Keil Studio Cloud
Mistake on this page?
Report an issue in GitHub or email us
TARGET_TFM/TARGET_TFM_LATEST/include/psa/crypto_values.h
1 /*
2  * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  *
6  */
7 /**
8  * \file psa/crypto_values.h
9  *
10  * \brief PSA cryptography module: macros to build and analyze integer values.
11  *
12  * \note This file may not be included directly. Applications must
13  * include psa/crypto.h. Drivers must include the appropriate driver
14  * header file.
15  *
16  * This file contains portable definitions of macros to build and analyze
17  * values of integral types that encode properties of cryptographic keys,
18  * designations of cryptographic algorithms, and error codes returned by
19  * the library.
20  *
21  * This header file only defines preprocessor macros.
22  */
23 
24 #ifndef PSA_CRYPTO_VALUES_H
25 #define PSA_CRYPTO_VALUES_H
26 
27 #include "mbedtls_svc_key_id.h"
28 
29 /** \defgroup error Error codes
30  * @{
31  */
32 
33 /* PSA error codes */
34 
35 /** The action was completed successfully. */
36 #ifndef PSA_SUCCESS
37 #define PSA_SUCCESS ((psa_status_t)0)
38 #endif
39 
40 /** An error occurred that does not correspond to any defined
41  * failure cause.
42  *
43  * Implementations may use this error code if none of the other standard
44  * error codes are applicable. */
45 #define PSA_ERROR_GENERIC_ERROR ((psa_status_t)-132)
46 
47 /** The requested operation or a parameter is not supported
48  * by this implementation.
49  *
50  * Implementations should return this error code when an enumeration
51  * parameter such as a key type, algorithm, etc. is not recognized.
52  * If a combination of parameters is recognized and identified as
53  * not valid, return #PSA_ERROR_INVALID_ARGUMENT instead. */
54 #define PSA_ERROR_NOT_SUPPORTED ((psa_status_t)-134)
55 
56 /** The requested action is denied by a policy.
57  *
58  * Implementations should return this error code when the parameters
59  * are recognized as valid and supported, and a policy explicitly
60  * denies the requested operation.
61  *
62  * If a subset of the parameters of a function call identify a
63  * forbidden operation, and another subset of the parameters are
64  * not valid or not supported, it is unspecified whether the function
65  * returns #PSA_ERROR_NOT_PERMITTED, #PSA_ERROR_NOT_SUPPORTED or
66  * #PSA_ERROR_INVALID_ARGUMENT. */
67 #define PSA_ERROR_NOT_PERMITTED ((psa_status_t)-133)
68 
69 /** An output buffer is too small.
70  *
71  * Applications can call the \c PSA_xxx_SIZE macro listed in the function
72  * description to determine a sufficient buffer size.
73  *
74  * Implementations should preferably return this error code only
75  * in cases when performing the operation with a larger output
76  * buffer would succeed. However implementations may return this
77  * error if a function has invalid or unsupported parameters in addition
78  * to the parameters that determine the necessary output buffer size. */
79 #define PSA_ERROR_BUFFER_TOO_SMALL ((psa_status_t)-138)
80 
81 /** Asking for an item that already exists
82  *
83  * Implementations should return this error, when attempting
84  * to write an item (like a key) that already exists. */
85 #define PSA_ERROR_ALREADY_EXISTS ((psa_status_t)-139)
86 
87 /** Asking for an item that doesn't exist
88  *
89  * Implementations should return this error, if a requested item (like
90  * a key) does not exist. */
91 #define PSA_ERROR_DOES_NOT_EXIST ((psa_status_t)-140)
92 
93 /** The requested action cannot be performed in the current state.
94  *
95  * Multipart operations return this error when one of the
96  * functions is called out of sequence. Refer to the function
97  * descriptions for permitted sequencing of functions.
98  *
99  * Implementations shall not return this error code to indicate
100  * that a key either exists or not,
101  * but shall instead return #PSA_ERROR_ALREADY_EXISTS or #PSA_ERROR_DOES_NOT_EXIST
102  * as applicable.
103  *
104  * Implementations shall not return this error code to indicate that a
105  * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
106  * instead. */
107 #define PSA_ERROR_BAD_STATE ((psa_status_t)-137)
108 
109 /** The parameters passed to the function are invalid.
110  *
111  * Implementations may return this error any time a parameter or
112  * combination of parameters are recognized as invalid.
113  *
114  * Implementations shall not return this error code to indicate that a
115  * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
116  * instead.
117  */
118 #define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
119 
120 /** There is not enough runtime memory.
121  *
122  * If the action is carried out across multiple security realms, this
123  * error can refer to available memory in any of the security realms. */
124 #define PSA_ERROR_INSUFFICIENT_MEMORY ((psa_status_t)-141)
125 
126 /** There is not enough persistent storage.
127  *
128  * Functions that modify the key storage return this error code if
129  * there is insufficient storage space on the host media. In addition,
130  * many functions that do not otherwise access storage may return this
131  * error code if the implementation requires a mandatory log entry for
132  * the requested action and the log storage space is full. */
133 #define PSA_ERROR_INSUFFICIENT_STORAGE ((psa_status_t)-142)
134 
135 /** There was a communication failure inside the implementation.
136  *
137  * This can indicate a communication failure between the application
138  * and an external cryptoprocessor or between the cryptoprocessor and
139  * an external volatile or persistent memory. A communication failure
140  * may be transient or permanent depending on the cause.
141  *
142  * \warning If a function returns this error, it is undetermined
143  * whether the requested action has completed or not. Implementations
144  * should return #PSA_SUCCESS on successful completion whenever
145  * possible, however functions may return #PSA_ERROR_COMMUNICATION_FAILURE
146  * if the requested action was completed successfully in an external
147  * cryptoprocessor but there was a breakdown of communication before
148  * the cryptoprocessor could report the status to the application.
149  */
150 #define PSA_ERROR_COMMUNICATION_FAILURE ((psa_status_t)-145)
151 
152 /** There was a storage failure that may have led to data loss.
153  *
154  * This error indicates that some persistent storage is corrupted.
155  * It should not be used for a corruption of volatile memory
156  * (use #PSA_ERROR_CORRUPTION_DETECTED), for a communication error
157  * between the cryptoprocessor and its external storage (use
158  * #PSA_ERROR_COMMUNICATION_FAILURE), or when the storage is
159  * in a valid state but is full (use #PSA_ERROR_INSUFFICIENT_STORAGE).
160  *
161  * Note that a storage failure does not indicate that any data that was
162  * previously read is invalid. However this previously read data may no
163  * longer be readable from storage.
164  *
165  * When a storage failure occurs, it is no longer possible to ensure
166  * the global integrity of the keystore. Depending on the global
167  * integrity guarantees offered by the implementation, access to other
168  * data may or may not fail even if the data is still readable but
169  * its integrity cannot be guaranteed.
170  *
171  * Implementations should only use this error code to report a
172  * permanent storage corruption. However application writers should
173  * keep in mind that transient errors while reading the storage may be
174  * reported using this error code. */
175 #define PSA_ERROR_STORAGE_FAILURE ((psa_status_t)-146)
176 
177 /** A hardware failure was detected.
178  *
179  * A hardware failure may be transient or permanent depending on the
180  * cause. */
181 #define PSA_ERROR_HARDWARE_FAILURE ((psa_status_t)-147)
182 
183 /** A tampering attempt was detected.
184  *
185  * If an application receives this error code, there is no guarantee
186  * that previously accessed or computed data was correct and remains
187  * confidential. Applications should not perform any security function
188  * and should enter a safe failure state.
189  *
190  * Implementations may return this error code if they detect an invalid
191  * state that cannot happen during normal operation and that indicates
192  * that the implementation's security guarantees no longer hold. Depending
193  * on the implementation architecture and on its security and safety goals,
194  * the implementation may forcibly terminate the application.
195  *
196  * This error code is intended as a last resort when a security breach
197  * is detected and it is unsure whether the keystore data is still
198  * protected. Implementations shall only return this error code
199  * to report an alarm from a tampering detector, to indicate that
200  * the confidentiality of stored data can no longer be guaranteed,
201  * or to indicate that the integrity of previously returned data is now
202  * considered compromised. Implementations shall not use this error code
203  * to indicate a hardware failure that merely makes it impossible to
204  * perform the requested operation (use #PSA_ERROR_COMMUNICATION_FAILURE,
205  * #PSA_ERROR_STORAGE_FAILURE, #PSA_ERROR_HARDWARE_FAILURE,
206  * #PSA_ERROR_INSUFFICIENT_ENTROPY or other applicable error code
207  * instead).
208  *
209  * This error indicates an attack against the application. Implementations
210  * shall not return this error code as a consequence of the behavior of
211  * the application itself. */
212 #define PSA_ERROR_CORRUPTION_DETECTED ((psa_status_t)-151)
213 
214 /** There is not enough entropy to generate random data needed
215  * for the requested action.
216  *
217  * This error indicates a failure of a hardware random generator.
218  * Application writers should note that this error can be returned not
219  * only by functions whose purpose is to generate random data, such
220  * as key, IV or nonce generation, but also by functions that execute
221  * an algorithm with a randomized result, as well as functions that
222  * use randomization of intermediate computations as a countermeasure
223  * to certain attacks.
224  *
225  * Implementations should avoid returning this error after psa_crypto_init()
226  * has succeeded. Implementations should generate sufficient
227  * entropy during initialization and subsequently use a cryptographically
228  * secure pseudorandom generator (PRNG). However implementations may return
229  * this error at any time if a policy requires the PRNG to be reseeded
230  * during normal operation. */
231 #define PSA_ERROR_INSUFFICIENT_ENTROPY ((psa_status_t)-148)
232 
233 /** The signature, MAC or hash is incorrect.
234  *
235  * Verification functions return this error if the verification
236  * calculations completed successfully, and the value to be verified
237  * was determined to be incorrect.
238  *
239  * If the value to verify has an invalid size, implementations may return
240  * either #PSA_ERROR_INVALID_ARGUMENT or #PSA_ERROR_INVALID_SIGNATURE. */
241 #define PSA_ERROR_INVALID_SIGNATURE ((psa_status_t)-149)
242 
243 /** The decrypted padding is incorrect.
244  *
245  * \warning In some protocols, when decrypting data, it is essential that
246  * the behavior of the application does not depend on whether the padding
247  * is correct, down to precise timing. Applications should prefer
248  * protocols that use authenticated encryption rather than plain
249  * encryption. If the application must perform a decryption of
250  * unauthenticated data, the application writer should take care not
251  * to reveal whether the padding is invalid.
252  *
253  * Implementations should strive to make valid and invalid padding
254  * as close as possible to indistinguishable to an external observer.
255  * In particular, the timing of a decryption operation should not
256  * depend on the validity of the padding. */
257 #define PSA_ERROR_INVALID_PADDING ((psa_status_t)-150)
258 
259 /** Return this error when there's insufficient data when attempting
260  * to read from a resource. */
261 #define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
262 
263 /** The key identifier is not valid. See also :ref:\`key-handles\`.
264  */
265 #define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
266 
267 /** Stored data has been corrupted.
268  *
269  * This error indicates that some persistent storage has suffered corruption.
270  * It does not indicate the following situations, which have specific error
271  * codes:
272  *
273  * - A corruption of volatile memory - use #PSA_ERROR_CORRUPTION_DETECTED.
274  * - A communication error between the cryptoprocessor and its external
275  * storage - use #PSA_ERROR_COMMUNICATION_FAILURE.
276  * - When the storage is in a valid state but is full - use
277  * #PSA_ERROR_INSUFFICIENT_STORAGE.
278  * - When the storage fails for other reasons - use
279  * #PSA_ERROR_STORAGE_FAILURE.
280  * - When the stored data is not valid - use #PSA_ERROR_DATA_INVALID.
281  *
282  * \note A storage corruption does not indicate that any data that was
283  * previously read is invalid. However this previously read data might no
284  * longer be readable from storage.
285  *
286  * When a storage failure occurs, it is no longer possible to ensure the
287  * global integrity of the keystore.
288  */
289 #define PSA_ERROR_DATA_CORRUPT ((psa_status_t)-152)
290 
291 /** Data read from storage is not valid for the implementation.
