *   base prime `p` in bytes.
804
 *
805
 * Exporting a public key object or the public part of a key pair is
806
 * always permitted, regardless of the key's usage flags.
807
 *
808
 * \param key               Identifier of the key to export.
809
 * \param[out] data         Buffer where the key data is to be written.
810
 * \param data_size         Size of the \p data buffer in bytes.
811
 * \param[out] data_length  On success, the number of bytes
812
 *                          that make up the key data.
813
 *
814
 * \retval #PSA_SUCCESS \emptydescription
815
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
816
 * \retval #PSA_ERROR_INVALID_ARGUMENT
817
 *         The key is neither a public key nor a key pair.
818
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
819
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
820
 *         The size of the \p data buffer is too small. You can determine a
821
 *         sufficient buffer size by calling
822
 *         #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
823
 *         where \c type is the key type
824
 *         and \c bits is the key size in bits.
825
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
826
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
827
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
828
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
829
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
830
 * \retval #PSA_ERROR_BAD_STATE
831
 *         The library has not been previously initialized by psa_crypto_init().
832
 *         It is implementation-dependent whether a failure to initialize
833
 *         results in this error code.
834
 */
835
psa_status_t psa_export_public_key(mbedtls_svc_key_id_t key,
836
                                   uint8_t *data,
837
                                   size_t data_size,
838
                                   size_t *data_length);
839

840

841

842
/**@}*/
843

844
/** \defgroup hash Message digests
845
 * @{
846
 */
847

848
/** Calculate the hash (digest) of a message.
849
 *
850
 * \note To verify the hash of a message against an
851
 *       expected value, use psa_hash_compare() instead.
852
 *
853
 * \param alg               The hash algorithm to compute (\c PSA_ALG_XXX value
854
 *                          such that #PSA_ALG_IS_HASH(\p alg) is true).
855
 * \param[in] input         Buffer containing the message to hash.
856
 * \param input_length      Size of the \p input buffer in bytes.
857
 * \param[out] hash         Buffer where the hash is to be written.
858
 * \param hash_size         Size of the \p hash buffer in bytes.
859
 * \param[out] hash_length  On success, the number of bytes
860
 *                          that make up the hash value. This is always
861
 *                          #PSA_HASH_LENGTH(\p alg).
862
 *
863
 * \retval #PSA_SUCCESS
864
 *         Success.
865
 * \retval #PSA_ERROR_NOT_SUPPORTED
866
 *         \p alg is not supported or is not a hash algorithm.
867
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
868
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
869
 *         \p hash_size is too small
870
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
871
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
872
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
873
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
874
 * \retval #PSA_ERROR_BAD_STATE
875
 *         The library has not been previously initialized by psa_crypto_init().
876
 *         It is implementation-dependent whether a failure to initialize
877
 *         results in this error code.
878
 */
879
psa_status_t psa_hash_compute(psa_algorithm_t alg,
880
                              const uint8_t *input,
881
                              size_t input_length,
882
                              uint8_t *hash,
883
                              size_t hash_size,
884
                              size_t *hash_length);
885

886
/** Calculate the hash (digest) of a message and compare it with a
887
 * reference value.
888
 *
889
 * \param alg               The hash algorithm to compute (\c PSA_ALG_XXX value
890
 *                          such that #PSA_ALG_IS_HASH(\p alg) is true).
891
 * \param[in] input         Buffer containing the message to hash.
892
 * \param input_length      Size of the \p input buffer in bytes.
893
 * \param[in] hash          Buffer containing the expected hash value.
894
 * \param hash_length       Size of the \p hash buffer in bytes.
895
 *
896
 * \retval #PSA_SUCCESS
897
 *         The expected hash is identical to the actual hash of the input.
898
 * \retval #PSA_ERROR_INVALID_SIGNATURE
899
 *         The hash of the message was calculated successfully, but it
900
 *         differs from the expected hash.
901
 * \retval #PSA_ERROR_NOT_SUPPORTED
902
 *         \p alg is not supported or is not a hash algorithm.
903
 * \retval #PSA_ERROR_INVALID_ARGUMENT
904
 *         \p input_length or \p hash_length do not match the hash size for \p alg
905
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
906
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
907
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
908
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
909
 * \retval #PSA_ERROR_BAD_STATE
910
 *         The library has not been previously initialized by psa_crypto_init().
911
 *         It is implementation-dependent whether a failure to initialize
912
 *         results in this error code.
913
 */
914
psa_status_t psa_hash_compare(psa_algorithm_t alg,
915
                              const uint8_t *input,
916
                              size_t input_length,
917
                              const uint8_t *hash,
918
                              size_t hash_length);
919

920
/** The type of the state data structure for multipart hash operations.
921
 *
922
 * Before calling any function on a hash operation object, the application must
923
 * initialize it by any of the following means:
924
 * - Set the structure to all-bits-zero, for example:
925
 *   \code
926
 *   psa_hash_operation_t operation;
927
 *   memset(&operation, 0, sizeof(operation));
928
 *   \endcode
929
 * - Initialize the structure to logical zero values, for example:
930
 *   \code
931
 *   psa_hash_operation_t operation = {0};
932
 *   \endcode
933
 * - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT,
934
 *   for example:
935
 *   \code
936
 *   psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
937
 *   \endcode
938
 * - Assign the result of the function psa_hash_operation_init()
939
 *   to the structure, for example:
940
 *   \code
941
 *   psa_hash_operation_t operation;
942
 *   operation = psa_hash_operation_init();
943
 *   \endcode
944
 *
945
 * This is an implementation-defined \c struct. Applications should not
946
 * make any assumptions about the content of this structure.
947
 * Implementation details can change in future versions without notice. */
948
typedef struct psa_hash_operation_s psa_hash_operation_t;
949

950
/** \def PSA_HASH_OPERATION_INIT
951
 *
952
 * This macro returns a suitable initializer for a hash operation object
953
 * of type #psa_hash_operation_t.
954
 */
955

956
/** Return an initial value for a hash operation object.
957
 */
958
#if !(defined(__cplusplus) && defined(_MSC_VER))
959
static psa_hash_operation_t psa_hash_operation_init(void);
960
#endif
961

962
/** Set up a multipart hash operation.
963
 *
964
 * The sequence of operations to calculate a hash (message digest)
965
 * is as follows:
966
 * -# Allocate an operation object which will be passed to all the functions
967
 *    listed here.
968
 * -# Initialize the operation object with one of the methods described in the
969
 *    documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT.
970
 * -# Call psa_hash_setup() to specify the algorithm.
971
 * -# Call psa_hash_update() zero, one or more times, passing a fragment
972
 *    of the message each time. The hash that is calculated is the hash
973
 *    of the concatenation of these messages in order.
974
 * -# To calculate the hash, call psa_hash_finish().
975
 *    To compare the hash with an expected value, call psa_hash_verify().
976
 *
977
 * If an error occurs at any step after a call to psa_hash_setup(), the
978
 * operation will need to be reset by a call to psa_hash_abort(). The
979
 * application may call psa_hash_abort() at any time after the operation
980
 * has been initialized.
981
 *
982
 * After a successful call to psa_hash_setup(), the application must
983
 * eventually terminate the operation. The following events terminate an
984
 * operation:
985
 * - A successful call to psa_hash_finish() or psa_hash_verify().
986
 * - A call to psa_hash_abort().
987
 *
988
 * \param[in,out] operation The operation object to set up. It must have
989
 *                          been initialized as per the documentation for
990
 *                          #psa_hash_operation_t and not yet in use.
991
 * \param alg               The hash algorithm to compute (\c PSA_ALG_XXX value
992
 *                          such that #PSA_ALG_IS_HASH(\p alg) is true).
993
 *
994
 * \retval #PSA_SUCCESS
995
 *         Success.
996
 * \retval #PSA_ERROR_NOT_SUPPORTED
997
 *         \p alg is not a supported hash algorithm.
998
 * \retval #PSA_ERROR_INVALID_ARGUMENT
999
 *         \p alg is not a hash algorithm.
1000
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1001
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1002
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1003
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1004
 * \retval #PSA_ERROR_BAD_STATE
1005
 *         The operation state is not valid (it must be inactive), or
1006
 *         the library has not been previously initialized by psa_crypto_init().
1007
 *         It is implementation-dependent whether a failure to initialize
1008
 *         results in this error code.
1009
 */
1010
psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
1011
                            psa_algorithm_t alg);
1012

1013
/** Add a message fragment to a multipart hash operation.
1014
 *
1015
 * The application must call psa_hash_setup() before calling this function.
1016
 *
1017
 * If this function returns an error status, the operation enters an error
1018
 * state and must be aborted by calling psa_hash_abort().
1019
 *
1020
 * \param[in,out] operation Active hash operation.
1021
 * \param[in] input         Buffer containing the message fragment to hash.
1022
 * \param input_length      Size of the \p input buffer in bytes.
1023
 *
1024
 * \retval #PSA_SUCCESS
1025
 *         Success.
1026
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1027
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1028
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1029
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1030
 * \retval #PSA_ERROR_BAD_STATE
1031
 *         The operation state is not valid (it must be active), or
1032
 *         the library has not been previously initialized by psa_crypto_init().
1033
 *         It is implementation-dependent whether a failure to initialize
1034
 *         results in this error code.
1035
 */
1036
psa_status_t psa_hash_update(psa_hash_operation_t *operation,
1037
                             const uint8_t *input,
1038
                             size_t input_length);
1039

1040
/** Finish the calculation of the hash of a message.
1041
 *
1042
 * The application must call psa_hash_setup() before calling this function.
1043
 * This function calculates the hash of the message formed by concatenating
1044
 * the inputs passed to preceding calls to psa_hash_update().
1045
 *
1046
 * When this function returns successfully, the operation becomes inactive.
1047
 * If this function returns an error status, the operation enters an error
1048
 * state and must be aborted by calling psa_hash_abort().
1049
 *
1050
 * \warning Applications should not call this function if they expect
1051
 *          a specific value for the hash. Call psa_hash_verify() instead.
1052
 *          Beware that comparing integrity or authenticity data such as
1053
 *          hash values with a function such as \c memcmp is risky
1054
 *          because the time taken by the comparison may leak information
1055
 *          about the hashed data which could allow an attacker to guess
1056
 *          a valid hash and thereby bypass security controls.
1057
 *
1058
 * \param[in,out] operation     Active hash operation.
1059
 * \param[out] hash             Buffer where the hash is to be written.
1060
 * \param hash_size             Size of the \p hash buffer in bytes.
1061
 * \param[out] hash_length      On success, the number of bytes
1062
 *                              that make up the hash value. This is always
1063
 *                              #PSA_HASH_LENGTH(\c alg) where \c alg is the
1064
 *                              hash algorithm that is calculated.
1065
 *
1066
 * \retval #PSA_SUCCESS
1067
 *         Success.
1068
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1069
 *         The size of the \p hash buffer is too small. You can determine a
1070
 *         sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
1071
 *         where \c alg is the hash algorithm that is calculated.
1072
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1073
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1074
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1075
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1076
 * \retval #PSA_ERROR_BAD_STATE
1077
 *         The operation state is not valid (it must be active), or
1078
 *         the library has not been previously initialized by psa_crypto_init().
1079
 *         It is implementation-dependent whether a failure to initialize
1080
 *         results in this error code.
1081
 */
1082
psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
1083
                             uint8_t *hash,
1084
                             size_t hash_size,
1085
                             size_t *hash_length);
1086

1087
/** Finish the calculation of the hash of a message and compare it with
1088
 * an expected value.
1089
 *
1090
 * The application must call psa_hash_setup() before calling this function.
1091
 * This function calculates the hash of the message formed by concatenating
1092
 * the inputs passed to preceding calls to psa_hash_update(). It then
1093
 * compares the calculated hash with the expected hash passed as a
1094
 * parameter to this function.
1095
 *
1096
 * When this function returns successfully, the operation becomes inactive.
1097
 * If this function returns an error status, the operation enters an error
1098
 * state and must be aborted by calling psa_hash_abort().
1099
 *
1100
 * \note Implementations shall make the best effort to ensure that the
1101
 * comparison between the actual hash and the expected hash is performed
1102
 * in constant time.
1103
 *
1104
 * \param[in,out] operation     Active hash operation.
1105
 * \param[in] hash              Buffer containing the expected hash value.
1106
 * \param hash_length           Size of the \p hash buffer in bytes.
1107
 *
1108
 * \retval #PSA_SUCCESS
1109
 *         The expected hash is identical to the actual hash of the message.
1110
 * \retval #PSA_ERROR_INVALID_SIGNATURE
1111
 *         The hash of the message was calculated successfully, but it
1112
 *         differs from the expected hash.
1113
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1114
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1115
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1116
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1117
 * \retval #PSA_ERROR_BAD_STATE
1118
 *         The operation state is not valid (it must be active), or
1119
 *         the library has not been previously initialized by psa_crypto_init().
1120
 *         It is implementation-dependent whether a failure to initialize
1121
 *         results in this error code.
1122
 */
1123
psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
1124
                             const uint8_t *hash,
1125
                             size_t hash_length);
1126

1127
/** Abort a hash operation.
1128
 *
1129
 * Aborting an operation frees all associated resources except for the
1130
 * \p operation structure itself. Once aborted, the operation object
1131
 * can be reused for another operation by calling
1132
 * psa_hash_setup() again.
1133
 *
1134
 * You may call this function any time after the operation object has
1135
 * been initialized by one of the methods described in #psa_hash_operation_t.
1136
 *
1137
 * In particular, calling psa_hash_abort() after the operation has been
1138
 * terminated by a call to psa_hash_abort(), psa_hash_finish() or
1139
 * psa_hash_verify() is safe and has no effect.
1140
 *
1141
 * \param[in,out] operation     Initialized hash operation.
1142
 *
1143
 * \retval #PSA_SUCCESS \emptydescription
1144
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1145
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1146
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1147
 * \retval #PSA_ERROR_BAD_STATE
1148
 *         The library has not been previously initialized by psa_crypto_init().
1149
 *         It is implementation-dependent whether a failure to initialize
1150
 *         results in this error code.
1151
 */
1152
psa_status_t psa_hash_abort(psa_hash_operation_t *operation);
1153

1154
/** Clone a hash operation.
1155
 *
1156
 * This function copies the state of an ongoing hash operation to
1157
 * a new operation object. In other words, this function is equivalent
1158
 * to calling psa_hash_setup() on \p target_operation with the same
1159
 * algorithm that \p source_operation was set up for, then
1160
 * psa_hash_update() on \p target_operation with the same input that
1161
 * that was passed to \p source_operation. After this function returns, the
1162
 * two objects are independent, i.e. subsequent calls involving one of
1163
 * the objects do not affect the other object.
1164
 *
1165
 * \param[in] source_operation      The active hash operation to clone.
1166
 * \param[in,out] target_operation  The operation object to set up.
1167
 *                                  It must be initialized but not active.
1168
 *
1169
 * \retval #PSA_SUCCESS \emptydescription
1170
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1171
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1172
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1173
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1174
 * \retval #PSA_ERROR_BAD_STATE
1175
 *         The \p source_operation state is not valid (it must be active), or
1176
 *         the \p target_operation state is not valid (it must be inactive), or
1177
 *         the library has not been previously initialized by psa_crypto_init().
1178
 *         It is implementation-dependent whether a failure to initialize
1179
 *         results in this error code.
1180
 */
1181
psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
1182
                            psa_hash_operation_t *target_operation);
1183

1184
/**@}*/
1185

1186
/** \defgroup MAC Message authentication codes
1187
 * @{
1188
 */
1189

1190
/** Calculate the MAC (message authentication code) of a message.
1191
 *
1192
 * \note To verify the MAC of a message against an
1193
 *       expected value, use psa_mac_verify() instead.
1194
 *       Beware that comparing integrity or authenticity data such as
1195
 *       MAC values with a function such as \c memcmp is risky
1196
 *       because the time taken by the comparison may leak information
1197
 *       about the MAC value which could allow an attacker to guess
1198
 *       a valid MAC and thereby bypass security controls.
1199
 *
1200
 * \param key               Identifier of the key to use for the operation. It
1201
 *                          must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
1202
 * \param alg               The MAC algorithm to compute (\c PSA_ALG_XXX value
1203
 *                          such that #PSA_ALG_IS_MAC(\p alg) is true).
1204
 * \param[in] input         Buffer containing the input message.
1205
 * \param input_length      Size of the \p input buffer in bytes.
1206
 * \param[out] mac          Buffer where the MAC value is to be written.
1207
 * \param mac_size          Size of the \p mac buffer in bytes.
1208
 * \param[out] mac_length   On success, the number of bytes
1209
 *                          that make up the MAC value.
1210
 *
1211
 * \retval #PSA_SUCCESS
1212
 *         Success.
1213
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1214
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1215
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1216
 *         \p key is not compatible with \p alg.
1217
 * \retval #PSA_ERROR_NOT_SUPPORTED
1218
 *         \p alg is not supported or is not a MAC algorithm.
1219
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1220
 *         \p mac_size is too small
1221
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1222
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1223
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1224
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1225
 * \retval #PSA_ERROR_STORAGE_FAILURE
1226
 *         The key could not be retrieved from storage.
1227
 * \retval #PSA_ERROR_BAD_STATE
1228
 *         The library has not been previously initialized by psa_crypto_init().
1229
 *         It is implementation-dependent whether a failure to initialize
1230
 *         results in this error code.
1231
 */
1232
psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
1233
                             psa_algorithm_t alg,
1234
                             const uint8_t *input,
1235
                             size_t input_length,
1236
                             uint8_t *mac,
1237
                             size_t mac_size,
1238
                             size_t *mac_length);
1239

1240
/** Calculate the MAC of a message and compare it with a reference value.
1241
 *
1242
 * \param key               Identifier of the key to use for the operation. It
1243
 *                          must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE.
1244
 * \param alg               The MAC algorithm to compute (\c PSA_ALG_XXX value
1245
 *                          such that #PSA_ALG_IS_MAC(\p alg) is true).
1246
 * \param[in] input         Buffer containing the input message.
1247
 * \param input_length      Size of the \p input buffer in bytes.
1248
 * \param[in] mac           Buffer containing the expected MAC value.
1249
 * \param mac_length        Size of the \p mac buffer in bytes.
1250
 *
1251
 * \retval #PSA_SUCCESS
1252
 *         The expected MAC is identical to the actual MAC of the input.
1253
 * \retval #PSA_ERROR_INVALID_SIGNATURE
1254
 *         The MAC of the message was calculated successfully, but it
1255
 *         differs from the expected value.
1256
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1257
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1258
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1259
 *         \p key is not compatible with \p alg.
1260
 * \retval #PSA_ERROR_NOT_SUPPORTED
1261
 *         \p alg is not supported or is not a MAC algorithm.
1262
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1263
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1264
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1265
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1266
 * \retval #PSA_ERROR_STORAGE_FAILURE
1267
 *         The key could not be retrieved from storage.
1268
 * \retval #PSA_ERROR_BAD_STATE
1269
 *         The library has not been previously initialized by psa_crypto_init().
1270
 *         It is implementation-dependent whether a failure to initialize
1271
 *         results in this error code.
1272
 */
1273
psa_status_t psa_mac_verify(mbedtls_svc_key_id_t key,
1274
                            psa_algorithm_t alg,
1275
                            const uint8_t *input,
1276
                            size_t input_length,
1277
                            const uint8_t *mac,
1278
                            size_t mac_length);
1279

1280
/** The type of the state data structure for multipart MAC operations.
1281
 *
1282
 * Before calling any function on a MAC operation object, the application must
1283
 * initialize it by any of the following means:
1284
 * - Set the structure to all-bits-zero, for example:
1285
 *   \code
1286
 *   psa_mac_operation_t operation;
1287
 *   memset(&operation, 0, sizeof(operation));
1288
 *   \endcode
1289
 * - Initialize the structure to logical zero values, for example:
1290
 *   \code
1291
 *   psa_mac_operation_t operation = {0};
1292
 *   \endcode
1293
 * - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT,
1294
 *   for example:
1295
 *   \code
1296
 *   psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
1297
 *   \endcode
1298
 * - Assign the result of the function psa_mac_operation_init()
1299
 *   to the structure, for example:
1300
 *   \code
1301
 *   psa_mac_operation_t operation;
1302
 *   operation = psa_mac_operation_init();
1303
 *   \endcode
1304
 *
1305
 *
1306
 * This is an implementation-defined \c struct. Applications should not
1307
 * make any assumptions about the content of this structure.
1308
 * Implementation details can change in future versions without notice. */
1309
typedef struct psa_mac_operation_s psa_mac_operation_t;
1310

1311
/** \def PSA_MAC_OPERATION_INIT
1312
 *
1313
 * This macro returns a suitable initializer for a MAC operation object of type
1314
 * #psa_mac_operation_t.
1315
 */
1316

1317
/** Return an initial value for a MAC operation object.
1318
 */
1319
#if !(defined(__cplusplus) && defined(_MSC_VER))
1320
static psa_mac_operation_t psa_mac_operation_init(void);
1321
#endif
1322

