1 /**
2 * \file psa/crypto_struct.h
3 *
4 * \brief PSA cryptography module: Mbed TLS structured type implementations
5 *
6 * \note This file may not be included directly. Applications must
7 * include psa/crypto.h.
8 *
9 * This file contains the definitions of some data structures with
10 * implementation-specific definitions.
11 *
12 * In implementations with isolation between the application and the
13 * cryptography module, it is expected that the front-end and the back-end
14 * would have different versions of this file.
15 *
16 * <h3>Design notes about multipart operation structures</h3>
17 *
18 * For multipart operations without driver delegation support, each multipart
19 * operation structure contains a `psa_algorithm_t alg` field which indicates
20 * which specific algorithm the structure is for. When the structure is not in
21 * use, `alg` is 0. Most of the structure consists of a union which is
22 * discriminated by `alg`.
23 *
24 * For multipart operations with driver delegation support, each multipart
25 * operation structure contains an `unsigned int id` field indicating which
26 * driver got assigned to do the operation. When the structure is not in use,
27 * 'id' is 0. The structure contains also a driver context which is the union
28 * of the contexts of all drivers able to handle the type of multipart
29 * operation.
30 *
31 * Note that when `alg` or `id` is 0, the content of other fields is undefined.
32 * In particular, it is not guaranteed that a freshly-initialized structure
33 * is all-zero: we initialize structures to something like `{0, 0}`, which
34 * is only guaranteed to initializes the first member of the union;
35 * GCC and Clang initialize the whole structure to 0 (at the time of writing),
36 * but MSVC and CompCert don't.
37 *
38 * In Mbed TLS, multipart operation structures live independently from
39 * the key. This allows Mbed TLS to free the key objects when destroying
40 * a key slot. If a multipart operation needs to remember the key after
41 * the setup function returns, the operation structure needs to contain a
42 * copy of the key.
43 */
44 /*
45 * Copyright The Mbed TLS Contributors
46 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
47 */
48
49 #ifndef PSA_CRYPTO_STRUCT_H
50 #define PSA_CRYPTO_STRUCT_H
51 #include "mbedtls/private_access.h"
52
53 #ifdef __cplusplus
54 extern "C" {
55 #endif
56
57 /*
58 * Include the build-time configuration information header. Here, we do not
59 * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
60 * is basically just an alias to it. This is to ease the maintenance of the
61 * TF-PSA-Crypto repository which has a different build system and
62 * configuration.
63 */
64 #include "psa/build_info.h"
65
66 /* Include the context definition for the compiled-in drivers for the primitive
67 * algorithms. */
68 #include "psa/crypto_driver_contexts_primitives.h"
69
70 struct psa_hash_operation_s {
71 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
72 mbedtls_psa_client_handle_t handle;
73 #else
74 /** Unique ID indicating which driver got assigned to do the
75 * operation. Since driver contexts are driver-specific, swapping
76 * drivers halfway through the operation is not supported.
77 * ID values are auto-generated in psa_driver_wrappers.h.
78 * ID value zero means the context is not valid or not assigned to
79 * any driver (i.e. the driver context is not active, in use). */
80 unsigned int MBEDTLS_PRIVATE(id);
81 psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx);
82 #endif
83 };
84 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
85 #define PSA_HASH_OPERATION_INIT { 0 }
86 #else
87 #define PSA_HASH_OPERATION_INIT { 0, { 0 } }
88 #endif
psa_hash_operation_init(void)89 static inline struct psa_hash_operation_s psa_hash_operation_init(void)
90 {
91 const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
92 return v;
93 }
94
95 struct psa_cipher_operation_s {
96 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
97 mbedtls_psa_client_handle_t handle;
98 #else
99 /** Unique ID indicating which driver got assigned to do the
100 * operation. Since driver contexts are driver-specific, swapping
101 * drivers halfway through the operation is not supported.
102 * ID values are auto-generated in psa_crypto_driver_wrappers.h
103 * ID value zero means the context is not valid or not assigned to
104 * any driver (i.e. none of the driver contexts are active). */
105 unsigned int MBEDTLS_PRIVATE(id);
106
107 unsigned int MBEDTLS_PRIVATE(iv_required) : 1;
108 unsigned int MBEDTLS_PRIVATE(iv_set) : 1;
109
110 uint8_t MBEDTLS_PRIVATE(default_iv_length);
111
112 psa_driver_cipher_context_t MBEDTLS_PRIVATE(ctx);
113 #endif
114 };
115
116 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
117 #define PSA_CIPHER_OPERATION_INIT { 0 }
118 #else
119 #define PSA_CIPHER_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
120 #endif
psa_cipher_operation_init(void)121 static inline struct psa_cipher_operation_s psa_cipher_operation_init(void)
122 {
123 const struct psa_cipher_operation_s v = PSA_CIPHER_OPERATION_INIT;
124 return v;
125 }
126
127 /* Include the context definition for the compiled-in drivers for the composite
128 * algorithms. */
129 #include "psa/crypto_driver_contexts_composites.h"
130
131 struct psa_mac_operation_s {
132 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
133 mbedtls_psa_client_handle_t handle;
134 #else
135 /** Unique ID indicating which driver got assigned to do the
136 * operation. Since driver contexts are driver-specific, swapping
137 * drivers halfway through the operation is not supported.