292  *
293  * This error indicates that some data read from storage does not have a valid
294  * format. It does not indicate the following situations, which have specific
295  * error codes:
296  *
297  * - When the storage or stored data is corrupted - use #PSA_ERROR_DATA_CORRUPT
298  * - When the storage fails for other reasons - use #PSA_ERROR_STORAGE_FAILURE
299  * - An invalid argument to the API - use #PSA_ERROR_INVALID_ARGUMENT
300  *
301  * This error is typically a result of either storage corruption on a
302  * cleartext storage backend, or an attempt to read data that was
303  * written by an incompatible version of the library.
304  */
305 #define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
306 
307 /**@}*/
308 
309 /** \defgroup crypto_types Key and algorithm types
310  * @{
311  */
312 
313 /** An invalid key type value.
314  *
315  * Zero is not the encoding of any key type.
316  */
317 #define PSA_KEY_TYPE_NONE ((psa_key_type_t)0x0000)
318 
319 /** Vendor-defined key type flag.
320  *
321  * Key types defined by this standard will never have the
322  * #PSA_KEY_TYPE_VENDOR_FLAG bit set. Vendors who define additional key types
323  * must use an encoding with the #PSA_KEY_TYPE_VENDOR_FLAG bit set and should
324  * respect the bitwise structure used by standard encodings whenever practical.
325  */
326 #define PSA_KEY_TYPE_VENDOR_FLAG ((psa_key_type_t)0x8000)
327 
328 #define PSA_KEY_TYPE_CATEGORY_MASK ((psa_key_type_t)0x7000)
329 #define PSA_KEY_TYPE_CATEGORY_RAW ((psa_key_type_t)0x1000)
330 #define PSA_KEY_TYPE_CATEGORY_SYMMETRIC ((psa_key_type_t)0x2000)
331 #define PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY ((psa_key_type_t)0x4000)
332 #define PSA_KEY_TYPE_CATEGORY_KEY_PAIR ((psa_key_type_t)0x7000)
333 
334 #define PSA_KEY_TYPE_CATEGORY_FLAG_PAIR ((psa_key_type_t)0x3000)
335 
336 /** Whether a key type is vendor-defined.
337  *
338  * See also #PSA_KEY_TYPE_VENDOR_FLAG.
339  */
340 #define PSA_KEY_TYPE_IS_VENDOR_DEFINED(type) \
341  (((type) & PSA_KEY_TYPE_VENDOR_FLAG) != 0)
342 
343 /** Whether a key type is an unstructured array of bytes.
344  *
345  * This encompasses both symmetric keys and non-key data.
346  */
347 #define PSA_KEY_TYPE_IS_UNSTRUCTURED(type) \
348  (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_RAW || \
349  ((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC)
350 
351 /** Whether a key type is asymmetric: either a key pair or a public key. */
352 #define PSA_KEY_TYPE_IS_ASYMMETRIC(type) \
353  (((type) & PSA_KEY_TYPE_CATEGORY_MASK \
354  & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR) == \
355  PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
356 /** Whether a key type is the public part of a key pair. */
357 #define PSA_KEY_TYPE_IS_PUBLIC_KEY(type) \
358  (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_PUBLIC_KEY)
359 /** Whether a key type is a key pair containing a private part and a public
360  * part. */
361 #define PSA_KEY_TYPE_IS_KEY_PAIR(type) \
362  (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_KEY_PAIR)
363 /** The key pair type corresponding to a public key type.
364  *
365  * You may also pass a key pair type as \p type, it will be left unchanged.
366  *
367  * \param type A public key type or key pair type.
368  *
369  * \return The corresponding key pair type.
370  * If \p type is not a public key or a key pair,
371  * the return value is undefined.
372  */
373 #define PSA_KEY_TYPE_KEY_PAIR_OF_PUBLIC_KEY(type) \
374  ((type) | PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
375 /** The public key type corresponding to a key pair type.
376  *
377  * You may also pass a key pair type as \p type, it will be left unchanged.
378  *
379  * \param type A public key type or key pair type.
380  *
381  * \return The corresponding public key type.
382  * If \p type is not a public key or a key pair,
383  * the return value is undefined.
384  */
385 #define PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) \
386  ((type) & ~PSA_KEY_TYPE_CATEGORY_FLAG_PAIR)
387 
388 /** Raw data.
389  *
390  * A "key" of this type cannot be used for any cryptographic operation.
391  * Applications may use this type to store arbitrary data in the keystore. */
392 #define PSA_KEY_TYPE_RAW_DATA ((psa_key_type_t)0x1001)
393 
394 /** HMAC key.
395  *
396  * The key policy determines which underlying hash algorithm the key can be
397  * used for.
398  *
399  * HMAC keys should generally have the same size as the underlying hash.
400  * This size can be calculated with #PSA_HASH_LENGTH(\c alg) where
401  * \c alg is the HMAC algorithm or the underlying hash algorithm. */
402 #define PSA_KEY_TYPE_HMAC ((psa_key_type_t)0x1100)
403 
404 /** A secret for key derivation.
405  *
406  * This key type is for high-entropy secrets only. For low-entropy secrets,
407  * #PSA_KEY_TYPE_PASSWORD should be used instead.
408  *
409  * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_SECRET or
410  * #PSA_KEY_DERIVATION_INPUT_PASSWORD input of key derivation algorithms.
411  *
412  * The key policy determines which key derivation algorithm the key
413  * can be used for.
414  */
415 #define PSA_KEY_TYPE_DERIVE ((psa_key_type_t)0x1200)
416 
417 /** A low-entropy secret for password hashing or key derivation.
418  *
419  * This key type is suitable for passwords and passphrases which are typically
420  * intended to be memorizable by humans, and have a low entropy relative to
421  * their size. It can be used for randomly generated or derived keys with
422  * maximum or near-maximum entropy, but #PSA_KEY_TYPE_DERIVE is more suitable
423  * for such keys. It is not suitable for passwords with extremely low entropy,
424  * such as numerical PINs.
425  *
426  * These keys can be used as the #PSA_KEY_DERIVATION_INPUT_PASSWORD input of
427  * key derivation algorithms. Algorithms that accept such an input were
428  * designed to accept low-entropy secret and are known as password hashing or
429  * key stretching algorithms.
430  *
431  * These keys cannot be used as the #PSA_KEY_DERIVATION_INPUT_SECRET input of
432  * key derivation algorithms, as the algorithms that take such an input expect
433  * it to be high-entropy.
434  *
435  * The key policy determines which key derivation algorithm the key can be
436  * used for, among the permissible subset defined above.
437  */
438 #define PSA_KEY_TYPE_PASSWORD ((psa_key_type_t)0x1203)
439 
440 /** A secret value that can be used to verify a password hash.
441  *
442  * The key policy determines which key derivation algorithm the key
443  * can be used for, among the same permissible subset as for
444  * #PSA_KEY_TYPE_PASSWORD.
445  */
446 #define PSA_KEY_TYPE_PASSWORD_HASH ((psa_key_type_t)0x1205)
447 
448 /** A secret value that can be used in when computing a password hash.
449  *
450  * The key policy determines which key derivation algorithm the key
451  * can be used for, among the subset of algorithms that can use pepper.
452  */
453 #define PSA_KEY_TYPE_PEPPER ((psa_key_type_t)0x1206)
454 
455 /** Key for a cipher, AEAD or MAC algorithm based on the AES block cipher.
456  *
457  * The size of the key can be 16 bytes (AES-128), 24 bytes (AES-192) or
458  * 32 bytes (AES-256).
459  */
460 #define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400)
461 
462 /** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
463  *
464  * The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or
465  * 192 bits (3-key 3DES).
466  *
467  * Note that single DES and 2-key 3DES are weak and strongly
468  * deprecated and should only be used to decrypt legacy data. 3-key 3DES
469  * is weak and deprecated and should only be used in legacy protocols.
470  */
471 #define PSA_KEY_TYPE_DES ((psa_key_type_t)0x2301)
472 
473 /** Key for a cipher, AEAD or MAC algorithm based on the
474  * Camellia block cipher. */
475 #define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x2403)
476 
477 /** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
478  *
479  * ChaCha20 and the ChaCha20_Poly1305 construction are defined in RFC 7539.
480  *
481  * Implementations must support 12-byte nonces, may support 8-byte nonces,
482  * and should reject other sizes.
483  */
484 #define PSA_KEY_TYPE_CHACHA20 ((psa_key_type_t)0x2004)
485 
486 /** RSA public key.
487  *
488  * The size of an RSA key is the bit size of the modulus.
489  */
490 #define PSA_KEY_TYPE_RSA_PUBLIC_KEY ((psa_key_type_t)0x4001)
491 /** RSA key pair (private and public key).
492  *
493  * The size of an RSA key is the bit size of the modulus.
494  */
495 #define PSA_KEY_TYPE_RSA_KEY_PAIR ((psa_key_type_t)0x7001)
496 /** Whether a key type is an RSA key (pair or public-only). */
497 #define PSA_KEY_TYPE_IS_RSA(type) \
498  (PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY)
499 
500 #define PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE ((psa_key_type_t)0x4100)
501 #define PSA_KEY_TYPE_ECC_KEY_PAIR_BASE ((psa_key_type_t)0x7100)
502 #define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff)
503 /** Elliptic curve key pair.
504  *
505  * The size of an elliptic curve key is the bit size associated with the curve,
506  * i.e. the bit size of *q* for a curve over a field *F<sub>q</sub>*.
507  * See the documentation of `PSA_ECC_FAMILY_xxx` curve families for details.
508  *
509  * \param curve A value of type ::psa_ecc_family_t that
510  * identifies the ECC curve to be used.
511  */
512 #define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \
513  (PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))
514 /** Elliptic curve public key.
515  *
516  * The size of an elliptic curve public key is the same as the corresponding
517  * private key (see #PSA_KEY_TYPE_ECC_KEY_PAIR and the documentation of
518  * `PSA_ECC_FAMILY_xxx` curve families).
519  *
520  * \param curve A value of type ::psa_ecc_family_t that
521  * identifies the ECC curve to be used.
522  */
523 #define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \
524  (PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))
525 
526 /** Whether a key type is an elliptic curve key (pair or public-only). */
527 #define PSA_KEY_TYPE_IS_ECC(type) \
528  ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
529  ~PSA_KEY_TYPE_ECC_CURVE_MASK) == PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
530 /** Whether a key type is an elliptic curve key pair. */
531 #define PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type) \
532  (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
533  PSA_KEY_TYPE_ECC_KEY_PAIR_BASE)
534 /** Whether a key type is an elliptic curve public key. */
535 #define PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(type) \
536  (((type) & ~PSA_KEY_TYPE_ECC_CURVE_MASK) == \
537  PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
538 
539 /** Extract the curve from an elliptic curve key type. */
540 #define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \
541  ((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
542  ((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \
543  0))
544 
545 /** SEC Koblitz curves over prime fields.
546  *
547  * This family comprises the following curves:
548  * secp192k1, secp224k1, secp256k1.
549  * They are defined in _Standards for Efficient Cryptography_,
550  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
551  * https://www.secg.org/sec2-v2.pdf
552  */
553 #define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
554 
555 /** SEC random curves over prime fields.
556  *
557  * This family comprises the following curves:
558  * secp192k1, secp224r1, secp256r1, secp384r1, secp521r1.
559  * They are defined in _Standards for Efficient Cryptography_,
560  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
561  * https://www.secg.org/sec2-v2.pdf
562  */
563 #define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
564 /* SECP160R2 (SEC2 v1, obsolete) */
565 #define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
566 
567 /** SEC Koblitz curves over binary fields.
568  *
569  * This family comprises the following curves:
570  * sect163k1, sect233k1, sect239k1, sect283k1, sect409k1, sect571k1.
571  * They are defined in _Standards for Efficient Cryptography_,
572  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
573  * https://www.secg.org/sec2-v2.pdf
574  */
575 #define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
576 
577 /** SEC random curves over binary fields.
578  *
579  * This family comprises the following curves:
580  * sect163r1, sect233r1, sect283r1, sect409r1, sect571r1.
