• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /**
2  * \file psa/crypto_sizes.h
3  *
4  * \brief PSA cryptography module: Mbed TLS buffer size macros
5  *
6  * \note This file may not be included directly. Applications must
7  * include psa/crypto.h.
8  *
9  * This file contains the definitions of macros that are useful to
10  * compute buffer sizes. The signatures and semantics of these macros
11  * are standardized, but the definitions are not, because they depend on
12  * the available algorithms and, in some cases, on permitted tolerances
13  * on buffer sizes.
14  *
15  * In implementations with isolation between the application and the
16  * cryptography module, implementers should take care to ensure that
17  * the definitions that are exposed to applications match what the
18  * module implements.
19  *
20  * Macros that compute sizes whose values do not depend on the
21  * implementation are in crypto.h.
22  */
23 /*
24  *  Copyright The Mbed TLS Contributors
25  *  SPDX-License-Identifier: Apache-2.0
26  *
27  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
28  *  not use this file except in compliance with the License.
29  *  You may obtain a copy of the License at
30  *
31  *  http://www.apache.org/licenses/LICENSE-2.0
32  *
33  *  Unless required by applicable law or agreed to in writing, software
34  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
35  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
36  *  See the License for the specific language governing permissions and
37  *  limitations under the License.
38  */
39 
40 #ifndef PSA_CRYPTO_SIZES_H
41 #define PSA_CRYPTO_SIZES_H
42 
43 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
44  * in each of its header files. */
45 #include "mbedtls/build_info.h"
46 
47 #define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8)
48 #define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8)
49 
50 #define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
51     (((length) + (block_size) - 1) / (block_size) * (block_size))
52 
53 /** The size of the output of psa_hash_finish(), in bytes.
54  *
55  * This is also the hash size that psa_hash_verify() expects.
56  *
57  * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that
58  *              #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm
59  *              (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a
60  *              hash algorithm).
61  *
62  * \return The hash size for the specified hash algorithm.
63  *         If the hash algorithm is not recognized, return 0.
64  */
65 #define PSA_HASH_LENGTH(alg)                                        \
66     (                                                               \
67         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16 :            \
68         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20 :      \
69         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20 :          \
70         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28 :        \
71         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32 :        \
72         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48 :        \
73         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64 :        \
74         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28 :    \
75         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32 :    \
76         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28 :       \
77         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32 :       \
78         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48 :       \
79         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 :       \
80         0)
81 
82 /** The input block size of a hash algorithm, in bytes.
83  *
84  * Hash algorithms process their input data in blocks. Hash operations will
85  * retain any partial blocks until they have enough input to fill the block or
86  * until the operation is finished.
87  * This affects the output from psa_hash_suspend().
88  *
89  * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that
90  *              PSA_ALG_IS_HASH(\p alg) is true).
91  *
92  * \return      The block size in bytes for the specified hash algorithm.
93  *              If the hash algorithm is not recognized, return 0.
94  *              An implementation can return either 0 or the correct size for a
95  *              hash algorithm that it recognizes, but does not support.
96  */
97 #define PSA_HASH_BLOCK_LENGTH(alg)                                  \
98     (                                                               \
99         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64 :            \
100         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64 :      \
101         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64 :          \
102         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64 :        \
103         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64 :        \
104         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128 :       \
105         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128 :       \
106         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128 :   \
107         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128 :   \
108         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144 :      \
109         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136 :      \
110         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104 :      \
111         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72 :       \
112         0)
113 
114 /** \def PSA_HASH_MAX_SIZE
115  *
116  * Maximum size of a hash.
117  *
118  * This macro expands to a compile-time constant integer. This value
119  * is the maximum size of a hash in bytes.
120  */
121 /* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
122  * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
123  * HMAC-SHA3-512. */
124 #if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384)
125 #define PSA_HASH_MAX_SIZE 64
126 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
127 #else
128 #define PSA_HASH_MAX_SIZE 32
129 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
130 #endif
131 
132 /** \def PSA_MAC_MAX_SIZE
133  *
134  * Maximum size of a MAC.
135  *
136  * This macro expands to a compile-time constant integer. This value
137  * is the maximum size of a MAC in bytes.
138  */
139 /* All non-HMAC MACs have a maximum size that's smaller than the
140  * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
141 /* Note that the encoding of truncated MAC algorithms limits this value
142  * to 64 bytes.
143  */
144 #define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
145 
146 /** The length of a tag for an AEAD algorithm, in bytes.
147  *
148  * This macro can be used to allocate a buffer of sufficient size to store the
149  * tag output from psa_aead_finish().
150  *
151  * See also #PSA_AEAD_TAG_MAX_SIZE.
152  *
153  * \param key_type            The type of the AEAD key.
154  * \param key_bits            The size of the AEAD key in bits.
155  * \param alg                 An AEAD algorithm
156  *                            (\c PSA_ALG_XXX value such that
157  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
158  *
159  * \return                    The tag length for the specified algorithm and key.
160  *                            If the AEAD algorithm does not have an identified
161  *                            tag that can be distinguished from the rest of
162  *                            the ciphertext, return 0.
163  *                            If the key type or AEAD algorithm is not
164  *                            recognized, or the parameters are incompatible,
165  *                            return 0.
