1 /*
2  * Copyright (c) 2018-2023, Arm Limited. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  *
6  */
7 /**
8  * \file psa/crypto_sizes.h
9  *
10  * \brief PSA cryptography module: Mbed TLS buffer size macros
11  *
12  * \note This file may not be included directly. Applications must
13  * include psa/crypto.h.
14  *
15  * This file contains the definitions of macros that are useful to
16  * compute buffer sizes. The signatures and semantics of these macros
17  * are standardized, but the definitions are not, because they depend on
18  * the available algorithms and, in some cases, on permitted tolerances
19  * on buffer sizes.
20  *
21  * In implementations with isolation between the application and the
22  * cryptography module, implementers should take care to ensure that
23  * the definitions that are exposed to applications match what the
24  * module implements.
25  *
26  * Macros that compute sizes whose values do not depend on the
27  * implementation are in crypto.h.
28  */
29 
30 #ifndef PSA_CRYPTO_SIZES_H
31 #define PSA_CRYPTO_SIZES_H
32 
33 #define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8)
34 #define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8)
35 
36 #define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
37     (((length) + (block_size) - 1) / (block_size) * (block_size))
38 
39 /** The size of the output of psa_hash_finish(), in bytes.
40  *
41  * This is also the hash size that psa_hash_verify() expects.
42  *
43  * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that
44  *              #PSA_ALG_IS_HASH(\p alg) is true), or an HMAC algorithm
45  *              (#PSA_ALG_HMAC(\c hash_alg) where \c hash_alg is a
46  *              hash algorithm).
47  *
48  * \return The hash size for the specified hash algorithm.
49  *         If the hash algorithm is not recognized, return 0.
50  */
51 #define PSA_HASH_LENGTH(alg)                                        \
52     (                                                               \
53         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 16 :            \
54         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 20 :      \
55         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 20 :          \
56         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 28 :        \
57         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 32 :        \
58         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 48 :        \
59         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 64 :        \
60         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 28 :    \
61         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 32 :    \
62         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 28 :       \
63         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 32 :       \
64         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 48 :       \
65         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 :       \
66         0)
67 
68 /** The input block size of a hash algorithm, in bytes.
69  *
70  * Hash algorithms process their input data in blocks. Hash operations will
71  * retain any partial blocks until they have enough input to fill the block or
72  * until the operation is finished.
73  * This affects the output from psa_hash_suspend().
74  *
75  * \param alg   A hash algorithm (\c PSA_ALG_XXX value such that
76  *              PSA_ALG_IS_HASH(\p alg) is true).
77  *
78  * \return      The block size in bytes for the specified hash algorithm.
79  *              If the hash algorithm is not recognized, return 0.
80  *              An implementation can return either 0 or the correct size for a
81  *              hash algorithm that it recognizes, but does not support.
82  */
83 #define PSA_HASH_BLOCK_LENGTH(alg)                                  \
84     (                                                               \
85         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64 :            \
86         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64 :      \
87         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64 :          \
88         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64 :        \
89         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64 :        \
90         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128 :       \
91         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128 :       \
92         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128 :   \
93         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128 :   \
94         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144 :      \
95         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136 :      \
96         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104 :      \
97         PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72 :       \
98         0)
99 
100 /** \def PSA_HASH_MAX_SIZE
101  *
102  * Maximum size of a hash.
103  *
104  * This macro expands to a compile-time constant integer. This value
105  * is the maximum size of a hash in bytes.
106  */
107 /* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
108  * 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
109  * HMAC-SHA3-512. */
110 #if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384)
111 #define PSA_HASH_MAX_SIZE 64
112 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
113 #else
114 #define PSA_HASH_MAX_SIZE 32
115 #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
116 #endif
117 
118 /** \def PSA_MAC_MAX_SIZE
119  *
120  * Maximum size of a MAC.
121  *
122  * This macro expands to a compile-time constant integer. This value
123  * is the maximum size of a MAC in bytes.
124  */
125 /* All non-HMAC MACs have a maximum size that's smaller than the
126  * minimum possible value of PSA_HASH_MAX_SIZE in this implementation. */
127 /* Note that the encoding of truncated MAC algorithms limits this value
128  * to 64 bytes.
129  */
130 #define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
131 
132 /** The length of a tag for an AEAD algorithm, in bytes.
133  *
134  * This macro can be used to allocate a buffer of sufficient size to store the
135  * tag output from psa_aead_finish().
136  *
137  * See also #PSA_AEAD_TAG_MAX_SIZE.
138  *
139  * \param key_type            The type of the AEAD key.
140  * \param key_bits            The size of the AEAD key in bits.
141  * \param alg                 An AEAD algorithm
142  *                            (\c PSA_ALG_XXX value such that
143  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
144  *
145  * \return                    The tag length for the specified algorithm and key.
146  *                            If the AEAD algorithm does not have an identified
147  *                            tag that can be distinguished from the rest of
148  *                            the ciphertext, return 0.
149  *                            If the key type or AEAD algorithm is not
150  *                            recognized, or the parameters are incompatible,
151  *                            return 0.
152  */
153 #define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg)                        \
154     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                            \
155      PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :                                     \
156      ((void) (key_bits), 0))
157 
158 /** The maximum tag size for all supported AEAD algorithms, in bytes.
159  *
160  * See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).
161  */
162 #define PSA_AEAD_TAG_MAX_SIZE       16
163 
164 /* The maximum size of an RSA key on this implementation, in bits.
165  * This is a vendor-specific macro.
166  *
167  * Mbed TLS does not set a hard limit on the size of RSA keys: any key
168  * whose parameters fit in a bignum is accepted. However large keys can
169  * induce a large memory usage and long computation times. Unlike other
170  * auxiliary macros in this file and in crypto.h, which reflect how the
171  * library is configured, this macro defines how the library is
172  * configured. This implementation refuses to import or generate an
173  * RSA key whose size is larger than the value defined here.
