Keil Studio Cloud
Mistake on this page?
Report an issue in GitHub or email us
TARGET_MBED_PSA_SRV/inc/psa/crypto.h
1 /**
2  * \file psa/crypto.h
3  * \brief Platform Security Architecture cryptography module
4  */
5 /*
6  * Copyright The Mbed TLS Contributors
7  * SPDX-License-Identifier: Apache-2.0
8  *
9  * Licensed under the Apache License, Version 2.0 (the "License"); you may
10  * not use this file except in compliance with the License.
11  * You may obtain a copy of the License at
12  *
13  * http://www.apache.org/licenses/LICENSE-2.0
14  *
15  * Unless required by applicable law or agreed to in writing, software
16  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18  * See the License for the specific language governing permissions and
19  * limitations under the License.
20  */
21 
22 #ifndef PSA_CRYPTO_H
23 #define PSA_CRYPTO_H
24 
25 #include "crypto_platform.h"
26 
27 #include <stddef.h>
28 
29 #ifdef __DOXYGEN_ONLY__
30 /* This __DOXYGEN_ONLY__ block contains mock definitions for things that
31  * must be defined in the crypto_platform.h header. These mock definitions
32  * are present in this file as a convenience to generate pretty-printed
33  * documentation that includes those definitions. */
34 
35 /** \defgroup platform Implementation-specific definitions
36  * @{
37  */
38 
39 /** \brief Key handle.
40  *
41  * This type represents open handles to keys. It must be an unsigned integral
42  * type. The choice of type is implementation-dependent.
43  *
44  * 0 is not a valid key handle. How other handle values are assigned is
45  * implementation-dependent.
46  */
47 typedef _unsigned_integral_type_ psa_key_handle_t;
48 
49 /**@}*/
50 #endif /* __DOXYGEN_ONLY__ */
51 
52 #ifdef __cplusplus
53 extern "C" {
54 #endif
55 
56 /* The file "crypto_types.h" declares types that encode errors,
57  * algorithms, key types, policies, etc. */
58 #include "crypto_types.h"
59 
60 /** \defgroup version API version
61  * @{
62  */
63 
64 /**
65  * The major version of this implementation of the PSA Crypto API
66  */
67 #define PSA_CRYPTO_API_VERSION_MAJOR 1
68 
69 /**
70  * The minor version of this implementation of the PSA Crypto API
71  */
72 #define PSA_CRYPTO_API_VERSION_MINOR 0
73 
74 /**@}*/
75 
76 /* The file "crypto_values.h" declares macros to build and analyze values
77  * of integral types defined in "crypto_types.h". */
78 #include "crypto_values.h"
79 
80 /** \defgroup initialization Library initialization
81  * @{
82  */
83 
84 /**
85  * \brief Library initialization.
86  *
87  * Applications must call this function before calling any other
88  * function in this module.
89  *
90  * Applications may call this function more than once. Once a call
91  * succeeds, subsequent calls are guaranteed to succeed.
92  *
93  * If the application calls other functions before calling psa_crypto_init(),
94  * the behavior is undefined. Implementations are encouraged to either perform
95  * the operation as if the library had been initialized or to return
96  * #PSA_ERROR_BAD_STATE or some other applicable error. In particular,
97  * implementations should not return a success status if the lack of
98  * initialization may have security implications, for example due to improper
99  * seeding of the random number generator.
100  *
101  * \retval #PSA_SUCCESS
102  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
103  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
104  * \retval #PSA_ERROR_HARDWARE_FAILURE
105  * \retval #PSA_ERROR_CORRUPTION_DETECTED
106  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
107  */
108 psa_status_t psa_crypto_init(void);
109 
110 /**@}*/
111 
112 /** \addtogroup attributes
113  * @{
114  */
115 
116 /** \def PSA_KEY_ATTRIBUTES_INIT
117  *
118  * This macro returns a suitable initializer for a key attribute structure
119  * of type #psa_key_attributes_t.
120  */
121 #ifdef __DOXYGEN_ONLY__
122 /* This is an example definition for documentation purposes.
123  * Implementations should define a suitable value in `crypto_struct.h`.
124  */
125 #define PSA_KEY_ATTRIBUTES_INIT {0}
126 #endif
127 
128 /** Return an initial value for a key attributes structure.
129  */
130 static psa_key_attributes_t psa_key_attributes_init(void);
131 
132 /** Declare a key as persistent and set its key identifier.
133  *
134  * If the attribute structure currently declares the key as volatile (which
135  * is the default content of an attribute structure), this function sets
136  * the lifetime attribute to #PSA_KEY_LIFETIME_PERSISTENT.
137  *
138  * This function does not access storage, it merely stores the given
139  * value in the structure.
140  * The persistent key will be written to storage when the attribute
141  * structure is passed to a key creation function such as
142  * psa_import_key(), psa_generate_key(),
143  * psa_key_derivation_output_key() or psa_copy_key().
144  *
145  * This function may be declared as `static` (i.e. without external
146  * linkage). This function may be provided as a function-like macro,
147  * but in this case it must evaluate each of its arguments exactly once.
148  *
149  * \param[out] attributes The attribute structure to write to.
150  * \param id The persistent identifier for the key.
151  */
152 static void psa_set_key_id(psa_key_attributes_t *attributes,
153  psa_key_id_t id);
154 
155 /** Set the location of a persistent key.
156  *
157  * To make a key persistent, you must give it a persistent key identifier
158  * with psa_set_key_id(). By default, a key that has a persistent identifier
159  * is stored in the default storage area identifier by
160  * #PSA_KEY_LIFETIME_PERSISTENT. Call this function to choose a storage
161  * area, or to explicitly declare the key as volatile.
162  *
163  * This function does not access storage, it merely stores the given
164  * value in the structure.
165  * The persistent key will be written to storage when the attribute
166  * structure is passed to a key creation function such as
167  * psa_import_key(), psa_generate_key(),
168  * psa_key_derivation_output_key() or psa_copy_key().
169  *
170  * This function may be declared as `static` (i.e. without external
171  * linkage). This function may be provided as a function-like macro,
172  * but in this case it must evaluate each of its arguments exactly once.
173  *
174  * \param[out] attributes The attribute structure to write to.
175  * \param lifetime The lifetime for the key.
176  * If this is #PSA_KEY_LIFETIME_VOLATILE, the
177  * key will be volatile, and the key identifier
178  * attribute is reset to 0.
179  */
180 static void psa_set_key_lifetime(psa_key_attributes_t *attributes,
181  psa_key_lifetime_t lifetime);
182 
183 /** Retrieve the key identifier from key attributes.
184  *
185  * This function may be declared as `static` (i.e. without external
186  * linkage). This function may be provided as a function-like macro,
187  * but in this case it must evaluate its argument exactly once.
188  *
189  * \param[in] attributes The key attribute structure to query.
190  *
191  * \return The persistent identifier stored in the attribute structure.
192  * This value is unspecified if the attribute structure declares
193  * the key as volatile.
194  */
195 static psa_key_id_t psa_get_key_id(const psa_key_attributes_t *attributes);
196 
197 /** Retrieve the lifetime from key attributes.
198  *
199  * This function may be declared as `static` (i.e. without external
200  * linkage). This function may be provided as a function-like macro,
201  * but in this case it must evaluate its argument exactly once.
202  *
203  * \param[in] attributes The key attribute structure to query.
204  *
205  * \return The lifetime value stored in the attribute structure.
206  */
207 static psa_key_lifetime_t psa_get_key_lifetime(
208  const psa_key_attributes_t *attributes);
209 
210 /** Declare usage flags for a key.
211  *
212  * Usage flags are part of a key's usage policy. They encode what
213  * kind of operations are permitted on the key. For more details,
214  * refer to the documentation of the type #psa_key_usage_t.
215  *
216  * This function overwrites any usage flags
217  * previously set in \p attributes.
218  *
219  * This function may be declared as `static` (i.e. without external
220  * linkage). This function may be provided as a function-like macro,
221  * but in this case it must evaluate each of its arguments exactly once.
222  *
223  * \param[out] attributes The attribute structure to write to.
224  * \param usage_flags The usage flags to write.
225  */
226 static void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
227  psa_key_usage_t usage_flags);
228 
229 /** Retrieve the usage flags from key attributes.
230  *
231  * This function may be declared as `static` (i.e. without external
232  * linkage). This function may be provided as a function-like macro,
233  * but in this case it must evaluate its argument exactly once.
234  *
235  * \param[in] attributes The key attribute structure to query.
236  *
237  * \return The usage flags stored in the attribute structure.
238  */
239 static psa_key_usage_t psa_get_key_usage_flags(
240  const psa_key_attributes_t *attributes);
241 
242 /** Declare the permitted algorithm policy for a key.
243  *
244  * The permitted algorithm policy of a key encodes which algorithm or
245  * algorithms are permitted to be used with this key. The following
246  * algorithm policies are supported:
247  * - 0 does not allow any cryptographic operation with the key. The key
248  * may be used for non-cryptographic actions such as exporting (if
249  * permitted by the usage flags).
250  * - An algorithm value permits this particular algorithm.
251  * - An algorithm wildcard built from #PSA_ALG_ANY_HASH allows the specified
252  * signature scheme with any hash algorithm.
253  *
254  * This function overwrites any algorithm policy
255  * previously set in \p attributes.
256  *
257  * This function may be declared as `static` (i.e. without external
258  * linkage). This function may be provided as a function-like macro,
259  * but in this case it must evaluate each of its arguments exactly once.
260  *
261  * \param[out] attributes The attribute structure to write to.
262  * \param alg The permitted algorithm policy to write.
263  */
264 static void psa_set_key_algorithm(psa_key_attributes_t *attributes,
265  psa_algorithm_t alg);
266 
267 
268 /** Retrieve the algorithm policy from key attributes.
269  *
270  * This function may be declared as `static` (i.e. without external
271  * linkage). This function may be provided as a function-like macro,
272  * but in this case it must evaluate its argument exactly once.
273  *
274  * \param[in] attributes The key attribute structure to query.
275  *
276  * \return The algorithm stored in the attribute structure.
277  */
278 static psa_algorithm_t psa_get_key_algorithm(
279  const psa_key_attributes_t *attributes);
280 
281 /** Declare the type of a key.
282  *
283  * This function overwrites any key type
284  * previously set in \p attributes.
285  *
286  * This function may be declared as `static` (i.e. without external
287  * linkage). This function may be provided as a function-like macro,
288  * but in this case it must evaluate each of its arguments exactly once.
289  *
290  * \param[out] attributes The attribute structure to write to.
291  * \param type The key type to write.
292  * If this is 0, the key type in \p attributes
293  * becomes unspecified.
294  */
295 static void psa_set_key_type(psa_key_attributes_t *attributes,
296  psa_key_type_t type);
297 
298 
299 /** Declare the size of a key.
300  *
301  * This function overwrites any key size previously set in \p attributes.
302  *
303  * This function may be declared as `static` (i.e. without external
304  * linkage). This function may be provided as a function-like macro,
305  * but in this case it must evaluate each of its arguments exactly once.
306  *
307  * \param[out] attributes The attribute structure to write to.
308  * \param bits The key size in bits.
309  * If this is 0, the key size in \p attributes
310  * becomes unspecified. Keys of size 0 are
311  * not supported.
312  */
313 static void psa_set_key_bits(psa_key_attributes_t *attributes,
314  size_t bits);
315 
316 /** Retrieve the key type from key attributes.
317  *
318  * This function may be declared as `static` (i.e. without external
319  * linkage). This function may be provided as a function-like macro,
320  * but in this case it must evaluate its argument exactly once.
321  *
322  * \param[in] attributes The key attribute structure to query.
323  *
324  * \return The key type stored in the attribute structure.
325  */
326 static psa_key_type_t psa_get_key_type(const psa_key_attributes_t *attributes);
327 
328 /** Retrieve the key size from key attributes.
329  *
330  * This function may be declared as `static` (i.e. without external
331  * linkage). This function may be provided as a function-like macro,
332  * but in this case it must evaluate its argument exactly once.
333  *
334  * \param[in] attributes The key attribute structure to query.
335  *
336  * \return The key size stored in the attribute structure, in bits.
337  */
338 static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
339 
340 /** Retrieve the attributes of a key.
341  *
342  * This function first resets the attribute structure as with
343  * psa_reset_key_attributes(). It then copies the attributes of
344  * the given key into the given attribute structure.
345  *
346  * \note This function may allocate memory or other resources.
347  * Once you have called this function on an attribute structure,
348  * you must call psa_reset_key_attributes() to free these resources.
349  *
350  * \param[in] handle Handle to the key to query.
351  * \param[in,out] attributes On success, the attributes of the key.
352  * On failure, equivalent to a
353  * freshly-initialized structure.
354  *
355  * \retval #PSA_SUCCESS
356  * \retval #PSA_ERROR_INVALID_HANDLE
357  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
358  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
359  * \retval #PSA_ERROR_CORRUPTION_DETECTED
360  * \retval #PSA_ERROR_STORAGE_FAILURE
361  * \retval #PSA_ERROR_BAD_STATE
362  * The library has not been previously initialized by psa_crypto_init().
363  * It is implementation-dependent whether a failure to initialize
364  * results in this error code.
365  */
366 psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
367  psa_key_attributes_t *attributes);
368 
369 /** Reset a key attribute structure to a freshly initialized state.
370  *
371  * You must initialize the attribute structure as described in the
372  * documentation of the type #psa_key_attributes_t before calling this
373  * function. Once the structure has been initialized, you may call this
374  * function at any time.
375  *
376  * This function frees any auxiliary resources that the structure
377  * may contain.
378  *
379  * \param[in,out] attributes The attribute structure to reset.
380  */
381 void psa_reset_key_attributes(psa_key_attributes_t *attributes);
382 
383 /**@}*/
384 
385 /** \defgroup key_management Key management
386  * @{
387  */
388 
389 /** Open a handle to an existing persistent key.
390  *
391  * Open a handle to a persistent key. A key is persistent if it was created
392  * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
393  * always has a nonzero key identifier, set with psa_set_key_id() when
394  * creating the key. Implementations may provide additional pre-provisioned
395  * keys that can be opened with psa_open_key(). Such keys have a key identifier
396  * in the vendor range, as documented in the description of #psa_key_id_t.
397  *
398  * The application must eventually close the handle with psa_close_key() or
399  * psa_destroy_key() to release associated resources. If the application dies
400  * without calling one of these functions, the implementation should perform
401  * the equivalent of a call to psa_close_key().
402  *
403  * Some implementations permit an application to open the same key multiple
404  * times. If this is successful, each call to psa_open_key() will return a
405  * different key handle.
406  *
407  * \note Applications that rely on opening a key multiple times will not be
408  * portable to implementations that only permit a single key handle to be
409  * opened. See also :ref:\`key-handles\`.
410  *
411  * \param id The persistent identifier of the key.
412  * \param[out] handle On success, a handle to the key.
413  *
414  * \retval #PSA_SUCCESS
415  * Success. The application can now use the value of `*handle`
416  * to access the key.
417  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
418  * The implementation does not have sufficient resources to open the
419  * key. This can be due to reaching an implementation limit on the
420  * number of open keys, the number of open key handles, or available
421  * memory.
422  * \retval #PSA_ERROR_DOES_NOT_EXIST
423  * There is no persistent key with key identifier \p id.
424  * \retval #PSA_ERROR_INVALID_ARGUMENT
425  * \p id is not a valid persistent key identifier.
426  * \retval #PSA_ERROR_NOT_PERMITTED
427  * The specified key exists, but the application does not have the
428  * permission to access it. Note that this specification does not
429  * define any way to create such a key, but it may be possible
430  * through implementation-specific means.
431  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
432  * \retval #PSA_ERROR_CORRUPTION_DETECTED
433  * \retval #PSA_ERROR_STORAGE_FAILURE
434  * \retval #PSA_ERROR_BAD_STATE
435  * The library has not been previously initialized by psa_crypto_init().
436  * It is implementation-dependent whether a failure to initialize
437  * results in this error code.
438  */
439 psa_status_t psa_open_key(psa_key_id_t id,
440  psa_key_handle_t *handle);
441 
442 
443 /** Close a key handle.
444  *
445  * If the handle designates a volatile key, this will destroy the key material
446  * and free all associated resources, just like psa_destroy_key().
447  *
448  * If this is the last open handle to a persistent key, then closing the handle
449  * will free all resources associated with the key in volatile memory. The key
450  * data in persistent storage is not affected and can be opened again later
451  * with a call to psa_open_key().
452  *
453  * Closing the key handle makes the handle invalid, and the key handle
454  * must not be used again by the application.
455  *
456  * \note If the key handle was used to set up an active
457  * :ref:\`multipart operation <multipart-operations>\`, then closing the
458  * key handle can cause the multipart operation to fail. Applications should
459  * maintain the key handle until after the multipart operation has finished.
460  *
461  * \param handle The key handle to close.
462  * If this is \c 0, do nothing and return \c PSA_SUCCESS.
463  *
464  * \retval #PSA_SUCCESS
465  * \p handle was a valid handle or \c 0. It is now closed.
466  * \retval #PSA_ERROR_INVALID_HANDLE
467  * \p handle is not a valid handle nor \c 0.
468  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
469  * \retval #PSA_ERROR_CORRUPTION_DETECTED
470  * \retval #PSA_ERROR_BAD_STATE
471  * The library has not been previously initialized by psa_crypto_init().
472  * It is implementation-dependent whether a failure to initialize
473  * results in this error code.
474  */
475 psa_status_t psa_close_key(psa_key_handle_t handle);
476 
477 /** Make a copy of a key.
478  *
479  * Copy key material from one location to another.
480  *
481  * This function is primarily useful to copy a key from one location
482  * to another, since it populates a key using the material from
483  * another key which may have a different lifetime.
484  *
485  * This function may be used to share a key with a different party,
486  * subject to implementation-defined restrictions on key sharing.
487  *
488  * The policy on the source key must have the usage flag
489  * #PSA_KEY_USAGE_COPY set.
490  * This flag is sufficient to permit the copy if the key has the lifetime
491  * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
492  * Some secure elements do not provide a way to copy a key without
493  * making it extractable from the secure element. If a key is located
494  * in such a secure element, then the key must have both usage flags
495  * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
496  * a copy of the key outside the secure element.
497  *
498  * The resulting key may only be used in a way that conforms to
499  * both the policy of the original key and the policy specified in
500  * the \p attributes parameter:
501  * - The usage flags on the resulting key are the bitwise-and of the
502  * usage flags on the source policy and the usage flags in \p attributes.
503  * - If both allow the same algorithm or wildcard-based
504  * algorithm policy, the resulting key has the same algorithm policy.
505  * - If either of the policies allows an algorithm and the other policy
506  * allows a wildcard-based algorithm policy that includes this algorithm,
507  * the resulting key allows the same algorithm.
508  * - If the policies do not allow any algorithm in common, this function
509  * fails with the status #PSA_ERROR_INVALID_ARGUMENT.
510  *
511  * The effect of this function on implementation-defined attributes is
512  * implementation-defined.
513  *
514  * \param source_handle The key to copy. It must be a valid key handle.
515  * \param[in] attributes The attributes for the new key.
516  * They are used as follows:
517  * - The key type and size may be 0. If either is
518  * nonzero, it must match the corresponding
519  * attribute of the source key.
520  * - The key location (the lifetime and, for
521  * persistent keys, the key identifier) is
522  * used directly.
523  * - The policy constraints (usage flags and
524  * algorithm policy) are combined from
525  * the source key and \p attributes so that
526  * both sets of restrictions apply, as
527  * described in the documentation of this function.
528  * \param[out] target_handle On success, a handle to the newly created key.
529  * \c 0 on failure.
530  *
531  * \retval #PSA_SUCCESS
532  * \retval #PSA_ERROR_INVALID_HANDLE
533  * \p source_handle is invalid.
534  * \retval #PSA_ERROR_ALREADY_EXISTS
535  * This is an attempt to create a persistent key, and there is
536  * already a persistent key with the given identifier.
537  * \retval #PSA_ERROR_INVALID_ARGUMENT
538  * The lifetime or identifier in \p attributes are invalid.
539  * \retval #PSA_ERROR_INVALID_ARGUMENT
540  * The policy constraints on the source and specified in
541  * \p attributes are incompatible.
542  * \retval #PSA_ERROR_INVALID_ARGUMENT
543  * \p attributes specifies a key type or key size
544  * which does not match the attributes of the source key.
545  * \retval #PSA_ERROR_NOT_PERMITTED
546  * The source key does not have the #PSA_KEY_USAGE_COPY usage flag.
547  * \retval #PSA_ERROR_NOT_PERMITTED
548  * The source key is not exportable and its lifetime does not
549  * allow copying it to the target's lifetime.
550  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
551  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
552  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
553  * \retval #PSA_ERROR_HARDWARE_FAILURE
554  * \retval #PSA_ERROR_STORAGE_FAILURE
555  * \retval #PSA_ERROR_CORRUPTION_DETECTED
556  * \retval #PSA_ERROR_BAD_STATE
557  * The library has not been previously initialized by psa_crypto_init().
558  * It is implementation-dependent whether a failure to initialize
559  * results in this error code.
560  */
561 psa_status_t psa_copy_key(psa_key_handle_t source_handle,
562  const psa_key_attributes_t *attributes,
563  psa_key_handle_t *target_handle);
564 
565 
566 /**
567  * \brief Destroy a key.
568  *
569  * This function destroys a key from both volatile
570  * memory and, if applicable, non-volatile storage. Implementations shall
571  * make a best effort to ensure that that the key material cannot be recovered.
