Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
godotengine
GitHub Repository: godotengine/godot
 Path: blob/master/thirdparty/mbedtls/include/psa/crypto_sizes.h
9904 views
1
/**

2
 * \file psa/crypto_sizes.h

3
 *

4
 * \brief PSA cryptography module: Mbed TLS buffer size macros

5
 *

6
 * \note This file may not be included directly. Applications must

7
 * include psa/crypto.h.

8
 *

9
 * This file contains the definitions of macros that are useful to

10
 * compute buffer sizes. The signatures and semantics of these macros

11
 * are standardized, but the definitions are not, because they depend on

12
 * the available algorithms and, in some cases, on permitted tolerances

13
 * on buffer sizes.

14
 *

15
 * In implementations with isolation between the application and the

16
 * cryptography module, implementers should take care to ensure that

17
 * the definitions that are exposed to applications match what the

18
 * module implements.

19
 *

20
 * Macros that compute sizes whose values do not depend on the

21
 * implementation are in crypto.h.

22
 */

23
/*

24
 *  Copyright The Mbed TLS Contributors

25
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

26
 */

27


28
#ifndef PSA_CRYPTO_SIZES_H

29
#define PSA_CRYPTO_SIZES_H

30


31
/*

32
 * Include the build-time configuration information header. Here, we do not

33
 * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which

34
 * is basically just an alias to it. This is to ease the maintenance of the

35
 * TF-PSA-Crypto repository which has a different build system and

36
 * configuration.

37
 */

38
#include "psa/build_info.h"

39


40
#define PSA_BITS_TO_BYTES(bits) (((bits) + 7u) / 8u)

41
#define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8u)

42
#define PSA_MAX_OF_THREE(a, b, c) ((a) <= (b) ? (b) <= (c) ? \

43
                                   (c) : (b) : (a) <= (c) ? (c) : (a))

44


45
#define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \

46
    (((length) + (block_size) - 1) / (block_size) * (block_size))

47


48
/** The size of the output of psa_hash_finish(), in bytes.

49
 *

50
 * This is also the hash size that psa_hash_verify() expects.

51
 *

52
 * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that

53
 *              #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm

54
 *              (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a

55
 *              hash algorithm).

56
 *

57
 * \return The hash size for the specified hash algorithm.

58
 *         If the hash algorithm is not recognized, return 0.

59
 */

60
#define PSA_HASH_LENGTH(alg)                                        \

61
    (                                                               \

62
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16u :           \

63
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20u :     \

64
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20u :         \

65
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28u :       \

66
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32u :       \

67
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48u :       \

68
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64u :       \

69
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28u :   \

70
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32u :   \

71
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28u :      \

72
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32u :      \

73
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48u :      \

74
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64u :      \

75
        0u)

76


77
/** The input block size of a hash algorithm, in bytes.

78
 *

79
 * Hash algorithms process their input data in blocks. Hash operations will

80
 * retain any partial blocks until they have enough input to fill the block or

81
 * until the operation is finished.

82
 * This affects the output from psa_hash_suspend().

83
 *

84
 * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that

85
 *              PSA_ALG_IS_HASH(\p alg) is true).

86
 *

87
 * \return      The block size in bytes for the specified hash algorithm.

88
 *              If the hash algorithm is not recognized, return 0.

89
 *              An implementation can return either 0 or the correct size for a

90
 *              hash algorithm that it recognizes, but does not support.

91
 */

92
#define PSA_HASH_BLOCK_LENGTH(alg)                                  \

93
    (                                                               \

94
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64u :           \

95
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64u :     \

96
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64u :         \

97
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64u :       \

98
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64u :       \

99
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128u :      \

100
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128u :      \

101
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128u :  \

102
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128u :  \

103
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144u :     \

104
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136u :     \

105
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104u :     \

106
        PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72u :      \

107
        0u)

108


109
/** \def PSA_HASH_MAX_SIZE

110
 *

111
 * Maximum size of a hash.

112
 *

113
 * This macro expands to a compile-time constant integer. This value

114
 * is the maximum size of a hash in bytes.

115
 */

116
/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-224,

117
 * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for

118
 * HMAC-SHA3-512. */

119
/* Note: PSA_HASH_MAX_SIZE should be kept in sync with MBEDTLS_MD_MAX_SIZE,

120
 * see the note on MBEDTLS_MD_MAX_SIZE for details. */

121
#if defined(PSA_WANT_ALG_SHA3_224)

122
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 144u

123
#elif defined(PSA_WANT_ALG_SHA3_256)

124
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 136u

125
#elif defined(PSA_WANT_ALG_SHA_512)

126
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128u

127
#elif defined(PSA_WANT_ALG_SHA_384)

128
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128u

129
#elif defined(PSA_WANT_ALG_SHA3_384)

130
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 104u

131
#elif defined(PSA_WANT_ALG_SHA3_512)

132
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 72u

133
#elif defined(PSA_WANT_ALG_SHA_256)

134
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u

135
#elif defined(PSA_WANT_ALG_SHA_224)

136
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u

137
#else /* SHA-1 or smaller */

138
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64u

139
#endif

140


141
#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA3_512)

142
#define PSA_HASH_MAX_SIZE 64u

143
#elif defined(PSA_WANT_ALG_SHA_384) || defined(PSA_WANT_ALG_SHA3_384)

144
#define PSA_HASH_MAX_SIZE 48u

145
#elif defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA3_256)

146
#define PSA_HASH_MAX_SIZE 32u

147
#elif defined(PSA_WANT_ALG_SHA_224) || defined(PSA_WANT_ALG_SHA3_224)

148
#define PSA_HASH_MAX_SIZE 28u

149
#else /* SHA-1 or smaller */

150
#define PSA_HASH_MAX_SIZE 20u

151
#endif

152


153
/** \def PSA_MAC_MAX_SIZE

154
 *

155
 * Maximum size of a MAC.

156
 *

157
 * This macro expands to a compile-time constant integer. This value

158
 * is the maximum size of a MAC in bytes.

159
 */

160
/* All non-HMAC MACs have a maximum size that's smaller than the

161
 * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */

162
/* Note that the encoding of truncated MAC algorithms limits this value

163
 * to 64 bytes.

164
 */

165
#define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE

166


167
/** The length of a tag for an AEAD algorithm, in bytes.

168
 *

169
 * This macro can be used to allocate a buffer of sufficient size to store the

170
 * tag output from psa_aead_finish().

171
 *

172
 * See also #PSA_AEAD_TAG_MAX_SIZE.

173
 *

174
 * \param key_type            The type of the AEAD key.

175
 * \param key_bits            The size of the AEAD key in bits.

