• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file psa/crypto_sizes.h
3  *
4  * \brief PSA cryptography module: Mbed TLS buffer size macros
5  *
6  * \note This file may not be included directly. Applications must
7  * include psa/crypto.h.
8  *
9  * This file contains the definitions of macros that are useful to
10  * compute buffer sizes. The signatures and semantics of these macros
11  * are standardized, but the definitions are not, because they depend on
12  * the available algorithms and, in some cases, on permitted tolerances
13  * on buffer sizes.
14  *
15  * In implementations with isolation between the application and the
16  * cryptography module, implementers should take care to ensure that
17  * the definitions that are exposed to applications match what the
18  * module implements.
19  *
20  * Macros that compute sizes whose values do not depend on the
21  * implementation are in crypto.h.
22  */
23 /*
24  *  Copyright The Mbed TLS Contributors
25  *  SPDX-License-Identifier: Apache-2.0
26  *
27  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
28  *  not use this file except in compliance with the License.
29  *  You may obtain a copy of the License at
30  *
31  *  http://www.apache.org/licenses/LICENSE-2.0
32  *
33  *  Unless required by applicable law or agreed to in writing, software
34  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
35  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
36  *  See the License for the specific language governing permissions and
37  *  limitations under the License.
38  */
39 
40 #ifndef PSA_CRYPTO_SIZES_H
41 #define PSA_CRYPTO_SIZES_H
42 
43 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
44  * in each of its header files. */
45 #include "mbedtls/build_info.h"
46 
47 #define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8)
48 #define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8)
49 
50 #define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
51     (((length) + (block_size) - 1) / (block_size) * (block_size))
52 
53 /** The size of the output of psa_hash_finish(), in bytes.
54  *
55  * This is also the hash size that psa_hash_verify() expects.
56  *
57  * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that
58  *              #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm
59  *              (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a
60  *              hash algorithm).
61  *
62  * \return The hash size for the specified hash algorithm.
63  *         If the hash algorithm is not recognized, return 0.
64  */
65 #define PSA_HASH_LENGTH(alg)                                        \
66     (                                                               \
67         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16 :            \
68         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20 :      \
69         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20 :          \
70         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28 :        \
71         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32 :        \
72         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48 :        \
73         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64 :        \
74         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28 :    \
75         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32 :    \
76         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28 :       \
77         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32 :       \
78         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48 :       \
79         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 :       \
80         0)
81 
82 /** The input block size of a hash algorithm, in bytes.
83  *
84  * Hash algorithms process their input data in blocks. Hash operations will
85  * retain any partial blocks until they have enough input to fill the block or
86  * until the operation is finished.
87  * This affects the output from psa_hash_suspend().
88  *
89  * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that
90  *              PSA_ALG_IS_HASH(\p alg) is true).
91  *
92  * \return      The block size in bytes for the specified hash algorithm.
93  *              If the hash algorithm is not recognized, return 0.
94  *              An implementation can return either 0 or the correct size for a
95  *              hash algorithm that it recognizes, but does not support.
96  */
97 #define PSA_HASH_BLOCK_LENGTH(alg)                                  \
98     (                                                               \
99         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64 :            \
100         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64 :      \
101         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64 :          \
102         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64 :        \
103         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64 :        \
104         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128 :       \
105         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128 :       \
106         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128 :   \
107         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128 :   \
108         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144 :      \
109         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136 :      \
110         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104 :      \
111         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72 :       \
112         0)
113 
114 /** \def PSA_HASH_MAX_SIZE
115  *
116  * Maximum size of a hash.
117  *
118  * This macro expands to a compile-time constant integer. This value
119  * is the maximum size of a hash in bytes.
120  */
121 /* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
122  * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
123  * HMAC-SHA3-512. */
124 #if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384)
125 #define PSA_HASH_MAX_SIZE 64
126 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
127 #else
128 #define PSA_HASH_MAX_SIZE 32
129 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
130 #endif
131 
132 /** \def PSA_MAC_MAX_SIZE
133  *
134  * Maximum size of a MAC.
135  *
136  * This macro expands to a compile-time constant integer. This value
137  * is the maximum size of a MAC in bytes.
138  */
139 /* All non-HMAC MACs have a maximum size that's smaller than the
140  * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
141 /* Note that the encoding of truncated MAC algorithms limits this value
142  * to 64 bytes.
143  */
144 #define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
145 
146 /** The length of a tag for an AEAD algorithm, in bytes.
147  *
148  * This macro can be used to allocate a buffer of sufficient size to store the
149  * tag output from psa_aead_finish().
150  *
151  * See also #PSA_AEAD_TAG_MAX_SIZE.
152  *
153  * \param key_type            The type of the AEAD key.
154  * \param key_bits            The size of the AEAD key in bits.
155  * \param alg                 An AEAD algorithm
156  *                            (\c PSA_ALG_XXX value such that
157  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
158  *
159  * \return                    The tag length for the specified algorithm and key.
160  *                            If the AEAD algorithm does not have an identified
161  *                            tag that can be distinguished from the rest of
162  *                            the ciphertext, return 0.
163  *                            If the key type or AEAD algorithm is not
164  *                            recognized, or the parameters are incompatible,
165  *                            return 0.