1323
/** Set up a multipart MAC calculation operation.
1324
 *
1325
 * This function sets up the calculation of the MAC
1326
 * (message authentication code) of a byte string.
1327
 * To verify the MAC of a message against an
1328
 * expected value, use psa_mac_verify_setup() instead.
1329
 *
1330
 * The sequence of operations to calculate a MAC is as follows:
1331
 * -# Allocate an operation object which will be passed to all the functions
1332
 *    listed here.
1333
 * -# Initialize the operation object with one of the methods described in the
1334
 *    documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
1335
 * -# Call psa_mac_sign_setup() to specify the algorithm and key.
1336
 * -# Call psa_mac_update() zero, one or more times, passing a fragment
1337
 *    of the message each time. The MAC that is calculated is the MAC
1338
 *    of the concatenation of these messages in order.
1339
 * -# At the end of the message, call psa_mac_sign_finish() to finish
1340
 *    calculating the MAC value and retrieve it.
1341
 *
1342
 * If an error occurs at any step after a call to psa_mac_sign_setup(), the
1343
 * operation will need to be reset by a call to psa_mac_abort(). The
1344
 * application may call psa_mac_abort() at any time after the operation
1345
 * has been initialized.
1346
 *
1347
 * After a successful call to psa_mac_sign_setup(), the application must
1348
 * eventually terminate the operation through one of the following methods:
1349
 * - A successful call to psa_mac_sign_finish().
1350
 * - A call to psa_mac_abort().
1351
 *
1352
 * \param[in,out] operation The operation object to set up. It must have
1353
 *                          been initialized as per the documentation for
1354
 *                          #psa_mac_operation_t and not yet in use.
1355
 * \param key               Identifier of the key to use for the operation. It
1356
 *                          must remain valid until the operation terminates.
1357
 *                          It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
1358
 * \param alg               The MAC algorithm to compute (\c PSA_ALG_XXX value
1359
 *                          such that #PSA_ALG_IS_MAC(\p alg) is true).
1360
 *
1361
 * \retval #PSA_SUCCESS
1362
 *         Success.
1363
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1364
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1365
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1366
 *         \p key is not compatible with \p alg.
1367
 * \retval #PSA_ERROR_NOT_SUPPORTED
1368
 *         \p alg is not supported or is not a MAC algorithm.
1369
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1370
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1371
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1372
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1373
 * \retval #PSA_ERROR_STORAGE_FAILURE
1374
 *         The key could not be retrieved from storage.
1375
 * \retval #PSA_ERROR_BAD_STATE
1376
 *         The operation state is not valid (it must be inactive), or
1377
 *         the library has not been previously initialized by psa_crypto_init().
1378
 *         It is implementation-dependent whether a failure to initialize
1379
 *         results in this error code.
1380
 */
1381
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
1382
                                mbedtls_svc_key_id_t key,
1383
                                psa_algorithm_t alg);
1384

1385
/** Set up a multipart MAC verification operation.
1386
 *
1387
 * This function sets up the verification of the MAC
1388
 * (message authentication code) of a byte string against an expected value.
1389
 *
1390
 * The sequence of operations to verify a MAC is as follows:
1391
 * -# Allocate an operation object which will be passed to all the functions
1392
 *    listed here.
1393
 * -# Initialize the operation object with one of the methods described in the
1394
 *    documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
1395
 * -# Call psa_mac_verify_setup() to specify the algorithm and key.
1396
 * -# Call psa_mac_update() zero, one or more times, passing a fragment
1397
 *    of the message each time. The MAC that is calculated is the MAC
1398
 *    of the concatenation of these messages in order.
1399
 * -# At the end of the message, call psa_mac_verify_finish() to finish
1400
 *    calculating the actual MAC of the message and verify it against
1401
 *    the expected value.
1402
 *
1403
 * If an error occurs at any step after a call to psa_mac_verify_setup(), the
1404
 * operation will need to be reset by a call to psa_mac_abort(). The
1405
 * application may call psa_mac_abort() at any time after the operation
1406
 * has been initialized.
1407
 *
1408
 * After a successful call to psa_mac_verify_setup(), the application must
1409
 * eventually terminate the operation through one of the following methods:
1410
 * - A successful call to psa_mac_verify_finish().
1411
 * - A call to psa_mac_abort().
1412
 *
1413
 * \param[in,out] operation The operation object to set up. It must have
1414
 *                          been initialized as per the documentation for
1415
 *                          #psa_mac_operation_t and not yet in use.
1416
 * \param key               Identifier of the key to use for the operation. It
1417
 *                          must remain valid until the operation terminates.
1418
 *                          It must allow the usage
1419
 *                          PSA_KEY_USAGE_VERIFY_MESSAGE.
1420
 * \param alg               The MAC algorithm to compute (\c PSA_ALG_XXX value
1421
 *                          such that #PSA_ALG_IS_MAC(\p alg) is true).
1422
 *
1423
 * \retval #PSA_SUCCESS
1424
 *         Success.
1425
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1426
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1427
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1428
 *         \c key is not compatible with \c alg.
1429
 * \retval #PSA_ERROR_NOT_SUPPORTED
1430
 *         \c alg is not supported or is not a MAC algorithm.
1431
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1432
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1433
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1434
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1435
 * \retval #PSA_ERROR_STORAGE_FAILURE
1436
 *         The key could not be retrieved from storage.
1437
 * \retval #PSA_ERROR_BAD_STATE
1438
 *         The operation state is not valid (it must be inactive), or
1439
 *         the library has not been previously initialized by psa_crypto_init().
1440
 *         It is implementation-dependent whether a failure to initialize
1441
 *         results in this error code.
1442
 */
1443
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
1444
                                  mbedtls_svc_key_id_t key,
1445
                                  psa_algorithm_t alg);
1446

1447
/** Add a message fragment to a multipart MAC operation.
1448
 *
1449
 * The application must call psa_mac_sign_setup() or psa_mac_verify_setup()
1450
 * before calling this function.
1451
 *
1452
 * If this function returns an error status, the operation enters an error
1453
 * state and must be aborted by calling psa_mac_abort().
1454
 *
1455
 * \param[in,out] operation Active MAC operation.
1456
 * \param[in] input         Buffer containing the message fragment to add to
1457
 *                          the MAC calculation.
1458
 * \param input_length      Size of the \p input buffer in bytes.
1459
 *
1460
 * \retval #PSA_SUCCESS
1461
 *         Success.
1462
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1463
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1464
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1465
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1466
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1467
 * \retval #PSA_ERROR_BAD_STATE
1468
 *         The operation state is not valid (it must be active), or
1469
 *         the library has not been previously initialized by psa_crypto_init().
1470
 *         It is implementation-dependent whether a failure to initialize
1471
 *         results in this error code.
1472
 */
1473
psa_status_t psa_mac_update(psa_mac_operation_t *operation,
1474
                            const uint8_t *input,
1475
                            size_t input_length);
1476

1477
/** Finish the calculation of the MAC of a message.
1478
 *
1479
 * The application must call psa_mac_sign_setup() before calling this function.
1480
 * This function calculates the MAC of the message formed by concatenating
1481
 * the inputs passed to preceding calls to psa_mac_update().
1482
 *
1483
 * When this function returns successfully, the operation becomes inactive.
1484
 * If this function returns an error status, the operation enters an error
1485
 * state and must be aborted by calling psa_mac_abort().
1486
 *
1487
 * \warning Applications should not call this function if they expect
1488
 *          a specific value for the MAC. Call psa_mac_verify_finish() instead.
1489
 *          Beware that comparing integrity or authenticity data such as
1490
 *          MAC values with a function such as \c memcmp is risky
1491
 *          because the time taken by the comparison may leak information
1492
 *          about the MAC value which could allow an attacker to guess
1493
 *          a valid MAC and thereby bypass security controls.
1494
 *
1495
 * \param[in,out] operation Active MAC operation.
1496
 * \param[out] mac          Buffer where the MAC value is to be written.
1497
 * \param mac_size          Size of the \p mac buffer in bytes.
1498
 * \param[out] mac_length   On success, the number of bytes
1499
 *                          that make up the MAC value. This is always
1500
 *                          #PSA_MAC_LENGTH(\c key_type, \c key_bits, \c alg)
1501
 *                          where \c key_type and \c key_bits are the type and
1502
 *                          bit-size respectively of the key and \c alg is the
1503
 *                          MAC algorithm that is calculated.
1504
 *
1505
 * \retval #PSA_SUCCESS
1506
 *         Success.
1507
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1508
 *         The size of the \p mac buffer is too small. You can determine a
1509
 *         sufficient buffer size by calling PSA_MAC_LENGTH().
1510
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1511
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1512
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1513
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1514
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1515
 * \retval #PSA_ERROR_BAD_STATE
1516
 *         The operation state is not valid (it must be an active mac sign
1517
 *         operation), or the library has not been previously initialized
1518
 *         by psa_crypto_init().
1519
 *         It is implementation-dependent whether a failure to initialize
1520
 *         results in this error code.
1521
 */
1522
psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
1523
                                 uint8_t *mac,
1524
                                 size_t mac_size,
1525
                                 size_t *mac_length);
1526

1527
/** Finish the calculation of the MAC of a message and compare it with
1528
 * an expected value.
1529
 *
1530
 * The application must call psa_mac_verify_setup() before calling this function.
1531
 * This function calculates the MAC of the message formed by concatenating
1532
 * the inputs passed to preceding calls to psa_mac_update(). It then
1533
 * compares the calculated MAC with the expected MAC passed as a
1534
 * parameter to this function.
1535
 *
1536
 * When this function returns successfully, the operation becomes inactive.
1537
 * If this function returns an error status, the operation enters an error
1538
 * state and must be aborted by calling psa_mac_abort().
1539
 *
1540
 * \note Implementations shall make the best effort to ensure that the
1541
 * comparison between the actual MAC and the expected MAC is performed
1542
 * in constant time.
1543
 *
1544
 * \param[in,out] operation Active MAC operation.
1545
 * \param[in] mac           Buffer containing the expected MAC value.
1546
 * \param mac_length        Size of the \p mac buffer in bytes.
1547
 *
1548
 * \retval #PSA_SUCCESS
1549
 *         The expected MAC is identical to the actual MAC of the message.
1550
 * \retval #PSA_ERROR_INVALID_SIGNATURE
1551
 *         The MAC of the message was calculated successfully, but it
1552
 *         differs from the expected MAC.
1553
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1554
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1555
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1556
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1557
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1558
 * \retval #PSA_ERROR_BAD_STATE
1559
 *         The operation state is not valid (it must be an active mac verify
1560
 *         operation), or the library has not been previously initialized
1561
 *         by psa_crypto_init().
1562
 *         It is implementation-dependent whether a failure to initialize
1563
 *         results in this error code.
1564
 */
1565
psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
1566
                                   const uint8_t *mac,
1567
                                   size_t mac_length);
1568

1569
/** Abort a MAC operation.
1570
 *
1571
 * Aborting an operation frees all associated resources except for the
1572
 * \p operation structure itself. Once aborted, the operation object
1573
 * can be reused for another operation by calling
1574
 * psa_mac_sign_setup() or psa_mac_verify_setup() again.
1575
 *
1576
 * You may call this function any time after the operation object has
1577
 * been initialized by one of the methods described in #psa_mac_operation_t.
1578
 *
1579
 * In particular, calling psa_mac_abort() after the operation has been
1580
 * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or
1581
 * psa_mac_verify_finish() is safe and has no effect.
1582
 *
1583
 * \param[in,out] operation Initialized MAC operation.
1584
 *
1585
 * \retval #PSA_SUCCESS \emptydescription
1586
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1587
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1588
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1589
 * \retval #PSA_ERROR_BAD_STATE
1590
 *         The library has not been previously initialized by psa_crypto_init().
1591
 *         It is implementation-dependent whether a failure to initialize
1592
 *         results in this error code.
1593
 */
1594
psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
1595

1596
/**@}*/
1597

1598
/** \defgroup cipher Symmetric ciphers
1599
 * @{
1600
 */
1601

1602
/** Encrypt a message using a symmetric cipher.
1603
 *
1604
 * This function encrypts a message with a random IV (initialization
1605
 * vector). Use the multipart operation interface with a
1606
 * #psa_cipher_operation_t object to provide other forms of IV.
1607
 *
1608
 * \param key                   Identifier of the key to use for the operation.
1609
 *                              It must allow the usage #PSA_KEY_USAGE_ENCRYPT.
1610
 * \param alg                   The cipher algorithm to compute
1611
 *                              (\c PSA_ALG_XXX value such that
1612
 *                              #PSA_ALG_IS_CIPHER(\p alg) is true).
1613
 * \param[in] input             Buffer containing the message to encrypt.
1614
 * \param input_length          Size of the \p input buffer in bytes.
1615
 * \param[out] output           Buffer where the output is to be written.
1616
 *                              The output contains the IV followed by
1617
 *                              the ciphertext proper.
1618
 * \param output_size           Size of the \p output buffer in bytes.
1619
 * \param[out] output_length    On success, the number of bytes
1620
 *                              that make up the output.
1621
 *
1622
 * \retval #PSA_SUCCESS
1623
 *         Success.
1624
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1625
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1626
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1627
 *         \p key is not compatible with \p alg.
1628
 * \retval #PSA_ERROR_NOT_SUPPORTED
1629
 *         \p alg is not supported or is not a cipher algorithm.
1630
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
1631
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1632
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1633
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1634
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1635
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1636
 * \retval #PSA_ERROR_BAD_STATE
1637
 *         The library has not been previously initialized by psa_crypto_init().
1638
 *         It is implementation-dependent whether a failure to initialize
1639
 *         results in this error code.
1640
 */
1641
psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key,
1642
                                psa_algorithm_t alg,
1643
                                const uint8_t *input,
1644
                                size_t input_length,
1645
                                uint8_t *output,
1646
                                size_t output_size,
1647
                                size_t *output_length);
1648

1649
/** Decrypt a message using a symmetric cipher.
1650
 *
1651
 * This function decrypts a message encrypted with a symmetric cipher.
1652
 *
1653
 * \param key                   Identifier of the key to use for the operation.
1654
 *                              It must remain valid until the operation
1655
 *                              terminates. It must allow the usage
1656
 *                              #PSA_KEY_USAGE_DECRYPT.
1657
 * \param alg                   The cipher algorithm to compute
1658
 *                              (\c PSA_ALG_XXX value such that
1659
 *                              #PSA_ALG_IS_CIPHER(\p alg) is true).
1660
 * \param[in] input             Buffer containing the message to decrypt.
1661
 *                              This consists of the IV followed by the
1662
 *                              ciphertext proper.
1663
 * \param input_length          Size of the \p input buffer in bytes.
1664
 * \param[out] output           Buffer where the plaintext is to be written.
1665
 * \param output_size           Size of the \p output buffer in bytes.
1666
 * \param[out] output_length    On success, the number of bytes
1667
 *                              that make up the output.
1668
 *
1669
 * \retval #PSA_SUCCESS
1670
 *         Success.
1671
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1672
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1673
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1674
 *         \p key is not compatible with \p alg.
1675
 * \retval #PSA_ERROR_NOT_SUPPORTED
1676
 *         \p alg is not supported or is not a cipher algorithm.
1677
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
1678
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1679
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1680
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1681
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1682
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1683
 * \retval #PSA_ERROR_BAD_STATE
1684
 *         The library has not been previously initialized by psa_crypto_init().
1685
 *         It is implementation-dependent whether a failure to initialize
1686
 *         results in this error code.
1687
 */
1688
psa_status_t psa_cipher_decrypt(mbedtls_svc_key_id_t key,
1689
                                psa_algorithm_t alg,
1690
                                const uint8_t *input,
1691
                                size_t input_length,
1692
                                uint8_t *output,
1693
                                size_t output_size,
1694
                                size_t *output_length);
1695

1696
/** The type of the state data structure for multipart cipher operations.
1697
 *
1698
 * Before calling any function on a cipher operation object, the application
1699
 * must initialize it by any of the following means:
1700
 * - Set the structure to all-bits-zero, for example:
1701
 *   \code
1702
 *   psa_cipher_operation_t operation;
1703
 *   memset(&operation, 0, sizeof(operation));
1704
 *   \endcode
1705
 * - Initialize the structure to logical zero values, for example:
1706
 *   \code
1707
 *   psa_cipher_operation_t operation = {0};
1708
 *   \endcode
1709
 * - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT,
1710
 *   for example:
1711
 *   \code
1712
 *   psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
1713
 *   \endcode
1714
 * - Assign the result of the function psa_cipher_operation_init()
1715
 *   to the structure, for example:
1716
 *   \code
1717
 *   psa_cipher_operation_t operation;
1718
 *   operation = psa_cipher_operation_init();
1719
 *   \endcode
1720
 *
1721
 * This is an implementation-defined \c struct. Applications should not
1722
 * make any assumptions about the content of this structure.
1723
 * Implementation details can change in future versions without notice. */
1724
typedef struct psa_cipher_operation_s psa_cipher_operation_t;
1725

1726
/** \def PSA_CIPHER_OPERATION_INIT
1727
 *
1728
 * This macro returns a suitable initializer for a cipher operation object of
1729
 * type #psa_cipher_operation_t.
1730
 */
1731

1732
/** Return an initial value for a cipher operation object.
1733
 */
1734
#if !(defined(__cplusplus) && defined(_MSC_VER))
1735
static psa_cipher_operation_t psa_cipher_operation_init(void);
1736
#endif
1737

1738
/** Set the key for a multipart symmetric encryption operation.
1739
 *
1740
 * The sequence of operations to encrypt a message with a symmetric cipher
1741
 * is as follows:
1742
 * -# Allocate an operation object which will be passed to all the functions
1743
 *    listed here.
1744
 * -# Initialize the operation object with one of the methods described in the
1745
 *    documentation for #psa_cipher_operation_t, e.g.
1746
 *    #PSA_CIPHER_OPERATION_INIT.
1747
 * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key.
1748
 * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to
1749
 *    generate or set the IV (initialization vector). You should use
1750
 *    psa_cipher_generate_iv() unless the protocol you are implementing
1751
 *    requires a specific IV value.
1752
 * -# Call psa_cipher_update() zero, one or more times, passing a fragment
1753
 *    of the message each time.
1754
 * -# Call psa_cipher_finish().
1755
 *
1756
 * If an error occurs at any step after a call to psa_cipher_encrypt_setup(),
1757
 * the operation will need to be reset by a call to psa_cipher_abort(). The
1758
 * application may call psa_cipher_abort() at any time after the operation
1759
 * has been initialized.
1760
 *
1761
 * After a successful call to psa_cipher_encrypt_setup(), the application must
1762
 * eventually terminate the operation. The following events terminate an
1763
 * operation:
1764
 * - A successful call to psa_cipher_finish().
1765
 * - A call to psa_cipher_abort().
1766
 *
1767
 * \param[in,out] operation     The operation object to set up. It must have
1768
 *                              been initialized as per the documentation for
1769
 *                              #psa_cipher_operation_t and not yet in use.
1770
 * \param key                   Identifier of the key to use for the operation.
1771
 *                              It must remain valid until the operation
1772
 *                              terminates. It must allow the usage
1773
 *                              #PSA_KEY_USAGE_ENCRYPT.
1774
 * \param alg                   The cipher algorithm to compute
1775
 *                              (\c PSA_ALG_XXX value such that
1776
 *                              #PSA_ALG_IS_CIPHER(\p alg) is true).
1777
 *
1778
 * \retval #PSA_SUCCESS
1779
 *         Success.
1780
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1781
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1782
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1783
 *         \p key is not compatible with \p alg.
1784
 * \retval #PSA_ERROR_NOT_SUPPORTED
1785
 *         \p alg is not supported or is not a cipher algorithm.
1786
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1787
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1788
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1789
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1790
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1791
 * \retval #PSA_ERROR_BAD_STATE
1792
 *         The operation state is not valid (it must be inactive), or
1793
 *         the library has not been previously initialized by psa_crypto_init().
1794
 *         It is implementation-dependent whether a failure to initialize
1795
 *         results in this error code.
1796
 */
1797
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
1798
                                      mbedtls_svc_key_id_t key,
1799
                                      psa_algorithm_t alg);
1800

1801
/** Set the key for a multipart symmetric decryption operation.
1802
 *
1803
 * The sequence of operations to decrypt a message with a symmetric cipher
1804
 * is as follows:
1805
 * -# Allocate an operation object which will be passed to all the functions
1806
 *    listed here.
1807
 * -# Initialize the operation object with one of the methods described in the
1808
 *    documentation for #psa_cipher_operation_t, e.g.
1809
 *    #PSA_CIPHER_OPERATION_INIT.
1810
 * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key.
1811
 * -# Call psa_cipher_set_iv() with the IV (initialization vector) for the
1812
 *    decryption. If the IV is prepended to the ciphertext, you can call
1813
 *    psa_cipher_update() on a buffer containing the IV followed by the
1814
 *    beginning of the message.
1815
 * -# Call psa_cipher_update() zero, one or more times, passing a fragment
1816
 *    of the message each time.
1817
 * -# Call psa_cipher_finish().
1818
 *
1819
 * If an error occurs at any step after a call to psa_cipher_decrypt_setup(),
1820
 * the operation will need to be reset by a call to psa_cipher_abort(). The
1821
 * application may call psa_cipher_abort() at any time after the operation
1822
 * has been initialized.
1823
 *
1824
 * After a successful call to psa_cipher_decrypt_setup(), the application must
1825
 * eventually terminate the operation. The following events terminate an
1826
 * operation:
1827
 * - A successful call to psa_cipher_finish().
1828
 * - A call to psa_cipher_abort().
1829
 *
1830
 * \param[in,out] operation     The operation object to set up. It must have
1831
 *                              been initialized as per the documentation for
1832
 *                              #psa_cipher_operation_t and not yet in use.
1833
 * \param key                   Identifier of the key to use for the operation.
1834
 *                              It must remain valid until the operation
1835
 *                              terminates. It must allow the usage
1836
 *                              #PSA_KEY_USAGE_DECRYPT.
1837
 * \param alg                   The cipher algorithm to compute
1838
 *                              (\c PSA_ALG_XXX value such that
1839
 *                              #PSA_ALG_IS_CIPHER(\p alg) is true).
1840
 *
1841
 * \retval #PSA_SUCCESS
1842
 *         Success.
1843
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
1844
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
1845
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1846
 *         \p key is not compatible with \p alg.
1847
 * \retval #PSA_ERROR_NOT_SUPPORTED
1848
 *         \p alg is not supported or is not a cipher algorithm.
1849
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1850
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1851
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1852
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1853
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1854
 * \retval #PSA_ERROR_BAD_STATE
1855
 *         The operation state is not valid (it must be inactive), or
1856
 *         the library has not been previously initialized by psa_crypto_init().
1857
 *         It is implementation-dependent whether a failure to initialize
1858
 *         results in this error code.
1859
 */
1860
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
1861
                                      mbedtls_svc_key_id_t key,
1862
                                      psa_algorithm_t alg);
1863