176
 * \param alg                 An AEAD algorithm

177
 *                            (\c PSA_ALG_XXX value such that

178
 *                            #PSA_ALG_IS_AEAD(\p alg) is true).

179
 *

180
 * \return                    The tag length for the specified algorithm and key.

181
 *                            If the AEAD algorithm does not have an identified

182
 *                            tag that can be distinguished from the rest of

183
 *                            the ciphertext, return 0.

184
 *                            If the key type or AEAD algorithm is not

185
 *                            recognized, or the parameters are incompatible,

186
 *                            return 0.

187
 */

188
#define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg)                        \

189
    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                            \

190
     PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :                                     \

191
     ((void) (key_bits), 0u))

192


193
/** The maximum tag size for all supported AEAD algorithms, in bytes.

194
 *

195
 * See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).

196
 */

197
#define PSA_AEAD_TAG_MAX_SIZE       16u

198


199
/* The maximum size of an RSA key on this implementation, in bits.

200
 * This is a vendor-specific macro.

201
 *

202
 * Mbed TLS does not set a hard limit on the size of RSA keys: any key

203
 * whose parameters fit in a bignum is accepted. However large keys can

204
 * induce a large memory usage and long computation times. Unlike other

205
 * auxiliary macros in this file and in crypto.h, which reflect how the

206
 * library is configured, this macro defines how the library is

207
 * configured. This implementation refuses to import or generate an

208
 * RSA key whose size is larger than the value defined here.

209
 *

210
 * Note that an implementation may set different size limits for different

211
 * operations, and does not need to accept all key sizes up to the limit. */

212
#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096u

213


214
/* The minimum size of an RSA key on this implementation, in bits.

215
 * This is a vendor-specific macro.

216
 *

217
 * Limits RSA key generation to a minimum due to avoid accidental misuse.

218
 * This value cannot be less than 128 bits.

219
 */

220
#if defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS)

221
#define PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS MBEDTLS_RSA_GEN_KEY_MIN_BITS

222
#else

223
#define PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS 1024

224
#endif

225


226
/* The maximum size of an DH key on this implementation, in bits.

227
 * This is a vendor-specific macro.*/

228
#if defined(PSA_WANT_DH_RFC7919_8192)

229
#define PSA_VENDOR_FFDH_MAX_KEY_BITS 8192u

230
#elif defined(PSA_WANT_DH_RFC7919_6144)

231
#define PSA_VENDOR_FFDH_MAX_KEY_BITS 6144u

232
#elif defined(PSA_WANT_DH_RFC7919_4096)

233
#define PSA_VENDOR_FFDH_MAX_KEY_BITS 4096u

234
#elif defined(PSA_WANT_DH_RFC7919_3072)

235
#define PSA_VENDOR_FFDH_MAX_KEY_BITS 3072u

236
#elif defined(PSA_WANT_DH_RFC7919_2048)

237
#define PSA_VENDOR_FFDH_MAX_KEY_BITS 2048u

238
#else

239
#define PSA_VENDOR_FFDH_MAX_KEY_BITS 0u

240
#endif

241


242
/* The maximum size of an ECC key on this implementation, in bits.

243
 * This is a vendor-specific macro. */

244
#if defined(PSA_WANT_ECC_SECP_R1_521)

245
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 521u

246
#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)

247
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 512u

248
#elif defined(PSA_WANT_ECC_MONTGOMERY_448)

249
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 448u

250
#elif defined(PSA_WANT_ECC_SECP_R1_384)

251
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384u

252
#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)

253
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 384u

254
#elif defined(PSA_WANT_ECC_SECP_R1_256)

255
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u

256
#elif defined(PSA_WANT_ECC_SECP_K1_256)

257
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u

258
#elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)

259
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 256u

260
#elif defined(PSA_WANT_ECC_MONTGOMERY_255)

261
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 255u

262
#elif defined(PSA_WANT_ECC_SECP_R1_224)

263
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224u

264
#elif defined(PSA_WANT_ECC_SECP_K1_224)

265
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 224u

266
#elif defined(PSA_WANT_ECC_SECP_R1_192)

267
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192u

268
#elif defined(PSA_WANT_ECC_SECP_K1_192)

269
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 192u

270
#else

271
#define PSA_VENDOR_ECC_MAX_CURVE_BITS 0u

272
#endif

273


274
/** This macro returns the maximum supported length of the PSK for the

275
 * TLS-1.2 PSK-to-MS key derivation

276
 * (#PSA_ALG_TLS12_PSK_TO_MS(\c hash_alg)).

277
 *

278
 * The maximum supported length does not depend on the chosen hash algorithm.

279
 *

280
 * Quoting RFC 4279, Sect 5.3:

281
 * TLS implementations supporting these ciphersuites MUST support

282
 * arbitrary PSK identities up to 128 octets in length, and arbitrary

283
 * PSKs up to 64 octets in length.  Supporting longer identities and

284
 * keys is RECOMMENDED.

285
 *

286
 * Therefore, no implementation should define a value smaller than 64

287
 * for #PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.

288
 */

289
#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128u

290


291
/* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,

292
 * which is expected to work with P-256 curve only. */

293
#define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65u

294


295
/* The size of a serialized K.X coordinate to be used in

296
 * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256

297
 * curve. */

298
#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32u

299


300
/* The maximum number of iterations for PBKDF2 on this implementation, in bits.

301
 * This is a vendor-specific macro. This can be configured if necessary */

302
#define PSA_VENDOR_PBKDF2_MAX_ITERATIONS 0xffffffffU

303


304
/** The maximum size of a block cipher. */

305
#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16u

306


307
/** The size of the output of psa_mac_sign_finish(), in bytes.

308
 *

309
 * This is also the MAC size that psa_mac_verify_finish() expects.

310
 *

311
 * \warning This macro may evaluate its arguments multiple times or

312
 *          zero times, so you should not pass arguments that contain

313
 *          side effects.

314
 *

315
 * \param key_type      The type of the MAC key.

316
 * \param key_bits      The size of the MAC key in bits.

317
 * \param alg           A MAC algorithm (\c PSA_ALG_XXX value such that

318
 *                      #PSA_ALG_IS_MAC(\p alg) is true).

319
 *

320
 * \return              The MAC size for the specified algorithm with

321
 *                      the specified key parameters.

322
 * \return              0 if the MAC algorithm is not recognized.

323
 * \return              Either 0 or the correct size for a MAC algorithm that

324
 *                      the implementation recognizes, but does not support.

325
 * \return              Unspecified if the key parameters are not consistent

326
 *                      with the algorithm.