581  * They are defined in _Standards for Efficient Cryptography_,
582  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
583  * https://www.secg.org/sec2-v2.pdf
584  */
585 #define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
586 
587 /** SEC additional random curves over binary fields.
588  *
589  * This family comprises the following curve:
590  * sect163r2.
591  * It is defined in _Standards for Efficient Cryptography_,
592  * _SEC 2: Recommended Elliptic Curve Domain Parameters_.
593  * https://www.secg.org/sec2-v2.pdf
594  */
595 #define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
596 
597 /** Brainpool P random curves.
598  *
599  * This family comprises the following curves:
600  * brainpoolP160r1, brainpoolP192r1, brainpoolP224r1, brainpoolP256r1,
601  * brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
602  * It is defined in RFC 5639.
603  */
604 #define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
605 
606 /** Curve25519 and Curve448.
607  *
608  * This family comprises the following Montgomery curves:
609  * - 255-bit: Bernstein et al.,
610  * _Curve25519: new Diffie-Hellman speed records_, LNCS 3958, 2006.
611  * The algorithm #PSA_ALG_ECDH performs X25519 when used with this curve.
612  * - 448-bit: Hamburg,
613  * _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
614  * The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
615  */
616 #define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41)
617 
618 /** The twisted Edwards curves Ed25519 and Ed448.
619  *
620  * These curves are suitable for EdDSA (#PSA_ALG_PURE_EDDSA for both curves,
621  * #PSA_ALG_ED25519PH for the 255-bit curve,
622  * #PSA_ALG_ED448PH for the 448-bit curve).
623  *
624  * This family comprises the following twisted Edwards curves:
625  * - 255-bit: Edwards25519, the twisted Edwards curve birationally equivalent
626  * to Curve25519.
627  * Bernstein et al., _Twisted Edwards curves_, Africacrypt 2008.
628  * - 448-bit: Edwards448, the twisted Edwards curve birationally equivalent
629  * to Curve448.
630  * Hamburg, _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
631  */
632 #define PSA_ECC_FAMILY_TWISTED_EDWARDS ((psa_ecc_family_t) 0x42)
633 
634 #define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t)0x4200)
635 #define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t)0x7200)
636 #define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t)0x00ff)
637 /** Diffie-Hellman key pair.
638  *
639  * \param group A value of type ::psa_dh_family_t that identifies the
640  * Diffie-Hellman group to be used.
641  */
642 #define PSA_KEY_TYPE_DH_KEY_PAIR(group) \
643  (PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))
644 /** Diffie-Hellman public key.
645  *
646  * \param group A value of type ::psa_dh_family_t that identifies the
647  * Diffie-Hellman group to be used.
648  */
649 #define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \
650  (PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE | (group))
651 
652 /** Whether a key type is a Diffie-Hellman key (pair or public-only). */
653 #define PSA_KEY_TYPE_IS_DH(type) \
654  ((PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(type) & \
655  ~PSA_KEY_TYPE_DH_GROUP_MASK) == PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
656 /** Whether a key type is a Diffie-Hellman key pair. */
657 #define PSA_KEY_TYPE_IS_DH_KEY_PAIR(type) \
658  (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
659  PSA_KEY_TYPE_DH_KEY_PAIR_BASE)
660 /** Whether a key type is a Diffie-Hellman public key. */
661 #define PSA_KEY_TYPE_IS_DH_PUBLIC_KEY(type) \
662  (((type) & ~PSA_KEY_TYPE_DH_GROUP_MASK) == \
663  PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
664 
665 /** Extract the group from a Diffie-Hellman key type. */
666 #define PSA_KEY_TYPE_DH_GET_FAMILY(type) \
667  ((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \
668  ((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \
669  0))
670 
671 /** Diffie-Hellman groups defined in RFC 7919 Appendix A.
672  *
673  * This family includes groups with the following key sizes (in bits):
674  * 2048, 3072, 4096, 6144, 8192. A given implementation may support
675  * all of these sizes or only a subset.
676  */
677 #define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03)
678 
679 #define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \
680  (((type) >> 8) & 7)
681 /** The block size of a block cipher.
682  *
683  * \param type A cipher key type (value of type #psa_key_type_t).
684  *
685  * \return The block size for a block cipher, or 1 for a stream cipher.
686  * The return value is undefined if \p type is not a supported
687  * cipher key type.
688  *
689  * \note It is possible to build stream cipher algorithms on top of a block
690  * cipher, for example CTR mode (#PSA_ALG_CTR).
691  * This macro only takes the key type into account, so it cannot be
692  * used to determine the size of the data that #psa_cipher_update()
693  * might buffer for future processing in general.
694  *
695  * \note This macro returns a compile-time constant if its argument is one.
696  *
697  * \warning This macro may evaluate its argument multiple times.
698  */
699 #define PSA_BLOCK_CIPHER_BLOCK_LENGTH(type) \
700  (((type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
701  1u << PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) : \
702  0u)
703 
704 /** Vendor-defined algorithm flag.
705  *
706  * Algorithms defined by this standard will never have the #PSA_ALG_VENDOR_FLAG
707  * bit set. Vendors who define additional algorithms must use an encoding with
708  * the #PSA_ALG_VENDOR_FLAG bit set and should respect the bitwise structure
709  * used by standard encodings whenever practical.
710  */
711 #define PSA_ALG_VENDOR_FLAG ((psa_algorithm_t)0x80000000)
712 
713 #define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t)0x7f000000)
714 #define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x02000000)
715 #define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x03000000)
716 #define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t)0x04000000)
717 #define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x05000000)
718 #define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x06000000)
719 #define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000)
720 #define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000)
721 #define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000)
722 
723 /** Whether an algorithm is vendor-defined.
724  *
725  * See also #PSA_ALG_VENDOR_FLAG.
726  */
727 #define PSA_ALG_IS_VENDOR_DEFINED(alg) \
728  (((alg) & PSA_ALG_VENDOR_FLAG) != 0)
729 
730 /** Whether the specified algorithm is a hash algorithm.
731  *
732  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
733  *
734  * \return 1 if \p alg is a hash algorithm, 0 otherwise.
735  * This macro may return either 0 or 1 if \p alg is not a supported
736  * algorithm identifier.
737  */
738 #define PSA_ALG_IS_HASH(alg) \
739  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_HASH)
740 
741 /** Whether the specified algorithm is a MAC algorithm.
742  *
743  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
744  *
745  * \return 1 if \p alg is a MAC algorithm, 0 otherwise.
746  * This macro may return either 0 or 1 if \p alg is not a supported
747  * algorithm identifier.
748  */
749 #define PSA_ALG_IS_MAC(alg) \
750  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_MAC)
751 
752 /** Whether the specified algorithm is a symmetric cipher algorithm.
753  *
754  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
755  *
756  * \return 1 if \p alg is a symmetric cipher algorithm, 0 otherwise.
757  * This macro may return either 0 or 1 if \p alg is not a supported
758  * algorithm identifier.
759  */
760 #define PSA_ALG_IS_CIPHER(alg) \
761  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_CIPHER)
762 
763 /** Whether the specified algorithm is an authenticated encryption
764  * with associated data (AEAD) algorithm.
765  *
766  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
767  *
768  * \return 1 if \p alg is an AEAD algorithm, 0 otherwise.
769  * This macro may return either 0 or 1 if \p alg is not a supported
770  * algorithm identifier.
771  */
772 #define PSA_ALG_IS_AEAD(alg) \
773  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_AEAD)
774 
775 /** Whether the specified algorithm is an asymmetric signature algorithm,
776  * also known as public-key signature algorithm.
777  *
778  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
779  *
780  * \return 1 if \p alg is an asymmetric signature algorithm, 0 otherwise.
781  * This macro may return either 0 or 1 if \p alg is not a supported
782  * algorithm identifier.
783  */
784 #define PSA_ALG_IS_SIGN(alg) \
785  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_SIGN)
786 
787 /** Whether the specified algorithm is an asymmetric encryption algorithm,
788  * also known as public-key encryption algorithm.
789  *
790  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
791  *
792  * \return 1 if \p alg is an asymmetric encryption algorithm, 0 otherwise.
793  * This macro may return either 0 or 1 if \p alg is not a supported
794  * algorithm identifier.
795  */
796 #define PSA_ALG_IS_ASYMMETRIC_ENCRYPTION(alg) \
797  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION)
798 
799 /** Whether the specified algorithm is a key agreement algorithm.
800  *
801  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
802  *
803  * \return 1 if \p alg is a key agreement algorithm, 0 otherwise.
804  * This macro may return either 0 or 1 if \p alg is not a supported
805  * algorithm identifier.
806  */
807 #define PSA_ALG_IS_KEY_AGREEMENT(alg) \
808  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_AGREEMENT)
809 
810 /** Whether the specified algorithm is a key derivation algorithm.
811  *
812  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
813  *
814  * \return 1 if \p alg is a key derivation algorithm, 0 otherwise.
815  * This macro may return either 0 or 1 if \p alg is not a supported
816  * algorithm identifier.
817  */
818 #define PSA_ALG_IS_KEY_DERIVATION(alg) \
819  (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION)
820 
821 /** Whether the specified algorithm is a key stretching / password hashing
822  * algorithm.
823  *
824  * A key stretching / password hashing algorithm is a key derivation algorithm
825  * that is suitable for use with a low-entropy secret such as a password.
826  * Equivalently, it's a key derivation algorithm that uses a
827  * #PSA_KEY_DERIVATION_INPUT_PASSWORD input step.
828  *
829  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
830  *
831  * \return 1 if \p alg is a key stretching / password hashing algorithm, 0
832  * otherwise. This macro may return either 0 or 1 if \p alg is not a
833  * supported algorithm identifier.
834  */
835 #define PSA_ALG_IS_KEY_DERIVATION_STRETCHING(alg) \
836  (PSA_ALG_IS_KEY_DERIVATION(alg) && \
837  (alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)
838 
839 #define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
840 /** MD5 */
841 #define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)
842 /** PSA_ALG_RIPEMD160 */
843 #define PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x02000004)
844 /** SHA1 */
845 #define PSA_ALG_SHA_1 ((psa_algorithm_t)0x02000005)
846 /** SHA2-224 */
847 #define PSA_ALG_SHA_224 ((psa_algorithm_t)0x02000008)
848 /** SHA2-256 */
849 #define PSA_ALG_SHA_256 ((psa_algorithm_t)0x02000009)
850 /** SHA2-384 */
851 #define PSA_ALG_SHA_384 ((psa_algorithm_t)0x0200000a)
852 /** SHA2-512 */
853 #define PSA_ALG_SHA_512 ((psa_algorithm_t)0x0200000b)
854 /** SHA2-512/224 */
855 #define PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0200000c)
856 /** SHA2-512/256 */
857 #define PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0200000d)
858 /** SHA3-224 */
859 #define PSA_ALG_SHA3_224 ((psa_algorithm_t)0x02000010)
860 /** SHA3-256 */
861 #define PSA_ALG_SHA3_256 ((psa_algorithm_t)0x02000011)
862 /** SHA3-384 */
863 #define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012)
864 /** SHA3-512 */
865 #define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013)
866 /** The first 512 bits (64 bytes) of the SHAKE256 output.
867  *
868  * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other
869  * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512
870  * has the same output size and a (theoretically) higher security strength.
871  */
872 #define PSA_ALG_SHAKE256_512 ((psa_algorithm_t)0x02000015)
873 
874 /** In a hash-and-sign algorithm policy, allow any hash algorithm.
875  *
876  * This value may be used to form the algorithm usage field of a policy
877  * for a signature algorithm that is parametrized by a hash. The key
878  * may then be used to perform operations using the same signature
879  * algorithm parametrized with any supported hash.
880  *
881  * That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
882  * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS,
883  * - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
884  * Then you may create and use a key as follows:
885  * - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
886  * ```
887  * psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); // or VERIFY
888  * psa_set_key_algorithm(&attributes, PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));
889  * ```
890  * - Import or generate key material.
891  * - Call psa_sign_hash() or psa_verify_hash(), passing
892  * an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
893  * call to sign or verify a message may use a different hash.
894  * ```
895  * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
896  * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
897  * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
898  * ```
899  *
900  * This value may not be used to build other algorithms that are
901  * parametrized over a hash. For any valid use of this macro to build
902  * an algorithm \c alg, #PSA_ALG_IS_HASH_AND_SIGN(\c alg) is true.