166  */
167 #define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg)                        \
168     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                            \
169      PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :                                     \
170      ((void) (key_bits), 0))
171 
172 /** The maximum tag size for all supported AEAD algorithms, in bytes.
173  *
174  * See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).
175  */
176 #define PSA_AEAD_TAG_MAX_SIZE       16
177 
178 /* The maximum size of an RSA key on this implementation, in bits.
179  * This is a vendor-specific macro.
180  *
181  * Mbed TLS does not set a hard limit on the size of RSA keys: any key
182  * whose parameters fit in a bignum is accepted. However large keys can
183  * induce a large memory usage and long computation times. Unlike other
184  * auxiliary macros in this file and in crypto.h, which reflect how the
185  * library is configured, this macro defines how the library is
186  * configured. This implementation refuses to import or generate an
187  * RSA key whose size is larger than the value defined here.
188  *
189  * Note that an implementation may set different size limits for different
190  * operations, and does not need to accept all key sizes up to the limit. */
191 #define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
192 
193 /* The maximum size of an ECC key on this implementation, in bits.
194  * This is a vendor-specific macro. */
195 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
196 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 521
197 #elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
198 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 512
199 #elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
200 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 448
201 #elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
202 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
203 #elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
204 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
205 #elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
206 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
207 #elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
208 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
209 #elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
210 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
211 #elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
212 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 255
213 #elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
214 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
215 #elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
216 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
217 #elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
218 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
219 #elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
220 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
221 #else
222 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 0
223 #endif
224 
225 /** This macro returns the maximum supported length of the PSK for the
226  * TLS-1.2 PSK-to-MS key derivation
227  * (#PSA_ALG_TLS12_PSK_TO_MS(\c hash_alg)).
228  *
229  * The maximum supported length does not depend on the chosen hash algorithm.
230  *
231  * Quoting RFC 4279, Sect 5.3:
232  * TLS implementations supporting these ciphersuites MUST support
233  * arbitrary PSK identities up to 128 octets in length, and arbitrary
234  * PSKs up to 64 octets in length.  Supporting longer identities and
235  * keys is RECOMMENDED.
236  *
237  * Therefore, no implementation should define a value smaller than 64
238  * for #PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.
239  */
240 #define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128
241 
242 /** The maximum size of a block cipher. */
243 #define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
244 
245 /** The size of the output of psa_mac_sign_finish(), in bytes.
246  *
247  * This is also the MAC size that psa_mac_verify_finish() expects.
248  *
249  * \warning This macro may evaluate its arguments multiple times or
250  *          zero times, so you should not pass arguments that contain
251  *          side effects.
252  *
253  * \param key_type      The type of the MAC key.
254  * \param key_bits      The size of the MAC key in bits.
255  * \param alg           A MAC algorithm (\c PSA_ALG_XXX value such that
256  *                      #PSA_ALG_IS_MAC(\p alg) is true).
257  *
258  * \return              The MAC size for the specified algorithm with
259  *                      the specified key parameters.
260  * \return              0 if the MAC algorithm is not recognized.
261  * \return              Either 0 or the correct size for a MAC algorithm that
262  *                      the implementation recognizes, but does not support.
263  * \return              Unspecified if the key parameters are not consistent
264  *                      with the algorithm.
265  */
266 #define PSA_MAC_LENGTH(key_type, key_bits, alg)                                   \
267     ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) :        \
268      PSA_ALG_IS_HMAC(alg) ? PSA_HASH_LENGTH(PSA_ALG_HMAC_GET_HASH(alg)) :         \
269      PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
270      ((void)(key_type), (void)(key_bits), 0))
271 
272 /** The maximum size of the output of psa_aead_encrypt(), in bytes.
273  *
274  * If the size of the ciphertext buffer is at least this large, it is
275  * guaranteed that psa_aead_encrypt() will not fail due to an
276  * insufficient buffer size. Depending on the algorithm, the actual size of
277  * the ciphertext may be smaller.
278  *
279  * See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).
280  *
281  * \warning This macro may evaluate its arguments multiple times or
282  *          zero times, so you should not pass arguments that contain
283  *          side effects.
284  *
285  * \param key_type            A symmetric key type that is
286  *                            compatible with algorithm \p alg.
287  * \param alg                 An AEAD algorithm
288  *                            (\c PSA_ALG_XXX value such that
289  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
290  * \param plaintext_length    Size of the plaintext in bytes.
291  *
292  * \return                    The AEAD ciphertext size for the specified
293  *                            algorithm.
294  *                            If the key type or AEAD algorithm is not
295  *                            recognized, or the parameters are incompatible,
296  *                            return 0.
297  */
298 #define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
299     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                      \
300      (plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :          \
301      0)
302 
303 /** A sufficient output buffer size for psa_aead_encrypt(), for any of the
304  *  supported key types and AEAD algorithms.
305  *
306  * If the size of the ciphertext buffer is at least this large, it is guaranteed
307  * that psa_aead_encrypt() will not fail due to an insufficient buffer size.
308  *
309  * \note This macro returns a compile-time constant if its arguments are
310  *       compile-time constants.
311  *
312  * See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,
313  * \p plaintext_length).
314  *
315  * \param plaintext_length    Size of the plaintext in bytes.
316  *
317  * \return                    A sufficient output buffer size for any of the
318  *                            supported key types and AEAD algorithms.