327
 */

328
#define PSA_MAC_LENGTH(key_type, key_bits, alg)                                   \

329
    ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) :        \

330
     PSA_ALG_IS_HMAC(alg) ? PSA_HASH_LENGTH(PSA_ALG_HMAC_GET_HASH(alg)) :         \

331
     PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \

332
     ((void) (key_type), (void) (key_bits), 0u))

333


334
/** The maximum size of the output of psa_aead_encrypt(), in bytes.

335
 *

336
 * If the size of the ciphertext buffer is at least this large, it is

337
 * guaranteed that psa_aead_encrypt() will not fail due to an

338
 * insufficient buffer size. Depending on the algorithm, the actual size of

339
 * the ciphertext may be smaller.

340
 *

341
 * See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).

342
 *

343
 * \warning This macro may evaluate its arguments multiple times or

344
 *          zero times, so you should not pass arguments that contain

345
 *          side effects.

346
 *

347
 * \param key_type            A symmetric key type that is

348
 *                            compatible with algorithm \p alg.

349
 * \param alg                 An AEAD algorithm

350
 *                            (\c PSA_ALG_XXX value such that

351
 *                            #PSA_ALG_IS_AEAD(\p alg) is true).

352
 * \param plaintext_length    Size of the plaintext in bytes.

353
 *

354
 * \return                    The AEAD ciphertext size for the specified

355
 *                            algorithm.

356
 *                            If the key type or AEAD algorithm is not

357
 *                            recognized, or the parameters are incompatible,

358
 *                            return 0.

359
 */

360
#define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \

361
    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                      \

362
     (plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :          \

363
     0u)

364


365
/** A sufficient output buffer size for psa_aead_encrypt(), for any of the

366
 *  supported key types and AEAD algorithms.

367
 *

368
 * If the size of the ciphertext buffer is at least this large, it is guaranteed

369
 * that psa_aead_encrypt() will not fail due to an insufficient buffer size.

370
 *

371
 * \note This macro returns a compile-time constant if its arguments are

372
 *       compile-time constants.

373
 *

374
 * See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,

375
 * \p plaintext_length).

376
 *

377
 * \param plaintext_length    Size of the plaintext in bytes.

378
 *

379
 * \return                    A sufficient output buffer size for any of the

380
 *                            supported key types and AEAD algorithms.

381
 *

382
 */

383
#define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length)          \

384
    ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)

385


386


387
/** The maximum size of the output of psa_aead_decrypt(), in bytes.

388
 *

389
 * If the size of the plaintext buffer is at least this large, it is

390
 * guaranteed that psa_aead_decrypt() will not fail due to an

391
 * insufficient buffer size. Depending on the algorithm, the actual size of

392
 * the plaintext may be smaller.

393
 *

394
 * See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).

395
 *

396
 * \warning This macro may evaluate its arguments multiple times or

397
 *          zero times, so you should not pass arguments that contain

398
 *          side effects.

399
 *

400
 * \param key_type            A symmetric key type that is

401
 *                            compatible with algorithm \p alg.

402
 * \param alg                 An AEAD algorithm

403
 *                            (\c PSA_ALG_XXX value such that

404
 *                            #PSA_ALG_IS_AEAD(\p alg) is true).

405
 * \param ciphertext_length   Size of the plaintext in bytes.

406
 *

407
 * \return                    The AEAD ciphertext size for the specified

408
 *                            algorithm.

409
 *                            If the key type or AEAD algorithm is not

410
 *                            recognized, or the parameters are incompatible,

411
 *                            return 0.

412
 */

413
#define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \

414
    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&                      \

415
     (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ?      \

416
     (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :      \

417
     0u)

418


419
/** A sufficient output buffer size for psa_aead_decrypt(), for any of the

420
 *  supported key types and AEAD algorithms.

421
 *

422
 * If the size of the plaintext buffer is at least this large, it is guaranteed

423
 * that psa_aead_decrypt() will not fail due to an insufficient buffer size.

424
 *

425
 * \note This macro returns a compile-time constant if its arguments are

426
 *       compile-time constants.

427
 *

428
 * See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,

429
 * \p ciphertext_length).

430
 *

431
 * \param ciphertext_length   Size of the ciphertext in bytes.

432
 *

433
 * \return                    A sufficient output buffer size for any of the

434
 *                            supported key types and AEAD algorithms.

435
 *

436
 */

437
#define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length)     \

438
    (ciphertext_length)

439


440
/** The default nonce size for an AEAD algorithm, in bytes.

441
 *

442
 * This macro can be used to allocate a buffer of sufficient size to

443
 * store the nonce output from #psa_aead_generate_nonce().

444
 *

445
 * See also #PSA_AEAD_NONCE_MAX_SIZE.

446
 *

447
 * \note This is not the maximum size of nonce supported as input to

448
 *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),

449
 *       just the default size that is generated by #psa_aead_generate_nonce().

450
 *

451
 * \warning This macro may evaluate its arguments multiple times or

452
 *          zero times, so you should not pass arguments that contain

453
 *          side effects.

454
 *

455
 * \param key_type  A symmetric key type that is compatible with

456
 *                  algorithm \p alg.

457
 *

458
 * \param alg       An AEAD algorithm (\c PSA_ALG_XXX value such that

459
 *                  #PSA_ALG_IS_AEAD(\p alg) is true).

460
 *

461
 * \return The default nonce size for the specified key type and algorithm.

462
 *         If the key type or AEAD algorithm is not recognized,

463
 *         or the parameters are incompatible, return 0.

464
 */

465
#define PSA_AEAD_NONCE_LENGTH(key_type, alg) \

466
    (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \

467
     MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13u : \

468
     MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12u : \

469
     0u : \

470
     (key_type) == PSA_KEY_TYPE_CHACHA20 && \

471
     MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12u : \

472
     0u)

473


474
/** The maximum default nonce size among all supported pairs of key types and

475
 *  AEAD algorithms, in bytes.

476
 *

477
 * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH()

478
 * may return.

479
 *

480
 * \note This is not the maximum size of nonce supported as input to

481
 *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),

482
 *       just the largest size that may be generated by

483
 *       #psa_aead_generate_nonce().

484
 */

485
#define PSA_AEAD_NONCE_MAX_SIZE 13u

486


487
/** A sufficient output buffer size for psa_aead_update().

488
 *

489
 * If the size of the output buffer is at least this large, it is

490
 * guaranteed that psa_aead_update() will not fail due to an

491
 * insufficient buffer size. The actual size of the output may be smaller

492
 * in any given call.

493
 *

494
 * See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).

495
 *

496
 * \warning This macro may evaluate its arguments multiple times or

497
 *          zero times, so you should not pass arguments that contain

498
 *          side effects.

499
 *

500
 * \param key_type            A symmetric key type that is

501
 *                            compatible with algorithm \p alg.