174  *
175  * Note that an implementation may set different size limits for different
176  * operations, and does not need to accept all key sizes up to the limit. */
177 #define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
178 
179 /* The maximum size of an ECC key on this implementation, in bits.
180  * This is a vendor-specific macro. */
181 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
182 #if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
183 #include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
184 #else
185 #include "crypto_config.h"
186 #endif
187 #if defined(PSA_WANT_ECC_SECP_R1_521)
188 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 521
189 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
190 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 512
191 #elif defined(PSA_WANT_ECC_MONTGOMERY_448)
192 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 448
193 #elif defined(PSA_WANT_ECC_SECP_R1_384)
194 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
195 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
196 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 384
197 #elif defined(PSA_WANT_ECC_SECP_R1_256)
198 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
199 #elif defined(PSA_WANT_ECC_SECP_K1_256)
200 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
201 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
202 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 256
203 #elif defined(PSA_WANT_ECC_MONTGOMERY_255)
204 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 255
205 #elif defined(PSA_WANT_ECC_SECP_R1_224)
206 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
207 #elif defined(PSA_WANT_ECC_SECP_K1_224)
208 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 224
209 #elif defined(PSA_WANT_ECC_SECP_R1_192)
210 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
211 #elif defined(PSA_WANT_ECC_SECP_K1_192)
212 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 192
213 #else
214 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 0
215 #endif
216 #else /* defined(MBEDTLS_PSA_CRYPTO_CONFIG)  */
217 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 521
218 #endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG)  */
219 
220 /** This macro returns the maximum supported length of the PSK for the
221  * TLS-1.2 PSK-to-MS key derivation
222  * (#PSA_ALG_TLS12_PSK_TO_MS(\c hash_alg)).
223  *
224  * The maximum supported length does not depend on the chosen hash algorithm.
225  *
226  * Quoting RFC 4279, Sect 5.3:
227  * TLS implementations supporting these ciphersuites MUST support
228  * arbitrary PSK identities up to 128 octets in length, and arbitrary
229  * PSKs up to 64 octets in length.  Supporting longer identities and
230  * keys is RECOMMENDED.
231  *
232  * Therefore, no implementation should define a value smaller than 64
233  * for #PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE.
234  */
235 #define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE 128
236 
237 /* The expected size of input passed to psa_tls12_ecjpake_to_pms_input,
238  * which is expected to work with P-256 curve only. */
239 #define PSA_TLS12_ECJPAKE_TO_PMS_INPUT_SIZE 65
240 
241 /* The size of a serialized K.X coordinate to be used in
242  * psa_tls12_ecjpake_to_pms_input. This function only accepts the P-256
243  * curve. */
244 #define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32
245 
246 /** The maximum size of a block cipher. */
247 #define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
248 
249 /** The size of the output of psa_mac_sign_finish(), in bytes.
250  *
251  * This is also the MAC size that psa_mac_verify_finish() expects.
252  *
253  * \warning This macro may evaluate its arguments multiple times or
254  *          zero times, so you should not pass arguments that contain
255  *          side effects.
256  *
257  * \param key_type      The type of the MAC key.
258  * \param key_bits      The size of the MAC key in bits.
259  * \param alg           A MAC algorithm (\c PSA_ALG_XXX value such that
260  *                      #PSA_ALG_IS_MAC(\p alg) is true).
261  *
262  * \return              The MAC size for the specified algorithm with
263  *                      the specified key parameters.
264  * \return              0 if the MAC algorithm is not recognized.
265  * \return              Either 0 or the correct size for a MAC algorithm that
266  *                      the implementation recognizes, but does not support.
267  * \return              Unspecified if the key parameters are not consistent
268  *                      with the algorithm.
269  */
270 #define PSA_MAC_LENGTH(key_type, key_bits, alg)                                   \
271     ((alg) & PSA_ALG_MAC_TRUNCATION_MASK ? PSA_MAC_TRUNCATED_LENGTH(alg) :        \
272      PSA_ALG_IS_HMAC(alg) ? PSA_HASH_LENGTH(PSA_ALG_HMAC_GET_HASH(alg)) :         \
273      PSA_ALG_IS_BLOCK_CIPHER_MAC(alg) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
274      ((void)(key_type), (void)(key_bits), 0))
275 
276 /** The maximum size of the output of psa_aead_encrypt(), in bytes.
277  *
278  * If the size of the ciphertext buffer is at least this large, it is
279  * guaranteed that psa_aead_encrypt() will not fail due to an
280  * insufficient buffer size. Depending on the algorithm, the actual size of
281  * the ciphertext may be smaller.
282  *
283  * See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).
284  *
285  * \warning This macro may evaluate its arguments multiple times or
286  *          zero times, so you should not pass arguments that contain
287  *          side effects.
288  *
289  * \param key_type            A symmetric key type that is
290  *                            compatible with algorithm \p alg.
291  * \param alg                 An AEAD algorithm
292  *                            (\c PSA_ALG_XXX value such that
293  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
294  * \param plaintext_length    Size of the plaintext in bytes.
295  *
296  * \return                    The AEAD ciphertext size for the specified
297  *                            algorithm.
298  *                            If the key type or AEAD algorithm is not
299  *                            recognized, or the parameters are incompatible,
300  *                            return 0.
301  */
302 #define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
303     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                      \
304      (plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :          \
305      0)
306 
307 /** A sufficient output buffer size for psa_aead_encrypt(), for any of the
308  *  supported key types and AEAD algorithms.