572  *
573  * This function also erases any metadata such as policies and frees
574  * resources associated with the key. To free all resources associated with
575  * the key, all handles to the key must be closed or destroyed.
576  *
577  * Destroying the key makes the handle invalid, and the key handle
578  * must not be used again by the application. Using other open handles to the
579  * destroyed key in a cryptographic operation will result in an error.
580  *
581  * If a key is currently in use in a multipart operation, then destroying the
582  * key will cause the multipart operation to fail.
583  *
584  * \param handle Handle to the key to erase.
585  * If this is \c 0, do nothing and return \c PSA_SUCCESS.
586  *
587  * \retval #PSA_SUCCESS
588  * \p handle was a valid handle and the key material that it
589  * referred to has been erased.
590  * Alternatively, \p handle is \c 0.
591  * \retval #PSA_ERROR_NOT_PERMITTED
592  * The key cannot be erased because it is
593  * read-only, either due to a policy or due to physical restrictions.
594  * \retval #PSA_ERROR_INVALID_HANDLE
595  * \p handle is not a valid handle nor \c 0.
596  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
597  * There was an failure in communication with the cryptoprocessor.
598  * The key material may still be present in the cryptoprocessor.
599  * \retval #PSA_ERROR_STORAGE_FAILURE
600  * The storage is corrupted. Implementations shall make a best effort
601  * to erase key material even in this stage, however applications
602  * should be aware that it may be impossible to guarantee that the
603  * key material is not recoverable in such cases.
604  * \retval #PSA_ERROR_CORRUPTION_DETECTED
605  * An unexpected condition which is not a storage corruption or
606  * a communication failure occurred. The cryptoprocessor may have
607  * been compromised.
608  * \retval #PSA_ERROR_BAD_STATE
609  * The library has not been previously initialized by psa_crypto_init().
610  * It is implementation-dependent whether a failure to initialize
611  * results in this error code.
612  */
613 psa_status_t psa_destroy_key(psa_key_handle_t handle);
614 
615 /**@}*/
616 
617 /** \defgroup import_export Key import and export
618  * @{
619  */
620 
621 /**
622  * \brief Import a key in binary format.
623  *
624  * This function supports any output from psa_export_key(). Refer to the
625  * documentation of psa_export_public_key() for the format of public keys
626  * and to the documentation of psa_export_key() for the format for
627  * other key types.
628  *
629  * The key data determines the key size. The attributes may optionally
630  * specify a key size; in this case it must match the size determined
631  * from the key data. A key size of 0 in \p attributes indicates that
632  * the key size is solely determined by the key data.
633  *
634  * Implementations must reject an attempt to import a key of size 0.
635  *
636  * This specification supports a single format for each key type.
637  * Implementations may support other formats as long as the standard
638  * format is supported. Implementations that support other formats
639  * should ensure that the formats are clearly unambiguous so as to
640  * minimize the risk that an invalid input is accidentally interpreted
641  * according to a different format.
642  *
643  * \param[in] attributes The attributes for the new key.
644  * The key size is always determined from the
645  * \p data buffer.
646  * If the key size in \p attributes is nonzero,
647  * it must be equal to the size from \p data.
648  * \param[out] handle On success, a handle to the newly created key.
649  * \c 0 on failure.
650  * \param[in] data Buffer containing the key data. The content of this
651  * buffer is interpreted according to the type declared
652  * in \p attributes.
653  * All implementations must support at least the format
654  * described in the documentation
655  * of psa_export_key() or psa_export_public_key() for
656  * the chosen type. Implementations may allow other
657  * formats, but should be conservative: implementations
658  * should err on the side of rejecting content if it
659  * may be erroneous (e.g. wrong type or truncated data).
660  * \param data_length Size of the \p data buffer in bytes.
661  *
662  * \retval #PSA_SUCCESS
663  * Success.
664  * If the key is persistent, the key material and the key's metadata
665  * have been saved to persistent storage.
666  * \retval #PSA_ERROR_ALREADY_EXISTS
667  * This is an attempt to create a persistent key, and there is
668  * already a persistent key with the given identifier.
669  * \retval #PSA_ERROR_NOT_SUPPORTED
670  * The key type or key size is not supported, either by the
671  * implementation in general or in this particular persistent location.
672  * \retval #PSA_ERROR_INVALID_ARGUMENT
673  * The key attributes, as a whole, are invalid.
674  * \retval #PSA_ERROR_INVALID_ARGUMENT
675  * The key data is not correctly formatted.
676  * \retval #PSA_ERROR_INVALID_ARGUMENT
677  * The size in \p attributes is nonzero and does not match the size
678  * of the key data.
679  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
680  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
681  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
682  * \retval #PSA_ERROR_STORAGE_FAILURE
683  * \retval #PSA_ERROR_HARDWARE_FAILURE
684  * \retval #PSA_ERROR_CORRUPTION_DETECTED
685  * \retval #PSA_ERROR_BAD_STATE
686  * The library has not been previously initialized by psa_crypto_init().
687  * It is implementation-dependent whether a failure to initialize
688  * results in this error code.
689  */
690 psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
691  const uint8_t *data,
692  size_t data_length,
693  psa_key_handle_t *handle);
694 
695 
696 
697 /**
698  * \brief Export a key in binary format.
699  *
700  * The output of this function can be passed to psa_import_key() to
701  * create an equivalent object.
702  *
703  * If the implementation of psa_import_key() supports other formats
704  * beyond the format specified here, the output from psa_export_key()
705  * must use the representation specified here, not the original
706  * representation.
707  *
708  * For standard key types, the output format is as follows:
709  *
710  * - For symmetric keys (including MAC keys), the format is the
711  * raw bytes of the key.
712  * - For DES, the key data consists of 8 bytes. The parity bits must be
713  * correct.
714  * - For Triple-DES, the format is the concatenation of the
715  * two or three DES keys.
716  * - For RSA key pairs (#PSA_KEY_TYPE_RSA_KEY_PAIR), the format
717  * is the non-encrypted DER encoding of the representation defined by
718  * PKCS\#1 (RFC 8017) as `RSAPrivateKey`, version 0.
719  * ```
720  * RSAPrivateKey ::= SEQUENCE {
721  * version INTEGER, -- must be 0
722  * modulus INTEGER, -- n
723  * publicExponent INTEGER, -- e
724  * privateExponent INTEGER, -- d
725  * prime1 INTEGER, -- p
726  * prime2 INTEGER, -- q
727  * exponent1 INTEGER, -- d mod (p-1)
728  * exponent2 INTEGER, -- d mod (q-1)
729  * coefficient INTEGER, -- (inverse of q) mod p
730  * }
731  * ```
732  * - For elliptic curve key pairs (key types for which
733  * #PSA_KEY_TYPE_IS_ECC_KEY_PAIR is true), the format is
734  * a representation of the private value as a `ceiling(m/8)`-byte string
735  * where `m` is the bit size associated with the curve, i.e. the bit size
736  * of the order of the curve's coordinate field. This byte string is
737  * in little-endian order for Montgomery curves (curve types
738  * `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
739  * curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
740  * and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
741  * For Weierstrass curves, this is the content of the `privateKey` field of
742  * the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
743  * the format is defined by RFC 7748, and output is masked according to §5.
744  * - For Diffie-Hellman key exchange key pairs (key types for which
745  * #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
746  * format is the representation of the private key `x` as a big-endian byte
747  * string. The length of the byte string is the private key size in bytes
748  * (leading zeroes are not stripped).
749  * - For public keys (key types for which #PSA_KEY_TYPE_IS_PUBLIC_KEY is
750  * true), the format is the same as for psa_export_public_key().
751  *
752  * The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
753  *
754  * \param handle Handle to the key to export.
755  * \param[out] data Buffer where the key data is to be written.
756  * \param data_size Size of the \p data buffer in bytes.
757  * \param[out] data_length On success, the number of bytes
758  * that make up the key data.
759  *
760  * \retval #PSA_SUCCESS
761  * \retval #PSA_ERROR_INVALID_HANDLE
762  * \retval #PSA_ERROR_NOT_PERMITTED
763  * The key does not have the #PSA_KEY_USAGE_EXPORT flag.
764  * \retval #PSA_ERROR_NOT_SUPPORTED
765  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
766  * The size of the \p data buffer is too small. You can determine a
767  * sufficient buffer size by calling
768  * #PSA_KEY_EXPORT_MAX_SIZE(\c type, \c bits)
769  * where \c type is the key type
770  * and \c bits is the key size in bits.
771  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
772  * \retval #PSA_ERROR_HARDWARE_FAILURE
773  * \retval #PSA_ERROR_CORRUPTION_DETECTED
774  * \retval #PSA_ERROR_STORAGE_FAILURE
775  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
776  * \retval #PSA_ERROR_BAD_STATE
777  * The library has not been previously initialized by psa_crypto_init().
778  * It is implementation-dependent whether a failure to initialize
779  * results in this error code.
780  */
781 psa_status_t psa_export_key(psa_key_handle_t handle,
782  uint8_t *data,
783  size_t data_size,
784  size_t *data_length);
785 
786 /**
787  * \brief Export a public key or the public part of a key pair in binary format.
788  *
789  * The output of this function can be passed to psa_import_key() to
790  * create an object that is equivalent to the public key.
791  *
792  * This specification supports a single format for each key type.
793  * Implementations may support other formats as long as the standard
794  * format is supported. Implementations that support other formats
795  * should ensure that the formats are clearly unambiguous so as to
796  * minimize the risk that an invalid input is accidentally interpreted
797  * according to a different format.
798  *
799  * For standard key types, the output format is as follows:
800  * - For RSA public keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY), the DER encoding of
801  * the representation defined by RFC 3279 &sect;2.3.1 as `RSAPublicKey`.
802  * ```
803  * RSAPublicKey ::= SEQUENCE {
804  * modulus INTEGER, -- n
805  * publicExponent INTEGER } -- e
806  * ```
807  * - For elliptic curve public keys (key types for which
808  * #PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY is true), the format is the uncompressed
809  * representation defined by SEC1 &sect;2.3.3 as the content of an ECPoint.
810  * Let `m` be the bit size associated with the curve, i.e. the bit size of
811  * `q` for a curve over `F_q`. The representation consists of:
812  * - The byte 0x04;
813  * - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
814  * - `y_P` as a `ceiling(m/8)`-byte string, big-endian.
815  * - For Diffie-Hellman key exchange public keys (key types for which
816  * #PSA_KEY_TYPE_IS_DH_PUBLIC_KEY is true),
817  * the format is the representation of the public key `y = g^x mod p` as a
818  * big-endian byte string. The length of the byte string is the length of the
819  * base prime `p` in bytes.
820  *
821  * Exporting a public key object or the public part of a key pair is
822  * always permitted, regardless of the key's usage flags.
823  *
824  * \param handle Handle to the key to export.
825  * \param[out] data Buffer where the key data is to be written.
826  * \param data_size Size of the \p data buffer in bytes.
827  * \param[out] data_length On success, the number of bytes
828  * that make up the key data.
829  *
830  * \retval #PSA_SUCCESS
831  * \retval #PSA_ERROR_INVALID_HANDLE
832  * \retval #PSA_ERROR_INVALID_ARGUMENT
833  * The key is neither a public key nor a key pair.
834  * \retval #PSA_ERROR_NOT_SUPPORTED
835  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
836  * The size of the \p data buffer is too small. You can determine a
837  * sufficient buffer size by calling
838  * #PSA_KEY_EXPORT_MAX_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
839  * where \c type is the key type
840  * and \c bits is the key size in bits.
841  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
842  * \retval #PSA_ERROR_HARDWARE_FAILURE
843  * \retval #PSA_ERROR_CORRUPTION_DETECTED
844  * \retval #PSA_ERROR_STORAGE_FAILURE
845  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
846  * \retval #PSA_ERROR_BAD_STATE
847  * The library has not been previously initialized by psa_crypto_init().
848  * It is implementation-dependent whether a failure to initialize
849  * results in this error code.
850  */
851 psa_status_t psa_export_public_key(psa_key_handle_t handle,
852  uint8_t *data,
853  size_t data_size,
854  size_t *data_length);
855 
856 
857 
858 /**@}*/
859 
860 /** \defgroup hash Message digests
861  * @{
862  */
863 
864 /** Calculate the hash (digest) of a message.
865  *
866  * \note To verify the hash of a message against an
867  * expected value, use psa_hash_compare() instead.
868  *
869  * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
870  * such that #PSA_ALG_IS_HASH(\p alg) is true).
871  * \param[in] input Buffer containing the message to hash.
872  * \param input_length Size of the \p input buffer in bytes.
873  * \param[out] hash Buffer where the hash is to be written.
874  * \param hash_size Size of the \p hash buffer in bytes.
875  * \param[out] hash_length On success, the number of bytes
876  * that make up the hash value. This is always
877  * #PSA_HASH_SIZE(\p alg).
878  *
879  * \retval #PSA_SUCCESS
880  * Success.
881  * \retval #PSA_ERROR_NOT_SUPPORTED
882  * \p alg is not supported or is not a hash algorithm.
883  * \retval #PSA_ERROR_INVALID_ARGUMENT
884  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
885  * \p hash_size is too small
886  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
887  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
888  * \retval #PSA_ERROR_HARDWARE_FAILURE
889  * \retval #PSA_ERROR_CORRUPTION_DETECTED
890  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
891  * \retval #PSA_ERROR_BAD_STATE
892  * The library has not been previously initialized by psa_crypto_init().
893  * It is implementation-dependent whether a failure to initialize
894  * results in this error code.
895  */
896 psa_status_t psa_hash_compute(psa_algorithm_t alg,
897  const uint8_t *input,
898  size_t input_length,
899  uint8_t *hash,
900  size_t hash_size,
901  size_t *hash_length);
902 
903 /** Calculate the hash (digest) of a message and compare it with a
904  * reference value.
905  *
906  * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
907  * such that #PSA_ALG_IS_HASH(\p alg) is true).
908  * \param[in] input Buffer containing the message to hash.
909  * \param input_length Size of the \p input buffer in bytes.
910  * \param[out] hash Buffer containing the expected hash value.
911  * \param hash_length Size of the \p hash buffer in bytes.
912  *
913  * \retval #PSA_SUCCESS
914  * The expected hash is identical to the actual hash of the input.
915  * \retval #PSA_ERROR_INVALID_SIGNATURE
916  * The hash of the message was calculated successfully, but it
917  * differs from the expected hash.
918  * \retval #PSA_ERROR_NOT_SUPPORTED
919  * \p alg is not supported or is not a hash algorithm.
920  * \retval #PSA_ERROR_INVALID_ARGUMENT
921  * \p input_length or \p hash_length do not match the hash size for \p alg
922  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
923  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
924  * \retval #PSA_ERROR_HARDWARE_FAILURE
925  * \retval #PSA_ERROR_CORRUPTION_DETECTED
926  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
927  * \retval #PSA_ERROR_BAD_STATE
928  * The library has not been previously initialized by psa_crypto_init().
929  * It is implementation-dependent whether a failure to initialize
930  * results in this error code.
931  */
932 psa_status_t psa_hash_compare(psa_algorithm_t alg,
933  const uint8_t *input,
934  size_t input_length,
935  const uint8_t *hash,
936  size_t hash_length);
937 
938 /** The type of the state data structure for multipart hash operations.
939  *
940  * Before calling any function on a hash operation object, the application must
941  * initialize it by any of the following means:
942  * - Set the structure to all-bits-zero, for example:
943  * \code
944  * psa_hash_operation_t operation;
945  * memset(&operation, 0, sizeof(operation));
946  * \endcode
947  * - Initialize the structure to logical zero values, for example:
948  * \code
949  * psa_hash_operation_t operation = {0};
950  * \endcode
951  * - Initialize the structure to the initializer #PSA_HASH_OPERATION_INIT,
952  * for example:
953  * \code
954  * psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
955  * \endcode
956  * - Assign the result of the function psa_hash_operation_init()
957  * to the structure, for example:
958  * \code
959  * psa_hash_operation_t operation;
960  * operation = psa_hash_operation_init();
961  * \endcode
962  *
963  * This is an implementation-defined \c struct. Applications should not
964  * make any assumptions about the content of this structure except
965  * as directed by the documentation of a specific implementation. */
966 typedef struct psa_hash_operation_s psa_hash_operation_t;
967 
968 /** \def PSA_HASH_OPERATION_INIT
969  *
970  * This macro returns a suitable initializer for a hash operation object
971  * of type #psa_hash_operation_t.
972  */
973 #ifdef __DOXYGEN_ONLY__
974 /* This is an example definition for documentation purposes.
975  * Implementations should define a suitable value in `crypto_struct.h`.
976  */
977 #define PSA_HASH_OPERATION_INIT {0}
978 #endif
979 
980 /** Return an initial value for a hash operation object.
981  */
982 static psa_hash_operation_t psa_hash_operation_init(void);
983 
984 /** Set up a multipart hash operation.
985  *
986  * The sequence of operations to calculate a hash (message digest)
987  * is as follows:
988  * -# Allocate an operation object which will be passed to all the functions
989  * listed here.
990  * -# Initialize the operation object with one of the methods described in the
991  * documentation for #psa_hash_operation_t, e.g. #PSA_HASH_OPERATION_INIT.
992  * -# Call psa_hash_setup() to specify the algorithm.
993  * -# Call psa_hash_update() zero, one or more times, passing a fragment
994  * of the message each time. The hash that is calculated is the hash
995  * of the concatenation of these messages in order.
996  * -# To calculate the hash, call psa_hash_finish().
997  * To compare the hash with an expected value, call psa_hash_verify().
998  *
999  * If an error occurs at any step after a call to psa_hash_setup(), the
1000  * operation will need to be reset by a call to psa_hash_abort(). The
1001  * application may call psa_hash_abort() at any time after the operation
1002  * has been initialized.
1003  *
1004  * After a successful call to psa_hash_setup(), the application must
1005  * eventually terminate the operation. The following events terminate an
1006  * operation:
1007  * - A successful call to psa_hash_finish() or psa_hash_verify().
1008  * - A call to psa_hash_abort().
1009  *
1010  * \param[in,out] operation The operation object to set up. It must have
1011  * been initialized as per the documentation for
1012  * #psa_hash_operation_t and not yet in use.
1013  * \param alg The hash algorithm to compute (\c PSA_ALG_XXX value
1014  * such that #PSA_ALG_IS_HASH(\p alg) is true).
1015  *
1016  * \retval #PSA_SUCCESS
1017  * Success.
1018  * \retval #PSA_ERROR_NOT_SUPPORTED
1019  * \p alg is not a supported hash algorithm.
1020  * \retval #PSA_ERROR_INVALID_ARGUMENT
1021  * \p alg is not a hash algorithm.
1022  * \retval #PSA_ERROR_BAD_STATE
1023  * The operation state is not valid (it must be inactive).
1024  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1025  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1026  * \retval #PSA_ERROR_HARDWARE_FAILURE
1027  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1028  * \retval #PSA_ERROR_BAD_STATE
1029  * The library has not been previously initialized by psa_crypto_init().
1030  * It is implementation-dependent whether a failure to initialize
1031  * results in this error code.
1032  */
1033 psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
1034  psa_algorithm_t alg);
1035 
1036 /** Add a message fragment to a multipart hash operation.
1037  *
1038  * The application must call psa_hash_setup() before calling this function.
1039  *
1040  * If this function returns an error status, the operation enters an error
1041  * state and must be aborted by calling psa_hash_abort().
1042  *
1043  * \param[in,out] operation Active hash operation.
1044  * \param[in] input Buffer containing the message fragment to hash.
1045  * \param input_length Size of the \p input buffer in bytes.
1046  *
1047  * \retval #PSA_SUCCESS
1048  * Success.
1049  * \retval #PSA_ERROR_BAD_STATE
1050  * The operation state is not valid (it muct be active).
1051  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1052  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1053  * \retval #PSA_ERROR_HARDWARE_FAILURE
1054  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1055  * \retval #PSA_ERROR_BAD_STATE
1056  * The library has not been previously initialized by psa_crypto_init().
1057  * It is implementation-dependent whether a failure to initialize
1058  * results in this error code.
1059  */
1060 psa_status_t psa_hash_update(psa_hash_operation_t *operation,
1061  const uint8_t *input,
1062  size_t input_length);
1063 
1064 /** Finish the calculation of the hash of a message.
1065  *
1066  * The application must call psa_hash_setup() before calling this function.
1067  * This function calculates the hash of the message formed by concatenating
1068  * the inputs passed to preceding calls to psa_hash_update().
1069  *
1070  * When this function returns successfuly, the operation becomes inactive.
1071  * If this function returns an error status, the operation enters an error
1072  * state and must be aborted by calling psa_hash_abort().
1073  *
1074  * \warning Applications should not call this function if they expect
1075  * a specific value for the hash. Call psa_hash_verify() instead.
1076  * Beware that comparing integrity or authenticity data such as
1077  * hash values with a function such as \c memcmp is risky
1078  * because the time taken by the comparison may leak information
1079  * about the hashed data which could allow an attacker to guess
1080  * a valid hash and thereby bypass security controls.
1081  *
1082  * \param[in,out] operation Active hash operation.
1083  * \param[out] hash Buffer where the hash is to be written.
1084  * \param hash_size Size of the \p hash buffer in bytes.
1085  * \param[out] hash_length On success, the number of bytes
1086  * that make up the hash value. This is always
1087  * #PSA_HASH_SIZE(\c alg) where \c alg is the
1088  * hash algorithm that is calculated.