502
 * \param alg                 An AEAD algorithm

503
 *                            (\c PSA_ALG_XXX value such that

504
 *                            #PSA_ALG_IS_AEAD(\p alg) is true).

505
 * \param input_length        Size of the input in bytes.

506
 *

507
 * \return                    A sufficient output buffer size for the specified

508
 *                            algorithm.

509
 *                            If the key type or AEAD algorithm is not

510
 *                            recognized, or the parameters are incompatible,

511
 *                            return 0.

512
 */

513
/* For all the AEAD modes defined in this specification, it is possible

514
 * to emit output without delay. However, hardware may not always be

515
 * capable of this. So for modes based on a block cipher, allow the

516
 * implementation to delay the output until it has a full block. */

517
#define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)                             \

518
    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                                             \

519
     PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?                                              \

520
     PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \

521
     (input_length) : \

522
     0u)

523


524
/** A sufficient output buffer size for psa_aead_update(), for any of the

525
 *  supported key types and AEAD algorithms.

526
 *

527
 * If the size of the output buffer is at least this large, it is guaranteed

528
 * that psa_aead_update() will not fail due to an insufficient buffer size.

529
 *

530
 * See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).

531
 *

532
 * \param input_length      Size of the input in bytes.

533
 */

534
#define PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_length)                           \

535
    (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)))

536


537
/** A sufficient ciphertext buffer size for psa_aead_finish().

538
 *

539
 * If the size of the ciphertext buffer is at least this large, it is

540
 * guaranteed that psa_aead_finish() will not fail due to an

541
 * insufficient ciphertext buffer size. The actual size of the output may

542
 * be smaller in any given call.

543
 *

544
 * See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.

545
 *

546
 * \param key_type            A symmetric key type that is

547
                              compatible with algorithm \p alg.

548
 * \param alg                 An AEAD algorithm

549
 *                            (\c PSA_ALG_XXX value such that

550
 *                            #PSA_ALG_IS_AEAD(\p alg) is true).

551
 *

552
 * \return                    A sufficient ciphertext buffer size for the

553
 *                            specified algorithm.

554
 *                            If the key type or AEAD algorithm is not

555
 *                            recognized, or the parameters are incompatible,

556
 *                            return 0.

557
 */

558
#define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \

559
    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \

560
     PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \

561
     PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \

562
     0u)

563


564
/** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the

565
 *  supported key types and AEAD algorithms.

566
 *

567
 * See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).

568
 */

569
#define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)

570


571
/** A sufficient plaintext buffer size for psa_aead_verify().

572
 *

573
 * If the size of the plaintext buffer is at least this large, it is

574
 * guaranteed that psa_aead_verify() will not fail due to an

575
 * insufficient plaintext buffer size. The actual size of the output may

576
 * be smaller in any given call.

577
 *

578
 * See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.

579
 *

580
 * \param key_type            A symmetric key type that is

581
 *                            compatible with algorithm \p alg.

582
 * \param alg                 An AEAD algorithm

583
 *                            (\c PSA_ALG_XXX value such that

584
 *                            #PSA_ALG_IS_AEAD(\p alg) is true).

585
 *

586
 * \return                    A sufficient plaintext buffer size for the

587
 *                            specified algorithm.

588
 *                            If the key type or AEAD algorithm is not

589
 *                            recognized, or the parameters are incompatible,

590
 *                            return 0.

591
 */

592
#define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \

593
    (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \

594
     PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \

595
     PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \

596
     0u)

597


598
/** A sufficient plaintext buffer size for psa_aead_verify(), for any of the

599
 *  supported key types and AEAD algorithms.

600
 *

601
 * See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).

602
 */

603
#define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)

604


605
#define PSA_RSA_MINIMUM_PADDING_SIZE(alg)                         \

606
    (PSA_ALG_IS_RSA_OAEP(alg) ?                                   \

607
     2u * PSA_HASH_LENGTH(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1u :   \

608
     11u /*PKCS#1v1.5*/)

609


610
/**

611
 * \brief ECDSA signature size for a given curve bit size

612
 *

613
 * \param curve_bits    Curve size in bits.

614
 * \return              Signature size in bytes.

615
 *

616
 * \note This macro returns a compile-time constant if its argument is one.

617
 */

618
#define PSA_ECDSA_SIGNATURE_SIZE(curve_bits)    \

619
    (PSA_BITS_TO_BYTES(curve_bits) * 2u)

620


621
/** Sufficient signature buffer size for psa_sign_hash().

622
 *

623
 * This macro returns a sufficient buffer size for a signature using a key

624
 * of the specified type and size, with the specified algorithm.

625
 * Note that the actual size of the signature may be smaller

626
 * (some algorithms produce a variable-size signature).

627
 *

628
 * \warning This function may call its arguments multiple times or

629
 *          zero times, so you should not pass arguments that contain

630
 *          side effects.

631
 *

632
 * \param key_type  An asymmetric key type (this may indifferently be a

633
 *                  key pair type or a public key type).

634
 * \param key_bits  The size of the key in bits.

635
 * \param alg       The signature algorithm.

636
 *

637
 * \return If the parameters are valid and supported, return

638
 *         a buffer size in bytes that guarantees that

639
 *         psa_sign_hash() will not fail with

640
 *         #PSA_ERROR_BUFFER_TOO_SMALL.

641
 *         If the parameters are a valid combination that is not supported,

642
 *         return either a sensible size or 0.

643
 *         If the parameters are not valid, the

644
 *         return value is unspecified.

645
 */

646
#define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg)        \

647
    (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void) alg, PSA_BITS_TO_BYTES(key_bits)) : \

648
     PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \

649
     ((void) alg, 0u))

650


651
#define PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE     \

652
    PSA_ECDSA_SIGNATURE_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)

653


654
/** \def PSA_SIGNATURE_MAX_SIZE

655
 *

656
 * Maximum size of an asymmetric signature.

657
 *

658
 * This macro expands to a compile-time constant integer. This value

659
 * is the maximum size of a signature in bytes.

660
 */

661
#define PSA_SIGNATURE_MAX_SIZE      1

662


663
#if (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)) && \

664
    (PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE > PSA_SIGNATURE_MAX_SIZE)

665
#undef PSA_SIGNATURE_MAX_SIZE

666
#define PSA_SIGNATURE_MAX_SIZE      PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE

667
#endif

668
#if (defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) || defined(PSA_WANT_ALG_RSA_PSS)) && \

669
    (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) > PSA_SIGNATURE_MAX_SIZE)

670
#undef PSA_SIGNATURE_MAX_SIZE

671
#define PSA_SIGNATURE_MAX_SIZE      PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS)

672
#endif

673


674
/** Sufficient output buffer size for psa_asymmetric_encrypt().