319  *
320  */
321 #define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length)          \
322     ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)
323 
324 
325 /** The maximum size of the output of psa_aead_decrypt(), in bytes.
326  *
327  * If the size of the plaintext buffer is at least this large, it is
328  * guaranteed that psa_aead_decrypt() will not fail due to an
329  * insufficient buffer size. Depending on the algorithm, the actual size of
330  * the plaintext may be smaller.
331  *
332  * See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).
333  *
334  * \warning This macro may evaluate its arguments multiple times or
335  *          zero times, so you should not pass arguments that contain
336  *          side effects.
337  *
338  * \param key_type            A symmetric key type that is
339  *                            compatible with algorithm \p alg.
340  * \param alg                 An AEAD algorithm
341  *                            (\c PSA_ALG_XXX value such that
342  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
343  * \param ciphertext_length   Size of the plaintext in bytes.
344  *
345  * \return                    The AEAD ciphertext size for the specified
346  *                            algorithm.
347  *                            If the key type or AEAD algorithm is not
348  *                            recognized, or the parameters are incompatible,
349  *                            return 0.
350  */
351 #define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
352     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&                      \
353          (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ?      \
354          (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :      \
355      0)
356 
357 /** A sufficient output buffer size for psa_aead_decrypt(), for any of the
358  *  supported key types and AEAD algorithms.
359  *
360  * If the size of the plaintext buffer is at least this large, it is guaranteed
361  * that psa_aead_decrypt() will not fail due to an insufficient buffer size.
362  *
363  * \note This macro returns a compile-time constant if its arguments are
364  *       compile-time constants.
365  *
366  * See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,
367  * \p ciphertext_length).
368  *
369  * \param ciphertext_length   Size of the ciphertext in bytes.
370  *
371  * \return                    A sufficient output buffer size for any of the
372  *                            supported key types and AEAD algorithms.
373  *
374  */
375 #define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length)     \
376      (ciphertext_length)
377 
378 /** The default nonce size for an AEAD algorithm, in bytes.
379  *
380  * This macro can be used to allocate a buffer of sufficient size to
381  * store the nonce output from #psa_aead_generate_nonce().
382  *
383  * See also #PSA_AEAD_NONCE_MAX_SIZE.
384  *
385  * \note This is not the maximum size of nonce supported as input to
386  *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
387  *       just the default size that is generated by #psa_aead_generate_nonce().
388  *
389  * \warning This macro may evaluate its arguments multiple times or
390  *          zero times, so you should not pass arguments that contain
391  *          side effects.
392  *
393  * \param key_type  A symmetric key type that is compatible with
394  *                  algorithm \p alg.
395  *
396  * \param alg       An AEAD algorithm (\c PSA_ALG_XXX value such that
397  *                  #PSA_ALG_IS_AEAD(\p alg) is true).
398  *
399  * \return The default nonce size for the specified key type and algorithm.
400  *         If the key type or AEAD algorithm is not recognized,
401  *         or the parameters are incompatible, return 0.
402  */
403 #define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
404     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \
405           MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13 : \
406           MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12 : \
407           0 : \
408      (key_type) == PSA_KEY_TYPE_CHACHA20 && \
409           MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12 : \
410      0)
411 
412 /** The maximum default nonce size among all supported pairs of key types and
413  *  AEAD algorithms, in bytes.
414  *
415  * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH()
416  * may return.
417  *
418  * \note This is not the maximum size of nonce supported as input to
419  *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
420  *       just the largest size that may be generated by
421  *       #psa_aead_generate_nonce().
422  */
423 #define PSA_AEAD_NONCE_MAX_SIZE 13
424 
425 /** A sufficient output buffer size for psa_aead_update().
426  *
427  * If the size of the output buffer is at least this large, it is
428  * guaranteed that psa_aead_update() will not fail due to an
429  * insufficient buffer size. The actual size of the output may be smaller
430  * in any given call.
431  *
432  * See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
433  *
434  * \warning This macro may evaluate its arguments multiple times or
435  *          zero times, so you should not pass arguments that contain
436  *          side effects.
437  *
438  * \param key_type            A symmetric key type that is
439  *                            compatible with algorithm \p alg.
440  * \param alg                 An AEAD algorithm
441  *                            (\c PSA_ALG_XXX value such that
442  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
443  * \param input_length        Size of the input in bytes.
444  *
445  * \return                    A sufficient output buffer size for the specified
446  *                            algorithm.
447  *                            If the key type or AEAD algorithm is not
448  *                            recognized, or the parameters are incompatible,
449  *                            return 0.
450  */
451 /* For all the AEAD modes defined in this specification, it is possible
452  * to emit output without delay. However, hardware may not always be
453  * capable of this. So for modes based on a block cipher, allow the
454  * implementation to delay the output until it has a full block. */
455 #define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)                             \
456     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                                             \
457          PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?                                              \
458          PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \
459          (input_length) : \
460      0)
461 
462 /** A sufficient output buffer size for psa_aead_update(), for any of the
463  *  supported key types and AEAD algorithms.
464  *
465  * If the size of the output buffer is at least this large, it is guaranteed
466  * that psa_aead_update() will not fail due to an insufficient buffer size.