1864
/** Generate an IV for a symmetric encryption operation.
1865
 *
1866
 * This function generates a random IV (initialization vector), nonce
1867
 * or initial counter value for the encryption operation as appropriate
1868
 * for the chosen algorithm, key type and key size.
1869
 *
1870
 * The application must call psa_cipher_encrypt_setup() before
1871
 * calling this function.
1872
 *
1873
 * If this function returns an error status, the operation enters an error
1874
 * state and must be aborted by calling psa_cipher_abort().
1875
 *
1876
 * \param[in,out] operation     Active cipher operation.
1877
 * \param[out] iv               Buffer where the generated IV is to be written.
1878
 * \param iv_size               Size of the \p iv buffer in bytes.
1879
 * \param[out] iv_length        On success, the number of bytes of the
1880
 *                              generated IV.
1881
 *
1882
 * \retval #PSA_SUCCESS
1883
 *         Success.
1884
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1885
 *         The size of the \p iv buffer is too small.
1886
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1887
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1888
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1889
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1890
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1891
 * \retval #PSA_ERROR_BAD_STATE
1892
 *         The operation state is not valid (it must be active, with no IV set),
1893
 *         or the library has not been previously initialized
1894
 *         by psa_crypto_init().
1895
 *         It is implementation-dependent whether a failure to initialize
1896
 *         results in this error code.
1897
 */
1898
psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
1899
                                    uint8_t *iv,
1900
                                    size_t iv_size,
1901
                                    size_t *iv_length);
1902

1903
/** Set the IV for a symmetric encryption or decryption operation.
1904
 *
1905
 * This function sets the IV (initialization vector), nonce
1906
 * or initial counter value for the encryption or decryption operation.
1907
 *
1908
 * The application must call psa_cipher_encrypt_setup() before
1909
 * calling this function.
1910
 *
1911
 * If this function returns an error status, the operation enters an error
1912
 * state and must be aborted by calling psa_cipher_abort().
1913
 *
1914
 * \note When encrypting, applications should use psa_cipher_generate_iv()
1915
 * instead of this function, unless implementing a protocol that requires
1916
 * a non-random IV.
1917
 *
1918
 * \param[in,out] operation     Active cipher operation.
1919
 * \param[in] iv                Buffer containing the IV to use.
1920
 * \param iv_length             Size of the IV in bytes.
1921
 *
1922
 * \retval #PSA_SUCCESS
1923
 *         Success.
1924
 * \retval #PSA_ERROR_INVALID_ARGUMENT
1925
 *         The size of \p iv is not acceptable for the chosen algorithm,
1926
 *         or the chosen algorithm does not use an IV.
1927
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1928
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1929
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1930
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1931
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1932
 * \retval #PSA_ERROR_BAD_STATE
1933
 *         The operation state is not valid (it must be an active cipher
1934
 *         encrypt operation, with no IV set), or the library has not been
1935
 *         previously initialized by psa_crypto_init().
1936
 *         It is implementation-dependent whether a failure to initialize
1937
 *         results in this error code.
1938
 */
1939
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
1940
                               const uint8_t *iv,
1941
                               size_t iv_length);
1942

1943
/** Encrypt or decrypt a message fragment in an active cipher operation.
1944
 *
1945
 * Before calling this function, you must:
1946
 * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup().
1947
 *    The choice of setup function determines whether this function
1948
 *    encrypts or decrypts its input.
1949
 * 2. If the algorithm requires an IV, call psa_cipher_generate_iv()
1950
 *    (recommended when encrypting) or psa_cipher_set_iv().
1951
 *
1952
 * If this function returns an error status, the operation enters an error
1953
 * state and must be aborted by calling psa_cipher_abort().
1954
 *
1955
 * \param[in,out] operation     Active cipher operation.
1956
 * \param[in] input             Buffer containing the message fragment to
1957
 *                              encrypt or decrypt.
1958
 * \param input_length          Size of the \p input buffer in bytes.
1959
 * \param[out] output           Buffer where the output is to be written.
1960
 * \param output_size           Size of the \p output buffer in bytes.
1961
 * \param[out] output_length    On success, the number of bytes
1962
 *                              that make up the returned output.
1963
 *
1964
 * \retval #PSA_SUCCESS
1965
 *         Success.
1966
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1967
 *         The size of the \p output buffer is too small.
1968
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
1969
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
1970
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
1971
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
1972
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
1973
 * \retval #PSA_ERROR_BAD_STATE
1974
 *         The operation state is not valid (it must be active, with an IV set
1975
 *         if required for the algorithm), or the library has not been
1976
 *         previously initialized by psa_crypto_init().
1977
 *         It is implementation-dependent whether a failure to initialize
1978
 *         results in this error code.
1979
 */
1980
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
1981
                               const uint8_t *input,
1982
                               size_t input_length,
1983
                               uint8_t *output,
1984
                               size_t output_size,
1985
                               size_t *output_length);
1986

1987
/** Finish encrypting or decrypting a message in a cipher operation.
1988
 *
1989
 * The application must call psa_cipher_encrypt_setup() or
1990
 * psa_cipher_decrypt_setup() before calling this function. The choice
1991
 * of setup function determines whether this function encrypts or
1992
 * decrypts its input.
1993
 *
1994
 * This function finishes the encryption or decryption of the message
1995
 * formed by concatenating the inputs passed to preceding calls to
1996
 * psa_cipher_update().
1997
 *
1998
 * When this function returns successfully, the operation becomes inactive.
1999
 * If this function returns an error status, the operation enters an error
2000
 * state and must be aborted by calling psa_cipher_abort().
2001
 *
2002
 * \param[in,out] operation     Active cipher operation.
2003
 * \param[out] output           Buffer where the output is to be written.
2004
 * \param output_size           Size of the \p output buffer in bytes.
2005
 * \param[out] output_length    On success, the number of bytes
2006
 *                              that make up the returned output.
2007
 *
2008
 * \retval #PSA_SUCCESS
2009
 *         Success.
2010
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2011
 *         The total input size passed to this operation is not valid for
2012
 *         this particular algorithm. For example, the algorithm is a based
2013
 *         on block cipher and requires a whole number of blocks, but the
2014
 *         total input size is not a multiple of the block size.
2015
 * \retval #PSA_ERROR_INVALID_PADDING
2016
 *         This is a decryption operation for an algorithm that includes
2017
 *         padding, and the ciphertext does not contain valid padding.
2018
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2019
 *         The size of the \p output buffer is too small.
2020
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2021
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2022
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2023
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2024
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2025
 * \retval #PSA_ERROR_BAD_STATE
2026
 *         The operation state is not valid (it must be active, with an IV set
2027
 *         if required for the algorithm), or the library has not been
2028
 *         previously initialized by psa_crypto_init().
2029
 *         It is implementation-dependent whether a failure to initialize
2030
 *         results in this error code.
2031
 */
2032
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
2033
                               uint8_t *output,
2034
                               size_t output_size,
2035
                               size_t *output_length);
2036

2037
/** Abort a cipher operation.
2038
 *
2039
 * Aborting an operation frees all associated resources except for the
2040
 * \p operation structure itself. Once aborted, the operation object
2041
 * can be reused for another operation by calling
2042
 * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again.
2043
 *
2044
 * You may call this function any time after the operation object has
2045
 * been initialized as described in #psa_cipher_operation_t.
2046
 *
2047
 * In particular, calling psa_cipher_abort() after the operation has been
2048
 * terminated by a call to psa_cipher_abort() or psa_cipher_finish()
2049
 * is safe and has no effect.
2050
 *
2051
 * \param[in,out] operation     Initialized cipher operation.
2052
 *
2053
 * \retval #PSA_SUCCESS \emptydescription
2054
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2055
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2056
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2057
 * \retval #PSA_ERROR_BAD_STATE
2058
 *         The library has not been previously initialized by psa_crypto_init().
2059
 *         It is implementation-dependent whether a failure to initialize
2060
 *         results in this error code.
2061
 */
2062
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
2063

2064
/**@}*/
2065

2066
/** \defgroup aead Authenticated encryption with associated data (AEAD)
2067
 * @{
2068
 */
2069

2070
/** Process an authenticated encryption operation.
2071
 *
2072
 * \param key                     Identifier of the key to use for the
2073
 *                                operation. It must allow the usage
2074
 *                                #PSA_KEY_USAGE_ENCRYPT.
2075
 * \param alg                     The AEAD algorithm to compute
2076
 *                                (\c PSA_ALG_XXX value such that
2077
 *                                #PSA_ALG_IS_AEAD(\p alg) is true).
2078
 * \param[in] nonce               Nonce or IV to use.
2079
 * \param nonce_length            Size of the \p nonce buffer in bytes.
2080
 * \param[in] additional_data     Additional data that will be authenticated
2081
 *                                but not encrypted.
2082
 * \param additional_data_length  Size of \p additional_data in bytes.
2083
 * \param[in] plaintext           Data that will be authenticated and
2084
 *                                encrypted.
2085
 * \param plaintext_length        Size of \p plaintext in bytes.
2086
 * \param[out] ciphertext         Output buffer for the authenticated and
2087
 *                                encrypted data. The additional data is not
2088
 *                                part of this output. For algorithms where the
2089
 *                                encrypted data and the authentication tag
2090
 *                                are defined as separate outputs, the
2091
 *                                authentication tag is appended to the
2092
 *                                encrypted data.
2093
 * \param ciphertext_size         Size of the \p ciphertext buffer in bytes.
2094
 *                                This must be appropriate for the selected
2095
 *                                algorithm and key:
2096
 *                                - A sufficient output size is
2097
 *                                  #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type,
2098
 *                                  \p alg, \p plaintext_length) where
2099
 *                                  \c key_type is the type of \p key.
2100
 *                                - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p
2101
 *                                  plaintext_length) evaluates to the maximum
2102
 *                                  ciphertext size of any supported AEAD
2103
 *                                  encryption.
2104
 * \param[out] ciphertext_length  On success, the size of the output
2105
 *                                in the \p ciphertext buffer.
2106
 *
2107
 * \retval #PSA_SUCCESS
2108
 *         Success.
2109
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2110
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2111
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2112
 *         \p key is not compatible with \p alg.
2113
 * \retval #PSA_ERROR_NOT_SUPPORTED
2114
 *         \p alg is not supported or is not an AEAD algorithm.
2115
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2116
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2117
 *         \p ciphertext_size is too small.
2118
 *         #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
2119
 *         \p plaintext_length) or
2120
 *         #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
2121
 *         determine the required buffer size.
2122
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2123
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2124
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2125
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2126
 * \retval #PSA_ERROR_BAD_STATE
2127
 *         The library has not been previously initialized by psa_crypto_init().
2128
 *         It is implementation-dependent whether a failure to initialize
2129
 *         results in this error code.
2130
 */
2131
psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
2132
                              psa_algorithm_t alg,
2133
                              const uint8_t *nonce,
2134
                              size_t nonce_length,
2135
                              const uint8_t *additional_data,
2136
                              size_t additional_data_length,
2137
                              const uint8_t *plaintext,
2138
                              size_t plaintext_length,
2139
                              uint8_t *ciphertext,
2140
                              size_t ciphertext_size,
2141
                              size_t *ciphertext_length);
2142

2143
/** Process an authenticated decryption operation.
2144
 *
2145
 * \param key                     Identifier of the key to use for the
2146
 *                                operation. It must allow the usage
2147
 *                                #PSA_KEY_USAGE_DECRYPT.
2148
 * \param alg                     The AEAD algorithm to compute
2149
 *                                (\c PSA_ALG_XXX value such that
2150
 *                                #PSA_ALG_IS_AEAD(\p alg) is true).
2151
 * \param[in] nonce               Nonce or IV to use.
2152
 * \param nonce_length            Size of the \p nonce buffer in bytes.
2153
 * \param[in] additional_data     Additional data that has been authenticated
2154
 *                                but not encrypted.
2155
 * \param additional_data_length  Size of \p additional_data in bytes.
2156
 * \param[in] ciphertext          Data that has been authenticated and
2157
 *                                encrypted. For algorithms where the
2158
 *                                encrypted data and the authentication tag
2159
 *                                are defined as separate inputs, the buffer
2160
 *                                must contain the encrypted data followed
2161
 *                                by the authentication tag.
2162
 * \param ciphertext_length       Size of \p ciphertext in bytes.
2163
 * \param[out] plaintext          Output buffer for the decrypted data.
2164
 * \param plaintext_size          Size of the \p plaintext buffer in bytes.
2165
 *                                This must be appropriate for the selected
2166
 *                                algorithm and key:
2167
 *                                - A sufficient output size is
2168
 *                                  #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type,
2169
 *                                  \p alg, \p ciphertext_length) where
2170
 *                                  \c key_type is the type of \p key.
2171
 *                                - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p
2172
 *                                  ciphertext_length) evaluates to the maximum
2173
 *                                  plaintext size of any supported AEAD
2174
 *                                  decryption.
2175
 * \param[out] plaintext_length   On success, the size of the output
2176
 *                                in the \p plaintext buffer.
2177
 *
2178
 * \retval #PSA_SUCCESS
2179
 *         Success.
2180
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2181
 * \retval #PSA_ERROR_INVALID_SIGNATURE
2182
 *         The ciphertext is not authentic.
2183
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2184
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2185
 *         \p key is not compatible with \p alg.
2186
 * \retval #PSA_ERROR_NOT_SUPPORTED
2187
 *         \p alg is not supported or is not an AEAD algorithm.
2188
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2189
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2190
 *         \p plaintext_size is too small.
2191
 *         #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
2192
 *         \p ciphertext_length) or
2193
 *         #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
2194
 *         to determine the required buffer size.
2195
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2196
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2197
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2198
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2199
 * \retval #PSA_ERROR_BAD_STATE
2200
 *         The library has not been previously initialized by psa_crypto_init().
2201
 *         It is implementation-dependent whether a failure to initialize
2202
 *         results in this error code.
2203
 */
2204
psa_status_t psa_aead_decrypt(mbedtls_svc_key_id_t key,
2205
                              psa_algorithm_t alg,
2206
                              const uint8_t *nonce,
2207
                              size_t nonce_length,
2208
                              const uint8_t *additional_data,
2209
                              size_t additional_data_length,
2210
                              const uint8_t *ciphertext,
2211
                              size_t ciphertext_length,
2212
                              uint8_t *plaintext,
2213
                              size_t plaintext_size,
2214
                              size_t *plaintext_length);
2215

2216
/** The type of the state data structure for multipart AEAD operations.
2217
 *
2218
 * Before calling any function on an AEAD operation object, the application
2219
 * must initialize it by any of the following means:
2220
 * - Set the structure to all-bits-zero, for example:
2221
 *   \code
2222
 *   psa_aead_operation_t operation;
2223
 *   memset(&operation, 0, sizeof(operation));
2224
 *   \endcode
2225
 * - Initialize the structure to logical zero values, for example:
2226
 *   \code
2227
 *   psa_aead_operation_t operation = {0};
2228
 *   \endcode
2229
 * - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT,
2230
 *   for example:
2231
 *   \code
2232
 *   psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
2233
 *   \endcode
2234
 * - Assign the result of the function psa_aead_operation_init()
2235
 *   to the structure, for example:
2236
 *   \code
2237
 *   psa_aead_operation_t operation;
2238
 *   operation = psa_aead_operation_init();
2239
 *   \endcode
2240
 *
2241
 * This is an implementation-defined \c struct. Applications should not
2242
 * make any assumptions about the content of this structure.
2243
 * Implementation details can change in future versions without notice. */
2244
typedef struct psa_aead_operation_s psa_aead_operation_t;
2245

2246
/** \def PSA_AEAD_OPERATION_INIT
2247
 *
2248
 * This macro returns a suitable initializer for an AEAD operation object of
2249
 * type #psa_aead_operation_t.
2250
 */
2251

2252
/** Return an initial value for an AEAD operation object.
2253
 */
2254
#if !(defined(__cplusplus) && defined(_MSC_VER))
2255
static psa_aead_operation_t psa_aead_operation_init(void);
2256
#endif
2257

2258
/** Set the key for a multipart authenticated encryption operation.
2259
 *
2260
 * The sequence of operations to encrypt a message with authentication
2261
 * is as follows:
2262
 * -# Allocate an operation object which will be passed to all the functions
2263
 *    listed here.
2264
 * -# Initialize the operation object with one of the methods described in the
2265
 *    documentation for #psa_aead_operation_t, e.g.
2266
 *    #PSA_AEAD_OPERATION_INIT.
2267
 * -# Call psa_aead_encrypt_setup() to specify the algorithm and key.
2268
 * -# If needed, call psa_aead_set_lengths() to specify the length of the
2269
 *    inputs to the subsequent calls to psa_aead_update_ad() and
2270
 *    psa_aead_update(). See the documentation of psa_aead_set_lengths()
2271
 *    for details.
2272
 * -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to
2273
 *    generate or set the nonce. You should use
2274
 *    psa_aead_generate_nonce() unless the protocol you are implementing
2275
 *    requires a specific nonce value.
2276
 * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
2277
 *    of the non-encrypted additional authenticated data each time.
2278
 * -# Call psa_aead_update() zero, one or more times, passing a fragment
2279
 *    of the message to encrypt each time.
2280
 * -# Call psa_aead_finish().
2281
 *
2282
 * If an error occurs at any step after a call to psa_aead_encrypt_setup(),
2283
 * the operation will need to be reset by a call to psa_aead_abort(). The
2284
 * application may call psa_aead_abort() at any time after the operation
2285
 * has been initialized.
2286
 *
2287
 * After a successful call to psa_aead_encrypt_setup(), the application must
2288
 * eventually terminate the operation. The following events terminate an
2289
 * operation:
2290
 * - A successful call to psa_aead_finish().
2291
 * - A call to psa_aead_abort().
2292
 *
2293
 * \param[in,out] operation     The operation object to set up. It must have
2294
 *                              been initialized as per the documentation for
2295
 *                              #psa_aead_operation_t and not yet in use.
2296
 * \param key                   Identifier of the key to use for the operation.
2297
 *                              It must remain valid until the operation
2298
 *                              terminates. It must allow the usage
2299
 *                              #PSA_KEY_USAGE_ENCRYPT.
2300
 * \param alg                   The AEAD algorithm to compute
2301
 *                              (\c PSA_ALG_XXX value such that
2302
 *                              #PSA_ALG_IS_AEAD(\p alg) is true).
2303
 *
2304
 * \retval #PSA_SUCCESS
2305
 *         Success.
2306
 * \retval #PSA_ERROR_BAD_STATE
2307
 *         The operation state is not valid (it must be inactive), or
2308
 *         the library has not been previously initialized by psa_crypto_init().
2309
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2310
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2311
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2312
 *         \p key is not compatible with \p alg.
2313
 * \retval #PSA_ERROR_NOT_SUPPORTED
2314
 *         \p alg is not supported or is not an AEAD algorithm.
2315
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2316
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2317
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2318
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2319
 * \retval #PSA_ERROR_STORAGE_FAILURE
2320
 *         The library has not been previously initialized by psa_crypto_init().
2321
 *         It is implementation-dependent whether a failure to initialize
2322
 *         results in this error code.
2323
 */
2324
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
2325
                                    mbedtls_svc_key_id_t key,
2326
                                    psa_algorithm_t alg);
2327

2328
/** Set the key for a multipart authenticated decryption operation.
2329
 *
2330
 * The sequence of operations to decrypt a message with authentication
2331
 * is as follows:
2332
 * -# Allocate an operation object which will be passed to all the functions
2333
 *    listed here.
2334
 * -# Initialize the operation object with one of the methods described in the
2335
 *    documentation for #psa_aead_operation_t, e.g.
2336
 *    #PSA_AEAD_OPERATION_INIT.
2337
 * -# Call psa_aead_decrypt_setup() to specify the algorithm and key.
2338
 * -# If needed, call psa_aead_set_lengths() to specify the length of the
2339
 *    inputs to the subsequent calls to psa_aead_update_ad() and
2340
 *    psa_aead_update(). See the documentation of psa_aead_set_lengths()
2341
 *    for details.
2342
 * -# Call psa_aead_set_nonce() with the nonce for the decryption.
2343
 * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
2344
 *    of the non-encrypted additional authenticated data each time.
2345
 * -# Call psa_aead_update() zero, one or more times, passing a fragment
2346
 *    of the ciphertext to decrypt each time.
2347
 * -# Call psa_aead_verify().
2348
 *
2349
 * If an error occurs at any step after a call to psa_aead_decrypt_setup(),
2350
 * the operation will need to be reset by a call to psa_aead_abort(). The
2351
 * application may call psa_aead_abort() at any time after the operation
2352
 * has been initialized.
2353
 *
2354
 * After a successful call to psa_aead_decrypt_setup(), the application must
2355
 * eventually terminate the operation. The following events terminate an
2356
 * operation:
2357
 * - A successful call to psa_aead_verify().
2358
 * - A call to psa_aead_abort().
2359
 *
2360
 * \param[in,out] operation     The operation object to set up. It must have
2361
 *                              been initialized as per the documentation for
2362
 *                              #psa_aead_operation_t and not yet in use.
2363
 * \param key                   Identifier of the key to use for the operation.
2364
 *                              It must remain valid until the operation
2365
 *                              terminates. It must allow the usage
2366
 *                              #PSA_KEY_USAGE_DECRYPT.
2367
 * \param alg                   The AEAD algorithm to compute
2368
 *                              (\c PSA_ALG_XXX value such that
2369
 *                              #PSA_ALG_IS_AEAD(\p alg) is true).
2370
 *
2371
 * \retval #PSA_SUCCESS
2372
 *         Success.
2373
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2374
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2375
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2376
 *         \p key is not compatible with \p alg.
2377
 * \retval #PSA_ERROR_NOT_SUPPORTED
2378
 *         \p alg is not supported or is not an AEAD algorithm.
2379
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2380
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2381
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2382
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2383
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2384
 * \retval #PSA_ERROR_BAD_STATE
2385
 *         The operation state is not valid (it must be inactive), or the
2386
 *         library has not been previously initialized by psa_crypto_init().
2387
 *         It is implementation-dependent whether a failure to initialize
2388
 *         results in this error code.
2389
 */
2390
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
2391
                                    mbedtls_svc_key_id_t key,
2392
                                    psa_algorithm_t alg);
2393