138 * ID values are auto-generated in psa_driver_wrappers.h
139 * ID value zero means the context is not valid or not assigned to
140 * any driver (i.e. none of the driver contexts are active). */
141 unsigned int MBEDTLS_PRIVATE(id);
142 uint8_t MBEDTLS_PRIVATE(mac_size);
143 unsigned int MBEDTLS_PRIVATE(is_sign) : 1;
144 psa_driver_mac_context_t MBEDTLS_PRIVATE(ctx);
145 #endif
146 };
147
148 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
149 #define PSA_MAC_OPERATION_INIT { 0 }
150 #else
151 #define PSA_MAC_OPERATION_INIT { 0, 0, 0, { 0 } }
152 #endif
psa_mac_operation_init(void)153 static inline struct psa_mac_operation_s psa_mac_operation_init(void)
154 {
155 const struct psa_mac_operation_s v = PSA_MAC_OPERATION_INIT;
156 return v;
157 }
158
159 struct psa_aead_operation_s {
160 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
161 mbedtls_psa_client_handle_t handle;
162 #else
163 /** Unique ID indicating which driver got assigned to do the
164 * operation. Since driver contexts are driver-specific, swapping
165 * drivers halfway through the operation is not supported.
166 * ID values are auto-generated in psa_crypto_driver_wrappers.h
167 * ID value zero means the context is not valid or not assigned to
168 * any driver (i.e. none of the driver contexts are active). */
169 unsigned int MBEDTLS_PRIVATE(id);
170
171 psa_algorithm_t MBEDTLS_PRIVATE(alg);
172 psa_key_type_t MBEDTLS_PRIVATE(key_type);
173
174 size_t MBEDTLS_PRIVATE(ad_remaining);
175 size_t MBEDTLS_PRIVATE(body_remaining);
176
177 unsigned int MBEDTLS_PRIVATE(nonce_set) : 1;
178 unsigned int MBEDTLS_PRIVATE(lengths_set) : 1;
179 unsigned int MBEDTLS_PRIVATE(ad_started) : 1;
180 unsigned int MBEDTLS_PRIVATE(body_started) : 1;
181 unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
182
183 psa_driver_aead_context_t MBEDTLS_PRIVATE(ctx);
184 #endif
185 };
186
187 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
188 #define PSA_AEAD_OPERATION_INIT { 0 }
189 #else
190 #define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, { 0 } }
191 #endif
psa_aead_operation_init(void)192 static inline struct psa_aead_operation_s psa_aead_operation_init(void)
193 {
194 const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;
195 return v;
196 }
197
198 /* Include the context definition for the compiled-in drivers for the key
199 * derivation algorithms. */
200 #include "psa/crypto_driver_contexts_key_derivation.h"
201
202 struct psa_key_derivation_s {
203 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
204 mbedtls_psa_client_handle_t handle;
205 #else
206 psa_algorithm_t MBEDTLS_PRIVATE(alg);
207 unsigned int MBEDTLS_PRIVATE(can_output_key) : 1;
208 size_t MBEDTLS_PRIVATE(capacity);
209 psa_driver_key_derivation_context_t MBEDTLS_PRIVATE(ctx);
210 #endif
211 };
212
213 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
214 #define PSA_KEY_DERIVATION_OPERATION_INIT { 0 }
215 #else
216 /* This only zeroes out the first byte in the union, the rest is unspecified. */
217 #define PSA_KEY_DERIVATION_OPERATION_INIT { 0, 0, 0, { 0 } }
218 #endif
psa_key_derivation_operation_init(void)219 static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
220 void)
221 {
222 const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
223 return v;
224 }
225
226 struct psa_key_production_parameters_s {
227 /* Future versions may add other fields in this structure. */
228 uint32_t flags;
229 uint8_t data[];
230 };
231
232 /** The default production parameters for key generation or key derivation.
233 *
234 * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext()
235 * with `params=PSA_KEY_PRODUCTION_PARAMETERS_INIT` and
236 * `params_data_length == 0` is equivalent to
237 * calling psa_generate_key() or psa_key_derivation_output_key()
238 * respectively.