675
 *

676
 * This macro returns a sufficient buffer size for a ciphertext produced using

677
 * a key of the specified type and size, with the specified algorithm.

678
 * Note that the actual size of the ciphertext may be smaller, depending

679
 * on the algorithm.

680
 *

681
 * \warning This function may call its arguments multiple times or

682
 *          zero times, so you should not pass arguments that contain

683
 *          side effects.

684
 *

685
 * \param key_type  An asymmetric key type (this may indifferently be a

686
 *                  key pair type or a public key type).

687
 * \param key_bits  The size of the key in bits.

688
 * \param alg       The asymmetric encryption algorithm.

689
 *

690
 * \return If the parameters are valid and supported, return

691
 *         a buffer size in bytes that guarantees that

692
 *         psa_asymmetric_encrypt() will not fail with

693
 *         #PSA_ERROR_BUFFER_TOO_SMALL.

694
 *         If the parameters are a valid combination that is not supported,

695
 *         return either a sensible size or 0.

696
 *         If the parameters are not valid, the

697
 *         return value is unspecified.

698
 */

699
#define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \

700
    (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \

701
     ((void) alg, PSA_BITS_TO_BYTES(key_bits)) :                         \

702
     0u)

703


704
/** A sufficient output buffer size for psa_asymmetric_encrypt(), for any

705
 *  supported asymmetric encryption.

706
 *

707
 * See also #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).

708
 */

709
/* This macro assumes that RSA is the only supported asymmetric encryption. */

710
#define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE          \

711
    (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))

712


713
/** Sufficient output buffer size for psa_asymmetric_decrypt().

714
 *

715
 * This macro returns a sufficient buffer size for a plaintext produced using

716
 * a key of the specified type and size, with the specified algorithm.

717
 * Note that the actual size of the plaintext may be smaller, depending

718
 * on the algorithm.

719
 *

720
 * \warning This function may call its arguments multiple times or

721
 *          zero times, so you should not pass arguments that contain

722
 *          side effects.

723
 *

724
 * \param key_type  An asymmetric key type (this may indifferently be a

725
 *                  key pair type or a public key type).

726
 * \param key_bits  The size of the key in bits.

727
 * \param alg       The asymmetric encryption algorithm.

728
 *

729
 * \return If the parameters are valid and supported, return

730
 *         a buffer size in bytes that guarantees that

731
 *         psa_asymmetric_decrypt() will not fail with

732
 *         #PSA_ERROR_BUFFER_TOO_SMALL.

733
 *         If the parameters are a valid combination that is not supported,

734
 *         return either a sensible size or 0.

735
 *         If the parameters are not valid, the

736
 *         return value is unspecified.

737
 */

738
#define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \

739
    (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \

740
     PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) :  \

741
     0u)

742


743
/** A sufficient output buffer size for psa_asymmetric_decrypt(), for any

744
 *  supported asymmetric decryption.

745
 *

746
 * This macro assumes that RSA is the only supported asymmetric encryption.

747
 *

748
 * See also #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).

749
 */

750
#define PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE          \

751
    (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))

752


753
/* Maximum size of the ASN.1 encoding of an INTEGER with the specified

754
 * number of bits.

755
 *

756
 * This definition assumes that bits <= 2^19 - 9 so that the length field

757
 * is at most 3 bytes. The length of the encoding is the length of the

758
 * bit string padded to a whole number of bytes plus:

759
 * - 1 type byte;

760
 * - 1 to 3 length bytes;

761
 * - 0 to 1 bytes of leading 0 due to the sign bit.

762
 */

763
#define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits)      \

764
    ((bits) / 8u + 5u)

765


766
/* Maximum size of the export encoding of an RSA public key.

767
 * Assumes that the public exponent is less than 2^32.

768
 *

769
 * RSAPublicKey  ::=  SEQUENCE  {

770
 *    modulus            INTEGER,    -- n

771
 *    publicExponent     INTEGER  }  -- e

772
 *

773
 * - 4 bytes of SEQUENCE overhead;

774
 * - n : INTEGER;

775
 * - 7 bytes for the public exponent.

776
 */

777
#define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \

778
    (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11u)

779


780
/* Maximum size of the export encoding of an RSA key pair.

781
 * Assumes that the public exponent is less than 2^32 and that the size

782
 * difference between the two primes is at most 1 bit.

783
 *

784
 * RSAPrivateKey ::= SEQUENCE {

785
 *     version           Version,  -- 0

786
 *     modulus           INTEGER,  -- N-bit

787
 *     publicExponent    INTEGER,  -- 32-bit

788
 *     privateExponent   INTEGER,  -- N-bit

789
 *     prime1            INTEGER,  -- N/2-bit

790
 *     prime2            INTEGER,  -- N/2-bit

791
 *     exponent1         INTEGER,  -- N/2-bit

792
 *     exponent2         INTEGER,  -- N/2-bit

793
 *     coefficient       INTEGER,  -- N/2-bit

794
 * }

795
 *

796
 * - 4 bytes of SEQUENCE overhead;

797
 * - 3 bytes of version;

798
 * - 7 half-size INTEGERs plus 2 full-size INTEGERs,

799
 *   overapproximated as 9 half-size INTEGERS;

800
 * - 7 bytes for the public exponent.

801
 */

802
#define PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits)   \

803
    (9u * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2u + 1u) + 14u)

804


805
/* Maximum size of the export encoding of a DSA public key.

806
 *

807
 * SubjectPublicKeyInfo  ::=  SEQUENCE  {

808
 *      algorithm            AlgorithmIdentifier,

809
 *      subjectPublicKey     BIT STRING  } -- contains DSAPublicKey

810
 * AlgorithmIdentifier  ::=  SEQUENCE  {

811
 *      algorithm               OBJECT IDENTIFIER,

812
 *      parameters              Dss-Params  } -- SEQUENCE of 3 INTEGERs

813
 * DSAPublicKey  ::=  INTEGER -- public key, Y

814
 *

815
 * - 3 * 4 bytes of SEQUENCE overhead;

816
 * - 1 + 1 + 7 bytes of algorithm (DSA OID);

817
 * - 4 bytes of BIT STRING overhead;

818
 * - 3 full-size INTEGERs (p, g, y);

819
 * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).

820
 */

821
#define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \

822
    (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3u + 59u)

823


824
/* Maximum size of the export encoding of a DSA key pair.

825
 *

826
 * DSAPrivateKey ::= SEQUENCE {

827
 *     version             Version,  -- 0

828
 *     prime               INTEGER,  -- p

829
 *     subprime            INTEGER,  -- q

830
 *     generator           INTEGER,  -- g

831
 *     public              INTEGER,  -- y

832
 *     private             INTEGER,  -- x

833
 * }

834
 *

835
 * - 4 bytes of SEQUENCE overhead;

836
 * - 3 bytes of version;

837
 * - 3 full-size INTEGERs (p, g, y);

838
 * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).