309  *
310  * If the size of the ciphertext buffer is at least this large, it is guaranteed
311  * that psa_aead_encrypt() will not fail due to an insufficient buffer size.
312  *
313  * \note This macro returns a compile-time constant if its arguments are
314  *       compile-time constants.
315  *
316  * See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,
317  * \p plaintext_length).
318  *
319  * \param plaintext_length    Size of the plaintext in bytes.
320  *
321  * \return                    A sufficient output buffer size for any of the
322  *                            supported key types and AEAD algorithms.
323  *
324  */
325 #define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length)          \
326     ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)
327 
328 
329 /** The maximum size of the output of psa_aead_decrypt(), in bytes.
330  *
331  * If the size of the plaintext buffer is at least this large, it is
332  * guaranteed that psa_aead_decrypt() will not fail due to an
333  * insufficient buffer size. Depending on the algorithm, the actual size of
334  * the plaintext may be smaller.
335  *
336  * See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).
337  *
338  * \warning This macro may evaluate its arguments multiple times or
339  *          zero times, so you should not pass arguments that contain
340  *          side effects.
341  *
342  * \param key_type            A symmetric key type that is
343  *                            compatible with algorithm \p alg.
344  * \param alg                 An AEAD algorithm
345  *                            (\c PSA_ALG_XXX value such that
346  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
347  * \param ciphertext_length   Size of the plaintext in bytes.
348  *
349  * \return                    The AEAD ciphertext size for the specified
350  *                            algorithm.
351  *                            If the key type or AEAD algorithm is not
352  *                            recognized, or the parameters are incompatible,
353  *                            return 0.
354  */
355 #define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
356     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&                      \
357          (ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ?      \
358          (ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) :      \
359      0)
360 
361 /** A sufficient output buffer size for psa_aead_decrypt(), for any of the
362  *  supported key types and AEAD algorithms.
363  *
364  * If the size of the plaintext buffer is at least this large, it is guaranteed
365  * that psa_aead_decrypt() will not fail due to an insufficient buffer size.
366  *
367  * \note This macro returns a compile-time constant if its arguments are
368  *       compile-time constants.
369  *
370  * See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,
371  * \p ciphertext_length).
372  *
373  * \param ciphertext_length   Size of the ciphertext in bytes.
374  *
375  * \return                    A sufficient output buffer size for any of the
376  *                            supported key types and AEAD algorithms.
377  *
378  */
379 #define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length)     \
380      (ciphertext_length)
381 
382 /** The default nonce size for an AEAD algorithm, in bytes.
383  *
384  * This macro can be used to allocate a buffer of sufficient size to
385  * store the nonce output from #psa_aead_generate_nonce().
386  *
387  * See also #PSA_AEAD_NONCE_MAX_SIZE.
388  *
389  * \note This is not the maximum size of nonce supported as input to
390  *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
391  *       just the default size that is generated by #psa_aead_generate_nonce().
392  *
393  * \warning This macro may evaluate its arguments multiple times or
394  *          zero times, so you should not pass arguments that contain
395  *          side effects.
396  *
397  * \param key_type  A symmetric key type that is compatible with
398  *                  algorithm \p alg.
399  *
400  * \param alg       An AEAD algorithm (\c PSA_ALG_XXX value such that
401  *                  #PSA_ALG_IS_AEAD(\p alg) is true).
402  *
403  * \return The default nonce size for the specified key type and algorithm.
404  *         If the key type or AEAD algorithm is not recognized,
405  *         or the parameters are incompatible, return 0.
406  */
407 #define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
408     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \
409           MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13 : \
410           MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12 : \
411           0 : \
412      (key_type) == PSA_KEY_TYPE_CHACHA20 && \
413           MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12 : \
414      0)
415 
416 /** The maximum default nonce size among all supported pairs of key types and
417  *  AEAD algorithms, in bytes.
418  *
419  * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH()
420  * may return.
421  *
422  * \note This is not the maximum size of nonce supported as input to
423  *       #psa_aead_set_nonce(), #psa_aead_encrypt() or #psa_aead_decrypt(),
424  *       just the largest size that may be generated by
425  *       #psa_aead_generate_nonce().
426  */
427 #define PSA_AEAD_NONCE_MAX_SIZE 13
428 
429 /** A sufficient output buffer size for psa_aead_update().
430  *
431  * If the size of the output buffer is at least this large, it is
432  * guaranteed that psa_aead_update() will not fail due to an
433  * insufficient buffer size. The actual size of the output may be smaller
434  * in any given call.
435  *
436  * See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
437  *
438  * \warning This macro may evaluate its arguments multiple times or
439  *          zero times, so you should not pass arguments that contain
440  *          side effects.
441  *
442  * \param key_type            A symmetric key type that is
443  *                            compatible with algorithm \p alg.
444  * \param alg                 An AEAD algorithm
445  *                            (\c PSA_ALG_XXX value such that
446  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
447  * \param input_length        Size of the input in bytes.
448  *
449  * \return                    A sufficient output buffer size for the specified
450  *                            algorithm.
451  *                            If the key type or AEAD algorithm is not
452  *                            recognized, or the parameters are incompatible,
453  *                            return 0.
454  */
455 /* For all the AEAD modes defined in this specification, it is possible
456  * to emit output without delay. However, hardware may not always be
457  * capable of this. So for modes based on a block cipher, allow the
458  * implementation to delay the output until it has a full block. */
459 #define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)                             \
460     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                                             \
461          PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?                                              \
462          PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \
463          (input_length) : \
464      0)
465 
466 /** A sufficient output buffer size for psa_aead_update(), for any of the
467  *  supported key types and AEAD algorithms.
468  *
469  * If the size of the output buffer is at least this large, it is guaranteed
470  * that psa_aead_update() will not fail due to an insufficient buffer size.