166  */
167 #define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg)                        \
168     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                            \
169      PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :                                     \
170      ((void) (key_bits), 0))
171 
172 /** The maximum tag size for all supported AEAD algorithms, in bytes.
173  *
174  * See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).
175  */
176 #define PSA_AEAD_TAG_MAX_SIZE       16
177 
178 /* The maximum size of an RSA key on this implementation, in bits.
179  * This is a vendor-specific macro.
180  *
181  * Mbed TLS does not set a hard limit on the size of RSA keys: any key
182  * whose parameters fit in a bignum is accepted. However large keys can
183  * induce a large memory usage and long computation times. Unlike other
184  * auxiliary macros in this file and in crypto.h, which reflect how the
185  * library is configured, this macro defines how the library is
186  * configured. This implementation refuses to import or generate an
187  * RSA key whose size is larger than the value defined here.
188  *
189  * Note that an implementation may set different size limits for different
190  * operations, and does not need to accept all key sizes up to the limit. */
191 #define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
192 
193 /* The maximum size of an ECC key on this implementation, in bits.
194  * This is a vendor-specific macro. */
195 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
196 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 521
197 #elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
198 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 512
199 #elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
200 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 448
201 #elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
202 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
203 #elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
204 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
205 #elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
206 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
207 #elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
208 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
209 #elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
210 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
211 #elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
212 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 255
213 #elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
214 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
215 #elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
216 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
217 #elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
218 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
219 #elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
220 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
221 #else
222 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 0
223 #endif
224 
225 /** This macro returns the maximum supported length of the PSK for the
226  * TLS-1.2 PSK-to-MS key derivation
227  * (#PSA_ALG_TLS12_PSK_TO_MS(\c hash_alg)).
228  *
229  * The maximum supported length does not depend on the chosen hash algorithm.
230  *
231  * Quoting RFC 4279, Sect 5.3:
232  * TLS implementations supporting these ciphersuites MUST support
233  * arbitrary PSK identities up to 128 octets in length, and arbitrary
234  * PSKs up to 64 octets in length.  Supporting longer identities and
235  * keys is RECOMMENDED.
236  *
237  * Therefore, no implementation should define a value smaller than 64
238  * for #PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.
239  */
240 #define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128
241 
242 /* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,
243  * which is expected to work with P-256 curve only. */
244 #define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65
245 
246 /* The size of a serialized K.X coordinate to be used in
247  * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256
248  * curve. */
249 #define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32
250 
251 /** The maximum size of a block cipher. */
252 #define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
253 
254 /** The size of the output of psa_mac_sign_finish(), in bytes.
255  *
256  * This is also the MAC size that psa_mac_verify_finish() expects.
257  *
258  * \warning This macro may evaluate its arguments multiple times or
259  *          zero times, so you should not pass arguments that contain
260  *          side effects.
261  *
262  * \param key_type      The type of the MAC key.
263  * \param key_bits      The size of the MAC key in bits.
264  * \param alg           A MAC algorithm (\c PSA_ALG_XXX value such that
265  *                      #PSA_ALG_IS_MAC(\p alg) is true).
266  *
267  * \return              The MAC size for the specified algorithm with
268  *                      the specified key parameters.
269  * \return              0 if the MAC algorithm is not recognized.
270  * \return              Either 0 or the correct size for a MAC algorithm that
271  *                      the implementation recognizes, but does not support.
272  * \return              Unspecified if the key parameters are not consistent
273  *                      with the algorithm.
274  */
275 #define PSA_MAC_LENGTH(key_type, key_bits, alg)                                   \
276     ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) :        \
277      PSA_ALG_IS_HMAC(alg) ? PSA_HASH_LENGTH(PSA_ALG_HMAC_GET_HASH(alg)) :         \
278      PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
279      ((void) (key_type), (void) (key_bits), 0))
280 
281 /** The maximum size of the output of psa_aead_encrypt(), in bytes.
282  *
283  * If the size of the ciphertext buffer is at least this large, it is
284  * guaranteed that psa_aead_encrypt() will not fail due to an
285  * insufficient buffer size. Depending on the algorithm, the actual size of
286  * the ciphertext may be smaller.
287  *
288  * See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).
289  *
290  * \warning This macro may evaluate its arguments multiple times or
291  *          zero times, so you should not pass arguments that contain
292  *          side effects.
293  *
294  * \param key_type            A symmetric key type that is
295  *                            compatible with algorithm \p alg.
296  * \param alg                 An AEAD algorithm
297  *                            (\c PSA_ALG_XXX value such that
298  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
299  * \param plaintext_length    Size of the plaintext in bytes.
300  *
301  * \return                    The AEAD ciphertext size for the specified
302  *                            algorithm.
303  *                            If the key type or AEAD algorithm is not
304  *                            recognized, or the parameters are incompatible,
305  *                            return 0.
306  */
307 #define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
308     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                      \
309      (plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :          \
310      0)
311 
312 /** A sufficient output buffer size for psa_aead_encrypt(), for any of the
313  *  supported key types and AEAD algorithms.
314  *
315  * If the size of the ciphertext buffer is at least this large, it is guaranteed
316  * that psa_aead_encrypt() will not fail due to an insufficient buffer size.
317  *
318  * \note This macro returns a compile-time constant if its arguments are
319  *       compile-time constants.
320  *
321  * See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,
322  * \p plaintext_length).