903  *
904  * This value may not be used to build an algorithm specification to
905  * perform an operation. It is only valid to build policies.
906  */
907 #define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff)
908 
909 #define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t)0x00c00000)
910 #define PSA_ALG_HMAC_BASE ((psa_algorithm_t)0x03800000)
911 /** Macro to build an HMAC algorithm.
912  *
913  * For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256.
914  *
915  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
916  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
917  *
918  * \return The corresponding HMAC algorithm.
919  * \return Unspecified if \p hash_alg is not a supported
920  * hash algorithm.
921  */
922 #define PSA_ALG_HMAC(hash_alg) \
923  (PSA_ALG_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
924 
925 #define PSA_ALG_HMAC_GET_HASH(hmac_alg) \
926  (PSA_ALG_CATEGORY_HASH | ((hmac_alg) & PSA_ALG_HASH_MASK))
927 
928 /** Whether the specified algorithm is an HMAC algorithm.
929  *
930  * HMAC is a family of MAC algorithms that are based on a hash function.
931  *
932  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
933  *
934  * \return 1 if \p alg is an HMAC algorithm, 0 otherwise.
935  * This macro may return either 0 or 1 if \p alg is not a supported
936  * algorithm identifier.
937  */
938 #define PSA_ALG_IS_HMAC(alg) \
939  (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
940  PSA_ALG_HMAC_BASE)
941 
942 /* In the encoding of a MAC algorithm, the bits corresponding to
943  * PSA_ALG_MAC_TRUNCATION_MASK encode the length to which the MAC is
944  * truncated. As an exception, the value 0 means the untruncated algorithm,
945  * whatever its length is. The length is encoded in 6 bits, so it can
946  * reach up to 63; the largest MAC is 64 bytes so its trivial truncation
947  * to full length is correctly encoded as 0 and any non-trivial truncation
948  * is correctly encoded as a value between 1 and 63. */
949 #define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t)0x003f0000)
950 #define PSA_MAC_TRUNCATION_OFFSET 16
951 
952 /* In the encoding of a MAC algorithm, the bit corresponding to
953  * #PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
954  * is a wildcard algorithm. A key with such wildcard algorithm as permitted
955  * algorithm policy can be used with any algorithm corresponding to the
956  * same base class and having a (potentially truncated) MAC length greater or
957  * equal than the one encoded in #PSA_ALG_MAC_TRUNCATION_MASK. */
958 #define PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000)
959 
960 /** Macro to build a truncated MAC algorithm.
961  *
962  * A truncated MAC algorithm is identical to the corresponding MAC
963  * algorithm except that the MAC value for the truncated algorithm
964  * consists of only the first \p mac_length bytes of the MAC value
965  * for the untruncated algorithm.
966  *
967  * \note This macro may allow constructing algorithm identifiers that
968  * are not valid, either because the specified length is larger
969  * than the untruncated MAC or because the specified length is
970  * smaller than permitted by the implementation.
971  *
972  * \note It is implementation-defined whether a truncated MAC that
973  * is truncated to the same length as the MAC of the untruncated
974  * algorithm is considered identical to the untruncated algorithm
975  * for policy comparison purposes.
976  *
977  * \param mac_alg A MAC algorithm identifier (value of type
978  * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
979  * is true). This may be a truncated or untruncated
980  * MAC algorithm.
981  * \param mac_length Desired length of the truncated MAC in bytes.
982  * This must be at most the full length of the MAC
983  * and must be at least an implementation-specified
984  * minimum. The implementation-specified minimum
985  * shall not be zero.
986  *
987  * \return The corresponding MAC algorithm with the specified
988  * length.
989  * \return Unspecified if \p mac_alg is not a supported
990  * MAC algorithm or if \p mac_length is too small or
991  * too large for the specified MAC algorithm.
992  */
993 #define PSA_ALG_TRUNCATED_MAC(mac_alg, mac_length) \
994  (((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
995  PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG)) | \
996  ((mac_length) << PSA_MAC_TRUNCATION_OFFSET & PSA_ALG_MAC_TRUNCATION_MASK))
997 
998 /** Macro to build the base MAC algorithm corresponding to a truncated
999  * MAC algorithm.
1000  *
1001  * \param mac_alg A MAC algorithm identifier (value of type
1002  * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1003  * is true). This may be a truncated or untruncated
1004  * MAC algorithm.
1005  *
1006  * \return The corresponding base MAC algorithm.
1007  * \return Unspecified if \p mac_alg is not a supported
1008  * MAC algorithm.
1009  */
1010 #define PSA_ALG_FULL_LENGTH_MAC(mac_alg) \
1011  ((mac_alg) & ~(PSA_ALG_MAC_TRUNCATION_MASK | \
1012  PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG))
1013 
1014 /** Length to which a MAC algorithm is truncated.
1015  *
1016  * \param mac_alg A MAC algorithm identifier (value of type
1017  * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1018  * is true).
1019  *
1020  * \return Length of the truncated MAC in bytes.
1021  * \return 0 if \p mac_alg is a non-truncated MAC algorithm.
1022  * \return Unspecified if \p mac_alg is not a supported
1023  * MAC algorithm.
1024  */
1025 #define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \
1026  (((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET)
1027 
1028 /** Macro to build a MAC minimum-MAC-length wildcard algorithm.
1029  *
1030  * A minimum-MAC-length MAC wildcard algorithm permits all MAC algorithms
1031  * sharing the same base algorithm, and where the (potentially truncated) MAC
1032  * length of the specific algorithm is equal to or larger then the wildcard
1033  * algorithm's minimum MAC length.
1034  *
1035  * \note When setting the minimum required MAC length to less than the
1036  * smallest MAC length allowed by the base algorithm, this effectively
1037  * becomes an 'any-MAC-length-allowed' policy for that base algorithm.
1038  *
1039  * \param mac_alg A MAC algorithm identifier (value of type
1040  * #psa_algorithm_t such that #PSA_ALG_IS_MAC(\p mac_alg)
1041  * is true).
1042  * \param min_mac_length Desired minimum length of the message authentication
1043  * code in bytes. This must be at most the untruncated
1044  * length of the MAC and must be at least 1.
1045  *
1046  * \return The corresponding MAC wildcard algorithm with the
1047  * specified minimum length.
1048  * \return Unspecified if \p mac_alg is not a supported MAC
1049  * algorithm or if \p min_mac_length is less than 1 or
1050  * too large for the specified MAC algorithm.
1051  */
1052 #define PSA_ALG_AT_LEAST_THIS_LENGTH_MAC(mac_alg, min_mac_length) \
1053  ( PSA_ALG_TRUNCATED_MAC(mac_alg, min_mac_length) | \
1054  PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG )
1055 
1056 #define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000)
1057 /** The CBC-MAC construction over a block cipher
1058  *
1059  * \warning CBC-MAC is insecure in many cases.
1060  * A more secure mode, such as #PSA_ALG_CMAC, is recommended.
1061  */
1062 #define PSA_ALG_CBC_MAC ((psa_algorithm_t)0x03c00100)
1063 /** The CMAC construction over a block cipher */
1064 #define PSA_ALG_CMAC ((psa_algorithm_t)0x03c00200)
1065 
1066 /** Whether the specified algorithm is a MAC algorithm based on a block cipher.
1067  *
1068  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1069  *
1070  * \return 1 if \p alg is a MAC algorithm based on a block cipher, 0 otherwise.
1071  * This macro may return either 0 or 1 if \p alg is not a supported
1072  * algorithm identifier.
1073  */
1074 #define PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) \
1075  (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_MAC_SUBCATEGORY_MASK)) == \
1076  PSA_ALG_CIPHER_MAC_BASE)
1077 
1078 #define PSA_ALG_CIPHER_STREAM_FLAG ((psa_algorithm_t)0x00800000)
1079 #define PSA_ALG_CIPHER_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000)
1080 
1081 /** Whether the specified algorithm is a stream cipher.
1082  *
1083  * A stream cipher is a symmetric cipher that encrypts or decrypts messages
1084  * by applying a bitwise-xor with a stream of bytes that is generated
1085  * from a key.
1086  *
1087  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1088  *
1089  * \return 1 if \p alg is a stream cipher algorithm, 0 otherwise.
1090  * This macro may return either 0 or 1 if \p alg is not a supported
1091  * algorithm identifier or if it is not a symmetric cipher algorithm.
1092  */
1093 #define PSA_ALG_IS_STREAM_CIPHER(alg) \
1094  (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \
1095  (PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG))
1096 
1097 /** The stream cipher mode of a stream cipher algorithm.
1098  *
1099  * The underlying stream cipher is determined by the key type.
1100  * - To use ChaCha20, use a key type of #PSA_KEY_TYPE_CHACHA20.
1101  */
1102 #define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t)0x04800100)
1103 
1104 /** The CTR stream cipher mode.
1105  *
1106  * CTR is a stream cipher which is built from a block cipher.
1107  * The underlying block cipher is determined by the key type.
1108  * For example, to use AES-128-CTR, use this algorithm with
1109  * a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes).
1110  */
1111 #define PSA_ALG_CTR ((psa_algorithm_t)0x04c01000)
1112 
1113 /** The CFB stream cipher mode.
1114  *
1115  * The underlying block cipher is determined by the key type.
1116  */
1117 #define PSA_ALG_CFB ((psa_algorithm_t)0x04c01100)
1118 
1119 /** The OFB stream cipher mode.
1120  *
1121  * The underlying block cipher is determined by the key type.
1122  */
1123 #define PSA_ALG_OFB ((psa_algorithm_t)0x04c01200)
1124 
1125 /** The XTS cipher mode.
1126  *
1127  * XTS is a cipher mode which is built from a block cipher. It requires at
1128  * least one full block of input, but beyond this minimum the input
1129  * does not need to be a whole number of blocks.
1130  */
1131 #define PSA_ALG_XTS ((psa_algorithm_t)0x0440ff00)
1132 
1133 /** The Electronic Code Book (ECB) mode of a block cipher, with no padding.
1134  *
1135  * \warning ECB mode does not protect the confidentiality of the encrypted data
1136  * except in extremely narrow circumstances. It is recommended that applications
1137  * only use ECB if they need to construct an operating mode that the
1138  * implementation does not provide. Implementations are encouraged to provide
1139  * the modes that applications need in preference to supporting direct access
1140  * to ECB.
1141  *
1142  * The underlying block cipher is determined by the key type.
1143  *
1144  * This symmetric cipher mode can only be used with messages whose lengths are a
1145  * multiple of the block size of the chosen block cipher.
1146  *
1147  * ECB mode does not accept an initialization vector (IV). When using a
1148  * multi-part cipher operation with this algorithm, psa_cipher_generate_iv()
1149  * and psa_cipher_set_iv() must not be called.
1150  */
1151 #define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t)0x04404400)
1152 
1153 /** The CBC block cipher chaining mode, with no padding.
1154  *
1155  * The underlying block cipher is determined by the key type.
1156  *
1157  * This symmetric cipher mode can only be used with messages whose lengths
1158  * are whole number of blocks for the chosen block cipher.
1159  */
1160 #define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04404000)
1161 
1162 /** The CBC block cipher chaining mode with PKCS#7 padding.
1163  *
1164  * The underlying block cipher is determined by the key type.
1165  *
1166  * This is the padding method defined by PKCS#7 (RFC 2315) &sect;10.3.
1167  */
1168 #define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04404100)
1169 
1170 #define PSA_ALG_AEAD_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000)
1171 
1172 /** Whether the specified algorithm is an AEAD mode on a block cipher.
1173  *
1174  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1175  *
1176  * \return 1 if \p alg is an AEAD algorithm which is an AEAD mode based on
1177  * a block cipher, 0 otherwise.
1178  * This macro may return either 0 or 1 if \p alg is not a supported
1179  * algorithm identifier.
1180  */
1181 #define PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) \
1182  (((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_AEAD_FROM_BLOCK_FLAG)) == \
1183  (PSA_ALG_CATEGORY_AEAD | PSA_ALG_AEAD_FROM_BLOCK_FLAG))
1184 
1185 /** The CCM authenticated encryption algorithm.
