1 /**
2 * \file psa/crypto_struct.h
3 *
4 * \brief PSA cryptography module: Mbed TLS structured type implementations
5 *
6 * \note This file may not be included directly. Applications must
7 * include psa/crypto.h.
8 *
9 * This file contains the definitions of some data structures with
10 * implementation-specific definitions.
11 *
12 * In implementations with isolation between the application and the
13 * cryptography module, it is expected that the front-end and the back-end
14 * would have different versions of this file.
15 *
16 * <h3>Design notes about multipart operation structures</h3>
17 *
18 * For multipart operations without driver delegation support, each multipart
19 * operation structure contains a `psa_algorithm_t alg` field which indicates
20 * which specific algorithm the structure is for. When the structure is not in
21 * use, `alg` is 0. Most of the structure consists of a union which is
22 * discriminated by `alg`.
23 *
24 * For multipart operations with driver delegation support, each multipart
25 * operation structure contains an `unsigned int id` field indicating which
26 * driver got assigned to do the operation. When the structure is not in use,
27 * 'id' is 0. The structure contains also a driver context which is the union
28 * of the contexts of all drivers able to handle the type of multipart
29 * operation.
30 *
31 * Note that when `alg` or `id` is 0, the content of other fields is undefined.
32 * In particular, it is not guaranteed that a freshly-initialized structure
33 * is all-zero: we initialize structures to something like `{0, 0}`, which
34 * is only guaranteed to initializes the first member of the union;
35 * GCC and Clang initialize the whole structure to 0 (at the time of writing),
36 * but MSVC and CompCert don't.
37 *
38 * In Mbed TLS, multipart operation structures live independently from
39 * the key. This allows Mbed TLS to free the key objects when destroying
40 * a key slot. If a multipart operation needs to remember the key after
41 * the setup function returns, the operation structure needs to contain a
42 * copy of the key.
43 */
44 /*
45 * Copyright The Mbed TLS Contributors
46 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
47 */
48
49 #ifndef PSA_CRYPTO_STRUCT_H
50 #define PSA_CRYPTO_STRUCT_H
51 #include "mbedtls/private_access.h"
52
53 #ifdef __cplusplus
54 extern "C" {
55 #endif
56
57 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
58 * in each of its header files. */
59 #include "mbedtls/build_info.h"
60
61 /* Include the context definition for the compiled-in drivers for the primitive
62 * algorithms. */
63 #include "psa/crypto_driver_contexts_primitives.h"
64
65 struct psa_hash_operation_s {
66 /** Unique ID indicating which driver got assigned to do the
67 * operation. Since driver contexts are driver-specific, swapping
68 * drivers halfway through the operation is not supported.
69 * ID values are auto-generated in psa_driver_wrappers.h.
70 * ID value zero means the context is not valid or not assigned to
71 * any driver (i.e. the driver context is not active, in use). */
72 unsigned int MBEDTLS_PRIVATE(id);
73 psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx);
74 };
75
76 #define PSA_HASH_OPERATION_INIT { 0, { 0 } }
psa_hash_operation_init(void)77 static inline struct psa_hash_operation_s psa_hash_operation_init(void)
78 {
79 const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
80 return v;
81 }
82
83 struct psa_cipher_operation_s {
84 /** Unique ID indicating which driver got assigned to do the
85 * operation. Since driver contexts are driver-specific, swapping
86 * drivers halfway through the operation is not supported.
87 * ID values are auto-generated in psa_crypto_driver_wrappers.h
88 * ID value zero means the context is not valid or not assigned to
89 * any driver (i.e. none of the driver contexts are active). */
90 unsigned int MBEDTLS_PRIVATE(id);
91
92 unsigned int MBEDTLS_PRIVATE(iv_required) : 1;
93 unsigned int MBEDTLS_PRIVATE(iv_set) : 1;
94
95 uint8_t MBEDTLS_PRIVATE(default_iv_length);
96
97 psa_driver_cipher_context_t MBEDTLS_PRIVATE(ctx);
98 };
99
100 #define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
psa_cipher_operation_init(void)101 static inline struct psa_cipher_operation_s psa_cipher_operation_init(void)
102 {
103 const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT;
104 return v;
105 }
106
107 /* Include the context definition for the compiled-in drivers for the composite
108 * algorithms. */
109 #include "psa/crypto_driver_contexts_composites.h"
110
111 struct psa_mac_operation_s {
112 /** Unique ID indicating which driver got assigned to do the
113 * operation. Since driver contexts are driver-specific, swapping
114 * drivers halfway through the operation is not supported.