323  *
324  * \param plaintext_length    Size of the plaintext in bytes.
325  *
326  * \return                    A sufficient output buffer size for any of the
327  *                            supported key types and AEAD algorithms.
328  *
329  */
330 #define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length)          \
331     ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)
332 
333 
334 /** The maximum size of the output of psa_aead_decrypt(), in bytes.
335  *
336  * If the size of the plaintext buffer is at least this large, it is
337  * guaranteed that psa_aead_decrypt() will not fail due to an
338  * insufficient buffer size. Depending on the algorithm, the actual size of
339  * the plaintext may be smaller.
340  *
341  * See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).
342  *
343  * \warning This macro may evaluate its arguments multiple times or
344  *          zero times, so you should not pass arguments that contain
345  *          side effects.
346  *
347  * \param key_type            A symmetric key type that is
348  *                            compatible with algorithm \p alg.
349  * \param alg                 An AEAD algorithm
350  *                            (\c PSA_ALG_XXX value such that
351  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
352  * \param ciphertext_length   Size of the plaintext in bytes.
353  *
354  * \return                    The AEAD ciphertext size for the specified
355  *                            algorithm.
356  *                            If the key type or AEAD algorithm is not
357  *                            recognized, or the parameters are incompatible,
358  *                            return 0.
359  */
360 #define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
361     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&                      \
362      (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ?      \
363      (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :      \
364      0)
365 
366 /** A sufficient output buffer size for psa_aead_decrypt(), for any of the
367  *  supported key types and AEAD algorithms.
368  *
369  * If the size of the plaintext buffer is at least this large, it is guaranteed
370  * that psa_aead_decrypt() will not fail due to an insufficient buffer size.
371  *
372  * \note This macro returns a compile-time constant if its arguments are
373  *       compile-time constants.
374  *
375  * See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,
376  * \p ciphertext_length).
377  *
378  * \param ciphertext_length   Size of the ciphertext in bytes.
379  *
380  * \return                    A sufficient output buffer size for any of the
381  *                            supported key types and AEAD algorithms.
382  *
383  */
384 #define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length)     \
385     (ciphertext_length)
386 
387 /** The default nonce size for an AEAD algorithm, in bytes.
388  *
389  * This macro can be used to allocate a buffer of sufficient size to
390  * store the nonce output from #psa_aead_generate_nonce().
391  *
392  * See also #PSA_AEAD_NONCE_MAX_SIZE.
393  *
394  * \note This is not the maximum size of nonce supported as input to
395  *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
396  *       just the default size that is generated by #psa_aead_generate_nonce().
397  *
398  * \warning This macro may evaluate its arguments multiple times or
399  *          zero times, so you should not pass arguments that contain
400  *          side effects.
401  *
402  * \param key_type  A symmetric key type that is compatible with
403  *                  algorithm \p alg.
404  *
405  * \param alg       An AEAD algorithm (\c PSA_ALG_XXX value such that
406  *                  #PSA_ALG_IS_AEAD(\p alg) is true).
407  *
408  * \return The default nonce size for the specified key type and algorithm.
409  *         If the key type or AEAD algorithm is not recognized,
410  *         or the parameters are incompatible, return 0.
411  */
412 #define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
413     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \
414      MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13 : \
415      MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12 : \
416      0 : \
417      (key_type) == PSA_KEY_TYPE_CHACHA20 && \
418      MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12 : \
419      0)
420 
421 /** The maximum default nonce size among all supported pairs of key types and
422  *  AEAD algorithms, in bytes.
423  *
424  * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH()
425  * may return.
426  *
427  * \note This is not the maximum size of nonce supported as input to
428  *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
429  *       just the largest size that may be generated by
430  *       #psa_aead_generate_nonce().
431  */
432 #define PSA_AEAD_NONCE_MAX_SIZE 13
433 
434 /** A sufficient output buffer size for psa_aead_update().
435  *
436  * If the size of the output buffer is at least this large, it is
437  * guaranteed that psa_aead_update() will not fail due to an
438  * insufficient buffer size. The actual size of the output may be smaller
439  * in any given call.
440  *
441  * See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
442  *
443  * \warning This macro may evaluate its arguments multiple times or
444  *          zero times, so you should not pass arguments that contain
445  *          side effects.
446  *
447  * \param key_type            A symmetric key type that is
448  *                            compatible with algorithm \p alg.
449  * \param alg                 An AEAD algorithm
450  *                            (\c PSA_ALG_XXX value such that
451  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
452  * \param input_length        Size of the input in bytes.
453  *
454  * \return                    A sufficient output buffer size for the specified
455  *                            algorithm.
456  *                            If the key type or AEAD algorithm is not
457  *                            recognized, or the parameters are incompatible,
458  *                            return 0.
459  */
460 /* For all the AEAD modes defined in this specification, it is possible
461  * to emit output without delay. However, hardware may not always be
462  * capable of this. So for modes based on a block cipher, allow the
463  * implementation to delay the output until it has a full block. */
464 #define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)                             \
465     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                                             \
466      PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?                                              \
467      PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \
468      (input_length) : \
469      0)
470 
471 /** A sufficient output buffer size for psa_aead_update(), for any of the
472  *  supported key types and AEAD algorithms.