1186  *
1187  * The underlying block cipher is determined by the key type.
1188  */
1189 #define PSA_ALG_CCM ((psa_algorithm_t)0x05500100)
1190 
1191 /** The GCM authenticated encryption algorithm.
1192  *
1193  * The underlying block cipher is determined by the key type.
1194  */
1195 #define PSA_ALG_GCM ((psa_algorithm_t)0x05500200)
1196 
1197 /** The Chacha20-Poly1305 AEAD algorithm.
1198  *
1199  * The ChaCha20_Poly1305 construction is defined in RFC 7539.
1200  *
1201  * Implementations must support 12-byte nonces, may support 8-byte nonces,
1202  * and should reject other sizes.
1203  *
1204  * Implementations must support 16-byte tags and should reject other sizes.
1205  */
1206 #define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500)
1207 
1208 /* In the encoding of a AEAD algorithm, the bits corresponding to
1209  * PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag.
1210  * The constants for default lengths follow this encoding.
1211  */
1212 #define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t)0x003f0000)
1213 #define PSA_AEAD_TAG_LENGTH_OFFSET 16
1214 
1215 /* In the encoding of an AEAD algorithm, the bit corresponding to
1216  * #PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG encodes the fact that the algorithm
1217  * is a wildcard algorithm. A key with such wildcard algorithm as permitted
1218  * algorithm policy can be used with any algorithm corresponding to the
1219  * same base class and having a tag length greater than or equal to the one
1220  * encoded in #PSA_ALG_AEAD_TAG_LENGTH_MASK. */
1221 #define PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG ((psa_algorithm_t)0x00008000)
1222 
1223 /** Macro to build a shortened AEAD algorithm.
1224  *
1225  * A shortened AEAD algorithm is similar to the corresponding AEAD
1226  * algorithm, but has an authentication tag that consists of fewer bytes.
1227  * Depending on the algorithm, the tag length may affect the calculation
1228  * of the ciphertext.
1229  *
1230  * \param aead_alg An AEAD algorithm identifier (value of type
1231  * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p alg)
1232  * is true).
1233  * \param tag_length Desired length of the authentication tag in bytes.
1234  *
1235  * \return The corresponding AEAD algorithm with the specified
1236  * length.
1237  * \return Unspecified if \p alg is not a supported
1238  * AEAD algorithm or if \p tag_length is not valid
1239  * for the specified AEAD algorithm.
1240  */
1241 #define PSA_ALG_AEAD_WITH_TAG_LENGTH(aead_alg, tag_length) \
1242  (((aead_alg) & ~PSA_ALG_AEAD_TAG_LENGTH_MASK) | \
1243  ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \
1244  PSA_ALG_AEAD_TAG_LENGTH_MASK))
1245 
1246 /** Macro to build a shortened AEAD algorithm.
1247  *
1248  * A shortened AEAD algorithm is similar to the corresponding AEAD
1249  * algorithm, but has an authentication tag that consists of fewer bytes.
1250  * Depending on the algorithm, the tag length may affect the calculation
1251  * of the ciphertext.
1252  *
1253  * \param aead_alg An AEAD algorithm identifier (value of type
1254  * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
1255  * is true).
1256  * \param tag_length Desired length of the authentication tag in bytes.
1257  *
1258  * \return The corresponding AEAD algorithm with the specified
1259  * length.
1260  * \return Unspecified if \p aead_alg is not a supported
1261  * AEAD algorithm or if \p tag_length is not valid
1262  * for the specified AEAD algorithm.
1263  */
1264 #define PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, tag_length) \
1265  (((aead_alg) & ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | \
1266  PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)) | \
1267  ((tag_length) << PSA_AEAD_TAG_LENGTH_OFFSET & \
1268  PSA_ALG_AEAD_TAG_LENGTH_MASK))
1269 
1270 /** Retrieve the tag length of a specified AEAD algorithm
1271  *
1272  * \param aead_alg An AEAD algorithm identifier (value of type
1273  * #psa_algorithm_t such that #PSA_ALG_IS_AEAD(\p aead_alg)
1274  * is true).
1275  *
1276  * \return The tag length specified by the input algorithm.
1277  * \return Unspecified if \p aead_alg is not a supported
1278  * AEAD algorithm.
1279  */
1280 #define PSA_ALG_AEAD_GET_TAG_LENGTH(aead_alg) \
1281  (((aead_alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> \
1282  PSA_AEAD_TAG_LENGTH_OFFSET )
1283 
1284 /** Calculate the corresponding AEAD algorithm with the default tag length.
1285  *
1286  * \param aead_alg An AEAD algorithm (\c PSA_ALG_XXX value such that
1287  * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
1288  *
1289  * \return The corresponding AEAD algorithm with the default
1290  * tag length for that algorithm.
1291  */
1292 #define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(aead_alg) \
1293  ( \
1294  PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CCM) \
1295  PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_GCM) \
1296  PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, PSA_ALG_CHACHA20_POLY1305) \
1297  0)
1298 #define PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG_CASE(aead_alg, ref) \
1299  PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, 0) == \
1300  PSA_ALG_AEAD_WITH_SHORTENED_TAG(ref, 0) ? \
1301  ref :
1302 
1303 /** Macro to build an AEAD minimum-tag-length wildcard algorithm.
1304  *
1305  * A minimum-tag-length AEAD wildcard algorithm permits all AEAD algorithms
1306  * sharing the same base algorithm, and where the tag length of the specific
1307  * algorithm is equal to or larger then the minimum tag length specified by the
1308  * wildcard algorithm.
1309  *
1310  * \note When setting the minimum required tag length to less than the
1311  * smallest tag length allowed by the base algorithm, this effectively
1312  * becomes an 'any-tag-length-allowed' policy for that base algorithm.
1313  *
1314  * \param aead_alg An AEAD algorithm identifier (value of type
1315  * #psa_algorithm_t such that
1316  * #PSA_ALG_IS_AEAD(\p aead_alg) is true).
1317  * \param min_tag_length Desired minimum length of the authentication tag in
1318  * bytes. This must be at least 1 and at most the largest
1319  * allowed tag length of the algorithm.
1320  *
1321  * \return The corresponding AEAD wildcard algorithm with the
1322  * specified minimum length.
1323  * \return Unspecified if \p aead_alg is not a supported
1324  * AEAD algorithm or if \p min_tag_length is less than 1
1325  * or too large for the specified AEAD algorithm.
1326  */
1327 #define PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG(aead_alg, min_tag_length) \
1328  ( PSA_ALG_AEAD_WITH_SHORTENED_TAG(aead_alg, min_tag_length) | \
1329  PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG )
1330 
1331 #define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200)
1332 /** RSA PKCS#1 v1.5 signature with hashing.
1333  *
1334  * This is the signature scheme defined by RFC 8017
1335  * (PKCS#1: RSA Cryptography Specifications) under the name
1336  * RSASSA-PKCS1-v1_5.
1337  *
1338  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1339  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1340  * This includes #PSA_ALG_ANY_HASH
1341  * when specifying the algorithm in a usage policy.
1342  *
1343  * \return The corresponding RSA PKCS#1 v1.5 signature algorithm.
1344  * \return Unspecified if \p hash_alg is not a supported
1345  * hash algorithm.
1346  */
1347 #define PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg) \
1348  (PSA_ALG_RSA_PKCS1V15_SIGN_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1349 /** Raw PKCS#1 v1.5 signature.
1350  *
1351  * The input to this algorithm is the DigestInfo structure used by
1352  * RFC 8017 (PKCS#1: RSA Cryptography Specifications), &sect;9.2
1353  * steps 3&ndash;6.
1354  */
1355 #define PSA_ALG_RSA_PKCS1V15_SIGN_RAW PSA_ALG_RSA_PKCS1V15_SIGN_BASE
1356 #define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) \
1357  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
1358 
1359 #define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300)
1360 /** RSA PSS signature with hashing.
1361  *
1362  * This is the signature scheme defined by RFC 8017
1363  * (PKCS#1: RSA Cryptography Specifications) under the name
1364  * RSASSA-PSS, with the message generation function MGF1, and with
1365  * a salt length equal to the length of the hash. The specified
1366  * hash algorithm is used to hash the input message, to create the
1367  * salted hash, and for the mask generation.
1368  *
1369  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1370  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1371  * This includes #PSA_ALG_ANY_HASH
1372  * when specifying the algorithm in a usage policy.
1373  *
1374  * \return The corresponding RSA PSS signature algorithm.
1375  * \return Unspecified if \p hash_alg is not a supported
1376  * hash algorithm.
1377  */
1378 #define PSA_ALG_RSA_PSS(hash_alg) \
1379  (PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1380 #define PSA_ALG_IS_RSA_PSS(alg) \
1381  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
1382 
1383 #define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)
1384 /** ECDSA signature with hashing.
1385  *
1386  * This is the ECDSA signature scheme defined by ANSI X9.62,
1387  * with a random per-message secret number (*k*).
1388  *
1389  * The representation of the signature as a byte string consists of
1390  * the concatentation of the signature values *r* and *s*. Each of
1391  * *r* and *s* is encoded as an *N*-octet string, where *N* is the length
1392  * of the base point of the curve in octets. Each value is represented
1393  * in big-endian order (most significant octet first).
1394  *
1395  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1396  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1397  * This includes #PSA_ALG_ANY_HASH
1398  * when specifying the algorithm in a usage policy.
1399  *
1400  * \return The corresponding ECDSA signature algorithm.
1401  * \return Unspecified if \p hash_alg is not a supported
1402  * hash algorithm.
1403  */
1404 #define PSA_ALG_ECDSA(hash_alg) \
1405  (PSA_ALG_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1406 /** ECDSA signature without hashing.
1407  *
1408  * This is the same signature scheme as #PSA_ALG_ECDSA(), but
1409  * without specifying a hash algorithm. This algorithm may only be
1410  * used to sign or verify a sequence of bytes that should be an
1411  * already-calculated hash. Note that the input is padded with
1412  * zeros on the left or truncated on the left as required to fit
1413  * the curve size.
1414  */
1415 #define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE
1416 #define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t)0x06000700)
1417 /** Deterministic ECDSA signature with hashing.
1418  *
1419  * This is the deterministic ECDSA signature scheme defined by RFC 6979.
1420  *
1421  * The representation of a signature is the same as with #PSA_ALG_ECDSA().
1422  *
1423  * Note that when this algorithm is used for verification, signatures
1424  * made with randomized ECDSA (#PSA_ALG_ECDSA(\p hash_alg)) with the
1425  * same private key are accepted. In other words,
1426  * #PSA_ALG_DETERMINISTIC_ECDSA(\p hash_alg) differs from
1427  * #PSA_ALG_ECDSA(\p hash_alg) only for signature, not for verification.
1428  *
1429  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1430  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1431  * This includes #PSA_ALG_ANY_HASH
1432  * when specifying the algorithm in a usage policy.
1433  *
1434  * \return The corresponding deterministic ECDSA signature
1435  * algorithm.
1436  * \return Unspecified if \p hash_alg is not a supported
1437  * hash algorithm.
1438  */
1439 #define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) \
1440  (PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1441 #define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t)0x00000100)
1442 #define PSA_ALG_IS_ECDSA(alg) \
1443  (((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_ECDSA_DETERMINISTIC_FLAG) == \
1444  PSA_ALG_ECDSA_BASE)
1445 #define PSA_ALG_ECDSA_IS_DETERMINISTIC(alg) \
1446  (((alg) & PSA_ALG_ECDSA_DETERMINISTIC_FLAG) != 0)
1447 #define PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) \
1448  (PSA_ALG_IS_ECDSA(alg) && PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
1449 #define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) \
1450  (PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
1451 
1452 /** Edwards-curve digital signature algorithm without prehashing (PureEdDSA),
1453  * using standard parameters.
1454  *
1455  * Contexts are not supported in the current version of this specification
1456  * because there is no suitable signature interface that can take the
1457  * context as a parameter. A future version of this specification may add
1458  * suitable functions and extend this algorithm to support contexts.
1459  *
1460  * PureEdDSA requires an elliptic curve key on a twisted Edwards curve.
1461  * In this specification, the following curves are supported:
1462  * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 255-bit: Ed25519 as specified
1463  * in RFC 8032.