1089  *
1090  * \retval #PSA_SUCCESS
1091  * Success.
1092  * \retval #PSA_ERROR_BAD_STATE
1093  * The operation state is not valid (it must be active).
1094  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1095  * The size of the \p hash buffer is too small. You can determine a
1096  * sufficient buffer size by calling #PSA_HASH_SIZE(\c alg)
1097  * where \c alg is the hash algorithm that is calculated.
1098  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1099  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1100  * \retval #PSA_ERROR_HARDWARE_FAILURE
1101  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1102  * \retval #PSA_ERROR_BAD_STATE
1103  * The library has not been previously initialized by psa_crypto_init().
1104  * It is implementation-dependent whether a failure to initialize
1105  * results in this error code.
1106  */
1107 psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
1108  uint8_t *hash,
1109  size_t hash_size,
1110  size_t *hash_length);
1111 
1112 /** Finish the calculation of the hash of a message and compare it with
1113  * an expected value.
1114  *
1115  * The application must call psa_hash_setup() before calling this function.
1116  * This function calculates the hash of the message formed by concatenating
1117  * the inputs passed to preceding calls to psa_hash_update(). It then
1118  * compares the calculated hash with the expected hash passed as a
1119  * parameter to this function.
1120  *
1121  * When this function returns successfuly, the operation becomes inactive.
1122  * If this function returns an error status, the operation enters an error
1123  * state and must be aborted by calling psa_hash_abort().
1124  *
1125  * \note Implementations shall make the best effort to ensure that the
1126  * comparison between the actual hash and the expected hash is performed
1127  * in constant time.
1128  *
1129  * \param[in,out] operation Active hash operation.
1130  * \param[in] hash Buffer containing the expected hash value.
1131  * \param hash_length Size of the \p hash buffer in bytes.
1132  *
1133  * \retval #PSA_SUCCESS
1134  * The expected hash is identical to the actual hash of the message.
1135  * \retval #PSA_ERROR_INVALID_SIGNATURE
1136  * The hash of the message was calculated successfully, but it
1137  * differs from the expected hash.
1138  * \retval #PSA_ERROR_BAD_STATE
1139  * The operation state is not valid (it must be active).
1140  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1141  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1142  * \retval #PSA_ERROR_HARDWARE_FAILURE
1143  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1144  * \retval #PSA_ERROR_BAD_STATE
1145  * The library has not been previously initialized by psa_crypto_init().
1146  * It is implementation-dependent whether a failure to initialize
1147  * results in this error code.
1148  */
1149 psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
1150  const uint8_t *hash,
1151  size_t hash_length);
1152 
1153 /** Abort a hash operation.
1154  *
1155  * Aborting an operation frees all associated resources except for the
1156  * \p operation structure itself. Once aborted, the operation object
1157  * can be reused for another operation by calling
1158  * psa_hash_setup() again.
1159  *
1160  * You may call this function any time after the operation object has
1161  * been initialized by one of the methods described in #psa_hash_operation_t.
1162  *
1163  * In particular, calling psa_hash_abort() after the operation has been
1164  * terminated by a call to psa_hash_abort(), psa_hash_finish() or
1165  * psa_hash_verify() is safe and has no effect.
1166  *
1167  * \param[in,out] operation Initialized hash operation.
1168  *
1169  * \retval #PSA_SUCCESS
1170  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1171  * \retval #PSA_ERROR_HARDWARE_FAILURE
1172  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1173  * \retval #PSA_ERROR_BAD_STATE
1174  * The library has not been previously initialized by psa_crypto_init().
1175  * It is implementation-dependent whether a failure to initialize
1176  * results in this error code.
1177  */
1178 psa_status_t psa_hash_abort(psa_hash_operation_t *operation);
1179 
1180 /** Clone a hash operation.
1181  *
1182  * This function copies the state of an ongoing hash operation to
1183  * a new operation object. In other words, this function is equivalent
1184  * to calling psa_hash_setup() on \p target_operation with the same
1185  * algorithm that \p source_operation was set up for, then
1186  * psa_hash_update() on \p target_operation with the same input that
1187  * that was passed to \p source_operation. After this function returns, the
1188  * two objects are independent, i.e. subsequent calls involving one of
1189  * the objects do not affect the other object.
1190  *
1191  * \param[in] source_operation The active hash operation to clone.
1192  * \param[in,out] target_operation The operation object to set up.
1193  * It must be initialized but not active.
1194  *
1195  * \retval #PSA_SUCCESS
1196  * \retval #PSA_ERROR_BAD_STATE
1197  * The \p source_operation state is not valid (it must be active).
1198  * \retval #PSA_ERROR_BAD_STATE
1199  * The \p target_operation state is not valid (it must be inactive).
1200  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1201  * \retval #PSA_ERROR_HARDWARE_FAILURE
1202  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1203  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1204  * \retval #PSA_ERROR_BAD_STATE
1205  * The library has not been previously initialized by psa_crypto_init().
1206  * It is implementation-dependent whether a failure to initialize
1207  * results in this error code.
1208  */
1209 psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
1210  psa_hash_operation_t *target_operation);
1211 
1212 /**@}*/
1213 
1214 /** \defgroup MAC Message authentication codes
1215  * @{
1216  */
1217 
1218 /** Calculate the MAC (message authentication code) of a message.
1219  *
1220  * \note To verify the MAC of a message against an
1221  * expected value, use psa_mac_verify() instead.
1222  * Beware that comparing integrity or authenticity data such as
1223  * MAC values with a function such as \c memcmp is risky
1224  * because the time taken by the comparison may leak information
1225  * about the MAC value which could allow an attacker to guess
1226  * a valid MAC and thereby bypass security controls.
1227  *
1228  * \param handle Handle to the key to use for the operation.
1229  * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1230  * such that #PSA_ALG_IS_MAC(\p alg) is true).
1231  * \param[in] input Buffer containing the input message.
1232  * \param input_length Size of the \p input buffer in bytes.
1233  * \param[out] mac Buffer where the MAC value is to be written.
1234  * \param mac_size Size of the \p mac buffer in bytes.
1235  * \param[out] mac_length On success, the number of bytes
1236  * that make up the MAC value.
1237  *
1238  * \retval #PSA_SUCCESS
1239  * Success.
1240  * \retval #PSA_ERROR_INVALID_HANDLE
1241  * \retval #PSA_ERROR_NOT_PERMITTED
1242  * \retval #PSA_ERROR_INVALID_ARGUMENT
1243  * \p handle is not compatible with \p alg.
1244  * \retval #PSA_ERROR_NOT_SUPPORTED
1245  * \p alg is not supported or is not a MAC algorithm.
1246  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1247  * \p mac_size is too small
1248  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1249  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1250  * \retval #PSA_ERROR_HARDWARE_FAILURE
1251  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1252  * \retval #PSA_ERROR_STORAGE_FAILURE
1253  * The key could not be retrieved from storage.
1254  * \retval #PSA_ERROR_BAD_STATE
1255  * The library has not been previously initialized by psa_crypto_init().
1256  * It is implementation-dependent whether a failure to initialize
1257  * results in this error code.
1258  */
1259 psa_status_t psa_mac_compute(psa_key_handle_t handle,
1260  psa_algorithm_t alg,
1261  const uint8_t *input,
1262  size_t input_length,
1263  uint8_t *mac,
1264  size_t mac_size,
1265  size_t *mac_length);
1266 
1267 /** Calculate the MAC of a message and compare it with a reference value.
1268  *
1269  * \param handle Handle to the key to use for the operation.
1270  * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1271  * such that #PSA_ALG_IS_MAC(\p alg) is true).
1272  * \param[in] input Buffer containing the input message.
1273  * \param input_length Size of the \p input buffer in bytes.
1274  * \param[out] mac Buffer containing the expected MAC value.
1275  * \param mac_length Size of the \p mac buffer in bytes.
1276  *
1277  * \retval #PSA_SUCCESS
1278  * The expected MAC is identical to the actual MAC of the input.
1279  * \retval #PSA_ERROR_INVALID_SIGNATURE
1280  * The MAC of the message was calculated successfully, but it
1281  * differs from the expected value.
1282  * \retval #PSA_ERROR_INVALID_HANDLE
1283  * \retval #PSA_ERROR_NOT_PERMITTED
1284  * \retval #PSA_ERROR_INVALID_ARGUMENT
1285  * \p handle is not compatible with \p alg.
1286  * \retval #PSA_ERROR_NOT_SUPPORTED
1287  * \p alg is not supported or is not a MAC algorithm.
1288  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1289  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1290  * \retval #PSA_ERROR_HARDWARE_FAILURE
1291  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1292  * \retval #PSA_ERROR_STORAGE_FAILURE
1293  * The key could not be retrieved from storage.
1294  * \retval #PSA_ERROR_BAD_STATE
1295  * The library has not been previously initialized by psa_crypto_init().
1296  * It is implementation-dependent whether a failure to initialize
1297  * results in this error code.
1298  */
1299 psa_status_t psa_mac_verify(psa_key_handle_t handle,
1300  psa_algorithm_t alg,
1301  const uint8_t *input,
1302  size_t input_length,
1303  const uint8_t *mac,
1304  size_t mac_length);
1305 
1306 /** The type of the state data structure for multipart MAC operations.
1307  *
1308  * Before calling any function on a MAC operation object, the application must
1309  * initialize it by any of the following means:
1310  * - Set the structure to all-bits-zero, for example:
1311  * \code
1312  * psa_mac_operation_t operation;
1313  * memset(&operation, 0, sizeof(operation));
1314  * \endcode
1315  * - Initialize the structure to logical zero values, for example:
1316  * \code
1317  * psa_mac_operation_t operation = {0};
1318  * \endcode
1319  * - Initialize the structure to the initializer #PSA_MAC_OPERATION_INIT,
1320  * for example:
1321  * \code
1322  * psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
1323  * \endcode
1324  * - Assign the result of the function psa_mac_operation_init()
1325  * to the structure, for example:
1326  * \code
1327  * psa_mac_operation_t operation;
1328  * operation = psa_mac_operation_init();
1329  * \endcode
1330  *
1331  * This is an implementation-defined \c struct. Applications should not
1332  * make any assumptions about the content of this structure except
1333  * as directed by the documentation of a specific implementation. */
1334 typedef struct psa_mac_operation_s psa_mac_operation_t;
1335 
1336 /** \def PSA_MAC_OPERATION_INIT
1337  *
1338  * This macro returns a suitable initializer for a MAC operation object of type
1339  * #psa_mac_operation_t.
1340  */
1341 #ifdef __DOXYGEN_ONLY__
1342 /* This is an example definition for documentation purposes.
1343  * Implementations should define a suitable value in `crypto_struct.h`.
1344  */
1345 #define PSA_MAC_OPERATION_INIT {0}
1346 #endif
1347 
1348 /** Return an initial value for a MAC operation object.
1349  */
1350 static psa_mac_operation_t psa_mac_operation_init(void);
1351 
1352 /** Set up a multipart MAC calculation operation.
1353  *
1354  * This function sets up the calculation of the MAC
1355  * (message authentication code) of a byte string.
1356  * To verify the MAC of a message against an
1357  * expected value, use psa_mac_verify_setup() instead.
1358  *
1359  * The sequence of operations to calculate a MAC is as follows:
1360  * -# Allocate an operation object which will be passed to all the functions
1361  * listed here.
1362  * -# Initialize the operation object with one of the methods described in the
1363  * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
1364  * -# Call psa_mac_sign_setup() to specify the algorithm and key.
1365  * -# Call psa_mac_update() zero, one or more times, passing a fragment
1366  * of the message each time. The MAC that is calculated is the MAC
1367  * of the concatenation of these messages in order.
1368  * -# At the end of the message, call psa_mac_sign_finish() to finish
1369  * calculating the MAC value and retrieve it.
1370  *
1371  * If an error occurs at any step after a call to psa_mac_sign_setup(), the
1372  * operation will need to be reset by a call to psa_mac_abort(). The
1373  * application may call psa_mac_abort() at any time after the operation
1374  * has been initialized.
1375  *
1376  * After a successful call to psa_mac_sign_setup(), the application must
1377  * eventually terminate the operation through one of the following methods:
1378  * - A successful call to psa_mac_sign_finish().
1379  * - A call to psa_mac_abort().
1380  *
1381  * \param[in,out] operation The operation object to set up. It must have
1382  * been initialized as per the documentation for
1383  * #psa_mac_operation_t and not yet in use.
1384  * \param handle Handle to the key to use for the operation.
1385  * It must remain valid until the operation
1386  * terminates.
1387  * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1388  * such that #PSA_ALG_IS_MAC(\p alg) is true).
1389  *
1390  * \retval #PSA_SUCCESS
1391  * Success.
1392  * \retval #PSA_ERROR_INVALID_HANDLE
1393  * \retval #PSA_ERROR_NOT_PERMITTED
1394  * \retval #PSA_ERROR_INVALID_ARGUMENT
1395  * \p handle is not compatible with \p alg.
1396  * \retval #PSA_ERROR_NOT_SUPPORTED
1397  * \p alg is not supported or is not a MAC algorithm.
1398  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1399  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1400  * \retval #PSA_ERROR_HARDWARE_FAILURE
1401  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1402  * \retval #PSA_ERROR_STORAGE_FAILURE
1403  * The key could not be retrieved from storage.
1404  * \retval #PSA_ERROR_BAD_STATE
1405  * The operation state is not valid (it must be inactive).
1406  * \retval #PSA_ERROR_BAD_STATE
1407  * The library has not been previously initialized by psa_crypto_init().
1408  * It is implementation-dependent whether a failure to initialize
1409  * results in this error code.
1410  */
1411 psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
1412  psa_key_handle_t handle,
1413  psa_algorithm_t alg);
1414 
1415 /** Set up a multipart MAC verification operation.
1416  *
1417  * This function sets up the verification of the MAC
1418  * (message authentication code) of a byte string against an expected value.
1419  *
1420  * The sequence of operations to verify a MAC is as follows:
1421  * -# Allocate an operation object which will be passed to all the functions
1422  * listed here.
1423  * -# Initialize the operation object with one of the methods described in the
1424  * documentation for #psa_mac_operation_t, e.g. #PSA_MAC_OPERATION_INIT.
1425  * -# Call psa_mac_verify_setup() to specify the algorithm and key.
1426  * -# Call psa_mac_update() zero, one or more times, passing a fragment
1427  * of the message each time. The MAC that is calculated is the MAC
1428  * of the concatenation of these messages in order.
1429  * -# At the end of the message, call psa_mac_verify_finish() to finish
1430  * calculating the actual MAC of the message and verify it against
1431  * the expected value.
1432  *
1433  * If an error occurs at any step after a call to psa_mac_verify_setup(), the
1434  * operation will need to be reset by a call to psa_mac_abort(). The
1435  * application may call psa_mac_abort() at any time after the operation
1436  * has been initialized.
1437  *
1438  * After a successful call to psa_mac_verify_setup(), the application must
1439  * eventually terminate the operation through one of the following methods:
1440  * - A successful call to psa_mac_verify_finish().
1441  * - A call to psa_mac_abort().
1442  *
1443  * \param[in,out] operation The operation object to set up. It must have
1444  * been initialized as per the documentation for
1445  * #psa_mac_operation_t and not yet in use.
1446  * \param handle Handle to the key to use for the operation.
1447  * It must remain valid until the operation
1448  * terminates.
1449  * \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
1450  * such that #PSA_ALG_IS_MAC(\p alg) is true).
1451  *
1452  * \retval #PSA_SUCCESS
1453  * Success.
1454  * \retval #PSA_ERROR_INVALID_HANDLE
1455  * \retval #PSA_ERROR_NOT_PERMITTED
1456  * \retval #PSA_ERROR_INVALID_ARGUMENT
1457  * \c key is not compatible with \c alg.
1458  * \retval #PSA_ERROR_NOT_SUPPORTED
1459  * \c alg is not supported or is not a MAC algorithm.
1460  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1461  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1462  * \retval #PSA_ERROR_HARDWARE_FAILURE
1463  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1464  * \retval #PSA_ERROR_STORAGE_FAILURE
1465  * The key could not be retrieved from storage
1466  * \retval #PSA_ERROR_BAD_STATE
1467  * The operation state is not valid (it must be inactive).
1468  * \retval #PSA_ERROR_BAD_STATE
1469  * The library has not been previously initialized by psa_crypto_init().
1470  * It is implementation-dependent whether a failure to initialize
1471  * results in this error code.
1472  */
1473 psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
1474  psa_key_handle_t handle,
1475  psa_algorithm_t alg);
1476 
1477 /** Add a message fragment to a multipart MAC operation.
1478  *
1479  * The application must call psa_mac_sign_setup() or psa_mac_verify_setup()
1480  * before calling this function.
1481  *
1482  * If this function returns an error status, the operation enters an error
1483  * state and must be aborted by calling psa_mac_abort().
1484  *
1485  * \param[in,out] operation Active MAC operation.
1486  * \param[in] input Buffer containing the message fragment to add to
1487  * the MAC calculation.
1488  * \param input_length Size of the \p input buffer in bytes.
1489  *
1490  * \retval #PSA_SUCCESS
1491  * Success.
1492  * \retval #PSA_ERROR_BAD_STATE
1493  * The operation state is not valid (it must be active).
1494  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1495  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1496  * \retval #PSA_ERROR_HARDWARE_FAILURE
1497  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1498  * \retval #PSA_ERROR_STORAGE_FAILURE
1499  * \retval #PSA_ERROR_BAD_STATE
1500  * The library has not been previously initialized by psa_crypto_init().
1501  * It is implementation-dependent whether a failure to initialize
1502  * results in this error code.
1503  */
1504 psa_status_t psa_mac_update(psa_mac_operation_t *operation,
1505  const uint8_t *input,
1506  size_t input_length);
1507 
1508 /** Finish the calculation of the MAC of a message.
1509  *
1510  * The application must call psa_mac_sign_setup() before calling this function.
1511  * This function calculates the MAC of the message formed by concatenating
1512  * the inputs passed to preceding calls to psa_mac_update().
1513  *
1514  * When this function returns successfuly, the operation becomes inactive.
1515  * If this function returns an error status, the operation enters an error
1516  * state and must be aborted by calling psa_mac_abort().
1517  *
1518  * \warning Applications should not call this function if they expect
1519  * a specific value for the MAC. Call psa_mac_verify_finish() instead.
1520  * Beware that comparing integrity or authenticity data such as
1521  * MAC values with a function such as \c memcmp is risky
1522  * because the time taken by the comparison may leak information
1523  * about the MAC value which could allow an attacker to guess
1524  * a valid MAC and thereby bypass security controls.
1525  *
1526  * \param[in,out] operation Active MAC operation.
1527  * \param[out] mac Buffer where the MAC value is to be written.
1528  * \param mac_size Size of the \p mac buffer in bytes.
1529  * \param[out] mac_length On success, the number of bytes
1530  * that make up the MAC value. This is always
1531  * #PSA_MAC_FINAL_SIZE(\c key_type, \c key_bits, \c alg)
1532  * where \c key_type and \c key_bits are the type and
1533  * bit-size respectively of the key and \c alg is the
1534  * MAC algorithm that is calculated.
1535  *
1536  * \retval #PSA_SUCCESS
1537  * Success.
1538  * \retval #PSA_ERROR_BAD_STATE
1539  * The operation state is not valid (it must be an active mac sign
1540  * operation).
1541  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1542  * The size of the \p mac buffer is too small. You can determine a
1543  * sufficient buffer size by calling PSA_MAC_FINAL_SIZE().
1544  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1545  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1546  * \retval #PSA_ERROR_HARDWARE_FAILURE
1547  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1548  * \retval #PSA_ERROR_STORAGE_FAILURE
1549  * \retval #PSA_ERROR_BAD_STATE
1550  * The library has not been previously initialized by psa_crypto_init().
1551  * It is implementation-dependent whether a failure to initialize
1552  * results in this error code.
1553  */
1554 psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
1555  uint8_t *mac,
1556  size_t mac_size,
1557  size_t *mac_length);
1558 
1559 /** Finish the calculation of the MAC of a message and compare it with
1560  * an expected value.
1561  *
1562  * The application must call psa_mac_verify_setup() before calling this function.
1563  * This function calculates the MAC of the message formed by concatenating
1564  * the inputs passed to preceding calls to psa_mac_update(). It then
1565  * compares the calculated MAC with the expected MAC passed as a
1566  * parameter to this function.
1567  *
1568  * When this function returns successfuly, the operation becomes inactive.
1569  * If this function returns an error status, the operation enters an error
1570  * state and must be aborted by calling psa_mac_abort().
1571  *
1572  * \note Implementations shall make the best effort to ensure that the
1573  * comparison between the actual MAC and the expected MAC is performed
1574  * in constant time.
1575  *
1576  * \param[in,out] operation Active MAC operation.
1577  * \param[in] mac Buffer containing the expected MAC value.
1578  * \param mac_length Size of the \p mac buffer in bytes.
1579  *
1580  * \retval #PSA_SUCCESS
1581  * The expected MAC is identical to the actual MAC of the message.
1582  * \retval #PSA_ERROR_INVALID_SIGNATURE
1583  * The MAC of the message was calculated successfully, but it
1584  * differs from the expected MAC.
1585  * \retval #PSA_ERROR_BAD_STATE
1586  * The operation state is not valid (it must be an active mac verify
1587  * operation).