239 */
240 #define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 }
241
242 struct psa_key_policy_s {
243 psa_key_usage_t MBEDTLS_PRIVATE(usage);
244 psa_algorithm_t MBEDTLS_PRIVATE(alg);
245 psa_algorithm_t MBEDTLS_PRIVATE(alg2);
246 };
247 typedef struct psa_key_policy_s psa_key_policy_t;
248
249 #define PSA_KEY_POLICY_INIT { 0, 0, 0 }
psa_key_policy_init(void)250 static inline struct psa_key_policy_s psa_key_policy_init(void)
251 {
252 const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;
253 return v;
254 }
255
256 /* The type used internally for key sizes.
257 * Public interfaces use size_t, but internally we use a smaller type. */
258 typedef uint16_t psa_key_bits_t;
259 /* The maximum value of the type used to represent bit-sizes.
260 * This is used to mark an invalid key size. */
261 #define PSA_KEY_BITS_TOO_LARGE ((psa_key_bits_t) -1)
262 /* The maximum size of a key in bits.
263 * Currently defined as the maximum that can be represented, rounded down
264 * to a whole number of bytes.
265 * This is an uncast value so that it can be used in preprocessor
266 * conditionals. */
267 #define PSA_MAX_KEY_BITS 0xfff8
268
269 struct psa_key_attributes_s {
270 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
271 psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
272 int MBEDTLS_PRIVATE(has_slot_number);
273 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
274 psa_key_type_t MBEDTLS_PRIVATE(type);
275 psa_key_bits_t MBEDTLS_PRIVATE(bits);
276 psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime);
277 psa_key_policy_t MBEDTLS_PRIVATE(policy);
278 /* This type has a different layout in the client view wrt the
279 * service view of the key id, i.e. in service view usually is
280 * expected to have MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined
281 * thus adding an owner field to the standard psa_key_id_t. For
282 * implementations with client/service separation, this means the
283 * object will be marshalled through a transport channel and
284 * interpreted differently at each side of the transport. Placing
285 * it at the end of structures allows to interpret the structure
286 * at the client without reorganizing the memory layout of the
287 * struct
288 */
289 mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id);
290 };
291
292 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
293 #define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER 0, 0,
294 #else
295 #define PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER
296 #endif
297 #define PSA_KEY_ATTRIBUTES_INIT { PSA_KEY_ATTRIBUTES_MAYBE_SLOT_NUMBER \
298 PSA_KEY_TYPE_NONE, 0, \
299 PSA_KEY_LIFETIME_VOLATILE, \
300 PSA_KEY_POLICY_INIT, \
301 MBEDTLS_SVC_KEY_ID_INIT }
302
psa_key_attributes_init(void)303 static inline struct psa_key_attributes_s psa_key_attributes_init(void)
304 {
305 const struct psa_key_attributes_s v = PSA_KEY_ATTRIBUTES_INIT;
306 return v;
307 }
308
psa_set_key_id(psa_key_attributes_t * attributes,mbedtls_svc_key_id_t key)309 static inline void psa_set_key_id(psa_key_attributes_t *attributes,
310 mbedtls_svc_key_id_t key)
311 {
312 psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(lifetime);
313
314 attributes->MBEDTLS_PRIVATE(id) = key;
315
316 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
317 attributes->MBEDTLS_PRIVATE(lifetime) =
318 PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
319 PSA_KEY_LIFETIME_PERSISTENT,
320 PSA_KEY_LIFETIME_GET_LOCATION(lifetime));
321 }
322 }
323
psa_get_key_id(const psa_key_attributes_t * attributes)324 static inline mbedtls_svc_key_id_t psa_get_key_id(
325 const psa_key_attributes_t *attributes)
326 {
327 return attributes->MBEDTLS_PRIVATE(id);
328 }
329
330 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
mbedtls_set_key_owner_id(psa_key_attributes_t * attributes,mbedtls_key_owner_id_t owner)331 static inline void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
332 mbedtls_key_owner_id_t owner)
333 {
334 attributes->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner;
335 }
336 #endif
337
psa_set_key_lifetime(psa_key_attributes_t * attributes,psa_key_lifetime_t lifetime)338 static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
339 psa_key_lifetime_t lifetime)
340 {
341 attributes->MBEDTLS_PRIVATE(lifetime) = lifetime;
342 if (PSA_KEY_LIFETIME_IS_VOLATILE(lifetime)) {
343 #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
344 attributes->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0;
345 #else
346 attributes->MBEDTLS_PRIVATE(id) = 0;
347 #endif
348 }
349 }
350
psa_get_key_lifetime(const psa_key_attributes_t * attributes)351 static inline psa_key_lifetime_t psa_get_key_lifetime(
352 const psa_key_attributes_t *attributes)
353 {
354 return attributes->MBEDTLS_PRIVATE(lifetime);
355 }
356
psa_extend_key_usage_flags(psa_key_usage_t * usage_flags)357 static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags)
358 {
359 if (*usage_flags & PSA_KEY_USAGE_SIGN_HASH) {
360 *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
361 }
362
363 if (*usage_flags & PSA_KEY_USAGE_VERIFY_HASH) {