1464  * The curve is Edwards25519.
1465  * The hash function used internally is SHA-512.
1466  * - #PSA_ECC_FAMILY_TWISTED_EDWARDS, 448-bit: Ed448 as specified
1467  * in RFC 8032.
1468  * The curve is Edwards448.
1469  * The hash function used internally is the first 114 bytes of the
1470  * SHAKE256 output.
1471  *
1472  * This algorithm can be used with psa_sign_message() and
1473  * psa_verify_message(). Since there is no prehashing, it cannot be used
1474  * with psa_sign_hash() or psa_verify_hash().
1475  *
1476  * The signature format is the concatenation of R and S as defined by
1477  * RFC 8032 §5.1.6 and §5.2.6 (a 64-byte string for Ed25519, a 114-byte
1478  * string for Ed448).
1479  */
1480 #define PSA_ALG_PURE_EDDSA ((psa_algorithm_t)0x06000800)
1481 
1482 #define PSA_ALG_HASH_EDDSA_BASE ((psa_algorithm_t)0x06000900)
1483 #define PSA_ALG_IS_HASH_EDDSA(alg) \
1484  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HASH_EDDSA_BASE)
1485 
1486 /** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
1487  * using SHA-512 and the Edwards25519 curve.
1488  *
1489  * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
1490  *
1491  * This algorithm is Ed25519 as specified in RFC 8032.
1492  * The curve is Edwards25519.
1493  * The prehash is SHA-512.
1494  * The hash function used internally is SHA-512.
1495  *
1496  * This is a hash-and-sign algorithm: to calculate a signature,
1497  * you can either:
1498  * - call psa_sign_message() on the message;
1499  * - or calculate the SHA-512 hash of the message
1500  * with psa_hash_compute()
1501  * or with a multi-part hash operation started with psa_hash_setup(),
1502  * using the hash algorithm #PSA_ALG_SHA_512,
1503  * then sign the calculated hash with psa_sign_hash().
1504  * Verifying a signature is similar, using psa_verify_message() or
1505  * psa_verify_hash() instead of the signature function.
1506  */
1507 #define PSA_ALG_ED25519PH \
1508  (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHA_512 & PSA_ALG_HASH_MASK))
1509 
1510 /** Edwards-curve digital signature algorithm with prehashing (HashEdDSA),
1511  * using SHAKE256 and the Edwards448 curve.
1512  *
1513  * See #PSA_ALG_PURE_EDDSA regarding context support and the signature format.
1514  *
1515  * This algorithm is Ed448 as specified in RFC 8032.
1516  * The curve is Edwards448.
1517  * The prehash is the first 64 bytes of the SHAKE256 output.
1518  * The hash function used internally is the first 114 bytes of the
1519  * SHAKE256 output.
1520  *
1521  * This is a hash-and-sign algorithm: to calculate a signature,
1522  * you can either:
1523  * - call psa_sign_message() on the message;
1524  * - or calculate the first 64 bytes of the SHAKE256 output of the message
1525  * with psa_hash_compute()
1526  * or with a multi-part hash operation started with psa_hash_setup(),
1527  * using the hash algorithm #PSA_ALG_SHAKE256_512,
1528  * then sign the calculated hash with psa_sign_hash().
1529  * Verifying a signature is similar, using psa_verify_message() or
1530  * psa_verify_hash() instead of the signature function.
1531  */
1532 #define PSA_ALG_ED448PH \
1533  (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_512 & PSA_ALG_HASH_MASK))
1534 
1535 /* Default definition, to be overridden if the library is extended with
1536  * more hash-and-sign algorithms that we want to keep out of this header
1537  * file. */
1538 #define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0
1539 
1540 /** Whether the specified algorithm is a hash-and-sign algorithm.
1541  *
1542  * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
1543  * structured in two parts: first the calculation of a hash in a way that
1544  * does not depend on the key, then the calculation of a signature from the
1545  * hash value and the key.
1546  *
1547  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1548  *
1549  * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
1550  * This macro may return either 0 or 1 if \p alg is not a supported
1551  * algorithm identifier.
1552  */
1553 #define PSA_ALG_IS_HASH_AND_SIGN(alg) \
1554  (PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
1555  PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \
1556  PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
1557 
1558 /** Whether the specified algorithm is a signature algorithm that can be used
1559  * with psa_sign_message() and psa_verify_message().
1560  *
1561  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1562  *
1563  * \return 1 if alg is a signature algorithm that can be used to sign a
1564  * message. 0 if \p alg is a signature algorithm that can only be used
1565  * to sign an already-calculated hash. 0 if \p alg is not a signature
1566  * algorithm. This macro can return either 0 or 1 if \p alg is not a
1567  * supported algorithm identifier.
1568  */
1569 #define PSA_ALG_IS_SIGN_MESSAGE(alg) \
1570  (PSA_ALG_IS_HASH_AND_SIGN(alg) || (alg) == PSA_ALG_PURE_EDDSA )
1571 
1572 /** Get the hash used by a hash-and-sign signature algorithm.
1573  *
1574  * A hash-and-sign algorithm is a signature algorithm which is
1575  * composed of two phases: first a hashing phase which does not use
1576  * the key and produces a hash of the input message, then a signing
1577  * phase which only uses the hash and the key and not the message
1578  * itself.
1579  *
1580  * \param alg A signature algorithm (\c PSA_ALG_XXX value such that
1581  * #PSA_ALG_IS_SIGN(\p alg) is true).
1582  *
1583  * \return The underlying hash algorithm if \p alg is a hash-and-sign
1584  * algorithm.
1585  * \return 0 if \p alg is a signature algorithm that does not
1586  * follow the hash-and-sign structure.
1587  * \return Unspecified if \p alg is not a signature algorithm or
1588  * if it is not supported by the implementation.
1589  */
1590 #define PSA_ALG_SIGN_GET_HASH(alg) \
1591  (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
1592  ((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 : \
1593  ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
1594  0)
1595 
1596 /** RSA PKCS#1 v1.5 encryption.
1597  */
1598 #define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x07000200)
1599 
1600 #define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t)0x07000300)
1601 /** RSA OAEP encryption.
1602  *
1603  * This is the encryption scheme defined by RFC 8017
1604  * (PKCS#1: RSA Cryptography Specifications) under the name
1605  * RSAES-OAEP, with the message generation function MGF1.
1606  *
1607  * \param hash_alg The hash algorithm (\c PSA_ALG_XXX value such that
1608  * #PSA_ALG_IS_HASH(\p hash_alg) is true) to use
1609  * for MGF1.
1610  *
1611  * \return The corresponding RSA OAEP encryption algorithm.
1612  * \return Unspecified if \p hash_alg is not a supported
1613  * hash algorithm.
1614  */
1615 #define PSA_ALG_RSA_OAEP(hash_alg) \
1616  (PSA_ALG_RSA_OAEP_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1617 #define PSA_ALG_IS_RSA_OAEP(alg) \
1618  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_OAEP_BASE)
1619 #define PSA_ALG_RSA_OAEP_GET_HASH(alg) \
1620  (PSA_ALG_IS_RSA_OAEP(alg) ? \
1621  ((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
1622  0)
1623 
1624 #define PSA_ALG_HKDF_BASE ((psa_algorithm_t)0x08000100)
1625 /** Macro to build an HKDF algorithm.
1626  *
1627  * For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256.
1628  *
1629  * This key derivation algorithm uses the following inputs:
1630  * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the "extract" step.
1631  * It is optional; if omitted, the derivation uses an empty salt.
1632  * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the "extract" step.
1633  * - #PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the "expand" step.
1634  * You must pass #PSA_KEY_DERIVATION_INPUT_SALT before #PSA_KEY_DERIVATION_INPUT_SECRET.
1635  * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
1636  * starting to generate output.
1637  *
1638  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1639  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1640  *
1641  * \return The corresponding HKDF algorithm.
1642  * \return Unspecified if \p hash_alg is not a supported
1643  * hash algorithm.
1644  */
1645 #define PSA_ALG_HKDF(hash_alg) \
1646  (PSA_ALG_HKDF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1647 /** Whether the specified algorithm is an HKDF algorithm.
1648  *
1649  * HKDF is a family of key derivation algorithms that are based on a hash
1650  * function and the HMAC construction.
1651  *
1652  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1653  *
1654  * \return 1 if \c alg is an HKDF algorithm, 0 otherwise.
1655  * This macro may return either 0 or 1 if \c alg is not a supported
1656  * key derivation algorithm identifier.
1657  */
1658 #define PSA_ALG_IS_HKDF(alg) \
1659  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_HKDF_BASE)
1660 #define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \
1661  (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
1662 
1663 #define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t)0x08000200)
1664 /** Macro to build a TLS-1.2 PRF algorithm.
1665  *
1666  * TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule,
1667  * specified in Section 5 of RFC 5246. It is based on HMAC and can be
1668  * used with either SHA-256 or SHA-384.
1669  *
1670  * This key derivation algorithm uses the following inputs, which must be
1671  * passed in the order given here:
1672  * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
1673  * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
1674  * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
1675  *
1676  * For the application to TLS-1.2 key expansion, the seed is the
1677  * concatenation of ServerHello.Random + ClientHello.Random,
1678  * and the label is "key expansion".
1679  *
1680  * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the
1681  * TLS 1.2 PRF using HMAC-SHA-256.
1682  *
1683  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1684  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1685  *
1686  * \return The corresponding TLS-1.2 PRF algorithm.
1687  * \return Unspecified if \p hash_alg is not a supported
1688  * hash algorithm.
1689  */
1690 #define PSA_ALG_TLS12_PRF(hash_alg) \
1691  (PSA_ALG_TLS12_PRF_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1692 
1693 /** Whether the specified algorithm is a TLS-1.2 PRF algorithm.
1694  *
1695  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1696  *
1697  * \return 1 if \c alg is a TLS-1.2 PRF algorithm, 0 otherwise.
1698  * This macro may return either 0 or 1 if \c alg is not a supported
1699  * key derivation algorithm identifier.
1700  */
1701 #define PSA_ALG_IS_TLS12_PRF(alg) \
1702  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PRF_BASE)
1703 #define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg) \
1704  (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
1705 
1706 #define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t)0x08000300)
1707 /** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.
1708  *
1709  * In a pure-PSK handshake in TLS 1.2, the master secret is derived
1710  * from the PreSharedKey (PSK) through the application of padding
1711  * (RFC 4279, Section 2) and the TLS-1.2 PRF (RFC 5246, Section 5).
1712  * The latter is based on HMAC and can be used with either SHA-256
1713  * or SHA-384.
1714  *
1715  * This key derivation algorithm uses the following inputs, which must be
1716  * passed in the order given here:
1717  * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
1718  * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
1719  * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
1720  *
1721  * For the application to TLS-1.2, the seed (which is
1722  * forwarded to the TLS-1.2 PRF) is the concatenation of the
1723  * ClientHello.Random + ServerHello.Random,
1724  * and the label is "master secret" or "extended master secret".
1725  *
1726  * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the
1727  * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
1728  *
1729  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1730  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1731  *
1732  * \return The corresponding TLS-1.2 PSK to MS algorithm.
1733  * \return Unspecified if \p hash_alg is not a supported
1734  * hash algorithm.
1735  */
1736 #define PSA_ALG_TLS12_PSK_TO_MS(hash_alg) \
1737  (PSA_ALG_TLS12_PSK_TO_MS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1738 
1739 /** Whether the specified algorithm is a TLS-1.2 PSK to MS algorithm.
1740  *
1741  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1742  *
1743  * \return 1 if \c alg is a TLS-1.2 PSK to MS algorithm, 0 otherwise.
1744  * This macro may return either 0 or 1 if \c alg is not a supported
1745  * key derivation algorithm identifier.
1746  */
1747 #define PSA_ALG_IS_TLS12_PSK_TO_MS(alg) \
1748  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_TLS12_PSK_TO_MS_BASE)
1749 #define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
1750  (PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
1751 
1752 /* This flag indicates whether the key derivation algorithm is suitable for
1753  * use on low-entropy secrets such as password - these algorithms are also
1754  * known as key stretching or password hashing schemes. These are also the
1755  * algorithms that accepts inputs of type #PSA_KEY_DERIVATION_INPUT_PASSWORD.