2394
/** Generate a random nonce for an authenticated encryption operation.
2395
 *
2396
 * This function generates a random nonce for the authenticated encryption
2397
 * operation with an appropriate size for the chosen algorithm, key type
2398
 * and key size.
2399
 *
2400
 * The application must call psa_aead_encrypt_setup() before
2401
 * calling this function.
2402
 *
2403
 * If this function returns an error status, the operation enters an error
2404
 * state and must be aborted by calling psa_aead_abort().
2405
 *
2406
 * \param[in,out] operation     Active AEAD operation.
2407
 * \param[out] nonce            Buffer where the generated nonce is to be
2408
 *                              written.
2409
 * \param nonce_size            Size of the \p nonce buffer in bytes.
2410
 * \param[out] nonce_length     On success, the number of bytes of the
2411
 *                              generated nonce.
2412
 *
2413
 * \retval #PSA_SUCCESS
2414
 *         Success.
2415
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2416
 *         The size of the \p nonce buffer is too small.
2417
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2418
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2419
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2420
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2421
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2422
 * \retval #PSA_ERROR_BAD_STATE
2423
 *         The operation state is not valid (it must be an active aead encrypt
2424
 *         operation, with no nonce set), or the library has not been
2425
 *         previously initialized by psa_crypto_init().
2426
 *         It is implementation-dependent whether a failure to initialize
2427
 *         results in this error code.
2428
 */
2429
psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
2430
                                     uint8_t *nonce,
2431
                                     size_t nonce_size,
2432
                                     size_t *nonce_length);
2433

2434
/** Set the nonce for an authenticated encryption or decryption operation.
2435
 *
2436
 * This function sets the nonce for the authenticated
2437
 * encryption or decryption operation.
2438
 *
2439
 * The application must call psa_aead_encrypt_setup() or
2440
 * psa_aead_decrypt_setup() before calling this function.
2441
 *
2442
 * If this function returns an error status, the operation enters an error
2443
 * state and must be aborted by calling psa_aead_abort().
2444
 *
2445
 * \note When encrypting, applications should use psa_aead_generate_nonce()
2446
 * instead of this function, unless implementing a protocol that requires
2447
 * a non-random IV.
2448
 *
2449
 * \param[in,out] operation     Active AEAD operation.
2450
 * \param[in] nonce             Buffer containing the nonce to use.
2451
 * \param nonce_length          Size of the nonce in bytes.
2452
 *
2453
 * \retval #PSA_SUCCESS
2454
 *         Success.
2455
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2456
 *         The size of \p nonce is not acceptable for the chosen algorithm.
2457
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2458
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2459
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2460
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2461
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2462
 * \retval #PSA_ERROR_BAD_STATE
2463
 *         The operation state is not valid (it must be active, with no nonce
2464
 *         set), or the library has not been previously initialized
2465
 *         by psa_crypto_init().
2466
 *         It is implementation-dependent whether a failure to initialize
2467
 *         results in this error code.
2468
 */
2469
psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
2470
                                const uint8_t *nonce,
2471
                                size_t nonce_length);
2472

2473
/** Declare the lengths of the message and additional data for AEAD.
2474
 *
2475
 * The application must call this function before calling
2476
 * psa_aead_update_ad() or psa_aead_update() if the algorithm for
2477
 * the operation requires it. If the algorithm does not require it,
2478
 * calling this function is optional, but if this function is called
2479
 * then the implementation must enforce the lengths.
2480
 *
2481
 * You may call this function before or after setting the nonce with
2482
 * psa_aead_set_nonce() or psa_aead_generate_nonce().
2483
 *
2484
 * - For #PSA_ALG_CCM, calling this function is required.
2485
 * - For the other AEAD algorithms defined in this specification, calling
2486
 *   this function is not required.
2487
 * - For vendor-defined algorithm, refer to the vendor documentation.
2488
 *
2489
 * If this function returns an error status, the operation enters an error
2490
 * state and must be aborted by calling psa_aead_abort().
2491
 *
2492
 * \param[in,out] operation     Active AEAD operation.
2493
 * \param ad_length             Size of the non-encrypted additional
2494
 *                              authenticated data in bytes.
2495
 * \param plaintext_length      Size of the plaintext to encrypt in bytes.
2496
 *
2497
 * \retval #PSA_SUCCESS
2498
 *         Success.
2499
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2500
 *         At least one of the lengths is not acceptable for the chosen
2501
 *         algorithm.
2502
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2503
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2504
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2505
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2506
 * \retval #PSA_ERROR_BAD_STATE
2507
 *         The operation state is not valid (it must be active, and
2508
 *         psa_aead_update_ad() and psa_aead_update() must not have been
2509
 *         called yet), or the library has not been previously initialized
2510
 *         by psa_crypto_init().
2511
 *         It is implementation-dependent whether a failure to initialize
2512
 *         results in this error code.
2513
 */
2514
psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
2515
                                  size_t ad_length,
2516
                                  size_t plaintext_length);
2517

2518
/** Pass additional data to an active AEAD operation.
2519
 *
2520
 * Additional data is authenticated, but not encrypted.
2521
 *
2522
 * You may call this function multiple times to pass successive fragments
2523
 * of the additional data. You may not call this function after passing
2524
 * data to encrypt or decrypt with psa_aead_update().
2525
 *
2526
 * Before calling this function, you must:
2527
 * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
2528
 * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
2529
 *
2530
 * If this function returns an error status, the operation enters an error
2531
 * state and must be aborted by calling psa_aead_abort().
2532
 *
2533
 * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
2534
 *          there is no guarantee that the input is valid. Therefore, until
2535
 *          you have called psa_aead_verify() and it has returned #PSA_SUCCESS,
2536
 *          treat the input as untrusted and prepare to undo any action that
2537
 *          depends on the input if psa_aead_verify() returns an error status.
2538
 *
2539
 * \param[in,out] operation     Active AEAD operation.
2540
 * \param[in] input             Buffer containing the fragment of
2541
 *                              additional data.
2542
 * \param input_length          Size of the \p input buffer in bytes.
2543
 *
2544
 * \retval #PSA_SUCCESS
2545
 *         Success.
2546
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2547
 *         The total input length overflows the additional data length that
2548
 *         was previously specified with psa_aead_set_lengths().
2549
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2550
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2551
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2552
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2553
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2554
 * \retval #PSA_ERROR_BAD_STATE
2555
 *         The operation state is not valid (it must be active, have a nonce
2556
 *         set, have lengths set if required by the algorithm, and
2557
 *         psa_aead_update() must not have been called yet), or the library
2558
 *         has not been previously initialized by psa_crypto_init().
2559
 *         It is implementation-dependent whether a failure to initialize
2560
 *         results in this error code.
2561
 */
2562
psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
2563
                                const uint8_t *input,
2564
                                size_t input_length);
2565

2566
/** Encrypt or decrypt a message fragment in an active AEAD operation.
2567
 *
2568
 * Before calling this function, you must:
2569
 * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
2570
 *    The choice of setup function determines whether this function
2571
 *    encrypts or decrypts its input.
2572
 * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
2573
 * 3. Call psa_aead_update_ad() to pass all the additional data.
2574
 *
2575
 * If this function returns an error status, the operation enters an error
2576
 * state and must be aborted by calling psa_aead_abort().
2577
 *
2578
 * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
2579
 *          there is no guarantee that the input is valid. Therefore, until
2580
 *          you have called psa_aead_verify() and it has returned #PSA_SUCCESS:
2581
 *          - Do not use the output in any way other than storing it in a
2582
 *            confidential location. If you take any action that depends
2583
 *            on the tentative decrypted data, this action will need to be
2584
 *            undone if the input turns out not to be valid. Furthermore,
2585
 *            if an adversary can observe that this action took place
2586
 *            (for example through timing), they may be able to use this
2587
 *            fact as an oracle to decrypt any message encrypted with the
2588
 *            same key.
2589
 *          - In particular, do not copy the output anywhere but to a
2590
 *            memory or storage space that you have exclusive access to.
2591
 *
2592
 * This function does not require the input to be aligned to any
2593
 * particular block boundary. If the implementation can only process
2594
 * a whole block at a time, it must consume all the input provided, but
2595
 * it may delay the end of the corresponding output until a subsequent
2596
 * call to psa_aead_update(), psa_aead_finish() or psa_aead_verify()
2597
 * provides sufficient input. The amount of data that can be delayed
2598
 * in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
2599
 *
2600
 * \param[in,out] operation     Active AEAD operation.
2601
 * \param[in] input             Buffer containing the message fragment to
2602
 *                              encrypt or decrypt.
2603
 * \param input_length          Size of the \p input buffer in bytes.
2604
 * \param[out] output           Buffer where the output is to be written.
2605
 * \param output_size           Size of the \p output buffer in bytes.
2606
 *                              This must be appropriate for the selected
2607
 *                                algorithm and key:
2608
 *                                - A sufficient output size is
2609
 *                                  #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
2610
 *                                  \c alg, \p input_length) where
2611
 *                                  \c key_type is the type of key and \c alg is
2612
 *                                  the algorithm that were used to set up the
2613
 *                                  operation.
2614
 *                                - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
2615
 *                                  input_length) evaluates to the maximum
2616
 *                                  output size of any supported AEAD
2617
 *                                  algorithm.
2618
 * \param[out] output_length    On success, the number of bytes
2619
 *                              that make up the returned output.
2620
 *
2621
 * \retval #PSA_SUCCESS
2622
 *         Success.
2623
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2624
 *         The size of the \p output buffer is too small.
2625
 *         #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
2626
 *         #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
2627
 *         determine the required buffer size.
2628
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2629
 *         The total length of input to psa_aead_update_ad() so far is
2630
 *         less than the additional data length that was previously
2631
 *         specified with psa_aead_set_lengths(), or
2632
 *         the total input length overflows the plaintext length that
2633
 *         was previously specified with psa_aead_set_lengths().
2634
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2635
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2636
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2637
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2638
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2639
 * \retval #PSA_ERROR_BAD_STATE
2640
 *         The operation state is not valid (it must be active, have a nonce
2641
 *         set, and have lengths set if required by the algorithm), or the
2642
 *         library has not been previously initialized by psa_crypto_init().
2643
 *         It is implementation-dependent whether a failure to initialize
2644
 *         results in this error code.
2645
 */
2646
psa_status_t psa_aead_update(psa_aead_operation_t *operation,
2647
                             const uint8_t *input,
2648
                             size_t input_length,
2649
                             uint8_t *output,
2650
                             size_t output_size,
2651
                             size_t *output_length);
2652

2653
/** Finish encrypting a message in an AEAD operation.
2654
 *
2655
 * The operation must have been set up with psa_aead_encrypt_setup().
2656
 *
2657
 * This function finishes the authentication of the additional data
2658
 * formed by concatenating the inputs passed to preceding calls to
2659
 * psa_aead_update_ad() with the plaintext formed by concatenating the
2660
 * inputs passed to preceding calls to psa_aead_update().
2661
 *
2662
 * This function has two output buffers:
2663
 * - \p ciphertext contains trailing ciphertext that was buffered from
2664
 *   preceding calls to psa_aead_update().
2665
 * - \p tag contains the authentication tag.
2666
 *
2667
 * When this function returns successfully, the operation becomes inactive.
2668
 * If this function returns an error status, the operation enters an error
2669
 * state and must be aborted by calling psa_aead_abort().
2670
 *
2671
 * \param[in,out] operation     Active AEAD operation.
2672
 * \param[out] ciphertext       Buffer where the last part of the ciphertext
2673
 *                              is to be written.
2674
 * \param ciphertext_size       Size of the \p ciphertext buffer in bytes.
2675
 *                              This must be appropriate for the selected
2676
 *                              algorithm and key:
2677
 *                              - A sufficient output size is
2678
 *                                #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
2679
 *                                \c alg) where \c key_type is the type of key
2680
 *                                and \c alg is the algorithm that were used to
2681
 *                                set up the operation.
2682
 *                              - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
2683
 *                                the maximum output size of any supported AEAD
2684
 *                                algorithm.
2685
 * \param[out] ciphertext_length On success, the number of bytes of
2686
 *                              returned ciphertext.
2687
 * \param[out] tag              Buffer where the authentication tag is
2688
 *                              to be written.
2689
 * \param tag_size              Size of the \p tag buffer in bytes.
2690
 *                              This must be appropriate for the selected
2691
 *                              algorithm and key:
2692
 *                              - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
2693
 *                                key_type, \c key_bits, \c alg) where
2694
 *                                \c key_type and \c key_bits are the type and
2695
 *                                bit-size of the key, and \c alg is the
2696
 *                                algorithm that were used in the call to
2697
 *                                psa_aead_encrypt_setup().
2698
 *                              - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
2699
 *                                maximum tag size of any supported AEAD
2700
 *                                algorithm.
2701
 * \param[out] tag_length       On success, the number of bytes
2702
 *                              that make up the returned tag.
2703
 *
2704
 * \retval #PSA_SUCCESS
2705
 *         Success.
2706
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2707
 *         The size of the \p ciphertext or \p tag buffer is too small.
2708
 *         #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or
2709
 *         #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the
2710
 *         required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type,
2711
 *         \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to
2712
 *         determine the required \p tag buffer size.
2713
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2714
 *         The total length of input to psa_aead_update_ad() so far is
2715
 *         less than the additional data length that was previously
2716
 *         specified with psa_aead_set_lengths(), or
2717
 *         the total length of input to psa_aead_update() so far is
2718
 *         less than the plaintext length that was previously
2719
 *         specified with psa_aead_set_lengths().
2720
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2721
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2722
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2723
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2724
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2725
 * \retval #PSA_ERROR_BAD_STATE
2726
 *         The operation state is not valid (it must be an active encryption
2727
 *         operation with a nonce set), or the library has not been previously
2728
 *         initialized by psa_crypto_init().
2729
 *         It is implementation-dependent whether a failure to initialize
2730
 *         results in this error code.
2731
 */
2732
psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
2733
                             uint8_t *ciphertext,
2734
                             size_t ciphertext_size,
2735
                             size_t *ciphertext_length,
2736
                             uint8_t *tag,
2737
                             size_t tag_size,
2738
                             size_t *tag_length);
2739

2740
/** Finish authenticating and decrypting a message in an AEAD operation.
2741
 *
2742
 * The operation must have been set up with psa_aead_decrypt_setup().
2743
 *
2744
 * This function finishes the authenticated decryption of the message
2745
 * components:
2746
 *
2747
 * -  The additional data consisting of the concatenation of the inputs
2748
 *    passed to preceding calls to psa_aead_update_ad().
2749
 * -  The ciphertext consisting of the concatenation of the inputs passed to
2750
 *    preceding calls to psa_aead_update().
2751
 * -  The tag passed to this function call.
2752
 *
2753
 * If the authentication tag is correct, this function outputs any remaining
2754
 * plaintext and reports success. If the authentication tag is not correct,
2755
 * this function returns #PSA_ERROR_INVALID_SIGNATURE.
2756
 *
2757
 * When this function returns successfully, the operation becomes inactive.
2758
 * If this function returns an error status, the operation enters an error
2759
 * state and must be aborted by calling psa_aead_abort().
2760
 *
2761
 * \note Implementations shall make the best effort to ensure that the
2762
 * comparison between the actual tag and the expected tag is performed
2763
 * in constant time.
2764
 *
2765
 * \param[in,out] operation     Active AEAD operation.
2766
 * \param[out] plaintext        Buffer where the last part of the plaintext
2767
 *                              is to be written. This is the remaining data
2768
 *                              from previous calls to psa_aead_update()
2769
 *                              that could not be processed until the end
2770
 *                              of the input.
2771
 * \param plaintext_size        Size of the \p plaintext buffer in bytes.
2772
 *                              This must be appropriate for the selected algorithm and key:
2773
 *                              - A sufficient output size is
2774
 *                                #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type,
2775
 *                                \c alg) where \c key_type is the type of key
2776
 *                                and \c alg is the algorithm that were used to
2777
 *                                set up the operation.
2778
 *                              - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to
2779
 *                                the maximum output size of any supported AEAD
2780
 *                                algorithm.
2781
 * \param[out] plaintext_length On success, the number of bytes of
2782
 *                              returned plaintext.
2783
 * \param[in] tag               Buffer containing the authentication tag.
2784
 * \param tag_length            Size of the \p tag buffer in bytes.
2785
 *
2786
 * \retval #PSA_SUCCESS
2787
 *         Success.
2788
 * \retval #PSA_ERROR_INVALID_SIGNATURE
2789
 *         The calculations were successful, but the authentication tag is
2790
 *         not correct.
2791
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2792
 *         The size of the \p plaintext buffer is too small.
2793
 *         #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or
2794
 *         #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the
2795
 *         required buffer size.
2796
 * \retval #PSA_ERROR_INVALID_ARGUMENT
2797
 *         The total length of input to psa_aead_update_ad() so far is
2798
 *         less than the additional data length that was previously
2799
 *         specified with psa_aead_set_lengths(), or
2800
 *         the total length of input to psa_aead_update() so far is
2801
 *         less than the plaintext length that was previously
2802
 *         specified with psa_aead_set_lengths().
2803
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2804
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2805
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2806
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2807
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2808
 * \retval #PSA_ERROR_BAD_STATE
2809
 *         The operation state is not valid (it must be an active decryption
2810
 *         operation with a nonce set), or the library has not been previously
2811
 *         initialized by psa_crypto_init().
2812
 *         It is implementation-dependent whether a failure to initialize
2813
 *         results in this error code.
2814
 */
2815
psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
2816
                             uint8_t *plaintext,
2817
                             size_t plaintext_size,
2818
                             size_t *plaintext_length,
2819
                             const uint8_t *tag,
2820
                             size_t tag_length);
2821

2822
/** Abort an AEAD operation.
2823
 *
2824
 * Aborting an operation frees all associated resources except for the
2825
 * \p operation structure itself. Once aborted, the operation object
2826
 * can be reused for another operation by calling
2827
 * psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again.
2828
 *
2829
 * You may call this function any time after the operation object has
2830
 * been initialized as described in #psa_aead_operation_t.
2831
 *
2832
 * In particular, calling psa_aead_abort() after the operation has been
2833
 * terminated by a call to psa_aead_abort(), psa_aead_finish() or
2834
 * psa_aead_verify() is safe and has no effect.
2835
 *
2836
 * \param[in,out] operation     Initialized AEAD operation.
2837
 *
2838
 * \retval #PSA_SUCCESS \emptydescription
2839
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2840
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2841
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2842
 * \retval #PSA_ERROR_BAD_STATE
2843
 *         The library has not been previously initialized by psa_crypto_init().
2844
 *         It is implementation-dependent whether a failure to initialize
2845
 *         results in this error code.
2846
 */
2847
psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
2848

2849
/**@}*/
2850

2851
/** \defgroup asymmetric Asymmetric cryptography
2852
 * @{
2853
 */
2854

2855
/**
2856
 * \brief Sign a message with a private key. For hash-and-sign algorithms,
2857
 *        this includes the hashing step.
2858
 *
2859
 * \note To perform a multi-part hash-and-sign signature algorithm, first use
2860
 *       a multi-part hash operation and then pass the resulting hash to
2861
 *       psa_sign_hash(). PSA_ALG_GET_HASH(\p alg) can be used to determine the
2862
 *       hash algorithm to use.
2863
 *
2864
 * \param[in]  key              Identifier of the key to use for the operation.
2865
 *                              It must be an asymmetric key pair. The key must
2866
 *                              allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.
2867
 * \param[in]  alg              An asymmetric signature algorithm (PSA_ALG_XXX
2868
 *                              value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
2869
 *                              is true), that is compatible with the type of
2870
 *                              \p key.
2871
 * \param[in]  input            The input message to sign.
2872
 * \param[in]  input_length     Size of the \p input buffer in bytes.
2873
 * \param[out] signature        Buffer where the signature is to be written.
2874
 * \param[in]  signature_size   Size of the \p signature buffer in bytes. This
2875
 *                              must be appropriate for the selected
2876
 *                              algorithm and key:
2877
 *                              - The required signature size is
2878
 *                                #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2879
 *                                where \c key_type and \c key_bits are the type and
2880
 *                                bit-size respectively of key.
2881
 *                              - #PSA_SIGNATURE_MAX_SIZE evaluates to the
2882
 *                                maximum signature size of any supported
2883
 *                                signature algorithm.
2884
 * \param[out] signature_length On success, the number of bytes that make up
2885
 *                              the returned signature value.
2886
 *
2887
 * \retval #PSA_SUCCESS \emptydescription
2888
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2889
 * \retval #PSA_ERROR_NOT_PERMITTED
2890
 *         The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
2891
 *         or it does not permit the requested algorithm.
2892
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2893
 *         The size of the \p signature buffer is too small. You can
2894
 *         determine a sufficient buffer size by calling
2895
 *         #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2896
 *         where \c key_type and \c key_bits are the type and bit-size
2897
 *         respectively of \p key.
2898
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
2899
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
2900
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2901
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2902
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2903
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2904
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2905
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
2906
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
2907
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
2908
 * \retval #PSA_ERROR_BAD_STATE
2909
 *         The library has not been previously initialized by psa_crypto_init().
2910
 *         It is implementation-dependent whether a failure to initialize
2911
 *         results in this error code.
2912
 */
2913
psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
2914
                              psa_algorithm_t alg,
2915
                              const uint8_t *input,
2916
                              size_t input_length,
2917
                              uint8_t *signature,
2918
                              size_t signature_size,
2919
                              size_t *signature_length);
2920