1588  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1589  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1590  * \retval #PSA_ERROR_HARDWARE_FAILURE
1591  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1592  * \retval #PSA_ERROR_STORAGE_FAILURE
1593  * \retval #PSA_ERROR_BAD_STATE
1594  * The library has not been previously initialized by psa_crypto_init().
1595  * It is implementation-dependent whether a failure to initialize
1596  * results in this error code.
1597  */
1598 psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
1599  const uint8_t *mac,
1600  size_t mac_length);
1601 
1602 /** Abort a MAC operation.
1603  *
1604  * Aborting an operation frees all associated resources except for the
1605  * \p operation structure itself. Once aborted, the operation object
1606  * can be reused for another operation by calling
1607  * psa_mac_sign_setup() or psa_mac_verify_setup() again.
1608  *
1609  * You may call this function any time after the operation object has
1610  * been initialized by one of the methods described in #psa_mac_operation_t.
1611  *
1612  * In particular, calling psa_mac_abort() after the operation has been
1613  * terminated by a call to psa_mac_abort(), psa_mac_sign_finish() or
1614  * psa_mac_verify_finish() is safe and has no effect.
1615  *
1616  * \param[in,out] operation Initialized MAC operation.
1617  *
1618  * \retval #PSA_SUCCESS
1619  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1620  * \retval #PSA_ERROR_HARDWARE_FAILURE
1621  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1622  * \retval #PSA_ERROR_BAD_STATE
1623  * The library has not been previously initialized by psa_crypto_init().
1624  * It is implementation-dependent whether a failure to initialize
1625  * results in this error code.
1626  */
1627 psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
1628 
1629 /**@}*/
1630 
1631 /** \defgroup cipher Symmetric ciphers
1632  * @{
1633  */
1634 
1635 /** Encrypt a message using a symmetric cipher.
1636  *
1637  * This function encrypts a message with a random IV (initialization
1638  * vector). Use the multipart operation interface with a
1639  * #psa_cipher_operation_t object to provide other forms of IV.
1640  *
1641  * \param handle Handle to the key to use for the operation.
1642  * It must remain valid until the operation
1643  * terminates.
1644  * \param alg The cipher algorithm to compute
1645  * (\c PSA_ALG_XXX value such that
1646  * #PSA_ALG_IS_CIPHER(\p alg) is true).
1647  * \param[in] input Buffer containing the message to encrypt.
1648  * \param input_length Size of the \p input buffer in bytes.
1649  * \param[out] output Buffer where the output is to be written.
1650  * The output contains the IV followed by
1651  * the ciphertext proper.
1652  * \param output_size Size of the \p output buffer in bytes.
1653  * \param[out] output_length On success, the number of bytes
1654  * that make up the output.
1655  *
1656  * \retval #PSA_SUCCESS
1657  * Success.
1658  * \retval #PSA_ERROR_INVALID_HANDLE
1659  * \retval #PSA_ERROR_NOT_PERMITTED
1660  * \retval #PSA_ERROR_INVALID_ARGUMENT
1661  * \p handle is not compatible with \p alg.
1662  * \retval #PSA_ERROR_NOT_SUPPORTED
1663  * \p alg is not supported or is not a cipher algorithm.
1664  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1665  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1666  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1667  * \retval #PSA_ERROR_HARDWARE_FAILURE
1668  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1669  * \retval #PSA_ERROR_STORAGE_FAILURE
1670  * \retval #PSA_ERROR_BAD_STATE
1671  * The library has not been previously initialized by psa_crypto_init().
1672  * It is implementation-dependent whether a failure to initialize
1673  * results in this error code.
1674  */
1675 psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
1676  psa_algorithm_t alg,
1677  const uint8_t *input,
1678  size_t input_length,
1679  uint8_t *output,
1680  size_t output_size,
1681  size_t *output_length);
1682 
1683 /** Decrypt a message using a symmetric cipher.
1684  *
1685  * This function decrypts a message encrypted with a symmetric cipher.
1686  *
1687  * \param handle Handle to the key to use for the operation.
1688  * It must remain valid until the operation
1689  * terminates.
1690  * \param alg The cipher algorithm to compute
1691  * (\c PSA_ALG_XXX value such that
1692  * #PSA_ALG_IS_CIPHER(\p alg) is true).
1693  * \param[in] input Buffer containing the message to decrypt.
1694  * This consists of the IV followed by the
1695  * ciphertext proper.
1696  * \param input_length Size of the \p input buffer in bytes.
1697  * \param[out] output Buffer where the plaintext is to be written.
1698  * \param output_size Size of the \p output buffer in bytes.
1699  * \param[out] output_length On success, the number of bytes
1700  * that make up the output.
1701  *
1702  * \retval #PSA_SUCCESS
1703  * Success.
1704  * \retval #PSA_ERROR_INVALID_HANDLE
1705  * \retval #PSA_ERROR_NOT_PERMITTED
1706  * \retval #PSA_ERROR_INVALID_ARGUMENT
1707  * \p handle is not compatible with \p alg.
1708  * \retval #PSA_ERROR_NOT_SUPPORTED
1709  * \p alg is not supported or is not a cipher algorithm.
1710  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1711  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1712  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1713  * \retval #PSA_ERROR_HARDWARE_FAILURE
1714  * \retval #PSA_ERROR_STORAGE_FAILURE
1715  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1716  * \retval #PSA_ERROR_BAD_STATE
1717  * The library has not been previously initialized by psa_crypto_init().
1718  * It is implementation-dependent whether a failure to initialize
1719  * results in this error code.
1720  */
1721 psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
1722  psa_algorithm_t alg,
1723  const uint8_t *input,
1724  size_t input_length,
1725  uint8_t *output,
1726  size_t output_size,
1727  size_t *output_length);
1728 
1729 /** The type of the state data structure for multipart cipher operations.
1730  *
1731  * Before calling any function on a cipher operation object, the application
1732  * must initialize it by any of the following means:
1733  * - Set the structure to all-bits-zero, for example:
1734  * \code
1735  * psa_cipher_operation_t operation;
1736  * memset(&operation, 0, sizeof(operation));
1737  * \endcode
1738  * - Initialize the structure to logical zero values, for example:
1739  * \code
1740  * psa_cipher_operation_t operation = {0};
1741  * \endcode
1742  * - Initialize the structure to the initializer #PSA_CIPHER_OPERATION_INIT,
1743  * for example:
1744  * \code
1745  * psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
1746  * \endcode
1747  * - Assign the result of the function psa_cipher_operation_init()
1748  * to the structure, for example:
1749  * \code
1750  * psa_cipher_operation_t operation;
1751  * operation = psa_cipher_operation_init();
1752  * \endcode
1753  *
1754  * This is an implementation-defined \c struct. Applications should not
1755  * make any assumptions about the content of this structure except
1756  * as directed by the documentation of a specific implementation. */
1757 typedef struct psa_cipher_operation_s psa_cipher_operation_t;
1758 
1759 /** \def PSA_CIPHER_OPERATION_INIT
1760  *
1761  * This macro returns a suitable initializer for a cipher operation object of
1762  * type #psa_cipher_operation_t.
1763  */
1764 #ifdef __DOXYGEN_ONLY__
1765 /* This is an example definition for documentation purposes.
1766  * Implementations should define a suitable value in `crypto_struct.h`.
1767  */
1768 #define PSA_CIPHER_OPERATION_INIT {0}
1769 #endif
1770 
1771 /** Return an initial value for a cipher operation object.
1772  */
1773 static psa_cipher_operation_t psa_cipher_operation_init(void);
1774 
1775 /** Set the key for a multipart symmetric encryption operation.
1776  *
1777  * The sequence of operations to encrypt a message with a symmetric cipher
1778  * is as follows:
1779  * -# Allocate an operation object which will be passed to all the functions
1780  * listed here.
1781  * -# Initialize the operation object with one of the methods described in the
1782  * documentation for #psa_cipher_operation_t, e.g.
1783  * #PSA_CIPHER_OPERATION_INIT.
1784  * -# Call psa_cipher_encrypt_setup() to specify the algorithm and key.
1785  * -# Call either psa_cipher_generate_iv() or psa_cipher_set_iv() to
1786  * generate or set the IV (initialization vector). You should use
1787  * psa_cipher_generate_iv() unless the protocol you are implementing
1788  * requires a specific IV value.
1789  * -# Call psa_cipher_update() zero, one or more times, passing a fragment
1790  * of the message each time.
1791  * -# Call psa_cipher_finish().
1792  *
1793  * If an error occurs at any step after a call to psa_cipher_encrypt_setup(),
1794  * the operation will need to be reset by a call to psa_cipher_abort(). The
1795  * application may call psa_cipher_abort() at any time after the operation
1796  * has been initialized.
1797  *
1798  * After a successful call to psa_cipher_encrypt_setup(), the application must
1799  * eventually terminate the operation. The following events terminate an
1800  * operation:
1801  * - A successful call to psa_cipher_finish().
1802  * - A call to psa_cipher_abort().
1803  *
1804  * \param[in,out] operation The operation object to set up. It must have
1805  * been initialized as per the documentation for
1806  * #psa_cipher_operation_t and not yet in use.
1807  * \param handle Handle to the key to use for the operation.
1808  * It must remain valid until the operation
1809  * terminates.
1810  * \param alg The cipher algorithm to compute
1811  * (\c PSA_ALG_XXX value such that
1812  * #PSA_ALG_IS_CIPHER(\p alg) is true).
1813  *
1814  * \retval #PSA_SUCCESS
1815  * Success.
1816  * \retval #PSA_ERROR_INVALID_HANDLE
1817  * \retval #PSA_ERROR_NOT_PERMITTED
1818  * \retval #PSA_ERROR_INVALID_ARGUMENT
1819  * \p handle is not compatible with \p alg.
1820  * \retval #PSA_ERROR_NOT_SUPPORTED
1821  * \p alg is not supported or is not a cipher algorithm.
1822  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1823  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1824  * \retval #PSA_ERROR_HARDWARE_FAILURE
1825  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1826  * \retval #PSA_ERROR_STORAGE_FAILURE
1827  * \retval #PSA_ERROR_BAD_STATE
1828  * The operation state is not valid (it must be inactive).
1829  * \retval #PSA_ERROR_BAD_STATE
1830  * The library has not been previously initialized by psa_crypto_init().
1831  * It is implementation-dependent whether a failure to initialize
1832  * results in this error code.
1833  */
1834 psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
1835  psa_key_handle_t handle,
1836  psa_algorithm_t alg);
1837 
1838 /** Set the key for a multipart symmetric decryption operation.
1839  *
1840  * The sequence of operations to decrypt a message with a symmetric cipher
1841  * is as follows:
1842  * -# Allocate an operation object which will be passed to all the functions
1843  * listed here.
1844  * -# Initialize the operation object with one of the methods described in the
1845  * documentation for #psa_cipher_operation_t, e.g.
1846  * #PSA_CIPHER_OPERATION_INIT.
1847  * -# Call psa_cipher_decrypt_setup() to specify the algorithm and key.
1848  * -# Call psa_cipher_set_iv() with the IV (initialization vector) for the
1849  * decryption. If the IV is prepended to the ciphertext, you can call
1850  * psa_cipher_update() on a buffer containing the IV followed by the
1851  * beginning of the message.
1852  * -# Call psa_cipher_update() zero, one or more times, passing a fragment
1853  * of the message each time.
1854  * -# Call psa_cipher_finish().
1855  *
1856  * If an error occurs at any step after a call to psa_cipher_decrypt_setup(),
1857  * the operation will need to be reset by a call to psa_cipher_abort(). The
1858  * application may call psa_cipher_abort() at any time after the operation
1859  * has been initialized.
1860  *
1861  * After a successful call to psa_cipher_decrypt_setup(), the application must
1862  * eventually terminate the operation. The following events terminate an
1863  * operation:
1864  * - A successful call to psa_cipher_finish().
1865  * - A call to psa_cipher_abort().
1866  *
1867  * \param[in,out] operation The operation object to set up. It must have
1868  * been initialized as per the documentation for
1869  * #psa_cipher_operation_t and not yet in use.
1870  * \param handle Handle to the key to use for the operation.
1871  * It must remain valid until the operation
1872  * terminates.
1873  * \param alg The cipher algorithm to compute
1874  * (\c PSA_ALG_XXX value such that
1875  * #PSA_ALG_IS_CIPHER(\p alg) is true).
1876  *
1877  * \retval #PSA_SUCCESS
1878  * Success.
1879  * \retval #PSA_ERROR_INVALID_HANDLE
1880  * \retval #PSA_ERROR_NOT_PERMITTED
1881  * \retval #PSA_ERROR_INVALID_ARGUMENT
1882  * \p handle is not compatible with \p alg.
1883  * \retval #PSA_ERROR_NOT_SUPPORTED
1884  * \p alg is not supported or is not a cipher algorithm.
1885  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1886  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1887  * \retval #PSA_ERROR_HARDWARE_FAILURE
1888  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1889  * \retval #PSA_ERROR_STORAGE_FAILURE
1890  * \retval #PSA_ERROR_BAD_STATE
1891  * The operation state is not valid (it must be inactive).
1892  * \retval #PSA_ERROR_BAD_STATE
1893  * The library has not been previously initialized by psa_crypto_init().
1894  * It is implementation-dependent whether a failure to initialize
1895  * results in this error code.
1896  */
1897 psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
1898  psa_key_handle_t handle,
1899  psa_algorithm_t alg);
1900 
1901 /** Generate an IV for a symmetric encryption operation.
1902  *
1903  * This function generates a random IV (initialization vector), nonce
1904  * or initial counter value for the encryption operation as appropriate
1905  * for the chosen algorithm, key type and key size.
1906  *
1907  * The application must call psa_cipher_encrypt_setup() before
1908  * calling this function.
1909  *
1910  * If this function returns an error status, the operation enters an error
1911  * state and must be aborted by calling psa_cipher_abort().
1912  *
1913  * \param[in,out] operation Active cipher operation.
1914  * \param[out] iv Buffer where the generated IV is to be written.
1915  * \param iv_size Size of the \p iv buffer in bytes.
1916  * \param[out] iv_length On success, the number of bytes of the
1917  * generated IV.
1918  *
1919  * \retval #PSA_SUCCESS
1920  * Success.
1921  * \retval #PSA_ERROR_BAD_STATE
1922  * The operation state is not valid (it must be active, with no IV set).
1923  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
1924  * The size of the \p iv buffer is too small.
1925  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1926  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1927  * \retval #PSA_ERROR_HARDWARE_FAILURE
1928  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1929  * \retval #PSA_ERROR_STORAGE_FAILURE
1930  * \retval #PSA_ERROR_BAD_STATE
1931  * The library has not been previously initialized by psa_crypto_init().
1932  * It is implementation-dependent whether a failure to initialize
1933  * results in this error code.
1934  */
1935 psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
1936  uint8_t *iv,
1937  size_t iv_size,
1938  size_t *iv_length);
1939 
1940 /** Set the IV for a symmetric encryption or decryption operation.
1941  *
1942  * This function sets the IV (initialization vector), nonce
1943  * or initial counter value for the encryption or decryption operation.
1944  *
1945  * The application must call psa_cipher_encrypt_setup() before
1946  * calling this function.
1947  *
1948  * If this function returns an error status, the operation enters an error
1949  * state and must be aborted by calling psa_cipher_abort().
1950  *
1951  * \note When encrypting, applications should use psa_cipher_generate_iv()
1952  * instead of this function, unless implementing a protocol that requires
1953  * a non-random IV.
1954  *
1955  * \param[in,out] operation Active cipher operation.
1956  * \param[in] iv Buffer containing the IV to use.
1957  * \param iv_length Size of the IV in bytes.
1958  *
1959  * \retval #PSA_SUCCESS
1960  * Success.
1961  * \retval #PSA_ERROR_BAD_STATE
1962  * The operation state is not valid (it must be an active cipher
1963  * encrypt operation, with no IV set).
1964  * \retval #PSA_ERROR_INVALID_ARGUMENT
1965  * The size of \p iv is not acceptable for the chosen algorithm,
1966  * or the chosen algorithm does not use an IV.
1967  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
1968  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
1969  * \retval #PSA_ERROR_HARDWARE_FAILURE
1970  * \retval #PSA_ERROR_CORRUPTION_DETECTED
1971  * \retval #PSA_ERROR_STORAGE_FAILURE
1972  * \retval #PSA_ERROR_BAD_STATE
1973  * The library has not been previously initialized by psa_crypto_init().
1974  * It is implementation-dependent whether a failure to initialize
1975  * results in this error code.
1976  */
1977 psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
1978  const uint8_t *iv,
1979  size_t iv_length);
1980 
1981 /** Encrypt or decrypt a message fragment in an active cipher operation.
1982  *
1983  * Before calling this function, you must:
1984  * 1. Call either psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup().
1985  * The choice of setup function determines whether this function
1986  * encrypts or decrypts its input.
1987  * 2. If the algorithm requires an IV, call psa_cipher_generate_iv()
1988  * (recommended when encrypting) or psa_cipher_set_iv().
1989  *
1990  * If this function returns an error status, the operation enters an error
1991  * state and must be aborted by calling psa_cipher_abort().
1992  *
1993  * \param[in,out] operation Active cipher operation.
1994  * \param[in] input Buffer containing the message fragment to
1995  * encrypt or decrypt.
1996  * \param input_length Size of the \p input buffer in bytes.
1997  * \param[out] output Buffer where the output is to be written.
1998  * \param output_size Size of the \p output buffer in bytes.
1999  * \param[out] output_length On success, the number of bytes
2000  * that make up the returned output.
2001  *
2002  * \retval #PSA_SUCCESS
2003  * Success.
2004  * \retval #PSA_ERROR_BAD_STATE
2005  * The operation state is not valid (it must be active, with an IV set
2006  * if required for the algorithm).
2007  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2008  * The size of the \p output buffer is too small.
2009  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2010  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2011  * \retval #PSA_ERROR_HARDWARE_FAILURE
2012  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2013  * \retval #PSA_ERROR_STORAGE_FAILURE
2014  * \retval #PSA_ERROR_BAD_STATE
2015  * The library has not been previously initialized by psa_crypto_init().
2016  * It is implementation-dependent whether a failure to initialize
2017  * results in this error code.
2018  */
2019 psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
2020  const uint8_t *input,
2021  size_t input_length,
2022  uint8_t *output,
2023  size_t output_size,
2024  size_t *output_length);
2025 
2026 /** Finish encrypting or decrypting a message in a cipher operation.
2027  *
2028  * The application must call psa_cipher_encrypt_setup() or
2029  * psa_cipher_decrypt_setup() before calling this function. The choice
2030  * of setup function determines whether this function encrypts or
2031  * decrypts its input.
2032  *
2033  * This function finishes the encryption or decryption of the message
2034  * formed by concatenating the inputs passed to preceding calls to
2035  * psa_cipher_update().
2036  *
2037  * When this function returns successfuly, the operation becomes inactive.
2038  * If this function returns an error status, the operation enters an error
2039  * state and must be aborted by calling psa_cipher_abort().
2040  *
2041  * \param[in,out] operation Active cipher operation.
2042  * \param[out] output Buffer where the output is to be written.
2043  * \param output_size Size of the \p output buffer in bytes.
2044  * \param[out] output_length On success, the number of bytes
2045  * that make up the returned output.
2046  *
2047  * \retval #PSA_SUCCESS
2048  * Success.
2049  * \retval #PSA_ERROR_INVALID_ARGUMENT
2050  * The total input size passed to this operation is not valid for
2051  * this particular algorithm. For example, the algorithm is a based
2052  * on block cipher and requires a whole number of blocks, but the
2053  * total input size is not a multiple of the block size.
2054  * \retval #PSA_ERROR_INVALID_PADDING
2055  * This is a decryption operation for an algorithm that includes
2056  * padding, and the ciphertext does not contain valid padding.
2057  * \retval #PSA_ERROR_BAD_STATE
2058  * The operation state is not valid (it must be active, with an IV set
2059  * if required for the algorithm).
2060  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2061  * The size of the \p output buffer is too small.
2062  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2063  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2064  * \retval #PSA_ERROR_HARDWARE_FAILURE
2065  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2066  * \retval #PSA_ERROR_STORAGE_FAILURE
2067  * \retval #PSA_ERROR_BAD_STATE
2068  * The library has not been previously initialized by psa_crypto_init().
2069  * It is implementation-dependent whether a failure to initialize
2070  * results in this error code.
2071  */
2072 psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
2073  uint8_t *output,
2074  size_t output_size,
2075  size_t *output_length);
2076 
2077 /** Abort a cipher operation.
2078  *
2079  * Aborting an operation frees all associated resources except for the
2080  * \p operation structure itself. Once aborted, the operation object
2081  * can be reused for another operation by calling
2082  * psa_cipher_encrypt_setup() or psa_cipher_decrypt_setup() again.
2083  *
2084  * You may call this function any time after the operation object has
2085  * been initialized as described in #psa_cipher_operation_t.
2086  *
2087  * In particular, calling psa_cipher_abort() after the operation has been
2088  * terminated by a call to psa_cipher_abort() or psa_cipher_finish()
2089  * is safe and has no effect.
2090  *
2091  * \param[in,out] operation Initialized cipher operation.
2092  *
2093  * \retval #PSA_SUCCESS
2094  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2095  * \retval #PSA_ERROR_HARDWARE_FAILURE
2096  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2097  * \retval #PSA_ERROR_BAD_STATE
2098  * The library has not been previously initialized by psa_crypto_init().
2099  * It is implementation-dependent whether a failure to initialize
2100  * results in this error code.