1756  *
1757  * Those algorithms cannot be combined with a key agreement algorithm.
1758  */
1759 #define PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG ((psa_algorithm_t)0x00800000)
1760 
1761 #define PSA_ALG_PBKDF2_HMAC_BASE ((psa_algorithm_t)0x08800100)
1762 /** Macro to build a PBKDF2-HMAC password hashing / key stretching algorithm.
1763  *
1764  * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
1765  * This macro specifies the PBKDF2 algorithm constructed using a PRF based on
1766  * HMAC with the specified hash.
1767  * For example, `PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA256)` specifies PBKDF2
1768  * using the PRF HMAC-SHA-256.
1769  *
1770  * This key derivation algorithm uses the following inputs, which must be
1771  * provided in the following order:
1772  * - #PSA_KEY_DERIVATION_INPUT_COST is the iteration count.
1773  * This input step must be used exactly once.
1774  * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt.
1775  * This input step must be used one or more times; if used several times, the
1776  * inputs will be concatenated. This can be used to build the final salt
1777  * from multiple sources, both public and secret (also known as pepper).
1778  * - #PSA_KEY_DERIVATION_INPUT_PASSWORD is the password to be hashed.
1779  * This input step must be used exactly once.
1780  *
1781  * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
1782  * #PSA_ALG_IS_HASH(\p hash_alg) is true).
1783  *
1784  * \return The corresponding PBKDF2-HMAC-XXX algorithm.
1785  * \return Unspecified if \p hash_alg is not a supported
1786  * hash algorithm.
1787  */
1788 #define PSA_ALG_PBKDF2_HMAC(hash_alg) \
1789  (PSA_ALG_PBKDF2_HMAC_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
1790 
1791 /** Whether the specified algorithm is a PBKDF2-HMAC algorithm.
1792  *
1793  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1794  *
1795  * \return 1 if \c alg is a PBKDF2-HMAC algorithm, 0 otherwise.
1796  * This macro may return either 0 or 1 if \c alg is not a supported
1797  * key derivation algorithm identifier.
1798  */
1799 #define PSA_ALG_IS_PBKDF2_HMAC(alg) \
1800  (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE)
1801 
1802 /** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm.
1803  *
1804  * PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).
1805  * This macro specifies the PBKDF2 algorithm constructed using the
1806  * AES-CMAC-PRF-128 PRF specified by RFC 4615.
1807  *
1808  * This key derivation algorithm uses the same inputs as
1809  * #PSA_ALG_PBKDF2_HMAC() with the same constraints.
1810  */
1811 #define PSA_ALG_PBKDF2_AES_CMAC_PRF_128 ((psa_algorithm_t)0x08800200)
1812 
1813 #define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff)
1814 #define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000)
1815 
1816 /** Macro to build a combined algorithm that chains a key agreement with
1817  * a key derivation.
1818  *
1819  * \param ka_alg A key agreement algorithm (\c PSA_ALG_XXX value such
1820  * that #PSA_ALG_IS_KEY_AGREEMENT(\p ka_alg) is true).
1821  * \param kdf_alg A key derivation algorithm (\c PSA_ALG_XXX value such
1822  * that #PSA_ALG_IS_KEY_DERIVATION(\p kdf_alg) is true).
1823  *
1824  * \return The corresponding key agreement and derivation
1825  * algorithm.
1826  * \return Unspecified if \p ka_alg is not a supported
1827  * key agreement algorithm or \p kdf_alg is not a
1828  * supported key derivation algorithm.
1829  */
1830 #define PSA_ALG_KEY_AGREEMENT(ka_alg, kdf_alg) \
1831  ((ka_alg) | (kdf_alg))
1832 
1833 #define PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) \
1834  (((alg) & PSA_ALG_KEY_DERIVATION_MASK) | PSA_ALG_CATEGORY_KEY_DERIVATION)
1835 
1836 #define PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) \
1837  (((alg) & PSA_ALG_KEY_AGREEMENT_MASK) | PSA_ALG_CATEGORY_KEY_AGREEMENT)
1838 
1839 /** Whether the specified algorithm is a raw key agreement algorithm.
1840  *
1841  * A raw key agreement algorithm is one that does not specify
1842  * a key derivation function.
1843  * Usually, raw key agreement algorithms are constructed directly with
1844  * a \c PSA_ALG_xxx macro while non-raw key agreement algorithms are
1845  * constructed with #PSA_ALG_KEY_AGREEMENT().
1846  *
1847  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1848  *
1849  * \return 1 if \p alg is a raw key agreement algorithm, 0 otherwise.
1850  * This macro may return either 0 or 1 if \p alg is not a supported
1851  * algorithm identifier.
1852  */
1853 #define PSA_ALG_IS_RAW_KEY_AGREEMENT(alg) \
1854  (PSA_ALG_IS_KEY_AGREEMENT(alg) && \
1855  PSA_ALG_KEY_AGREEMENT_GET_KDF(alg) == PSA_ALG_CATEGORY_KEY_DERIVATION)
1856 
1857 #define PSA_ALG_IS_KEY_DERIVATION_OR_AGREEMENT(alg) \
1858  ((PSA_ALG_IS_KEY_DERIVATION(alg) || PSA_ALG_IS_KEY_AGREEMENT(alg)))
1859 
1860 /** The finite-field Diffie-Hellman (DH) key agreement algorithm.
1861  *
1862  * The shared secret produced by key agreement is
1863  * `g^{ab}` in big-endian format.
1864  * It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p`
1865  * in bits.
1866  */
1867 #define PSA_ALG_FFDH ((psa_algorithm_t)0x09010000)
1868 
1869 /** Whether the specified algorithm is a finite field Diffie-Hellman algorithm.
1870  *
1871  * This includes the raw finite field Diffie-Hellman algorithm as well as
1872  * finite-field Diffie-Hellman followed by any supporter key derivation
1873  * algorithm.
1874  *
1875  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1876  *
1877  * \return 1 if \c alg is a finite field Diffie-Hellman algorithm, 0 otherwise.
1878  * This macro may return either 0 or 1 if \c alg is not a supported
1879  * key agreement algorithm identifier.
1880  */
1881 #define PSA_ALG_IS_FFDH(alg) \
1882  (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_FFDH)
1883 
1884 /** The elliptic curve Diffie-Hellman (ECDH) key agreement algorithm.
1885  *
1886  * The shared secret produced by key agreement is the x-coordinate of
1887  * the shared secret point. It is always `ceiling(m / 8)` bytes long where
1888  * `m` is the bit size associated with the curve, i.e. the bit size of the
1889  * order of the curve's coordinate field. When `m` is not a multiple of 8,
1890  * the byte containing the most significant bit of the shared secret
1891  * is padded with zero bits. The byte order is either little-endian
1892  * or big-endian depending on the curve type.
1893  *
1894  * - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`),
1895  * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
1896  * in little-endian byte order.
1897  * The bit size is 448 for Curve448 and 255 for Curve25519.
1898  * - For Weierstrass curves over prime fields (curve types
1899  * `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`),
1900  * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
1901  * in big-endian byte order.
1902  * The bit size is `m = ceiling(log_2(p))` for the field `F_p`.
1903  * - For Weierstrass curves over binary fields (curve types
1904  * `PSA_ECC_FAMILY_SECTXXX`),
1905  * the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
1906  * in big-endian byte order.
1907  * The bit size is `m` for the field `F_{2^m}`.
1908  */
1909 #define PSA_ALG_ECDH ((psa_algorithm_t)0x09020000)
1910 
1911 /** Whether the specified algorithm is an elliptic curve Diffie-Hellman
1912  * algorithm.
1913  *
1914  * This includes the raw elliptic curve Diffie-Hellman algorithm as well as
1915  * elliptic curve Diffie-Hellman followed by any supporter key derivation
1916  * algorithm.
1917  *
1918  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1919  *
1920  * \return 1 if \c alg is an elliptic curve Diffie-Hellman algorithm,
1921  * 0 otherwise.
1922  * This macro may return either 0 or 1 if \c alg is not a supported
1923  * key agreement algorithm identifier.
1924  */
1925 #define PSA_ALG_IS_ECDH(alg) \
1926  (PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH)
1927 
1928 /** Whether the specified algorithm encoding is a wildcard.
1929  *
1930  * Wildcard values may only be used to set the usage algorithm field in
1931  * a policy, not to perform an operation.
1932  *
1933  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1934  *
1935  * \return 1 if \c alg is a wildcard algorithm encoding.
1936  * \return 0 if \c alg is a non-wildcard algorithm encoding (suitable for
1937  * an operation).
1938  * \return This macro may return either 0 or 1 if \c alg is not a supported
1939  * algorithm identifier.
1940  */
1941 #define PSA_ALG_IS_WILDCARD(alg) \
1942  (PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
1943  PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \
1944  PSA_ALG_IS_MAC(alg) ? \
1945  (alg & PSA_ALG_MAC_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
1946  PSA_ALG_IS_AEAD(alg) ? \
1947  (alg & PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG) != 0 : \
1948  (alg) == PSA_ALG_ANY_HASH)
1949 
1950 /** Get the hash used by a composite algorithm.
1951  *
1952  * \param alg An algorithm identifier (value of type #psa_algorithm_t).
1953  *
1954  * \return The underlying hash algorithm if alg is a composite algorithm that
1955  * uses a hash algorithm.
1956  *
1957  * \return \c 0 if alg is not a composite algorithm that uses a hash.
1958  */
1959 #define PSA_ALG_GET_HASH(alg) \
1960  (((alg) & 0x000000ff) == 0 ? ((psa_algorithm_t)0) : 0x02000000 | ((alg) & 0x000000ff))
1961 
1962 /**@}*/
1963 
1964 /** \defgroup key_lifetimes Key lifetimes
1965  * @{
1966  */
1967 
1968 /** The default lifetime for volatile keys.
1969  *
1970  * A volatile key only exists as long as the identifier to it is not destroyed.
1971  * The key material is guaranteed to be erased on a power reset.
1972  *
1973  * A key with this lifetime is typically stored in the RAM area of the
1974  * PSA Crypto subsystem. However this is an implementation choice.
1975  * If an implementation stores data about the key in a non-volatile memory,
1976  * it must release all the resources associated with the key and erase the
1977  * key material if the calling application terminates.
1978  */
1979 #define PSA_KEY_LIFETIME_VOLATILE ((psa_key_lifetime_t)0x00000000)
1980 
1981 /** The default lifetime for persistent keys.
1982  *
1983  * A persistent key remains in storage until it is explicitly destroyed or
1984  * until the corresponding storage area is wiped. This specification does
1985  * not define any mechanism to wipe a storage area, but integrations may
1986  * provide their own mechanism (for example to perform a factory reset,
1987  * to prepare for device refurbishment, or to uninstall an application).
1988  *
1989  * This lifetime value is the default storage area for the calling
1990  * application. Integrations of Mbed TLS may support other persistent lifetimes.
1991  * See ::psa_key_lifetime_t for more information.
1992  */
1993 #define PSA_KEY_LIFETIME_PERSISTENT ((psa_key_lifetime_t)0x00000001)
1994 
1995 /** The persistence level of volatile keys.
1996  *
1997  * See ::psa_key_persistence_t for more information.
1998  */
1999 #define PSA_KEY_PERSISTENCE_VOLATILE ((psa_key_persistence_t)0x00)
2000 
2001 /** The default persistence level for persistent keys.
2002  *
2003  * See ::psa_key_persistence_t for more information.
2004  */
2005 #define PSA_KEY_PERSISTENCE_DEFAULT ((psa_key_persistence_t)0x01)
2006 
2007 /** A persistence level indicating that a key is never destroyed.
2008  *
2009  * See ::psa_key_persistence_t for more information.
2010  */
2011 #define PSA_KEY_PERSISTENCE_READ_ONLY ((psa_key_persistence_t)0xff)
2012 
2013 #define PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) \
2014  ((psa_key_persistence_t)((lifetime) & 0x000000ff))
2015 
2016 #define PSA_KEY_LIFETIME_GET_LOCATION(lifetime) \
2017  ((psa_key_location_t)((lifetime) >> 8))
2018 
2019 /** Whether a key lifetime indicates that the key is volatile.