467  *
468  * See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
469  *
470  * \param input_length      Size of the input in bytes.
471  */
472 #define PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_length)                           \
473     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)))
474 
475 /** A sufficient ciphertext buffer size for psa_aead_finish().
476  *
477  * If the size of the ciphertext buffer is at least this large, it is
478  * guaranteed that psa_aead_finish() will not fail due to an
479  * insufficient ciphertext buffer size. The actual size of the output may
480  * be smaller in any given call.
481  *
482  * See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.
483  *
484  * \param key_type            A symmetric key type that is
485                               compatible with algorithm \p alg.
486  * \param alg                 An AEAD algorithm
487  *                            (\c PSA_ALG_XXX value such that
488  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
489  *
490  * \return                    A sufficient ciphertext buffer size for the
491  *                            specified algorithm.
492  *                            If the key type or AEAD algorithm is not
493  *                            recognized, or the parameters are incompatible,
494  *                            return 0.
495  */
496 #define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \
497     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \
498          PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \
499          PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
500      0)
501 
502 /** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the
503  *  supported key types and AEAD algorithms.
504  *
505  * See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
506  */
507 #define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
508 
509 /** A sufficient plaintext buffer size for psa_aead_verify().
510  *
511  * If the size of the plaintext buffer is at least this large, it is
512  * guaranteed that psa_aead_verify() will not fail due to an
513  * insufficient plaintext buffer size. The actual size of the output may
514  * be smaller in any given call.
515  *
516  * See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.
517  *
518  * \param key_type            A symmetric key type that is
519  *                            compatible with algorithm \p alg.
520  * \param alg                 An AEAD algorithm
521  *                            (\c PSA_ALG_XXX value such that
522  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
523  *
524  * \return                    A sufficient plaintext buffer size for the
525  *                            specified algorithm.
526  *                            If the key type or AEAD algorithm is not
527  *                            recognized, or the parameters are incompatible,
528  *                            return 0.
529  */
530 #define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \
531     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \
532          PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \
533          PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
534      0)
535 
536 /** A sufficient plaintext buffer size for psa_aead_verify(), for any of the
537  *  supported key types and AEAD algorithms.
538  *
539  * See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).
540  */
541 #define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
542 
543 #define PSA_RSA_MINIMUM_PADDING_SIZE(alg)                         \
544     (PSA_ALG_IS_RSA_OAEP(alg) ?                                   \
545      2 * PSA_HASH_LENGTH(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1 :    \
546      11 /*PKCS#1v1.5*/)
547 
548 /**
549  * \brief ECDSA signature size for a given curve bit size
550  *
551  * \param curve_bits    Curve size in bits.
552  * \return              Signature size in bytes.
553  *
554  * \note This macro returns a compile-time constant if its argument is one.
555  */
556 #define PSA_ECDSA_SIGNATURE_SIZE(curve_bits)    \
557     (PSA_BITS_TO_BYTES(curve_bits) * 2)
558 
559 /** Sufficient signature buffer size for psa_sign_hash().
560  *
561  * This macro returns a sufficient buffer size for a signature using a key
562  * of the specified type and size, with the specified algorithm.
563  * Note that the actual size of the signature may be smaller
564  * (some algorithms produce a variable-size signature).
565  *
566  * \warning This function may call its arguments multiple times or
567  *          zero times, so you should not pass arguments that contain
568  *          side effects.
569  *
570  * \param key_type  An asymmetric key type (this may indifferently be a
571  *                  key pair type or a public key type).
572  * \param key_bits  The size of the key in bits.
573  * \param alg       The signature algorithm.
574  *
575  * \return If the parameters are valid and supported, return
576  *         a buffer size in bytes that guarantees that
577  *         psa_sign_hash() will not fail with
578  *         #PSA_ERROR_BUFFER_TOO_SMALL.
579  *         If the parameters are a valid combination that is not supported,
580  *         return either a sensible size or 0.
581  *         If the parameters are not valid, the
582  *         return value is unspecified.
583  */
584 #define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg)        \
585     (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void)alg, PSA_BITS_TO_BYTES(key_bits)) : \
586      PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \
587      ((void)alg, 0))
588 
589 #define PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE     \
590     PSA_ECDSA_SIGNATURE_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
591 
592 /** \def PSA_SIGNATURE_MAX_SIZE
593  *
594  * Maximum size of an asymmetric signature.
595  *
596  * This macro expands to a compile-time constant integer. This value
597  * is the maximum size of a signature in bytes.
598  */
599 #define PSA_SIGNATURE_MAX_SIZE                               \
600     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) > PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE ? \
601      PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) :                   \
602      PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE)
603 
604 /** Sufficient output buffer size for psa_asymmetric_encrypt().
605  *
606  * This macro returns a sufficient buffer size for a ciphertext produced using
607  * a key of the specified type and size, with the specified algorithm.
608  * Note that the actual size of the ciphertext may be smaller, depending
609  * on the algorithm.
610  *
611  * \warning This function may call its arguments multiple times or
612  *          zero times, so you should not pass arguments that contain
613  *          side effects.
614  *
615  * \param key_type  An asymmetric key type (this may indifferently be a
616  *                  key pair type or a public key type).
617  * \param key_bits  The size of the key in bits.
618  * \param alg       The asymmetric encryption algorithm.