839
 */

840
#define PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits)   \

841
    (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3u + 75u)

842


843
/* Maximum size of the export encoding of an ECC public key.

844
 *

845
 * The representation of an ECC public key is:

846
 *      - The byte 0x04;

847
 *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;

848
 *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian;

849
 *      - where m is the bit size associated with the curve.

850
 *

851
 * - 1 byte + 2 * point size.

852
 */

853
#define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)        \

854
    (2u * PSA_BITS_TO_BYTES(key_bits) + 1u)

855


856
/* Maximum size of the export encoding of an ECC key pair.

857
 *

858
 * An ECC key pair is represented by the secret value.

859
 */

860
#define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits)   \

861
    (PSA_BITS_TO_BYTES(key_bits))

862


863
/* Maximum size of the export encoding of an DH key pair.

864
 *

865
 * An DH key pair is represented by the secret value.

866
 */

867
#define PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(key_bits)   \

868
    (PSA_BITS_TO_BYTES(key_bits))

869


870
/* Maximum size of the export encoding of an DH public key.

871
 */

872
#define PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(key_bits)   \

873
    (PSA_BITS_TO_BYTES(key_bits))

874


875
/** Sufficient output buffer size for psa_export_key() or

876
 * psa_export_public_key().

877
 *

878
 * This macro returns a compile-time constant if its arguments are

879
 * compile-time constants.

880
 *

881
 * \warning This macro may evaluate its arguments multiple times or

882
 *          zero times, so you should not pass arguments that contain

883
 *          side effects.

884
 *

885
 * The following code illustrates how to allocate enough memory to export

886
 * a key by querying the key type and size at runtime.

887
 * \code{c}

888
 * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;

889
 * psa_status_t status;

890
 * status = psa_get_key_attributes(key, &attributes);

891
 * if (status != PSA_SUCCESS) handle_error(...);

892
 * psa_key_type_t key_type = psa_get_key_type(&attributes);

893
 * size_t key_bits = psa_get_key_bits(&attributes);

894
 * size_t buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits);

895
 * psa_reset_key_attributes(&attributes);

896
 * uint8_t *buffer = malloc(buffer_size);

897
 * if (buffer == NULL) handle_error(...);

898
 * size_t buffer_length;

899
 * status = psa_export_key(key, buffer, buffer_size, &buffer_length);

900
 * if (status != PSA_SUCCESS) handle_error(...);

901
 * \endcode

902
 *

903
 * \param key_type  A supported key type.

904
 * \param key_bits  The size of the key in bits.

905
 *

906
 * \return If the parameters are valid and supported, return

907
 *         a buffer size in bytes that guarantees that

908
 *         psa_export_key() or psa_export_public_key() will not fail with

909
 *         #PSA_ERROR_BUFFER_TOO_SMALL.

910
 *         If the parameters are a valid combination that is not supported,

911
 *         return either a sensible size or 0.

912
 *         If the parameters are not valid, the return value is unspecified.

913
 */

914
#define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits)                                              \

915
    (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) :                         \

916
     PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) :                                   \

917
     (key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) :     \

918
     (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \

919
     (key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) :     \

920
     (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \

921
     PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) :      \

922
     PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) :  \

923
     0u)

924


925
/** Sufficient output buffer size for psa_export_public_key().

926
 *

927
 * This macro returns a compile-time constant if its arguments are

928
 * compile-time constants.

929
 *

930
 * \warning This macro may evaluate its arguments multiple times or

931
 *          zero times, so you should not pass arguments that contain

932
 *          side effects.

933
 *

934
 * The following code illustrates how to allocate enough memory to export

935
 * a public key by querying the key type and size at runtime.

936
 * \code{c}

937
 * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;

938
 * psa_status_t status;

939
 * status = psa_get_key_attributes(key, &attributes);

940
 * if (status != PSA_SUCCESS) handle_error(...);

941
 * psa_key_type_t key_type = psa_get_key_type(&attributes);

942
 * size_t key_bits = psa_get_key_bits(&attributes);

943
 * size_t buffer_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits);

944
 * psa_reset_key_attributes(&attributes);

945
 * uint8_t *buffer = malloc(buffer_size);

946
 * if (buffer == NULL) handle_error(...);

947
 * size_t buffer_length;

948
 * status = psa_export_public_key(key, buffer, buffer_size, &buffer_length);

949
 * if (status != PSA_SUCCESS) handle_error(...);

950
 * \endcode

951
 *

952
 * \param key_type      A public key or key pair key type.

953
 * \param key_bits      The size of the key in bits.

954
 *

955
 * \return              If the parameters are valid and supported, return

956
 *                      a buffer size in bytes that guarantees that

957
 *                      psa_export_public_key() will not fail with

958
 *                      #PSA_ERROR_BUFFER_TOO_SMALL.

959
 *                      If the parameters are a valid combination that is not

960
 *                      supported, return either a sensible size or 0.

961
 *                      If the parameters are not valid,

962
 *                      the return value is unspecified.

963
 *

964
 *                      If the parameters are valid and supported,

965
 *                      return the same result as

966
 *                      #PSA_EXPORT_KEY_OUTPUT_SIZE(

967
 *                          \p #PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\p key_type),

968
 *                          \p key_bits).

969
 */

970
#define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits)                           \

971
    (PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \

972
     PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \

973
     PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \

974
     0u)

975


976
/** Sufficient buffer size for exporting any asymmetric key pair.

977
 *

978
 * This macro expands to a compile-time constant integer. This value is

979
 * a sufficient buffer size when calling psa_export_key() to export any

980
 * asymmetric key pair, regardless of the exact key type and key size.

981
 *

982
 * See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).

983
 */

984
#define PSA_EXPORT_KEY_PAIR_MAX_SIZE            1

985


986
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \

987
    (PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \

988
     PSA_EXPORT_KEY_PAIR_MAX_SIZE)

989
#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE

990
#define PSA_EXPORT_KEY_PAIR_MAX_SIZE    \

991
    PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)

992
#endif

993
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && \

994
    (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \

995
     PSA_EXPORT_KEY_PAIR_MAX_SIZE)

996
#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE

997
#define PSA_EXPORT_KEY_PAIR_MAX_SIZE    \

998
    PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)

999
#endif

1000
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \

1001
    (PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) > \

1002
     PSA_EXPORT_KEY_PAIR_MAX_SIZE)

1003
#undef PSA_EXPORT_KEY_PAIR_MAX_SIZE

1004
#define PSA_EXPORT_KEY_PAIR_MAX_SIZE    \

1005
    PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)

1006
#endif

1007


1008
/** Sufficient buffer size for exporting any asymmetric public key.