2921
/** \brief Verify the signature of a message with a public key, using
2922
 *         a hash-and-sign verification algorithm.
2923
 *
2924
 * \note To perform a multi-part hash-and-sign signature verification
2925
 *       algorithm, first use a multi-part hash operation to hash the message
2926
 *       and then pass the resulting hash to psa_verify_hash().
2927
 *       PSA_ALG_GET_HASH(\p alg) can be used to determine the hash algorithm
2928
 *       to use.
2929
 *
2930
 * \param[in]  key              Identifier of the key to use for the operation.
2931
 *                              It must be a public key or an asymmetric key
2932
 *                              pair. The key must allow the usage
2933
 *                              #PSA_KEY_USAGE_VERIFY_MESSAGE.
2934
 * \param[in]  alg              An asymmetric signature algorithm (PSA_ALG_XXX
2935
 *                              value such that #PSA_ALG_IS_SIGN_MESSAGE(\p alg)
2936
 *                              is true), that is compatible with the type of
2937
 *                              \p key.
2938
 * \param[in]  input            The message whose signature is to be verified.
2939
 * \param[in]  input_length     Size of the \p input buffer in bytes.
2940
 * \param[in] signature         Buffer containing the signature to verify.
2941
 * \param[in]  signature_length Size of the \p signature buffer in bytes.
2942
 *
2943
 * \retval #PSA_SUCCESS \emptydescription
2944
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2945
 * \retval #PSA_ERROR_NOT_PERMITTED
2946
 *         The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
2947
 *         or it does not permit the requested algorithm.
2948
 * \retval #PSA_ERROR_INVALID_SIGNATURE
2949
 *         The calculation was performed successfully, but the passed signature
2950
 *         is not a valid signature.
2951
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
2952
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
2953
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
2954
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
2955
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
2956
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
2957
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
2958
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
2959
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
2960
 * \retval #PSA_ERROR_BAD_STATE
2961
 *         The library has not been previously initialized by psa_crypto_init().
2962
 *         It is implementation-dependent whether a failure to initialize
2963
 *         results in this error code.
2964
 */
2965
psa_status_t psa_verify_message(mbedtls_svc_key_id_t key,
2966
                                psa_algorithm_t alg,
2967
                                const uint8_t *input,
2968
                                size_t input_length,
2969
                                const uint8_t *signature,
2970
                                size_t signature_length);
2971

2972
/**
2973
 * \brief Sign a hash or short message with a private key.
2974
 *
2975
 * Note that to perform a hash-and-sign signature algorithm, you must
2976
 * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
2977
 * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
2978
 * Then pass the resulting hash as the \p hash
2979
 * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
2980
 * to determine the hash algorithm to use.
2981
 *
2982
 * \param key                   Identifier of the key to use for the operation.
2983
 *                              It must be an asymmetric key pair. The key must
2984
 *                              allow the usage #PSA_KEY_USAGE_SIGN_HASH.
2985
 * \param alg                   A signature algorithm (PSA_ALG_XXX
2986
 *                              value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
2987
 *                              is true), that is compatible with
2988
 *                              the type of \p key.
2989
 * \param[in] hash              The hash or message to sign.
2990
 * \param hash_length           Size of the \p hash buffer in bytes.
2991
 * \param[out] signature        Buffer where the signature is to be written.
2992
 * \param signature_size        Size of the \p signature buffer in bytes.
2993
 * \param[out] signature_length On success, the number of bytes
2994
 *                              that make up the returned signature value.
2995
 *
2996
 * \retval #PSA_SUCCESS \emptydescription
2997
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
2998
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
2999
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3000
 *         The size of the \p signature buffer is too small. You can
3001
 *         determine a sufficient buffer size by calling
3002
 *         #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
3003
 *         where \c key_type and \c key_bits are the type and bit-size
3004
 *         respectively of \p key.
3005
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3006
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3007
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3008
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3009
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3010
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3011
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3012
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
3013
 * \retval #PSA_ERROR_BAD_STATE
3014
 *         The library has not been previously initialized by psa_crypto_init().
3015
 *         It is implementation-dependent whether a failure to initialize
3016
 *         results in this error code.
3017
 */
3018
psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
3019
                           psa_algorithm_t alg,
3020
                           const uint8_t *hash,
3021
                           size_t hash_length,
3022
                           uint8_t *signature,
3023
                           size_t signature_size,
3024
                           size_t *signature_length);
3025

3026
/**
3027
 * \brief Verify the signature of a hash or short message using a public key.
3028
 *
3029
 * Note that to perform a hash-and-sign signature algorithm, you must
3030
 * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
3031
 * and psa_hash_finish(), or alternatively by calling psa_hash_compute().
3032
 * Then pass the resulting hash as the \p hash
3033
 * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
3034
 * to determine the hash algorithm to use.
3035
 *
3036
 * \param key               Identifier of the key to use for the operation. It
3037
 *                          must be a public key or an asymmetric key pair. The
3038
 *                          key must allow the usage
3039
 *                          #PSA_KEY_USAGE_VERIFY_HASH.
3040
 * \param alg               A signature algorithm (PSA_ALG_XXX
3041
 *                          value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
3042
 *                          is true), that is compatible with
3043
 *                          the type of \p key.
3044
 * \param[in] hash          The hash or message whose signature is to be
3045
 *                          verified.
3046
 * \param hash_length       Size of the \p hash buffer in bytes.
3047
 * \param[in] signature     Buffer containing the signature to verify.
3048
 * \param signature_length  Size of the \p signature buffer in bytes.
3049
 *
3050
 * \retval #PSA_SUCCESS
3051
 *         The signature is valid.
3052
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3053
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3054
 * \retval #PSA_ERROR_INVALID_SIGNATURE
3055
 *         The calculation was performed successfully, but the passed
3056
 *         signature is not a valid signature.
3057
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3058
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3059
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3060
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3061
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3062
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3063
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3064
 * \retval #PSA_ERROR_BAD_STATE
3065
 *         The library has not been previously initialized by psa_crypto_init().
3066
 *         It is implementation-dependent whether a failure to initialize
3067
 *         results in this error code.
3068
 */
3069
psa_status_t psa_verify_hash(mbedtls_svc_key_id_t key,
3070
                             psa_algorithm_t alg,
3071
                             const uint8_t *hash,
3072
                             size_t hash_length,
3073
                             const uint8_t *signature,
3074
                             size_t signature_length);
3075

3076
/**
3077
 * \brief Encrypt a short message with a public key.
3078
 *
3079
 * \param key                   Identifier of the key to use for the operation.
3080
 *                              It must be a public key or an asymmetric key
3081
 *                              pair. It must allow the usage
3082
 *                              #PSA_KEY_USAGE_ENCRYPT.
3083
 * \param alg                   An asymmetric encryption algorithm that is
3084
 *                              compatible with the type of \p key.
3085
 * \param[in] input             The message to encrypt.
3086
 * \param input_length          Size of the \p input buffer in bytes.
3087
 * \param[in] salt              A salt or label, if supported by the
3088
 *                              encryption algorithm.
3089
 *                              If the algorithm does not support a
3090
 *                              salt, pass \c NULL.
3091
 *                              If the algorithm supports an optional
3092
 *                              salt and you do not want to pass a salt,
3093
 *                              pass \c NULL.
3094
 *
3095
 *                              - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
3096
 *                                supported.
3097
 * \param salt_length           Size of the \p salt buffer in bytes.
3098
 *                              If \p salt is \c NULL, pass 0.
3099
 * \param[out] output           Buffer where the encrypted message is to
3100
 *                              be written.
3101
 * \param output_size           Size of the \p output buffer in bytes.
3102
 * \param[out] output_length    On success, the number of bytes
3103
 *                              that make up the returned output.
3104
 *
3105
 * \retval #PSA_SUCCESS \emptydescription
3106
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3107
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3108
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3109
 *         The size of the \p output buffer is too small. You can
3110
 *         determine a sufficient buffer size by calling
3111
 *         #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
3112
 *         where \c key_type and \c key_bits are the type and bit-size
3113
 *         respectively of \p key.
3114
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3115
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3116
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3117
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3118
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3119
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3120
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3121
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
3122
 * \retval #PSA_ERROR_BAD_STATE
3123
 *         The library has not been previously initialized by psa_crypto_init().
3124
 *         It is implementation-dependent whether a failure to initialize
3125
 *         results in this error code.
3126
 */
3127
psa_status_t psa_asymmetric_encrypt(mbedtls_svc_key_id_t key,
3128
                                    psa_algorithm_t alg,
3129
                                    const uint8_t *input,
3130
                                    size_t input_length,
3131
                                    const uint8_t *salt,
3132
                                    size_t salt_length,
3133
                                    uint8_t *output,
3134
                                    size_t output_size,
3135
                                    size_t *output_length);
3136

3137
/**
3138
 * \brief Decrypt a short message with a private key.
3139
 *
3140
 * \param key                   Identifier of the key to use for the operation.
3141
 *                              It must be an asymmetric key pair. It must
3142
 *                              allow the usage #PSA_KEY_USAGE_DECRYPT.
3143
 * \param alg                   An asymmetric encryption algorithm that is
3144
 *                              compatible with the type of \p key.
3145
 * \param[in] input             The message to decrypt.
3146
 * \param input_length          Size of the \p input buffer in bytes.
3147
 * \param[in] salt              A salt or label, if supported by the
3148
 *                              encryption algorithm.
3149
 *                              If the algorithm does not support a
3150
 *                              salt, pass \c NULL.
3151
 *                              If the algorithm supports an optional
3152
 *                              salt and you do not want to pass a salt,
3153
 *                              pass \c NULL.
3154
 *
3155
 *                              - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
3156
 *                                supported.
3157
 * \param salt_length           Size of the \p salt buffer in bytes.
3158
 *                              If \p salt is \c NULL, pass 0.
3159
 * \param[out] output           Buffer where the decrypted message is to
3160
 *                              be written.
3161
 * \param output_size           Size of the \c output buffer in bytes.
3162
 * \param[out] output_length    On success, the number of bytes
3163
 *                              that make up the returned output.
3164
 *
3165
 * \retval #PSA_SUCCESS \emptydescription
3166
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3167
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3168
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3169
 *         The size of the \p output buffer is too small. You can
3170
 *         determine a sufficient buffer size by calling
3171
 *         #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
3172
 *         where \c key_type and \c key_bits are the type and bit-size
3173
 *         respectively of \p key.
3174
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
3175
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
3176
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3177
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3178
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3179
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3180
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3181
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
3182
 * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
3183
 * \retval #PSA_ERROR_BAD_STATE
3184
 *         The library has not been previously initialized by psa_crypto_init().
3185
 *         It is implementation-dependent whether a failure to initialize
3186
 *         results in this error code.
3187
 */
3188
psa_status_t psa_asymmetric_decrypt(mbedtls_svc_key_id_t key,
3189
                                    psa_algorithm_t alg,
3190
                                    const uint8_t *input,
3191
                                    size_t input_length,
3192
                                    const uint8_t *salt,
3193
                                    size_t salt_length,
3194
                                    uint8_t *output,
3195
                                    size_t output_size,
3196
                                    size_t *output_length);
3197

3198
/**@}*/
3199

3200
/** \defgroup key_derivation Key derivation and pseudorandom generation
3201
 * @{
3202
 */
3203

3204
/** The type of the state data structure for key derivation operations.
3205
 *
3206
 * Before calling any function on a key derivation operation object, the
3207
 * application must initialize it by any of the following means:
3208
 * - Set the structure to all-bits-zero, for example:
3209
 *   \code
3210
 *   psa_key_derivation_operation_t operation;
3211
 *   memset(&operation, 0, sizeof(operation));
3212
 *   \endcode
3213
 * - Initialize the structure to logical zero values, for example:
3214
 *   \code
3215
 *   psa_key_derivation_operation_t operation = {0};
3216
 *   \endcode
3217
 * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
3218
 *   for example:
3219
 *   \code
3220
 *   psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
3221
 *   \endcode
3222
 * - Assign the result of the function psa_key_derivation_operation_init()
3223
 *   to the structure, for example:
3224
 *   \code
3225
 *   psa_key_derivation_operation_t operation;
3226
 *   operation = psa_key_derivation_operation_init();
3227
 *   \endcode
3228
 *
3229
 * This is an implementation-defined \c struct. Applications should not
3230
 * make any assumptions about the content of this structure.
3231
 * Implementation details can change in future versions without notice.
3232
 */
3233
typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
3234

3235
/** \def PSA_KEY_DERIVATION_OPERATION_INIT
3236
 *
3237
 * This macro returns a suitable initializer for a key derivation operation
3238
 * object of type #psa_key_derivation_operation_t.
3239
 */
3240

3241
/** Return an initial value for a key derivation operation object.
3242
 */
3243
#if !(defined(__cplusplus) && defined(_MSC_VER))
3244
static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
3245
#endif
3246

3247
/** Set up a key derivation operation.
3248
 *
3249
 * A key derivation algorithm takes some inputs and uses them to generate
3250
 * a byte stream in a deterministic way.
3251
 * This byte stream can be used to produce keys and other
3252
 * cryptographic material.
3253
 *
3254
 * To derive a key:
3255
 * -# Start with an initialized object of type #psa_key_derivation_operation_t.
3256
 * -# Call psa_key_derivation_setup() to select the algorithm.
3257
 * -# Provide the inputs for the key derivation by calling
3258
 *    psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
3259
 *    as appropriate. Which inputs are needed, in what order, and whether
3260
 *    they may be keys and if so of what type depends on the algorithm.
3261
 * -# Optionally set the operation's maximum capacity with
3262
 *    psa_key_derivation_set_capacity(). You may do this before, in the middle
3263
 *    of or after providing inputs. For some algorithms, this step is mandatory
3264
 *    because the output depends on the maximum capacity.
3265
 * -# To derive a key, call psa_key_derivation_output_key() or
3266
 *    psa_key_derivation_output_key_custom().
3267
 *    To derive a byte string for a different purpose, call
3268
 *    psa_key_derivation_output_bytes().
3269
 *    Successive calls to these functions use successive output bytes
3270
 *    calculated by the key derivation algorithm.
3271
 * -# Clean up the key derivation operation object with
3272
 *    psa_key_derivation_abort().
3273
 *
3274
 * If this function returns an error, the key derivation operation object is
3275
 * not changed.
3276
 *
3277
 * If an error occurs at any step after a call to psa_key_derivation_setup(),
3278
 * the operation will need to be reset by a call to psa_key_derivation_abort().
3279
 *
3280
 * Implementations must reject an attempt to derive a key of size 0.
3281
 *
3282
 * \param[in,out] operation       The key derivation operation object
3283
 *                                to set up. It must
3284
 *                                have been initialized but not set up yet.
3285
 * \param alg                     The key derivation algorithm to compute
3286
 *                                (\c PSA_ALG_XXX value such that
3287
 *                                #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
3288
 *
3289
 * \retval #PSA_SUCCESS
3290
 *         Success.
3291
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3292
 *         \c alg is not a key derivation algorithm.
3293
 * \retval #PSA_ERROR_NOT_SUPPORTED
3294
 *         \c alg is not supported or is not a key derivation algorithm.
3295
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3296
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3297
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3298
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3299
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3300
 * \retval #PSA_ERROR_BAD_STATE
3301
 *         The operation state is not valid (it must be inactive), or
3302
 *         the library has not been previously initialized by psa_crypto_init().
3303
 *         It is implementation-dependent whether a failure to initialize
3304
 *         results in this error code.
3305
 */
3306
psa_status_t psa_key_derivation_setup(
3307
    psa_key_derivation_operation_t *operation,
3308
    psa_algorithm_t alg);
3309

3310
/** Retrieve the current capacity of a key derivation operation.
3311
 *
3312
 * The capacity of a key derivation is the maximum number of bytes that it can
3313
 * return. When you get *N* bytes of output from a key derivation operation,
3314
 * this reduces its capacity by *N*.
3315
 *
3316
 * \param[in] operation     The operation to query.
3317
 * \param[out] capacity     On success, the capacity of the operation.
3318
 *
3319
 * \retval #PSA_SUCCESS \emptydescription
3320
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3321
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3322
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3323
 * \retval #PSA_ERROR_BAD_STATE
3324
 *         The operation state is not valid (it must be active), or
3325
 *         the library has not been previously initialized by psa_crypto_init().
3326
 *         It is implementation-dependent whether a failure to initialize
3327
 *         results in this error code.
3328
 */
3329
psa_status_t psa_key_derivation_get_capacity(
3330
    const psa_key_derivation_operation_t *operation,
3331
    size_t *capacity);
3332

3333
/** Set the maximum capacity of a key derivation operation.
3334
 *
3335
 * The capacity of a key derivation operation is the maximum number of bytes
3336
 * that the key derivation operation can return from this point onwards.
3337
 *
3338
 * \param[in,out] operation The key derivation operation object to modify.
3339
 * \param capacity          The new capacity of the operation.
3340
 *                          It must be less or equal to the operation's
3341
 *                          current capacity.
3342
 *
3343
 * \retval #PSA_SUCCESS \emptydescription
3344
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3345
 *         \p capacity is larger than the operation's current capacity.
3346
 *         In this case, the operation object remains valid and its capacity
3347
 *         remains unchanged.
3348
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3349
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3350
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3351
 * \retval #PSA_ERROR_BAD_STATE
3352
 *         The operation state is not valid (it must be active), or the
3353
 *         library has not been previously initialized by psa_crypto_init().
3354
 *         It is implementation-dependent whether a failure to initialize
3355
 *         results in this error code.
3356
 */
3357
psa_status_t psa_key_derivation_set_capacity(
3358
    psa_key_derivation_operation_t *operation,
3359
    size_t capacity);
3360

3361
/** Use the maximum possible capacity for a key derivation operation.
3362
 *
3363
 * Use this value as the capacity argument when setting up a key derivation
3364
 * to indicate that the operation should have the maximum possible capacity.
3365
 * The value of the maximum possible capacity depends on the key derivation
3366
 * algorithm.
3367
 */
3368
#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t) (-1))
3369

3370
/** Provide an input for key derivation or key agreement.
3371
 *
3372
 * Which inputs are required and in what order depends on the algorithm.
3373
 * Refer to the documentation of each key derivation or key agreement
3374
 * algorithm for information.
3375
 *
3376
 * This function passes direct inputs, which is usually correct for
3377
 * non-secret inputs. To pass a secret input, which should be in a key
3378
 * object, call psa_key_derivation_input_key() instead of this function.
3379
 * Refer to the documentation of individual step types
3380
 * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
3381
 * for more information.
3382
 *
3383
 * If this function returns an error status, the operation enters an error
3384
 * state and must be aborted by calling psa_key_derivation_abort().
3385
 *
3386
 * \param[in,out] operation       The key derivation operation object to use.
3387
 *                                It must have been set up with
3388
 *                                psa_key_derivation_setup() and must not
3389
 *                                have produced any output yet.
3390
 * \param step                    Which step the input data is for.
3391
 * \param[in] data                Input data to use.
3392
 * \param data_length             Size of the \p data buffer in bytes.
3393
 *
3394
 * \retval #PSA_SUCCESS
3395
 *         Success.
3396
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3397
 *         \c step is not compatible with the operation's algorithm, or
3398
 *         \c step does not allow direct inputs.
3399
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3400
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3401
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3402
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3403
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3404
 * \retval #PSA_ERROR_BAD_STATE
3405
 *         The operation state is not valid for this input \p step, or
3406
 *         the library has not been previously initialized by psa_crypto_init().
3407
 *         It is implementation-dependent whether a failure to initialize
3408
 *         results in this error code.
3409
 */
3410
psa_status_t psa_key_derivation_input_bytes(
3411
    psa_key_derivation_operation_t *operation,
3412
    psa_key_derivation_step_t step,
3413
    const uint8_t *data,
3414
    size_t data_length);
3415

3416
/** Provide a numeric input for key derivation or key agreement.
3417
 *
3418
 * Which inputs are required and in what order depends on the algorithm.
3419
 * However, when an algorithm requires a particular order, numeric inputs
3420
 * usually come first as they tend to be configuration parameters.
3421
 * Refer to the documentation of each key derivation or key agreement
3422
 * algorithm for information.
3423
 *
3424
 * This function is used for inputs which are fixed-size non-negative
3425
 * integers.
3426
 *
3427
 * If this function returns an error status, the operation enters an error
3428
 * state and must be aborted by calling psa_key_derivation_abort().
3429
 *
3430
 * \param[in,out] operation       The key derivation operation object to use.
3431
 *                                It must have been set up with
3432
 *                                psa_key_derivation_setup() and must not
3433
 *                                have produced any output yet.
3434
 * \param step                    Which step the input data is for.
3435
 * \param[in] value               The value of the numeric input.
3436
 *
3437
 * \retval #PSA_SUCCESS
3438
 *         Success.
3439
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3440
 *         \c step is not compatible with the operation's algorithm, or
3441
 *         \c step does not allow numeric inputs.
3442
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3443
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3444
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3445
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3446
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3447
 * \retval #PSA_ERROR_BAD_STATE
3448
 *         The operation state is not valid for this input \p step, or
3449
 *         the library has not been previously initialized by psa_crypto_init().
3450
 *         It is implementation-dependent whether a failure to initialize
3451
 *         results in this error code.
3452
 */
3453
psa_status_t psa_key_derivation_input_integer(
3454
    psa_key_derivation_operation_t *operation,
3455
    psa_key_derivation_step_t step,
3456
    uint64_t value);
3457