619  *
620  * \return If the parameters are valid and supported, return
621  *         a buffer size in bytes that guarantees that
622  *         psa_asymmetric_encrypt() will not fail with
623  *         #PSA_ERROR_BUFFER_TOO_SMALL.
624  *         If the parameters are a valid combination that is not supported,
625  *         return either a sensible size or 0.
626  *         If the parameters are not valid, the
627  *         return value is unspecified.
628  */
629 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \
630     (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \
631      ((void)alg, PSA_BITS_TO_BYTES(key_bits)) :                         \
632      0)
633 
634 /** A sufficient output buffer size for psa_asymmetric_encrypt(), for any
635  *  supported asymmetric encryption.
636  *
637  * See also #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
638  */
639 /* This macro assumes that RSA is the only supported asymmetric encryption. */
640 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE          \
641     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
642 
643 /** Sufficient output buffer size for psa_asymmetric_decrypt().
644  *
645  * This macro returns a sufficient buffer size for a plaintext produced using
646  * a key of the specified type and size, with the specified algorithm.
647  * Note that the actual size of the plaintext may be smaller, depending
648  * on the algorithm.
649  *
650  * \warning This function may call its arguments multiple times or
651  *          zero times, so you should not pass arguments that contain
652  *          side effects.
653  *
654  * \param key_type  An asymmetric key type (this may indifferently be a
655  *                  key pair type or a public key type).
656  * \param key_bits  The size of the key in bits.
657  * \param alg       The asymmetric encryption algorithm.
658  *
659  * \return If the parameters are valid and supported, return
660  *         a buffer size in bytes that guarantees that
661  *         psa_asymmetric_decrypt() will not fail with
662  *         #PSA_ERROR_BUFFER_TOO_SMALL.
663  *         If the parameters are a valid combination that is not supported,
664  *         return either a sensible size or 0.
665  *         If the parameters are not valid, the
666  *         return value is unspecified.
667  */
668 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \
669     (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \
670      PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) :  \
671      0)
672 
673 /** A sufficient output buffer size for psa_asymmetric_decrypt(), for any
674  *  supported asymmetric decryption.
675  *
676  * This macro assumes that RSA is the only supported asymmetric encryption.
677  *
678  * See also #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
679  */
680 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE          \
681     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
682 
683 /* Maximum size of the ASN.1 encoding of an INTEGER with the specified
684  * number of bits.
685  *
686  * This definition assumes that bits <= 2^19 - 9 so that the length field
687  * is at most 3 bytes. The length of the encoding is the length of the
688  * bit string padded to a whole number of bytes plus:
689  * - 1 type byte;
690  * - 1 to 3 length bytes;
691  * - 0 to 1 bytes of leading 0 due to the sign bit.
692  */
693 #define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits)      \
694     ((bits) / 8 + 5)
695 
696 /* Maximum size of the export encoding of an RSA public key.
697  * Assumes that the public exponent is less than 2^32.
698  *
699  * RSAPublicKey  ::=  SEQUENCE  {
700  *    modulus            INTEGER,    -- n
701  *    publicExponent     INTEGER  }  -- e
702  *
703  * - 4 bytes of SEQUENCE overhead;
704  * - n : INTEGER;
705  * - 7 bytes for the public exponent.
706  */
707 #define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \
708     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11)
709 
710 /* Maximum size of the export encoding of an RSA key pair.
711  * Assumes thatthe public exponent is less than 2^32 and that the size
712  * difference between the two primes is at most 1 bit.
713  *
714  * RSAPrivateKey ::= SEQUENCE {
715  *     version           Version,  -- 0
716  *     modulus           INTEGER,  -- N-bit
717  *     publicExponent    INTEGER,  -- 32-bit
718  *     privateExponent   INTEGER,  -- N-bit
719  *     prime1            INTEGER,  -- N/2-bit
720  *     prime2            INTEGER,  -- N/2-bit
721  *     exponent1         INTEGER,  -- N/2-bit
722  *     exponent2         INTEGER,  -- N/2-bit
723  *     coefficient       INTEGER,  -- N/2-bit
724  * }
725  *
726  * - 4 bytes of SEQUENCE overhead;
727  * - 3 bytes of version;
728  * - 7 half-size INTEGERs plus 2 full-size INTEGERs,
729  *   overapproximated as 9 half-size INTEGERS;
730  * - 7 bytes for the public exponent.
731  */
732 #define PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits)   \
733     (9 * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2 + 1) + 14)
734 
735 /* Maximum size of the export encoding of a DSA public key.
736  *
737  * SubjectPublicKeyInfo  ::=  SEQUENCE  {
738  *      algorithm            AlgorithmIdentifier,
739  *      subjectPublicKey     BIT STRING  } -- contains DSAPublicKey
740  * AlgorithmIdentifier  ::=  SEQUENCE  {
741  *      algorithm               OBJECT IDENTIFIER,
742  *      parameters              Dss-Parms  } -- SEQUENCE of 3 INTEGERs
743  * DSAPublicKey  ::=  INTEGER -- public key, Y
744  *
745  * - 3 * 4 bytes of SEQUENCE overhead;
746  * - 1 + 1 + 7 bytes of algorithm (DSA OID);
747  * - 4 bytes of BIT STRING overhead;
748  * - 3 full-size INTEGERs (p, g, y);
749  * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).