473  *
474  * If the size of the output buffer is at least this large, it is guaranteed
475  * that psa_aead_update() will not fail due to an insufficient buffer size.
476  *
477  * See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
478  *
479  * \param input_length      Size of the input in bytes.
480  */
481 #define PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_length)                           \
482     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)))
483 
484 /** A sufficient ciphertext buffer size for psa_aead_finish().
485  *
486  * If the size of the ciphertext buffer is at least this large, it is
487  * guaranteed that psa_aead_finish() will not fail due to an
488  * insufficient ciphertext buffer size. The actual size of the output may
489  * be smaller in any given call.
490  *
491  * See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.
492  *
493  * \param key_type            A symmetric key type that is
494                               compatible with algorithm \p alg.
495  * \param alg                 An AEAD algorithm
496  *                            (\c PSA_ALG_XXX value such that
497  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
498  *
499  * \return                    A sufficient ciphertext buffer size for the
500  *                            specified algorithm.
501  *                            If the key type or AEAD algorithm is not
502  *                            recognized, or the parameters are incompatible,
503  *                            return 0.
504  */
505 #define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \
506     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \
507      PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \
508      PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
509      0)
510 
511 /** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the
512  *  supported key types and AEAD algorithms.
513  *
514  * See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
515  */
516 #define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
517 
518 /** A sufficient plaintext buffer size for psa_aead_verify().
519  *
520  * If the size of the plaintext buffer is at least this large, it is
521  * guaranteed that psa_aead_verify() will not fail due to an
522  * insufficient plaintext buffer size. The actual size of the output may
523  * be smaller in any given call.
524  *
525  * See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.
526  *
527  * \param key_type            A symmetric key type that is
528  *                            compatible with algorithm \p alg.
529  * \param alg                 An AEAD algorithm
530  *                            (\c PSA_ALG_XXX value such that
531  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
532  *
533  * \return                    A sufficient plaintext buffer size for the
534  *                            specified algorithm.
535  *                            If the key type or AEAD algorithm is not
536  *                            recognized, or the parameters are incompatible,
537  *                            return 0.
538  */
539 #define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \
540     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \
541      PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \
542      PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
543      0)
544 
545 /** A sufficient plaintext buffer size for psa_aead_verify(), for any of the
546  *  supported key types and AEAD algorithms.
547  *
548  * See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).
549  */
550 #define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
551 
552 #define PSA_RSA_MINIMUM_PADDING_SIZE(alg)                         \
553     (PSA_ALG_IS_RSA_OAEP(alg) ?                                   \
554      2 * PSA_HASH_LENGTH(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1 :    \
555      11 /*PKCS#1v1.5*/)
556 
557 /**
558  * \brief ECDSA signature size for a given curve bit size
559  *
560  * \param curve_bits    Curve size in bits.
561  * \return              Signature size in bytes.
562  *
563  * \note This macro returns a compile-time constant if its argument is one.
564  */
565 #define PSA_ECDSA_SIGNATURE_SIZE(curve_bits)    \
566     (PSA_BITS_TO_BYTES(curve_bits) * 2)
567 
568 /** Sufficient signature buffer size for psa_sign_hash().
569  *
570  * This macro returns a sufficient buffer size for a signature using a key
571  * of the specified type and size, with the specified algorithm.
572  * Note that the actual size of the signature may be smaller
573  * (some algorithms produce a variable-size signature).
574  *
575  * \warning This function may call its arguments multiple times or
576  *          zero times, so you should not pass arguments that contain
577  *          side effects.
578  *
579  * \param key_type  An asymmetric key type (this may indifferently be a
580  *                  key pair type or a public key type).
581  * \param key_bits  The size of the key in bits.
582  * \param alg       The signature algorithm.
583  *
584  * \return If the parameters are valid and supported, return
585  *         a buffer size in bytes that guarantees that
586  *         psa_sign_hash() will not fail with
587  *         #PSA_ERROR_BUFFER_TOO_SMALL.
588  *         If the parameters are a valid combination that is not supported,
589  *         return either a sensible size or 0.
590  *         If the parameters are not valid, the
591  *         return value is unspecified.
592  */
593 #define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg)        \
594     (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void) alg, PSA_BITS_TO_BYTES(key_bits)) : \
595      PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \
596      ((void) alg, 0))
597 
598 #define PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE     \
599     PSA_ECDSA_SIGNATURE_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
600 
601 /** \def PSA_SIGNATURE_MAX_SIZE
602  *
603  * Maximum size of an asymmetric signature.
604  *
605  * This macro expands to a compile-time constant integer. This value
606  * is the maximum size of a signature in bytes.
607  */
608 #define PSA_SIGNATURE_MAX_SIZE                               \
609     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) > PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE ? \
610      PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) :                   \
611      PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE)
612 
613 /** Sufficient output buffer size for psa_asymmetric_encrypt().
614  *
615  * This macro returns a sufficient buffer size for a ciphertext produced using
616  * a key of the specified type and size, with the specified algorithm.
617  * Note that the actual size of the ciphertext may be smaller, depending
618  * on the algorithm.
619  *
620  * \warning This function may call its arguments multiple times or
621  *          zero times, so you should not pass arguments that contain
622  *          side effects.
623  *
624  * \param key_type  An asymmetric key type (this may indifferently be a
625  *                  key pair type or a public key type).