3458
/** Provide an input for key derivation in the form of a key.
3459
 *
3460
 * Which inputs are required and in what order depends on the algorithm.
3461
 * Refer to the documentation of each key derivation or key agreement
3462
 * algorithm for information.
3463
 *
3464
 * This function obtains input from a key object, which is usually correct for
3465
 * secret inputs or for non-secret personalization strings kept in the key
3466
 * store. To pass a non-secret parameter which is not in the key store,
3467
 * call psa_key_derivation_input_bytes() instead of this function.
3468
 * Refer to the documentation of individual step types
3469
 * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
3470
 * for more information.
3471
 *
3472
 * If this function returns an error status, the operation enters an error
3473
 * state and must be aborted by calling psa_key_derivation_abort().
3474
 *
3475
 * \param[in,out] operation       The key derivation operation object to use.
3476
 *                                It must have been set up with
3477
 *                                psa_key_derivation_setup() and must not
3478
 *                                have produced any output yet.
3479
 * \param step                    Which step the input data is for.
3480
 * \param key                     Identifier of the key. It must have an
3481
 *                                appropriate type for step and must allow the
3482
 *                                usage #PSA_KEY_USAGE_DERIVE or
3483
 *                                #PSA_KEY_USAGE_VERIFY_DERIVATION (see note)
3484
 *                                and the algorithm used by the operation.
3485
 *
3486
 * \note Once all inputs steps are completed, the operations will allow:
3487
 * - psa_key_derivation_output_bytes() if each input was either a direct input
3488
 *   or  a key with #PSA_KEY_USAGE_DERIVE set;
3489
 * - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom()
3490
 *   if the input for step
3491
 *   #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
3492
 *   was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
3493
 *   either a direct input or a key with #PSA_KEY_USAGE_DERIVE set;
3494
 * - psa_key_derivation_verify_bytes() if each input was either a direct input
3495
 *   or  a key with #PSA_KEY_USAGE_VERIFY_DERIVATION set;
3496
 * - psa_key_derivation_verify_key() under the same conditions as
3497
 *   psa_key_derivation_verify_bytes().
3498
 *
3499
 * \retval #PSA_SUCCESS
3500
 *         Success.
3501
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3502
 * \retval #PSA_ERROR_NOT_PERMITTED
3503
 *         The key allows neither #PSA_KEY_USAGE_DERIVE nor
3504
 *         #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
3505
 *         algorithm.
3506
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3507
 *         \c step is not compatible with the operation's algorithm, or
3508
 *         \c step does not allow key inputs of the given type
3509
 *         or does not allow key inputs at all.
3510
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3511
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3512
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3513
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3514
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3515
 * \retval #PSA_ERROR_BAD_STATE
3516
 *         The operation state is not valid for this input \p step, or
3517
 *         the library has not been previously initialized by psa_crypto_init().
3518
 *         It is implementation-dependent whether a failure to initialize
3519
 *         results in this error code.
3520
 */
3521
psa_status_t psa_key_derivation_input_key(
3522
    psa_key_derivation_operation_t *operation,
3523
    psa_key_derivation_step_t step,
3524
    mbedtls_svc_key_id_t key);
3525

3526
/** Perform a key agreement and use the shared secret as input to a key
3527
 * derivation.
3528
 *
3529
 * A key agreement algorithm takes two inputs: a private key \p private_key
3530
 * a public key \p peer_key.
3531
 * The result of this function is passed as input to a key derivation.
3532
 * The output of this key derivation can be extracted by reading from the
3533
 * resulting operation to produce keys and other cryptographic material.
3534
 *
3535
 * If this function returns an error status, the operation enters an error
3536
 * state and must be aborted by calling psa_key_derivation_abort().
3537
 *
3538
 * \param[in,out] operation       The key derivation operation object to use.
3539
 *                                It must have been set up with
3540
 *                                psa_key_derivation_setup() with a
3541
 *                                key agreement and derivation algorithm
3542
 *                                \c alg (\c PSA_ALG_XXX value such that
3543
 *                                #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
3544
 *                                and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
3545
 *                                is false).
3546
 *                                The operation must be ready for an
3547
 *                                input of the type given by \p step.
3548
 * \param step                    Which step the input data is for.
3549
 * \param private_key             Identifier of the private key to use. It must
3550
 *                                allow the usage #PSA_KEY_USAGE_DERIVE.
3551
 * \param[in] peer_key      Public key of the peer. The peer key must be in the
3552
 *                          same format that psa_import_key() accepts for the
3553
 *                          public key type corresponding to the type of
3554
 *                          private_key. That is, this function performs the
3555
 *                          equivalent of
3556
 *                          #psa_import_key(...,
3557
 *                          `peer_key`, `peer_key_length`) where
3558
 *                          with key attributes indicating the public key
3559
 *                          type corresponding to the type of `private_key`.
3560
 *                          For example, for EC keys, this means that peer_key
3561
 *                          is interpreted as a point on the curve that the
3562
 *                          private key is on. The standard formats for public
3563
 *                          keys are documented in the documentation of
3564
 *                          psa_export_public_key().
3565
 * \param peer_key_length         Size of \p peer_key in bytes.
3566
 *
3567
 * \retval #PSA_SUCCESS
3568
 *         Success.
3569
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
3570
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
3571
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3572
 *         \c private_key is not compatible with \c alg,
3573
 *         or \p peer_key is not valid for \c alg or not compatible with
3574
 *         \c private_key, or \c step does not allow an input resulting
3575
 *         from a key agreement.
3576
 * \retval #PSA_ERROR_NOT_SUPPORTED
3577
 *         \c alg is not supported or is not a key derivation algorithm.
3578
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3579
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3580
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3581
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3582
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3583
 * \retval #PSA_ERROR_BAD_STATE
3584
 *         The operation state is not valid for this key agreement \p step,
3585
 *         or the library has not been previously initialized by psa_crypto_init().
3586
 *         It is implementation-dependent whether a failure to initialize
3587
 *         results in this error code.
3588
 */
3589
psa_status_t psa_key_derivation_key_agreement(
3590
    psa_key_derivation_operation_t *operation,
3591
    psa_key_derivation_step_t step,
3592
    mbedtls_svc_key_id_t private_key,
3593
    const uint8_t *peer_key,
3594
    size_t peer_key_length);
3595

3596
/** Read some data from a key derivation operation.
3597
 *
3598
 * This function calculates output bytes from a key derivation algorithm and
3599
 * return those bytes.
3600
 * If you view the key derivation's output as a stream of bytes, this
3601
 * function destructively reads the requested number of bytes from the
3602
 * stream.
3603
 * The operation's capacity decreases by the number of bytes read.
3604
 *
3605
 * If this function returns an error status other than
3606
 * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
3607
 * state and must be aborted by calling psa_key_derivation_abort().
3608
 *
3609
 * \param[in,out] operation The key derivation operation object to read from.
3610
 * \param[out] output       Buffer where the output will be written.
3611
 * \param output_length     Number of bytes to output.
3612
 *
3613
 * \retval #PSA_SUCCESS \emptydescription
3614
 * \retval #PSA_ERROR_NOT_PERMITTED
3615
 *         One of the inputs was a key whose policy didn't allow
3616
 *         #PSA_KEY_USAGE_DERIVE.
3617
 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3618
 *                          The operation's capacity was less than
3619
 *                          \p output_length bytes. Note that in this case,
3620
 *                          no output is written to the output buffer.
3621
 *                          The operation's capacity is set to 0, thus
3622
 *                          subsequent calls to this function will not
3623
 *                          succeed, even with a smaller output buffer.
3624
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3625
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3626
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3627
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3628
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3629
 * \retval #PSA_ERROR_BAD_STATE
3630
 *         The operation state is not valid (it must be active and completed
3631
 *         all required input steps), or the library has not been previously
3632
 *         initialized by psa_crypto_init().
3633
 *         It is implementation-dependent whether a failure to initialize
3634
 *         results in this error code.
3635
 */
3636
psa_status_t psa_key_derivation_output_bytes(
3637
    psa_key_derivation_operation_t *operation,
3638
    uint8_t *output,
3639
    size_t output_length);
3640

3641
/** Derive a key from an ongoing key derivation operation.
3642
 *
3643
 * This function calculates output bytes from a key derivation algorithm
3644
 * and uses those bytes to generate a key deterministically.
3645
 * The key's location, usage policy, type and size are taken from
3646
 * \p attributes.
3647
 *
3648
 * If you view the key derivation's output as a stream of bytes, this
3649
 * function destructively reads as many bytes as required from the
3650
 * stream.
3651
 * The operation's capacity decreases by the number of bytes read.
3652
 *
3653
 * If this function returns an error status other than
3654
 * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
3655
 * state and must be aborted by calling psa_key_derivation_abort().
3656
 *
3657
 * How much output is produced and consumed from the operation, and how
3658
 * the key is derived, depends on the key type and on the key size
3659
 * (denoted \c bits below):
3660
 *
3661
 * - For key types for which the key is an arbitrary sequence of bytes
3662
 *   of a given size, this function is functionally equivalent to
3663
 *   calling #psa_key_derivation_output_bytes
3664
 *   and passing the resulting output to #psa_import_key.
3665
 *   However, this function has a security benefit:
3666
 *   if the implementation provides an isolation boundary then
3667
 *   the key material is not exposed outside the isolation boundary.
3668
 *   As a consequence, for these key types, this function always consumes
3669
 *   exactly (\c bits / 8) bytes from the operation.
3670
 *   The following key types defined in this specification follow this scheme:
3671
 *
3672
 *     - #PSA_KEY_TYPE_AES;
3673
 *     - #PSA_KEY_TYPE_ARIA;
3674
 *     - #PSA_KEY_TYPE_CAMELLIA;
3675
 *     - #PSA_KEY_TYPE_DERIVE;
3676
 *     - #PSA_KEY_TYPE_HMAC;
3677
 *     - #PSA_KEY_TYPE_PASSWORD_HASH.
3678
 *
3679
 * - For ECC keys on a Montgomery elliptic curve
3680
 *   (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
3681
 *   Montgomery curve), this function always draws a byte string whose
3682
 *   length is determined by the curve, and sets the mandatory bits
3683
 *   accordingly. That is:
3684
 *
3685
 *     - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
3686
 *       string and process it as specified in RFC 7748 &sect;5.
3687
 *     - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
3688
 *       string and process it as specified in RFC 7748 &sect;5.
3689
 *
3690
 * - For key types for which the key is represented by a single sequence of
3691
 *   \c bits bits with constraints as to which bit sequences are acceptable,
3692
 *   this function draws a byte string of length (\c bits / 8) bytes rounded
3693
 *   up to the nearest whole number of bytes. If the resulting byte string
3694
 *   is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
3695
 *   This process is repeated until an acceptable byte string is drawn.
3696
 *   The byte string drawn from the operation is interpreted as specified
3697
 *   for the output produced by psa_export_key().
3698
 *   The following key types defined in this specification follow this scheme:
3699
 *
3700
 *     - #PSA_KEY_TYPE_DES.
3701
 *       Force-set the parity bits, but discard forbidden weak keys.
3702
 *       For 2-key and 3-key triple-DES, the three keys are generated
3703
 *       successively (for example, for 3-key triple-DES,
3704
 *       if the first 8 bytes specify a weak key and the next 8 bytes do not,
3705
 *       discard the first 8 bytes, use the next 8 bytes as the first key,
3706
 *       and continue reading output from the operation to derive the other
3707
 *       two keys).
3708
 *     - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group)
3709
 *       where \c group designates any Diffie-Hellman group) and
3710
 *       ECC keys on a Weierstrass elliptic curve
3711
 *       (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
3712
 *       Weierstrass curve).
3713
 *       For these key types, interpret the byte string as integer
3714
 *       in big-endian order. Discard it if it is not in the range
3715
 *       [0, *N* - 2] where *N* is the boundary of the private key domain
3716
 *       (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
3717
 *       or the order of the curve's base point for ECC).
3718
 *       Add 1 to the resulting integer and use this as the private key *x*.
3719
 *       This method allows compliance to NIST standards, specifically
3720
 *       the methods titled "key-pair generation by testing candidates"
3721
 *       in NIST SP 800-56A &sect;5.6.1.1.4 for Diffie-Hellman,
3722
 *       in FIPS 186-4 &sect;B.1.2 for DSA, and
3723
 *       in NIST SP 800-56A &sect;5.6.1.2.2 or
3724
 *       FIPS 186-4 &sect;B.4.2 for elliptic curve keys.
3725
 *
3726
 * - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR,
3727
 *   the way in which the operation output is consumed is
3728
 *   implementation-defined.
3729
 *
3730
 * In all cases, the data that is read is discarded from the operation.
3731
 * The operation's capacity is decreased by the number of bytes read.
3732
 *
3733
 * For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET,
3734
 * the input to that step must be provided with psa_key_derivation_input_key().
3735
 * Future versions of this specification may include additional restrictions
3736
 * on the derived key based on the attributes and strength of the secret key.
3737
 *
3738
 * \note This function is equivalent to calling
3739
 *       psa_key_derivation_output_key_custom()
3740
 *       with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
3741
 *       and `custom_data_length == 0` (i.e. `custom_data` is empty).
3742
 *
3743
 * \param[in] attributes    The attributes for the new key.
3744
 *                          If the key type to be created is
3745
 *                          #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
3746
 *                          the policy must be the same as in the current
3747
 *                          operation.
3748
 * \param[in,out] operation The key derivation operation object to read from.
3749
 * \param[out] key          On success, an identifier for the newly created
3750
 *                          key. For persistent keys, this is the key
3751
 *                          identifier defined in \p attributes.
3752
 *                          \c 0 on failure.
3753
 *
3754
 * \retval #PSA_SUCCESS
3755
 *         Success.
3756
 *         If the key is persistent, the key material and the key's metadata
3757
 *         have been saved to persistent storage.
3758
 * \retval #PSA_ERROR_ALREADY_EXISTS
3759
 *         This is an attempt to create a persistent key, and there is
3760
 *         already a persistent key with the given identifier.
3761
 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3762
 *         There was not enough data to create the desired key.
3763
 *         Note that in this case, no output is written to the output buffer.
3764
 *         The operation's capacity is set to 0, thus subsequent calls to
3765
 *         this function will not succeed, even with a smaller output buffer.
3766
 * \retval #PSA_ERROR_NOT_SUPPORTED
3767
 *         The key type or key size is not supported, either by the
3768
 *         implementation in general or in this particular location.
3769
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3770
 *         The provided key attributes are not valid for the operation.
3771
 * \retval #PSA_ERROR_NOT_PERMITTED
3772
 *         The #PSA_KEY_DERIVATION_INPUT_SECRET or
3773
 *         #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
3774
 *         key; or one of the inputs was a key whose policy didn't allow
3775
 *         #PSA_KEY_USAGE_DERIVE.
3776
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3777
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
3778
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3779
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3780
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3781
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
3782
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
3783
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3784
 * \retval #PSA_ERROR_BAD_STATE
3785
 *         The operation state is not valid (it must be active and completed
3786
 *         all required input steps), or the library has not been previously
3787
 *         initialized by psa_crypto_init().
3788
 *         It is implementation-dependent whether a failure to initialize
3789
 *         results in this error code.
3790
 */
3791
psa_status_t psa_key_derivation_output_key(
3792
    const psa_key_attributes_t *attributes,
3793
    psa_key_derivation_operation_t *operation,
3794
    mbedtls_svc_key_id_t *key);
3795

3796
/** Derive a key from an ongoing key derivation operation with custom
3797
 *  production parameters.
3798
 *
3799
 * See the description of psa_key_derivation_out_key() for the operation of
3800
 * this function with the default production parameters.
3801
 * Mbed TLS currently does not currently support any non-default production
3802
 * parameters.
3803
 *
3804
 * \note This function is experimental and may change in future minor
3805
 *       versions of Mbed TLS.
3806
 *
3807
 * \param[in] attributes    The attributes for the new key.
3808
 *                          If the key type to be created is
3809
 *                          #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
3810
 *                          the policy must be the same as in the current
3811
 *                          operation.
3812
 * \param[in,out] operation The key derivation operation object to read from.
3813
 * \param[in] custom        Customization parameters for the key generation.
3814
 *                          When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
3815
 *                          with \p custom_data_length = 0,
3816
 *                          this function is equivalent to
3817
 *                          psa_key_derivation_output_key().
3818
 * \param[in] custom_data   Variable-length data associated with \c custom.
3819
 * \param custom_data_length
3820
 *                          Length of `custom_data` in bytes.
3821
 * \param[out] key          On success, an identifier for the newly created
3822
 *                          key. For persistent keys, this is the key
3823
 *                          identifier defined in \p attributes.
3824
 *                          \c 0 on failure.
3825
 *
3826
 * \retval #PSA_SUCCESS
3827
 *         Success.
3828
 *         If the key is persistent, the key material and the key's metadata
3829
 *         have been saved to persistent storage.
3830
 * \retval #PSA_ERROR_ALREADY_EXISTS
3831
 *         This is an attempt to create a persistent key, and there is
3832
 *         already a persistent key with the given identifier.
3833
 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3834
 *         There was not enough data to create the desired key.
3835
 *         Note that in this case, no output is written to the output buffer.
3836
 *         The operation's capacity is set to 0, thus subsequent calls to
3837
 *         this function will not succeed, even with a smaller output buffer.
3838
 * \retval #PSA_ERROR_NOT_SUPPORTED
3839
 *         The key type or key size is not supported, either by the
3840
 *         implementation in general or in this particular location.
3841
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3842
 *         The provided key attributes are not valid for the operation.
3843
 * \retval #PSA_ERROR_NOT_PERMITTED
3844
 *         The #PSA_KEY_DERIVATION_INPUT_SECRET or
3845
 *         #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
3846
 *         key; or one of the inputs was a key whose policy didn't allow
3847
 *         #PSA_KEY_USAGE_DERIVE.
3848
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3849
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
3850
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3851
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3852
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3853
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
3854
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
3855
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3856
 * \retval #PSA_ERROR_BAD_STATE
3857
 *         The operation state is not valid (it must be active and completed
3858
 *         all required input steps), or the library has not been previously
3859
 *         initialized by psa_crypto_init().
3860
 *         It is implementation-dependent whether a failure to initialize
3861
 *         results in this error code.
3862
 */
3863
psa_status_t psa_key_derivation_output_key_custom(
3864
    const psa_key_attributes_t *attributes,
3865
    psa_key_derivation_operation_t *operation,
3866
    const psa_custom_key_parameters_t *custom,
3867
    const uint8_t *custom_data,
3868
    size_t custom_data_length,
3869
    mbedtls_svc_key_id_t *key);
3870

3871
#ifndef __cplusplus
3872
/* Omitted when compiling in C++, because one of the parameters is a
3873
 * pointer to a struct with a flexible array member, and that is not
3874
 * standard C++.
3875
 * https://github.com/Mbed-TLS/mbedtls/issues/9020
3876
 */
3877
/** Derive a key from an ongoing key derivation operation with custom
3878
 *  production parameters.
3879
 *
3880
 * \note
3881
 * This is a deprecated variant of psa_key_derivation_output_key_custom().
3882
 * It is equivalent except that the associated variable-length data
3883
 * is passed in `params->data` instead of a separate parameter.
3884
 * This function will be removed in a future version of Mbed TLS.
3885
 *
3886
 * \param[in] attributes    The attributes for the new key.
3887
 *                          If the key type to be created is
3888
 *                          #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
3889
 *                          the policy must be the same as in the current
3890
 *                          operation.
3891
 * \param[in,out] operation The key derivation operation object to read from.
3892
 * \param[in] params        Customization parameters for the key derivation.
3893
 *                          When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
3894
 *                          with \p params_data_length = 0,
3895
 *                          this function is equivalent to
3896
 *                          psa_key_derivation_output_key().
3897
 *                          Mbed TLS currently only supports the default
3898
 *                          production parameters, i.e.
3899
 *                          #PSA_KEY_PRODUCTION_PARAMETERS_INIT,
3900
 *                          for all key types.
3901
 * \param params_data_length
3902
 *                          Length of `params->data` in bytes.
3903
 * \param[out] key          On success, an identifier for the newly created
3904
 *                          key. For persistent keys, this is the key
3905
 *                          identifier defined in \p attributes.
3906
 *                          \c 0 on failure.
3907
 *
3908
 * \retval #PSA_SUCCESS
3909
 *         Success.
3910
 *         If the key is persistent, the key material and the key's metadata
3911
 *         have been saved to persistent storage.
3912
 * \retval #PSA_ERROR_ALREADY_EXISTS
3913
 *         This is an attempt to create a persistent key, and there is
3914
 *         already a persistent key with the given identifier.
3915
 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3916
 *         There was not enough data to create the desired key.
3917
 *         Note that in this case, no output is written to the output buffer.
3918
 *         The operation's capacity is set to 0, thus subsequent calls to
3919
 *         this function will not succeed, even with a smaller output buffer.
3920
 * \retval #PSA_ERROR_NOT_SUPPORTED
3921
 *         The key type or key size is not supported, either by the
3922
 *         implementation in general or in this particular location.
3923
 * \retval #PSA_ERROR_INVALID_ARGUMENT
3924
 *         The provided key attributes are not valid for the operation.
3925
 * \retval #PSA_ERROR_NOT_PERMITTED
3926
 *         The #PSA_KEY_DERIVATION_INPUT_SECRET or
3927
 *         #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
3928
 *         key; or one of the inputs was a key whose policy didn't allow
3929
 *         #PSA_KEY_USAGE_DERIVE.
3930
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3931
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
3932
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3933
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3934
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3935
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
3936
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
3937
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3938
 * \retval #PSA_ERROR_BAD_STATE
3939
 *         The operation state is not valid (it must be active and completed
3940
 *         all required input steps), or the library has not been previously
3941
 *         initialized by psa_crypto_init().
3942
 *         It is implementation-dependent whether a failure to initialize
3943
 *         results in this error code.
3944
 */
3945
psa_status_t psa_key_derivation_output_key_ext(
3946
    const psa_key_attributes_t *attributes,
3947
    psa_key_derivation_operation_t *operation,
3948
    const psa_key_production_parameters_t *params,
3949
    size_t params_data_length,
3950
    mbedtls_svc_key_id_t *key);
3951
#endif /* !__cplusplus */
3952