115 * ID values are auto-generated in psa_driver_wrappers.h
116 * ID value zero means the context is not valid or not assigned to
117 * any driver (i.e. none of the driver contexts are active). */
118 unsigned int MBEDTLS_PRIVATE(id);
119 uint8_t MBEDTLS_PRIVATE(mac_size);
120 unsigned int MBEDTLS_PRIVATE(is_sign) : 1;
121 psa_driver_mac_context_t MBEDTLS_PRIVATE(ctx);
122 };
123
124 #define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } }
psa_mac_operation_init(void)125 static inline struct psa_mac_operation_s psa_mac_operation_init(void)
126 {
127 const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT;
128 return v;
129 }
130
131 struct psa_aead_operation_s {
132
133 /** Unique ID indicating which driver got assigned to do the
134 * operation. Since driver contexts are driver-specific, swapping
135 * drivers halfway through the operation is not supported.
136 * ID values are auto-generated in psa_crypto_driver_wrappers.h
137 * ID value zero means the context is not valid or not assigned to
138 * any driver (i.e. none of the driver contexts are active). */
139 unsigned int MBEDTLS_PRIVATE(id);
140
141 psa_algorithm_t MBEDTLS_PRIVATE(alg);
142 psa_key_type_t MBEDTLS_PRIVATE(key_type);
143
144 size_t MBEDTLS_PRIVATE(ad_remaining);
145 size_t MBEDTLS_PRIVATE(body_remaining);
146
147 unsigned int MBEDTLS_PRIVATE(nonce_set) : 1;
148 unsigned int MBEDTLS_PRIVATE(lengths_set) : 1;
149 unsigned int MBEDTLS_PRIVATE(ad_started) : 1;
150 unsigned int MBEDTLS_PRIVATE(body_started) : 1;
151 unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
152
153 psa_driver_aead_context_t MBEDTLS_PRIVATE(ctx);
154 };
155
156 #define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, { 0 } }
psa_aead_operation_init(void)157 static inline struct psa_aead_operation_s psa_aead_operation_init(void)
158 {
159 const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;
160 return v;
161 }
162
163 /* Include the context definition for the compiled-in drivers for the key
164 * derivation algorithms. */
165 #include "psa/crypto_driver_contexts_key_derivation.h"
166
167 struct psa_key_derivation_s {
168 psa_algorithm_t MBEDTLS_PRIVATE(alg);
169 unsigned int MBEDTLS_PRIVATE(can_output_key) : 1;
170 size_t MBEDTLS_PRIVATE(capacity);
171 psa_driver_key_derivation_context_t MBEDTLS_PRIVATE(ctx);
172 };
173
174 /* This only zeroes out the first byte in the union, the rest is unspecified. */
175 #define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } }
psa_key_derivation_operation_init(void)176 static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
177 void)
178 {
179 const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
180 return v;
181 }
182
183 struct psa_key_policy_s {
184 psa_key_usage_t MBEDTLS_PRIVATE(usage);
185 psa_algorithm_t MBEDTLS_PRIVATE(alg);
186 psa_algorithm_t MBEDTLS_PRIVATE(alg2);
187 };
188 typedef struct psa_key_policy_s psa_key_policy_t;
189
190 #define PSA_KEY_POLICY_INIT { 0, 0, 0 }
psa_key_policy_init(void)191 static inline struct psa_key_policy_s psa_key_policy_init(void)
192 {
193 const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
194 return v;
195 }
196
197 /* The type used internally for key sizes.
198 * Public interfaces use size_t, but internally we use a smaller type. */
199 typedef uint16_t psa_key_bits_t;
200 /* The maximum value of the type used to represent bit-sizes.
201 * This is used to mark an invalid key size. */
202 #define PSA_KEY_BITS_TOO_LARGE ((psa_key_bits_t) -1)
203 /* The maximum size of a key in bits.
204 * Currently defined as the maximum that can be represented, rounded down
205 * to a whole number of bytes.
206 * This is an uncast value so that it can be used in preprocessor
207 * conditionals. */
208 #define PSA_MAX_KEY_BITS 0xfff8
209
210 /** A mask of flags that can be stored in key attributes.