626  * \param key_bits  The size of the key in bits.
627  * \param alg       The asymmetric encryption algorithm.
628  *
629  * \return If the parameters are valid and supported, return
630  *         a buffer size in bytes that guarantees that
631  *         psa_asymmetric_encrypt() will not fail with
632  *         #PSA_ERROR_BUFFER_TOO_SMALL.
633  *         If the parameters are a valid combination that is not supported,
634  *         return either a sensible size or 0.
635  *         If the parameters are not valid, the
636  *         return value is unspecified.
637  */
638 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \
639     (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \
640      ((void) alg, PSA_BITS_TO_BYTES(key_bits)) :                         \
641      0)
642 
643 /** A sufficient output buffer size for psa_asymmetric_encrypt(), for any
644  *  supported asymmetric encryption.
645  *
646  * See also #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
647  */
648 /* This macro assumes that RSA is the only supported asymmetric encryption. */
649 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE          \
650     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
651 
652 /** Sufficient output buffer size for psa_asymmetric_decrypt().
653  *
654  * This macro returns a sufficient buffer size for a plaintext produced using
655  * a key of the specified type and size, with the specified algorithm.
656  * Note that the actual size of the plaintext may be smaller, depending
657  * on the algorithm.
658  *
659  * \warning This function may call its arguments multiple times or
660  *          zero times, so you should not pass arguments that contain
661  *          side effects.
662  *
663  * \param key_type  An asymmetric key type (this may indifferently be a
664  *                  key pair type or a public key type).
665  * \param key_bits  The size of the key in bits.
666  * \param alg       The asymmetric encryption algorithm.
667  *
668  * \return If the parameters are valid and supported, return
669  *         a buffer size in bytes that guarantees that
670  *         psa_asymmetric_decrypt() will not fail with
671  *         #PSA_ERROR_BUFFER_TOO_SMALL.
672  *         If the parameters are a valid combination that is not supported,
673  *         return either a sensible size or 0.
674  *         If the parameters are not valid, the
675  *         return value is unspecified.
676  */
677 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \
678     (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \
679      PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) :  \
680      0)
681 
682 /** A sufficient output buffer size for psa_asymmetric_decrypt(), for any
683  *  supported asymmetric decryption.
684  *
685  * This macro assumes that RSA is the only supported asymmetric encryption.
686  *
687  * See also #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
688  */
689 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE          \
690     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
691 
692 /* Maximum size of the ASN.1 encoding of an INTEGER with the specified
693  * number of bits.
694  *
695  * This definition assumes that bits <= 2^19 - 9 so that the length field
696  * is at most 3 bytes. The length of the encoding is the length of the
697  * bit string padded to a whole number of bytes plus:
698  * - 1 type byte;
699  * - 1 to 3 length bytes;
700  * - 0 to 1 bytes of leading 0 due to the sign bit.
701  */
702 #define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits)      \
703     ((bits) / 8 + 5)
704 
705 /* Maximum size of the export encoding of an RSA public key.
706  * Assumes that the public exponent is less than 2^32.
707  *
708  * RSAPublicKey  ::=  SEQUENCE  {
709  *    modulus            INTEGER,    -- n
710  *    publicExponent     INTEGER  }  -- e
711  *
712  * - 4 bytes of SEQUENCE overhead;
713  * - n : INTEGER;
714  * - 7 bytes for the public exponent.
715  */
716 #define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \
717     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11)
718 
719 /* Maximum size of the export encoding of an RSA key pair.
720  * Assumes that the public exponent is less than 2^32 and that the size
721  * difference between the two primes is at most 1 bit.
722  *
723  * RSAPrivateKey ::= SEQUENCE {
724  *     version           Version,  -- 0
725  *     modulus           INTEGER,  -- N-bit
726  *     publicExponent    INTEGER,  -- 32-bit
727  *     privateExponent   INTEGER,  -- N-bit
728  *     prime1            INTEGER,  -- N/2-bit
729  *     prime2            INTEGER,  -- N/2-bit
730  *     exponent1         INTEGER,  -- N/2-bit
731  *     exponent2         INTEGER,  -- N/2-bit
732  *     coefficient       INTEGER,  -- N/2-bit
733  * }
734  *
735  * - 4 bytes of SEQUENCE overhead;
736  * - 3 bytes of version;
737  * - 7 half-size INTEGERs plus 2 full-size INTEGERs,
738  *   overapproximated as 9 half-size INTEGERS;
739  * - 7 bytes for the public exponent.
740  */
741 #define PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits)   \
742     (9 * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2 + 1) + 14)
743 
744 /* Maximum size of the export encoding of a DSA public key.
745  *
746  * SubjectPublicKeyInfo  ::=  SEQUENCE  {
747  *      algorithm            AlgorithmIdentifier,
748  *      subjectPublicKey     BIT STRING  } -- contains DSAPublicKey
749  * AlgorithmIdentifier  ::=  SEQUENCE  {
750  *      algorithm               OBJECT IDENTIFIER,
751  *      parameters              Dss-Params  } -- SEQUENCE of 3 INTEGERs
752  * DSAPublicKey  ::=  INTEGER -- public key, Y
753  *
754  * - 3 * 4 bytes of SEQUENCE overhead;
755  * - 1 + 1 + 7 bytes of algorithm (DSA OID);
756  * - 4 bytes of BIT STRING overhead;
757  * - 3 full-size INTEGERs (p, g, y);
758  * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).