364 *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
365 }
366 }
367
psa_set_key_usage_flags(psa_key_attributes_t * attributes,psa_key_usage_t usage_flags)368 static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
369 psa_key_usage_t usage_flags)
370 {
371 psa_extend_key_usage_flags(&usage_flags);
372 attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags;
373 }
374
psa_get_key_usage_flags(const psa_key_attributes_t * attributes)375 static inline psa_key_usage_t psa_get_key_usage_flags(
376 const psa_key_attributes_t *attributes)
377 {
378 return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage);
379 }
380
psa_set_key_algorithm(psa_key_attributes_t * attributes,psa_algorithm_t alg)381 static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes,
382 psa_algorithm_t alg)
383 {
384 attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg;
385 }
386
psa_get_key_algorithm(const psa_key_attributes_t * attributes)387 static inline psa_algorithm_t psa_get_key_algorithm(
388 const psa_key_attributes_t *attributes)
389 {
390 return attributes->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg);
391 }
392
psa_set_key_type(psa_key_attributes_t * attributes,psa_key_type_t type)393 static inline void psa_set_key_type(psa_key_attributes_t *attributes,
394 psa_key_type_t type)
395 {
396 attributes->MBEDTLS_PRIVATE(type) = type;
397 }
398
psa_get_key_type(const psa_key_attributes_t * attributes)399 static inline psa_key_type_t psa_get_key_type(
400 const psa_key_attributes_t *attributes)
401 {
402 return attributes->MBEDTLS_PRIVATE(type);
403 }
404
psa_set_key_bits(psa_key_attributes_t * attributes,size_t bits)405 static inline void psa_set_key_bits(psa_key_attributes_t *attributes,
406 size_t bits)
407 {
408 if (bits > PSA_MAX_KEY_BITS) {
409 attributes->MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE;
410 } else {
411 attributes->MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits;
412 }
413 }
414
psa_get_key_bits(const psa_key_attributes_t * attributes)415 static inline size_t psa_get_key_bits(
416 const psa_key_attributes_t *attributes)
417 {
418 return attributes->MBEDTLS_PRIVATE(bits);
419 }
420
421 /**
422 * \brief The context for PSA interruptible hash signing.
423 */
424 struct psa_sign_hash_interruptible_operation_s {
425 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
426 mbedtls_psa_client_handle_t handle;
427 #else
428 /** Unique ID indicating which driver got assigned to do the
429 * operation. Since driver contexts are driver-specific, swapping
430 * drivers halfway through the operation is not supported.
431 * ID values are auto-generated in psa_crypto_driver_wrappers.h
432 * ID value zero means the context is not valid or not assigned to
433 * any driver (i.e. none of the driver contexts are active). */
434 unsigned int MBEDTLS_PRIVATE(id);
435
436 psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
437
438 unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
439
440 uint32_t MBEDTLS_PRIVATE(num_ops);
441 #endif
442 };
443
444 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
445 #define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
446 #else
447 #define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
448 #endif
449
450 static inline struct psa_sign_hash_interruptible_operation_s
psa_sign_hash_interruptible_operation_init(void)451 psa_sign_hash_interruptible_operation_init(void)
452 {
453 const struct psa_sign_hash_interruptible_operation_s v =
454 PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
455
456 return v;
457 }
458
459 /**
460 * \brief The context for PSA interruptible hash verification.
461 */
462 struct psa_verify_hash_interruptible_operation_s {
463 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
464 mbedtls_psa_client_handle_t handle;
465 #else
466 /** Unique ID indicating which driver got assigned to do the
467 * operation. Since driver contexts are driver-specific, swapping
468 * drivers halfway through the operation is not supported.
469 * ID values are auto-generated in psa_crypto_driver_wrappers.h
470 * ID value zero means the context is not valid or not assigned to
471 * any driver (i.e. none of the driver contexts are active). */
472 unsigned int MBEDTLS_PRIVATE(id);
473
474 psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
475
476 unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
477
478 uint32_t MBEDTLS_PRIVATE(num_ops);
479 #endif
480 };
481
482 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT) && !defined(MBEDTLS_PSA_CRYPTO_C)
483 #define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
484 #else
485 #define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
486 #endif
487
488 static inline struct psa_verify_hash_interruptible_operation_s
psa_verify_hash_interruptible_operation_init(void)489 psa_verify_hash_interruptible_operation_init(void)
490 {
491 const struct psa_verify_hash_interruptible_operation_s v =
492 PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
493
494 return v;
495 }
496
497 #ifdef __cplusplus
498 }
499 #endif
500
501 #endif /* PSA_CRYPTO_STRUCT_H */
502