2101  */
2102 psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
2103 
2104 /**@}*/
2105 
2106 /** \defgroup aead Authenticated encryption with associated data (AEAD)
2107  * @{
2108  */
2109 
2110 /** Process an authenticated encryption operation.
2111  *
2112  * \param handle Handle to the key to use for the operation.
2113  * \param alg The AEAD algorithm to compute
2114  * (\c PSA_ALG_XXX value such that
2115  * #PSA_ALG_IS_AEAD(\p alg) is true).
2116  * \param[in] nonce Nonce or IV to use.
2117  * \param nonce_length Size of the \p nonce buffer in bytes.
2118  * \param[in] additional_data Additional data that will be authenticated
2119  * but not encrypted.
2120  * \param additional_data_length Size of \p additional_data in bytes.
2121  * \param[in] plaintext Data that will be authenticated and
2122  * encrypted.
2123  * \param plaintext_length Size of \p plaintext in bytes.
2124  * \param[out] ciphertext Output buffer for the authenticated and
2125  * encrypted data. The additional data is not
2126  * part of this output. For algorithms where the
2127  * encrypted data and the authentication tag
2128  * are defined as separate outputs, the
2129  * authentication tag is appended to the
2130  * encrypted data.
2131  * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
2132  * This must be at least
2133  * #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p alg,
2134  * \p plaintext_length).
2135  * \param[out] ciphertext_length On success, the size of the output
2136  * in the \p ciphertext buffer.
2137  *
2138  * \retval #PSA_SUCCESS
2139  * Success.
2140  * \retval #PSA_ERROR_INVALID_HANDLE
2141  * \retval #PSA_ERROR_NOT_PERMITTED
2142  * \retval #PSA_ERROR_INVALID_ARGUMENT
2143  * \p handle is not compatible with \p alg.
2144  * \retval #PSA_ERROR_NOT_SUPPORTED
2145  * \p alg is not supported or is not an AEAD algorithm.
2146  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2147  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2148  * \p ciphertext_size is too small
2149  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2150  * \retval #PSA_ERROR_HARDWARE_FAILURE
2151  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2152  * \retval #PSA_ERROR_STORAGE_FAILURE
2153  * \retval #PSA_ERROR_BAD_STATE
2154  * The library has not been previously initialized by psa_crypto_init().
2155  * It is implementation-dependent whether a failure to initialize
2156  * results in this error code.
2157  */
2158 psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
2159  psa_algorithm_t alg,
2160  const uint8_t *nonce,
2161  size_t nonce_length,
2162  const uint8_t *additional_data,
2163  size_t additional_data_length,
2164  const uint8_t *plaintext,
2165  size_t plaintext_length,
2166  uint8_t *ciphertext,
2167  size_t ciphertext_size,
2168  size_t *ciphertext_length);
2169 
2170 /** Process an authenticated decryption operation.
2171  *
2172  * \param handle Handle to the key to use for the operation.
2173  * \param alg The AEAD algorithm to compute
2174  * (\c PSA_ALG_XXX value such that
2175  * #PSA_ALG_IS_AEAD(\p alg) is true).
2176  * \param[in] nonce Nonce or IV to use.
2177  * \param nonce_length Size of the \p nonce buffer in bytes.
2178  * \param[in] additional_data Additional data that has been authenticated
2179  * but not encrypted.
2180  * \param additional_data_length Size of \p additional_data in bytes.
2181  * \param[in] ciphertext Data that has been authenticated and
2182  * encrypted. For algorithms where the
2183  * encrypted data and the authentication tag
2184  * are defined as separate inputs, the buffer
2185  * must contain the encrypted data followed
2186  * by the authentication tag.
2187  * \param ciphertext_length Size of \p ciphertext in bytes.
2188  * \param[out] plaintext Output buffer for the decrypted data.
2189  * \param plaintext_size Size of the \p plaintext buffer in bytes.
2190  * This must be at least
2191  * #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p alg,
2192  * \p ciphertext_length).
2193  * \param[out] plaintext_length On success, the size of the output
2194  * in the \p plaintext buffer.
2195  *
2196  * \retval #PSA_SUCCESS
2197  * Success.
2198  * \retval #PSA_ERROR_INVALID_HANDLE
2199  * \retval #PSA_ERROR_INVALID_SIGNATURE
2200  * The ciphertext is not authentic.
2201  * \retval #PSA_ERROR_NOT_PERMITTED
2202  * \retval #PSA_ERROR_INVALID_ARGUMENT
2203  * \p handle is not compatible with \p alg.
2204  * \retval #PSA_ERROR_NOT_SUPPORTED
2205  * \p alg is not supported or is not an AEAD algorithm.
2206  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2207  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2208  * \p plaintext_size or \p nonce_length is too small
2209  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2210  * \retval #PSA_ERROR_HARDWARE_FAILURE
2211  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2212  * \retval #PSA_ERROR_STORAGE_FAILURE
2213  * \retval #PSA_ERROR_BAD_STATE
2214  * The library has not been previously initialized by psa_crypto_init().
2215  * It is implementation-dependent whether a failure to initialize
2216  * results in this error code.
2217  */
2218 psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
2219  psa_algorithm_t alg,
2220  const uint8_t *nonce,
2221  size_t nonce_length,
2222  const uint8_t *additional_data,
2223  size_t additional_data_length,
2224  const uint8_t *ciphertext,
2225  size_t ciphertext_length,
2226  uint8_t *plaintext,
2227  size_t plaintext_size,
2228  size_t *plaintext_length);
2229 
2230 /** The type of the state data structure for multipart AEAD operations.
2231  *
2232  * Before calling any function on an AEAD operation object, the application
2233  * must initialize it by any of the following means:
2234  * - Set the structure to all-bits-zero, for example:
2235  * \code
2236  * psa_aead_operation_t operation;
2237  * memset(&operation, 0, sizeof(operation));
2238  * \endcode
2239  * - Initialize the structure to logical zero values, for example:
2240  * \code
2241  * psa_aead_operation_t operation = {0};
2242  * \endcode
2243  * - Initialize the structure to the initializer #PSA_AEAD_OPERATION_INIT,
2244  * for example:
2245  * \code
2246  * psa_aead_operation_t operation = PSA_AEAD_OPERATION_INIT;
2247  * \endcode
2248  * - Assign the result of the function psa_aead_operation_init()
2249  * to the structure, for example:
2250  * \code
2251  * psa_aead_operation_t operation;
2252  * operation = psa_aead_operation_init();
2253  * \endcode
2254  *
2255  * This is an implementation-defined \c struct. Applications should not
2256  * make any assumptions about the content of this structure except
2257  * as directed by the documentation of a specific implementation. */
2258 typedef struct psa_aead_operation_s psa_aead_operation_t;
2259 
2260 /** \def PSA_AEAD_OPERATION_INIT
2261  *
2262  * This macro returns a suitable initializer for an AEAD operation object of
2263  * type #psa_aead_operation_t.
2264  */
2265 #ifdef __DOXYGEN_ONLY__
2266 /* This is an example definition for documentation purposes.
2267  * Implementations should define a suitable value in `crypto_struct.h`.
2268  */
2269 #define PSA_AEAD_OPERATION_INIT {0}
2270 #endif
2271 
2272 /** Return an initial value for an AEAD operation object.
2273  */
2274 static psa_aead_operation_t psa_aead_operation_init(void);
2275 
2276 /** Set the key for a multipart authenticated encryption operation.
2277  *
2278  * The sequence of operations to encrypt a message with authentication
2279  * is as follows:
2280  * -# Allocate an operation object which will be passed to all the functions
2281  * listed here.
2282  * -# Initialize the operation object with one of the methods described in the
2283  * documentation for #psa_aead_operation_t, e.g.
2284  * #PSA_AEAD_OPERATION_INIT.
2285  * -# Call psa_aead_encrypt_setup() to specify the algorithm and key.
2286  * -# If needed, call psa_aead_set_lengths() to specify the length of the
2287  * inputs to the subsequent calls to psa_aead_update_ad() and
2288  * psa_aead_update(). See the documentation of psa_aead_set_lengths()
2289  * for details.
2290  * -# Call either psa_aead_generate_nonce() or psa_aead_set_nonce() to
2291  * generate or set the nonce. You should use
2292  * psa_aead_generate_nonce() unless the protocol you are implementing
2293  * requires a specific nonce value.
2294  * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
2295  * of the non-encrypted additional authenticated data each time.
2296  * -# Call psa_aead_update() zero, one or more times, passing a fragment
2297  * of the message to encrypt each time.
2298  * -# Call psa_aead_finish().
2299  *
2300  * If an error occurs at any step after a call to psa_aead_encrypt_setup(),
2301  * the operation will need to be reset by a call to psa_aead_abort(). The
2302  * application may call psa_aead_abort() at any time after the operation
2303  * has been initialized.
2304  *
2305  * After a successful call to psa_aead_encrypt_setup(), the application must
2306  * eventually terminate the operation. The following events terminate an
2307  * operation:
2308  * - A successful call to psa_aead_finish().
2309  * - A call to psa_aead_abort().
2310  *
2311  * \param[in,out] operation The operation object to set up. It must have
2312  * been initialized as per the documentation for
2313  * #psa_aead_operation_t and not yet in use.
2314  * \param handle Handle to the key to use for the operation.
2315  * It must remain valid until the operation
2316  * terminates.
2317  * \param alg The AEAD algorithm to compute
2318  * (\c PSA_ALG_XXX value such that
2319  * #PSA_ALG_IS_AEAD(\p alg) is true).
2320  *
2321  * \retval #PSA_SUCCESS
2322  * Success.
2323  * \retval #PSA_ERROR_BAD_STATE
2324  * The operation state is not valid (it must be inactive).
2325  * \retval #PSA_ERROR_INVALID_HANDLE
2326  * \retval #PSA_ERROR_NOT_PERMITTED
2327  * \retval #PSA_ERROR_INVALID_ARGUMENT
2328  * \p handle is not compatible with \p alg.
2329  * \retval #PSA_ERROR_NOT_SUPPORTED
2330  * \p alg is not supported or is not an AEAD algorithm.
2331  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2332  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2333  * \retval #PSA_ERROR_HARDWARE_FAILURE
2334  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2335  * \retval #PSA_ERROR_STORAGE_FAILURE
2336  * \retval #PSA_ERROR_BAD_STATE
2337  * The library has not been previously initialized by psa_crypto_init().
2338  * It is implementation-dependent whether a failure to initialize
2339  * results in this error code.
2340  */
2341 psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
2342  psa_key_handle_t handle,
2343  psa_algorithm_t alg);
2344 
2345 /** Set the key for a multipart authenticated decryption operation.
2346  *
2347  * The sequence of operations to decrypt a message with authentication
2348  * is as follows:
2349  * -# Allocate an operation object which will be passed to all the functions
2350  * listed here.
2351  * -# Initialize the operation object with one of the methods described in the
2352  * documentation for #psa_aead_operation_t, e.g.
2353  * #PSA_AEAD_OPERATION_INIT.
2354  * -# Call psa_aead_decrypt_setup() to specify the algorithm and key.
2355  * -# If needed, call psa_aead_set_lengths() to specify the length of the
2356  * inputs to the subsequent calls to psa_aead_update_ad() and
2357  * psa_aead_update(). See the documentation of psa_aead_set_lengths()
2358  * for details.
2359  * -# Call psa_aead_set_nonce() with the nonce for the decryption.
2360  * -# Call psa_aead_update_ad() zero, one or more times, passing a fragment
2361  * of the non-encrypted additional authenticated data each time.
2362  * -# Call psa_aead_update() zero, one or more times, passing a fragment
2363  * of the ciphertext to decrypt each time.
2364  * -# Call psa_aead_verify().
2365  *
2366  * If an error occurs at any step after a call to psa_aead_decrypt_setup(),
2367  * the operation will need to be reset by a call to psa_aead_abort(). The
2368  * application may call psa_aead_abort() at any time after the operation
2369  * has been initialized.
2370  *
2371  * After a successful call to psa_aead_decrypt_setup(), the application must
2372  * eventually terminate the operation. The following events terminate an
2373  * operation:
2374  * - A successful call to psa_aead_verify().
2375  * - A call to psa_aead_abort().
2376  *
2377  * \param[in,out] operation The operation object to set up. It must have
2378  * been initialized as per the documentation for
2379  * #psa_aead_operation_t and not yet in use.
2380  * \param handle Handle to the key to use for the operation.
2381  * It must remain valid until the operation
2382  * terminates.
2383  * \param alg The AEAD algorithm to compute
2384  * (\c PSA_ALG_XXX value such that
2385  * #PSA_ALG_IS_AEAD(\p alg) is true).
2386  *
2387  * \retval #PSA_SUCCESS
2388  * Success.
2389  * \retval #PSA_ERROR_BAD_STATE
2390  * The operation state is not valid (it must be inactive).
2391  * \retval #PSA_ERROR_INVALID_HANDLE
2392  * \retval #PSA_ERROR_NOT_PERMITTED
2393  * \retval #PSA_ERROR_INVALID_ARGUMENT
2394  * \p handle is not compatible with \p alg.
2395  * \retval #PSA_ERROR_NOT_SUPPORTED
2396  * \p alg is not supported or is not an AEAD algorithm.
2397  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2398  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2399  * \retval #PSA_ERROR_HARDWARE_FAILURE
2400  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2401  * \retval #PSA_ERROR_STORAGE_FAILURE
2402  * \retval #PSA_ERROR_BAD_STATE
2403  * The library has not been previously initialized by psa_crypto_init().
2404  * It is implementation-dependent whether a failure to initialize
2405  * results in this error code.
2406  */
2407 psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
2408  psa_key_handle_t handle,
2409  psa_algorithm_t alg);
2410 
2411 /** Generate a random nonce for an authenticated encryption operation.
2412  *
2413  * This function generates a random nonce for the authenticated encryption
2414  * operation with an appropriate size for the chosen algorithm, key type
2415  * and key size.
2416  *
2417  * The application must call psa_aead_encrypt_setup() before
2418  * calling this function.
2419  *
2420  * If this function returns an error status, the operation enters an error
2421  * state and must be aborted by calling psa_aead_abort().
2422  *
2423  * \param[in,out] operation Active AEAD operation.
2424  * \param[out] nonce Buffer where the generated nonce is to be
2425  * written.
2426  * \param nonce_size Size of the \p nonce buffer in bytes.
2427  * \param[out] nonce_length On success, the number of bytes of the
2428  * generated nonce.
2429  *
2430  * \retval #PSA_SUCCESS
2431  * Success.
2432  * \retval #PSA_ERROR_BAD_STATE
2433  * The operation state is not valid (it must be an active aead encrypt
2434  operation, with no nonce set).
2435  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2436  * The size of the \p nonce buffer is too small.
2437  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2438  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2439  * \retval #PSA_ERROR_HARDWARE_FAILURE
2440  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2441  * \retval #PSA_ERROR_STORAGE_FAILURE
2442  * \retval #PSA_ERROR_BAD_STATE
2443  * The library has not been previously initialized by psa_crypto_init().
2444  * It is implementation-dependent whether a failure to initialize
2445  * results in this error code.
2446  */
2447 psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
2448  uint8_t *nonce,
2449  size_t nonce_size,
2450  size_t *nonce_length);
2451 
2452 /** Set the nonce for an authenticated encryption or decryption operation.
2453  *
2454  * This function sets the nonce for the authenticated
2455  * encryption or decryption operation.
2456  *
2457  * The application must call psa_aead_encrypt_setup() or
2458  * psa_aead_decrypt_setup() before calling this function.
2459  *
2460  * If this function returns an error status, the operation enters an error
2461  * state and must be aborted by calling psa_aead_abort().
2462  *
2463  * \note When encrypting, applications should use psa_aead_generate_nonce()
2464  * instead of this function, unless implementing a protocol that requires
2465  * a non-random IV.
2466  *
2467  * \param[in,out] operation Active AEAD operation.
2468  * \param[in] nonce Buffer containing the nonce to use.
2469  * \param nonce_length Size of the nonce in bytes.
2470  *
2471  * \retval #PSA_SUCCESS
2472  * Success.
2473  * \retval #PSA_ERROR_BAD_STATE
2474  * The operation state is not valid (it must be active, with no nonce
2475  * set).
2476  * \retval #PSA_ERROR_INVALID_ARGUMENT
2477  * The size of \p nonce is not acceptable for the chosen algorithm.
2478  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2479  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2480  * \retval #PSA_ERROR_HARDWARE_FAILURE
2481  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2482  * \retval #PSA_ERROR_STORAGE_FAILURE
2483  * \retval #PSA_ERROR_BAD_STATE
2484  * The library has not been previously initialized by psa_crypto_init().
2485  * It is implementation-dependent whether a failure to initialize
2486  * results in this error code.
2487  */
2488 psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
2489  const uint8_t *nonce,
2490  size_t nonce_length);
2491 
2492 /** Declare the lengths of the message and additional data for AEAD.
2493  *
2494  * The application must call this function before calling
2495  * psa_aead_update_ad() or psa_aead_update() if the algorithm for
2496  * the operation requires it. If the algorithm does not require it,
2497  * calling this function is optional, but if this function is called
2498  * then the implementation must enforce the lengths.
2499  *
2500  * You may call this function before or after setting the nonce with
2501  * psa_aead_set_nonce() or psa_aead_generate_nonce().
2502  *
2503  * - For #PSA_ALG_CCM, calling this function is required.
2504  * - For the other AEAD algorithms defined in this specification, calling
2505  * this function is not required.
2506  * - For vendor-defined algorithm, refer to the vendor documentation.
2507  *
2508  * If this function returns an error status, the operation enters an error
2509  * state and must be aborted by calling psa_aead_abort().
2510  *
2511  * \param[in,out] operation Active AEAD operation.
2512  * \param ad_length Size of the non-encrypted additional
2513  * authenticated data in bytes.
2514  * \param plaintext_length Size of the plaintext to encrypt in bytes.
2515  *
2516  * \retval #PSA_SUCCESS
2517  * Success.
2518  * \retval #PSA_ERROR_BAD_STATE
2519  * The operation state is not valid (it must be active, and
2520  * psa_aead_update_ad() and psa_aead_update() must not have been
2521  * called yet).
2522  * \retval #PSA_ERROR_INVALID_ARGUMENT
2523  * At least one of the lengths is not acceptable for the chosen
2524  * algorithm.
2525  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2526  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2527  * \retval #PSA_ERROR_HARDWARE_FAILURE
2528  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2529  * \retval #PSA_ERROR_BAD_STATE
2530  * The library has not been previously initialized by psa_crypto_init().
2531  * It is implementation-dependent whether a failure to initialize
2532  * results in this error code.
2533  */
2534 psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
2535  size_t ad_length,
2536  size_t plaintext_length);
2537 
2538 /** Pass additional data to an active AEAD operation.
2539  *
2540  * Additional data is authenticated, but not encrypted.
2541  *
2542  * You may call this function multiple times to pass successive fragments
2543  * of the additional data. You may not call this function after passing
2544  * data to encrypt or decrypt with psa_aead_update().
2545  *
2546  * Before calling this function, you must:
2547  * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
2548  * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
2549  *
2550  * If this function returns an error status, the operation enters an error
2551  * state and must be aborted by calling psa_aead_abort().
2552  *
2553  * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
2554  * there is no guarantee that the input is valid. Therefore, until
2555  * you have called psa_aead_verify() and it has returned #PSA_SUCCESS,
2556  * treat the input as untrusted and prepare to undo any action that
2557  * depends on the input if psa_aead_verify() returns an error status.
2558  *
2559  * \param[in,out] operation Active AEAD operation.
2560  * \param[in] input Buffer containing the fragment of
2561  * additional data.
2562  * \param input_length Size of the \p input buffer in bytes.
2563  *
2564  * \retval #PSA_SUCCESS
2565  * Success.
2566  * \retval #PSA_ERROR_BAD_STATE
2567  * The operation state is not valid (it must be active, have a nonce
2568  * set, have lengths set if required by the algorithm, and
2569  * psa_aead_update() must not have been called yet).
2570  * \retval #PSA_ERROR_INVALID_ARGUMENT
2571  * The total input length overflows the additional data length that
2572  * was previously specified with psa_aead_set_lengths().
2573  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2574  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2575  * \retval #PSA_ERROR_HARDWARE_FAILURE
2576  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2577  * \retval #PSA_ERROR_STORAGE_FAILURE
2578  * \retval #PSA_ERROR_BAD_STATE
2579  * The library has not been previously initialized by psa_crypto_init().
2580  * It is implementation-dependent whether a failure to initialize
2581  * results in this error code.
2582  */
2583 psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
2584  const uint8_t *input,
2585  size_t input_length);
2586 
2587 /** Encrypt or decrypt a message fragment in an active AEAD operation.
2588  *
2589  * Before calling this function, you must:
2590  * 1. Call either psa_aead_encrypt_setup() or psa_aead_decrypt_setup().
2591  * The choice of setup function determines whether this function
2592  * encrypts or decrypts its input.
2593  * 2. Set the nonce with psa_aead_generate_nonce() or psa_aead_set_nonce().
2594  * 3. Call psa_aead_update_ad() to pass all the additional data.
2595  *
2596  * If this function returns an error status, the operation enters an error
2597  * state and must be aborted by calling psa_aead_abort().