759  */
760 #define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \
761     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 59)
762 
763 /* Maximum size of the export encoding of a DSA key pair.
764  *
765  * DSAPrivateKey ::= SEQUENCE {
766  *     version             Version,  -- 0
767  *     prime               INTEGER,  -- p
768  *     subprime            INTEGER,  -- q
769  *     generator           INTEGER,  -- g
770  *     public              INTEGER,  -- y
771  *     private             INTEGER,  -- x
772  * }
773  *
774  * - 4 bytes of SEQUENCE overhead;
775  * - 3 bytes of version;
776  * - 3 full-size INTEGERs (p, g, y);
777  * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).
778  */
779 #define PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits)   \
780     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 75)
781 
782 /* Maximum size of the export encoding of an ECC public key.
783  *
784  * The representation of an ECC public key is:
785  *      - The byte 0x04;
786  *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
787  *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
788  *      - where m is the bit size associated with the curve.
789  *
790  * - 1 byte + 2 * point size.
791  */
792 #define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)        \
793     (2 * PSA_BITS_TO_BYTES(key_bits) + 1)
794 
795 /* Maximum size of the export encoding of an ECC key pair.
796  *
797  * An ECC key pair is represented by the secret value.
798  */
799 #define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits)   \
800     (PSA_BITS_TO_BYTES(key_bits))
801 
802 /** Sufficient output buffer size for psa_export_key() or
803  * psa_export_public_key().
804  *
805  * This macro returns a compile-time constant if its arguments are
806  * compile-time constants.
807  *
808  * \warning This macro may evaluate its arguments multiple times or
809  *          zero times, so you should not pass arguments that contain
810  *          side effects.
811  *
812  * The following code illustrates how to allocate enough memory to export
813  * a key by querying the key type and size at runtime.
814  * \code{c}
815  * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
816  * psa_status_t status;
817  * status = psa_get_key_attributes(key, &attributes);
818  * if (status != PSA_SUCCESS) handle_error(...);
819  * psa_key_type_t key_type = psa_get_key_type(&attributes);
820  * size_t key_bits = psa_get_key_bits(&attributes);
821  * size_t buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits);
822  * psa_reset_key_attributes(&attributes);
823  * uint8_t *buffer = malloc(buffer_size);
824  * if (buffer == NULL) handle_error(...);
825  * size_t buffer_length;
826  * status = psa_export_key(key, buffer, buffer_size, &buffer_length);
827  * if (status != PSA_SUCCESS) handle_error(...);
828  * \endcode
829  *
830  * \param key_type  A supported key type.
831  * \param key_bits  The size of the key in bits.
832  *
833  * \return If the parameters are valid and supported, return
834  *         a buffer size in bytes that guarantees that
835  *         psa_export_key() or psa_export_public_key() will not fail with
836  *         #PSA_ERROR_BUFFER_TOO_SMALL.
837  *         If the parameters are a valid combination that is not supported,
838  *         return either a sensible size or 0.
839  *         If the parameters are not valid, the return value is unspecified.
840  */
841 #define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits)                                              \
842     (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) :                         \
843      (key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) :     \
844      (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
845      (key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) :     \
846      (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
847      PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) :      \
848      PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) :  \
849      0)
850 
851 /** Sufficient output buffer size for psa_export_public_key().
852  *
853  * This macro returns a compile-time constant if its arguments are
854  * compile-time constants.
855  *
856  * \warning This macro may evaluate its arguments multiple times or
857  *          zero times, so you should not pass arguments that contain
858  *          side effects.
859  *
860  * The following code illustrates how to allocate enough memory to export
861  * a public key by querying the key type and size at runtime.
862  * \code{c}
863  * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
864  * psa_status_t status;
865  * status = psa_get_key_attributes(key, &attributes);
866  * if (status != PSA_SUCCESS) handle_error(...);
867  * psa_key_type_t key_type = psa_get_key_type(&attributes);
868  * size_t key_bits = psa_get_key_bits(&attributes);
869  * size_t buffer_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits);
870  * psa_reset_key_attributes(&attributes);
871  * uint8_t *buffer = malloc(buffer_size);
872  * if (buffer == NULL) handle_error(...);
873  * size_t buffer_length;
874  * status = psa_export_public_key(key, buffer, buffer_size, &buffer_length);
875  * if (status != PSA_SUCCESS) handle_error(...);
876  * \endcode
877  *
878  * \param key_type      A public key or key pair key type.
879  * \param key_bits      The size of the key in bits.
880  *
881  * \return              If the parameters are valid and supported, return
882  *                      a buffer size in bytes that guarantees that
883  *                      psa_export_public_key() will not fail with
884  *                      #PSA_ERROR_BUFFER_TOO_SMALL.
885  *                      If the parameters are a valid combination that is not
886  *                      supported, return either a sensible size or 0.
887  *                      If the parameters are not valid,
888  *                      the return value is unspecified.
889  *
890  *                      If the parameters are valid and supported,
891  *                      return the same result as
892  *                      #PSA_EXPORT_KEY_OUTPUT_SIZE(
893  *                          \p #PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\p key_type),
894  *                          \p key_bits).