750  */
751 #define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \
752     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 59)
753 
754 /* Maximum size of the export encoding of a DSA key pair.
755  *
756  * DSAPrivateKey ::= SEQUENCE {
757  *     version             Version,  -- 0
758  *     prime               INTEGER,  -- p
759  *     subprime            INTEGER,  -- q
760  *     generator           INTEGER,  -- g
761  *     public              INTEGER,  -- y
762  *     private             INTEGER,  -- x
763  * }
764  *
765  * - 4 bytes of SEQUENCE overhead;
766  * - 3 bytes of version;
767  * - 3 full-size INTEGERs (p, g, y);
768  * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).
769  */
770 #define PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits)   \
771     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 75)
772 
773 /* Maximum size of the export encoding of an ECC public key.
774  *
775  * The representation of an ECC public key is:
776  *      - The byte 0x04;
777  *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
778  *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
779  *      - where m is the bit size associated with the curve.
780  *
781  * - 1 byte + 2 * point size.
782  */
783 #define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)        \
784     (2 * PSA_BITS_TO_BYTES(key_bits) + 1)
785 
786 /* Maximum size of the export encoding of an ECC key pair.
787  *
788  * An ECC key pair is represented by the secret value.
789  */
790 #define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits)   \
791     (PSA_BITS_TO_BYTES(key_bits))
792 
793 /** Sufficient output buffer size for psa_export_key() or
794  * psa_export_public_key().
795  *
796  * This macro returns a compile-time constant if its arguments are
797  * compile-time constants.
798  *
799  * \warning This macro may evaluate its arguments multiple times or
800  *          zero times, so you should not pass arguments that contain
801  *          side effects.
802  *
803  * The following code illustrates how to allocate enough memory to export
804  * a key by querying the key type and size at runtime.
805  * \code{c}
806  * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
807  * psa_status_t status;
808  * status = psa_get_key_attributes(key, &attributes);
809  * if (status != PSA_SUCCESS) handle_error(...);
810  * psa_key_type_t key_type = psa_get_key_type(&attributes);
811  * size_t key_bits = psa_get_key_bits(&attributes);
812  * size_t buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits);
813  * psa_reset_key_attributes(&attributes);
814  * uint8_t *buffer = malloc(buffer_size);
815  * if (buffer == NULL) handle_error(...);
816  * size_t buffer_length;
817  * status = psa_export_key(key, buffer, buffer_size, &buffer_length);
818  * if (status != PSA_SUCCESS) handle_error(...);
819  * \endcode
820  *
821  * \param key_type  A supported key type.
822  * \param key_bits  The size of the key in bits.
823  *
824  * \return If the parameters are valid and supported, return
825  *         a buffer size in bytes that guarantees that
826  *         psa_export_key() or psa_export_public_key() will not fail with
827  *         #PSA_ERROR_BUFFER_TOO_SMALL.
828  *         If the parameters are a valid combination that is not supported,
829  *         return either a sensible size or 0.
830  *         If the parameters are not valid, the return value is unspecified.
831  */
832 #define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits)                                              \
833     (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) :                         \
834      (key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) :     \
835      (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
836      (key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) :     \
837      (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
838      PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) :      \
839      PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) :  \
840      0)
841 
842 /** Sufficient output buffer size for psa_export_public_key().
843  *
844  * This macro returns a compile-time constant if its arguments are
845  * compile-time constants.
846  *
847  * \warning This macro may evaluate its arguments multiple times or
848  *          zero times, so you should not pass arguments that contain
849  *          side effects.
850  *
851  * The following code illustrates how to allocate enough memory to export
852  * a public key by querying the key type and size at runtime.
853  * \code{c}
854  * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
855  * psa_status_t status;
856  * status = psa_get_key_attributes(key, &attributes);
857  * if (status != PSA_SUCCESS) handle_error(...);
858  * psa_key_type_t key_type = psa_get_key_type(&attributes);
859  * size_t key_bits = psa_get_key_bits(&attributes);
860  * size_t buffer_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits);
861  * psa_reset_key_attributes(&attributes);
862  * uint8_t *buffer = malloc(buffer_size);
863  * if (buffer == NULL) handle_error(...);
864  * size_t buffer_length;
865  * status = psa_export_public_key(key, buffer, buffer_size, &buffer_length);
866  * if (status != PSA_SUCCESS) handle_error(...);
867  * \endcode
868  *
869  * \param key_type      A public key or key pair key type.
870  * \param key_bits      The size of the key in bits.
871  *
872  * \return              If the parameters are valid and supported, return
873  *                      a buffer size in bytes that guarantees that
874  *                      psa_export_public_key() will not fail with
875  *                      #PSA_ERROR_BUFFER_TOO_SMALL.
876  *                      If the parameters are a valid combination that is not
877  *                      supported, return either a sensible size or 0.
878  *                      If the parameters are not valid,
879  *                      the return value is unspecified.
880  *
881  *                      If the parameters are valid and supported,
882  *                      return the same result as
883  *                      #PSA_EXPORT_KEY_OUTPUT_SIZE(
884  *                          \p #PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\p key_type),
885  *                          \p key_bits).