471  *
472  * See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
473  *
474  * \param input_length      Size of the input in bytes.
475  */
476 #define PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_length)                           \
477     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)))
478 
479 /** A sufficient ciphertext buffer size for psa_aead_finish().
480  *
481  * If the size of the ciphertext buffer is at least this large, it is
482  * guaranteed that psa_aead_finish() will not fail due to an
483  * insufficient ciphertext buffer size. The actual size of the output may
484  * be smaller in any given call.
485  *
486  * See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.
487  *
488  * \param key_type            A symmetric key type that is
489                               compatible with algorithm \p alg.
490  * \param alg                 An AEAD algorithm
491  *                            (\c PSA_ALG_XXX value such that
492  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
493  *
494  * \return                    A sufficient ciphertext buffer size for the
495  *                            specified algorithm.
496  *                            If the key type or AEAD algorithm is not
497  *                            recognized, or the parameters are incompatible,
498  *                            return 0.
499  */
500 #define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \
501     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \
502          PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \
503          PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
504      0)
505 
506 /** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the
507  *  supported key types and AEAD algorithms.
508  *
509  * See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
510  */
511 #define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
512 
513 /** A sufficient plaintext buffer size for psa_aead_verify().
514  *
515  * If the size of the plaintext buffer is at least this large, it is
516  * guaranteed that psa_aead_verify() will not fail due to an
517  * insufficient plaintext buffer size. The actual size of the output may
518  * be smaller in any given call.
519  *
520  * See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.
521  *
522  * \param key_type            A symmetric key type that is
523  *                            compatible with algorithm \p alg.
524  * \param alg                 An AEAD algorithm
525  *                            (\c PSA_ALG_XXX value such that
526  *                            #PSA_ALG_IS_AEAD(\p alg) is true).
527  *
528  * \return                    A sufficient plaintext buffer size for the
529  *                            specified algorithm.
530  *                            If the key type or AEAD algorithm is not
531  *                            recognized, or the parameters are incompatible,
532  *                            return 0.
533  */
534 #define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \
535     (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&  \
536          PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ?    \
537          PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
538      0)
539 
540 /** A sufficient plaintext buffer size for psa_aead_verify(), for any of the
541  *  supported key types and AEAD algorithms.
542  *
543  * See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).
544  */
545 #define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
546 
547 #define PSA_RSA_MINIMUM_PADDING_SIZE(alg)                         \
548     (PSA_ALG_IS_RSA_OAEP(alg) ?                                   \
549      2 * PSA_HASH_LENGTH(PSA_ALG_RSA_OAEP_GET_HASH(alg)) + 1 :    \
550      11 /*PKCS#1v1.5*/)
551 
552 /**
553  * \brief ECDSA signature size for a given curve bit size
554  *
555  * \param curve_bits    Curve size in bits.
556  * \return              Signature size in bytes.
557  *
558  * \note This macro returns a compile-time constant if its argument is one.
559  */
560 #define PSA_ECDSA_SIGNATURE_SIZE(curve_bits)    \
561     (PSA_BITS_TO_BYTES(curve_bits) * 2)
562 
563 /** Sufficient signature buffer size for psa_sign_hash().
564  *
565  * This macro returns a sufficient buffer size for a signature using a key
566  * of the specified type and size, with the specified algorithm.
567  * Note that the actual size of the signature may be smaller
568  * (some algorithms produce a variable-size signature).
569  *
570  * \warning This function may call its arguments multiple times or
571  *          zero times, so you should not pass arguments that contain
572  *          side effects.
573  *
574  * \param key_type  An asymmetric key type (this may indifferently be a
575  *                  key pair type or a public key type).
576  * \param key_bits  The size of the key in bits.
577  * \param alg       The signature algorithm.
578  *
579  * \return If the parameters are valid and supported, return
580  *         a buffer size in bytes that guarantees that
581  *         psa_sign_hash() will not fail with
582  *         #PSA_ERROR_BUFFER_TOO_SMALL.
583  *         If the parameters are a valid combination that is not supported,
584  *         return either a sensible size or 0.
585  *         If the parameters are not valid, the
586  *         return value is unspecified.
587  */
588 #define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg)        \
589     (PSA_KEY_TYPE_IS_RSA(key_type) ? ((void)alg, PSA_BITS_TO_BYTES(key_bits)) : \
590      PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(key_bits) : \
591      ((void)alg, 0))
592 
593 #define PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE     \
594     PSA_ECDSA_SIGNATURE_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
595 
596 /** \def PSA_SIGNATURE_MAX_SIZE
597  *
598  * Maximum size of an asymmetric signature.
599  *
600  * This macro expands to a compile-time constant integer. This value
601  * is the maximum size of a signature in bytes.
602  */
603 #define PSA_SIGNATURE_MAX_SIZE                               \
604     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) > PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE ? \
605      PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS) :                   \
606      PSA_VENDOR_ECDSA_SIGNATURE_MAX_SIZE)
607 
608 /** Sufficient output buffer size for psa_asymmetric_encrypt().
609  *
610  * This macro returns a sufficient buffer size for a ciphertext produced using
611  * a key of the specified type and size, with the specified algorithm.
612  * Note that the actual size of the ciphertext may be smaller, depending
613  * on the algorithm.
614  *
615  * \warning This function may call its arguments multiple times or
616  *          zero times, so you should not pass arguments that contain
617  *          side effects.
618  *
619  * \param key_type  An asymmetric key type (this may indifferently be a
620  *                  key pair type or a public key type).
621  * \param key_bits  The size of the key in bits.
622  * \param alg       The asymmetric encryption algorithm.