895  */
896 #define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits)                           \
897     (PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
898      PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
899      0)
900 
901 /** Sufficient buffer size for exporting any asymmetric key pair.
902  *
903  * This macro expands to a compile-time constant integer. This value is
904  * a sufficient buffer size when calling psa_export_key() to export any
905  * asymmetric key pair, regardless of the exact key type and key size.
906  *
907  * See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
908  */
909 #define PSA_EXPORT_KEY_PAIR_MAX_SIZE                                            \
910     (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) >        \
911      PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ?      \
912      PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) :        \
913      PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
914 
915 /** Sufficient buffer size for exporting any asymmetric public key.
916  *
917  * This macro expands to a compile-time constant integer. This value is
918  * a sufficient buffer size when calling psa_export_key() or
919  * psa_export_public_key() to export any asymmetric public key,
920  * regardless of the exact key type and key size.
921  *
922  * See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
923  */
924 #define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE                                          \
925     (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) >      \
926      PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ?    \
927      PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) :      \
928      PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
929 
930 /** Sufficient output buffer size for psa_raw_key_agreement().
931  *
932  * This macro returns a compile-time constant if its arguments are
933  * compile-time constants.
934  *
935  * \warning This macro may evaluate its arguments multiple times or
936  *          zero times, so you should not pass arguments that contain
937  *          side effects.
938  *
939  * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE.
940  *
941  * \param key_type      A supported key type.
942  * \param key_bits      The size of the key in bits.
943  *
944  * \return              If the parameters are valid and supported, return
945  *                      a buffer size in bytes that guarantees that
946  *                      psa_raw_key_agreement() will not fail with
947  *                      #PSA_ERROR_BUFFER_TOO_SMALL.
948  *                      If the parameters are a valid combination that
949  *                      is not supported, return either a sensible size or 0.
950  *                      If the parameters are not valid,
951  *                      the return value is unspecified.
952  */
953 /* FFDH is not yet supported in PSA. */
954 #define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits)   \
955     (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ?                   \
956      PSA_BITS_TO_BYTES(key_bits) :                              \
957      0)
958 
959 /** Maximum size of the output from psa_raw_key_agreement().
960  *
961  * This macro expands to a compile-time constant integer. This value is the
962  * maximum size of the output any raw key agreement algorithm, in bytes.
963  *
964  * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
965  */
966 #define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE   \
967     (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS))
968 
969 /** The default IV size for a cipher algorithm, in bytes.
970  *
971  * The IV that is generated as part of a call to #psa_cipher_encrypt() is always
972  * the default IV length for the algorithm.
973  *
974  * This macro can be used to allocate a buffer of sufficient size to
975  * store the IV output from #psa_cipher_generate_iv() when using
976  * a multi-part cipher operation.
977  *
978  * See also #PSA_CIPHER_IV_MAX_SIZE.
979  *
980  * \warning This macro may evaluate its arguments multiple times or
981  *          zero times, so you should not pass arguments that contain
982  *          side effects.
983  *
984  * \param key_type  A symmetric key type that is compatible with algorithm \p alg.
985  *
986  * \param alg       A cipher algorithm (\c PSA_ALG_XXX value such that #PSA_ALG_IS_CIPHER(\p alg) is true).
987  *
988  * \return The default IV size for the specified key type and algorithm.
989  *         If the algorithm does not use an IV, return 0.
990  *         If the key type or cipher algorithm is not recognized,
991  *         or the parameters are incompatible, return 0.
992  */
993 #define PSA_CIPHER_IV_LENGTH(key_type, alg) \
994     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1 && \
995      ((alg) == PSA_ALG_CTR || \
996       (alg) == PSA_ALG_CFB || \
997       (alg) == PSA_ALG_OFB || \
998       (alg) == PSA_ALG_XTS || \
999       (alg) == PSA_ALG_CBC_NO_PADDING || \
1000       (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
1001      (key_type) == PSA_KEY_TYPE_CHACHA20 && \
1002      (alg) == PSA_ALG_STREAM_CIPHER ? 12 : \
1003      (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \
1004      0)
1005 
1006 /** The maximum IV size for all supported cipher algorithms, in bytes.
1007  *
1008  * See also #PSA_CIPHER_IV_LENGTH().
1009  */
1010 #define PSA_CIPHER_IV_MAX_SIZE 16
1011 
1012 /** The maximum size of the output of psa_cipher_encrypt(), in bytes.
1013  *
1014  * If the size of the output buffer is at least this large, it is guaranteed
1015  * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
1016  * Depending on the algorithm, the actual size of the output might be smaller.
1017  *
1018  * See also #PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(\p input_length).
1019  *
1020  * \warning This macro may evaluate its arguments multiple times or
1021  *          zero times, so you should not pass arguments that contain
1022  *          side effects.
1023  *
1024  * \param key_type      A symmetric key type that is compatible with algorithm
1025  *                      alg.
1026  * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that
1027  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1028  * \param input_length  Size of the input in bytes.
1029  *
1030  * \return              A sufficient output size for the specified key type and
1031  *                      algorithm. If the key type or cipher algorithm is not
1032  *                      recognized, or the parameters are incompatible,
1033  *                      return 0.