886  */
887 #define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits)                           \
888     (PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
889      PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
890      0)
891 
892 /** Sufficient buffer size for exporting any asymmetric key pair.
893  *
894  * This macro expands to a compile-time constant integer. This value is
895  * a sufficient buffer size when calling psa_export_key() to export any
896  * asymmetric key pair, regardless of the exact key type and key size.
897  *
898  * See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
899  */
900 #define PSA_EXPORT_KEY_PAIR_MAX_SIZE                                            \
901     (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) >        \
902      PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ?      \
903      PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) :        \
904      PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
905 
906 /** Sufficient buffer size for exporting any asymmetric public key.
907  *
908  * This macro expands to a compile-time constant integer. This value is
909  * a sufficient buffer size when calling psa_export_key() or
910  * psa_export_public_key() to export any asymmetric public key,
911  * regardless of the exact key type and key size.
912  *
913  * See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
914  */
915 #define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE                                          \
916     (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) >      \
917      PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ?    \
918      PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) :      \
919      PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
920 
921 /** Sufficient output buffer size for psa_raw_key_agreement().
922  *
923  * This macro returns a compile-time constant if its arguments are
924  * compile-time constants.
925  *
926  * \warning This macro may evaluate its arguments multiple times or
927  *          zero times, so you should not pass arguments that contain
928  *          side effects.
929  *
930  * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE.
931  *
932  * \param key_type      A supported key type.
933  * \param key_bits      The size of the key in bits.
934  *
935  * \return              If the parameters are valid and supported, return
936  *                      a buffer size in bytes that guarantees that
937  *                      psa_raw_key_agreement() will not fail with
938  *                      #PSA_ERROR_BUFFER_TOO_SMALL.
939  *                      If the parameters are a valid combination that
940  *                      is not supported, return either a sensible size or 0.
941  *                      If the parameters are not valid,
942  *                      the return value is unspecified.
943  */
944 /* FFDH is not yet supported in PSA. */
945 #define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits)   \
946     (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ?                   \
947      PSA_BITS_TO_BYTES(key_bits) :                              \
948      0)
949 
950 /** Maximum size of the output from psa_raw_key_agreement().
951  *
952  * This macro expands to a compile-time constant integer. This value is the
953  * maximum size of the output any raw key agreement algorithm, in bytes.
954  *
955  * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
956  */
957 #define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE   \
958     (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS))
959 
960 /** The default IV size for a cipher algorithm, in bytes.
961  *
962  * The IV that is generated as part of a call to #psa_cipher_encrypt() is always
963  * the default IV length for the algorithm.
964  *
965  * This macro can be used to allocate a buffer of sufficient size to
966  * store the IV output from #psa_cipher_generate_iv() when using
967  * a multi-part cipher operation.
968  *
969  * See also #PSA_CIPHER_IV_MAX_SIZE.
970  *
971  * \warning This macro may evaluate its arguments multiple times or
972  *          zero times, so you should not pass arguments that contain
973  *          side effects.
974  *
975  * \param key_type  A symmetric key type that is compatible with algorithm \p alg.
976  *
977  * \param alg       A cipher algorithm (\c PSA_ALG_XXX value such that #PSA_ALG_IS_CIPHER(\p alg) is true).
978  *
979  * \return The default IV size for the specified key type and algorithm.
980  *         If the algorithm does not use an IV, return 0.
981  *         If the key type or cipher algorithm is not recognized,
982  *         or the parameters are incompatible, return 0.
983  */
984 #define PSA_CIPHER_IV_LENGTH(key_type, alg) \
985     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1 && \
986         ((alg) == PSA_ALG_CTR || \
987          (alg) == PSA_ALG_CFB || \
988          (alg) == PSA_ALG_OFB || \
989          (alg) == PSA_ALG_XTS || \
990          (alg) == PSA_ALG_CBC_NO_PADDING || \
991          (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
992      (key_type) == PSA_KEY_TYPE_CHACHA20 && \
993          (alg) == PSA_ALG_STREAM_CIPHER ? 12 : \
994          (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \
995          0)
996 
997 /** The maximum IV size for all supported cipher algorithms, in bytes.
998  *
999  * See also #PSA_CIPHER_IV_LENGTH().
1000  */
1001 #define PSA_CIPHER_IV_MAX_SIZE 16
1002 
1003 /** The maximum size of the output of psa_cipher_encrypt(), in bytes.
1004  *
1005  * If the size of the output buffer is at least this large, it is guaranteed
1006  * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
1007  * Depending on the algorithm, the actual size of the output might be smaller.
1008  *
1009  * See also #PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(\p input_length).
1010  *
1011  * \warning This macro may evaluate its arguments multiple times or
1012  *          zero times, so you should not pass arguments that contain
1013  *          side effects.
1014  *
1015  * \param key_type      A symmetric key type that is compatible with algorithm
1016  *                      alg.
1017  * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that
1018  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1019  * \param input_length  Size of the input in bytes.
1020  *
1021  * \return              A sufficient output size for the specified key type and
1022  *                      algorithm. If the key type or cipher algorithm is not
1023  *                      recognized, or the parameters are incompatible,
1024  *                      return 0.