2020  *
2021  * A volatile key is automatically destroyed by the implementation when
2022  * the application instance terminates. In particular, a volatile key
2023  * is automatically destroyed on a power reset of the device.
2024  *
2025  * A key that is not volatile is persistent. Persistent keys are
2026  * preserved until the application explicitly destroys them or until an
2027  * implementation-specific device management event occurs (for example,
2028  * a factory reset).
2029  *
2030  * \param lifetime The lifetime value to query (value of type
2031  * ::psa_key_lifetime_t).
2032  *
2033  * \return \c 1 if the key is volatile, otherwise \c 0.
2034  */
2035 #define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \
2036  (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
2037  PSA_KEY_PERSISTENCE_VOLATILE)
2038 
2039 /** Whether a key lifetime indicates that the key is read-only.
2040  *
2041  * Read-only keys cannot be created or destroyed through the PSA Crypto API.
2042  * They must be created through platform-specific means that bypass the API.
2043  *
2044  * Some platforms may offer ways to destroy read-only keys. For example,
2045  * consider a platform with multiple levels of privilege, where a
2046  * low-privilege application can use a key but is not allowed to destroy
2047  * it, and the platform exposes the key to the application with a read-only
2048  * lifetime. High-privilege code can destroy the key even though the
2049  * application sees the key as read-only.
2050  *
2051  * \param lifetime The lifetime value to query (value of type
2052  * ::psa_key_lifetime_t).
2053  *
2054  * \return \c 1 if the key is read-only, otherwise \c 0.
2055  */
2056 #define PSA_KEY_LIFETIME_IS_READ_ONLY(lifetime) \
2057  (PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
2058  PSA_KEY_PERSISTENCE_READ_ONLY)
2059 
2060 /** Construct a lifetime from a persistence level and a location.
2061  *
2062  * \param persistence The persistence level
2063  * (value of type ::psa_key_persistence_t).
2064  * \param location The location indicator
2065  * (value of type ::psa_key_location_t).
2066  *
2067  * \return The constructed lifetime value.
2068  */
2069 #define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence, location) \
2070  ((location) << 8 | (persistence))
2071 
2072 /** The local storage area for persistent keys.
2073  *
2074  * This storage area is available on all systems that can store persistent
2075  * keys without delegating the storage to a third-party cryptoprocessor.
2076  *
2077  * See ::psa_key_location_t for more information.
2078  */
2079 #define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t)0x000000)
2080 
2081 #define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)
2082 
2083 /** The minimum value for a key identifier chosen by the application.
2084  */
2085 #define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)
2086 /** The maximum value for a key identifier chosen by the application.
2087  */
2088 #define PSA_KEY_ID_USER_MAX ((psa_key_id_t)0x3fffffff)
2089 /** The minimum value for a key identifier chosen by the implementation.
2090  */
2091 #define PSA_KEY_ID_VENDOR_MIN ((psa_key_id_t)0x40000000)
2092 /** The maximum value for a key identifier chosen by the implementation.
2093  */
2094 #define PSA_KEY_ID_VENDOR_MAX ((psa_key_id_t)0x7fffffff)
2095 
2096 /**@}*/
2097 
2098 /** \defgroup policy Key policies
2099  * @{
2100  */
2101 
2102 /** Whether the key may be exported.
2103  *
2104  * A public key or the public part of a key pair may always be exported
2105  * regardless of the value of this permission flag.
2106  *
2107  * If a key does not have export permission, implementations shall not
2108  * allow the key to be exported in plain form from the cryptoprocessor,
2109  * whether through psa_export_key() or through a proprietary interface.
2110  * The key may however be exportable in a wrapped form, i.e. in a form
2111  * where it is encrypted by another key.
2112  */
2113 #define PSA_KEY_USAGE_EXPORT ((psa_key_usage_t)0x00000001)
2114 
2115 /** Whether the key may be copied.
2116  *
2117  * This flag allows the use of psa_copy_key() to make a copy of the key
2118  * with the same policy or a more restrictive policy.
2119  *
2120  * For lifetimes for which the key is located in a secure element which
2121  * enforce the non-exportability of keys, copying a key outside the secure
2122  * element also requires the usage flag #PSA_KEY_USAGE_EXPORT.
2123  * Copying the key inside the secure element is permitted with just
2124  * #PSA_KEY_USAGE_COPY if the secure element supports it.
2125  * For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or
2126  * #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY
2127  * is sufficient to permit the copy.
2128  */
2129 #define PSA_KEY_USAGE_COPY ((psa_key_usage_t)0x00000002)
2130 
2131 /** Whether the key may be used to encrypt a message.
2132  *
2133  * This flag allows the key to be used for a symmetric encryption operation,
2134  * for an AEAD encryption-and-authentication operation,
2135  * or for an asymmetric encryption operation,
2136  * if otherwise permitted by the key's type and policy.
2137  *
2138  * For a key pair, this concerns the public key.
2139  */
2140 #define PSA_KEY_USAGE_ENCRYPT ((psa_key_usage_t)0x00000100)
2141 
2142 /** Whether the key may be used to decrypt a message.
2143  *
2144  * This flag allows the key to be used for a symmetric decryption operation,
2145  * for an AEAD decryption-and-verification operation,
2146  * or for an asymmetric decryption operation,
2147  * if otherwise permitted by the key's type and policy.
2148  *
2149  * For a key pair, this concerns the private key.
2150  */
2151 #define PSA_KEY_USAGE_DECRYPT ((psa_key_usage_t)0x00000200)
2152 
2153 /** Whether the key may be used to sign a message.
2154  *
2155  * This flag allows the key to be used for a MAC calculation operation or for
2156  * an asymmetric message signature operation, if otherwise permitted by the
2157  * key’s type and policy.
2158  *
2159  * For a key pair, this concerns the private key.
2160  */
2161 #define PSA_KEY_USAGE_SIGN_MESSAGE ((psa_key_usage_t)0x00000400)
2162 
2163 /** Whether the key may be used to verify a message.
2164  *
2165  * This flag allows the key to be used for a MAC verification operation or for
2166  * an asymmetric message signature verification operation, if otherwise
2167  * permitted by the key’s type and policy.
2168  *
2169  * For a key pair, this concerns the public key.
2170  */
2171 #define PSA_KEY_USAGE_VERIFY_MESSAGE ((psa_key_usage_t)0x00000800)
2172 
2173 /** Whether the key may be used to sign a message.
2174  *
2175  * This flag allows the key to be used for a MAC calculation operation
2176  * or for an asymmetric signature operation,
2177  * if otherwise permitted by the key's type and policy.
2178  *
2179  * For a key pair, this concerns the private key.
2180  */
2181 #define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000)
2182 
2183 /** Whether the key may be used to verify a message signature.
2184  *
2185  * This flag allows the key to be used for a MAC verification operation
2186  * or for an asymmetric signature verification operation,
2187  * if otherwise permitted by by the key's type and policy.
2188  *
2189  * For a key pair, this concerns the public key.
2190  */
2191 #define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000)
2192 
2193 /** Whether the key may be used to derive other keys or produce a password
2194  * hash.
2195  *
2196  * This flag allows the key to be used for a key derivation operation or for
2197  * a key agreement operation, if otherwise permitted by by the key's type and
2198  * policy.
2199  *
2200  * If this flag is present on all keys used in calls to
2201  * psa_key_derivation_input_key() for a key derivation operation, then it
2202  * permits calling psa_key_derivation_output_bytes() or
2203  * psa_key_derivation_output_key() at the end of the operation.
2204  */
2205 #define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)
2206 
2207 /** Whether the key may be used to verify the result of a key derivation,
2208  * including password hashing.
2209  *
2210  * This flag allows the key to be used:
2211  *
2212  * This flag allows the key to be used in a key derivation operation, if
2213  * otherwise permitted by by the key's type and policy.
2214  *
2215  * If this flag is present on all keys used in calls to
2216  * psa_key_derivation_input_key() for a key derivation operation, then it
2217  * permits calling psa_key_derivation_verify_bytes() or
2218  * psa_key_derivation_verify_key() at the end of the operation.
2219  */
2220 #define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)
2221 
2222 /**@}*/
2223 
2224 /** \defgroup derivation Key derivation
2225  * @{
2226  */
2227 
2228 /** A secret input for key derivation.
2229  *
2230  * This should be a key of type #PSA_KEY_TYPE_DERIVE
2231  * (passed to psa_key_derivation_input_key())
2232  * or the shared secret resulting from a key agreement
2233  * (obtained via psa_key_derivation_key_agreement()).
2234  *
2235  * The secret can also be a direct input (passed to
2236  * key_derivation_input_bytes()). In this case, the derivation operation
2237  * may not be used to derive keys: the operation will only allow
2238  * psa_key_derivation_output_bytes(),
2239  * psa_key_derivation_verify_bytes(), or
2240  * psa_key_derivation_verify_key(), but not
2241  * psa_key_derivation_output_key().
2242  */
2243 #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101)
2244 
2245 /** A low-entropy secret input for password hashing / key stretching.
2246  *
2247  * This is usually a key of type #PSA_KEY_TYPE_PASSWORD (passed to
2248  * psa_key_derivation_input_key()) or a direct input (passed to
2249  * psa_key_derivation_input_bytes()) that is a password or passphrase. It can
2250  * also be high-entropy secret such as a key of type #PSA_KEY_TYPE_DERIVE or
2251  * the shared secret resulting from a key agreement.
2252  *
2253  * The secret can also be a direct input (passed to
2254  * key_derivation_input_bytes()). In this case, the derivation operation
2255  * may not be used to derive keys: the operation will only allow
2256  * psa_key_derivation_output_bytes(),
2257  * psa_key_derivation_verify_bytes(), or
2258  * psa_key_derivation_verify_key(), but not
2259  * psa_key_derivation_output_key().
2260  */
2261 #define PSA_KEY_DERIVATION_INPUT_PASSWORD ((psa_key_derivation_step_t)0x0102)
2262 
2263 /** A label for key derivation.
2264  *
2265  * This should be a direct input.
2266  * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
2267  */
2268 #define PSA_KEY_DERIVATION_INPUT_LABEL ((psa_key_derivation_step_t)0x0201)
2269 
2270 /** A salt for key derivation.
2271  *
2272  * This should be a direct input.
2273  * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA or
2274  * #PSA_KEY_TYPE_PEPPER.
2275  */
2276 #define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t)0x0202)
2277 
2278 /** An information string for key derivation.
2279  *
2280  * This should be a direct input.
2281  * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
2282  */
2283 #define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t)0x0203)
2284 
2285 /** A seed for key derivation.
2286  *
2287  * This should be a direct input.
2288  * It can also be a key of type #PSA_KEY_TYPE_RAW_DATA.
2289  */
2290 #define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t)0x0204)
2291 
2292 /** A cost parameter for password hashing / key stretching.
2293  *
2294  * This must be a direct input, passed to psa_key_derivation_input_integer().
2295  */
2296 #define PSA_KEY_DERIVATION_INPUT_COST ((psa_key_derivation_step_t)0x0205)
2297 
2298 /**@}*/
2299 
2300 /** \defgroup helper_macros Helper macros
2301  * @{
2302  */
2303 
2304 /* Helper macros */
2305 
2306 /** Check if two AEAD algorithm identifiers refer to the same AEAD algorithm
2307  * regardless of the tag length they encode.
2308  *
2309  * \param aead_alg_1 An AEAD algorithm identifier.
2310  * \param aead_alg_2 An AEAD algorithm identifier.
2311  *
2312  * \return 1 if both identifiers refer to the same AEAD algorithm,
2313  * 0 otherwise.
2314  * Unspecified if neither \p aead_alg_1 nor \p aead_alg_2 are
2315  * a supported AEAD algorithm.
2316  */
2317 #define MBEDTLS_PSA_ALG_AEAD_EQUAL(aead_alg_1, aead_alg_2) \
2318  (!(((aead_alg_1) ^ (aead_alg_2)) & \
2319  ~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)))
2320 
2321 /**@}*/
2322 
2323 #endif /* PSA_CRYPTO_VALUES_H */
Important Information for this Arm website

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work.