211 *
212 * This type is also used internally to store flags in slots. Internal
213 * flags are defined in library/psa_crypto_core.h. Internal flags may have
214 * the same value as external flags if they are properly handled during
215 * key creation and in psa_get_key_attributes.
216 */
217 typedef uint16_t psa_key_attributes_flag_t;
218
219 #define MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER \
220 ((psa_key_attributes_flag_t) 0x0001)
221
222 /* A mask of key attribute flags used externally only.
223 * Only meant for internal checks inside the library. */
224 #define MBEDTLS_PSA_KA_MASK_EXTERNAL_ONLY ( \
225 MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER | \
226 0)
227
228 /* A mask of key attribute flags used both internally and externally.
229 * Currently there aren't any. */
230 #define MBEDTLS_PSA_KA_MASK_DUAL_USE ( \
231 0)
232
233 typedef struct {
234 psa_key_type_t MBEDTLS_PRIVATE(type);
235 psa_key_bits_t MBEDTLS_PRIVATE(bits);
236 psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime);
237 mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
238 psa_key_policy_t MBEDTLS_PRIVATE(policy);
239 psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags);
240 } psa_core_key_attributes_t;
241
242 #define PSA_CORE_KEY_ATTRIBUTES_INIT { PSA_KEY_TYPE_NONE, 0, \
243 PSA_KEY_LIFETIME_VOLATILE, \
244 MBEDTLS_SVC_KEY_ID_INIT, \
245 PSA_KEY_POLICY_INIT, 0 }
246
247 struct psa_key_attributes_s {
248 psa_core_key_attributes_t MBEDTLS_PRIVATE(core);
249 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
250 psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
251 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
252 void *MBEDTLS_PRIVATE(domain_parameters);
253 size_t MBEDTLS_PRIVATE(domain_parameters_size);
254 };
255
256 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
257 #define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, 0, NULL, 0 }
258 #else
259 #define PSA_KEY_ATTRIBUTES_INIT { PSA_CORE_KEY_ATTRIBUTES_INIT, NULL, 0 }
260 #endif
261
psa_key_attributes_init(void)262 static inline struct psa_key_attributes_s psa_key_attributes_init(void)
263 {
264 const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
265 return v;
266 }
267
psa_set_key_id(psa_key_attributes_t * attributes,mbedtls_svc_key_id_t key)268 static inline void psa_set_key_id(psa_key_attributes_t *attributes,
269 mbedtls_svc_key_id_t key)
270 {
271 psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime);
272
273 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = key;
274
275 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
276 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) =
277 PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
278 PSA_KEY_LIFETIME_PERSISTENT,
279 PSA_KEY_LIFETIME_GET_LOCATION(lifetime));
280 }
281 }
282
psa_get_key_id(const psa_key_attributes_t * attributes)283 static inline mbedtls_svc_key_id_t psa_get_key_id(
284 const psa_key_attributes_t *attributes)
285 {
286 return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id);
287 }
288
289 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
mbedtls_set_key_owner_id(psa_key_attributes_t * attributes,mbedtls_key_owner_id_t owner)290 static inline void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
291 mbedtls_key_owner_id_t owner)
292 {
293 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner;
294 }
295 #endif
296
psa_set_key_lifetime(psa_key_attributes_t * attributes,psa_key_lifetime_t lifetime)297 static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
298 psa_key_lifetime_t lifetime)
299 {
300 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) = lifetime;
301 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
302 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
303 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0;
304 #else
305 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = 0;
306 #endif
307 }
308 }
309
psa_get_key_lifetime(const psa_key_attributes_t * attributes)310 static inline psa_key_lifetime_t psa_get_key_lifetime(
311 const psa_key_attributes_t *attributes)
312 {
313 return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime);
314 }
315
psa_extend_key_usage_flags(psa_key_usage_t * usage_flags)316 static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags)
317 {
318 if (*usage_flags & PSA_KEY_USAGE_SIGN_HASH) {
319 *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
320 }
321
322 if (*usage_flags & PSA_KEY_USAGE_VERIFY_HASH) {
323 *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
324 }
325 }
326
psa_set_key_usage_flags(psa_key_attributes_t * attributes,psa_key_usage_t usage_flags)327 static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
328 psa_key_usage_t usage_flags)
329 {
330 psa_extend_key_usage_flags(&usage_flags);
331 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags;
332 }
333
psa_get_key_usage_flags(const psa_key_attributes_t * attributes)334 static inline psa_key_usage_t psa_get_key_usage_flags(
335 const psa_key_attributes_t *attributes)
336 {
337 return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage);
338 }
339
psa_set_key_algorithm(psa_key_attributes_t * attributes,psa_algorithm_t alg)340 static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes,
341 psa_algorithm_t alg)
342 {
343 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg;
344 }
345
psa_get_key_algorithm(const psa_key_attributes_t * attributes)346 static inline psa_algorithm_t psa_get_key_algorithm(
347 const psa_key_attributes_t *attributes)
348 {
349 return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg);
350 }
351
352 /* This function is declared in crypto_extra.h, which comes after this
353 * header file, but we need the function here, so repeat the declaration. */
354 psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
355 psa_key_type_t type,
356 const uint8_t *data,
357 size_t data_length);
358
psa_set_key_type(psa_key_attributes_t * attributes,psa_key_type_t type)359 static inline void psa_set_key_type(psa_key_attributes_t *attributes,
360 psa_key_type_t type)
361 {
362 if (attributes->MBEDTLS_PRIVATE(domain_parameters) == NULL) {
363 /* Common case: quick path */
364 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) = type;
365 } else {
366 /* Call the bigger function to free the old domain parameters.