1025  */
1026 #define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length)             \
1027     (alg == PSA_ALG_CBC_PKCS7 ?                                                 \
1028      (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                            \
1029      PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type),          \
1030                               (input_length) + 1) +                             \
1031      PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0) :                             \
1032      (PSA_ALG_IS_CIPHER(alg) ?                                                  \
1033       (input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) :                \
1034      0))
1035 
1036 /** A sufficient output buffer size for psa_cipher_encrypt(), for any of the
1037  *  supported key types and cipher algorithms.
1038  *
1039  * If the size of the output buffer is at least this large, it is guaranteed
1040  * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
1041  *
1042  * See also #PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1043  *
1044  * \param input_length  Size of the input in bytes.
1045  *
1046  */
1047 #define PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_length)                        \
1048     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE,                  \
1049                               (input_length) + 1) +                             \
1050      PSA_CIPHER_IV_MAX_SIZE)
1051 
1052 /** The maximum size of the output of psa_cipher_decrypt(), in bytes.
1053  *
1054  * If the size of the output buffer is at least this large, it is guaranteed
1055  * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
1056  * Depending on the algorithm, the actual size of the output might be smaller.
1057  *
1058  * See also #PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(\p input_length).
1059  *
1060  * \param key_type      A symmetric key type that is compatible with algorithm
1061  *                      alg.
1062  * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that
1063  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1064  * \param input_length  Size of the input in bytes.
1065  *
1066  * \return              A sufficient output size for the specified key type and
1067  *                      algorithm. If the key type or cipher algorithm is not
1068  *                      recognized, or the parameters are incompatible,
1069  *                      return 0.
1070  */
1071 #define PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_length)                 \
1072     (PSA_ALG_IS_CIPHER(alg) &&                                                      \
1073      ((key_type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
1074      (input_length) :                                                               \
1075      0)
1076 
1077 /** A sufficient output buffer size for psa_cipher_decrypt(), for any of the
1078  *  supported key types and cipher algorithms.
1079  *
1080  * If the size of the output buffer is at least this large, it is guaranteed
1081  * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
1082  *
1083  * See also #PSA_CIPHER_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1084  *
1085  * \param input_length  Size of the input in bytes.
1086  */
1087 #define PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_length)    \
1088     (input_length)
1089 
1090 /** A sufficient output buffer size for psa_cipher_update().
1091  *
1092  * If the size of the output buffer is at least this large, it is guaranteed
1093  * that psa_cipher_update() will not fail due to an insufficient buffer size.
1094  * The actual size of the output might be smaller in any given call.
1095  *
1096  * See also #PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
1097  *
1098  * \param key_type      A symmetric key type that is compatible with algorithm
1099  *                      alg.
1100  * \param alg           A cipher algorithm (PSA_ALG_XXX value such that
1101  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1102  * \param input_length  Size of the input in bytes.
1103  *
1104  * \return              A sufficient output size for the specified key type and
1105  *                      algorithm. If the key type or cipher algorithm is not
1106  *                      recognized, or the parameters are incompatible, return 0.
1107  */
1108 #define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)              \
1109     (PSA_ALG_IS_CIPHER(alg) ?                                                   \
1110     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                             \
1111      (((alg) == PSA_ALG_CBC_PKCS7      ||                                       \
1112        (alg) == PSA_ALG_CBC_NO_PADDING ||                                       \
1113        (alg) == PSA_ALG_ECB_NO_PADDING) ?                                       \
1114       PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type),         \
1115                                 input_length) :                                 \
1116       (input_length)) : 0) :                                                    \
1117      0)
1118 
1119 /** A sufficient output buffer size for psa_cipher_update(), for any of the
1120  *  supported key types and cipher algorithms.
1121  *
1122  * If the size of the output buffer is at least this large, it is guaranteed
1123  * that psa_cipher_update() will not fail due to an insufficient buffer size.
1124  *
1125  * See also #PSA_CIPHER_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1126  *
1127  * \param input_length  Size of the input in bytes.
1128  */
1129 #define PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input_length)     \
1130     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, input_length))
1131 
1132 /** A sufficient ciphertext buffer size for psa_cipher_finish().
1133  *
1134  * If the size of the ciphertext buffer is at least this large, it is
1135  * guaranteed that psa_cipher_finish() will not fail due to an insufficient
1136  * ciphertext buffer size. The actual size of the output might be smaller in
1137  * any given call.
1138  *
1139  * See also #PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE().
1140  *
1141  * \param key_type      A symmetric key type that is compatible with algorithm
1142  *                      alg.
1143  * \param alg           A cipher algorithm (PSA_ALG_XXX value such that
1144  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1145  * \return              A sufficient output size for the specified key type and
1146  *                      algorithm. If the key type or cipher algorithm is not
1147  *                      recognized, or the parameters are incompatible, return 0.
1148  */
1149 #define PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)    \
1150     (PSA_ALG_IS_CIPHER(alg) ?                           \
1151      (alg == PSA_ALG_CBC_PKCS7 ?                        \
1152       PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) :         \
1153       0) :                                              \
1154      0)
1155 
1156 /** A sufficient ciphertext buffer size for psa_cipher_finish(), for any of the
1157  *  supported key types and cipher algorithms.
1158  *
1159  * See also #PSA_CIPHER_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
1160  */
1161 #define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE           \
1162     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
1163 
1164 #endif /* PSA_CRYPTO_SIZES_H */
1165