623  *
624  * \return If the parameters are valid and supported, return
625  *         a buffer size in bytes that guarantees that
626  *         psa_asymmetric_encrypt() will not fail with
627  *         #PSA_ERROR_BUFFER_TOO_SMALL.
628  *         If the parameters are a valid combination that is not supported,
629  *         return either a sensible size or 0.
630  *         If the parameters are not valid, the
631  *         return value is unspecified.
632  */
633 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \
634     (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \
635      ((void)alg, PSA_BITS_TO_BYTES(key_bits)) :                         \
636      0)
637 
638 /** A sufficient output buffer size for psa_asymmetric_encrypt(), for any
639  *  supported asymmetric encryption.
640  *
641  * See also #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
642  */
643 /* This macro assumes that RSA is the only supported asymmetric encryption. */
644 #define PSA_ASYMMETRIC_ENCRYPT_OUTPUT_MAX_SIZE          \
645     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
646 
647 /** Sufficient output buffer size for psa_asymmetric_decrypt().
648  *
649  * This macro returns a sufficient buffer size for a plaintext produced using
650  * a key of the specified type and size, with the specified algorithm.
651  * Note that the actual size of the plaintext may be smaller, depending
652  * on the algorithm.
653  *
654  * \warning This function may call its arguments multiple times or
655  *          zero times, so you should not pass arguments that contain
656  *          side effects.
657  *
658  * \param key_type  An asymmetric key type (this may indifferently be a
659  *                  key pair type or a public key type).
660  * \param key_bits  The size of the key in bits.
661  * \param alg       The asymmetric encryption algorithm.
662  *
663  * \return If the parameters are valid and supported, return
664  *         a buffer size in bytes that guarantees that
665  *         psa_asymmetric_decrypt() will not fail with
666  *         #PSA_ERROR_BUFFER_TOO_SMALL.
667  *         If the parameters are a valid combination that is not supported,
668  *         return either a sensible size or 0.
669  *         If the parameters are not valid, the
670  *         return value is unspecified.
671  */
672 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(key_type, key_bits, alg)     \
673     (PSA_KEY_TYPE_IS_RSA(key_type) ?                                    \
674      PSA_BITS_TO_BYTES(key_bits) - PSA_RSA_MINIMUM_PADDING_SIZE(alg) :  \
675      0)
676 
677 /** A sufficient output buffer size for psa_asymmetric_decrypt(), for any
678  *  supported asymmetric decryption.
679  *
680  * This macro assumes that RSA is the only supported asymmetric encryption.
681  *
682  * See also #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\p key_type, \p key_bits, \p alg).
683  */
684 #define PSA_ASYMMETRIC_DECRYPT_OUTPUT_MAX_SIZE          \
685     (PSA_BITS_TO_BYTES(PSA_VENDOR_RSA_MAX_KEY_BITS))
686 
687 /* Maximum size of the ASN.1 encoding of an INTEGER with the specified
688  * number of bits.
689  *
690  * This definition assumes that bits <= 2^19 - 9 so that the length field
691  * is at most 3 bytes. The length of the encoding is the length of the
692  * bit string padded to a whole number of bytes plus:
693  * - 1 type byte;
694  * - 1 to 3 length bytes;
695  * - 0 to 1 bytes of leading 0 due to the sign bit.
696  */
697 #define PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(bits)      \
698     ((bits) / 8 + 5)
699 
700 /* Maximum size of the export encoding of an RSA public key.
701  * Assumes that the public exponent is less than 2^32.
702  *
703  * RSAPublicKey  ::=  SEQUENCE  {
704  *    modulus            INTEGER,    -- n
705  *    publicExponent     INTEGER  }  -- e
706  *
707  * - 4 bytes of SEQUENCE overhead;
708  * - n : INTEGER;
709  * - 7 bytes for the public exponent.
710  */
711 #define PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \
712     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) + 11)
713 
714 /* Maximum size of the export encoding of an RSA key pair.
715  * Assumes that the public exponent is less than 2^32 and that the size
716  * difference between the two primes is at most 1 bit.
717  *
718  * RSAPrivateKey ::= SEQUENCE {
719  *     version           Version,  -- 0
720  *     modulus           INTEGER,  -- N-bit
721  *     publicExponent    INTEGER,  -- 32-bit
722  *     privateExponent   INTEGER,  -- N-bit
723  *     prime1            INTEGER,  -- N/2-bit
724  *     prime2            INTEGER,  -- N/2-bit
725  *     exponent1         INTEGER,  -- N/2-bit
726  *     exponent2         INTEGER,  -- N/2-bit
727  *     coefficient       INTEGER,  -- N/2-bit
728  * }
729  *
730  * - 4 bytes of SEQUENCE overhead;
731  * - 3 bytes of version;
732  * - 7 half-size INTEGERs plus 2 full-size INTEGERs,
733  *   overapproximated as 9 half-size INTEGERS;
734  * - 7 bytes for the public exponent.
735  */
736 #define PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits)   \
737     (9 * PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE((key_bits) / 2 + 1) + 14)
738 
739 /* Maximum size of the export encoding of a DSA public key.
740  *
741  * SubjectPublicKeyInfo  ::=  SEQUENCE  {
742  *      algorithm            AlgorithmIdentifier,
743  *      subjectPublicKey     BIT STRING  } -- contains DSAPublicKey
744  * AlgorithmIdentifier  ::=  SEQUENCE  {
745  *      algorithm               OBJECT IDENTIFIER,
746  *      parameters              Dss-Params  } -- SEQUENCE of 3 INTEGERs
747  * DSAPublicKey  ::=  INTEGER -- public key, Y
748  *
749  * - 3 * 4 bytes of SEQUENCE overhead;
750  * - 1 + 1 + 7 bytes of algorithm (DSA OID);
751  * - 4 bytes of BIT STRING overhead;
752  * - 3 full-size INTEGERs (p, g, y);
753  * - 1 + 1 + 32 bytes for 1 sub-size INTEGER (q <= 256 bits).