2598  *
2599  * \warning When decrypting, until psa_aead_verify() has returned #PSA_SUCCESS,
2600  * there is no guarantee that the input is valid. Therefore, until
2601  * you have called psa_aead_verify() and it has returned #PSA_SUCCESS:
2602  * - Do not use the output in any way other than storing it in a
2603  * confidential location. If you take any action that depends
2604  * on the tentative decrypted data, this action will need to be
2605  * undone if the input turns out not to be valid. Furthermore,
2606  * if an adversary can observe that this action took place
2607  * (for example through timing), they may be able to use this
2608  * fact as an oracle to decrypt any message encrypted with the
2609  * same key.
2610  * - In particular, do not copy the output anywhere but to a
2611  * memory or storage space that you have exclusive access to.
2612  *
2613  * This function does not require the input to be aligned to any
2614  * particular block boundary. If the implementation can only process
2615  * a whole block at a time, it must consume all the input provided, but
2616  * it may delay the end of the corresponding output until a subsequent
2617  * call to psa_aead_update(), psa_aead_finish() or psa_aead_verify()
2618  * provides sufficient input. The amount of data that can be delayed
2619  * in this way is bounded by #PSA_AEAD_UPDATE_OUTPUT_SIZE.
2620  *
2621  * \param[in,out] operation Active AEAD operation.
2622  * \param[in] input Buffer containing the message fragment to
2623  * encrypt or decrypt.
2624  * \param input_length Size of the \p input buffer in bytes.
2625  * \param[out] output Buffer where the output is to be written.
2626  * \param output_size Size of the \p output buffer in bytes.
2627  * This must be at least
2628  * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c alg,
2629  * \p input_length) where \c alg is the
2630  * algorithm that is being calculated.
2631  * \param[out] output_length On success, the number of bytes
2632  * that make up the returned output.
2633  *
2634  * \retval #PSA_SUCCESS
2635  * Success.
2636  * \retval #PSA_ERROR_BAD_STATE
2637  * The operation state is not valid (it must be active, have a nonce
2638  * set, and have lengths set if required by the algorithm).
2639  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2640  * The size of the \p output buffer is too small.
2641  * You can determine a sufficient buffer size by calling
2642  * #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c alg, \p input_length)
2643  * where \c alg is the algorithm that is being calculated.
2644  * \retval #PSA_ERROR_INVALID_ARGUMENT
2645  * The total length of input to psa_aead_update_ad() so far is
2646  * less than the additional data length that was previously
2647  * specified with psa_aead_set_lengths().
2648  * \retval #PSA_ERROR_INVALID_ARGUMENT
2649  * The total input length overflows the plaintext length that
2650  * was previously specified with psa_aead_set_lengths().
2651  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2652  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2653  * \retval #PSA_ERROR_HARDWARE_FAILURE
2654  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2655  * \retval #PSA_ERROR_STORAGE_FAILURE
2656  * \retval #PSA_ERROR_BAD_STATE
2657  * The library has not been previously initialized by psa_crypto_init().
2658  * It is implementation-dependent whether a failure to initialize
2659  * results in this error code.
2660  */
2661 psa_status_t psa_aead_update(psa_aead_operation_t *operation,
2662  const uint8_t *input,
2663  size_t input_length,
2664  uint8_t *output,
2665  size_t output_size,
2666  size_t *output_length);
2667 
2668 /** Finish encrypting a message in an AEAD operation.
2669  *
2670  * The operation must have been set up with psa_aead_encrypt_setup().
2671  *
2672  * This function finishes the authentication of the additional data
2673  * formed by concatenating the inputs passed to preceding calls to
2674  * psa_aead_update_ad() with the plaintext formed by concatenating the
2675  * inputs passed to preceding calls to psa_aead_update().
2676  *
2677  * This function has two output buffers:
2678  * - \p ciphertext contains trailing ciphertext that was buffered from
2679  * preceding calls to psa_aead_update().
2680  * - \p tag contains the authentication tag. Its length is always
2681  * #PSA_AEAD_TAG_LENGTH(\c alg) where \c alg is the AEAD algorithm
2682  * that the operation performs.
2683  *
2684  * When this function returns successfuly, the operation becomes inactive.
2685  * If this function returns an error status, the operation enters an error
2686  * state and must be aborted by calling psa_aead_abort().
2687  *
2688  * \param[in,out] operation Active AEAD operation.
2689  * \param[out] ciphertext Buffer where the last part of the ciphertext
2690  * is to be written.
2691  * \param ciphertext_size Size of the \p ciphertext buffer in bytes.
2692  * This must be at least
2693  * #PSA_AEAD_FINISH_OUTPUT_SIZE(\c alg) where
2694  * \c alg is the algorithm that is being
2695  * calculated.
2696  * \param[out] ciphertext_length On success, the number of bytes of
2697  * returned ciphertext.
2698  * \param[out] tag Buffer where the authentication tag is
2699  * to be written.
2700  * \param tag_size Size of the \p tag buffer in bytes.
2701  * This must be at least
2702  * #PSA_AEAD_TAG_LENGTH(\c alg) where \c alg is
2703  * the algorithm that is being calculated.
2704  * \param[out] tag_length On success, the number of bytes
2705  * that make up the returned tag.
2706  *
2707  * \retval #PSA_SUCCESS
2708  * Success.
2709  * \retval #PSA_ERROR_BAD_STATE
2710  * The operation state is not valid (it must be an active encryption
2711  * operation with a nonce set).
2712  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2713  * The size of the \p ciphertext or \p tag buffer is too small.
2714  * You can determine a sufficient buffer size for \p ciphertext by
2715  * calling #PSA_AEAD_FINISH_OUTPUT_SIZE(\c alg)
2716  * where \c alg is the algorithm that is being calculated.
2717  * You can determine a sufficient buffer size for \p tag by
2718  * calling #PSA_AEAD_TAG_LENGTH(\c alg).
2719  * \retval #PSA_ERROR_INVALID_ARGUMENT
2720  * The total length of input to psa_aead_update_ad() so far is
2721  * less than the additional data length that was previously
2722  * specified with psa_aead_set_lengths().
2723  * \retval #PSA_ERROR_INVALID_ARGUMENT
2724  * The total length of input to psa_aead_update() so far is
2725  * less than the plaintext length that was previously
2726  * specified with psa_aead_set_lengths().
2727  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2728  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2729  * \retval #PSA_ERROR_HARDWARE_FAILURE
2730  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2731  * \retval #PSA_ERROR_STORAGE_FAILURE
2732  * \retval #PSA_ERROR_BAD_STATE
2733  * The library has not been previously initialized by psa_crypto_init().
2734  * It is implementation-dependent whether a failure to initialize
2735  * results in this error code.
2736  */
2737 psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
2738  uint8_t *ciphertext,
2739  size_t ciphertext_size,
2740  size_t *ciphertext_length,
2741  uint8_t *tag,
2742  size_t tag_size,
2743  size_t *tag_length);
2744 
2745 /** Finish authenticating and decrypting a message in an AEAD operation.
2746  *
2747  * The operation must have been set up with psa_aead_decrypt_setup().
2748  *
2749  * This function finishes the authenticated decryption of the message
2750  * components:
2751  *
2752  * - The additional data consisting of the concatenation of the inputs
2753  * passed to preceding calls to psa_aead_update_ad().
2754  * - The ciphertext consisting of the concatenation of the inputs passed to
2755  * preceding calls to psa_aead_update().
2756  * - The tag passed to this function call.
2757  *
2758  * If the authentication tag is correct, this function outputs any remaining
2759  * plaintext and reports success. If the authentication tag is not correct,
2760  * this function returns #PSA_ERROR_INVALID_SIGNATURE.
2761  *
2762  * When this function returns successfuly, the operation becomes inactive.
2763  * If this function returns an error status, the operation enters an error
2764  * state and must be aborted by calling psa_aead_abort().
2765  *
2766  * \note Implementations shall make the best effort to ensure that the
2767  * comparison between the actual tag and the expected tag is performed
2768  * in constant time.
2769  *
2770  * \param[in,out] operation Active AEAD operation.
2771  * \param[out] plaintext Buffer where the last part of the plaintext
2772  * is to be written. This is the remaining data
2773  * from previous calls to psa_aead_update()
2774  * that could not be processed until the end
2775  * of the input.
2776  * \param plaintext_size Size of the \p plaintext buffer in bytes.
2777  * This must be at least
2778  * #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c alg) where
2779  * \c alg is the algorithm that is being
2780  * calculated.
2781  * \param[out] plaintext_length On success, the number of bytes of
2782  * returned plaintext.
2783  * \param[in] tag Buffer containing the authentication tag.
2784  * \param tag_length Size of the \p tag buffer in bytes.
2785  *
2786  * \retval #PSA_SUCCESS
2787  * Success.
2788  * \retval #PSA_ERROR_INVALID_SIGNATURE
2789  * The calculations were successful, but the authentication tag is
2790  * not correct.
2791  * \retval #PSA_ERROR_BAD_STATE
2792  * The operation state is not valid (it must be an active decryption
2793  * operation with a nonce set).
2794  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2795  * The size of the \p plaintext buffer is too small.
2796  * You can determine a sufficient buffer size for \p plaintext by
2797  * calling #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c alg)
2798  * where \c alg is the algorithm that is being calculated.
2799  * \retval #PSA_ERROR_INVALID_ARGUMENT
2800  * The total length of input to psa_aead_update_ad() so far is
2801  * less than the additional data length that was previously
2802  * specified with psa_aead_set_lengths().
2803  * \retval #PSA_ERROR_INVALID_ARGUMENT
2804  * The total length of input to psa_aead_update() so far is
2805  * less than the plaintext length that was previously
2806  * specified with psa_aead_set_lengths().
2807  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2808  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2809  * \retval #PSA_ERROR_HARDWARE_FAILURE
2810  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2811  * \retval #PSA_ERROR_STORAGE_FAILURE
2812  * \retval #PSA_ERROR_BAD_STATE
2813  * The library has not been previously initialized by psa_crypto_init().
2814  * It is implementation-dependent whether a failure to initialize
2815  * results in this error code.
2816  */
2817 psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
2818  uint8_t *plaintext,
2819  size_t plaintext_size,
2820  size_t *plaintext_length,
2821  const uint8_t *tag,
2822  size_t tag_length);
2823 
2824 /** Abort an AEAD operation.
2825  *
2826  * Aborting an operation frees all associated resources except for the
2827  * \p operation structure itself. Once aborted, the operation object
2828  * can be reused for another operation by calling
2829  * psa_aead_encrypt_setup() or psa_aead_decrypt_setup() again.
2830  *
2831  * You may call this function any time after the operation object has
2832  * been initialized as described in #psa_aead_operation_t.
2833  *
2834  * In particular, calling psa_aead_abort() after the operation has been
2835  * terminated by a call to psa_aead_abort(), psa_aead_finish() or
2836  * psa_aead_verify() is safe and has no effect.
2837  *
2838  * \param[in,out] operation Initialized AEAD operation.
2839  *
2840  * \retval #PSA_SUCCESS
2841  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2842  * \retval #PSA_ERROR_HARDWARE_FAILURE
2843  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2844  * \retval #PSA_ERROR_BAD_STATE
2845  * The library has not been previously initialized by psa_crypto_init().
2846  * It is implementation-dependent whether a failure to initialize
2847  * results in this error code.
2848  */
2849 psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
2850 
2851 /**@}*/
2852 
2853 /** \defgroup asymmetric Asymmetric cryptography
2854  * @{
2855  */
2856 
2857 /**
2858  * \brief Sign a hash or short message with a private key.
2859  *
2860  * Note that to perform a hash-and-sign signature algorithm, you must
2861  * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
2862  * and psa_hash_finish(). Then pass the resulting hash as the \p hash
2863  * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
2864  * to determine the hash algorithm to use.
2865  *
2866  * \param handle Handle to the key to use for the operation.
2867  * It must be an asymmetric key pair.
2868  * \param alg A signature algorithm that is compatible with
2869  * the type of \p handle.
2870  * \param[in] hash The hash or message to sign.
2871  * \param hash_length Size of the \p hash buffer in bytes.
2872  * \param[out] signature Buffer where the signature is to be written.
2873  * \param signature_size Size of the \p signature buffer in bytes.
2874  * \param[out] signature_length On success, the number of bytes
2875  * that make up the returned signature value.
2876  *
2877  * \retval #PSA_SUCCESS
2878  * \retval #PSA_ERROR_INVALID_HANDLE
2879  * \retval #PSA_ERROR_NOT_PERMITTED
2880  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2881  * The size of the \p signature buffer is too small. You can
2882  * determine a sufficient buffer size by calling
2883  * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2884  * where \c key_type and \c key_bits are the type and bit-size
2885  * respectively of \p handle.
2886  * \retval #PSA_ERROR_NOT_SUPPORTED
2887  * \retval #PSA_ERROR_INVALID_ARGUMENT
2888  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2889  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2890  * \retval #PSA_ERROR_HARDWARE_FAILURE
2891  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2892  * \retval #PSA_ERROR_STORAGE_FAILURE
2893  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
2894  * \retval #PSA_ERROR_BAD_STATE
2895  * The library has not been previously initialized by psa_crypto_init().
2896  * It is implementation-dependent whether a failure to initialize
2897  * results in this error code.
2898  */
2899 psa_status_t psa_sign_hash(psa_key_handle_t handle,
2900  psa_algorithm_t alg,
2901  const uint8_t *hash,
2902  size_t hash_length,
2903  uint8_t *signature,
2904  size_t signature_size,
2905  size_t *signature_length);
2906 
2907 /**
2908  * \brief Verify the signature a hash or short message using a public key.
2909  *
2910  * Note that to perform a hash-and-sign signature algorithm, you must
2911  * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
2912  * and psa_hash_finish(). Then pass the resulting hash as the \p hash
2913  * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
2914  * to determine the hash algorithm to use.
2915  *
2916  * \param handle Handle to the key to use for the operation.
2917  * It must be a public key or an asymmetric key pair.
2918  * \param alg A signature algorithm that is compatible with
2919  * the type of \p handle.
2920  * \param[in] hash The hash or message whose signature is to be
2921  * verified.
2922  * \param hash_length Size of the \p hash buffer in bytes.
2923  * \param[in] signature Buffer containing the signature to verify.
2924  * \param signature_length Size of the \p signature buffer in bytes.
2925  *
2926  * \retval #PSA_SUCCESS
2927  * The signature is valid.
2928  * \retval #PSA_ERROR_INVALID_HANDLE
2929  * \retval #PSA_ERROR_NOT_PERMITTED
2930  * \retval #PSA_ERROR_INVALID_SIGNATURE
2931  * The calculation was perfomed successfully, but the passed
2932  * signature is not a valid signature.
2933  * \retval #PSA_ERROR_NOT_SUPPORTED
2934  * \retval #PSA_ERROR_INVALID_ARGUMENT
2935  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2936  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2937  * \retval #PSA_ERROR_HARDWARE_FAILURE
2938  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2939  * \retval #PSA_ERROR_STORAGE_FAILURE
2940  * \retval #PSA_ERROR_BAD_STATE
2941  * The library has not been previously initialized by psa_crypto_init().
2942  * It is implementation-dependent whether a failure to initialize
2943  * results in this error code.
2944  */
2945 psa_status_t psa_verify_hash(psa_key_handle_t handle,
2946  psa_algorithm_t alg,
2947  const uint8_t *hash,
2948  size_t hash_length,
2949  const uint8_t *signature,
2950  size_t signature_length);
2951 
2952 /**
2953  * \brief Encrypt a short message with a public key.
2954  *
2955  * \param handle Handle to the key to use for the operation.
2956  * It must be a public key or an asymmetric
2957  * key pair.
2958  * \param alg An asymmetric encryption algorithm that is
2959  * compatible with the type of \p handle.
2960  * \param[in] input The message to encrypt.
2961  * \param input_length Size of the \p input buffer in bytes.
2962  * \param[in] salt A salt or label, if supported by the
2963  * encryption algorithm.
2964  * If the algorithm does not support a
2965  * salt, pass \c NULL.
2966  * If the algorithm supports an optional
2967  * salt and you do not want to pass a salt,
2968  * pass \c NULL.
2969  *
2970  * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
2971  * supported.
2972  * \param salt_length Size of the \p salt buffer in bytes.
2973  * If \p salt is \c NULL, pass 0.
2974  * \param[out] output Buffer where the encrypted message is to
2975  * be written.
2976  * \param output_size Size of the \p output buffer in bytes.
2977  * \param[out] output_length On success, the number of bytes
2978  * that make up the returned output.
2979  *
2980  * \retval #PSA_SUCCESS
2981  * \retval #PSA_ERROR_INVALID_HANDLE
2982  * \retval #PSA_ERROR_NOT_PERMITTED
2983  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
2984  * The size of the \p output buffer is too small. You can
2985  * determine a sufficient buffer size by calling
2986  * #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
2987  * where \c key_type and \c key_bits are the type and bit-size
2988  * respectively of \p handle.
2989  * \retval #PSA_ERROR_NOT_SUPPORTED
2990  * \retval #PSA_ERROR_INVALID_ARGUMENT
2991  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
2992  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
2993  * \retval #PSA_ERROR_HARDWARE_FAILURE
2994  * \retval #PSA_ERROR_CORRUPTION_DETECTED
2995  * \retval #PSA_ERROR_STORAGE_FAILURE
2996  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
2997  * \retval #PSA_ERROR_BAD_STATE
2998  * The library has not been previously initialized by psa_crypto_init().
2999  * It is implementation-dependent whether a failure to initialize
3000  * results in this error code.
3001  */
3002 psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
3003  psa_algorithm_t alg,
3004  const uint8_t *input,
3005  size_t input_length,
3006  const uint8_t *salt,
3007  size_t salt_length,
3008  uint8_t *output,
3009  size_t output_size,
3010  size_t *output_length);
3011 
3012 /**
3013  * \brief Decrypt a short message with a private key.
3014  *
3015  * \param handle Handle to the key to use for the operation.
3016  * It must be an asymmetric key pair.
3017  * \param alg An asymmetric encryption algorithm that is
3018  * compatible with the type of \p handle.
3019  * \param[in] input The message to decrypt.
3020  * \param input_length Size of the \p input buffer in bytes.
3021  * \param[in] salt A salt or label, if supported by the
3022  * encryption algorithm.
3023  * If the algorithm does not support a
3024  * salt, pass \c NULL.
3025  * If the algorithm supports an optional
3026  * salt and you do not want to pass a salt,
3027  * pass \c NULL.
3028  *
3029  * - For #PSA_ALG_RSA_PKCS1V15_CRYPT, no salt is
3030  * supported.
3031  * \param salt_length Size of the \p salt buffer in bytes.
3032  * If \p salt is \c NULL, pass 0.
3033  * \param[out] output Buffer where the decrypted message is to
3034  * be written.
3035  * \param output_size Size of the \c output buffer in bytes.
3036  * \param[out] output_length On success, the number of bytes
3037  * that make up the returned output.
3038  *
3039  * \retval #PSA_SUCCESS
3040  * \retval #PSA_ERROR_INVALID_HANDLE
3041  * \retval #PSA_ERROR_NOT_PERMITTED
3042  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3043  * The size of the \p output buffer is too small. You can
3044  * determine a sufficient buffer size by calling
3045  * #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
3046  * where \c key_type and \c key_bits are the type and bit-size
3047  * respectively of \p handle.
3048  * \retval #PSA_ERROR_NOT_SUPPORTED
3049  * \retval #PSA_ERROR_INVALID_ARGUMENT
3050  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3051  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3052  * \retval #PSA_ERROR_HARDWARE_FAILURE
3053  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3054  * \retval #PSA_ERROR_STORAGE_FAILURE
3055  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
3056  * \retval #PSA_ERROR_INVALID_PADDING
3057  * \retval #PSA_ERROR_BAD_STATE
3058  * The library has not been previously initialized by psa_crypto_init().
3059  * It is implementation-dependent whether a failure to initialize
3060  * results in this error code.
3061  */
3062 psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
3063  psa_algorithm_t alg,
3064  const uint8_t *input,
3065  size_t input_length,
3066  const uint8_t *salt,
3067  size_t salt_length,
3068  uint8_t *output,
3069  size_t output_size,
3070  size_t *output_length);
3071 
3072 /**@}*/
3073 
3074 /** \defgroup key_derivation Key derivation and pseudorandom generation
3075  * @{
3076  */
3077 
3078 /** The type of the state data structure for key derivation operations.
3079  *
3080  * Before calling any function on a key derivation operation object, the
3081  * application must initialize it by any of the following means:
3082  * - Set the structure to all-bits-zero, for example:
3083  * \code
3084  * psa_key_derivation_operation_t operation;
3085  * memset(&operation, 0, sizeof(operation));
3086  * \endcode
3087  * - Initialize the structure to logical zero values, for example:
3088  * \code
3089  * psa_key_derivation_operation_t operation = {0};
3090  * \endcode
3091  * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
3092  * for example:
3093  * \code
3094  * psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
3095  * \endcode
3096  * - Assign the result of the function psa_key_derivation_operation_init()
3097  * to the structure, for example:
3098  * \code
3099  * psa_key_derivation_operation_t operation;
3100  * operation = psa_key_derivation_operation_init();
3101  * \endcode
3102  *
3103  * This is an implementation-defined \c struct. Applications should not
3104  * make any assumptions about the content of this structure except
3105  * as directed by the documentation of a specific implementation.
3106  */
3107 typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
3108 
3109 /** \def PSA_KEY_DERIVATION_OPERATION_INIT
3110  *
3111  * This macro returns a suitable initializer for a key derivation operation
3112  * object of type #psa_key_derivation_operation_t.
3113  */
3114 #ifdef __DOXYGEN_ONLY__
3115 /* This is an example definition for documentation purposes.