3953
/** Compare output data from a key derivation operation to an expected value.
3954
 *
3955
 * This function calculates output bytes from a key derivation algorithm and
3956
 * compares those bytes to an expected value in constant time.
3957
 * If you view the key derivation's output as a stream of bytes, this
3958
 * function destructively reads the expected number of bytes from the
3959
 * stream before comparing them.
3960
 * The operation's capacity decreases by the number of bytes read.
3961
 *
3962
 * This is functionally equivalent to the following code:
3963
 * \code
3964
 * psa_key_derivation_output_bytes(operation, tmp, output_length);
3965
 * if (memcmp(output, tmp, output_length) != 0)
3966
 *     return PSA_ERROR_INVALID_SIGNATURE;
3967
 * \endcode
3968
 * except (1) it works even if the key's policy does not allow outputting the
3969
 * bytes, and (2) the comparison will be done in constant time.
3970
 *
3971
 * If this function returns an error status other than
3972
 * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
3973
 * the operation enters an error state and must be aborted by calling
3974
 * psa_key_derivation_abort().
3975
 *
3976
 * \param[in,out] operation The key derivation operation object to read from.
3977
 * \param[in] expected      Buffer containing the expected derivation output.
3978
 * \param expected_length   Length of the expected output; this is also the
3979
 *                          number of bytes that will be read.
3980
 *
3981
 * \retval #PSA_SUCCESS \emptydescription
3982
 * \retval #PSA_ERROR_INVALID_SIGNATURE
3983
 *         The output was read successfully, but it differs from the expected
3984
 *         output.
3985
 * \retval #PSA_ERROR_NOT_PERMITTED
3986
 *         One of the inputs was a key whose policy didn't allow
3987
 *         #PSA_KEY_USAGE_VERIFY_DERIVATION.
3988
 * \retval #PSA_ERROR_INSUFFICIENT_DATA
3989
 *                          The operation's capacity was less than
3990
 *                          \p output_length bytes. Note that in this case,
3991
 *                          the operation's capacity is set to 0, thus
3992
 *                          subsequent calls to this function will not
3993
 *                          succeed, even with a smaller expected output.
3994
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
3995
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
3996
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
3997
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
3998
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
3999
 * \retval #PSA_ERROR_BAD_STATE
4000
 *         The operation state is not valid (it must be active and completed
4001
 *         all required input steps), or the library has not been previously
4002
 *         initialized by psa_crypto_init().
4003
 *         It is implementation-dependent whether a failure to initialize
4004
 *         results in this error code.
4005
 */
4006
psa_status_t psa_key_derivation_verify_bytes(
4007
    psa_key_derivation_operation_t *operation,
4008
    const uint8_t *expected,
4009
    size_t expected_length);
4010

4011
/** Compare output data from a key derivation operation to an expected value
4012
 * stored in a key object.
4013
 *
4014
 * This function calculates output bytes from a key derivation algorithm and
4015
 * compares those bytes to an expected value, provided as key of type
4016
 * #PSA_KEY_TYPE_PASSWORD_HASH.
4017
 * If you view the key derivation's output as a stream of bytes, this
4018
 * function destructively reads the number of bytes corresponding to the
4019
 * length of the expected value from the stream before comparing them.
4020
 * The operation's capacity decreases by the number of bytes read.
4021
 *
4022
 * This is functionally equivalent to exporting the key and calling
4023
 * psa_key_derivation_verify_bytes() on the result, except that it
4024
 * works even if the key cannot be exported.
4025
 *
4026
 * If this function returns an error status other than
4027
 * #PSA_ERROR_INSUFFICIENT_DATA or #PSA_ERROR_INVALID_SIGNATURE,
4028
 * the operation enters an error state and must be aborted by calling
4029
 * psa_key_derivation_abort().
4030
 *
4031
 * \param[in,out] operation The key derivation operation object to read from.
4032
 * \param[in] expected      A key of type #PSA_KEY_TYPE_PASSWORD_HASH
4033
 *                          containing the expected output. Its policy must
4034
 *                          include the #PSA_KEY_USAGE_VERIFY_DERIVATION flag
4035
 *                          and the permitted algorithm must match the
4036
 *                          operation. The value of this key was likely
4037
 *                          computed by a previous call to
4038
 *                          psa_key_derivation_output_key() or
4039
 *                          psa_key_derivation_output_key_custom().
4040
 *
4041
 * \retval #PSA_SUCCESS \emptydescription
4042
 * \retval #PSA_ERROR_INVALID_SIGNATURE
4043
 *         The output was read successfully, but if differs from the expected
4044
 *         output.
4045
 * \retval #PSA_ERROR_INVALID_HANDLE
4046
 *         The key passed as the expected value does not exist.
4047
 * \retval #PSA_ERROR_INVALID_ARGUMENT
4048
 *         The key passed as the expected value has an invalid type.
4049
 * \retval #PSA_ERROR_NOT_PERMITTED
4050
 *         The key passed as the expected value does not allow this usage or
4051
 *         this algorithm; or one of the inputs was a key whose policy didn't
4052
 *         allow #PSA_KEY_USAGE_VERIFY_DERIVATION.
4053
 * \retval #PSA_ERROR_INSUFFICIENT_DATA
4054
 *                          The operation's capacity was less than
4055
 *                          the length of the expected value. In this case,
4056
 *                          the operation's capacity is set to 0, thus
4057
 *                          subsequent calls to this function will not
4058
 *                          succeed, even with a smaller expected output.
4059
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4060
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4061
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4062
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4063
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4064
 * \retval #PSA_ERROR_BAD_STATE
4065
 *         The operation state is not valid (it must be active and completed
4066
 *         all required input steps), or the library has not been previously
4067
 *         initialized by psa_crypto_init().
4068
 *         It is implementation-dependent whether a failure to initialize
4069
 *         results in this error code.
4070
 */
4071
psa_status_t psa_key_derivation_verify_key(
4072
    psa_key_derivation_operation_t *operation,
4073
    psa_key_id_t expected);
4074

4075
/** Abort a key derivation operation.
4076
 *
4077
 * Aborting an operation frees all associated resources except for the \c
4078
 * operation structure itself. Once aborted, the operation object can be reused
4079
 * for another operation by calling psa_key_derivation_setup() again.
4080
 *
4081
 * This function may be called at any time after the operation
4082
 * object has been initialized as described in #psa_key_derivation_operation_t.
4083
 *
4084
 * In particular, it is valid to call psa_key_derivation_abort() twice, or to
4085
 * call psa_key_derivation_abort() on an operation that has not been set up.
4086
 *
4087
 * \param[in,out] operation    The operation to abort.
4088
 *
4089
 * \retval #PSA_SUCCESS \emptydescription
4090
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4091
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4092
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4093
 * \retval #PSA_ERROR_BAD_STATE
4094
 *         The library has not been previously initialized by psa_crypto_init().
4095
 *         It is implementation-dependent whether a failure to initialize
4096
 *         results in this error code.
4097
 */
4098
psa_status_t psa_key_derivation_abort(
4099
    psa_key_derivation_operation_t *operation);
4100

4101
/** Perform a key agreement and return the raw shared secret.
4102
 *
4103
 * \warning The raw result of a key agreement algorithm such as finite-field
4104
 * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
4105
 * not be used directly as key material. It should instead be passed as
4106
 * input to a key derivation algorithm. To chain a key agreement with
4107
 * a key derivation, use psa_key_derivation_key_agreement() and other
4108
 * functions from the key derivation interface.
4109
 *
4110
 * \param alg                     The key agreement algorithm to compute
4111
 *                                (\c PSA_ALG_XXX value such that
4112
 *                                #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
4113
 *                                is true).
4114
 * \param private_key             Identifier of the private key to use. It must
4115
 *                                allow the usage #PSA_KEY_USAGE_DERIVE.
4116
 * \param[in] peer_key            Public key of the peer. It must be
4117
 *                                in the same format that psa_import_key()
4118
 *                                accepts. The standard formats for public
4119
 *                                keys are documented in the documentation
4120
 *                                of psa_export_public_key().
4121
 * \param peer_key_length         Size of \p peer_key in bytes.
4122
 * \param[out] output             Buffer where the decrypted message is to
4123
 *                                be written.
4124
 * \param output_size             Size of the \c output buffer in bytes.
4125
 * \param[out] output_length      On success, the number of bytes
4126
 *                                that make up the returned output.
4127
 *
4128
 * \retval #PSA_SUCCESS
4129
 *         Success.
4130
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
4131
 * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
4132
 * \retval #PSA_ERROR_INVALID_ARGUMENT
4133
 *         \p alg is not a key agreement algorithm, or
4134
 *         \p private_key is not compatible with \p alg,
4135
 *         or \p peer_key is not valid for \p alg or not compatible with
4136
 *         \p private_key.
4137
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
4138
 *         \p output_size is too small
4139
 * \retval #PSA_ERROR_NOT_SUPPORTED
4140
 *         \p alg is not a supported key agreement algorithm.
4141
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4142
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4143
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4144
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4145
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4146
 * \retval #PSA_ERROR_BAD_STATE
4147
 *         The library has not been previously initialized by psa_crypto_init().
4148
 *         It is implementation-dependent whether a failure to initialize
4149
 *         results in this error code.
4150
 */
4151
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
4152
                                   mbedtls_svc_key_id_t private_key,
4153
                                   const uint8_t *peer_key,
4154
                                   size_t peer_key_length,
4155
                                   uint8_t *output,
4156
                                   size_t output_size,
4157
                                   size_t *output_length);
4158

4159
/**@}*/
4160

4161
/** \defgroup random Random generation
4162
 * @{
4163
 */
4164

4165
/**
4166
 * \brief Generate random bytes.
4167
 *
4168
 * \warning This function **can** fail! Callers MUST check the return status
4169
 *          and MUST NOT use the content of the output buffer if the return
4170
 *          status is not #PSA_SUCCESS.
4171
 *
4172
 * \note    To generate a key, use psa_generate_key() instead.
4173
 *
4174
 * \param[out] output       Output buffer for the generated data.
4175
 * \param output_size       Number of bytes to generate and output.
4176
 *
4177
 * \retval #PSA_SUCCESS \emptydescription
4178
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4179
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4180
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4181
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4182
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4183
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4184
 * \retval #PSA_ERROR_BAD_STATE
4185
 *         The library has not been previously initialized by psa_crypto_init().
4186
 *         It is implementation-dependent whether a failure to initialize
4187
 *         results in this error code.
4188
 */
4189
psa_status_t psa_generate_random(uint8_t *output,
4190
                                 size_t output_size);
4191

4192
/**
4193
 * \brief Generate a key or key pair.
4194
 *
4195
 * The key is generated randomly.
4196
 * Its location, usage policy, type and size are taken from \p attributes.
4197
 *
4198
 * Implementations must reject an attempt to generate a key of size 0.
4199
 *
4200
 * The following type-specific considerations apply:
4201
 * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR),
4202
 *   the public exponent is 65537.
4203
 *   The modulus is a product of two probabilistic primes
4204
 *   between 2^{n-1} and 2^n where n is the bit size specified in the
4205
 *   attributes.
4206
 *
4207
 * \note This function is equivalent to calling psa_generate_key_custom()
4208
 *       with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
4209
 *       and `custom_data_length == 0` (i.e. `custom_data` is empty).
4210
 *
4211
 * \param[in] attributes    The attributes for the new key.
4212
 * \param[out] key          On success, an identifier for the newly created
4213
 *                          key. For persistent keys, this is the key
4214
 *                          identifier defined in \p attributes.
4215
 *                          \c 0 on failure.
4216
 *
4217
 * \retval #PSA_SUCCESS
4218
 *         Success.
4219
 *         If the key is persistent, the key material and the key's metadata
4220
 *         have been saved to persistent storage.
4221
 * \retval #PSA_ERROR_ALREADY_EXISTS
4222
 *         This is an attempt to create a persistent key, and there is
4223
 *         already a persistent key with the given identifier.
4224
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4225
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4226
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4227
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4228
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4229
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4230
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4231
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
4232
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4233
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4234
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4235
 * \retval #PSA_ERROR_BAD_STATE
4236
 *         The library has not been previously initialized by psa_crypto_init().
4237
 *         It is implementation-dependent whether a failure to initialize
4238
 *         results in this error code.
4239
 */
4240
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
4241
                              mbedtls_svc_key_id_t *key);
4242

4243
/**
4244
 * \brief Generate a key or key pair using custom production parameters.
4245
 *
4246
 * See the description of psa_generate_key() for the operation of this
4247
 * function with the default production parameters. In addition, this function
4248
 * supports the following production customizations, described in more detail
4249
 * in the documentation of ::psa_custom_key_parameters_t:
4250
 *
4251
 * - RSA keys: generation with a custom public exponent.
4252
 *
4253
 * \note This function is experimental and may change in future minor
4254
 *       versions of Mbed TLS.
4255
 *
4256
 * \param[in] attributes    The attributes for the new key.
4257
 * \param[in] custom        Customization parameters for the key generation.
4258
 *                          When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
4259
 *                          with \p custom_data_length = 0,
4260
 *                          this function is equivalent to
4261
 *                          psa_generate_key().
4262
 * \param[in] custom_data   Variable-length data associated with \c custom.
4263
 * \param custom_data_length
4264
 *                          Length of `custom_data` in bytes.
4265
 * \param[out] key          On success, an identifier for the newly created
4266
 *                          key. For persistent keys, this is the key
4267
 *                          identifier defined in \p attributes.
4268
 *                          \c 0 on failure.
4269
 *
4270
 * \retval #PSA_SUCCESS
4271
 *         Success.
4272
 *         If the key is persistent, the key material and the key's metadata
4273
 *         have been saved to persistent storage.
4274
 * \retval #PSA_ERROR_ALREADY_EXISTS
4275
 *         This is an attempt to create a persistent key, and there is
4276
 *         already a persistent key with the given identifier.
4277
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4278
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4279
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4280
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4281
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4282
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4283
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4284
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
4285
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4286
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4287
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4288
 * \retval #PSA_ERROR_BAD_STATE
4289
 *         The library has not been previously initialized by psa_crypto_init().
4290
 *         It is implementation-dependent whether a failure to initialize
4291
 *         results in this error code.
4292
 */
4293
psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
4294
                                     const psa_custom_key_parameters_t *custom,
4295
                                     const uint8_t *custom_data,
4296
                                     size_t custom_data_length,
4297
                                     mbedtls_svc_key_id_t *key);
4298

4299
#ifndef __cplusplus
4300
/* Omitted when compiling in C++, because one of the parameters is a
4301
 * pointer to a struct with a flexible array member, and that is not
4302
 * standard C++.
4303
 * https://github.com/Mbed-TLS/mbedtls/issues/9020
4304
 */
4305
/**
4306
 * \brief Generate a key or key pair using custom production parameters.
4307
 *
4308
 * \note
4309
 * This is a deprecated variant of psa_key_derivation_output_key_custom().
4310
 * It is equivalent except that the associated variable-length data
4311
 * is passed in `params->data` instead of a separate parameter.
4312
 * This function will be removed in a future version of Mbed TLS.
4313
 *
4314
 * \param[in] attributes    The attributes for the new key.
4315
 * \param[in] params        Customization parameters for the key generation.
4316
 *                          When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
4317
 *                          with \p params_data_length = 0,
4318
 *                          this function is equivalent to
4319
 *                          psa_generate_key().
4320
 * \param params_data_length
4321
 *                          Length of `params->data` in bytes.
4322
 * \param[out] key          On success, an identifier for the newly created
4323
 *                          key. For persistent keys, this is the key
4324
 *                          identifier defined in \p attributes.
4325
 *                          \c 0 on failure.
4326
 *
4327
 * \retval #PSA_SUCCESS
4328
 *         Success.
4329
 *         If the key is persistent, the key material and the key's metadata
4330
 *         have been saved to persistent storage.
4331
 * \retval #PSA_ERROR_ALREADY_EXISTS
4332
 *         This is an attempt to create a persistent key, and there is
4333
 *         already a persistent key with the given identifier.
4334
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4335
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4336
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4337
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4338
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4339
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4340
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4341
 * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
4342
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4343
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4344
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4345
 * \retval #PSA_ERROR_BAD_STATE
4346
 *         The library has not been previously initialized by psa_crypto_init().
4347
 *         It is implementation-dependent whether a failure to initialize
4348
 *         results in this error code.
4349
 */
4350
psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
4351
                                  const psa_key_production_parameters_t *params,
4352
                                  size_t params_data_length,
4353
                                  mbedtls_svc_key_id_t *key);
4354
#endif /* !__cplusplus */
4355

4356
/**@}*/
4357

4358
/** \defgroup interruptible_hash Interruptible sign/verify hash
4359
 * @{
4360
 */
4361

4362
/** The type of the state data structure for interruptible hash
4363
 *  signing operations.
4364
 *
4365
 * Before calling any function on a sign hash operation object, the
4366
 * application must initialize it by any of the following means:
4367
 * - Set the structure to all-bits-zero, for example:
4368
 *   \code
4369
 *   psa_sign_hash_interruptible_operation_t operation;
4370
 *   memset(&operation, 0, sizeof(operation));
4371
 *   \endcode
4372
 * - Initialize the structure to logical zero values, for example:
4373
 *   \code
4374
 *   psa_sign_hash_interruptible_operation_t operation = {0};
4375
 *   \endcode
4376
 * - Initialize the structure to the initializer
4377
 *   #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
4378
 *   \code
4379
 *   psa_sign_hash_interruptible_operation_t operation =
4380
 *   PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
4381
 *   \endcode
4382
 * - Assign the result of the function
4383
 *   psa_sign_hash_interruptible_operation_init() to the structure, for
4384
 *   example:
4385
 *   \code
4386
 *   psa_sign_hash_interruptible_operation_t operation;
4387
 *   operation = psa_sign_hash_interruptible_operation_init();
4388
 *   \endcode
4389
 *
4390
 * This is an implementation-defined \c struct. Applications should not
4391
 * make any assumptions about the content of this structure.
4392
 * Implementation details can change in future versions without notice. */
4393
typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
4394

4395
/** The type of the state data structure for interruptible hash
4396
 *  verification operations.
4397
 *
4398
 * Before calling any function on a sign hash operation object, the
4399
 * application must initialize it by any of the following means:
4400
 * - Set the structure to all-bits-zero, for example:
4401
 *   \code
4402
 *   psa_verify_hash_interruptible_operation_t operation;
4403
 *   memset(&operation, 0, sizeof(operation));
4404
 *   \endcode
4405
 * - Initialize the structure to logical zero values, for example:
4406
 *   \code
4407
 *   psa_verify_hash_interruptible_operation_t operation = {0};
4408
 *   \endcode
4409
 * - Initialize the structure to the initializer
4410
 *   #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
4411
 *   \code
4412
 *   psa_verify_hash_interruptible_operation_t operation =
4413
 *   PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
4414
 *   \endcode
4415
 * - Assign the result of the function
4416
 *   psa_verify_hash_interruptible_operation_init() to the structure, for
4417
 *   example:
4418
 *   \code
4419
 *   psa_verify_hash_interruptible_operation_t operation;
4420
 *   operation = psa_verify_hash_interruptible_operation_init();
4421
 *   \endcode
4422
 *
4423
 * This is an implementation-defined \c struct. Applications should not
4424
 * make any assumptions about the content of this structure.
4425
 * Implementation details can change in future versions without notice. */
4426
typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
4427

4428
/**
4429
 * \brief                       Set the maximum number of ops allowed to be
4430
 *                              executed by an interruptible function in a
4431
 *                              single call.
4432
 *
4433
 * \warning                     This is a beta API, and thus subject to change
4434
 *                              at any point. It is not bound by the usual
4435
 *                              interface stability promises.
4436
 *
4437
 * \note                        The time taken to execute a single op is
4438
 *                              implementation specific and depends on
4439
 *                              software, hardware, the algorithm, key type and
4440
 *                              curve chosen. Even within a single operation,
4441
 *                              successive ops can take differing amounts of
4442
 *                              time. The only guarantee is that lower values
4443
 *                              for \p max_ops means functions will block for a
4444
 *                              lesser maximum amount of time. The functions
4445
 *                              \c psa_sign_interruptible_get_num_ops() and
4446
 *                              \c psa_verify_interruptible_get_num_ops() are
4447
 *                              provided to help with tuning this value.
4448
 *
4449
 * \note                        This value defaults to
4450
 *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
4451
 *                              means the whole operation will be done in one
4452
 *                              go, regardless of the number of ops required.
4453
 *
4454
 * \note                        If more ops are needed to complete a
4455
 *                              computation, #PSA_OPERATION_INCOMPLETE will be
4456
 *                              returned by the function performing the
4457
 *                              computation. It is then the caller's
4458
 *                              responsibility to either call again with the
4459
 *                              same operation context until it returns 0 or an
4460
 *                              error code; or to call the relevant abort
4461
 *                              function if the answer is no longer required.
4462
 *
4463
 * \note                        The interpretation of \p max_ops is also
4464
 *                              implementation defined. On a hard real time
4465
 *                              system, this can indicate a hard deadline, as a
4466
 *                              real-time system needs a guarantee of not
4467
 *                              spending more than X time, however care must be
4468
 *                              taken in such an implementation to avoid the
4469
 *                              situation whereby calls just return, not being
4470
 *                              able to do any actual work within the allotted
4471
 *                              time.  On a non-real-time system, the
4472
 *                              implementation can be more relaxed, but again
4473
 *                              whether this number should be interpreted as as
4474
 *                              hard or soft limit or even whether a less than
4475
 *                              or equals as regards to ops executed in a
4476
 *                              single call is implementation defined.
4477
 *
4478
 * \note                        For keys in local storage when no accelerator
4479
 *                              driver applies, please see also the
4480
 *                              documentation for \c mbedtls_ecp_set_max_ops(),
4481
 *                              which is the internal implementation in these
4482
 *                              cases.
4483
 *
4484
 * \warning                     With implementations that interpret this number
4485
 *                              as a hard limit, setting this number too small
4486
 *                              may result in an infinite loop, whereby each
4487
 *                              call results in immediate return with no ops
4488
 *                              done (as there is not enough time to execute
4489
 *                              any), and thus no result will ever be achieved.
4490
 *
4491
 * \note                        This only applies to functions whose
4492
 *                              documentation mentions they may return
4493
 *                              #PSA_OPERATION_INCOMPLETE.
4494
 *
4495
 * \param max_ops               The maximum number of ops to be executed in a
4496
 *                              single call. This can be a number from 0 to
4497
 *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
4498
 *                              is the least amount of work done per call.
4499
 */
4500
void psa_interruptible_set_max_ops(uint32_t max_ops);
4501