754  */
755 #define PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits)        \
756     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 59)
757 
758 /* Maximum size of the export encoding of a DSA key pair.
759  *
760  * DSAPrivateKey ::= SEQUENCE {
761  *     version             Version,  -- 0
762  *     prime               INTEGER,  -- p
763  *     subprime            INTEGER,  -- q
764  *     generator           INTEGER,  -- g
765  *     public              INTEGER,  -- y
766  *     private             INTEGER,  -- x
767  * }
768  *
769  * - 4 bytes of SEQUENCE overhead;
770  * - 3 bytes of version;
771  * - 3 full-size INTEGERs (p, g, y);
772  * - 2 * (1 + 1 + 32) bytes for 2 sub-size INTEGERs (q, x <= 256 bits).
773  */
774 #define PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits)   \
775     (PSA_KEY_EXPORT_ASN1_INTEGER_MAX_SIZE(key_bits) * 3 + 75)
776 
777 /* Maximum size of the export encoding of an ECC public key.
778  *
779  * The representation of an ECC public key is:
780  *      - The byte 0x04;
781  *      - `x_P` as a `ceiling(m/8)`-byte string, big-endian;
782  *      - `y_P` as a `ceiling(m/8)`-byte string, big-endian;
783  *      - where m is the bit size associated with the curve.
784  *
785  * - 1 byte + 2 * point size.
786  */
787 #define PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)        \
788     (2 * PSA_BITS_TO_BYTES(key_bits) + 1)
789 
790 /* Maximum size of the export encoding of an ECC key pair.
791  *
792  * An ECC key pair is represented by the secret value.
793  */
794 #define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits)   \
795     (PSA_BITS_TO_BYTES(key_bits))
796 
797 /** Sufficient output buffer size for psa_export_key() or
798  * psa_export_public_key().
799  *
800  * This macro returns a compile-time constant if its arguments are
801  * compile-time constants.
802  *
803  * \warning This macro may evaluate its arguments multiple times or
804  *          zero times, so you should not pass arguments that contain
805  *          side effects.
806  *
807  * The following code illustrates how to allocate enough memory to export
808  * a key by querying the key type and size at runtime.
809  * \code{c}
810  * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
811  * psa_status_t status;
812  * status = psa_get_key_attributes(key, &attributes);
813  * if (status != PSA_SUCCESS) handle_error(...);
814  * psa_key_type_t key_type = psa_get_key_type(&attributes);
815  * size_t key_bits = psa_get_key_bits(&attributes);
816  * size_t buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits);
817  * psa_reset_key_attributes(&attributes);
818  * uint8_t *buffer = malloc(buffer_size);
819  * if (buffer == NULL) handle_error(...);
820  * size_t buffer_length;
821  * status = psa_export_key(key, buffer, buffer_size, &buffer_length);
822  * if (status != PSA_SUCCESS) handle_error(...);
823  * \endcode
824  *
825  * \param key_type  A supported key type.
826  * \param key_bits  The size of the key in bits.
827  *
828  * \return If the parameters are valid and supported, return
829  *         a buffer size in bytes that guarantees that
830  *         psa_export_key() or psa_export_public_key() will not fail with
831  *         #PSA_ERROR_BUFFER_TOO_SMALL.
832  *         If the parameters are a valid combination that is not supported,
833  *         return either a sensible size or 0.
834  *         If the parameters are not valid, the return value is unspecified.
835  */
836 #define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits)                                              \
837     (PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) :                         \
838      (key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) :     \
839      (key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
840      (key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) :     \
841      (key_type) == PSA_KEY_TYPE_DSA_PUBLIC_KEY ? PSA_KEY_EXPORT_DSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
842      PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) :      \
843      PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) :  \
844      0)
845 
846 /** Sufficient output buffer size for psa_export_public_key().
847  *
848  * This macro returns a compile-time constant if its arguments are
849  * compile-time constants.
850  *
851  * \warning This macro may evaluate its arguments multiple times or
852  *          zero times, so you should not pass arguments that contain
853  *          side effects.
854  *
855  * The following code illustrates how to allocate enough memory to export
856  * a public key by querying the key type and size at runtime.
857  * \code{c}
858  * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
859  * psa_status_t status;
860  * status = psa_get_key_attributes(key, &attributes);
861  * if (status != PSA_SUCCESS) handle_error(...);
862  * psa_key_type_t key_type = psa_get_key_type(&attributes);
863  * size_t key_bits = psa_get_key_bits(&attributes);
864  * size_t buffer_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits);
865  * psa_reset_key_attributes(&attributes);
866  * uint8_t *buffer = malloc(buffer_size);
867  * if (buffer == NULL) handle_error(...);
868  * size_t buffer_length;
869  * status = psa_export_public_key(key, buffer, buffer_size, &buffer_length);
870  * if (status != PSA_SUCCESS) handle_error(...);
871  * \endcode
872  *
873  * \param key_type      A public key or key pair key type.
874  * \param key_bits      The size of the key in bits.
875  *
876  * \return              If the parameters are valid and supported, return
877  *                      a buffer size in bytes that guarantees that
878  *                      psa_export_public_key() will not fail with
879  *                      #PSA_ERROR_BUFFER_TOO_SMALL.
880  *                      If the parameters are a valid combination that is not
881  *                      supported, return either a sensible size or 0.
882  *                      If the parameters are not valid,
883  *                      the return value is unspecified.
884  *
885  *                      If the parameters are valid and supported,
886  *                      return the same result as
887  *                      #PSA_EXPORT_KEY_OUTPUT_SIZE(
888  *                          \p #PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\p key_type),
889  *                          \p key_bits).