3116  * Implementations should define a suitable value in `crypto_struct.h`.
3117  */
3118 #define PSA_KEY_DERIVATION_OPERATION_INIT {0}
3119 #endif
3120 
3121 /** Return an initial value for a key derivation operation object.
3122  */
3123 static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
3124 
3125 /** Set up a key derivation operation.
3126  *
3127  * A key derivation algorithm takes some inputs and uses them to generate
3128  * a byte stream in a deterministic way.
3129  * This byte stream can be used to produce keys and other
3130  * cryptographic material.
3131  *
3132  * To derive a key:
3133  * -# Start with an initialized object of type #psa_key_derivation_operation_t.
3134  * -# Call psa_key_derivation_setup() to select the algorithm.
3135  * -# Provide the inputs for the key derivation by calling
3136  * psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
3137  * as appropriate. Which inputs are needed, in what order, and whether
3138  * they may be keys and if so of what type depends on the algorithm.
3139  * -# Optionally set the operation's maximum capacity with
3140  * psa_key_derivation_set_capacity(). You may do this before, in the middle
3141  * of or after providing inputs. For some algorithms, this step is mandatory
3142  * because the output depends on the maximum capacity.
3143  * -# To derive a key, call psa_key_derivation_output_key().
3144  * To derive a byte string for a different purpose, call
3145  * psa_key_derivation_output_bytes().
3146  * Successive calls to these functions use successive output bytes
3147  * calculated by the key derivation algorithm.
3148  * -# Clean up the key derivation operation object with
3149  * psa_key_derivation_abort().
3150  *
3151  * If this function returns an error, the key derivation operation object is
3152  * not changed.
3153  *
3154  * If an error occurs at any step after a call to psa_key_derivation_setup(),
3155  * the operation will need to be reset by a call to psa_key_derivation_abort().
3156  *
3157  * Implementations must reject an attempt to derive a key of size 0.
3158  *
3159  * \param[in,out] operation The key derivation operation object
3160  * to set up. It must
3161  * have been initialized but not set up yet.
3162  * \param alg The key derivation algorithm to compute
3163  * (\c PSA_ALG_XXX value such that
3164  * #PSA_ALG_IS_KEY_DERIVATION(\p alg) is true).
3165  *
3166  * \retval #PSA_SUCCESS
3167  * Success.
3168  * \retval #PSA_ERROR_INVALID_ARGUMENT
3169  * \c alg is not a key derivation algorithm.
3170  * \retval #PSA_ERROR_NOT_SUPPORTED
3171  * \c alg is not supported or is not a key derivation algorithm.
3172  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3173  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3174  * \retval #PSA_ERROR_HARDWARE_FAILURE
3175  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3176  * \retval #PSA_ERROR_STORAGE_FAILURE
3177  * \retval #PSA_ERROR_BAD_STATE
3178  * The operation state is not valid (it must be inactive).
3179  * \retval #PSA_ERROR_BAD_STATE
3180  * The library has not been previously initialized by psa_crypto_init().
3181  * It is implementation-dependent whether a failure to initialize
3182  * results in this error code.
3183  */
3184 psa_status_t psa_key_derivation_setup(
3185  psa_key_derivation_operation_t *operation,
3186  psa_algorithm_t alg);
3187 
3188 /** Retrieve the current capacity of a key derivation operation.
3189  *
3190  * The capacity of a key derivation is the maximum number of bytes that it can
3191  * return. When you get *N* bytes of output from a key derivation operation,
3192  * this reduces its capacity by *N*.
3193  *
3194  * \param[in] operation The operation to query.
3195  * \param[out] capacity On success, the capacity of the operation.
3196  *
3197  * \retval #PSA_SUCCESS
3198  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3199  * \retval #PSA_ERROR_BAD_STATE
3200  * The operation state is not valid (it must be active).
3201  * \retval #PSA_ERROR_HARDWARE_FAILURE
3202  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3203  * \retval #PSA_ERROR_BAD_STATE
3204  * The library has not been previously initialized by psa_crypto_init().
3205  * It is implementation-dependent whether a failure to initialize
3206  * results in this error code.
3207  */
3208 psa_status_t psa_key_derivation_get_capacity(
3209  const psa_key_derivation_operation_t *operation,
3210  size_t *capacity);
3211 
3212 /** Set the maximum capacity of a key derivation operation.
3213  *
3214  * The capacity of a key derivation operation is the maximum number of bytes
3215  * that the key derivation operation can return from this point onwards.
3216  *
3217  * \param[in,out] operation The key derivation operation object to modify.
3218  * \param capacity The new capacity of the operation.
3219  * It must be less or equal to the operation's
3220  * current capacity.
3221  *
3222  * \retval #PSA_SUCCESS
3223  * \retval #PSA_ERROR_INVALID_ARGUMENT
3224  * \p capacity is larger than the operation's current capacity.
3225  * In this case, the operation object remains valid and its capacity
3226  * remains unchanged.
3227  * \retval #PSA_ERROR_BAD_STATE
3228  * The operation state is not valid (it must be active).
3229  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3230  * \retval #PSA_ERROR_HARDWARE_FAILURE
3231  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3232  * \retval #PSA_ERROR_BAD_STATE
3233  * The library has not been previously initialized by psa_crypto_init().
3234  * It is implementation-dependent whether a failure to initialize
3235  * results in this error code.
3236  */
3237 psa_status_t psa_key_derivation_set_capacity(
3238  psa_key_derivation_operation_t *operation,
3239  size_t capacity);
3240 
3241 /** Use the maximum possible capacity for a key derivation operation.
3242  *
3243  * Use this value as the capacity argument when setting up a key derivation
3244  * to indicate that the operation should have the maximum possible capacity.
3245  * The value of the maximum possible capacity depends on the key derivation
3246  * algorithm.
3247  */
3248 #define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t)(-1))
3249 
3250 /** Provide an input for key derivation or key agreement.
3251  *
3252  * Which inputs are required and in what order depends on the algorithm.
3253  * Refer to the documentation of each key derivation or key agreement
3254  * algorithm for information.
3255  *
3256  * This function passes direct inputs, which is usually correct for
3257  * non-secret inputs. To pass a secret input, which should be in a key
3258  * object, call psa_key_derivation_input_key() instead of this function.
3259  * Refer to the documentation of individual step types
3260  * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
3261  * for more information.
3262  *
3263  * If this function returns an error status, the operation enters an error
3264  * state and must be aborted by calling psa_key_derivation_abort().
3265  *
3266  * \param[in,out] operation The key derivation operation object to use.
3267  * It must have been set up with
3268  * psa_key_derivation_setup() and must not
3269  * have produced any output yet.
3270  * \param step Which step the input data is for.
3271  * \param[in] data Input data to use.
3272  * \param data_length Size of the \p data buffer in bytes.
3273  *
3274  * \retval #PSA_SUCCESS
3275  * Success.
3276  * \retval #PSA_ERROR_INVALID_ARGUMENT
3277  * \c step is not compatible with the operation's algorithm.
3278  * \retval #PSA_ERROR_INVALID_ARGUMENT
3279  * \c step does not allow direct inputs.
3280  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3281  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3282  * \retval #PSA_ERROR_HARDWARE_FAILURE
3283  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3284  * \retval #PSA_ERROR_STORAGE_FAILURE
3285  * \retval #PSA_ERROR_BAD_STATE
3286  * The operation state is not valid for this input \p step.
3287  * \retval #PSA_ERROR_BAD_STATE
3288  * The library has not been previously initialized by psa_crypto_init().
3289  * It is implementation-dependent whether a failure to initialize
3290  * results in this error code.
3291  */
3292 psa_status_t psa_key_derivation_input_bytes(
3293  psa_key_derivation_operation_t *operation,
3294  psa_key_derivation_step_t step,
3295  const uint8_t *data,
3296  size_t data_length);
3297 
3298 /** Provide an input for key derivation in the form of a key.
3299  *
3300  * Which inputs are required and in what order depends on the algorithm.
3301  * Refer to the documentation of each key derivation or key agreement
3302  * algorithm for information.
3303  *
3304  * This function obtains input from a key object, which is usually correct for
3305  * secret inputs or for non-secret personalization strings kept in the key
3306  * store. To pass a non-secret parameter which is not in the key store,
3307  * call psa_key_derivation_input_bytes() instead of this function.
3308  * Refer to the documentation of individual step types
3309  * (`PSA_KEY_DERIVATION_INPUT_xxx` values of type ::psa_key_derivation_step_t)
3310  * for more information.
3311  *
3312  * If this function returns an error status, the operation enters an error
3313  * state and must be aborted by calling psa_key_derivation_abort().
3314  *
3315  * \param[in,out] operation The key derivation operation object to use.
3316  * It must have been set up with
3317  * psa_key_derivation_setup() and must not
3318  * have produced any output yet.
3319  * \param step Which step the input data is for.
3320  * \param handle Handle to the key. It must have an
3321  * appropriate type for \p step and must
3322  * allow the usage #PSA_KEY_USAGE_DERIVE.
3323  *
3324  * \retval #PSA_SUCCESS
3325  * Success.
3326  * \retval #PSA_ERROR_INVALID_HANDLE
3327  * \retval #PSA_ERROR_NOT_PERMITTED
3328  * \retval #PSA_ERROR_INVALID_ARGUMENT
3329  * \c step is not compatible with the operation's algorithm.
3330  * \retval #PSA_ERROR_INVALID_ARGUMENT
3331  * \c step does not allow key inputs of the given type
3332  * or does not allow key inputs at all.
3333  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3334  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3335  * \retval #PSA_ERROR_HARDWARE_FAILURE
3336  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3337  * \retval #PSA_ERROR_STORAGE_FAILURE
3338  * \retval #PSA_ERROR_BAD_STATE
3339  * The operation state is not valid for this input \p step.
3340  * \retval #PSA_ERROR_BAD_STATE
3341  * The library has not been previously initialized by psa_crypto_init().
3342  * It is implementation-dependent whether a failure to initialize
3343  * results in this error code.
3344  */
3345 psa_status_t psa_key_derivation_input_key(
3346  psa_key_derivation_operation_t *operation,
3347  psa_key_derivation_step_t step,
3348  psa_key_handle_t handle);
3349 
3350 /** Perform a key agreement and use the shared secret as input to a key
3351  * derivation.
3352  *
3353  * A key agreement algorithm takes two inputs: a private key \p private_key
3354  * a public key \p peer_key.
3355  * The result of this function is passed as input to a key derivation.
3356  * The output of this key derivation can be extracted by reading from the
3357  * resulting operation to produce keys and other cryptographic material.
3358  *
3359  * If this function returns an error status, the operation enters an error
3360  * state and must be aborted by calling psa_key_derivation_abort().
3361  *
3362  * \param[in,out] operation The key derivation operation object to use.
3363  * It must have been set up with
3364  * psa_key_derivation_setup() with a
3365  * key agreement and derivation algorithm
3366  * \c alg (\c PSA_ALG_XXX value such that
3367  * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
3368  * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
3369  * is false).
3370  * The operation must be ready for an
3371  * input of the type given by \p step.
3372  * \param step Which step the input data is for.
3373  * \param private_key Handle to the private key to use.
3374  * \param[in] peer_key Public key of the peer. The peer key must be in the
3375  * same format that psa_import_key() accepts for the
3376  * public key type corresponding to the type of
3377  * private_key. That is, this function performs the
3378  * equivalent of
3379  * #psa_import_key(...,
3380  * `peer_key`, `peer_key_length`) where
3381  * with key attributes indicating the public key
3382  * type corresponding to the type of `private_key`.
3383  * For example, for EC keys, this means that peer_key
3384  * is interpreted as a point on the curve that the
3385  * private key is on. The standard formats for public
3386  * keys are documented in the documentation of
3387  * psa_export_public_key().
3388  * \param peer_key_length Size of \p peer_key in bytes.
3389  *
3390  * \retval #PSA_SUCCESS
3391  * Success.
3392  * \retval #PSA_ERROR_BAD_STATE
3393  * The operation state is not valid for this key agreement \p step.
3394  * \retval #PSA_ERROR_INVALID_HANDLE
3395  * \retval #PSA_ERROR_NOT_PERMITTED
3396  * \retval #PSA_ERROR_INVALID_ARGUMENT
3397  * \c private_key is not compatible with \c alg,
3398  * or \p peer_key is not valid for \c alg or not compatible with
3399  * \c private_key.
3400  * \retval #PSA_ERROR_NOT_SUPPORTED
3401  * \c alg is not supported or is not a key derivation algorithm.
3402  * \retval #PSA_ERROR_INVALID_ARGUMENT
3403  * \c step does not allow an input resulting from a key agreement.
3404  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3405  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3406  * \retval #PSA_ERROR_HARDWARE_FAILURE
3407  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3408  * \retval #PSA_ERROR_STORAGE_FAILURE
3409  * \retval #PSA_ERROR_BAD_STATE
3410  * The library has not been previously initialized by psa_crypto_init().
3411  * It is implementation-dependent whether a failure to initialize
3412  * results in this error code.
3413  */
3414 psa_status_t psa_key_derivation_key_agreement(
3415  psa_key_derivation_operation_t *operation,
3416  psa_key_derivation_step_t step,
3417  psa_key_handle_t private_key,
3418  const uint8_t *peer_key,
3419  size_t peer_key_length);
3420 
3421 /** Read some data from a key derivation operation.
3422  *
3423  * This function calculates output bytes from a key derivation algorithm and
3424  * return those bytes.
3425  * If you view the key derivation's output as a stream of bytes, this
3426  * function destructively reads the requested number of bytes from the
3427  * stream.
3428  * The operation's capacity decreases by the number of bytes read.
3429  *
3430  * If this function returns an error status other than
3431  * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
3432  * state and must be aborted by calling psa_key_derivation_abort().
3433  *
3434  * \param[in,out] operation The key derivation operation object to read from.
3435  * \param[out] output Buffer where the output will be written.
3436  * \param output_length Number of bytes to output.
3437  *
3438  * \retval #PSA_SUCCESS
3439  * \retval #PSA_ERROR_INSUFFICIENT_DATA
3440  * The operation's capacity was less than
3441  * \p output_length bytes. Note that in this case,
3442  * no output is written to the output buffer.
3443  * The operation's capacity is set to 0, thus
3444  * subsequent calls to this function will not
3445  * succeed, even with a smaller output buffer.
3446  * \retval #PSA_ERROR_BAD_STATE
3447  * The operation state is not valid (it must be active and completed
3448  * all required input steps).
3449  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3450  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3451  * \retval #PSA_ERROR_HARDWARE_FAILURE
3452  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3453  * \retval #PSA_ERROR_STORAGE_FAILURE
3454  * \retval #PSA_ERROR_BAD_STATE
3455  * The library has not been previously initialized by psa_crypto_init().
3456  * It is implementation-dependent whether a failure to initialize
3457  * results in this error code.
3458  */
3459 psa_status_t psa_key_derivation_output_bytes(
3460  psa_key_derivation_operation_t *operation,
3461  uint8_t *output,
3462  size_t output_length);
3463 
3464 /** Derive a key from an ongoing key derivation operation.
3465  *
3466  * This function calculates output bytes from a key derivation algorithm
3467  * and uses those bytes to generate a key deterministically.
3468  * The key's location, usage policy, type and size are taken from
3469  * \p attributes.
3470  *
3471  * If you view the key derivation's output as a stream of bytes, this
3472  * function destructively reads as many bytes as required from the
3473  * stream.
3474  * The operation's capacity decreases by the number of bytes read.
3475  *
3476  * If this function returns an error status other than
3477  * #PSA_ERROR_INSUFFICIENT_DATA, the operation enters an error
3478  * state and must be aborted by calling psa_key_derivation_abort().
3479  *
3480  * How much output is produced and consumed from the operation, and how
3481  * the key is derived, depends on the key type:
3482  *
3483  * - For key types for which the key is an arbitrary sequence of bytes
3484  * of a given size, this function is functionally equivalent to
3485  * calling #psa_key_derivation_output_bytes
3486  * and passing the resulting output to #psa_import_key.
3487  * However, this function has a security benefit:
3488  * if the implementation provides an isolation boundary then
3489  * the key material is not exposed outside the isolation boundary.
3490  * As a consequence, for these key types, this function always consumes
3491  * exactly (\p bits / 8) bytes from the operation.
3492  * The following key types defined in this specification follow this scheme:
3493  *
3494  * - #PSA_KEY_TYPE_AES;
3495  * - #PSA_KEY_TYPE_ARC4;
3496  * - #PSA_KEY_TYPE_CAMELLIA;
3497  * - #PSA_KEY_TYPE_DERIVE;
3498  * - #PSA_KEY_TYPE_HMAC.
3499  *
3500  * - For ECC keys on a Montgomery elliptic curve
3501  * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
3502  * Montgomery curve), this function always draws a byte string whose
3503  * length is determined by the curve, and sets the mandatory bits
3504  * accordingly. That is:
3505  *
3506  * - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
3507  * string and process it as specified in RFC 7748 &sect;5.
3508  * - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
3509  * string and process it as specified in RFC 7748 &sect;5.
3510  *
3511  * - For key types for which the key is represented by a single sequence of
3512  * \p bits bits with constraints as to which bit sequences are acceptable,
3513  * this function draws a byte string of length (\p bits / 8) bytes rounded
3514  * up to the nearest whole number of bytes. If the resulting byte string
3515  * is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
3516  * This process is repeated until an acceptable byte string is drawn.
3517  * The byte string drawn from the operation is interpreted as specified
3518  * for the output produced by psa_export_key().
3519  * The following key types defined in this specification follow this scheme:
3520  *
3521  * - #PSA_KEY_TYPE_DES.
3522  * Force-set the parity bits, but discard forbidden weak keys.
3523  * For 2-key and 3-key triple-DES, the three keys are generated
3524  * successively (for example, for 3-key triple-DES,
3525  * if the first 8 bytes specify a weak key and the next 8 bytes do not,
3526  * discard the first 8 bytes, use the next 8 bytes as the first key,
3527  * and continue reading output from the operation to derive the other
3528  * two keys).
3529  * - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEY_PAIR(\c group)
3530  * where \c group designates any Diffie-Hellman group) and
3531  * ECC keys on a Weierstrass elliptic curve
3532  * (#PSA_KEY_TYPE_ECC_KEY_PAIR(\c curve) where \c curve designates a
3533  * Weierstrass curve).
3534  * For these key types, interpret the byte string as integer
3535  * in big-endian order. Discard it if it is not in the range
3536  * [0, *N* - 2] where *N* is the boundary of the private key domain
3537  * (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
3538  * or the order of the curve's base point for ECC).
3539  * Add 1 to the resulting integer and use this as the private key *x*.
3540  * This method allows compliance to NIST standards, specifically
3541  * the methods titled "key-pair generation by testing candidates"
3542  * in NIST SP 800-56A &sect;5.6.1.1.4 for Diffie-Hellman,
3543  * in FIPS 186-4 &sect;B.1.2 for DSA, and
3544  * in NIST SP 800-56A &sect;5.6.1.2.2 or
3545  * FIPS 186-4 &sect;B.4.2 for elliptic curve keys.
3546  *
3547  * - For other key types, including #PSA_KEY_TYPE_RSA_KEY_PAIR,
3548  * the way in which the operation output is consumed is
3549  * implementation-defined.
3550  *
3551  * In all cases, the data that is read is discarded from the operation.
3552  * The operation's capacity is decreased by the number of bytes read.
3553  *
3554  * For algorithms that take an input step #PSA_KEY_DERIVATION_INPUT_SECRET,
3555  * the input to that step must be provided with psa_key_derivation_input_key().
3556  * Future versions of this specification may include additional restrictions
3557  * on the derived key based on the attributes and strength of the secret key.
3558  *
3559  * \param[in] attributes The attributes for the new key.
3560  * \param[in,out] operation The key derivation operation object to read from.
3561  * \param[out] handle On success, a handle to the newly created key.
3562  * \c 0 on failure.
3563  *
3564  * \retval #PSA_SUCCESS
3565  * Success.
3566  * If the key is persistent, the key material and the key's metadata
3567  * have been saved to persistent storage.
3568  * \retval #PSA_ERROR_ALREADY_EXISTS
3569  * This is an attempt to create a persistent key, and there is
3570  * already a persistent key with the given identifier.
3571  * \retval #PSA_ERROR_INSUFFICIENT_DATA
3572  * There was not enough data to create the desired key.
3573  * Note that in this case, no output is written to the output buffer.
3574  * The operation's capacity is set to 0, thus subsequent calls to
3575  * this function will not succeed, even with a smaller output buffer.
3576  * \retval #PSA_ERROR_NOT_SUPPORTED
3577  * The key type or key size is not supported, either by the
3578  * implementation in general or in this particular location.
3579  * \retval #PSA_ERROR_INVALID_ARGUMENT
3580  * The provided key attributes are not valid for the operation.
3581  * \retval #PSA_ERROR_NOT_PERMITTED
3582  * The #PSA_KEY_DERIVATION_INPUT_SECRET input was not provided through
3583  * a key.
3584  * \retval #PSA_ERROR_BAD_STATE
3585  * The operation state is not valid (it must be active and completed
3586  * all required input steps).
3587  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3588  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
3589  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3590  * \retval #PSA_ERROR_HARDWARE_FAILURE
3591  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3592  * \retval #PSA_ERROR_STORAGE_FAILURE
3593  * \retval #PSA_ERROR_BAD_STATE
3594  * The library has not been previously initialized by psa_crypto_init().