1009
 *

1010
 * This macro expands to a compile-time constant integer. This value is

1011
 * a sufficient buffer size when calling psa_export_key() or

1012
 * psa_export_public_key() to export any asymmetric public key,

1013
 * regardless of the exact key type and key size.

1014
 *

1015
 * See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).

1016
 */

1017
#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE            1

1018


1019
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \

1020
    (PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \

1021
     PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)

1022
#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE

1023
#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE    \

1024
    PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)

1025
#endif

1026
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) && \

1027
    (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \

1028
     PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)

1029
#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE

1030
#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE    \

1031
    PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS)

1032
#endif

1033
#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \

1034
    (PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS) > \

1035
     PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)

1036
#undef PSA_EXPORT_PUBLIC_KEY_MAX_SIZE

1037
#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE    \

1038
    PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)

1039
#endif

1040


1041
#define PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE \

1042
    ((PSA_EXPORT_KEY_PAIR_MAX_SIZE > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) ? \

1043
     PSA_EXPORT_KEY_PAIR_MAX_SIZE : PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)

1044


1045
/** Sufficient output buffer size for psa_raw_key_agreement().

1046
 *

1047
 * This macro returns a compile-time constant if its arguments are

1048
 * compile-time constants.

1049
 *

1050
 * \warning This macro may evaluate its arguments multiple times or

1051
 *          zero times, so you should not pass arguments that contain

1052
 *          side effects.

1053
 *

1054
 * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE.

1055
 *

1056
 * \param key_type      A supported key type.

1057
 * \param key_bits      The size of the key in bits.

1058
 *

1059
 * \return              If the parameters are valid and supported, return

1060
 *                      a buffer size in bytes that guarantees that

1061
 *                      psa_raw_key_agreement() will not fail with

1062
 *                      #PSA_ERROR_BUFFER_TOO_SMALL.

1063
 *                      If the parameters are a valid combination that

1064
 *                      is not supported, return either a sensible size or 0.

1065
 *                      If the parameters are not valid,

1066
 *                      the return value is unspecified.

1067
 */

1068
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits)   \

1069
    ((PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) || \

1070
      PSA_KEY_TYPE_IS_DH_KEY_PAIR(key_type)) ? PSA_BITS_TO_BYTES(key_bits) : 0u)

1071


1072
/** Maximum size of the output from psa_raw_key_agreement().

1073
 *

1074
 * This macro expands to a compile-time constant integer. This value is the

1075
 * maximum size of the output any raw key agreement algorithm, in bytes.

1076
 *

1077
 * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).

1078
 */

1079
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE       1

1080


1081
#if defined(PSA_WANT_ALG_ECDH) && \

1082
    (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)

1083
#undef PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE

1084
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE    PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)

1085
#endif

1086
#if defined(PSA_WANT_ALG_FFDH) && \

1087
    (PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS) > PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE)

1088
#undef PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE

1089
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE    PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS)

1090
#endif

1091


1092
/** Maximum key length for ciphers.

1093
 *

1094
 * Since there is no additional PSA_WANT_xxx symbol to specifiy the size of

1095
 * the key once a cipher is enabled (as it happens for asymmetric keys for

1096
 * example), the maximum key length is taken into account for each cipher.

1097
 * The resulting value will be the maximum cipher's key length given depending

1098
 * on which ciphers are enabled.

1099
 *

1100
 * Note: max value for AES used below would be doubled if XTS were enabled, but

1101
 *       this mode is currently not supported in Mbed TLS implementation of PSA

1102
 *       APIs.

1103
 */

1104
#if (defined(PSA_WANT_KEY_TYPE_AES) || defined(PSA_WANT_KEY_TYPE_ARIA) || \

1105
    defined(PSA_WANT_KEY_TYPE_CAMELLIA) || defined(PSA_WANT_KEY_TYPE_CHACHA20))

1106
#define PSA_CIPHER_MAX_KEY_LENGTH       32u

1107
#elif defined(PSA_WANT_KEY_TYPE_DES)

1108
#define PSA_CIPHER_MAX_KEY_LENGTH       24u

1109
#else

1110
#define PSA_CIPHER_MAX_KEY_LENGTH       0u

1111
#endif

1112


1113
/** The default IV size for a cipher algorithm, in bytes.

1114
 *

1115
 * The IV that is generated as part of a call to #psa_cipher_encrypt() is always

1116
 * the default IV length for the algorithm.

1117
 *

1118
 * This macro can be used to allocate a buffer of sufficient size to

1119
 * store the IV output from #psa_cipher_generate_iv() when using

1120
 * a multi-part cipher operation.

1121
 *

1122
 * See also #PSA_CIPHER_IV_MAX_SIZE.

1123
 *

1124
 * \warning This macro may evaluate its arguments multiple times or

1125
 *          zero times, so you should not pass arguments that contain

1126
 *          side effects.

1127
 *

1128
 * \param key_type  A symmetric key type that is compatible with algorithm \p alg.

1129
 *

1130
 * \param alg       A cipher algorithm (\c PSA_ALG_XXX value such that #PSA_ALG_IS_CIPHER(\p alg) is true).

1131
 *

1132
 * \return The default IV size for the specified key type and algorithm.

1133
 *         If the algorithm does not use an IV, return 0.

1134
 *         If the key type or cipher algorithm is not recognized,

1135
 *         or the parameters are incompatible, return 0.

1136
 */

1137
#define PSA_CIPHER_IV_LENGTH(key_type, alg) \

1138
    (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1 && \

1139
     ((alg) == PSA_ALG_CTR || \

1140
      (alg) == PSA_ALG_CFB || \

1141
      (alg) == PSA_ALG_OFB || \

1142
      (alg) == PSA_ALG_XTS || \

1143
      (alg) == PSA_ALG_CBC_NO_PADDING || \

1144
      (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \

1145
     (key_type) == PSA_KEY_TYPE_CHACHA20 && \

1146
     (alg) == PSA_ALG_STREAM_CIPHER ? 12u : \

1147
     (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13u : \

1148
     0u)

1149


1150
/** The maximum IV size for all supported cipher algorithms, in bytes.

1151
 *

1152
 * See also #PSA_CIPHER_IV_LENGTH().

1153
 */

1154
#define PSA_CIPHER_IV_MAX_SIZE 16u

1155


1156
/** The maximum size of the output of psa_cipher_encrypt(), in bytes.

1157
 *

1158
 * If the size of the output buffer is at least this large, it is guaranteed

1159
 * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.

1160
 * Depending on the algorithm, the actual size of the output might be smaller.