890  */
891 #define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits)                           \
892     (PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
893      PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
894      0)
895 
896 /** Sufficient buffer size for exporting any asymmetric key pair.
897  *
898  * This macro expands to a compile-time constant integer. This value is
899  * a sufficient buffer size when calling psa_export_key() to export any
900  * asymmetric key pair, regardless of the exact key type and key size.
901  *
902  * See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
903  */
904 #define PSA_EXPORT_KEY_PAIR_MAX_SIZE                                            \
905     (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) >        \
906      PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ?      \
907      PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) :        \
908      PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
909 
910 /** Sufficient buffer size for exporting any asymmetric public key.
911  *
912  * This macro expands to a compile-time constant integer. This value is
913  * a sufficient buffer size when calling psa_export_key() or
914  * psa_export_public_key() to export any asymmetric public key,
915  * regardless of the exact key type and key size.
916  *
917  * See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
918  */
919 #define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE                                          \
920     (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) >      \
921      PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ?    \
922      PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) :      \
923      PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
924 
925 /** Sufficient output buffer size for psa_raw_key_agreement().
926  *
927  * This macro returns a compile-time constant if its arguments are
928  * compile-time constants.
929  *
930  * \warning This macro may evaluate its arguments multiple times or
931  *          zero times, so you should not pass arguments that contain
932  *          side effects.
933  *
934  * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE.
935  *
936  * \param key_type      A supported key type.
937  * \param key_bits      The size of the key in bits.
938  *
939  * \return              If the parameters are valid and supported, return
940  *                      a buffer size in bytes that guarantees that
941  *                      psa_raw_key_agreement() will not fail with
942  *                      #PSA_ERROR_BUFFER_TOO_SMALL.
943  *                      If the parameters are a valid combination that
944  *                      is not supported, return either a sensible size or 0.
945  *                      If the parameters are not valid,
946  *                      the return value is unspecified.
947  */
948 /* FFDH is not yet supported in PSA. */
949 #define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits)   \
950     (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ?                   \
951      PSA_BITS_TO_BYTES(key_bits) :                              \
952      0)
953 
954 /** Maximum size of the output from psa_raw_key_agreement().
955  *
956  * This macro expands to a compile-time constant integer. This value is the
957  * maximum size of the output any raw key agreement algorithm, in bytes.
958  *
959  * See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
960  */
961 #define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE   \
962     (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS))
963 
964 /** The default IV size for a cipher algorithm, in bytes.
965  *
966  * The IV that is generated as part of a call to #psa_cipher_encrypt() is always
967  * the default IV length for the algorithm.
968  *
969  * This macro can be used to allocate a buffer of sufficient size to
970  * store the IV output from #psa_cipher_generate_iv() when using
971  * a multi-part cipher operation.
972  *
973  * See also #PSA_CIPHER_IV_MAX_SIZE.
974  *
975  * \warning This macro may evaluate its arguments multiple times or
976  *          zero times, so you should not pass arguments that contain
977  *          side effects.
978  *
979  * \param key_type  A symmetric key type that is compatible with algorithm \p alg.
980  *
981  * \param alg       A cipher algorithm (\c PSA_ALG_XXX value such that #PSA_ALG_IS_CIPHER(\p alg) is true).
982  *
983  * \return The default IV size for the specified key type and algorithm.
984  *         If the algorithm does not use an IV, return 0.
985  *         If the key type or cipher algorithm is not recognized,
986  *         or the parameters are incompatible, return 0.
987  */
988 #define PSA_CIPHER_IV_LENGTH(key_type, alg) \
989     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) > 1 && \
990         ((alg) == PSA_ALG_CTR || \
991          (alg) == PSA_ALG_CFB || \
992          (alg) == PSA_ALG_OFB || \
993          (alg) == PSA_ALG_XTS || \
994          (alg) == PSA_ALG_CBC_NO_PADDING || \
995          (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
996      (key_type) == PSA_KEY_TYPE_CHACHA20 && \
997          (alg) == PSA_ALG_STREAM_CIPHER ? 12 : \
998          (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \
999          0)
1000 
1001 /** The maximum IV size for all supported cipher algorithms, in bytes.
1002  *
1003  * See also #PSA_CIPHER_IV_LENGTH().
1004  */
1005 #define PSA_CIPHER_IV_MAX_SIZE 16
1006 
1007 /** The maximum size of the output of psa_cipher_encrypt(), in bytes.
1008  *
1009  * If the size of the output buffer is at least this large, it is guaranteed
1010  * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
1011  * Depending on the algorithm, the actual size of the output might be smaller.
1012  *
1013  * See also #PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(\p input_length).
1014  *
1015  * \warning This macro may evaluate its arguments multiple times or
1016  *          zero times, so you should not pass arguments that contain
1017  *          side effects.
1018  *
1019  * \param key_type      A symmetric key type that is compatible with algorithm
1020  *                      alg.
1021  * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that
1022  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1023  * \param input_length  Size of the input in bytes.
1024  *
1025  * \return              A sufficient output size for the specified key type and
1026  *                      algorithm. If the key type or cipher algorithm is not
1027  *                      recognized, or the parameters are incompatible,
1028  *                      return 0.
1029  */
1030 #define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length)             \
1031     (alg == PSA_ALG_CBC_PKCS7 ?                                                 \
1032      (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                            \
1033      PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type),          \
1034                               (input_length) + 1) +                             \
1035      PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0) :                             \
1036      (PSA_ALG_IS_CIPHER(alg) ?                                                  \
1037       (input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) :                \
1038      0))
1039 
1040 /** A sufficient output buffer size for psa_cipher_encrypt(), for any of the
1041  *  supported key types and cipher algorithms.