3595  * It is implementation-dependent whether a failure to initialize
3596  * results in this error code.
3597  */
3598 psa_status_t psa_key_derivation_output_key(
3599  const psa_key_attributes_t *attributes,
3600  psa_key_derivation_operation_t *operation,
3601  psa_key_handle_t *handle);
3602 
3603 /** Abort a key derivation operation.
3604  *
3605  * Aborting an operation frees all associated resources except for the \c
3606  * operation structure itself. Once aborted, the operation object can be reused
3607  * for another operation by calling psa_key_derivation_setup() again.
3608  *
3609  * This function may be called at any time after the operation
3610  * object has been initialized as described in #psa_key_derivation_operation_t.
3611  *
3612  * In particular, it is valid to call psa_key_derivation_abort() twice, or to
3613  * call psa_key_derivation_abort() on an operation that has not been set up.
3614  *
3615  * \param[in,out] operation The operation to abort.
3616  *
3617  * \retval #PSA_SUCCESS
3618  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3619  * \retval #PSA_ERROR_HARDWARE_FAILURE
3620  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3621  * \retval #PSA_ERROR_BAD_STATE
3622  * The library has not been previously initialized by psa_crypto_init().
3623  * It is implementation-dependent whether a failure to initialize
3624  * results in this error code.
3625  */
3626 psa_status_t psa_key_derivation_abort(
3627  psa_key_derivation_operation_t *operation);
3628 
3629 /** Perform a key agreement and return the raw shared secret.
3630  *
3631  * \warning The raw result of a key agreement algorithm such as finite-field
3632  * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
3633  * not be used directly as key material. It should instead be passed as
3634  * input to a key derivation algorithm. To chain a key agreement with
3635  * a key derivation, use psa_key_derivation_key_agreement() and other
3636  * functions from the key derivation interface.
3637  *
3638  * \param alg The key agreement algorithm to compute
3639  * (\c PSA_ALG_XXX value such that
3640  * #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
3641  * is true).
3642  * \param private_key Handle to the private key to use.
3643  * \param[in] peer_key Public key of the peer. It must be
3644  * in the same format that psa_import_key()
3645  * accepts. The standard formats for public
3646  * keys are documented in the documentation
3647  * of psa_export_public_key().
3648  * \param peer_key_length Size of \p peer_key in bytes.
3649  * \param[out] output Buffer where the decrypted message is to
3650  * be written.
3651  * \param output_size Size of the \c output buffer in bytes.
3652  * \param[out] output_length On success, the number of bytes
3653  * that make up the returned output.
3654  *
3655  * \retval #PSA_SUCCESS
3656  * Success.
3657  * \retval #PSA_ERROR_INVALID_HANDLE
3658  * \retval #PSA_ERROR_NOT_PERMITTED
3659  * \retval #PSA_ERROR_INVALID_ARGUMENT
3660  * \p alg is not a key agreement algorithm
3661  * \retval #PSA_ERROR_INVALID_ARGUMENT
3662  * \p private_key is not compatible with \p alg,
3663  * or \p peer_key is not valid for \p alg or not compatible with
3664  * \p private_key.
3665  * \retval #PSA_ERROR_BUFFER_TOO_SMALL
3666  * \p output_size is too small
3667  * \retval #PSA_ERROR_NOT_SUPPORTED
3668  * \p alg is not a supported key agreement algorithm.
3669  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3670  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3671  * \retval #PSA_ERROR_HARDWARE_FAILURE
3672  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3673  * \retval #PSA_ERROR_STORAGE_FAILURE
3674  * \retval #PSA_ERROR_BAD_STATE
3675  * The library has not been previously initialized by psa_crypto_init().
3676  * It is implementation-dependent whether a failure to initialize
3677  * results in this error code.
3678  */
3679 psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
3680  psa_key_handle_t private_key,
3681  const uint8_t *peer_key,
3682  size_t peer_key_length,
3683  uint8_t *output,
3684  size_t output_size,
3685  size_t *output_length);
3686 
3687 /**@}*/
3688 
3689 /** \defgroup random Random generation
3690  * @{
3691  */
3692 
3693 /**
3694  * \brief Generate random bytes.
3695  *
3696  * \warning This function **can** fail! Callers MUST check the return status
3697  * and MUST NOT use the content of the output buffer if the return
3698  * status is not #PSA_SUCCESS.
3699  *
3700  * \note To generate a key, use psa_generate_key() instead.
3701  *
3702  * \param[out] output Output buffer for the generated data.
3703  * \param output_size Number of bytes to generate and output.
3704  *
3705  * \retval #PSA_SUCCESS
3706  * \retval #PSA_ERROR_NOT_SUPPORTED
3707  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
3708  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3709  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3710  * \retval #PSA_ERROR_HARDWARE_FAILURE
3711  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3712  * \retval #PSA_ERROR_BAD_STATE
3713  * The library has not been previously initialized by psa_crypto_init().
3714  * It is implementation-dependent whether a failure to initialize
3715  * results in this error code.
3716  */
3717 psa_status_t psa_generate_random(uint8_t *output,
3718  size_t output_size);
3719 
3720 /**
3721  * \brief Generate a key or key pair.
3722  *
3723  * The key is generated randomly.
3724  * Its location, usage policy, type and size are taken from \p attributes.
3725  *
3726  * Implementations must reject an attempt to generate a key of size 0.
3727  *
3728  * The following type-specific considerations apply:
3729  * - For RSA keys (#PSA_KEY_TYPE_RSA_KEY_PAIR),
3730  * the public exponent is 65537.
3731  * The modulus is a product of two probabilistic primes
3732  * between 2^{n-1} and 2^n where n is the bit size specified in the
3733  * attributes.
3734  *
3735  * \param[in] attributes The attributes for the new key.
3736  * \param[out] handle On success, a handle to the newly created key.
3737  * \c 0 on failure.
3738  *
3739  * \retval #PSA_SUCCESS
3740  * Success.
3741  * If the key is persistent, the key material and the key's metadata
3742  * have been saved to persistent storage.
3743  * \retval #PSA_ERROR_ALREADY_EXISTS
3744  * This is an attempt to create a persistent key, and there is
3745  * already a persistent key with the given identifier.
3746  * \retval #PSA_ERROR_NOT_SUPPORTED
3747  * \retval #PSA_ERROR_INVALID_ARGUMENT
3748  * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
3749  * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
3750  * \retval #PSA_ERROR_COMMUNICATION_FAILURE
3751  * \retval #PSA_ERROR_HARDWARE_FAILURE
3752  * \retval #PSA_ERROR_CORRUPTION_DETECTED
3753  * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
3754  * \retval #PSA_ERROR_STORAGE_FAILURE
3755  * \retval #PSA_ERROR_BAD_STATE
3756  * The library has not been previously initialized by psa_crypto_init().
3757  * It is implementation-dependent whether a failure to initialize
3758  * results in this error code.
3759  */
3760 psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
3761  psa_key_handle_t *handle);
3762 
3763 /**@}*/
3764 
3765 #ifdef __cplusplus
3766 }
3767 #endif
3768 
3769 /* The file "crypto_sizes.h" contains definitions for size calculation
3770  * macros whose definitions are implementation-specific. */
3771 #include "crypto_sizes.h"
3772 
3773 /* The file "crypto_struct.h" contains definitions for
3774  * implementation-specific structs that are declared above. */
3775 #include "crypto_struct.h"
3776 
3777 /* The file "crypto_extra.h" contains vendor-specific definitions. This
3778  * can include vendor-defined algorithms, extra functions, etc. */
3779 #include "crypto_extra.h"
3780 
3781 #endif /* PSA_CRYPTO_H */
psa_cipher_encrypt_setup
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg)
Set the key for a multipart symmetric encryption operation.
psa_reset_key_attributes
void psa_reset_key_attributes(psa_key_attributes_t *attributes)
Reset a key attribute structure to a freshly initialized state.
psa_cipher_update
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length)
Encrypt or decrypt a message fragment in an active cipher operation.
psa_set_key_id
static void psa_set_key_id(psa_key_attributes_t *attributes, psa_key_id_t id)
Declare a key as persistent and set its key identifier.
psa_key_attributes_s
Definition: TARGET_MBED_PSA_SRV/mbedtls/crypto_struct.h:340
psa_generate_random
psa_status_t psa_generate_random(uint8_t *output, size_t output_size)
Generate random bytes.
psa_export_key
psa_status_t psa_export_key(psa_key_handle_t handle, uint8_t *data, size_t data_size, size_t *data_length)
Export a key in binary format.
psa_mac_sign_finish
psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation, uint8_t *mac, size_t mac_size, size_t *mac_length)
Finish the calculation of the MAC of a message.
psa_aead_operation_s
Definition: TARGET_MBED_PSA_SRV/mbedtls/crypto_struct.h:177
psa_destroy_key
psa_status_t psa_destroy_key(psa_key_handle_t handle)
Destroy a key.
psa_mac_operation_s
Definition: TARGET_MBED_PSA_SRV/mbedtls/crypto_struct.h:127
psa_cipher_decrypt_setup
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg)
Set the key for a multipart symmetric decryption operation.
psa_sign_hash
psa_status_t psa_sign_hash(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, uint8_t *signature, size_t signature_size, size_t *signature_length)
Sign a hash or short message with a private key.
psa_aead_encrypt_setup
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg)
Set the key for a multipart authenticated encryption operation.
psa_key_derivation_operation_init
static psa_key_derivation_operation_t psa_key_derivation_operation_init(void)
Return an initial value for a key derivation operation object.
psa_key_derivation_set_capacity
psa_status_t psa_key_derivation_set_capacity(psa_key_derivation_operation_t *operation, size_t capacity)
Set the maximum capacity of a key derivation operation.
psa_raw_key_agreement
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, psa_key_handle_t private_key, const uint8_t *peer_key, size_t peer_key_length, uint8_t *output, size_t output_size, size_t *output_length)
Perform a key agreement and return the raw shared secret.
psa_close_key
psa_status_t psa_close_key(psa_key_handle_t handle)
Close a key handle.
psa_key_derivation_abort
psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
Abort a key derivation operation.
psa_cipher_decrypt
psa_status_t psa_cipher_decrypt(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length)
Decrypt a message using a symmetric cipher.
psa_mac_verify_finish
psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation, const uint8_t *mac, size_t mac_length)
Finish the calculation of the MAC of a message and compare it with an expected value.
psa_export_public_key
psa_status_t psa_export_public_key(psa_key_handle_t handle, uint8_t *data, size_t data_size, size_t *data_length)
Export a public key or the public part of a key pair in binary format.
psa_set_key_bits
static void psa_set_key_bits(psa_key_attributes_t *attributes, size_t bits)
Declare the size of a key.
psa_cipher_operation_s
Definition: TARGET_MBED_PSA_SRV/mbedtls/crypto_struct.h:155
psa_mac_abort
psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
Abort a MAC operation.
psa_key_derivation_step_t
uint16_t psa_key_derivation_step_t
Encoding of the step of a key derivation.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:380
psa_key_id_t
uint32_t psa_key_id_t
Encoding of identifiers of persistent keys.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:235
psa_verify_hash
psa_status_t psa_verify_hash(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, const uint8_t *signature, size_t signature_length)
Verify the signature a hash or short message using a public key.
psa_hash_compute
psa_status_t psa_hash_compute(psa_algorithm_t alg, const uint8_t *input, size_t input_length, uint8_t *hash, size_t hash_size, size_t *hash_length)
Calculate the hash (digest) of a message.
psa_get_key_algorithm
static psa_algorithm_t psa_get_key_algorithm(const psa_key_attributes_t *attributes)
Retrieve the algorithm policy from key attributes.
psa_set_key_usage_flags
static void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags)
Declare usage flags for a key.
psa_key_derivation_input_key
psa_status_t psa_key_derivation_input_key(psa_key_derivation_operation_t *operation, psa_key_derivation_step_t step, psa_key_handle_t handle)
Provide an input for key derivation in the form of a key.
psa_hash_update
psa_status_t psa_hash_update(psa_hash_operation_t *operation, const uint8_t *input, size_t input_length)
Add a message fragment to a multipart hash operation.
psa_set_key_lifetime
static void psa_set_key_lifetime(psa_key_attributes_t *attributes, psa_key_lifetime_t lifetime)
Set the location of a persistent key.
psa_hash_operation_init
static psa_hash_operation_t psa_hash_operation_init(void)
Return an initial value for a hash operation object.
psa_aead_set_nonce
psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation, const uint8_t *nonce, size_t nonce_length)
Set the nonce for an authenticated encryption or decryption operation.
psa_get_key_lifetime
static psa_key_lifetime_t psa_get_key_lifetime(const psa_key_attributes_t *attributes)
Retrieve the lifetime from key attributes.
psa_key_derivation_get_capacity
psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation, size_t *capacity)
Retrieve the current capacity of a key derivation operation.
psa_set_key_type
static void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type)
Declare the type of a key.
psa_aead_finish
psa_status_t psa_aead_finish(psa_aead_operation_t *operation, uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length, uint8_t *tag, size_t tag_size, size_t *tag_length)
Finish encrypting a message in an AEAD operation.
psa_get_key_id
static psa_key_id_t psa_get_key_id(const psa_key_attributes_t *attributes)
Retrieve the key identifier from key attributes.
psa_asymmetric_encrypt
psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *input, size_t input_length, const uint8_t *salt, size_t salt_length, uint8_t *output, size_t output_size, size_t *output_length)
Encrypt a short message with a public key.
psa_key_derivation_s
Definition: TARGET_MBED_PSA_SRV/mbedtls/crypto_struct.h:253
psa_get_key_bits
static size_t psa_get_key_bits(const psa_key_attributes_t *attributes)
Retrieve the key size from key attributes.
psa_mac_verify_setup
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg)
Set up a multipart MAC verification operation.
psa_asymmetric_decrypt
psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *input, size_t input_length, const uint8_t *salt, size_t salt_length, uint8_t *output, size_t output_size, size_t *output_length)
Decrypt a short message with a private key.
psa_cipher_finish
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation, uint8_t *output, size_t output_size, size_t *output_length)
Finish encrypting or decrypting a message in a cipher operation.
psa_hash_operation_s
Definition: TARGET_MBED_PSA_SRV/mbedtls/crypto_struct.h:80
psa_aead_update_ad
psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation, const uint8_t *input, size_t input_length)
Pass additional data to an active AEAD operation.
psa_import_key
psa_status_t psa_import_key(const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, psa_key_handle_t *handle)
Import a key in binary format.
psa_hash_verify
psa_status_t psa_hash_verify(psa_hash_operation_t *operation, const uint8_t *hash, size_t hash_length)
Finish the calculation of the hash of a message and compare it with an expected value.
psa_aead_set_lengths
psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation, size_t ad_length, size_t plaintext_length)
Declare the lengths of the message and additional data for AEAD.
psa_aead_decrypt
psa_status_t psa_aead_decrypt(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *nonce, size_t nonce_length, const uint8_t *additional_data, size_t additional_data_length, const uint8_t *ciphertext, size_t ciphertext_length, uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length)
Process an authenticated decryption operation.
psa_mac_verify
psa_status_t psa_mac_verify(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *input, size_t input_length, const uint8_t *mac, size_t mac_length)
Calculate the MAC of a message and compare it with a reference value.
psa_hash_clone
psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation, psa_hash_operation_t *target_operation)
Clone a hash operation.
psa_copy_key
psa_status_t psa_copy_key(psa_key_handle_t source_handle, const psa_key_attributes_t *attributes, psa_key_handle_t *target_handle)
Make a copy of a key.
psa_algorithm_t
uint32_t psa_algorithm_t
Encoding of a cryptographic algorithm.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:96
psa_aead_encrypt
psa_status_t psa_aead_encrypt(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *nonce, size_t nonce_length, const uint8_t *additional_data, size_t additional_data_length, const uint8_t *plaintext, size_t plaintext_length, uint8_t *ciphertext, size_t ciphertext_size, size_t *ciphertext_length)
Process an authenticated encryption operation.
psa_cipher_set_iv
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation, const uint8_t *iv, size_t iv_length)
Set the IV for a symmetric encryption or decryption operation.
psa_aead_generate_nonce
psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation, uint8_t *nonce, size_t nonce_size, size_t *nonce_length)
Generate a random nonce for an authenticated encryption operation.
psa_cipher_operation_init
static psa_cipher_operation_t psa_cipher_operation_init(void)
Return an initial value for a cipher operation object.
psa_hash_setup
psa_status_t psa_hash_setup(psa_hash_operation_t *operation, psa_algorithm_t alg)
Set up a multipart hash operation.
psa_aead_decrypt_setup
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg)
Set the key for a multipart authenticated decryption operation.
psa_cipher_generate_iv
psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation, uint8_t *iv, size_t iv_size, size_t *iv_length)
Generate an IV for a symmetric encryption operation.
psa_key_usage_t
uint32_t psa_key_usage_t
Encoding of permitted usage on a key.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:246
psa_set_key_algorithm
static void psa_set_key_algorithm(psa_key_attributes_t *attributes, psa_algorithm_t alg)
Declare the permitted algorithm policy for a key.
psa_mac_sign_setup
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation, psa_key_handle_t handle, psa_algorithm_t alg)
Set up a multipart MAC calculation operation.
psa_key_type_t
uint16_t psa_key_type_t
Encoding of a key type.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:64
psa_get_key_attributes
psa_status_t psa_get_key_attributes(psa_key_handle_t handle, psa_key_attributes_t *attributes)
Retrieve the attributes of a key.
psa_crypto_init
psa_status_t psa_crypto_init(void)
Library initialization.
psa_key_derivation_output_bytes
psa_status_t psa_key_derivation_output_bytes(psa_key_derivation_operation_t *operation, uint8_t *output, size_t output_length)
Read some data from a key derivation operation.
psa_aead_operation_init
static psa_aead_operation_t psa_aead_operation_init(void)
Return an initial value for an AEAD operation object.
psa_key_derivation_input_bytes
psa_status_t psa_key_derivation_input_bytes(psa_key_derivation_operation_t *operation, psa_key_derivation_step_t step, const uint8_t *data, size_t data_length)
Provide an input for key derivation or key agreement.
psa_generate_key
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, psa_key_handle_t *handle)
Generate a key or key pair.
psa_get_key_type
static psa_key_type_t psa_get_key_type(const psa_key_attributes_t *attributes)
Retrieve the key type from key attributes.
psa_aead_verify
psa_status_t psa_aead_verify(psa_aead_operation_t *operation, uint8_t *plaintext, size_t plaintext_size, size_t *plaintext_length, const uint8_t *tag, size_t tag_length)
Finish authenticating and decrypting a message in an AEAD operation.
psa_key_derivation_key_agreement
psa_status_t psa_key_derivation_key_agreement(psa_key_derivation_operation_t *operation, psa_key_derivation_step_t step, psa_key_handle_t private_key, const uint8_t *peer_key, size_t peer_key_length)
Perform a key agreement and use the shared secret as input to a key derivation.
psa_get_key_usage_flags
static psa_key_usage_t psa_get_key_usage_flags(const psa_key_attributes_t *attributes)
Retrieve the usage flags from key attributes.
psa_hash_abort
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
Abort a hash operation.
psa_key_attributes_init
static psa_key_attributes_t psa_key_attributes_init(void)
Return an initial value for a key attributes structure.
psa_open_key
psa_status_t psa_open_key(psa_key_id_t id, psa_key_handle_t *handle)
Open a handle to an existing persistent key.
psa_key_derivation_setup
psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation, psa_algorithm_t alg)
Set up a key derivation operation.
psa_mac_compute
psa_status_t psa_mac_compute(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *input, size_t input_length, uint8_t *mac, size_t mac_size, size_t *mac_length)
Calculate the MAC (message authentication code) of a message.
psa_aead_abort
psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
Abort an AEAD operation.
psa_aead_update
psa_status_t psa_aead_update(psa_aead_operation_t *operation, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length)
Encrypt or decrypt a message fragment in an active AEAD operation.
psa_key_lifetime_t
uint32_t psa_key_lifetime_t
Encoding of key lifetimes.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:139
psa_mac_operation_init
static psa_mac_operation_t psa_mac_operation_init(void)
Return an initial value for a MAC operation object.
psa_status_t
int32_t psa_status_t
Function return status.
Definition: TARGET_MBED_PSA_SRV/inc/psa/crypto_types.h:53
psa_mac_update
psa_status_t psa_mac_update(psa_mac_operation_t *operation, const uint8_t *input, size_t input_length)
Add a message fragment to a multipart MAC operation.
psa_cipher_abort
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
Abort a cipher operation.
psa_hash_compare
psa_status_t psa_hash_compare(psa_algorithm_t alg, const uint8_t *input, size_t input_length, const uint8_t *hash, size_t hash_length)
Calculate the hash (digest) of a message and compare it with a reference value.
psa_key_derivation_output_key
psa_status_t psa_key_derivation_output_key(const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, psa_key_handle_t *handle)
Derive a key from an ongoing key derivation operation.
psa_cipher_encrypt
psa_status_t psa_cipher_encrypt(psa_key_handle_t handle, psa_algorithm_t alg, const uint8_t *input, size_t input_length, uint8_t *output, size_t output_size, size_t *output_length)
Encrypt a message using a symmetric cipher.
psa_hash_finish
psa_status_t psa_hash_finish(psa_hash_operation_t *operation, uint8_t *hash, size_t hash_size, size_t *hash_length)
Finish the calculation of the hash of a message.
Important Information for this Arm website

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.