4502
/**
4503
 * \brief                       Get the maximum number of ops allowed to be
4504
 *                              executed by an interruptible function in a
4505
 *                              single call. This will return the last
4506
 *                              value set by
4507
 *                              \c psa_interruptible_set_max_ops() or
4508
 *                              #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
4509
 *                              that function has never been called.
4510
 *
4511
 * \warning                     This is a beta API, and thus subject to change
4512
 *                              at any point. It is not bound by the usual
4513
 *                              interface stability promises.
4514
 *
4515
 * \return                      Maximum number of ops allowed to be
4516
 *                              executed by an interruptible function in a
4517
 *                              single call.
4518
 */
4519
uint32_t psa_interruptible_get_max_ops(void);
4520

4521
/**
4522
 * \brief                       Get the number of ops that a hash signing
4523
 *                              operation has taken so far. If the operation
4524
 *                              has completed, then this will represent the
4525
 *                              number of ops required for the entire
4526
 *                              operation. After initialization or calling
4527
 *                              \c psa_sign_hash_interruptible_abort() on
4528
 *                              the operation, a value of 0 will be returned.
4529
 *
4530
 * \note                        This interface is guaranteed re-entrant and
4531
 *                              thus may be called from driver code.
4532
 *
4533
 * \warning                     This is a beta API, and thus subject to change
4534
 *                              at any point. It is not bound by the usual
4535
 *                              interface stability promises.
4536
 *
4537
 *                              This is a helper provided to help you tune the
4538
 *                              value passed to \c
4539
 *                              psa_interruptible_set_max_ops().
4540
 *
4541
 * \param operation             The \c psa_sign_hash_interruptible_operation_t
4542
 *                              to use. This must be initialized first.
4543
 *
4544
 * \return                      Number of ops that the operation has taken so
4545
 *                              far.
4546
 */
4547
uint32_t psa_sign_hash_get_num_ops(
4548
    const psa_sign_hash_interruptible_operation_t *operation);
4549

4550
/**
4551
 * \brief                       Get the number of ops that a hash verification
4552
 *                              operation has taken so far. If the operation
4553
 *                              has completed, then this will represent the
4554
 *                              number of ops required for the entire
4555
 *                              operation. After initialization or calling \c
4556
 *                              psa_verify_hash_interruptible_abort() on the
4557
 *                              operation, a value of 0 will be returned.
4558
 *
4559
 * \warning                     This is a beta API, and thus subject to change
4560
 *                              at any point. It is not bound by the usual
4561
 *                              interface stability promises.
4562
 *
4563
 *                              This is a helper provided to help you tune the
4564
 *                              value passed to \c
4565
 *                              psa_interruptible_set_max_ops().
4566
 *
4567
 * \param operation             The \c
4568
 *                              psa_verify_hash_interruptible_operation_t to
4569
 *                              use. This must be initialized first.
4570
 *
4571
 * \return                      Number of ops that the operation has taken so
4572
 *                              far.
4573
 */
4574
uint32_t psa_verify_hash_get_num_ops(
4575
    const psa_verify_hash_interruptible_operation_t *operation);
4576

4577
/**
4578
 * \brief                       Start signing a hash or short message with a
4579
 *                              private key, in an interruptible manner.
4580
 *
4581
 * \see                         \c psa_sign_hash_complete()
4582
 *
4583
 * \warning                     This is a beta API, and thus subject to change
4584
 *                              at any point. It is not bound by the usual
4585
 *                              interface stability promises.
4586
 *
4587
 * \note                        This function combined with \c
4588
 *                              psa_sign_hash_complete() is equivalent to
4589
 *                              \c psa_sign_hash() but
4590
 *                              \c psa_sign_hash_complete() can return early and
4591
 *                              resume according to the limit set with \c
4592
 *                              psa_interruptible_set_max_ops() to reduce the
4593
 *                              maximum time spent in a function call.
4594
 *
4595
 * \note                        Users should call \c psa_sign_hash_complete()
4596
 *                              repeatedly on the same context after a
4597
 *                              successful call to this function until \c
4598
 *                              psa_sign_hash_complete() either returns 0 or an
4599
 *                              error. \c psa_sign_hash_complete() will return
4600
 *                              #PSA_OPERATION_INCOMPLETE if there is more work
4601
 *                              to do. Alternatively users can call
4602
 *                              \c psa_sign_hash_abort() at any point if they no
4603
 *                              longer want the result.
4604
 *
4605
 * \note                        If this function returns an error status, the
4606
 *                              operation enters an error state and must be
4607
 *                              aborted by calling \c psa_sign_hash_abort().
4608
 *
4609
 * \param[in, out] operation    The \c psa_sign_hash_interruptible_operation_t
4610
 *                              to use. This must be initialized first.
4611
 *
4612
 * \param key                   Identifier of the key to use for the operation.
4613
 *                              It must be an asymmetric key pair. The key must
4614
 *                              allow the usage #PSA_KEY_USAGE_SIGN_HASH.
4615
 * \param alg                   A signature algorithm (\c PSA_ALG_XXX
4616
 *                              value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
4617
 *                              is true), that is compatible with
4618
 *                              the type of \p key.
4619
 * \param[in] hash              The hash or message to sign.
4620
 * \param hash_length           Size of the \p hash buffer in bytes.
4621
 *
4622
 * \retval #PSA_SUCCESS
4623
 *         The operation started successfully - call \c psa_sign_hash_complete()
4624
 *         with the same context to complete the operation
4625
 *
4626
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
4627
 * \retval #PSA_ERROR_NOT_PERMITTED
4628
 *         The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
4629
 *         not permit the requested algorithm.
4630
 * \retval #PSA_ERROR_BAD_STATE
4631
 *         An operation has previously been started on this context, and is
4632
 *         still in progress.
4633
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4634
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4635
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4636
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4637
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4638
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4639
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4640
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4641
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4642
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4643
 * \retval #PSA_ERROR_BAD_STATE
4644
 *         The library has not been previously initialized by psa_crypto_init().
4645
 *         It is implementation-dependent whether a failure to initialize
4646
 *         results in this error code.
4647
 */
4648
psa_status_t psa_sign_hash_start(
4649
    psa_sign_hash_interruptible_operation_t *operation,
4650
    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
4651
    const uint8_t *hash, size_t hash_length);
4652

4653
/**
4654
 * \brief                       Continue and eventually complete the action of
4655
 *                              signing a hash or short message with a private
4656
 *                              key, in an interruptible manner.
4657
 *
4658
 * \see                         \c psa_sign_hash_start()
4659
 *
4660
 * \warning                     This is a beta API, and thus subject to change
4661
 *                              at any point. It is not bound by the usual
4662
 *                              interface stability promises.
4663
 *
4664
 * \note                        This function combined with \c
4665
 *                              psa_sign_hash_start() is equivalent to
4666
 *                              \c psa_sign_hash() but this function can return
4667
 *                              early and resume according to the limit set with
4668
 *                              \c psa_interruptible_set_max_ops() to reduce the
4669
 *                              maximum time spent in a function call.
4670
 *
4671
 * \note                        Users should call this function on the same
4672
 *                              operation object repeatedly until it either
4673
 *                              returns 0 or an error. This function will return
4674
 *                              #PSA_OPERATION_INCOMPLETE if there is more work
4675
 *                              to do. Alternatively users can call
4676
 *                              \c psa_sign_hash_abort() at any point if they no
4677
 *                              longer want the result.
4678
 *
4679
 * \note                        When this function returns successfully, the
4680
 *                              operation becomes inactive. If this function
4681
 *                              returns an error status, the operation enters an
4682
 *                              error state and must be aborted by calling
4683
 *                              \c psa_sign_hash_abort().
4684
 *
4685
 * \param[in, out] operation    The \c psa_sign_hash_interruptible_operation_t
4686
 *                              to use. This must be initialized first, and have
4687
 *                              had \c psa_sign_hash_start() called with it
4688
 *                              first.
4689
 *
4690
 * \param[out] signature        Buffer where the signature is to be written.
4691
 * \param signature_size        Size of the \p signature buffer in bytes. This
4692
 *                              must be appropriate for the selected
4693
 *                              algorithm and key:
4694
 *                              - The required signature size is
4695
 *                                #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
4696
 *                                key_bits, \c alg) where \c key_type and \c
4697
 *                                key_bits are the type and bit-size
4698
 *                                respectively of key.
4699
 *                              - #PSA_SIGNATURE_MAX_SIZE evaluates to the
4700
 *                                maximum signature size of any supported
4701
 *                                signature algorithm.
4702
 * \param[out] signature_length On success, the number of bytes that make up
4703
 *                              the returned signature value.
4704
 *
4705
 * \retval #PSA_SUCCESS
4706
 *         Operation completed successfully
4707
 *
4708
 * \retval #PSA_OPERATION_INCOMPLETE
4709
 *         Operation was interrupted due to the setting of \c
4710
 *         psa_interruptible_set_max_ops(). There is still work to be done.
4711
 *         Call this function again with the same operation object.
4712
 *
4713
 * \retval #PSA_ERROR_BUFFER_TOO_SMALL
4714
 *         The size of the \p signature buffer is too small. You can
4715
 *         determine a sufficient buffer size by calling
4716
 *         #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \c alg)
4717
 *         where \c key_type and \c key_bits are the type and bit-size
4718
 *         respectively of \c key.
4719
 *
4720
 * \retval #PSA_ERROR_BAD_STATE
4721
 *         An operation was not previously started on this context via
4722
 *         \c psa_sign_hash_start().
4723
 *
4724
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4725
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4726
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4727
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4728
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4729
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4730
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4731
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4732
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4733
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4734
 * \retval #PSA_ERROR_BAD_STATE
4735
 *         The library has either not been previously initialized by
4736
 *         psa_crypto_init() or you did not previously call
4737
 *         psa_sign_hash_start() with this operation object. It is
4738
 *         implementation-dependent whether a failure to initialize results in
4739
 *         this error code.
4740
 */
4741
psa_status_t psa_sign_hash_complete(
4742
    psa_sign_hash_interruptible_operation_t *operation,
4743
    uint8_t *signature, size_t signature_size,
4744
    size_t *signature_length);
4745

4746
/**
4747
 * \brief                       Abort a sign hash operation.
4748
 *
4749
 * \warning                     This is a beta API, and thus subject to change
4750
 *                              at any point. It is not bound by the usual
4751
 *                              interface stability promises.
4752
 *
4753
 * \note                        This function is the only function that clears
4754
 *                              the number of ops completed as part of the
4755
 *                              operation. Please ensure you copy this value via
4756
 *                              \c psa_sign_hash_get_num_ops() if required
4757
 *                              before calling.
4758
 *
4759
 * \note                        Aborting an operation frees all associated
4760
 *                              resources except for the \p operation structure
4761
 *                              itself. Once aborted, the operation object can
4762
 *                              be reused for another operation by calling \c
4763
 *                              psa_sign_hash_start() again.
4764
 *
4765
 * \note                        You may call this function any time after the
4766
 *                              operation object has been initialized. In
4767
 *                              particular, calling \c psa_sign_hash_abort()
4768
 *                              after the operation has already been terminated
4769
 *                              by a call to \c psa_sign_hash_abort() or
4770
 *                              psa_sign_hash_complete() is safe.
4771
 *
4772
 * \param[in,out] operation     Initialized sign hash operation.
4773
 *
4774
 * \retval #PSA_SUCCESS
4775
 *         The operation was aborted successfully.
4776
 *
4777
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4778
 * \retval #PSA_ERROR_BAD_STATE
4779
 *         The library has not been previously initialized by psa_crypto_init().
4780
 *         It is implementation-dependent whether a failure to initialize
4781
 *         results in this error code.
4782
 */
4783
psa_status_t psa_sign_hash_abort(
4784
    psa_sign_hash_interruptible_operation_t *operation);
4785

4786
/**
4787
 * \brief                       Start reading and verifying a hash or short
4788
 *                              message, in an interruptible manner.
4789
 *
4790
 * \see                         \c psa_verify_hash_complete()
4791
 *
4792
 * \warning                     This is a beta API, and thus subject to change
4793
 *                              at any point. It is not bound by the usual
4794
 *                              interface stability promises.
4795
 *
4796
 * \note                        This function combined with \c
4797
 *                              psa_verify_hash_complete() is equivalent to
4798
 *                              \c psa_verify_hash() but \c
4799
 *                              psa_verify_hash_complete() can return early and
4800
 *                              resume according to the limit set with \c
4801
 *                              psa_interruptible_set_max_ops() to reduce the
4802
 *                              maximum time spent in a function.
4803
 *
4804
 * \note                        Users should call \c psa_verify_hash_complete()
4805
 *                              repeatedly on the same operation object after a
4806
 *                              successful call to this function until \c
4807
 *                              psa_verify_hash_complete() either returns 0 or
4808
 *                              an error. \c psa_verify_hash_complete() will
4809
 *                              return #PSA_OPERATION_INCOMPLETE if there is
4810
 *                              more work to do. Alternatively users can call
4811
 *                              \c psa_verify_hash_abort() at any point if they
4812
 *                              no longer want the result.
4813
 *
4814
 * \note                        If this function returns an error status, the
4815
 *                              operation enters an error state and must be
4816
 *                              aborted by calling \c psa_verify_hash_abort().
4817
 *
4818
 * \param[in, out] operation    The \c psa_verify_hash_interruptible_operation_t
4819
 *                              to use. This must be initialized first.
4820
 *
4821
 * \param key                   Identifier of the key to use for the operation.
4822
 *                              The key must allow the usage
4823
 *                              #PSA_KEY_USAGE_VERIFY_HASH.
4824
 * \param alg                   A signature algorithm (\c PSA_ALG_XXX
4825
 *                              value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
4826
 *                              is true), that is compatible with
4827
 *                              the type of \p key.
4828
 * \param[in] hash              The hash whose signature is to be verified.
4829
 * \param hash_length           Size of the \p hash buffer in bytes.
4830
 * \param[in] signature         Buffer containing the signature to verify.
4831
 * \param signature_length      Size of the \p signature buffer in bytes.
4832
 *
4833
 * \retval #PSA_SUCCESS
4834
 *         The operation started successfully - please call \c
4835
 *         psa_verify_hash_complete() with the same context to complete the
4836
 *         operation.
4837
 *
4838
 * \retval #PSA_ERROR_BAD_STATE
4839
 *         Another operation has already been started on this context, and is
4840
 *         still in progress.
4841
 *
4842
 * \retval #PSA_ERROR_NOT_PERMITTED
4843
 *         The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
4844
 *         not permit the requested algorithm.
4845
 *
4846
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4847
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4848
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4849
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4850
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4851
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4852
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4853
 * \retval PSA_ERROR_DATA_CORRUPT \emptydescription
4854
 * \retval PSA_ERROR_DATA_INVALID \emptydescription
4855
 * \retval #PSA_ERROR_BAD_STATE
4856
 *         The library has not been previously initialized by psa_crypto_init().
4857
 *         It is implementation-dependent whether a failure to initialize
4858
 *         results in this error code.
4859
 */
4860
psa_status_t psa_verify_hash_start(
4861
    psa_verify_hash_interruptible_operation_t *operation,
4862
    mbedtls_svc_key_id_t key, psa_algorithm_t alg,
4863
    const uint8_t *hash, size_t hash_length,
4864
    const uint8_t *signature, size_t signature_length);
4865

4866
/**
4867
 * \brief                       Continue and eventually complete the action of
4868
 *                              reading and verifying a hash or short message
4869
 *                              signed with a private key, in an interruptible
4870
 *                              manner.
4871
 *
4872
 * \see                         \c psa_verify_hash_start()
4873
 *
4874
 * \warning                     This is a beta API, and thus subject to change
4875
 *                              at any point. It is not bound by the usual
4876
 *                              interface stability promises.
4877
 *
4878
 * \note                        This function combined with \c
4879
 *                              psa_verify_hash_start() is equivalent to
4880
 *                              \c psa_verify_hash() but this function can
4881
 *                              return early and resume according to the limit
4882
 *                              set with \c psa_interruptible_set_max_ops() to
4883
 *                              reduce the maximum time spent in a function
4884
 *                              call.
4885
 *
4886
 * \note                        Users should call this function on the same
4887
 *                              operation object repeatedly until it either
4888
 *                              returns 0 or an error. This function will return
4889
 *                              #PSA_OPERATION_INCOMPLETE if there is more work
4890
 *                              to do. Alternatively users can call
4891
 *                              \c psa_verify_hash_abort() at any point if they
4892
 *                              no longer want the result.
4893
 *
4894
 * \note                        When this function returns successfully, the
4895
 *                              operation becomes inactive. If this function
4896
 *                              returns an error status, the operation enters an
4897
 *                              error state and must be aborted by calling
4898
 *                              \c psa_verify_hash_abort().
4899
 *
4900
 * \param[in, out] operation    The \c psa_verify_hash_interruptible_operation_t
4901
 *                              to use. This must be initialized first, and have
4902
 *                              had \c psa_verify_hash_start() called with it
4903
 *                              first.
4904
 *
4905
 * \retval #PSA_SUCCESS
4906
 *         Operation completed successfully, and the passed signature is valid.
4907
 *
4908
 * \retval #PSA_OPERATION_INCOMPLETE
4909
 *         Operation was interrupted due to the setting of \c
4910
 *         psa_interruptible_set_max_ops(). There is still work to be done.
4911
 *         Call this function again with the same operation object.
4912
 *
4913
 * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
4914
 * \retval #PSA_ERROR_INVALID_SIGNATURE
4915
 *         The calculation was performed successfully, but the passed
4916
 *         signature is not a valid signature.
4917
 * \retval #PSA_ERROR_BAD_STATE
4918
 *         An operation was not previously started on this context via
4919
 *         \c psa_verify_hash_start().
4920
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4921
 * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
4922
 * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
4923
 * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
4924
 * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
4925
 * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
4926
 * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
4927
 * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
4928
 * \retval #PSA_ERROR_DATA_INVALID \emptydescription
4929
 * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
4930
 * \retval #PSA_ERROR_BAD_STATE
4931
 *         The library has either not been previously initialized by
4932
 *         psa_crypto_init() or you did not previously call
4933
 *         psa_verify_hash_start() on this object. It is
4934
 *         implementation-dependent whether a failure to initialize results in
4935
 *         this error code.
4936
 */
4937
psa_status_t psa_verify_hash_complete(
4938
    psa_verify_hash_interruptible_operation_t *operation);
4939

4940
/**
4941
 * \brief                     Abort a verify hash operation.
4942
 *
4943
 * \warning                   This is a beta API, and thus subject to change at
4944
 *                            any point. It is not bound by the usual interface
4945
 *                            stability promises.
4946
 *
4947
 * \note                      This function is the only function that clears the
4948
 *                            number of ops completed as part of the operation.
4949
 *                            Please ensure you copy this value via
4950
 *                            \c psa_verify_hash_get_num_ops() if required
4951
 *                            before calling.
4952
 *
4953
 * \note                      Aborting an operation frees all associated
4954
 *                            resources except for the operation structure
4955
 *                            itself. Once aborted, the operation object can be
4956
 *                            reused for another operation by calling \c
4957
 *                            psa_verify_hash_start() again.
4958
 *
4959
 * \note                      You may call this function any time after the
4960
 *                            operation object has been initialized.
4961
 *                            In particular, calling \c psa_verify_hash_abort()
4962
 *                            after the operation has already been terminated by
4963
 *                            a call to \c psa_verify_hash_abort() or
4964
 *                            psa_verify_hash_complete() is safe.
4965
 *
4966
 * \param[in,out] operation   Initialized verify hash operation.
4967
 *
4968
 * \retval #PSA_SUCCESS
4969
 *         The operation was aborted successfully.
4970
 *
4971
 * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
4972
 * \retval #PSA_ERROR_BAD_STATE
4973
 *         The library has not been previously initialized by psa_crypto_init().
4974
 *         It is implementation-dependent whether a failure to initialize
4975
 *         results in this error code.
4976
 */
4977
psa_status_t psa_verify_hash_abort(
4978
    psa_verify_hash_interruptible_operation_t *operation);
4979

4980

4981
/**@}*/
4982

4983
#ifdef __cplusplus
4984
}
4985
#endif
4986

4987
/* The file "crypto_extra.h" contains vendor-specific definitions. This
4988
 * can include vendor-defined algorithms, extra functions, etc. */
4989
#include "crypto_extra.h"
4990

4991
#endif /* PSA_CRYPTO_H */
4992

4993