1042  *
1043  * If the size of the output buffer is at least this large, it is guaranteed
1044  * that psa_cipher_encrypt() will not fail due to an insufficient buffer size.
1045  *
1046  * See also #PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1047  *
1048  * \param input_length  Size of the input in bytes.
1049  *
1050  */
1051 #define PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_length)                        \
1052     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE,                  \
1053                               (input_length) + 1) +                             \
1054      PSA_CIPHER_IV_MAX_SIZE)
1055 
1056 /** The maximum size of the output of psa_cipher_decrypt(), in bytes.
1057  *
1058  * If the size of the output buffer is at least this large, it is guaranteed
1059  * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
1060  * Depending on the algorithm, the actual size of the output might be smaller.
1061  *
1062  * See also #PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(\p input_length).
1063  *
1064  * \param key_type      A symmetric key type that is compatible with algorithm
1065  *                      alg.
1066  * \param alg           A cipher algorithm (\c PSA_ALG_XXX value such that
1067  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1068  * \param input_length  Size of the input in bytes.
1069  *
1070  * \return              A sufficient output size for the specified key type and
1071  *                      algorithm. If the key type or cipher algorithm is not
1072  *                      recognized, or the parameters are incompatible,
1073  *                      return 0.
1074  */
1075 #define PSA_CIPHER_DECRYPT_OUTPUT_SIZE(key_type, alg, input_length)                 \
1076     (PSA_ALG_IS_CIPHER(alg) &&                                                      \
1077      ((key_type) & PSA_KEY_TYPE_CATEGORY_MASK) == PSA_KEY_TYPE_CATEGORY_SYMMETRIC ? \
1078      (input_length) :                                                               \
1079      0)
1080 
1081 /** A sufficient output buffer size for psa_cipher_decrypt(), for any of the
1082  *  supported key types and cipher algorithms.
1083  *
1084  * If the size of the output buffer is at least this large, it is guaranteed
1085  * that psa_cipher_decrypt() will not fail due to an insufficient buffer size.
1086  *
1087  * See also #PSA_CIPHER_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1088  *
1089  * \param input_length  Size of the input in bytes.
1090  */
1091 #define PSA_CIPHER_DECRYPT_OUTPUT_MAX_SIZE(input_length)    \
1092     (input_length)
1093 
1094 /** A sufficient output buffer size for psa_cipher_update().
1095  *
1096  * If the size of the output buffer is at least this large, it is guaranteed
1097  * that psa_cipher_update() will not fail due to an insufficient buffer size.
1098  * The actual size of the output might be smaller in any given call.
1099  *
1100  * See also #PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
1101  *
1102  * \param key_type      A symmetric key type that is compatible with algorithm
1103  *                      alg.
1104  * \param alg           A cipher algorithm (PSA_ALG_XXX value such that
1105  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1106  * \param input_length  Size of the input in bytes.
1107  *
1108  * \return              A sufficient output size for the specified key type and
1109  *                      algorithm. If the key type or cipher algorithm is not
1110  *                      recognized, or the parameters are incompatible, return 0.
1111  */
1112 #define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length)              \
1113     (PSA_ALG_IS_CIPHER(alg) ?                                                   \
1114     (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ?                             \
1115      (((alg) == PSA_ALG_CBC_PKCS7      ||                                       \
1116        (alg) == PSA_ALG_CBC_NO_PADDING ||                                       \
1117        (alg) == PSA_ALG_ECB_NO_PADDING) ?                                       \
1118       PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type),         \
1119                                 input_length) :                                 \
1120       (input_length)) : 0) :                                                    \
1121      0)
1122 
1123 /** A sufficient output buffer size for psa_cipher_update(), for any of the
1124  *  supported key types and cipher algorithms.
1125  *
1126  * If the size of the output buffer is at least this large, it is guaranteed
1127  * that psa_cipher_update() will not fail due to an insufficient buffer size.
1128  *
1129  * See also #PSA_CIPHER_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
1130  *
1131  * \param input_length  Size of the input in bytes.
1132  */
1133 #define PSA_CIPHER_UPDATE_OUTPUT_MAX_SIZE(input_length)     \
1134     (PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, input_length))
1135 
1136 /** A sufficient ciphertext buffer size for psa_cipher_finish().
1137  *
1138  * If the size of the ciphertext buffer is at least this large, it is
1139  * guaranteed that psa_cipher_finish() will not fail due to an insufficient
1140  * ciphertext buffer size. The actual size of the output might be smaller in
1141  * any given call.
1142  *
1143  * See also #PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE().
1144  *
1145  * \param key_type      A symmetric key type that is compatible with algorithm
1146  *                      alg.
1147  * \param alg           A cipher algorithm (PSA_ALG_XXX value such that
1148  *                      #PSA_ALG_IS_CIPHER(\p alg) is true).
1149  * \return              A sufficient output size for the specified key type and
1150  *                      algorithm. If the key type or cipher algorithm is not
1151  *                      recognized, or the parameters are incompatible, return 0.
1152  */
1153 #define PSA_CIPHER_FINISH_OUTPUT_SIZE(key_type, alg)    \
1154     (PSA_ALG_IS_CIPHER(alg) ?                           \
1155      (alg == PSA_ALG_CBC_PKCS7 ?                        \
1156       PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) :         \
1157       0) :                                              \
1158      0)
1159 
1160 /** A sufficient ciphertext buffer size for psa_cipher_finish(), for any of the
1161  *  supported key types and cipher algorithms.
1162  *
1163  * See also #PSA_CIPHER_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
1164  */
1165 #define PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE           \
1166     (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
1167 
1168 #endif /* PSA_CRYPTO_SIZES_H */
1169