1034  */
1035 #define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length)             \
1036     (alg == PSA_ALG_CBC_PKCS7 ?                                                 \
1037      (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                            \
1038       PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type),          \
1039                                (input_length) + 1) +                             \
1040       PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0) :                             \
1041      (PSA_ALG_IS_CIPHER(alg) ?                                                  \
1042       (input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) :                \
1043       0))
1044 
1045 /** A sufficient output buffer size for psa_cipher_encrypt(), for any of the
1046  *  supported key types and cipher algorithms.
1047  *
1048  * If the size of the output buffer is at least this large, it is guaranteed
1049  * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
1050  *
1051  * See also #PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1052  *
1053  * \param input_length  Size of the input in bytes.
1054  *
1055  */
1056 #define PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_length)                        \
1057     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE,                  \
1058                               (input_length) + 1) +                             \
1059      PSA_CIPHER_IV_MAX_SIZE)
1060 
1061 /** The maximum size of the output of psa_cipher_decrypt(), in bytes.
1062  *
1063  * If the size of the output buffer is at least this large, it is guaranteed
1064  * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
1065  * Depending on the algorithm, the actual size of the output might be smaller.
1066  *
1067  * See also #PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(\p input_length).
1068  *
1069  * \param key_type      A symmetric key type that is compatible with algorithm
1070  *                      alg.
1071  * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that
1072  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1073  * \param input_length  Size of the input in bytes.
1074  *
1075  * \return              A sufficient output size for the specified key type and
1076  *                      algorithm. If the key type or cipher algorithm is not
1077  *                      recognized, or the parameters are incompatible,
1078  *                      return 0.
1079  */
1080 #define PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_length)                 \
1081     (PSA_ALG_IS_CIPHER(alg) &&                                                      \
1082      ((key_type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
1083      (input_length) :                                                               \
1084      0)
1085 
1086 /** A sufficient output buffer size for psa_cipher_decrypt(), for any of the
1087  *  supported key types and cipher algorithms.
1088  *
1089  * If the size of the output buffer is at least this large, it is guaranteed
1090  * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
1091  *
1092  * See also #PSA_CIPHER_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1093  *
1094  * \param input_length  Size of the input in bytes.
1095  */
1096 #define PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_length)    \
1097     (input_length)
1098 
1099 /** A sufficient output buffer size for psa_cipher_update().
1100  *
1101  * If the size of the output buffer is at least this large, it is guaranteed
1102  * that psa_cipher_update() will not fail due to an insufficient buffer size.
1103  * The actual size of the output might be smaller in any given call.
1104  *
1105  * See also #PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
1106  *
1107  * \param key_type      A symmetric key type that is compatible with algorithm
1108  *                      alg.
1109  * \param alg           A cipher algorithm (PSA_ALG_XXX value such that
1110  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1111  * \param input_length  Size of the input in bytes.
1112  *
1113  * \return              A sufficient output size for the specified key type and
1114  *                      algorithm. If the key type or cipher algorithm is not
1115  *                      recognized, or the parameters are incompatible, return 0.
1116  */
1117 #define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)              \
1118     (PSA_ALG_IS_CIPHER(alg) ?                                                   \
1119      (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                             \
1120       (((alg) == PSA_ALG_CBC_PKCS7      ||                                       \
1121         (alg) == PSA_ALG_CBC_NO_PADDING ||                                       \
1122         (alg) == PSA_ALG_ECB_NO_PADDING) ?                                       \
1123        PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type),         \
1124                                 input_length) :                                 \
1125        (input_length)) : 0) :                                                    \
1126      0)
1127 
1128 /** A sufficient output buffer size for psa_cipher_update(), for any of the
1129  *  supported key types and cipher algorithms.
1130  *
1131  * If the size of the output buffer is at least this large, it is guaranteed
1132  * that psa_cipher_update() will not fail due to an insufficient buffer size.
1133  *
1134  * See also #PSA_CIPHER_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1135  *
1136  * \param input_length  Size of the input in bytes.
1137  */
1138 #define PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input_length)     \
1139     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, input_length))
1140 
1141 /** A sufficient ciphertext buffer size for psa_cipher_finish().
1142  *
1143  * If the size of the ciphertext buffer is at least this large, it is
1144  * guaranteed that psa_cipher_finish() will not fail due to an insufficient
1145  * ciphertext buffer size. The actual size of the output might be smaller in
1146  * any given call.
1147  *
1148  * See also #PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE().
1149  *
1150  * \param key_type      A symmetric key type that is compatible with algorithm
1151  *                      alg.
1152  * \param alg           A cipher algorithm (PSA_ALG_XXX value such that
1153  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1154  * \return              A sufficient output size for the specified key type and
1155  *                      algorithm. If the key type or cipher algorithm is not
1156  *                      recognized, or the parameters are incompatible, return 0.
1157  */
1158 #define PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)    \
1159     (PSA_ALG_IS_CIPHER(alg) ?                           \
1160      (alg == PSA_ALG_CBC_PKCS7 ?                        \
1161       PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) :         \
1162       0) :                                              \
1163      0)
1164 
1165 /** A sufficient ciphertext buffer size for psa_cipher_finish(), for any of the
1166  *  supported key types and cipher algorithms.
1167  *
1168  * See also #PSA_CIPHER_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
1169  */
1170 #define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE           \
1171     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
1172 
1173 #endif /* PSA_CRYPTO_SIZES_H */
1174