367 * Ignore any errors which may arise due to type requiring
368 * non-default domain parameters, since this function can't
369 * report errors. */
370 (void) psa_set_key_domain_parameters(attributes, type, NULL, 0);
371 }
372 }
373
psa_get_key_type(const psa_key_attributes_t * attributes)374 static inline psa_key_type_t psa_get_key_type(
375 const psa_key_attributes_t *attributes)
376 {
377 return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type);
378 }
379
psa_set_key_bits(psa_key_attributes_t * attributes,size_t bits)380 static inline void psa_set_key_bits(psa_key_attributes_t *attributes,
381 size_t bits)
382 {
383 if (bits > PSA_MAX_KEY_BITS) {
384 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE;
385 } else {
386 attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits;
387 }
388 }
389
psa_get_key_bits(const psa_key_attributes_t * attributes)390 static inline size_t psa_get_key_bits(
391 const psa_key_attributes_t *attributes)
392 {
393 return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits);
394 }
395
396 /**
397 * \brief The context for PSA interruptible hash signing.
398 */
399 struct psa_sign_hash_interruptible_operation_s {
400 /** Unique ID indicating which driver got assigned to do the
401 * operation. Since driver contexts are driver-specific, swapping
402 * drivers halfway through the operation is not supported.
403 * ID values are auto-generated in psa_crypto_driver_wrappers.h
404 * ID value zero means the context is not valid or not assigned to
405 * any driver (i.e. none of the driver contexts are active). */
406 unsigned int MBEDTLS_PRIVATE(id);
407
408 psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
409
410 unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
411
412 uint32_t MBEDTLS_PRIVATE(num_ops);
413 };
414
415 #define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
416
417 static inline struct psa_sign_hash_interruptible_operation_s
psa_sign_hash_interruptible_operation_init(void)418 psa_sign_hash_interruptible_operation_init(void)
419 {
420 const struct psa_sign_hash_interruptible_operation_s v =
421 PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
422
423 return v;
424 }
425
426 /**
427 * \brief The context for PSA interruptible hash verification.
428 */
429 struct psa_verify_hash_interruptible_operation_s {
430 /** Unique ID indicating which driver got assigned to do the
431 * operation. Since driver contexts are driver-specific, swapping
432 * drivers halfway through the operation is not supported.
433 * ID values are auto-generated in psa_crypto_driver_wrappers.h
434 * ID value zero means the context is not valid or not assigned to
435 * any driver (i.e. none of the driver contexts are active). */
436 unsigned int MBEDTLS_PRIVATE(id);
437
438 psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
439
440 unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
441
442 uint32_t MBEDTLS_PRIVATE(num_ops);
443 };
444
445 #define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
446
447 static inline struct psa_verify_hash_interruptible_operation_s
psa_verify_hash_interruptible_operation_init(void)448 psa_verify_hash_interruptible_operation_init(void)
449 {
450 const struct psa_verify_hash_interruptible_operation_s v =
451 PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
452
453 return v;
454 }
455
456 #ifdef __cplusplus
457 }
458 #endif
459
460 #endif /* PSA_CRYPTO_STRUCT_H */
461