1161
 *

1162
 * See also #PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(\p input_length).

1163
 *

1164
 * \warning This macro may evaluate its arguments multiple times or

1165
 *          zero times, so you should not pass arguments that contain

1166
 *          side effects.

1167
 *

1168
 * \param key_type      A symmetric key type that is compatible with algorithm

1169
 *                      alg.

1170
 * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that

1171
 *                      #PSA_ALG_IS_CIPHER(\p alg) is true).

1172
 * \param input_length  Size of the input in bytes.

1173
 *

1174
 * \return              A sufficient output size for the specified key type and

1175
 *                      algorithm. If the key type or cipher algorithm is not

1176
 *                      recognized, or the parameters are incompatible,

1177
 *                      return 0.

1178
 */

1179
#define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length)     \

1180
    (alg == PSA_ALG_CBC_PKCS7 ?                                         \

1181
     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                    \

1182
      PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \

1183
                               (input_length) + 1u) +                   \

1184
      PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0u) :                   \

1185
     (PSA_ALG_IS_CIPHER(alg) ?                                          \

1186
      (input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) :        \

1187
      0u))

1188


1189
/** A sufficient output buffer size for psa_cipher_encrypt(), for any of the

1190
 *  supported key types and cipher algorithms.

1191
 *

1192
 * If the size of the output buffer is at least this large, it is guaranteed

1193
 * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.

1194
 *

1195
 * See also #PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).

1196
 *

1197
 * \param input_length  Size of the input in bytes.

1198
 *

1199
 */

1200
#define PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_length)                \

1201
    (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE,          \

1202
                              (input_length) + 1u) +                    \

1203
     PSA_CIPHER_IV_MAX_SIZE)

1204


1205
/** The maximum size of the output of psa_cipher_decrypt(), in bytes.

1206
 *

1207
 * If the size of the output buffer is at least this large, it is guaranteed

1208
 * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.

1209
 * Depending on the algorithm, the actual size of the output might be smaller.

1210
 *

1211
 * See also #PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(\p input_length).

1212
 *

1213
 * \param key_type      A symmetric key type that is compatible with algorithm

1214
 *                      alg.

1215
 * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that

1216
 *                      #PSA_ALG_IS_CIPHER(\p alg) is true).

1217
 * \param input_length  Size of the input in bytes.

1218
 *

1219
 * \return              A sufficient output size for the specified key type and

1220
 *                      algorithm. If the key type or cipher algorithm is not

1221
 *                      recognized, or the parameters are incompatible,

1222
 *                      return 0.

1223
 */

1224
#define PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_length)     \

1225
    (PSA_ALG_IS_CIPHER(alg) &&                                          \

1226
     ((key_type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \

1227
     (input_length) :                                                   \

1228
     0u)

1229


1230
/** A sufficient output buffer size for psa_cipher_decrypt(), for any of the

1231
 *  supported key types and cipher algorithms.

1232
 *

1233
 * If the size of the output buffer is at least this large, it is guaranteed

1234
 * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.

1235
 *

1236
 * See also #PSA_CIPHER_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).

1237
 *

1238
 * \param input_length  Size of the input in bytes.

1239
 */

1240
#define PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_length)    \

1241
    (input_length)

1242


1243
/** A sufficient output buffer size for psa_cipher_update().

1244
 *

1245
 * If the size of the output buffer is at least this large, it is guaranteed

1246
 * that psa_cipher_update() will not fail due to an insufficient buffer size.

1247
 * The actual size of the output might be smaller in any given call.

1248
 *

1249
 * See also #PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(\p input_length).

1250
 *

1251
 * \param key_type      A symmetric key type that is compatible with algorithm

1252
 *                      alg.

1253
 * \param alg           A cipher algorithm (PSA_ALG_XXX value such that

1254
 *                      #PSA_ALG_IS_CIPHER(\p alg) is true).

1255
 * \param input_length  Size of the input in bytes.

1256
 *

1257
 * \return              A sufficient output size for the specified key type and

1258
 *                      algorithm. If the key type or cipher algorithm is not

1259
 *                      recognized, or the parameters are incompatible, return 0.

1260
 */

1261
#define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)      \

1262
    (PSA_ALG_IS_CIPHER(alg) ?                                           \

1263
     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                    \

1264
      (((alg) == PSA_ALG_CBC_PKCS7      ||                              \

1265
        (alg) == PSA_ALG_CBC_NO_PADDING ||                              \

1266
        (alg) == PSA_ALG_ECB_NO_PADDING) ?                              \

1267
       PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \

1268
                                input_length) :                         \

1269
       (input_length)) : 0u) :                                          \

1270
     0u)

1271


1272
/** A sufficient output buffer size for psa_cipher_update(), for any of the

1273
 *  supported key types and cipher algorithms.

1274
 *

1275
 * If the size of the output buffer is at least this large, it is guaranteed

1276
 * that psa_cipher_update() will not fail due to an insufficient buffer size.

1277
 *

1278
 * See also #PSA_CIPHER_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).

1279
 *

1280
 * \param input_length  Size of the input in bytes.

1281
 */

1282
#define PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input_length)     \

1283
    (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, input_length))

1284


1285
/** A sufficient ciphertext buffer size for psa_cipher_finish().

1286
 *

1287
 * If the size of the ciphertext buffer is at least this large, it is

1288
 * guaranteed that psa_cipher_finish() will not fail due to an insufficient

1289
 * ciphertext buffer size. The actual size of the output might be smaller in

1290
 * any given call.

1291
 *

1292
 * See also #PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE().

1293
 *

1294
 * \param key_type      A symmetric key type that is compatible with algorithm

1295
 *                      alg.

1296
 * \param alg           A cipher algorithm (PSA_ALG_XXX value such that

1297
 *                      #PSA_ALG_IS_CIPHER(\p alg) is true).

1298
 * \return              A sufficient output size for the specified key type and

1299
 *                      algorithm. If the key type or cipher algorithm is not

1300
 *                      recognized, or the parameters are incompatible, return 0.

1301
 */

1302
#define PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)    \

1303
    (PSA_ALG_IS_CIPHER(alg) ?                           \

1304
     (alg == PSA_ALG_CBC_PKCS7 ?                        \

1305
      PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) :         \

1306
      0u) :                                             \

1307
     0u)

1308


1309
/** A sufficient ciphertext buffer size for psa_cipher_finish(), for any of the

1310
 *  supported key types and cipher algorithms.

1311
 *

1312
 * See also #PSA_CIPHER_FINISH_OUTPUT_SIZE(\p key_type, \p alg).

1313
 */

1314
#define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE           \

1315
    (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)

1316


1317
#endif /* PSA_CRYPTO_SIZES_H */

1318


1319